{"categories":[{"id":"security","displayName":"Security","related":{"tables":["AADAgentRiskEvents","AADB2CRequestLogs","AADCustomSecurityAttributeAuditLogs","AADDomainServicesAccountLogon","AADDomainServicesAccountManagement","AADDomainServicesDirectoryServiceAccess","AADDomainServicesLogonLogoff","AADDomainServicesPolicyChange","AADDomainServicesPrivilegeUse","AADDomainServicesSystemSecurity","AADGraphActivityLogs","AADManagedIdentitySignInLogs","AADNonInteractiveUserSignInLogs","AADProvisioningLogs","AADRiskyAgents","AADRiskyServicePrincipals","AADRiskyUsers","AADServicePrincipalRiskEvents","AADServicePrincipalSignInLogs","AADUserRiskEvents","ABAPAuditLog","ABAPAuthorizationDetails","ABAPChangeDocsLog","ABAPTableDataLog","ABAPUserDetails","ADFSSignInLogs","ASimAgentEventLogs","ASimAlertEventLogs","ASimAssetEntityLogs","ASimAuditEventLogs","ASimAuthenticationEventLogs","ASimDhcpEventLogs","ASimDnsActivityLogs","ASimFileEventLogs","ASimNetworkSessionLogs","ASimProcessEventLogs","ASimRegistryEventLogs","ASimUserManagementActivityLogs","ASimWebSessionLogs","AWSALBAccessLogs","AWSCloudTrail","AWSCloudWatch","AWSEKSLogs","AWSGuardDuty","AWSNLBAccessLogs","AWSNetworkFirewallAlert","AWSNetworkFirewallFlow","AWSNetworkFirewallTls","AWSRoute53Resolver","AWSS3ServerAccess","AWSSecurityHubFindings","AWSVPCFlow","AWSWAF","AZFWApplicationRule","AZFWApplicationRuleAggregation","AZFWDnsFlowTrace","AZFWDnsQuery","AZFWFatFlow","AZFWIdpsSignature","AZFWInternalFqdnResolutionFailure","AZFWNatRule","AZFWNatRuleAggregation","AZFWNetworkRule","AZFWNetworkRuleAggregation","AZFWThreatIntel","AggregatedSecurityAlert","AlertEvidence","AlertInfo","Anomalies","AppServiceServerlessSecurityPluginData","AuditLogs","AzureActivity","AzureDiagnostics","BehaviorAnalytics","BehaviorEntities","BehaviorInfo","CampaignInfo","CloudAppEvents","CloudAuditEvents","CloudDnsEvents","CloudProcessEvents","CloudStorageAggregatedEvents","CommonSecurityLog","CommunicationComplianceActivity","ConfidentialWatchlist"
,"CopilotActivity","CrowdStrikeAlerts","CrowdStrikeAuditEvents","CrowdStrikeCases","CrowdStrikeDetections","CrowdStrikeHosts","CrowdStrikeIncidents","CrowdStrikeVulnerabilities","DSMDataClassificationLogs","DSMDataLabelingLogs","DataverseActivity","DeviceBehaviorEntities","DeviceBehaviorInfo","DeviceCustomFileEvents","DeviceCustomImageLoadEvents","DeviceCustomNetworkEvents","DeviceCustomProcessEvents","DeviceCustomRegistryEvents","DeviceCustomScriptEvents","DeviceEvents","DeviceFileCertificateInfo","DeviceFileEvents","DeviceImageLoadEvents","DeviceInfo","DeviceLogonEvents","DeviceNetworkEvents","DeviceNetworkInfo","DeviceProcessEvents","DeviceRegistryEvents","DeviceTvmSecureConfigurationAssessment","DeviceTvmSecureConfigurationAssessmentKB","DeviceTvmSoftwareInventory","DeviceTvmSoftwareVulnerabilities","DeviceTvmSoftwareVulnerabilitiesKB","DisruptionAndResponseEvents","DnsAuditEvents","DynamicEventCollection","EmailAttachmentInfo","EmailEvents","EmailPostDeliveryEvents","EmailUrlInfo","EnrichedMicrosoft365AuditLogs","Event","FileMaliciousContentInfo","GCPApigee","GCPAuditLogs","GCPCDN","GCPCloudRun","GCPCloudSQL","GCPComputeEngine","GCPDNS","GCPFirewallLogs","GCPIAM","GCPIDS","GCPLoadBalancer","GCPMonitoring","GCPNAT","GCPNATAudit","GCPResourceManager","GCPVPCFlow","GKEAPIServer","GKEApplication","GKEAudit","GKEControllerManager","GKEHPADecision","GKEScheduler","GoogleCloudSCC","GoogleWorkspaceReports","GraphNotificationsActivityLogs","HDInsightSecurityLogs","HuntingBookmark","IdentityAccountInfo","IdentityDirectoryEvents","IdentityEvents","IdentityLogonEvents","IdentityQueryEvents","IlumioInsights","LinuxAuditLog","MDCDetectionDNSEvents","MDCDetectionFimEvents","MDCDetectionGatingValidationEvents","MDCDetectionK8SApiEvents","MDCDetectionProcessV2Events","MDCFileIntegrityMonitoringEvents","MDECustomCollectionDeviceFileEvents","McasShadowItReporting","MessageEvents","MessagePostDeliveryEvents","MessageUrlInfo","MicrosoftGraphActivityLogs","MicrosoftGraphPolicyLogs",
"MicrosoftPurviewInformationProtection","MicrosoftServicePrincipalSignInLogs","NCBMBreakGlassAuditLogs","NCBMSecurityDefenderLogs","NCBMSecurityLogs","NSPAccessLogs","NetworkAccessAlerts","NetworkAccessConnectionEvents","NetworkAccessGenerativeAIInsights","NetworkAccessTraffic","NetworkSessions","OAuthAppInfo","OfficeActivity","OktaSystemLogs","PowerAppsActivity","PowerAutomateActivity","PowerBIActivity","PowerPlatformAdminActivity","PowerPlatformConnectorActivity","PowerPlatformDlpActivity","ProjectActivity","ProtectionStatus","PurviewDataSensitivityLogs","QualysKnowledgeBase","Rapid7InsightVMCloudAssets","Rapid7InsightVMCloudVulnerabilities","RemoteNetworkHealthLogs","SalesforceAuditTrail","SalesforceLoginHistory","SecurityAlert","SecurityAttackPathData","SecurityBaseline","SecurityBaselineSummary","SecurityDetection","SecurityEvent","SecurityIoTRawEvent","SecurityRecommendation","SentinelAlibabaCloudAPIGatewayLogs","SentinelAlibabaCloudVPCFlowLogs","SentinelAlibabaCloudWAFLogs","SentinelAudit","SentinelBehaviorEntities","SentinelBehaviorInfo","SentinelHealth","SentinelImpervaWAFCloudV2Logs","SigninLogs","StorageMalwareScanningResults","Syslog","ThreatIntelExportOperation","ThreatIntelIndicators","ThreatIntelObjects","ThreatIntelligenceIndicator","Update","UrlClickEvents","UserAccessAnalytics","UserPeerAnalytics","Watchlist","WindowsEvent","WindowsFirewall","WireData"],"queries":["00d2b78e-df02-42d4-ae3a-27db94a534fc","c4ee740a-6d0e-4a87-b998-663d2d36fca0","4b3c3ebd-fba6-49a4-8709-7507a347a969","31a88ff8-4608-4645-ab18-4b09871b07ea","c8258837-c1bd-456c-961f-14bf71748f79","d6aaf873-8082-4960-aba0-146eb0414a27","9b285dc2-6dc7-454a-aaa0-d3113cdb8825","07f7133f-baae-444c-a1a1-2e0b6caf09c2","30a46f4f-dc1a-43e1-9fe4-c82750e218b3","dd5cd0fc-683c-4ace-a7da-ef6afd649407","5eea8814-60dd-4d3c-bec0-3c364c88efca","8146e954-5df5-4eaa-afe6-1cef6c1583cb","ddacb4dd-a7c6-4f36-9642-71a0fac3a34c","3d806161-ab30-4c7c-a4fc-9bae0622e531","dca5053f-af30-44dc-bfa7-089e61668991","ae4119c9-
1e46-4b3f-b9a6-df570e93e6f9","2705d573-c84c-4b40-973c-2aba2407ff22","04205bbc-69b9-4c56-8ef6-f99814abfcba","616c413f-dc29-402c-851e-3b524865ce2a","4d2fd56b-a0d4-42e1-8d0d-31e60f2e005b","462adba2-ab3c-42ad-8279-ba34d5f3cd49","0672f0f4-b973-486e-8f05-25f93f3799cb","d6cf92b1-3b52-4b8b-b5c6-c4c1a0d657ee","e16559ad-9ff2-418b-b194-8bccf6fb184c","cdeed2a7-e6b7-4e08-bd8e-a7d9d6ec08a8","6b26cc79-2a2f-4d29-9caa-bd14690e53ed","29ccaaf9-d25b-4aec-8b2b-3047a16516f9","e3e89b71-9c05-46e9-a981-6ec61edbd52d","000c3177-e775-4c3b-8425-c346af81389d","d02256eb-1eae-46e9-b63b-4e389f6ce0ae","bdb7da24-8f5f-422d-927e-14b06c75a407","5a1c1fd7-a9c7-428a-a804-64d0b46d1c18","ca4f4032-55e0-48c9-aac1-aa14d6ff21d3","1e4f66c0-41e2-45ff-864f-39e9d7a4f492","1558bfb7-2aa3-49e1-8386-f4f8509e514c","a697d547-302a-4092-a3ad-b3cb8e43c204","a697d547-302a-4092-a3ad-b3cb8e43c205","1cf50156-0581-4890-8563-e04def3dbd26","86016240-9a8e-4aa3-8195-73609ef95294","64ded722-608e-472b-a3dd-17f94b7cac07","6307514a-d00a-4ada-a0fb-087b72bee4f5","d343d7e2-9407-485a-96e5-8fb5d0031ee2","650380ee-8027-4dc3-8763-c338222be64a","8d9fc68f-84a8-4186-9675-952013133dc9","44640527-2945-467a-a5db-fcaf8b11f1b1","affffc71-5531-497d-ae2b-6d536ae12784","f8a1b2c3-4d5e-6f7a-8b9c-0d1e2f3a4b5c","a9b8c7d6-5e4f-3a2b-1c0d-9e8f7a6b5c4d","b1c2d3e4-f5a6-7b8c-9d0e-1f2a3b4c5d6e","4e44198b-0072-4be0-a2aa-60b8804da78f","e2eb04f4-fce9-58e6-aa56-86d12e79e496","440a414a-17dd-54a7-8ad6-ec077680bcb1","0b4777dd-730e-4b8b-8a13-2bb21f5626c1","32e805e5-fe72-4141-aac4-f49c8ae6d03c","335fcdf9-4712-4176-8266-d19eab3e64a0","a1b2c3d4-e5f6-7890-abcd-ef1234567890","b2c3d4e5-f6g7-8901-bcde-f12345678901","c3d4e5f6-g7h8-9012-cdef-123456789012","d4e5f6g7-h8i9-0123-defg-234567890123","e5f6g7h8-i9j0-1234-efgh-345678901234","f6g7h8i9-j0k1-2345-fghi-456789012345","f3e18c86-c0aa-4d1a-8f30-6e8c6cd3cad2","ad9ab554-0b90-4eca-b39a-7871b96d23f4","be15042c-877f-4842-8e66-5bdb4355bcde","9ad198e4-a2d5-4a5c-926d-fc67f1941a9f","56a5cc12-e9d0-4b30-b566-2b28952db73b","6068c9c7-ce57-40ee-9
cb2-bcf4023e9963","55cf1c68-c638-42eb-84d8-7e76eced6737","20c91d09-47f6-4b2b-8d22-4ef6e6c2b8c4","3b623afd-c690-47fd-9304-e3f678ad715b","76a0586c-7122-4fc4-abd0-348a6b852174","0d531240-ad3d-4714-91a9-3e36bf51a607","0cd8d3ed-6d62-4bf4-b854-3a5ca4b8c25c","6c605c9c-6eca-4945-8a42-18833ad3cf42","68b79dce-2343-49e7-a1a1-1e9c61cc9888","09be64ab-51be-4f8c-8c03-17243fbfdfbc","67e621ec-0a84-412a-ac48-1cfd80f30a43","44fc0e47-dc0e-4d77-8fcb-0e7aa58b7e92","824be1eb-27b7-44e9-97b6-ceba952b5301","90f66bc3-2a34-4ea7-8849-2a0c1abb9a75","d826f137-f675-459e-a758-5acbc604ce90","d353de41-be6b-4bd0-9c88-62f8db108f09","4759e733-d0b0-4415-bd31-72b9765994d6","a2cdbdc7-3abb-426d-a77f-771d6bf5a4f9","fb42f174-b844-4416-8033-9f40cd9162a4","11769810-ba17-4663-bdc3-d6114617aadd","4e7a449a-ae3f-4100-9598-197f4a43abc1","8df595d6-7c32-4257-8280-90182a32c23a","d5f248e0-45a6-45a7-9bd2-8ef963d39a05","d6a06676-95e8-4632-b949-44bc00f0793f","054777d1-722e-4b86-512d-2bb21f562cc1","d5eec317-3dee-4aa9-92ec-28af5f25242f","8c391e1d-f7d0-4a0b-bab1-a0fc8978e108","af2a6875-f636-497f-a721-10070b187d3a","65800d1d-80dd-4792-a147-5ce60fdd84bb","9fb56969-bd66-46b7-9c43-1aae797a302a","52f7ea87-5e0f-4366-90fa-d73f627b3bc6","63b0b1fc-ec04-4485-900d-a656aa32111e","3b26c2e7-62eb-4cb1-b350-1afbdac2d7e0","9a3c7b7e-2a9f-4e4a-9f3c-3e2d8b1c5a67","7c5e2d1f-4b3a-8c9e-0d1f-2a3b4c5d6e7f","291d06cf-e4b6-43e2-aa5d-45b2fcd74d6b","e8215b69-4cfe-4e8e-9d8e-cec354bd3ecb","3459bf35-3c3c-5d12-b6f6-e01431cbf19b","e2ffe7a8-d457-5cfa-8f76-ddc2c2a38fc9","180e9e53-1653-4483-aab8-9f55725e8a63","e0b79a1a-edf7-4a0e-9ed4-8a0ae14d3a85","dcd68ba6-0656-43f8-8c16-21ed36226048","bffd4ec5-3957-408c-9831-3f49a4614e93","2ceeb9da-0e43-44b8-b0c7-9debf01d0d89","aecb76d9-4063-422b-8837-9f4dba347a56","9448aa98-3680-40c1-8a3e-d67f0e9c64f7","09786294-08ad-48b1-b467-55ff30e7ca28","7014f07d-00e7-48ae-85df-df5913ee6174","a894f0af-bb74-4525-bf5a-7e0faaf345d4","94477231-37df-47e8-88a1-862e04d16a75","d2812a18-ed70-4a01-b124-0f1bf86e86ac","957d87b7-6acf-4cae-85b0-c45c65e
69d0d","cc80f907-6e9d-4ec0-99f6-e6dbc2ecd528","86ec7263-b38a-4b73-b0cd-0939156545a6","9fe432a8-1b0a-4cb5-8878-0825e01c66fa","9fe432a8-1b0a-4cb5-8878-0825e01c66fb","083f9ca4-df5c-43d1-951c-0dc34ea73db1","30963fe3-2352-42de-94af-43ef3f63b1e3","be6a0cec-b2bc-4513-88ce-64c555f5bca6","b397218a-c6a7-4221-8265-c1fa29303883","7f5b14e9-a072-4d31-b73b-cd8de50c63b3","314645a8-79f8-487d-8dc0-7103fa5dbc7a","1986631a-103b-403b-9860-2eb03a9564c6","f35fd4ac-7121-4085-8204-b6700a59d84b","36fdb8a7-ee08-4390-8bc4-8686b9b0d4bb","e7e0e961-d151-41fd-9062-260808ae1190","ccbfe85d-b880-4ec2-8760-c382d17db131","820798dc-cd18-4f1a-b7f0-1163f78e3935","8318f5a7-adba-41d0-8170-c5af5b31e494","3df2e36e-6154-11ea-954a-c8348e025209","3df49151-6154-11ea-99f0-c8348e025209","3df4df3b-6154-11ea-a9a8-c8348e025209","48aa0383-62e4-11ea-9e82-c8348e025209","48b065a4-62e4-11ea-930c-c8348e025209","48b192a3-62e4-11ea-89fd-c8348e025209","8b7ea3bd-0571-0eec-1a82-605a44e00989","acaaa91b-7585-2e37-9930-d455f72013e5","1b3e105a-735e-11ea-bc03-c8348e02520c","1b3ead6e-735e-11ea-9bb2-c8348e02520c","a5f28cd0-773b-11ea-8000-c8348e02520c","a5f4136f-773b-11ea-90bb-c8348e02520c","a5f48946-773b-11ea-b628-c8348e02520c","a5f65d8f-773b-11ea-8092-c8348e02520c","f05a7df3-8564-11ea-8cd4-c8348e02520c","c591b611-9b80-11ea-8243-c8348e02520c","c59845a8-9b80-11ea-8a09-c8348e02520c","51c067a6-a025-11ea-a1b8-c8348e02520c","51c43753-a025-11ea-b382-c8348e02520c","51c6ccf0-a025-11ea-93fd-c8348e02520c","ddf445a8-d5a6-11ea-8d3c-c8348e03e0b8","ddf445af-d5a6-11ea-93db-c8348e03e0b8","ddf445b0-d5a6-11ea-bc48-c8348e03e0b8","ddf445b1-d5a6-11ea-babb-c8348e03e0b8","ddf445b2-d5a6-11ea-85c6-c8348e03e0b8","ddf445b3-d5a6-11ea-90d5-c8348e03e0b8","ddf445b4-d5a6-11ea-9688-c8348e03e0b8","ddf445b5-d5a6-11ea-a854-c8348e03e0b8","ddf445b6-d5a6-11ea-a2ab-c8348e03e0b8","ddf445b7-d5a6-11ea-916b-c8348e03e0b8","ddf445b8-d5a6-11ea-bc05-c8348e03e0b8","ddf445b9-d5a6-11ea-bdff-c8348e03e0b8","ddf445ba-d5a6-11ea-83b5-c8348e03e0b8","ddf445bb-d5a6-11ea-8592-c8348e03e0b8","ddf
445bc-d5a6-11ea-a24e-c8348e03e0b8","ddf445bd-d5a6-11ea-bb95-c8348e03e0b8","ddf445be-d5a6-11ea-852f-c8348e03e0b8","ddf445bf-d5a6-11ea-9218-c8348e03e0b8","ddf445c0-d5a6-11ea-bc3f-c8348e03e0b8","ddf445c1-d5a6-11ea-92b8-c8348e03e0b8","ddf445c2-d5a6-11ea-81dd-c8348e03e0b8","ddf445c3-d5a6-11ea-b003-c8348e03e0b8","ddf46ca0-d5a6-11ea-b455-c8348e03e0b8","ddf46ca1-d5a6-11ea-86fb-c8348e03e0b8","ddf46ca2-d5a6-11ea-ae07-c8348e03e0b8","ddf46ca3-d5a6-11ea-b6a7-c8348e03e0b8","ddf46ca4-d5a6-11ea-b876-c8348e03e0b8","ddf46ca5-d5a6-11ea-8e9f-c8348e03e0b8","ddf46ca6-d5a6-11ea-8642-c8348e03e0b8","ddf46ca7-d5a6-11ea-940a-c8348e03e0b8","ddf46ca8-d5a6-11ea-9e8d-c8348e03e0b8","ddf46ca9-d5a6-11ea-aa6f-c8348e03e0b8","ddf46caa-d5a6-11ea-821e-c8348e03e0b8","ddf46cab-d5a6-11ea-be2b-c8348e03e0b8","ddf46cac-d5a6-11ea-aa01-c8348e03e0b8","ddf46cad-d5a6-11ea-a398-c8348e03e0b8","b839c4b8-2e6c-11eb-978b-c8348e03e0b8","b839c4b9-2e6c-11eb-b951-c8348e03e0b8","b839c4ba-2e6c-11eb-aac2-c8348e03e0b8","b839c4bb-2e6c-11eb-85b9-c8348e03e0b8","b839c4bc-2e6c-11eb-9bb0-c8348e03e0b8","b839c4bd-2e6c-11eb-92a1-c8348e03e0b8","b839c4be-2e6c-11eb-bfbd-c8348e03e0b8","b839c4bf-2e6c-11eb-9169-c8348e03e0b8","b839c4c0-2e6c-11eb-83ef-c8348e03e0b8","b839c4c1-2e6c-11eb-a5d6-c8348e03e0b8","b839c4c2-2e6c-11eb-98df-c8348e03e0b8","b839c4c3-2e6c-11eb-b9b3-c8348e03e0b8","b839c4c4-2e6c-11eb-b7e8-c8348e03e0b8","b839c4c5-2e6c-11eb-b8dd-c8348e03e0b8","b839c4c6-2e6c-11eb-abf4-c8348e03e0b8","b839c4c7-2e6c-11eb-b0d8-c8348e03e0b8","b839c4c8-2e6c-11eb-8554-c8348e03e0b8","b839c4c9-2e6c-11eb-b557-c8348e03e0b8","b839c4ca-2e6c-11eb-bdea-c8348e03e0b8","b839c4cb-2e6c-11eb-a8f4-c8348e03e0b8","b839c4cc-2e6c-11eb-9fee-c8348e03e0b8","b839c4cd-2e6c-11eb-9089-c8348e03e0b8","b839c4ce-2e6c-11eb-9426-c8348e03e0b8","b839c4cf-2e6c-11eb-bfed-c8348e03e0b8","b839c4d0-2e6c-11eb-89cf-c8348e03e0b8","b839c4d1-2e6c-11eb-a467-c8348e03e0b8","b839c4d2-2e6c-11eb-b717-c8348e03e0b8","b839c4d3-2e6c-11eb-9b72-c8348e03e0b8"]}},{"id":"network","displayName":"Network","related":{
"tables":["AGCAccessLogs","AGCFirewallLogs","AGWAccessLogs","AGWFirewallLogs","AGWPerformanceLogs","AVNMConnectivityConfigurationChange","AVNMIPAMPoolAllocationChange","AVNMNetworkGroupMembershipChange","AVNMRuleCollectionChange","AzureDiagnostics","DnsEvents","DnsInventory","EnrichedMicrosoft365AuditLogs","GraphNotificationsActivityLogs","MNFDeviceUpdates","MNFSystemSessionHistoryUpdates","MNFSystemStateMessageUpdates","NSPAccessLogs","NTAInsights","NTAIpDetails","NTANetAnalytics","NTANspRuleRecommendation","NTARuleRecommendation","NTATopologyDetails","NWConnectionMonitorDNSResult","NWConnectionMonitorPathResult","NWConnectionMonitorTestResult","NetworkAccessAlerts","NetworkAccessConnectionEvents","NetworkAccessGenerativeAIInsights","NetworkAccessTraffic","NetworkMonitoring","RemoteNetworkHealthLogs","ZTSRequest"],"queries":["c3cf794b-5617-4eb8-95fa-66aa2a2678df","e7766bc6-9d49-4b09-93ed-e564d7593be3","2c4f7c71-9d37-4987-a767-3951876a5477","7147966e-f714-405b-b243-2c2d69e8b3fe","b0743562-0414-4fb9-a14b-fb1cfd5242b9","c7d2bca8-92e7-4c02-87f3-43aa0a0a2a3a","96c338bf-610b-4231-83b5-df264ddbf749","f789e18e-9204-43f0-9656-ae305a7c56d3","53052d78-882f-46b7-a711-69dca0f58af4","ade0fc51-681d-490d-b8f5-216b3203e419","c21d56d3-8079-46ff-b056-9d5be6505e88","a1378514-505d-453b-a0a9-44cd62cd5228","6f7d4fb8-e91c-4fa3-aa6f-c695d21e5e1a","ddd81f93-5320-4626-ac94-a938757326a4","42dfde83-f564-4282-854d-612dfda54abf","e1629bb4-4c6e-49a1-a826-5627804b3dcf","d05ffa8d-2ca3-4a6b-9d91-2cee1feafc52","e4c56072-f3d4-4d90-89af-7b94cf0a80e1","db83ff91-df3b-4d7d-b62f-559d49e7d63c","5c27eae1-f25b-46e1-b18b-c1cc11e35ddb","b40ab49e-3ef0-4c97-862b-207b98a68b02","c864821b-bcc9-4305-a0e1-37dcb9f1f82d","8a9e48ac-20be-4074-8118-9366e73d8dac","da3145ca-5cb9-43f4-afcc-0544bc320d8d","a756c739-e5cb-4bf1-9b37-4d58d5a49e2d","a2995731-5c93-42bc-894e-704789d8deba","52772f3b-f583-4901-b75c-ec368bcb1b78","8a81a8ec-db62-45d1-b6e3-6385cadd2f74","40f8162e-e9b1-4b78-9d8a-e939fc3e363b","baf32abd-8e68-46d4-88bb-82e658
59d0b2","6ab7ef4f-5ccd-4509-9a9d-98e315759d6f","62cb4687-3d08-424f-b872-71757bbcc1d0","dc815502-2306-4db0-a0a5-b34ac7f299da","3dedfcff-6154-11ea-b43b-c8348e025209","3df04ba0-6154-11ea-a4a9-c8348e025209","3df099bd-6154-11ea-950e-c8348e025209","3df22024-6154-11ea-bb45-c8348e025209","3df26e48-6154-11ea-8a19-c8348e025209","3df2e36e-6154-11ea-954a-c8348e025209","3df49151-6154-11ea-99f0-c8348e025209","3df4df3b-6154-11ea-a9a8-c8348e025209","48aa0383-62e4-11ea-9e82-c8348e025209","48b065a4-62e4-11ea-930c-c8348e025209","48b192a3-62e4-11ea-89fd-c8348e025209","8b7ea3bd-0571-0eec-1a82-605a44e00989","acaaa91b-7585-2e37-9930-d455f72013e5","c5992ffc-9b80-11ea-8243-c8348e02520c","c5997e17-9b80-11ea-8e07-c8348e02520c","c59b04a4-9b80-11ea-9429-c8348e02520c","c59b52d1-9b80-11ea-abe2-c8348e02520c","c59bc801-9b80-11ea-a673-c8348e02520c","c59c161a-9b80-11ea-b8e4-c8348e02520c","92237ddb-9b82-11ea-805c-c8348e02520c","ddf3d063-d5a6-11ea-a3df-c8348e03e0b8","ddf44593-d5a6-11ea-ac4c-c8348e03e0b8","ddf44594-d5a6-11ea-94a5-c8348e03e0b8","ddf44595-d5a6-11ea-b8bd-c8348e03e0b8","ddf44596-d5a6-11ea-a8af-c8348e03e0b8","ddf44597-d5a6-11ea-ae46-c8348e03e0b8","ddf44598-d5a6-11ea-bdfc-c8348e03e0b8","8062ec5b-0436-534c-357d-a1a9750542fd","b6e396a1-49f4-002e-943b-9bcf087a3b58","100c8fe9-2f3e-4899-6ef4-6d70047d3f84","ae03d069-6d7a-2ecd-81e4-dbc6b6337f92","19ef0e4b-2959-3cb3-22ee-594fa7417cde","a9d51280-2768-856a-84f6-e5a4396a6997","adec1d64-576d-4536-2459-b9181ce6a440","7cce0397-0d02-0d98-29de-f79a1f3a1cd6","02343258-23f7-8f05-682f-4dede54b8f38","805cb7a6-792e-93f1-9292-d71efaf296f2","c1a54a83-064c-248a-1328-77d03fd914d1","f82e75bb-dd42-11ea-8cee-c8348e03e0b8","f82e75bc-dd42-11ea-bd9c-c8348e03e0b8","f82e75bd-dd42-11ea-8c4d-c8348e03e0b8","f82e75be-dd42-11ea-bdca-c8348e03e0b8","f82e75bf-dd42-11ea-98ce-c8348e03e0b8","f82e75c0-dd42-11ea-8d89-c8348e03e0b8","f82e75c1-dd42-11ea-a974-c8348e03e0b8","f82e75c2-dd42-11ea-a2f7-c8348e03e0b8","a6428840-f7fb-11ea-9f84-c8348e03e0b8","a6428841-f7fb-11ea-a564-c8348e03e0b8","a6
428842-f7fb-11ea-9339-c8348e03e0b8","c04f8b4c-8f78-8652-28db-d12cb5296bcb"]}},{"id":"management","displayName":"IT & Management Tools","related":{"tables":["AMAHealth","AddonAzureBackupAlerts","AddonAzureBackupJobs","AddonAzureBackupPolicy","AddonAzureBackupProtectedInstance","AddonAzureBackupStorage","ComputerGroup","ConfigurationChange","ConfigurationData","CoreAzureBackup","EnrichedMicrosoft365AuditLogs","GraphNotificationsActivityLogs","Heartbeat","IntuneAuditLogs","IntuneDeviceComplianceOrg","IntuneDevices","IntuneOperationalLogs","NetworkAccessAlerts","NetworkAccessConnectionEvents","NetworkAccessGenerativeAIInsights","NetworkAccessTraffic","RemoteNetworkHealthLogs","Update","UpdateRunProgress","W3CIISLog"],"queries":["1b37f929-735e-11ea-b6cc-c8348e02520c","1b3a3fbb-735e-11ea-a165-c8348e02520c","1b3c664d-735e-11ea-8315-c8348e02520c","1b3cdc20-735e-11ea-a43a-c8348e02520c","1b3e105a-735e-11ea-bc03-c8348e02520c","1b3ead6e-735e-11ea-9bb2-c8348e02520c","1b3f2289-735e-11ea-b431-c8348e02520c","67756e5c-735e-11ea-a1fc-c8348e02520c","67787b98-735e-11ea-8214-c8348e02520c","6778f0c8-735e-11ea-9bcd-c8348e02520c","67798d1e-735e-11ea-9066-c8348e02520c","0a9a8546-8566-11ea-85d3-c8348e02520c","0a9be4e3-8566-11ea-bb0a-c8348e02520c","0a9d1db1-8566-11ea-86f4-c8348e02520c","0a9d6b7a-8566-11ea-8fbe-c8348e02520c","0a9de0a6-8566-11ea-96d1-c8348e02520c","0a9e2ecc-8566-11ea-95b0-c8348e02520c","51d5d5cb-a025-11ea-a80b-c8348e02520c","51d64afb-a025-11ea-a30b-c8348e02520c","51d84768-a025-11ea-a170-c8348e02520c","51d8e30c-a025-11ea-a73e-c8348e02520c","51da42ca-a025-11ea-8b9b-c8348e02520c","51db05ee-a025-11ea-93b5-c8348e02520c","51db7b14-a025-11ea-96a8-c8348e02520c","51dcdaa5-a025-11ea-8887-c8348e02520c","51dd28da-a025-11ea-9725-c8348e02520c","51dd9de7-a025-11ea-99e2-c8348e02520c","f82e75cb-dd42-11ea-82ac-c8348e03e0b8","f82e75cc-dd42-11ea-a557-c8348e03e0b8","f82e75cd-dd42-11ea-909e-c8348e03e0b8","f82e75ce-dd42-11ea-b511-c8348e03e0b8","f82e75cf-dd42-11ea-bcfc-c8348e03e0b8","f82e75d0-dd42-11e
a-91f3-c8348e03e0b8","f82e75d1-dd42-11ea-991a-c8348e03e0b8","f82e75d2-dd42-11ea-b46b-c8348e03e0b8","bb60448c-0c7f-11eb-965c-c8348e03e0b8","bb60448d-0c7f-11eb-93a5-c8348e03e0b8","bb60448e-0c7f-11eb-8095-c8348e03e0b8","bb60448f-0c7f-11eb-ab22-c8348e03e0b8","bb604490-0c7f-11eb-a548-c8348e03e0b8"],"functions":["b65a317e-7513-4379-b5fc-a467d3daa1d9","29112523-50d8-4bb9-931f-47b8b3da558f","19551c5e-1e3e-4425-a1d7-c846a0bca2a1","19551c5e-1e3e-4425-a1d7-c846a0bca2a2","19551c5e-1e3e-4425-a1d7-c846a0bca2a3","19551c5e-1e3e-4425-a1d7-c846a0bca2a4","19551c5e-1e3e-4425-a1d7-c846a0bca2a5","19551c5e-1e3e-4425-a1d7-c846a0bca2a6","19551c5e-1e3e-4425-a1d7-c846a0bca2a7"]}},{"id":"virtualmachines","displayName":"Virtual Machines","related":{"tables":["AMAHealth","AutoscaleEvaluationsLog","AutoscaleScaleActionsLog","ComputerGroup","DataSetOutput","DataSetRuns","ETWEvent","Event","Heartbeat","InsightsMetrics","Perf","PerfInsightsFindings","PerfInsightsImpactedResources","PerfInsightsRun","Syslog","UpdateSummary","VMBoundPort","VMComputer","VMConnection","VMProcess","W3CIISLog","WVDAgentHealthStatus","WireData"],"queries":["37325c2f-a267-4c55-8b85-3a315e9e50a3","e70b8048-60cc-485e-aa4c-13681020dc97","30acf699-84cb-4c65-ad46-b2ad151ebc55","32b49610-7500-4578-a909-b937a976ebfe","d2f75376-07d4-4ef7-b3b4-36a97d5b6228","f4ee7d36-fcae-4d21-879b-e11f9a831590","6810d165-9ec6-4e87-84e4-800d74cf85ad","b6aa1541-5290-41c5-9bc3-48e26fd6f899","10eeb5b8-140d-4790-a509-e6f2d62c6abe","d78e5c0b-190f-42b3-9b90-43758415fab2","e7e0e961-d151-41fd-9062-260808ae1190","ccbfe85d-b880-4ec2-8760-c382d17db131","820798dc-cd18-4f1a-b7f0-1163f78e3935","8318f5a7-adba-41d0-8170-c5af5b31e494","f7a287bb-a9ab-44c1-942f-1ec5c03e388e","043360e8-9071-46fe-8ae2-1c27eeca2d7b","5cd45fcf-8566-11ea-821c-c8348e02520c","5cd6f7ed-8566-11ea-a2a1-c8348e02520c","5cd745fe-8566-11ea-9fa7-c8348e02520c","5cd79425-8566-11ea-ab11-c8348e02520c","5cd7e251-8566-11ea-b5f3-c8348e02520c","5cd85792-8566-11ea-b77a-c8348e02520c","a5f28cd0-773b-11ea-8000-
c8348e02520c","a5f4136f-773b-11ea-90bb-c8348e02520c","a5f48946-773b-11ea-b628-c8348e02520c","a5f65d8f-773b-11ea-8092-c8348e02520c","0932fe64-c205-11ea-8cfc-c8348e03e0b8","09339aab-c205-11ea-b403-c8348e03e0b8","09339aac-c205-11ea-ad1e-c8348e03e0b8","09339aad-c205-11ea-9405-c8348e03e0b8","09339aae-c205-11ea-a66c-c8348e03e0b8","09339aaf-c205-11ea-8a79-c8348e03e0b8","09339ab0-c205-11ea-8471-c8348e03e0b8","09339ab1-c205-11ea-b87c-c8348e03e0b8","09339ab2-c205-11ea-bbde-c8348e03e0b8","09339ab3-c205-11ea-9701-c8348e03e0b8","09339ab4-c205-11ea-80dd-c8348e03e0b8","09339ab5-c205-11ea-b4f6-c8348e03e0b8","09339ab6-c205-11ea-9eb2-c8348e03e0b8","09339ab7-c205-11ea-b31c-c8348e03e0b8","09339ab8-c205-11ea-be95-c8348e03e0b8","09339ab9-c205-11ea-9088-c8348e03e0b8","09339aba-c205-11ea-9bcb-c8348e03e0b8","09339abb-c205-11ea-883c-c8348e03e0b8","09339abc-c205-11ea-8ebf-c8348e03e0b8","09339abd-c205-11ea-af17-c8348e03e0b8","09339abe-c205-11ea-b842-c8348e03e0b8","09339abf-c205-11ea-af78-c8348e03e0b8","0933c1b3-c205-11ea-a4a3-c8348e03e0b8","0933c1b4-c205-11ea-a4fb-c8348e03e0b8","0933c1b5-c205-11ea-920a-c8348e03e0b8","0933c1b6-c205-11ea-85b3-c8348e03e0b8","0933c1b7-c205-11ea-9582-c8348e03e0b8","0933c1b8-c205-11ea-bc2b-c8348e03e0b8","0933c1b9-c205-11ea-b166-c8348e03e0b8","0933c1ba-c205-11ea-ab65-c8348e03e0b8","0933c1bb-c205-11ea-b387-c8348e03e0b8","0933c1bc-c205-11ea-8f2f-c8348e03e0b8","0933c1bd-c205-11ea-ae6b-c8348e03e0b8","0933c1be-c205-11ea-8b45-c8348e03e0b8","0933c1bf-c205-11ea-8e65-c8348e03e0b8","0933c1c0-c205-11ea-b3d5-c8348e03e0b8","0933c1c1-c205-11ea-bdc4-c8348e03e0b8","0933c1c2-c205-11ea-a865-c8348e03e0b8","0933c1c3-c205-11ea-91fc-c8348e03e0b8","ddf44599-d5a6-11ea-930c-c8348e03e0b8","ddf4459a-d5a6-11ea-a6e8-c8348e03e0b8","ddf4459b-d5a6-11ea-85e5-c8348e03e0b8","ddf4459c-d5a6-11ea-bcd7-c8348e03e0b8","ddf4459d-d5a6-11ea-b154-c8348e03e0b8","ddf4459e-d5a6-11ea-b023-c8348e03e0b8","ddf4459f-d5a6-11ea-b7ce-c8348e03e0b8","ddf445a0-d5a6-11ea-8c67-c8348e03e0b8"]}},{"id":"container","displayName":"
Containers","related":{"tables":["AKSAudit","AKSAuditAdmin","AKSControlPlane","ArcK8sAudit","ArcK8sAuditAdmin","ArcK8sControlPlane","ContainerImageInventory","ContainerInventory","ContainerLog","ContainerLogV2","ContainerNetworkLogs","ContainerNodeInventory","ContainerRegistryLoginEvents","ContainerRegistryRepositoryEvents","ContainerServiceLog","Heartbeat","InsightsMetrics","KubeEvents","KubeMonAgentEvents","KubeNodeInventory","KubePVInventory","KubePodInventory","KubeServices","MeshControlPlane","Perf","RetinaNetworkFlowLogs"],"queries":["f47ac10b-58cc-4372-a567-0e02b2c3d479","d3b07384-d9a0-4c9d-8f00-6e7a9e7a8b0d","571b97f3-d68b-41eb-b1ac-6c40a38fbb4d","54bb9cdf-3eb8-4f1b-bb39-a2e578bceecb","39ef777f-53d8-400a-9d4e-d6e6946a538f","5bcdd75f-8eaf-4c5a-aa38-7c10a501d260","820ac966-e438-4fae-aef9-2d162ce23ced","39ef777f-53d8-400a-9d4e-d6e6946a538e","1f0b44f9-2a90-4d74-bd6f-32671f493c65","6d69a6ab-78ed-45c8-b5bb-557c2a096d54","5eea8814-60dd-4d3c-bec0-3c364c88e123","8146e954-5df5-4eaa-afe6-1cef6c158456","b2f5e8a1-4c3d-4e6f-9a7b-1c2d3e4f5a6b","c3a6f9b2-5d4e-4f7a-8b9c-2d3e4f5a6b7c","d4b7a0c3-6e5f-4a8b-9c0d-3e4f5a6b7c8d","e5c8b1d4-7f6a-4b9c-0d1e-4f5a6b7c8d9e","590ef5ae-7354-11ea-8b23-c8348e02520c","5911dbf1-7354-11ea-b34d-c8348e02520c","fa69eeb1-8569-11ea-8fe4-c8348e02520c","59d1df0c-9f8c-4d39-88b2-9c649b110aa3","fa6b98ca-8569-11ea-9445-c8348e02520c","fa6be679-8569-11ea-82ff-c8348e02520c","fa6c348e-8569-11ea-9b4a-c8348e02520c","fa6c82a3-8569-11ea-8c6c-c8348e02520c","fa6cf7e0-8569-11ea-9523-c8348e02520c","fa6d45fc-8569-11ea-9289-c8348e02520c","fa6e5843-8569-11ea-8d4b-c8348e02520c","fa6eccc5-8569-11ea-9088-c8348e02520c","fa6f41c2-8569-11ea-98c6-c8348e02520c","fa6f8fde-8569-11ea-a8f6-c8348e02520c","fa705446-8569-11ea-aa86-c8348e02520c","fa7200ef-8569-11ea-b3aa-c8348e02520c","fa724f0c-8569-11ea-931d-c8348e02520c","fa729d2f-8569-11ea-8e66-c8348e02520c","fa73fd03-8569-11ea-aa34-c8348e02520c","fa7471e0-8569-11ea-b6ce-c8348e02520c","fa74c014-8569-11ea-aa82-c8348e02520c"]}},{"id":"a
udit","displayName":"Audit","related":{"tables":["AACAudit","AADAgentRiskEvents","AADB2CRequestLogs","AADCustomSecurityAttributeAuditLogs","AADGraphActivityLogs","AADManagedIdentitySignInLogs","AADNonInteractiveUserSignInLogs","AADProvisioningLogs","AADRiskyAgents","AADRiskyServicePrincipals","AADRiskyUsers","AADServicePrincipalRiskEvents","AADServicePrincipalSignInLogs","AADUserRiskEvents","ACICollaborationAudit","ACLTransactionLogs","ACLUserDefinedLogs","ACRConnectedClientList","ACREntraAuthenticationAuditLog","ADFSSignInLogs","AEWAssignmentBlobLogs","AEWAuditLogs","AEWComputePipelinesLogs","AFSAuditLogs","AGCFirewallLogs","AGSGrafanaLoginEvents","AGSGrafanaUsageInsightsEvents","AGSUpdateEvents","AGWAccessLogs","AGWFirewallLogs","AGWPerformanceLogs","AHDSDeidAuditLogs","AHDSDicomAuditLogs","AKSAudit","AKSAuditAdmin","AMSKeyDeliveryRequests","AMSLiveEventOperations","AMSMediaAccountHealth","AMSStreamingEndpointRequests","AOIDatabaseQuery","AOIStorage","ASCAuditLogs","ASCDeviceEvents","ASRJobs","ASRReplicatedItems","ASRv2HealthEvents","ASRv2JobEvents","ASRv2ProtectedItems","ASRv2ReplicationExtensions","ASRv2ReplicationPolicies","ASRv2ReplicationVaults","AVNMConnectivityConfigurationChange","AVNMIPAMPoolAllocationChange","AVNMNetworkGroupMembershipChange","AVNMRuleCollectionChange","AZKVAuditLogs","AZKVPolicyEvaluationDetailsLogs","AZMSApplicationMetricLogs","AZMSArchiveLogs","AZMSAutoscaleLogs","AZMSCustomerManagedKeyUserLogs","AZMSDiagnosticErrorLogs","AZMSHybridConnectionsEvents","AZMSKafkaCoordinatorLogs","AZMSKafkaUserErrorLogs","AZMSOperationalLogs","AZMSRunTimeAuditLogs","AZMSVnetConnectionEvents","AegDataPlaneRequests","AgriFoodApplicationAuditLogs","AmlComputeInstanceEvent","AmlDataLabelEvent","AmlDataSetEvent","AmlDataStoreEvent","AmlDeploymentEvent","AmlEnvironmentEvent","AmlInferencingEvent","AmlModelsEvent","AmlOnlineEndpointConsoleLog","AmlOnlineEndpointEventLog","AmlOnlineEndpointTrafficLog","AmlPipelineEvent","AmlRegistryReadEventsLog","AmlRegistryWri
teEventsLog","AmlRunEvent","AppEnvSessionConsoleLogs","AppEnvSessionLifecycleLogs","AppEnvSessionPoolEventLogs","AppEnvSpringAppConsoleLogs","ArcK8sAudit","ArcK8sAuditAdmin","AzureActivity","AzureBackupOperations","AzureLoadTestingOperation","CCFApplicationLogs","CDBCassandraRequests","CDBControlPlaneRequests","CDBDataPlaneRequests","CDBDataPlaneRequests15M","CDBDataPlaneRequests5M","CDBGremlinRequests","CDBMongoRequests","CDBPartitionKeyRUConsumption","CDBPartitionKeyStatistics","CDBQueryRuntimeStatistics","CDBTableApiRequests","CIEventsAudit","CassandraAudit","ChaosStudioExperimentEventLogs","CloudHsmServiceOperationAuditLogs","CommunicationComplianceActivity","ContainerAppConsoleLogs","ContainerAppHTTPLogs","ContainerAppSystemLogs","ContainerEvent","ContainerInstanceLog","CopilotActivity","DatabricksApps","DatabricksBrickStoreHttpGateway","DatabricksBudgetPolicyCentral","DatabricksCloudStorageMetadata","DatabricksClusterPolicies","DatabricksDashboards","DatabricksDataMonitoring","DatabricksDataRooms","DatabricksFiles","DatabricksFilesystem","DatabricksGroups","DatabricksIngestion","DatabricksLakeviewConfig","DatabricksLineageTracking","DatabricksMarketplaceConsumer","DatabricksMarketplaceProvider","DatabricksOnlineTables","DatabricksPredictiveOptimization","DatabricksRBAC","DatabricksRFA","DatabricksVectorSearch","DatabricksWebhookNotifications","DatabricksWorkspaceFiles","DataverseActivity","DevCenterConnectionLogs","DevCenterDiagnosticLogs","DiscoveryBookshelfAuditLogs","DiscoverySupercomputerAuditLogs","DiscoveryWorkspaceAuditLogs","DurableTaskSchedulerLogs","EGNSuccessfulMqttConnections","EdgeActionConsoleLog","EdgeActionServiceLog","HDInsightGatewayAuditLogs","HDInsightRangerAuditLogs","LAQueryLogs","LedgerTransactionLogs","LedgerUserDefinedLogs","MPCIngestionLogs","MicrosoftGraphActivityLogs","MicrosoftGraphPolicyLogs","MicrosoftHealthcareApisAuditLogs","MicrosoftPurviewInformationProtection","MicrosoftServicePrincipalSignInLogs","MySqlAuditLogs","MySqlSlow
Logs","NSPAccessLogs","OEPAuditLogs","OEWAuditLogs","OracleCloudDatabase","PFTitleAuditLogs","PGSQLAutovacuumStats","PGSQLDbTransactionsStats","PGSQLPgBouncer","PGSQLPgStatActivitySessions","PGSQLQueryStoreQueryText","PGSQLQueryStoreRuntime","PGSQLQueryStoreWaits","PGSQLServerLogs","PowerAppsActivity","PowerAutomateActivity","PowerBIActivity","PowerPlatformAdminActivity","PowerPlatformConnectorActivity","PowerPlatformDlpActivity","QuantumProviderAccountJobAuditLogs","QuantumProviderAccountQueueAuditLogs","QuantumProviderAccountTargetAuditLogs","QuantumWorkspaceJobAuditLogs","REDConnectionEvents","SCGPoolExecutionLog","SCGPoolRequestLog","SVMPoolExecutionLog","SVMPoolRequestLog","SecurityCaseEvent","SentinelAudit","TOUserAudits","VCoreMongoRequests","VIAudit","WOUserAudits","Windows365AuditLogs","ZTSJobStatus","ZTSRequest"],"queries":["b30699d3-efa7-4341-acad-b0d745f57061","c72d1185-3401-4e65-9a9b-424730f26288","feb88498-7f52-4cbc-9893-a0eef24f8790","865a3ded-aeb4-473a-9f60-1af94374b5a2","1c9afed0-4e16-42f5-ace0-24b0b34d29d2","03e774ad-103e-42d5-b006-ba8b32754996","f1382f9e-b98d-44ca-bb27-72d5ece96dbf","f2599fa8-3ccd-41e1-a3a2-8f9bbcca9a9a","1d18188d-3133-4439-8e85-e9efaadad013","681582c5-1c89-4701-a256-608e82cbd0aa","c9ee41c4-5b23-4e04-a193-21ee5c4cfc8d","7147966e-f714-405b-b243-2c2d69e8b3fe","b0743562-0414-4fb9-a14b-fb1cfd5242b9","c7d2bca8-92e7-4c02-87f3-43aa0a0a2a3a","e1d8c76d-8a12-4e91-a04d-1aa38423af60","78169da5-08d5-4abb-a419-8abcae4b8279","711f80bd-d89f-4c07-84f6-e053b0d5c8ed","3eb92137-5019-4eb0-8a01-7480256befea","bc25e051-3518-4aa2-9493-2dc1abf176b1","acd263c0-a5a3-42cd-af74-d12df6f577e3","1c7e3db4-ce89-43b3-a951-b7948e6f4874","30a46f4f-dc1a-43e1-9fe4-c82750e218b3","dd5cd0fc-683c-4ace-a7da-ef6afd649407","09073e9b-334f-43b8-8b42-58ddf7e6b1e2","b2bd1ca4-8a33-11ec-8fd3-00155dd7661c","5d9df8e3-7ff1-45f5-9569-411f6ffacfc7","126a5c26-d357-4b03-a4bc-5e8fbd26a1b8","d196c718-afdf-4eb1-9849-4f236030f51b","10026928-5243-4850-82e5-e1c4c175bc15","163b3a0a-e23d-4648-aec
6-72906be0c027","dcfebdea-1637-46b9-8452-1979e9e30251","79cf6219-a0c3-4cac-a011-e5c02fc7cada","5bcdd75f-8eaf-4c5a-aa38-7c10a501d260","820ac966-e438-4fae-aef9-2d162ce23ced","39ef777f-53d8-400a-9d4e-d6e6946a538e","7c29ceda-72da-4398-befe-2a17722165b1","5bb1d784-35fa-4065-bcfe-d780877bb42a","9883e7d9-5df2-4ced-bd47-3fc5f34f3c7a","4ad830b9-b8b6-4e8e-a934-754d4ad2d959","1b1df069-ae9b-4026-876e-09b8d1c4cf12","b2f5e8a1-4c3d-4e6f-9a7b-1c2d3e4f5a6b","c3a6f9b2-5d4e-4f7a-8b9c-2d3e4f5a6b7c","d4b7a0c3-6e5f-4a8b-9c0d-3e4f5a6b7c8d","e5c8b1d4-7f6a-4b9c-0d1e-4f5a6b7c8d9e","5a5e640c-37d6-4f21-93c2-3287fd420ea3","d7328548-c02f-4461-a86d-ddea98534a3c","8ae09b10-bba7-4059-a179-4dd802f9dd28","4e376b4a-24d9-4110-9640-4c427e80af43","ddd81f93-5320-4626-ac94-a938757326a4","42dfde83-f564-4282-854d-612dfda54abf","e1629bb4-4c6e-49a1-a826-5627804b3dcf","d05ffa8d-2ca3-4a6b-9d91-2cee1feafc52","e4c56072-f3d4-4d90-89af-7b94cf0a80e1","44e16774-d990-4192-8fce-2e543e34633a","6f2a51a0-449a-4578-b715-4f634a4d084a","485749e7-4fa6-4e11-80f7-ef1696cd7736","517e9bd0-4635-44cd-9ddc-6f799d319de2","76378a5b-a5ed-4ad1-b0fa-8831475066be","a00b5597-266a-49b4-be69-ebf5606677a6","5206e354-d7a9-4eec-b3e9-7e5255a932a0","cfcdfea7-2e51-45b0-9d09-62a35900b151","7aef15d0-37cf-4db0-9691-fddd8508210b","0fc4a89c-1430-4422-816b-f3ead837b9c8","9dccb0ff-36b5-4682-b6ab-e7a4f085d782","fe1dd542-afb3-4b72-88c0-02e00a34608a","d4737f7d-28ee-4969-bf67-9065fd911210","09a0e87c-6410-4316-b7be-80b6592ca8e4","4bc9187e-5aec-464a-ba2f-86f07d1bc42b","a3b9cb07-69f5-4034-9b3d-c5f4ee3655c7","637510f2-9609-4eed-ad8d-8efc0bfe442a","cbcf3a45-5896-4020-abb3-bdc0c0581319","2079cc76-82bd-4deb-beb7-595a66c8e7b0","a1b2c3d4-1111-4aaa-bbbb-000000000001","a1b2c3d4-1111-4aaa-bbbb-000000000002","a1b2c3d4-1111-4aaa-bbbb-000000000003","a1b2c3d4-1111-4aaa-bbbb-000000000004","a1b2c3d4-1111-4aaa-bbbb-000000000005","a1b2c3d4-1111-4aaa-bbbb-000000000006","a1b2c3d4-1111-4aaa-bbbb-000000000007","a1b2c3d4-1111-4aaa-bbbb-000000000008","a1b2c3d4-1111-4aaa-bbbb-000000000
009","a1b2c3d4-1111-4aaa-bbbb-000000000010","a1b2c3d4-1111-4aaa-bbbb-000000000011","a1b2c3d4-1111-4aaa-bbbb-000000000012","a1b2c3d4-1111-4aaa-bbbb-000000000013","a1b2c3d4-1111-4aaa-bbbb-000000000014","16191aba-3eee-4973-b338-7077300f32e1","151d25cf-7e9a-48eb-98ff-fe39a595ddff","e159f354-4be5-40de-90cc-0152553aca5a","3f837a43-8382-465c-9681-cadd66b5755d","f986ae23-a5e3-4b1a-8c7f-d3209a0267a7","a68218d8-84d3-45ce-87c5-1ff89cbe9eaf","d42180dc-be37-4b53-9c02-302848dfff5f","6fabff7b-d466-43a6-b5e4-e91acd00a155","5de254d1-fd54-4468-a243-6756670c51ca","c72b0389-6dc7-40de-9e90-ce5ade614d46","427943d1-85ad-4fc2-b268-3da41e4a6c1a","e71bcfbf-4518-41ea-b013-80e249d62c28","bd46892d-853b-4b2e-a72d-040189673031","3888a9d5-61f3-43e1-af05-40cf805d0dc2","09097f08-6a4b-4747-a251-21dd4237d99a","4fec14fe-d662-4b6f-a3a6-4a6bfcfe55cb","83c3b089-8510-4925-8614-f7f36a04af0b","6c056893-0853-4a39-9638-35a5b0644363","61d8a45e-1589-489f-8d69-792c36fa8967","80ddf123-662f-408d-b1c9-1efcaee4ea25","3c0316ed-8069-4b75-8247-519398618f34","8c11b79a-eff0-439c-a54c-519a0cdc30cf","abca51a5-f135-4977-af75-46670f36017c","c50219bc-5393-40c6-b7aa-d5ac8cd065b8","c8e78040-e38f-46d1-a4ca-ec3fa1ea3c92","faffa3cc-01d7-4c65-9dcd-15c65d8db91f","54526cff-06de-4bec-bfa5-6909c04908bb","b61211bc-abef-4e01-b6f5-9154166f9021","8c1d6f16-f409-4be5-a36e-e7366e91fbc8","0f906ebd-a275-4f19-afb8-66956e3de6ba","d8825350-6728-45cd-8120-edf428e459f1","f41d96e1-a466-434c-96ba-f7ae31601398","bd908e0d-680a-40b9-88c2-b7fedf053c96","98ce5af3-de4d-45ac-91dc-b8a42f9bd2a4","f749c7ac-5407-4926-a42f-b8c684d6b169","6cba4bad-1a95-4970-9fc6-1a5f6936187b","c5ec4e2d-c7b3-42c3-9150-6ec344d62ee3","73917797-b07e-495f-874e-337d5c089123","3412a5f6-4520-4ac5-bd10-6b137a30845e","f88e66dd-2057-47d3-9758-3aab93c7602a","44a38a05-1147-4795-bd5e-fa808308375f","6b8cd500-15a6-4311-a97b-806710922c5a","c7ce5ec8-5650-443b-9690-f79167d4ad28","4fc5e32f-d276-4f01-b513-d28ff85ff632","11e2a947-7cac-4932-b08c-833ca8ed4b66","54954c67-9753-4acb-b9c4-647ed5eb8962","09eb4
7e3-0af5-4434-9e49-a71e5c3ceeb4","3b6c64fc-9624-45d4-8ca9-387fb3996ecf","f17b9109-4747-4ce4-94d1-bffc4bc04e18","4aa5f9aa-2eea-4297-95b4-37143a962df5","4a8a8d90-af11-1302-7556-02c1a6c4287f","307938f2-3ebe-e1dd-e6cd-60181b631133","c6b38466-c4e7-4b51-59c6-9dc6ab8b7d56","8abfa818-c87f-81c7-99ef-fa38d0c750b3","ae89676f-3dbe-495a-a5e6-b9673afe98ca","58719d71-dd9e-4c0c-9405-2e3d5a47f10a","f3b8ad66-b178-49bf-b165-31c2896c406b","9e1062d5-b526-42d0-9d46-80ec8604da4d","62ae5228-928d-4ef8-a383-3d3793dec41c","89e77e30-828d-4e3d-96a2-d28befa4275b","c6eb80df-d93e-451d-8a78-500adeb829ca","4a4819f6-4d4f-4c1e-8f9f-445c957af054","78b49d99-ccb7-4791-ba0c-73fbf2104daa","9edff33b-7951-4601-a50b-1da5fea7a127","3b374e0c-6e5c-4367-88a8-10d265ce5e42","3d08f663-9b40-4dcb-824c-e073806d5257","8b5511d4-2df9-445f-ac8c-183615aeff4f","b098e967-079a-4467-898a-8568b6f96f6a","e5d93d90-7ff9-4c4d-b46f-5bc037afa284","7308fa13-7b01-48d3-b9b6-8ac464ba5b3f","fba0fd35-f822-4df0-bc10-2ca0d9041d63","ecdcd5a9-ac4e-4e24-9ce6-bcb9b2e0cfa6","1b582828-0234-4b71-9949-c9e08be3bc04","3a2a2aea-8ada-497f-8ff1-e3a01c2469da","9788de8c-73da-4b6f-b259-28f89c8f8964","1d326b1d-b84f-475a-9ce6-78dc33d33461","2f7096f6-093c-4c1d-bd85-b47737aa1aa7","0bd960eb-b761-4ff6-bf0e-73bc57590734","30005149-f6be-42fc-871c-65b45fbb7891","a4934395-ec10-438d-8dfa-b01b44f86c65","def050d2-9447-4229-8a62-b980bb38ca9a","a1b2c3d4-e5f6-7890-abcd-ef1234567890","b2c3d4e5-f6g7-8901-bcde-f12345678901","c3d4e5f6-g7h8-9012-cdef-123456789012","e5f6g7h8-i9j0-1234-efgh-345678901234","f6g7h8i9-j0k1-2345-fghi-456789012345","d5f248e0-45a6-45a7-9bd2-8ef963d39a05","d6a06676-95e8-4632-b949-44bc00f0793f","d5eec317-3dee-4aa9-92ec-28af5f25242f","8c391e1d-f7d0-4a0b-bab1-a0fc8978e108","af2a6875-f636-497f-a721-10070b187d3a","65800d1d-80dd-4792-a147-5ce60fdd84bb","9fb56969-bd66-46b7-9c43-1aae797a302a","52f7ea87-5e0f-4366-90fa-d73f627b3bc6","bffd4ec5-3957-408c-9831-3f49a4614e93","c4cdf677-7d39-4fc9-9894-e2264e719916","1ef86e81-77c6-467a-a7a6-f5769f1df2f2","b81828c9-f1b6-49
01-8705-744199b363c5","ed8f4b3c-4e68-47a7-98d8-86e8dae96466","a933b563-1729-4a4a-aae6-0918df2a3762","260cbcfa-559a-416b-b97d-31c385b384be","f6dd9440-131a-478c-a85d-815c5ee81fc6","5bac9c74-6e1e-4a67-8693-9661cc3fdb1e","7cef51e4-3e2a-4090-9227-9d5940c8e542","0d314981-ea13-468d-9693-08f17978b07c","ee407f4b-01d9-4867-99d6-b69f9cbc48fb","23669822-eee9-4fc7-ad01-3002e4e1f2c7","14f5f1bb-1d32-4c36-8cec-3fb5669f116b","bd1a9d5b-a31e-4b0e-8e32-ae4fdf667edd","4c761634-8075-45d0-bb0a-17020cedd849","d1fadd92-2480-461a-b576-9fd63214c197","ef05fc29-2ade-40c0-8a2b-a5e44c96d864","b95779e5-8cae-4d4e-9caa-8d4c463946a2","73336bb3-52b5-4005-8130-45c6385ae708","a9d27e1b-1088-4da5-bc78-a772659f6977","245b67bd-f04d-4a9f-9008-964dca98fd67","7908b709-0d81-459e-a0df-5f18d05ebebe","74fd0091-7a1e-4da7-bea1-6b8dfb84646d","7f315593-1fb7-1749-91e9-618eaed5990c","fa0c8117-6153-11ea-8cb3-c8348e025209","fa0ef211-6153-11ea-8bab-c8348e025209","fa1078e9-6153-11ea-a498-c8348e025209","fa112e83-6153-11ea-b11d-c8348e025209","fa117c9a-6153-11ea-9c29-c8348e025209","fa11cab7-6153-11ea-8733-c8348e025209","fa1320ea-6153-11ea-90da-c8348e025209","fa136ede-6153-11ea-857e-c8348e025209","1b3ab4e9-735e-11ea-bd69-c8348e02520c","1b3c1ae5-735e-11ea-9058-c8348e02520c","188b66fe-8564-11ea-b1c6-c8348e02520c","188bdc5b-8564-11ea-be3c-c8348e02520c","39559e97-8564-11ea-b62e-c8348e02520c","3955ecb1-8564-11ea-9064-c8348e02520c","f05c7a2c-8564-11ea-9d91-c8348e02520c","f05cc7e5-8564-11ea-bd57-c8348e02520c","c593ffdc-9b80-11ea-9200-c8348e02520c","f82e75b9-dd42-11ea-a8b1-c8348e03e0b8","bb5ff65d-0c7f-11eb-be85-c8348e03e0b8","bb60447f-0c7f-11eb-9344-c8348e03e0b8","bb604480-0c7f-11eb-828b-c8348e03e0b8","bb604481-0c7f-11eb-a61d-c8348e03e0b8","bb604482-0c7f-11eb-9834-c8348e03e0b8","bb604483-0c7f-11eb-b808-c8348e03e0b8","bb604484-0c7f-11eb-bef2-c8348e03e0b8","bb604485-0c7f-11eb-b2cf-c8348e03e0b8","bb604486-0c7f-11eb-ab5c-c8348e03e0b8","a4288de6-1d24-11eb-9472-c8348e03e0b8","a42903d6-1d24-11eb-8648-c8348e03e0b8","a42903d7-1d24-11eb-afed-c83
48e03e0b8","a42903d8-1d24-11eb-aa16-c8348e03e0b8"],"functions":["bd5b5b75-dad2-40f2-b2f1-a58a0b41106d","7625213e-e8e7-433c-9f64-fdc984ad7ee0","cd3f45c0-2b70-42d9-bbad-cbbe7f3ee715","86401b72-78ca-46bd-a1ef-2f63d9230a5c","d6dad52a-5669-4cb4-bbbe-d5d1e4f9435d","2d003852-e92b-49b3-b12e-164332b0edab","f7a72ca9-df71-4cfb-811a-ea70469f3e3f"]}},{"id":"desktopanalytics","displayName":"Desktop Analytics","related":{"tables":["DHAppReliability","DHDriverReliability","DHLogonFailures","DHLogonMetrics","DHOSCrashData","DHOSReliability","DHWipAppLearning","MAApplication","MAApplicationHealth","MAApplicationHealthAlternativeVersions","MAApplicationHealthIssues","MAApplicationInstance","MAApplicationInstanceReadiness","MAApplicationReadiness","MADeploymentPlan","MADevice","MADeviceNRT","MADeviceNotEnrolled","MADeviceReadiness","MADriverInstanceReadiness","MADriverReadiness","MAOfficeAddin","MAOfficeAddinHealthEventNRT","MAOfficeAddinInstance","MAOfficeAddinReadiness","MAOfficeAppInstance","MAOfficeAppReadiness","MAOfficeBuildInfo","MAOfficeCurrencyAssessment","MAOfficeSuiteInstance","MAProposedPilotDevices","MAWindowsBuildInfo","MAWindowsCurrencyAssessment","MAWindowsCurrencyAssessmentDailyCounts","MAWindowsDeploymentStatus","UAApp","UAComputer","UAComputerRank","UADriver","UADriverProblemCodes","UAFeedback","UAIESiteDiscovery","UAOfficeAddIn","UAProposedActionPlan","UASysReqIssue","UAUpgradedComputer","UCDOAggregatedStatus","UCDOStatus","WDAVStatus","WDAVThreat","WUDOAggregatedStatus","WUDOStatus","WaaSDeploymentStatus","WaaSInsiderStatus","WaaSUpdateStatus"],"queries":["6c73ae0a-50af-46ee-9ff1-e19b1d3d9a0b","367b4e64-9488-45f8-94fa-88905a332c73","f82e75c3-dd42-11ea-9a7f-c8348e03e0b8","f82e75c4-dd42-11ea-a402-c8348e03e0b8","f82e75c5-dd42-11ea-8046-c8348e03e0b8","f82e75c6-dd42-11ea-8b94-c8348e03e0b8","f82e75c7-dd42-11ea-8a63-c8348e03e0b8","f82e75c8-dd42-11ea-9781-c8348e03e0b8","f82e75c9-dd42-11ea-a3ab-c8348e03e0b8","f82e75ca-dd42-11ea-a4de-c8348e03e0b8","f3993b22-e78f-11ea-8d7e-c8
348e03e0b8","f3998942-e78f-11ea-b0a9-c8348e03e0b8"]}},{"id":"workloads","displayName":"Workloads","related":{"tables":["ADAssessmentRecommendation","ADReplicationResult","ADSecurityAssessmentRecommendation","AzureAssessmentRecommendation","AzureSQLAutomaticTuning","AzureSQLBlocks","AzureSQLDatabaseWaitStatistics","AzureSQLDeadlocks","AzureSQLErrors","AzureSQLQueryStoreRuntimeStatistics","AzureSQLQueryStoreWaitStatistics","AzureSQLResourceUsageStats","AzureSQLTimeouts","DeviceAppCrash","DeviceAppLaunch","DeviceCalendar","DeviceCleanup","DeviceConnectSession","DeviceEtw","DeviceHardwareHealth","DeviceHealth","DeviceHeartbeat","DeviceSkypeHeartbeat","DeviceSkypeSignIn","ExchangeAssessmentRecommendation","ExchangeOnlineAssessmentRecommendation","SCCMAssessmentRecommendation","SCOMAssessmentRecommendation","SPAssessmentRecommendation","SQLAssessmentRecommendation","SfBAssessmentRecommendation","SfBOnlineAssessmentRecommendation","SharePointOnlineAssessmentRecommendation","SqlVulnerabilityAssessmentResult","WindowsClientAssessmentRecommendation","WindowsServerAssessmentRecommendation","WorkloadDiagnosticLogs","WorkloadMonitoringPerf"],"queries":["0d32e6ff-9894-415e-a981-2e9e5f76bd78","a1b2c3d4-e5f6-4192-8fce-2e543e34633b","a1b2c3d4-e5f6-4192-8fce-2e543e34633c","a1b2c3d4-e5f6-4192-8fce-2e543e34633d","a1b2c3d4-e5f6-4192-8fce-2e543e34633e","a1b2c3d4-e5f6-4192-8fce-2e543e34633f","a1b2c3d4-e5f6-4192-8fce-2e543e346341","a1b2c3d4-e5f6-4192-8fce-2e543e346343","a1b2c3d4-e5f6-4192-8fce-2e543e346345","a1b2c3d4-e5f6-4192-8fce-2e543e346348","a5c31bf6-314c-4c77-9144-eacc566de521","a3e072ef-5aa5-484a-9641-11485b55cb42","fa6f41c2-8569-11ea-98c6-c8348e02520c","fa73fd03-8569-11ea-aa34-c8348e02520c","18879673-8564-11ea-b38b-c8348e02520c","188a2ec5-8564-11ea-b3bc-c8348e02520c","188aa3a9-8564-11ea-bf1e-c8348e02520c","188b66fe-8564-11ea-b1c6-c8348e02520c","188bdc5b-8564-11ea-be3c-c8348e02520c","39530689-8564-11ea-a825-c8348e02520c","3953c9e1-8564-11ea-90b5-c8348e02520c","395417f2-8564-11ea-a1f
a-c8348e02520c","39559e97-8564-11ea-b62e-c8348e02520c","3955ecb1-8564-11ea-9064-c8348e02520c","f057bedc-8564-11ea-bde7-c8348e02520c","f059e1be-8564-11ea-baa5-c8348e02520c","f05a2fd3-8564-11ea-b82c-c8348e02520c","f05a7df3-8564-11ea-8cd4-c8348e02520c","f05af337-8564-11ea-8713-c8348e02520c","f05b415a-8564-11ea-8e4c-c8348e02520c","f05c7a2c-8564-11ea-9d91-c8348e02520c","f05cc7e5-8564-11ea-bd57-c8348e02520c","f05d162a-8564-11ea-9b09-c8348e02520c","f05d8b32-8564-11ea-be76-c8348e02520c","f05dd951-8564-11ea-a396-c8348e02520c","f05f601a-8564-11ea-9958-c8348e02520c","f05ffc32-8564-11ea-8128-c8348e02520c","f0604a53-8564-11ea-9866-c8348e02520c","f061a449-8564-11ea-8a9c-c8348e02520c","f0621953-8564-11ea-904e-c8348e02520c","51c952ba-a025-11ea-9f63-c8348e02520c","51cb9cb0-a025-11ea-9b66-c8348e02520c","51cc86f0-a025-11ea-ae39-c8348e02520c","51ce5ba9-a025-11ea-b3d9-c8348e02520c","51cef7f8-a025-11ea-94ac-c8348e02520c","51d07f71-a025-11ea-bd43-c8348e02520c","ddf445a1-d5a6-11ea-aba2-c8348e03e0b8","ddf445a2-d5a6-11ea-be86-c8348e03e0b8","ddf445a3-d5a6-11ea-8248-c8348e03e0b8","ddf445a4-d5a6-11ea-9289-c8348e03e0b8","ddf445a5-d5a6-11ea-8158-c8348e03e0b8","ddf445a6-d5a6-11ea-b3b7-c8348e03e0b8","ddf445a7-d5a6-11ea-aae9-c8348e03e0b8","ddf445a9-d5a6-11ea-b635-c8348e03e0b8","ddf445aa-d5a6-11ea-8aae-c8348e03e0b8","ddf445ab-d5a6-11ea-8a6f-c8348e03e0b8","ddf445ac-d5a6-11ea-b1c0-c8348e03e0b8","ddf445ad-d5a6-11ea-af86-c8348e03e0b8","ddf445ae-d5a6-11ea-a8f6-c8348e03e0b8"]}},{"id":"resources","displayName":"Azure 
Resources","related":{"tables":["AACHttpRequest","AADDomainServicesAccountLogon","AADDomainServicesAccountManagement","AADDomainServicesDirectoryServiceAccess","AADDomainServicesLogonLogoff","AADDomainServicesPolicyChange","AADDomainServicesPrivilegeUse","AADDomainServicesSystemSecurity","ABSBotRequests","ACICollaborationAudit","ACLTransactionLogs","ACLUserDefinedLogs","ACRConnectedClientList","ACREntraAuthenticationAuditLog","ACSAdvancedMessagingOperations","ACSAuthIncomingOperations","ACSBillingUsage","ACSCallAutomationIncomingOperations","ACSCallAutomationMediaSummary","ACSCallAutomationStreamingUsage","ACSCallClientMediaStatsTimeSeries","ACSCallClientOperations","ACSCallClientServiceRequestAndOutcome","ACSCallClosedCaptionsSummary","ACSCallDiagnostics","ACSCallDiagnosticsUpdates","ACSCallRecordingIncomingOperations","ACSCallRecordingSummary","ACSCallSummary","ACSCallSummaryUpdates","ACSCallSurvey","ACSCallingMetrics","ACSChatIncomingOperations","ACSEmailSendMailOperational","ACSEmailStatusUpdateOperational","ACSEmailUserEngagementOperational","ACSJobRouterIncomingOperations","ACSOptOutManagementOperations","ACSRoomsIncomingOperations","ACSSMSIncomingOperations","ADFActivityRun","ADFPipelineRun","ADFSandboxActivityRun","ADFSandboxPipelineRun","ADFTriggerRun","ADGSyslogEvent","ADTDataHistoryOperation","ADTDigitalTwinsOperation","ADTEventRoutesOperation","ADTModelsOperation","ADTQueryOperation","ADXJournal","ADXTableDetails","AEWAssignmentBlobLogs","AEWAuditLogs","AEWComputePipelinesLogs","AFSAuditLogs","AGCAccessLogs","AGCFirewallLogs","AGSGrafanaLoginEvents","AGSGrafanaUsageInsightsEvents","AGSUpdateEvents","AGWAccessLogs","AGWFirewallLogs","AGWPerformanceLogs","AHCIDiagnosticLogs","AHDSDeidAuditLogs","AHDSDicomAuditLogs","AHDSDicomDiagnosticLogs","AHDSMedTechDiagnosticLogs","AKSAudit","AKSAuditAdmin","AKSControlPlane","ALBHealthEvent","AMSKeyDeliveryRequests","AMSLiveEventOperations","AMSMediaAccountHealth","AMSStreamingEndpointRequests","AMWMetricsUsageDetails"
,"ANFFileAccess","ANFTopClientReadIOPS","ANFTopClientWriteIOPS","ANFTopFileReadIOPS","ANFTopFileWriteIOPS","AOIDatabaseQuery","AOIStorage","ASCAuditLogs","ASCDeviceEvents","ATCExpressRouteCircuitIpfix","ATCMicrosoftPeeringMetadata","ATCPrivatePeeringMetadata","AVNMConnectivityConfigurationChange","AVNMIPAMPoolAllocationChange","AVNMNetworkGroupMembershipChange","AVNMRuleCollectionChange","AZFWFlowTrace","AZKVAuditLogs","AZKVPolicyEvaluationDetailsLogs","AZMSApplicationMetricLogs","AZMSArchiveLogs","AZMSAutoscaleLogs","AZMSCustomerManagedKeyUserLogs","AZMSHybridConnectionsEvents","AZMSKafkaCoordinatorLogs","AZMSKafkaUserErrorLogs","AZMSOperationalLogs","AZMSVnetConnectionEvents","AddonAzureBackupAlerts","AddonAzureBackupJobs","AddonAzureBackupPolicy","AddonAzureBackupProtectedInstance","AddonAzureBackupStorage","AegDataPlaneRequests","AegDeliveryFailureLogs","AegPublishFailureLogs","AgriFoodApplicationAuditLogs","AgriFoodFarmManagementLogs","AgriFoodFarmOperationLogs","AgriFoodInsightLogs","AgriFoodJobProcessedLogs","AgriFoodModelInferenceLogs","AgriFoodProviderAuthLogs","AgriFoodSatelliteLogs","AgriFoodSensorManagementLogs","AgriFoodWeatherLogs","AmlComputeClusterEvent","AmlComputeClusterNodeEvent","AmlComputeCpuGpuUtilization","AmlComputeInstanceEvent","AmlComputeJobEvent","AmlDataLabelEvent","AmlDataSetEvent","AmlDataStoreEvent","AmlDeploymentEvent","AmlEnvironmentEvent","AmlInferencingEvent","AmlModelsEvent","AmlOnlineEndpointConsoleLog","AmlOnlineEndpointEventLog","AmlOnlineEndpointTrafficLog","AmlPipelineEvent","AmlRegistryReadEventsLog","AmlRegistryWriteEventsLog","AmlRunEvent","AmlRunStatusChangedEvent","ApiManagementGatewayLogs","ApiManagementWebSocketConnectionLogs","AppEnvSessionConsoleLogs","AppEnvSessionLifecycleLogs","AppEnvSessionPoolEventLogs","AppEnvSpringAppConsoleLogs","AppPlatformContainerEventLogs","AppPlatformIngressLogs","AppPlatformLogsforSpring","AppPlatformSystemLogs","AppServiceAntivirusScanAuditLogs","AppServiceAppLogs","AppServiceAuditLog
s","AppServiceAuthenticationLogs","AppServiceConsoleLogs","AppServiceFileAuditLogs","AppServiceHTTPLogs","AppServicePlatformLogs","ArcK8sAudit","ArcK8sAuditAdmin","ArcK8sControlPlane","AuditLogs","AutoscaleEvaluationsLog","AutoscaleScaleActionsLog","AzureActivity","AzureAttestationDiagnostics","AzureDiagnostics","AzureLoadTestingOperation","AzureMetrics","AzureMetricsV2","AzureMonitorPipelineLogErrors","BlockchainApplicationLog","BlockchainProxyLog","CCFApplicationLogs","CDBCassandraRequests","CDBControlPlaneRequests","CDBDataPlaneRequests","CDBDataPlaneRequests15M","CDBDataPlaneRequests5M","CDBGremlinRequests","CDBMongoRequests","CDBPartitionKeyRUConsumption","CDBPartitionKeyStatistics","CDBQueryRuntimeStatistics","CDBTableApiRequests","CIEventsAudit","CIEventsOperational","ChaosStudioExperimentEventLogs","CloudHsmServiceOperationAuditLogs","ContainerAppConsoleLogs","ContainerAppHTTPLogs","ContainerAppSystemLogs","ContainerEvent","ContainerInstanceLog","CoreAzureBackup","DCRLogErrors","DNSQueryLogs","DSMDataClassificationLogs","DSMDataLabelingLogs","DataSetOutput","DataSetRuns","DataTransferOperations","DatabricksAccounts","DatabricksApps","DatabricksBrickStoreHttpGateway","DatabricksBudgetPolicyCentral","DatabricksCapsule8Dataplane","DatabricksClamAVScan","DatabricksCloudStorageMetadata","DatabricksClusterLibraries","DatabricksClusterPolicies","DatabricksClusters","DatabricksDBFS","DatabricksDashboards","DatabricksDataMonitoring","DatabricksDataRooms","DatabricksDatabricksSQL","DatabricksDeltaPipelines","DatabricksFeatureStore","DatabricksFiles","DatabricksFilesystem","DatabricksGenie","DatabricksGitCredentials","DatabricksGlobalInitScripts","DatabricksGroups","DatabricksIAMRole","DatabricksIngestion","DatabricksInstancePools","DatabricksJobs","DatabricksLakeviewConfig","DatabricksLineageTracking","DatabricksMLflowAcledArtifact","DatabricksMLflowExperiment","DatabricksMarketplaceConsumer","DatabricksMarketplaceProvider","DatabricksModelRegistry","DatabricksNoteboo
k","DatabricksOnlineTables","DatabricksPartnerHub","DatabricksPredictiveOptimization","DatabricksRBAC","DatabricksRFA","DatabricksRemoteHistoryService","DatabricksRepos","DatabricksSQLPermissions","DatabricksSSH","DatabricksSecrets","DatabricksServerlessRealTimeInference","DatabricksTables","DatabricksUnityCatalog","DatabricksVectorSearch","DatabricksWebTerminal","DatabricksWebhookNotifications","DatabricksWorkspace","DatabricksWorkspaceFiles","DevCenterAgentHealthLogs","DevCenterBillingEventLogs","DevCenterConnectionLogs","DevCenterDiagnosticLogs","DevCenterResourceOperationLogs","DurableTaskSchedulerLogs","EGNFailedHttpDataPlaneOperations","EGNFailedMqttConnections","EGNFailedMqttPublishedMessages","EGNFailedMqttSubscriptions","EGNMqttDisconnections","EGNSuccessfulHttpDataPlaneOperations","EGNSuccessfulMqttConnections","FailedIngestion","FunctionAppLogs","HDInsightAmbariClusterAlerts","HDInsightAmbariSystemMetrics","HDInsightGatewayAuditLogs","HDInsightHBaseLogs","HDInsightHBaseMetrics","HDInsightHadoopAndYarnLogs","HDInsightHadoopAndYarnMetrics","HDInsightHiveAndLLAPLogs","HDInsightHiveAndLLAPMetrics","HDInsightHiveQueryAppStats","HDInsightHiveTezAppStats","HDInsightJupyterNotebookEvents","HDInsightKafkaLogs","HDInsightKafkaMetrics","HDInsightOozieLogs","HDInsightRangerAuditLogs","HDInsightSecurityLogs","HDInsightSparkApplicationEvents","HDInsightSparkBlockManagerEvents","HDInsightSparkEnvironmentEvents","HDInsightSparkExecutorEvents","HDInsightSparkExtraEvents","HDInsightSparkJobEvents","HDInsightSparkLogs","HDInsightSparkSQLExecutionEvents","HDInsightSparkStageEvents","HDInsightSparkStageTaskAccumulables","HDInsightSparkTaskEvents","HDInsightStormLogs","HDInsightStormMetrics","HDInsightStormTopologyMetrics","InsightsMetrics","LAJobLogs","LASummaryLogs","LIATrackingEvents","LedgerTransactionLogs","LedgerUserDefinedLogs","LogicAppWorkflowRuntime","MCCEventLogs","MCVPAuditLogs","MCVPOperationLogs","MDPResourceLog","MeshControlPlane","MicrosoftAzureBastionAuditLogs
","MicrosoftDataShareReceivedSnapshotLog","MicrosoftDataShareSentSnapshotLog","MicrosoftHealthcareApisAuditLogs","MySqlAuditLogs","MySqlSlowLogs","NCBMBreakGlassAuditLogs","NCBMSecurityDefenderLogs","NCBMSecurityLogs","NCBMSystemLogs","NCCIDRACLogs","NCCKubernetesAPIAuditLogs","NCCKubernetesLogs","NCCPlatformOperationsLogs","NCCVMOrchestrationLogs","NCMClusterOperationsLogs","NCSStorageAlerts","NCSStorageAudits","NCSStorageLogs","NGXOperationLogs","NGXSecurityLogs","NSPAccessLogs","NatGatewayFlowlogsV1","NginxUpstreamUpdateLogs","OEPAirFlowTask","OEPAuditLogs","OEPDataplaneLogs","OEPElasticOperator","OEPElasticsearch","OEWAuditLogs","OLPSupplyChainEntityOperations","OLPSupplyChainEvents","PFTitleAuditLogs","PGSQLAutovacuumStats","PGSQLDbTransactionsStats","PGSQLPgBouncer","PGSQLPgStatActivitySessions","PGSQLQueryStoreQueryText","PGSQLQueryStoreRuntime","PGSQLQueryStoreWaits","PGSQLServerLogs","PerfInsightsFindings","PerfInsightsImpactedResources","PerfInsightsRun","PowerBIDatasetsTenant","PowerBIDatasetsWorkspace","PurviewDataSensitivityLogs","PurviewScanStatusLogs","PurviewSecurityLogs","REDConnectionEvents","ResourceManagementPublicAccessLogs","SQLSecurityAuditEvents","ServiceFabricOperationalEvent","ServiceFabricReliableActorEvent","ServiceFabricReliableServiceEvent","SignalRServiceDiagnosticLogs","SigninLogs","StorageBlobLogs","StorageCacheOperationEvents","StorageCacheUpgradeEvents","StorageCacheWarningEvents","StorageFileLogs","StorageMalwareScanningResults","StorageMoverAuditLogs","StorageMoverCopyLogsFailed","StorageMoverCopyLogsTransferred","StorageMoverJobRunLogs","StorageQueueLogs","StorageTableLogs","SucceededIngestion","SynapseBigDataPoolApplicationsEnded","SynapseBuiltinSqlPoolRequestsEnded","SynapseDXCommand","SynapseDXFailedIngestion","SynapseDXIngestionBatching","SynapseDXQuery","SynapseDXSucceededIngestion","SynapseDXTableDetails","SynapseDXTableUsageStatistics","SynapseGatewayApiRequests","SynapseIntegrationActivityRuns","SynapseIntegrationPipelin
eRuns","SynapseIntegrationTriggerRuns","SynapseLinkEvent","SynapseRbacOperations","SynapseScopePoolScopeJobsEnded","SynapseScopePoolScopeJobsStateChange","SynapseSqlPoolDmsWorkers","SynapseSqlPoolExecRequests","SynapseSqlPoolRequestSteps","SynapseSqlPoolSqlRequests","SynapseSqlPoolWaits","TOUserAudits","TOUserDiagnostics","TSIIngress","VIIndexing","WOUserAudits","WOUserDiagnostics","WebPubSubConnectivity","WebPubSubHttpRequest","WebPubSubMessaging","ZTSJobStatus","ZTSRequest"],"queries":["a4d5c564-f185-450d-9024-ac003c4f96a9","97234902-0236-4821-a438-d52c8a80a8ba","f3518255-2374-448a-878a-d5d4457da11c","b093d561-a33c-4997-a3b1-cb82f2b97c05","26b400a2-3108-4cdd-bdc9-b6889b0ecfb7","5d179a0d-ce8a-40ed-89d0-5a5eef4f5891","a9d9a6a2-de65-4f82-aca1-17f78df08b34","d3556a69-bce6-4f66-8611-5c41237c7593","39ef777f-53d8-400a-9d4e-d6e6946a538f","edffa3dc-fbae-42e7-a972-8639d323cacf","c8e2cc5e-c9e3-499c-93ef-56ffe79e9bba","4a6eac8a-736f-4f1b-a237-f5801daedbff","e68dd16c-3295-43e8-aae2-09870e143b67","681582c5-1c89-4701-a256-608e82cbd0aa","c9ee41c4-5b23-4e04-a193-21ee5c4cfc8d","03c620a0-e64b-46dd-8337-092d17106f96","4b3c3ebd-fba6-49a4-8709-7507a347a969","31a88ff8-4608-4645-ab18-4b09871b07ea","c8258837-c1bd-456c-961f-14bf71748f79","d6aaf873-8082-4960-aba0-146eb0414a27","9b285dc2-6dc7-454a-aaa0-d3113cdb8825","07f7133f-baae-444c-a1a1-2e0b6caf09c2","7147966e-f714-405b-b243-2c2d69e8b3fe","b0743562-0414-4fb9-a14b-fb1cfd5242b9","c7d2bca8-92e7-4c02-87f3-43aa0a0a2a3a","e1d8c76d-8a12-4e91-a04d-1aa38423af60","78169da5-08d5-4abb-a419-8abcae4b8279","711f80bd-d89f-4c07-84f6-e053b0d5c8ed","afece89a-eed3-4aa4-ba30-dfb7edd8b429","d72355a1-1cc9-405c-bfbb-02dfc41cfd5f","f2291767-c2a3-4865-8f70-f4f5adca5dd2","9812504c-00a6-42c4-9cd6-b1532480a3cf","4a0cdc80-bf62-498e-98e8-e52804a8a766","2e541dc6-bf82-4fcc-9e57-1faedbbfa48a","c0e3ac32-7bc7-45b0-bbd1-4f2ab8abc70e","f3712c70-6f28-4cb2-9ff1-ba35854115a2","66ffdd36-8574-4622-b269-d4965e5d8b1d","28e284cb-faf4-4577-92a6-1fa73eed18bc","8dc3bc93-2339-4035-8a92-
b67f48f5d972","ca2d21c4-ac33-4ac0-88a9-ee2208e01ab7","050dc234-d6a1-4408-8c5e-dc61d81a2f57","d5195a1a-c7ab-4f2a-8720-6b3f5c544df0","cc68c95a-8de0-4c40-8394-537a00437ea7","056f1614-fffa-4286-be6b-fd614dfa4dc5","be71a17c-5ffd-4215-ab19-2ead19f56396","cf4f8822-721b-4bf0-91a8-6d0b7937047c","4E309B85-22D3-4D75-96FA-E507BED0DFC4","9E690E1D-16C2-4476-A233-ECD3D3EC3815","60802B04-BD2C-455E-B18D-ABCE28675B11","44E70EDA-FA17-4B40-BF7A-4CD476525EB4","e89a42f7-5318-4ca1-a0d9-2f105543a1bf","7d6310c2-4c88-45c4-9e4d-9feab95f84f8","d64d18e9-1c75-4b3b-a6c9-acd67a6f55f6","8db4823c-7f3d-4d5a-89db-5b5f5eb2a4a9","a4b6d7c9-8e6f-4a3b-81c3-1f9d6e7b8a2c","6f935ea8-7c95-4f6b-a13a-16af03485d29","894a51a8-1e91-4ac1-b7d8-156894eb06c2","7fb10cd3-ed0f-4a4b-a00c-a039d3e6ccbc","a634f34d-b0b7-4e06-9f63-9323011e23ea","6d965ac8-a8c6-4831-80d3-5c51275100d5","6f1bc254-caa7-4598-a714-d3ec267e2eee","61a39dfb-f069-4639-a650-ef6c292cfc7b","25852cd3-2216-49ad-a492-6778b4854c5c","b061d0cf-21c1-4b76-b890-caf0dd3ce71e","7f3d1936-3775-429b-bfd7-dc9b2ba60c64","40461cde-9c28-4bb0-a227-f6a1a7467541","b42ac607-c76d-438a-b76a-33acb4e54138","b67c8c54-3f67-47b2-b452-16fb84ed417c","9e8fe6f0-8c27-4177-aa41-e49f1e7450be","78bcf04a-0b38-4996-9f4e-7372e9c2d020","98d0fd24-6a32-435f-96ac-2581938a8416","440010c7-039e-4ef3-9e9e-edd4d3771257","7a167d23-5ea5-481e-bbb6-fd19699af0ba","b91f0d9c-d737-426a-8f82-ae437dd9f96a","8d00c931-20c2-407b-9259-1ae4c88b028d","36fbf974-5e1b-4769-87fa-225eaa89d5f7","c9644b48-1200-4111-8f62-b0149217257e","a2922c7d-f507-4475-aa51-05d132d74533","016bbfac-c423-4c25-83e5-53853c691c9c","b4cdbea5-9617-4b09-b176-50240a07ba65","f6011a1e-5ed2-4965-b7fb-62ed5ac0ffd9","a21345ab2-4eb1-1323-c5ba-64ad3bd3ga25","f05244sn2-5ed2-4965-b7fb-62ee5ac0fh21","a03245sn2-5ac1-5745-a7eb-12ce5bc0fa23","e23137ab2-1ba3-2526-a3eb-14bd1bc1gb31","b13345ab2-5ea1-3436-a5eb-24ad2bc4gb31","c22325ab2-5ea1-3436-a5eb-14ad2ac4gb31","b22325db4-5ea1-3436-a5eb-14ad2ab4gb31","d22137ab2-6ba3-2426-a2eb-14ad1bc1gb32","a6552tt9-5ed2-4965-b7fb-62e
e5ac0ff66","a3552tt9-4ed2-4665-b7eb-61ee5ac0fc46","d0fad1c6-6580-4c19-ad0b-d410db4e04d6","b838972e-f1e4-4141-be20-fcb264e283ac","77b86d68-0cad-4dbe-a475-89f76f524035","aad69aaf-18e3-480a-93f3-5e4fac15f772","064165C0-C98A-490F-B1CC-EEB7E97E14D7","C413DD46-FC07-4503-BD46-6675865964D9","43BDBB0E-EDEB-4553-9D3B-0F0FCD634A2A","11E85FFF-DB30-44EB-BF92-C1B2AE87FA67","903C2AAD-D6B3-4EBE-B36F-489BAE2CE89B","5A911040-8674-47FB-B9F6-82F16E98F6EE","ADB6AFF9-FEAD-443C-BCC8-704F586CC5A4","9a6be894-4674-4d77-8d2e-844a8eb28eae","a00fc011-6091-440b-8284-f9fac99a7afe","e804b73f-639a-4b9c-acc2-cbbbfa2ef312","ad05f177-82ee-43fb-8454-522e08f987e0","dfa672f3-f6ae-4eda-8550-1f7fbf1bcca1","6b2c4057-669d-493d-a6b3-fbb2a2f44fb3","a45ed096-b8c6-4ce1-ba2e-a6b5a52a7aae","64844757-e0db-4568-845c-cf608593778c","6c58d1d8-5dfe-4a65-9764-4bd50fbcf37d","d99254bc-99b3-421b-ba6c-8ef7d465ecfc","1b5f6e45-fefc-465e-ae38-5d5a57ce5d1a","cd98dfa9-1467-4c31-a378-b65063fea535","3eb92137-5019-4eb0-8a01-7480256befea","bc25e051-3518-4aa2-9493-2dc1abf176b1","acd263c0-a5a3-42cd-af74-d12df6f577e3","1c7e3db4-ce89-43b3-a951-b7948e6f4874","1681882b-e00c-408b-8cd3-4f0b58374d7a","9d7c3fe3-1f56-4a92-9888-7ba597e3b0d2","24310862-5ed4-41f6-b7b0-66176ac8a4f3","9b5542ef-7676-40ad-999d-efba45f42e9c","22db387f-49a3-4b3e-88a4-13b1b00728b8","7a684553-e9ad-4fd8-a31f-75c1a4db8d2c","56bf07f2-0029-4c3a-9eb1-22320fd92b39","60E4B8B4-31FA-4BA7-9155-44AF1DDA8BA3","1a5d3292-cb61-4372-bf32-0c013cb15625","14ed6864-b898-400d-9083-b811bca96cb5","09073e9b-334f-43b8-8b42-58ddf7e6b1e2","eaa7957b-aecb-406b-be10-f48696b0ecehdel","8a0df091-26c3-4e64-a3b9-d2b2bd397c4e","c6b1a9cd-8b76-468d-8a00-b3be3040cf2b","2600882e-3766-4e90-8823-4f1285d4595c","719df79c-282d-49ff-9163-35542afe3e47","cc0aeb16-1fe2-43c5-b483-cc8aba72b41c","b1101646-c48a-4f18-83b9-2a3af4cd2c2b","b8df4aec-7c87-46e1-a6fb-d20b9c0e0ef0","bcb23e62-59f9-4b81-b7f9-91f2157c051f","b48bce62-0ab9-4b29-9d48-fd0602f175c3","8741ae6e-c9d1-4af4-8e8b-e139342c94cd","6e754b00-8d1b-4191-a332-fe3c746d64e
e","eeafb4d2-cc77-45de-8ee4-bcc7f804fa9b","375f9d9e-29bd-44ba-84ef-f30bbf8edbbb","03935bbe-6dcb-4712-a695-cba2e583784f","88ab8b25-c3c5-4c97-a93f-8e3158dc487e","b2bd1ca4-8a33-11ec-8fd3-00155dd7661c","e2c1b8a7-4f8b-4e2a-9a3d-2c6e8f7d5b1c","e8a2f7c1-5b3d-4c9a-9e2f-7d1b6a4c2f8e","68299a2f-71a3-4795-a11c-9dfc7b2d0651","af396c53-a04e-43aa-8bd9-c9cf75f96318","3dfc6cd3-9545-43f3-b1b8-7c4813d1da5c","5c33c4fb-04cf-410e-9556-04509fb24090","f1aa373c-ecc6-49cd-835a-05ac38b0749f","5d9df8e3-7ff1-45f5-9569-411f6ffacfc7","c3346bdf-e3db-4af3-b6f7-5e1e73ce0d2b","126a5c26-d357-4b03-a4bc-5e8fbd26a1b8","d196c718-afdf-4eb1-9849-4f236030f51b","10026928-5243-4850-82e5-e1c4c175bc15","163b3a0a-e23d-4648-aec6-72906be0c027","dcfebdea-1637-46b9-8452-1979e9e30251","79cf6219-a0c3-4cac-a011-e5c02fc7cada","5bcdd75f-8eaf-4c5a-aa38-7c10a501d260","820ac966-e438-4fae-aef9-2d162ce23ced","39ef777f-53d8-400a-9d4e-d6e6946a538e","1f0b44f9-2a90-4d74-bd6f-32671f493c65","6d69a6ab-78ed-45c8-b5bb-557c2a096d54","2a9d8818-5683-41cc-bedb-493c61a04bb6","a4b29234-b732-486e-9e5a-1d61af4aaf1e","37325c2f-a267-4c55-8b85-3a315e9e50a3","e70b8048-60cc-485e-aa4c-13681020dc97","1b1df069-ae9b-4026-876e-09b8d1c4cf12","d7f3a1b9-4c2e-48a6-b5d1-9e8f7c6a3b20","f6544502-3c0c-4e40-916d-bac6bb3ce8cf","b0398ff8-d74a-11ec-9d64-0242ac120002","b2f5e8a1-4c3d-4e6f-9a7b-1c2d3e4f5a6b","c3a6f9b2-5d4e-4f7a-8b9c-2d3e4f5a6b7c","d4b7a0c3-6e5f-4a8b-9c0d-3e4f5a6b7c8d","e5c8b1d4-7f6a-4b9c-0d1e-4f5a6b7c8d9e","8f2774ec-9662-4eff-bc18-b223ec9ce86d","652774ec-9662-4e1f-bc18-b223ec9ce36d","252274ec-9662-4e3f-bc18-b225ec9ce31d","5a5e640c-37d6-4f21-93c2-3287fd420ea3","ddd81f93-5320-4626-ac94-a938757326a4","42dfde83-f564-4282-854d-612dfda54abf","e1629bb4-4c6e-49a1-a826-5627804b3dcf","d05ffa8d-2ca3-4a6b-9d91-2cee1feafc52","e4c56072-f3d4-4d90-89af-7b94cf0a80e1","07097c10-af17-46fd-b8a0-65c405f8b299","d25850ef-feda-42dc-afdb-d6f527854b8b","942c6acb-1f7e-498e-b5fa-d3c30f787f61","eaa7957b-aecb-406b-be10-f48696b0ecdf","eaa7957b-aecb-406b-be10-f48696b0ecdfdel","e16d
5b06-e193-4e8f-8f2c-e3dd04413d9e","2b7d7c31-a6f4-4fcc-857e-c40fd9ecd918","9edb2134-7a9d-4193-b727-1900e50b133d","5956fb69-ccc1-40a2-a7be-8cf35a3fc627","39525fb9-8431-4c02-826f-c610eaaeb9c1","e42b82a3-12b7-49d3-90da-cb8f0d15090c","5378867d-d538-4133-b9ad-b98d8e920995","7f71e893-1960-4080-b67f-1a06c5a79143","1b9a6421-8d31-4a38-ae8c-35f70ffafdb8","1b159023-07e2-4d37-9447-af7b6cc5cfc6","1bd9dbca-3306-4985-8043-b4cb8c1f21e7","26f1dcce-f504-41fc-8613-e0458cce591a","e71a5c12-1ac5-4784-9c99-ce483f11da8d","ad8246e6-68dd-4bb6-a94a-dddb9c1e35d1","066798a4-70b2-4a0e-badb-a551fa92603d","483f4b2c-5325-441f-9ec4-edc9baefcdd4","24acfce7-569c-4e05-9145-e09752fae02c","0c4a1b53-4761-4793-88ee-b5e569a333c4","f718df22-98e8-4b32-a6d0-bfd05f725a42","5ef6030d-8c6a-44a0-8739-5797f36eea20","db83ff91-df3b-4d7d-b62f-559d49e7d63c","5c27eae1-f25b-46e1-b18b-c1cc11e35ddb","b40ab49e-3ef0-4c97-862b-207b98a68b02","f4d4d8db-7fa4-4196-872f-c8235d23ee8e","70eca34a-da99-45bf-9d68-415eb5def7c3","7c5ca7f7-1d91-461b-b451-9bb10d8ebdde","10b9ae2f-97fd-4807-af5f-8039f9cc7491","32e84b39-f121-4053-8d37-111c385f3e1a","b09ac15b-67c3-4531-bbb6-b0e2dba38d73","e522b056-537a-4775-9e13-2bc6e83fcd9c","ed719e04-ef7e-4d72-b03f-14e429ce4a4f","64f87548-08b9-4b7a-83af-c05315d36666","8b407dc8-15eb-4ab6-8ddc-b9fa4d71ea0a","bc1ef3cf-7f5d-4516-9464-3d192bddce3b","60f51b61-07de-4bd5-a0ee-e0d9cf82d340","10fc7fcb-95db-4b92-aeb7-36e8fdec7d31","b8e80791-6507-423b-8cba-0e0b320af1c3","fec44dbd-94cd-4dab-8c68-0b0b64c256de","599d9097-d85c-44a3-8284-55e525590f20","599d9097-d85c-44a3-8284-55e525590f21","599d9097-d85c-44a3-8284-55e525590f23","599d9097-d85c-44a3-8284-55e525590f24","599d9097-d85c-44a3-8284-55e525590f25","599d9097-d85c-44a3-8284-55e525534f97","16191aba-3eee-4973-b338-7077300f32e1","151d25cf-7e9a-48eb-98ff-fe39a595ddff","36891d32-455c-4492-9681-a06713a17de0","191c185d-0bb0-4690-a8cd-51a38289b9c0","9db05ad5-c9f7-4136-882e-a5bebb798cf1","e5922e5d-6e1c-4bb8-a0ba-eb64414622a6","10b27cd1-2881-481a-aa4e-7a7b310fe3af","67abc9cc-f88e-4
d0f-9b47-51bbff409682","f94b4370-78dd-40ad-9b22-f3461f9d8446","cbb070f5-c424-41ff-96ab-f3e6e31e18f2","cf1dc664-075c-4fb6-962c-0280edb652a0","8dbbc541-1c2b-4985-8e5c-fbb3e908bd0d","5c9510de-ae67-4f1d-afa8-97d8e458182c","9bc303aa-0156-42d0-a4ea-5795de314b01","e2505eec-f620-4fbb-87e7-eb447d608a04","d7d0e750-f20c-4d13-8887-2d088f25bb68","09097f08-6a4b-4747-a251-21dd4237d99a","4fec14fe-d662-4b6f-a3a6-4a6bfcfe55cb","83c3b089-8510-4925-8614-f7f36a04af0b","6c056893-0853-4a39-9638-35a5b0644363","61d8a45e-1589-489f-8d69-792c36fa8967","80ddf123-662f-408d-b1c9-1efcaee4ea25","3c0316ed-8069-4b75-8247-519398618f34","8c11b79a-eff0-439c-a54c-519a0cdc30cf","abca51a5-f135-4977-af75-46670f36017c","c50219bc-5393-40c6-b7aa-d5ac8cd065b8","c8e78040-e38f-46d1-a4ca-ec3fa1ea3c92","faffa3cc-01d7-4c65-9dcd-15c65d8db91f","54526cff-06de-4bec-bfa5-6909c04908bb","b61211bc-abef-4e01-b6f5-9154166f9021","8c1d6f16-f409-4be5-a36e-e7366e91fbc8","0f906ebd-a275-4f19-afb8-66956e3de6ba","d8825350-6728-45cd-8120-edf428e459f1","f41d96e1-a466-434c-96ba-f7ae31601398","bd908e0d-680a-40b9-88c2-b7fedf053c96","98ce5af3-de4d-45ac-91dc-b8a42f9bd2a4","f749c7ac-5407-4926-a42f-b8c684d6b169","6cba4bad-1a95-4970-9fc6-1a5f6936187b","c5ec4e2d-c7b3-42c3-9150-6ec344d62ee3","73917797-b07e-495f-874e-337d5c089123","3412a5f6-4520-4ac5-bd10-6b137a30845e","44a38a05-1147-4795-bd5e-fa808308375f","51e6c592-e4f1-d373-e927-aab82f9c1044","25f8bafd-7cf8-4eb9-a10b-b8e23442f666","000c951d-5d77-4590-ab98-813149c42682","be18b9bb-7cde-4b04-961a-b08db7f51882","dc826897-f00f-4d3d-8f4f-1c8a370a0e78","1e6825d2-847b-4027-a2d7-699d8875f6eb","4a8a8d90-af11-1302-7556-02c1a6c4287f","307938f2-3ebe-e1dd-e6cd-60181b631133","c6b38466-c4e7-4b51-59c6-9dc6ab8b7d56","8abfa818-c87f-81c7-99ef-fa38d0c750b3","323226e0-df9e-4287-92aa-3795cf8a964e","ddc56a57-a0a1-442d-b738-a600bca740f8","efb1f6c6-6498-4eba-9f42-71ca1b4ae3ee","8b5511d4-2df9-445f-ac8c-183615aeff4f","b098e967-079a-4467-898a-8568b6f96f6a","e5d93d90-7ff9-4c4d-b46f-5bc037afa284","7308fa13-7b01-48d3-b9b6-8a
c464ba5b3f","fba0fd35-f822-4df0-bc10-2ca0d9041d63","ecdcd5a9-ac4e-4e24-9ce6-bcb9b2e0cfa6","1b582828-0234-4b71-9949-c9e08be3bc04","3a2a2aea-8ada-497f-8ff1-e3a01c2469da","26e8acf3-e27d-4d7b-9718-31bda68a0b1d","e198f4d4-6420-4506-a965-f752b002f744","9788de8c-73da-4b6f-b259-28f89c8f8964","1d326b1d-b84f-475a-9ce6-78dc33d33461","2f7096f6-093c-4c1d-bd85-b47737aa1aa7","0bd960eb-b761-4ff6-bf0e-73bc57590734","30005149-f6be-42fc-871c-65b45fbb7891","eff2d4f3-9a25-4a3e-9434-b1ce56ff7d8c","55b0b24b-dd8a-4f91-a797-2c0eae9ea440","4d51c78c-2124-4637-8fd1-0450556306bc","26551BF0-E908-4C30-8199-335F7CC86520","df341dc6-ff0a-4579-b23e-d84b22419c91","b3e13991-72f2-4b47-aaa1-37ea6c4bcae9","b6e48dd7-12b6-494a-b164-52df19d45a9d","29adebd2-37b1-44fc-a684-422431bf0ddd","3ac59a15-04e1-4474-9b8d-8046477d177e","91d7b5a5-93b8-4a8f-8875-b5c511bc9e41","7f9d3e8f-df6d-4156-93c7-0877c1000716","ea5e6919-17ea-4cc9-880c-0626d5a351f3","6e113596-c393-4745-b93f-c371d452d94f","394023dd-9607-44b9-8f6d-45740903d67a","c646d0fd-7eee-44d1-ae13-0791e3f7b766","a4d5c564-f185-450d-9024-ac003c123456","a4d5c564-f185-450d-9024-ac003c456789","c4cdf677-7d39-4fc9-9894-e2264e719916","1ef86e81-77c6-467a-a7a6-f5769f1df2f2","84dd84da-6817-4482-92a6-4bcb3ec96cb6","cee04e51-5743-4b8e-9913-6d50f3813742","1d18a296-9f63-4753-a271-cc9e38e32e5a","aa3b3c6e-70e0-4d36-89d3-8ff32afb2c09","4b6de6c1-0bc4-4056-bb4b-07feaea2b6f3","df057014-305f-4fa9-8522-18ccf8caaa22","f355a34a-0902-469d-a20d-126b6abe9647","9ddee6d4-c94d-411d-8fb9-ee10fc74502b","8a09c867-4caf-4a3c-ae4a-d8bd5c2b0263","f6dd9440-131a-478c-a85d-815c5ee81fc6","5bac9c74-6e1e-4a67-8693-9661cc3fdb1e","b3bdb478-5088-4179-a6f9-669e1b97f2d6","716e9029-57e3-485d-87f4-97497192d3cb","993e8088-d4af-46bd-bb26-2eb6ef2873d2","d180b15e-73ee-4275-8f99-a5b5a7e8cb97","0542e63c-e978-4f1a-a141-2675e0d49e88","7d2e183d-421e-4240-a1f6-6c139473ec27","dbd3ee2d-b50b-4def-9955-0e3d0576eeca","4445a657-aced-497b-a588-a86f845e4ea7","bed7fb50-cd96-48a4-80f9-3976b0529235","b82a0150-a330-49ba-ae11-81a950b55a5b"
,"a03eab02-f73b-493f-90ff-e0223bfb4ce1","8adbd857-a7a7-44fb-9ab4-c11743fc21f2","b90c8414-fce6-478f-b372-a80827a3c7f9","376ce53b-9f74-4c4f-ab46-dec5060092f1","ec90d150-2298-476b-8b42-953ed8907dc2","1093f8f4-6b21-4d46-b8e6-706dbc620a98","67c95b3b-0791-4e05-bc18-2d8ecdef16d3","49991367-accb-4bf3-a449-c4fe1b11d42b","34dfd1af-6153-11ea-9732-c8348e025209","34e21b0f-6153-11ea-ba17-c8348e025209","d661e902-a0a1-34c4-3e41-537475821a79","4f39e42a-1858-28a8-7a2e-fae3ee9f08fc","6e21eddd-12a4-1d5d-23b3-aaf0b32737b9","e918b817-a253-4578-b8a0-0514269ede41","e2f4aaff-3204-41cc-a2cd-9adabb071847","67509168-f4c5-40e9-bed5-659d66238394","5bf97db7-243d-4cfe-b928-91b8f60a1507","e15f26b4-196a-463b-b61c-16d5aeacf611","16cc1100-8d9e-40cc-9f46-11f26dfb6d83","96b1f5ee-b9c0-41f8-ac78-c63c892316e0","25557665-32d7-4275-bee8-5f66ba7414b0","bc06437d-ec5a-41d4-a99c-5448e75af0ea","962528ba-aa8a-4ed9-b882-269d77b1c317","ffd8f3c6-2df8-4919-b897-415fdbd67679","b4d66462-3b14-48e0-8f73-69963f167e07","5ee61bc5-7ab3-4ea6-bd8a-894199439250","b90dfde7-6647-431a-ba33-a8d15ce03cfd","787bfae4-3b13-4edf-b04c-df38392915f0","b8c03410-f001-4b97-9cd7-0e0f133dec66","3d9fb8b2-befb-4583-8c92-1da2bf3411b4","4d078508-6a71-4f6d-8408-74cc20ad7867","aa09b62c-25ef-446e-b7b3-a950aef7800f","8fb2034b-6c12-47bc-838b-b657bd5f5300","b1c25cc3-f90b-4514-8391-283ca87952bd","33fb2c35-1ffd-4325-9f93-0a23ccf6d0d4","052020ef-b3ca-4980-8c22-cd02e0471ee2","a5921654-c003-4486-8122-60092622db9f","1ba813c0-8d01-4837-b8b4-ea954aa2c02d","c64e6268-9405-45fa-acce-e59dea7054fe","1c4e1e99-3d45-4125-ab76-320c8fdd3413","ec788186-ccc0-43fd-b974-1def808dfa21","801fa603-7ed8-4a4a-b028-5b0ff6277eb5","5b86398a-8291-40ce-8d97-c534997f61e6","366f2856-ffd7-4f9b-9c42-862e3b201f3c","79ff4844-6154-11ea-aec5-c8348e025209","7a01741c-6154-11ea-b256-c8348e025209","7a01e758-6154-11ea-8513-c8348e025209","7a02356e-6154-11ea-9f6e-c8348e025209","7a02aa98-6154-11ea-be45-c8348e025209","7a02f8bb-6154-11ea-ae08-c8348e025209","27374154-3ae9-5c0f-047b-059790771ae2","2fb22203-
1815-2061-2dcf-f2f162ee3334","fde796bf-52b0-120a-7bff-444d8f9a60ed","d8f84807-6154-11ea-8c04-c8348e025209","d8fb0c4b-6154-11ea-aae5-c8348e025209","d8fc9214-6154-11ea-9ce5-c8348e025209","d8fcdffd-6154-11ea-b3f4-c8348e025209","d8fd5523-6154-11ea-b89c-c8348e025209","d8fda3be-6154-11ea-a8af-c8348e025209","d8fedbce-6154-11ea-8815-c8348e025209","d8ff5103-6154-11ea-9777-c8348e025209","d8ff9f0b-6154-11ea-aea9-c8348e025209","d8ffed31-6154-11ea-880d-c8348e025209","d900144a-6154-11ea-b2e1-c8348e025209","d9019f0b-6154-11ea-9c41-c8348e025209","d901ed1f-6154-11ea-bc4a-c8348e025209","d9023cf0-6154-11ea-ae1c-c8348e025209","d9028ad3-6154-11ea-98bf-c8348e025209","758fc257-7359-11ea-9fad-c8348e02520c","759342e9-7359-11ea-bb5a-c8348e02520c","7593b6c0-7359-11ea-88c8-c8348e02520c","8393bf25-50e9-e88d-23b3-afabe2d845e9","6b63ba82-9e35-babe-0386-96b648bb1a56","d1a21eb9-4d9e-0e21-a81d-7e78dc488f84","c6f0918a-a022-4273-9737-05312ae54211","bfdd0f36-f300-425f-b149-65c21f652297","96578d25-6dbf-475c-a6fd-adcafd97a138","bc0bf95e-735e-11ea-926d-c8348e02520c","bc0edc14-735e-11ea-85a2-c8348e02520c","bc0f5421-735e-11ea-93cb-c8348e02520c","bc0fc666-735e-11ea-9e0a-c8348e02520c","bc1014e4-735e-11ea-8c7b-c8348e02520c","a5e5e3f2-773b-11ea-b11e-c8348e02520c","a5eac4ad-773b-11ea-83e6-c8348e02520c","a5ee200a-773b-11ea-8e01-c8348e02520c","a5efcdbd-773b-11ea-8034-c8348e02520c","a5f2180e-773b-11ea-a27d-c8348e02520c","a5f6f9b3-773b-11ea-83b3-c8348e02520c","a5f795e5-773b-11ea-aa8e-c8348e02520c","a5fb8d87-773b-11ea-9f44-c8348e02520c","14b2fa58-8560-11ea-b457-c8348e02520c","7bbc0cff-8560-11ea-9ac3-c8348e02520c","7e6d856a-8560-11ea-9a95-c8348e02520c","837689e6-8560-11ea-9a45-c8348e02520c","898689c9-8560-11ea-bb44-c8348e02520c","fa69eeb1-8569-11ea-8fe4-c8348e02520c","fa6b98ca-8569-11ea-9445-c8348e02520c","fa6be679-8569-11ea-82ff-c8348e02520c","fa6c348e-8569-11ea-9b4a-c8348e02520c","fa6c82a3-8569-11ea-8c6c-c8348e02520c","fa6cf7e0-8569-11ea-9523-c8348e02520c","fa6d45fc-8569-11ea-9289-c8348e02520c","fa6e5843-8569-11ea-8
d4b-c8348e02520c","fa6eccc5-8569-11ea-9088-c8348e02520c","fa6f41c2-8569-11ea-98c6-c8348e02520c","fa73fd03-8569-11ea-aa34-c8348e02520c","fa74c014-8569-11ea-aa82-c8348e02520c","e7110b5b-2788-8dad-89bb-118d066f0348","45f5c9a8-0bb5-6d2a-8562-a53d34e93887","5ea47bca-4305-4423-3b2f-3db502a42760","1256fc3f-8134-417c-9e24-a6d573eb93f9","f1bf35d8-7afb-05bd-842e-5fbddced8dbd","19b4df05-22bb-4ac7-a0d1-e1e3029c6256","395c7803-7b63-0779-6863-c5c7ac7c0d62","62ffa781-123a-a1f5-79b4-c31c2ea8769a","46a359a0-8e7b-5319-5fc1-84fb70211c0b","19a3ed70-1e90-8f62-5e90-58ec8ea3a705","09291696-0b1d-3266-34a3-4a6eda396d8b","b944809b-373e-036c-059f-78cf8bb5206a","096294d7-8492-448e-2ad3-b4c7f7c0a535","eafdf8b8-7931-752b-6890-f6b292ca9bcb","0740862d-6150-3251-8096-8d6a06f356f5","ee063ac9-8b4b-2d38-8806-ecaae055503a","1d7c8ba9-957a-05f1-3ac0-c6cecd388592","83d6b912-8565-11ea-a50d-c8348e02520c","83d88aba-8565-11ea-9c59-c8348e02520c","83d8d8ae-8565-11ea-bb97-c8348e02520c","83d94dca-8565-11ea-aceb-c8348e02520c","9216f2d9-9b82-11ea-ba13-c8348e02520c","921acbc5-9b82-11ea-bebf-c8348e02520c","921bdcea-9b82-11ea-ad5d-c8348e02520c","921e4dd0-9b82-11ea-abb1-c8348e02520c","9220983b-9b82-11ea-a82a-c8348e02520c","0acad5d4-9b87-11ea-b69c-c8348e02520c","0acf42ae-9b87-11ea-b093-c8348e02520c","0ad18cad-9b87-11ea-9184-c8348e02520c","0ad29e51-9b87-11ea-9bee-c8348e02520c","be55aaa8-ec2b-11ea-8a0a-c8348e03e0b8","be55f9e0-ec2b-11ea-a6d1-c8348e03e0b8","be55f9e1-ec2b-11ea-8a88-c8348e03e0b8","be55f9e2-ec2b-11ea-857f-c8348e03e0b8","be55f9e3-ec2b-11ea-9759-c8348e03e0b8","be55f9e4-ec2b-11ea-829f-c8348e03e0b8","be55f9e5-ec2b-11ea-86be-c8348e03e0b8","be55f9e6-ec2b-11ea-b9e9-c8348e03e0b8","be55f9e7-ec2b-11ea-8b7b-c8348e03e0b8","9eb66810-f1da-11ea-9224-c8348e03e0b8","9eb6b446-f1da-11ea-9405-c8348e03e0b8","9eb6b447-f1da-11ea-a670-c8348e03e0b8","9eb6b448-f1da-11ea-bbaa-c8348e03e0b8","9eb6b449-f1da-11ea-9d02-c8348e03e0b8","9eb6b44a-f1da-11ea-8c4a-c8348e03e0b8","a6420dd9-f7fb-11ea-9194-c8348e03e0b8","a6428833-f7fb-11ea-8d8a-c8348e0
3e0b8","a6428834-f7fb-11ea-8313-c8348e03e0b8","a6428835-f7fb-11ea-b623-c8348e03e0b8","a6428836-f7fb-11ea-8392-c8348e03e0b8","a6428837-f7fb-11ea-bb94-c8348e03e0b8","a6428838-f7fb-11ea-af2d-c8348e03e0b8","a6428839-f7fb-11ea-aa48-c8348e03e0b8","a642883a-f7fb-11ea-8c76-c8348e03e0b8","a642883b-f7fb-11ea-ae71-c8348e03e0b8","a642883c-f7fb-11ea-a8e7-c8348e03e0b8","a642883d-f7fb-11ea-9dfe-c8348e03e0b8","a642883e-f7fb-11ea-95c6-c8348e03e0b8","a642883f-f7fb-11ea-832d-c8348e03e0b8","a6428840-f7fb-11ea-9f84-c8348e03e0b8","a6428841-f7fb-11ea-a564-c8348e03e0b8","a6428842-f7fb-11ea-9339-c8348e03e0b8","c04f8b4c-8f78-8652-28db-d12cb5296bcb","a6428843-f7fb-11ea-8ea5-c8348e03e0b8","a6428844-f7fb-11ea-bdfb-c8348e03e0b8","a6428845-f7fb-11ea-a22d-c8348e03e0b8","a6428846-f7fb-11ea-bfa0-c8348e03e0b8","a6428847-f7fb-11ea-a877-c8348e03e0b8","a6428848-f7fb-11ea-aade-c8348e03e0b8","a6428849-f7fb-11ea-a623-c8348e03e0b8","a642884a-f7fb-11ea-9ffc-c8348e03e0b8","a642884b-f7fb-11ea-8961-c8348e03e0b8","a42903db-1d24-11eb-88c1-c8348e03e0b8","a42903d9-1d24-11eb-afcb-c8348e03e0b8","a42903da-1d24-11eb-9b58-c8348e03e0b8","a42903df-1d24-11eb-99e3-c8348e03e0b8","a42903e0-1d24-11eb-9739-c8348e03e0b8","a42903de-1d24-11eb-ae49-c8348e03e0b8","a42903dd-1d24-11eb-9fdf-c8348e03e0b8","a42903dc-1d24-11eb-a6ff-c8348e03e0b8","a42903e3-1d24-11eb-a60d-c8348e03e0b8","a42903e2-1d24-11eb-a6da-c8348e03e0b8","a42903e4-1d24-11eb-83c0-c8348e03e0b8","a42903e5-1d24-11eb-bf99-c8348e03e0b8","a42903e6-1d24-11eb-9ef5-c8348e03e0b8","a42903e7-1d24-11eb-944e-c8348e03e0b8","a42903e8-1d24-11eb-bc91-c8348e03e0b8","a42903e1-1d24-11eb-ab6e-c8348e03e0b8"],"functions":["bd5b5b75-dad2-40f2-b2f1-a58a0b41106d","7625213e-e8e7-433c-9f64-fdc984ad7ee0","cd3f45c0-2b70-42d9-bbad-cbbe7f3ee715","86401b72-78ca-46bd-a1ef-2f63d9230a5c","d6dad52a-5669-4cb4-bbbe-d5d1e4f9435d","2d003852-e92b-49b3-b12e-164332b0edab","f7a72ca9-df71-4cfb-811a-ea70469f3e3f"]}},{"id":"applications","displayName":"Applications","related":{"tables":["ACLUserDefinedLogs","AEWExperime
ntAssignmentSummary","AEWExperimentScorecardMetricPairs","AEWExperimentScorecards","AppAvailabilityResults","AppBrowserTimings","AppDependencies","AppEvents","AppExceptions","AppGenAIContent","AppMetrics","AppPageViews","AppPerformanceCounters","AppRequests","AppServiceConsoleLogs","AppSystemEvents","AppTraces","ContainerLog","FunctionAppLogs","LedgerUserDefinedLogs","OEWExperimentAssignmentSummary","OEWExperimentScorecardMetricPairs","OEWExperimentScorecards","OTelEvents","OTelLogs","OTelResources","OTelSpans","OTelTraces","OTelTracesAgent"],"queries":["3f837a43-8382-465c-9681-cadd66b5755d","a68218d8-84d3-45ce-87c5-1ff89cbe9eaf","bcec51fd-9e72-40a8-b01b-6d3fd16e0fb6","967eb9bf-2d91-4a86-8115-18ee8b458d0e","7f870b0a-b457-4221-a739-20bf3ece31f3","3d08f663-9b40-4dcb-824c-e073806d5257","a7cb524f-2347-4ed2-a9ff-3ce04cb87913","3964f9a7-6371-445c-924f-9efdaef758ca","1e349818-951d-456b-b4b5-90dc93330b98","3f8d4567-12ab-34cd-56ef-789012345678","1e2f3a4b-5c6d-7e8f-9012-3456789abcde","2a1b3c4d-6e7f-8901-bcde-f23456789abc","3391637e-7394-489f-b190-e5786da9c8e7","7deda973-b5cf-4c58-a4e7-f41cc30555fc","20ad87bf-b901-4d0b-b548-0f65a6c1210b","47a8646f-f2e5-45b7-9e27-63b4235d1137","d31cc37e-b086-4ab2-9dad-742d6a4d46c6","bada9215-5cf1-4723-9c2e-9f91e2c13738","33447b49-182b-4b6f-a26b-e2267279df81","59cfa403-4b7c-4610-b650-de70dc4af480","0e39010e-0b8e-4698-a435-e1ffa3451896","58147e09-cf5b-4a47-99c4-a5aedbb7c32c","87bcb1a9-2519-4671-a450-bb2971575507","58a835f6-b86f-4d79-a800-26f1d5265a76","7f050aba-bfab-11ea-995b-c8348e03e0b8","91e3ee17-bfab-11ea-bad1-c8348e03e0b8","55ca5870-bfab-11ea-ac5f-c8348e03e0b8","95035ec2-bfab-11ea-a608-c8348e03e0b8","9a9283e8-bfab-11ea-b7f5-c8348e03e0b8","9f16b134-bfab-11ea-99c3-c8348e03e0b8","e40b84ff-bfab-11ea-9407-c8348e03e0b8","ed941c7f-bfab-11ea-8dd3-c8348e03e0b8","fdfc57ce-bfab-11ea-ba10-c8348e03e0b8","1ab9dc94-bfac-11ea-8dcb-c8348e03e0b8","26172a26-bfac-11ea-9c5e-c8348e03e0b8","321b088f-bfac-11ea-b703-c8348e03e0b8","be55f9e1-ec2b-11ea-8a88-c8348e03e0b
8","be55f9e2-ec2b-11ea-857f-c8348e03e0b8","be55f9e3-ec2b-11ea-9759-c8348e03e0b8","be55f9e4-ec2b-11ea-829f-c8348e03e0b8","be55f9e5-ec2b-11ea-86be-c8348e03e0b8","be55f9e6-ec2b-11ea-b9e9-c8348e03e0b8","be55f9e7-ec2b-11ea-8b7b-c8348e03e0b8"]}},{"id":"monitor","displayName":"Azure Monitor","related":{"tables":["ALBHealthEvent","AMWMetricsUsageDetails","Alert","AlertHistory","AutoscaleEvaluationsLog","AutoscaleScaleActionsLog","AzureMetrics","AzureMetricsV2","ComputerGroup","NatGatewayFlowlogsV1","Operation","Perf","SCGPoolExecutionLog","SVMPoolExecutionLog","Usage","WorkloadDiagnosticLogs"],"queries":["ed999090-4bc2-4704-ba16-ff0223930a4d","1a2b3c4d-e5f6-7a8b-9c0d-1e2f3a4b5c6d","f46854c3-fa37-4b92-8675-ce838000949b","7e8f9a0b-1c2d-3e4f-5a6b-7c8d9e0f1a2b","6d9f94e6-0421-4611-b43a-c9a8f409b83b","3e4f5a6b-7c8d-9e0f-1a2b-3c4d5e6f7a8b","7f49ca30-a69f-45fd-b06f-d2b5271587da","9c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4f","a7cc4b34-b191-4d3a-8fac-830ed3321e45","5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d","912d4bfd-f025-4f8d-909e-2936b7796eb8","023e5cae-a136-5a9e-010f-1047c8807fc9","df398179-e2b2-418d-bfae-95faf858c0cf","d62bf65f-66b7-482f-b296-83f2ca4e19d8","444fcb48-73f7-49b4-bc43-852418bbd394","f94860c-a83f-44cb-88bd-3fc8d2ab5510","98481911-2a32-4b68-b7bb-8065ffc25376","fc661805-ba40-45c5-84f0-1afa40af255d","16168079-3eda-4f8e-b486-51a592299b87","2f874bbe-63ac-479a-ba4e-858c0607b2ac","4a3ef465-671d-4759-815e-c6bd2769da61","d13a7541-aeee-425f-89e6-33795d8e1e23","693cc58e-1b66-41f2-b83e-d92de385aace","07dd8389-c27d-4fbe-8b52-8506a933be06","e94fbeb3-4642-4ccf-b138-82c39dede64c","985dcc97-d950-413f-a024-9e12640775a9","4944e5c6-520d-41b4-84e6-9c9cc4b564ec","141e074c-7563-4d02-8e03-41fbb2be1f39","f240c320-03bb-4562-ad29-8282c706778d","2b6d1a2b-3c4d-5e6f-7e6f-4d3c9d8b2b6d","7fe223e8-c01b-482a-9578-4fb0f0fa86af","1e2d3c4b-5a6f-7e8d-9c0b-1a2b3c4d5e6f","b87b8817-e3ee-4bfc-87b3-e07176865011","7e6f5d4c-3b2a-1d0c-9e8b-7a6f5d4c3b2a","f94f0759-ed97-45dd-bdc3-d856e2c93ea4","5e6f7e8d-9c0b-1a2b-3c4d-5e6f7e8
d9c0b","6309ad3f-f611-4c95-a627-5ba6b1eda4d4","5e6f7e6f-4d3c-9d8b-2b6d-1a2b3c4d5e6f","61e410fb-0923-4837-a93b-b68b771dc7f5","7e8d9c0b-1a2b-3c4d-5e6f-7e8d9c0b1a2b","ff582702-6d8c-4487-bcb7-584fc3f5c223","1a2b3c4d-5e6f-7e8d-9c0b-1a2b3c4d5e6f","b77fadc5-0e2b-4d97-958a-8069988150be","7e6f4d3c-9d8b-2b6d-1a2b-3c4d5e6f7e6f","4a074c0d-6343-46df-b9dc-c693f1cc54c5","3c4d5e6f-7e6f-4d3c-9d8b-2b6d1a2b3c4d","c8bf3142-c260-4062-8a92-b7b22ba14c90","4d3c9d8b-2b6d-1a2b-3c4d-5e6f7e6f4d3c","c1815bd9-9000-4477-8a47-7ec598b3d482","3c4d5e6f-7e8d-9c0b-1a2b-3c4d5e6f7e8d","f06635bd-c6ed-4052-b2d9-074bc8fa9f79","b5716eb0-b7ed-4748-9c3f-ace527fc382a","9aeac264-1f94-4b63-a1e7-afff335dadde","0462291d-ba25-4268-8440-6135184e6f7b","42d970fa-0354-4325-b9c2-bc47f7cbd46b","421c4968-ba9a-41fb-8f3e-0b43837e5b79","0d32e6ff-9894-415e-a981-2e9e5f76bd78","8f2774ec-9662-4eff-bc18-b223ec9ce86d","652774ec-9662-4e1f-bc18-b223ec9ce36d","252274ec-9662-4e3f-bc18-b225ec9ce31d","aed2e616-52ae-4c8e-8562-af62c017718a","d76e62a6-9777-4e9c-a455-1d2541deaaf2","254a4228-9e71-489f-ba2c-e47017afbaa3","16191aba-3eee-4973-b338-7077300f32e1","c8f597f3-9251-468a-86b3-d94ed8ea996d","bdbc27e8-3f5d-4981-9050-5ed7f63615a8","ba8b1839-7334-11ea-bed0-c8348e02520c","ba8e256b-7334-11ea-99d3-c8348e02520c","35883956-d397-42e6-a820-01eaceb11471","89e77e30-828d-4e3d-96a2-d28befa4275b","c6eb80df-d93e-451d-8a78-500adeb829ca","4a4819f6-4d4f-4c1e-8f9f-445c957af054","78b49d99-ccb7-4791-ba0c-73fbf2104daa","9edff33b-7951-4601-a50b-1da5fea7a127","3b374e0c-6e5c-4367-88a8-10d265ce5e42","38d33331-aba2-43f7-92c5-c527123edbf6","bd465c3f-0a2c-4ab7-ad8b-43b616528363","30acf699-84cb-4c65-ad46-b2ad151ebc55","9b2174e7-b6a3-4613-8f0b-df0bb7cef53e","548e7a2f-4c64-41c2-a5e7-50cefeaaf87b","fa983d75-eb88-4a9a-a890-715661e8a5b2","3fee872d-3c17-4d12-ae85-b270c2af27a1","df6e5ae0-de57-401f-9161-0bf1e39a5309","f615beb4-a0b8-4fe6-a477-3662e6ff0526","8e4177ab-8bf4-4d77-9a00-b9122a27d83a","522fe594-74dd-4e4e-913a-a025b0b10595","cf3c0e16-b107-4df0-8ab9-fc6b56846f34","ba8
8f54c-7334-11ea-b97f-c8348e02520c","ba896aa0-7334-11ea-b814-c8348e02520c","ba8bb46d-7334-11ea-ae17-c8348e02520c","ba8db056-7334-11ea-bb30-c8348e02520c","ba9048b7-7334-11ea-aa22-c8348e02520c","ba90e48d-7334-11ea-be6e-c8348e02520c","ba926c00-7334-11ea-9216-c8348e02520c","ba92e06e-7334-11ea-a524-c8348e02520c","ba93559a-7334-11ea-aa00-c8348e02520c","c58b9b88-9b80-11ea-9137-c8348e02520c","c58ea8c7-9b80-11ea-afe7-c8348e02520c","c59b04a4-9b80-11ea-9429-c8348e02520c","c59b52d1-9b80-11ea-abe2-c8348e02520c","c59bc801-9b80-11ea-a673-c8348e02520c","c59c161a-9b80-11ea-b8e4-c8348e02520c","f82e2799-dd42-11ea-9ea5-c8348e03e0b8","f82e75b8-dd42-11ea-b884-c8348e03e0b8","f82e75b9-dd42-11ea-a8b1-c8348e03e0b8","f82e75ba-dd42-11ea-a077-c8348e03e0b8","bb5ff65d-0c7f-11eb-be85-c8348e03e0b8","bb60447f-0c7f-11eb-9344-c8348e03e0b8","bb604480-0c7f-11eb-828b-c8348e03e0b8","bb604481-0c7f-11eb-a61d-c8348e03e0b8","bb604482-0c7f-11eb-9834-c8348e03e0b8","bb604483-0c7f-11eb-b808-c8348e03e0b8","bb604484-0c7f-11eb-bef2-c8348e03e0b8","bb604485-0c7f-11eb-b2cf-c8348e03e0b8","bb604486-0c7f-11eb-ab5c-c8348e03e0b8","a4288de6-1d24-11eb-9472-c8348e03e0b8","a42903d6-1d24-11eb-8648-c8348e03e0b8","a42903d7-1d24-11eb-afed-c8348e03e0b8","a42903d8-1d24-11eb-aa16-c8348e03e0b8"]}},{"id":"databases","displayName":"Databases","related":{"queries":["59e7db22-9f52-11ea-b8de-c8348e02520c","59ecbd47-9f52-11ea-bc53-c8348e02520c","59f150f7-9f52-11ea-8681-c8348e02520c","59f34cde-9f52-11ea-a5c7-c8348e02520c"]}},{"id":"windowsvirtualdesktop","displayName":"Azure Virtual 
Desktop","related":{"tables":["WVDAutoscaleEvaluationPooled","WVDCheckpoints","WVDConnectionGraphicsDataPreview","WVDConnectionNetworkData","WVDConnections","WVDErrors","WVDFeeds","WVDHostRegistrations","WVDManagement","WVDMultiLinkAdd","WVDSessionHostManagement"],"queries":["9301ac33-090c-4cb5-b841-dc31c5d1ce13","7409e5d2-1178-4487-8f11-fb38a1a368ac","b544376e-b9ef-11ea-afad-c8348e03e0b8","b544ac5e-b9ef-11ea-9479-c8348e03e0b8","b544d256-b9ef-11ea-a8fb-c8348e03e0b8","b544d257-b9ef-11ea-8a32-c8348e03e0b8","b544d258-b9ef-11ea-840c-c8348e03e0b8","b544d259-b9ef-11ea-b62a-c8348e03e0b8","b544d25a-b9ef-11ea-9067-c8348e03e0b8","b544d25b-b9ef-11ea-b824-c8348e03e0b8","b544d25c-b9ef-11ea-94c4-c8348e03e0b8","b544d25d-b9ef-11ea-870f-c8348e03e0b8","b544d25e-b9ef-11ea-96fb-c8348e03e0b8","39382287-7d94-4b21-a8ee-e2f08b55f721","304217d6-6dcf-498e-b052-8fda82967980","66f7c5e9-bf9f-4ce8-b1d9-5f74c9e58749","2a537cac-6349-435a-8bbd-4cf2d1d3819a","a92ee56d-4ba3-49f5-9966-bd66cb58063f","91eb68a2-9d4f-4e83-86e3-323f414b4b96","7fb96445-e76f-41dc-8edb-22803c52c8af"]}},{"id":"_general","displayName":"_General","related":{"queries":["d4e5f6a7-b8c9-11eb-a1b2-c8348e03e0b8"]}}],"resourceTypes":[{"id":"microsoft.aad/domainservices","type":"Microsoft.AAD/domainServices","displayName":"Azure AD Domain Services","description":"Tables related to Azure AD Domain 
Services.","related":{"tables":["AzureActivity","AADDomainServicesDNSAuditsDynamicUpdates","AADDomainServicesDNSAuditsGeneral","AzureMetrics","AADDomainServicesAccountLogon","AADDomainServicesAccountManagement","AADDomainServicesDirectoryServiceAccess","AADDomainServicesLogonLogoff","AADDomainServicesPolicyChange","AADDomainServicesPrivilegeUse","AADDomainServicesSystemSecurity"],"queries":["a6428843-f7fb-11ea-8ea5-c8348e03e0b8","a6428844-f7fb-11ea-bdfb-c8348e03e0b8","a6428845-f7fb-11ea-a22d-c8348e03e0b8","a6428846-f7fb-11ea-bfa0-c8348e03e0b8","a6428847-f7fb-11ea-a877-c8348e03e0b8","a6428848-f7fb-11ea-aade-c8348e03e0b8","a6428849-f7fb-11ea-a623-c8348e03e0b8","a642884a-f7fb-11ea-9ffc-c8348e03e0b8","a642884b-f7fb-11ea-8961-c8348e03e0b8"]}},{"id":"microsoft.azureadgraph/tenants","type":"Microsoft.AzureADGraph/tenants","displayName":"AAD Graph Logs","description":"All tables related to Azure Active Directory Graph logs.","related":{"tables":["AzureActivity","AuditLogs","AADGraphActivityLogs"],"queries":["00d2b78e-df02-42d4-ae3a-27db94a534fc","c4ee740a-6d0e-4a87-b998-663d2d36fca0"]}},{"id":"microsoft.containerservice/managedclusters","type":"Microsoft.ContainerService/managedClusters","displayName":"Kubernetes Services","description":"Tables used by Azure Monitor for 
Containers.","related":{"tables":["RetinaNetworkFlowLogs","ContainerNetworkLogs","AzureActivity","AzureDiagnostics","AzureMetrics","ContainerImageInventory","ContainerInventory","ContainerLog","ContainerLogV2","ContainerNodeInventory","ContainerServiceLog","Heartbeat","InsightsMetrics","KubeEvents","KubeMonAgentEvents","KubeNodeInventory","KubePodInventory","KubePVInventory","KubeServices","Perf","Syslog","AKSAudit","AKSAuditAdmin","AKSControlPlane"],"queries":["f47ac10b-58cc-4372-a567-0e02b2c3d479","d3b07384-d9a0-4c9d-8f00-6e7a9e7a8b0d","571b97f3-d68b-41eb-b1ac-6c40a38fbb4d","54bb9cdf-3eb8-4f1b-bb39-a2e578bceecb","5bcdd75f-8eaf-4c5a-aa38-7c10a501d260","820ac966-e438-4fae-aef9-2d162ce23ced","39ef777f-53d8-400a-9d4e-d6e6946a538e","1f0b44f9-2a90-4d74-bd6f-32671f493c65","6d69a6ab-78ed-45c8-b5bb-557c2a096d54","5eea8814-60dd-4d3c-bec0-3c364c88e123","8146e954-5df5-4eaa-afe6-1cef6c158456","fa69eeb1-8569-11ea-8fe4-c8348e02520c","59d1df0c-9f8c-4d39-88b2-9c649b110aa3","fa6b98ca-8569-11ea-9445-c8348e02520c","fa6be679-8569-11ea-82ff-c8348e02520c","fa6c348e-8569-11ea-9b4a-c8348e02520c","fa6c82a3-8569-11ea-8c6c-c8348e02520c","fa6cf7e0-8569-11ea-9523-c8348e02520c","fa6d45fc-8569-11ea-9289-c8348e02520c","fa6e5843-8569-11ea-8d4b-c8348e02520c","fa6f41c2-8569-11ea-98c6-c8348e02520c","fa6f8fde-8569-11ea-a8f6-c8348e02520c","fa705446-8569-11ea-aa86-c8348e02520c","fa7200ef-8569-11ea-b3aa-c8348e02520c","fa724f0c-8569-11ea-931d-c8348e02520c","fa729d2f-8569-11ea-8e66-c8348e02520c","fa73fd03-8569-11ea-aa34-c8348e02520c","fa7471e0-8569-11ea-b6ce-c8348e02520c","fa74c014-8569-11ea-aa82-c8348e02520c","e7110b5b-2788-8dad-89bb-118d066f0348","45f5c9a8-0bb5-6d2a-8562-a53d34e93887","5ea47bca-4305-4423-3b2f-3db502a42760","1256fc3f-8134-417c-9e24-a6d573eb93f9","f1bf35d8-7afb-05bd-842e-5fbddced8dbd","19b4df05-22bb-4ac7-a0d1-e1e3029c6256","395c7803-7b63-0779-6863-c5c7ac7c0d62","62ffa781-123a-a1f5-79b4-c31c2ea8769a","46a359a0-8e7b-5319-5fc1-84fb70211c0b","19a3ed70-1e90-8f62-5e90-58ec8ea3a705","09291696-0b1
d-3266-34a3-4a6eda396d8b","b944809b-373e-036c-059f-78cf8bb5206a","096294d7-8492-448e-2ad3-b4c7f7c0a535","eafdf8b8-7931-752b-6890-f6b292ca9bcb","0740862d-6150-3251-8096-8d6a06f356f5","ee063ac9-8b4b-2d38-8806-ecaae055503a","1d7c8ba9-957a-05f1-3ac0-c6cecd388592"]}},{"id":"microsoft.cdn/edgeactions","type":"Microsoft.Cdn/edgeactions","displayName":"Edge Actions","description":"All tables related to Edge Actions","related":{"tables":["EdgeActionConsoleLog","EdgeActionServiceLog"],"queries":["b30699d3-efa7-4341-acad-b0d745f57061","c72d1185-3401-4e65-9a9b-424730f26288"]}},{"id":"microsoft.agfoodplatform/farmbeats","type":"Microsoft.AgFoodPlatform/farmBeats","displayName":"Microsoft.AgFoodPlatform/farmBeats","description":"Microsoft.AgFoodPlatform diagnostic log export, LogAnalytics tables","related":{"tables":["AgriFoodFarmManagementLogs","AgriFoodWeatherLogs","AgriFoodSatelliteLogs","AgriFoodFarmOperationLogs","AgriFoodProviderAuthLogs","AgriFoodApplicationAuditLogs","AgriFoodModelInferenceLogs","AgriFoodInsightLogs","AgriFoodJobProcessedLogs","AgriFoodSensorManagementLogs"],"queries":["a4d5c564-f185-450d-9024-ac003c4f96a9","97234902-0236-4821-a438-d52c8a80a8ba","f3518255-2374-448a-878a-d5d4457da11c","b093d561-a33c-4997-a3b1-cb82f2b97c05","26b400a2-3108-4cdd-bdc9-b6889b0ecfb7"]}},{"id":"microsoft.informationprotection/datasecuritymanagement","type":"Microsoft.InformationProtection/DataSecurityManagement","displayName":"DataSecurityManagement","description":"Data Security Threat and Incident Management."},{"id":"microsoft.apimanagement/service","type":"Microsoft.ApiManagement/service","displayName":"API Management services","description":"API Management 
services.","related":{"tables":["APIMDevPortalAuditDiagnosticLog","ApiManagementGatewayLlmLog","ApiManagementGatewayMCPLog","AzureActivity","AzureMetrics","AzureDiagnostics","ApiManagementGatewayLogs","ApiManagementWebSocketConnectionLogs"],"queries":["d8f84807-6154-11ea-8c04-c8348e025209","d8fb0c4b-6154-11ea-aae5-c8348e025209","d8fc9214-6154-11ea-9ce5-c8348e025209","d8fcdffd-6154-11ea-b3f4-c8348e025209","d8fd5523-6154-11ea-b89c-c8348e025209","d8fda3be-6154-11ea-a8af-c8348e025209","d8fedbce-6154-11ea-8815-c8348e025209","d8ff5103-6154-11ea-9777-c8348e025209","d8ff9f0b-6154-11ea-aea9-c8348e025209","d8ffed31-6154-11ea-880d-c8348e025209","d900144a-6154-11ea-b2e1-c8348e025209","d9019f0b-6154-11ea-9c41-c8348e025209","d901ed1f-6154-11ea-bc4a-c8348e025209","d9023cf0-6154-11ea-ae1c-c8348e025209","d9028ad3-6154-11ea-98bf-c8348e025209"]}},{"id":"microsoft.appconfiguration/configurationstores","type":"Microsoft.AppConfiguration/configurationStores","displayName":"Microsoft App Configuration","description":"Azure App Configuration allows developers to store, retrieve and manage access to application settings all in one place. It is easy to set up and simple to use from any application. 
It gives developers the ability to modify an application's behavior on demand without having to redeploy the application.","related":{"tables":["AzureActivity","AACHttpRequest","AACAudit"],"queries":["5d179a0d-ce8a-40ed-89d0-5a5eef4f5891","a9d9a6a2-de65-4f82-aca1-17f78df08b34","d3556a69-bce6-4f66-8611-5c41237c7593","feb88498-7f52-4cbc-9893-a0eef24f8790","865a3ded-aeb4-473a-9f60-1af94374b5a2"]}},{"id":"microsoft.network/applicationgateways","type":"Microsoft.Network/applicationGateways","displayName":"Application Gateways","description":"Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications.","related":{"tables":["AzureActivity","AzureMetrics","AGWAccessLogs","AGWPerformanceLogs","AGWFirewallLogs","AzureDiagnostics"],"queries":["52772f3b-f583-4901-b75c-ec368bcb1b78","8a81a8ec-db62-45d1-b6e3-6385cadd2f74","40f8162e-e9b1-4b78-9d8a-e939fc3e363b","baf32abd-8e68-46d4-88bb-82e65859d0b2","6ab7ef4f-5ccd-4509-9a9d-98e315759d6f","62cb4687-3d08-424f-b872-71757bbcc1d0","dc815502-2306-4db0-a0a5-b34ac7f299da"]}},{"id":"microsoft.servicenetworking/trafficcontrollers","type":"Microsoft.ServiceNetworking/TrafficControllers","displayName":"Application Gateway for Containers","description":"Azure Application Gateway for Containers is an application load balancer that enables you to manage traffic to your container workloads.","related":{"tables":["AzureActivity","AzureMetrics","AGCAccessLogs","AGCFirewallLogs"],"queries":["c3cf794b-5617-4eb8-95fa-66aa2a2678df","e7766bc6-9d49-4b09-93ed-e564d7593be3","2c4f7c71-9d37-4987-a767-3951876a5477"]}},{"id":"microsoft.applink/applinks/applinksmembers","type":"Microsoft.AppLink/applinks/applinksmembers","displayName":"AppLinks","description":"Tables used for managed mesh a.k.a. 
AppLinks.","related":{"tables":["MeshControlPlane"],"queries":["39ef777f-53d8-400a-9d4e-d6e6946a538f"]}},{"id":"microsoft.web/sites","type":"Microsoft.Web/sites","displayName":"App Services","description":"Logs generated through your application and pushed to Azure Monitoring.","related":{"tables":["AzureActivity","LogicAppWorkflowRuntime","AppServiceAuthenticationLogs","AppServiceServerlessSecurityPluginData","AzureMetrics","AppServiceAppLogs","AppServiceAuditLogs","AppServiceConsoleLogs","AppServiceFileAuditLogs","AppServiceHTTPLogs","FunctionAppLogs","AppServicePlatformLogs","AppServiceAntivirusScanAuditLogs","AppServiceIPSecAuditLogs"],"queries":["edffa3dc-fbae-42e7-a972-8639d323cacf","c8e2cc5e-c9e3-499c-93ef-56ffe79e9bba","4a6eac8a-736f-4f1b-a237-f5801daedbff","e68dd16c-3295-43e8-aae2-09870e143b67","376ce53b-9f74-4c4f-ab46-dec5060092f1","ec90d150-2298-476b-8b42-953ed8907dc2","1093f8f4-6b21-4d46-b8e6-706dbc620a98","67c95b3b-0791-4e05-bc18-2d8ecdef16d3","49991367-accb-4bf3-a449-c4fe1b11d42b","34dfd1af-6153-11ea-9732-c8348e025209","34e21b0f-6153-11ea-ba17-c8348e025209","be55f9e1-ec2b-11ea-8a88-c8348e03e0b8","be55f9e2-ec2b-11ea-857f-c8348e03e0b8","be55f9e3-ec2b-11ea-9759-c8348e03e0b8","be55f9e4-ec2b-11ea-829f-c8348e03e0b8","be55f9e5-ec2b-11ea-86be-c8348e03e0b8","be55f9e6-ec2b-11ea-b9e9-c8348e03e0b8","be55f9e7-ec2b-11ea-8b7b-c8348e03e0b8","a6420dd9-f7fb-11ea-9194-c8348e03e0b8","a6428833-f7fb-11ea-8d8a-c8348e03e0b8","a6428834-f7fb-11ea-8313-c8348e03e0b8","a6428835-f7fb-11ea-b623-c8348e03e0b8","a6428836-f7fb-11ea-8392-c8348e03e0b8"]}},{"id":"microsoft.authorization/tenants","type":"Microsoft.Authorization/tenants","displayName":"Microsoft Authorization Datasets","description":"Tenant diagnostic logs from Microsoft 
Authorization.","related":{"queries":["1c9afed0-4e16-42f5-ace0-24b0b34d29d2","03e774ad-103e-42d5-b006-ba8b32754996","f1382f9e-b98d-44ca-bb27-72d5ece96dbf","f2599fa8-3ccd-41e1-a3a2-8f9bbcca9a9a","1d18188d-3133-4439-8e85-e9efaadad013"]}},{"id":"microsoft.resources/azureactivity","type":"Microsoft.Resources/AzureActivity","displayName":"Azure activity Log V2","description":"Entries from the Azure Activity log that provides insight into any subscription, management group and tenant level events that have occurred in Azure."},{"id":"microsoft.kubernetes/connectedclusters","type":"Microsoft.Kubernetes/connectedClusters","displayName":"Azure Arc Enabled Kubernetes","description":"Tables used by Azure Monitor for Containers.","related":{"tables":["AzureActivity","AzureDiagnostics","AzureMetrics","ContainerImageInventory","ContainerInventory","ContainerLog","ContainerLogV2","ContainerNodeInventory","ContainerServiceLog","Heartbeat","InsightsMetrics","KubeEvents","KubeMonAgentEvents","KubeNodeInventory","KubePodInventory","KubePVInventory","KubeServices","Perf","Syslog","ArcK8sAudit","ArcK8sAuditAdmin","ArcK8sControlPlane"]}},{"id":"microsoft.toolchainorchestrator/diagnostics","type":"Microsoft.ToolchainOrchestrator/diagnostics","displayName":"Toolchain orchestrator","description":"Toolchain orchestrator is a cloud-native, cross-platform orchestrator that simplifies and streamlines the deployment, management, and update of different application solutions across different edge environments.","related":{"tables":["AzureActivity","AzureDiagnostics","TOUserAudits","TOUserDiagnostics"],"queries":["681582c5-1c89-4701-a256-608e82cbd0aa","c9ee41c4-5b23-4e04-a193-21ee5c4cfc8d","03c620a0-e64b-46dd-8337-092d17106f96"]}},{"id":"microsoft.attestation/attestationproviders","type":"Microsoft.Attestation/attestationProviders","displayName":"Azure Attestation","description":"Azure Attestation is a unified solution for remotely verifying the trustworthiness of a platform and integrity of the 
binaries running inside it. The service receives evidence from the platform, validates the evidence against security standards and configurable policies, and produces an attestation token for claims-based applications (e.g., relying parties, auditing authorities).","related":{"tables":["AzureActivity","AzureAttestationDiagnostics"],"queries":["4b3c3ebd-fba6-49a4-8709-7507a347a969","31a88ff8-4608-4645-ab18-4b09871b07ea","c8258837-c1bd-456c-961f-14bf71748f79","d6aaf873-8082-4960-aba0-146eb0414a27","9b285dc2-6dc7-454a-aaa0-d3113cdb8825","07f7133f-baae-444c-a1a1-2e0b6caf09c2"]}},{"id":"microsoft.cache/redis","type":"microsoft.cache/redis","displayName":"Azure Cache for Redis","description":"All tables related to Azure Cache for Redis service.","related":{"tables":["ACRConnectedClientList","ACREntraAuthenticationAuditLog","AzureActivity","AzureMetrics"],"queries":["7147966e-f714-405b-b243-2c2d69e8b3fe","b0743562-0414-4fb9-a14b-fb1cfd5242b9","c7d2bca8-92e7-4c02-87f3-43aa0a0a2a3a"]}},{"id":"microsoft.cdn/profiles","type":"Microsoft.Cdn/profiles","displayName":"CDN Profiles","description":"All tables related to Azure CDN 
resources.","related":{"tables":["AzureActivity","AzureDiagnostics"],"queries":["ddf3d063-d5a6-11ea-a3df-c8348e03e0b8","ddf44593-d5a6-11ea-ac4c-c8348e03e0b8","ddf44594-d5a6-11ea-94a5-c8348e03e0b8","ddf44595-d5a6-11ea-b8bd-c8348e03e0b8","ddf44596-d5a6-11ea-a8af-c8348e03e0b8","ddf44597-d5a6-11ea-ae46-c8348e03e0b8","ddf44598-d5a6-11ea-bdfc-c8348e03e0b8","8062ec5b-0436-534c-357d-a1a9750542fd","b6e396a1-49f4-002e-943b-9bcf087a3b58","100c8fe9-2f3e-4899-6ef4-6d70047d3f84","ae03d069-6d7a-2ecd-81e4-dbc6b6337f92","19ef0e4b-2959-3cb3-22ee-594fa7417cde","a9d51280-2768-856a-84f6-e5a4396a6997","adec1d64-576d-4536-2459-b9181ce6a440","7cce0397-0d02-0d98-29de-f79a1f3a1cd6","02343258-23f7-8f05-682f-4dede54b8f38","805cb7a6-792e-93f1-9292-d71efaf296f2","c1a54a83-064c-248a-1328-77d03fd914d1"]}},{"id":"microsoft.hardwaresecuritymodules/cloudhsmclusters","type":"Microsoft.HardwareSecurityModules/cloudHsmClusters","displayName":"Azure CloudHsm","description":"Azure CloudHsm is a service that provides secure storage for cryptographic keys using hardware security modules that meet the FIPS 140-2 Level 3 security standard.","related":{"tables":["AzureActivity","AzureMetrics","CloudHsmServiceOperationAuditLogs"],"queries":["e1d8c76d-8a12-4e91-a04d-1aa38423af60","78169da5-08d5-4abb-a419-8abcae4b8279","711f80bd-d89f-4c07-84f6-e053b0d5c8ed"]}},{"id":"microsoft.communication/communicationservices","type":"Microsoft.Communication/CommunicationServices","displayName":"Communication Services","description":"All tables related to Communication 
Services.","related":{"tables":["AzureActivity","AzureMetrics","ACSChatIncomingOperations","ACSSMSIncomingOperations","ACSOptOutManagementOperations","ACSAuthIncomingOperations","ACSBillingUsage","ACSCallDiagnostics","ACSCallDiagnosticsUpdates","ACSCallingMetrics","ACSCallSurvey","ACSCallClientServiceRequestAndOutcome","ACSCallClientOperations","ACSCallClientMediaStatsTimeSeries","ACSCallSummary","ACSCallSummaryUpdates","ACSEmailSendMailOperational","ACSEmailStatusUpdateOperational","ACSEmailUserEngagementOperational","ACSCallRecordingIncomingOperations","ACSCallRecordingSummary","ACSCallClosedCaptionsSummary","ACSJobRouterIncomingOperations","ACSRoomsIncomingOperations","ACSCallAutomationIncomingOperations","ACSCallAutomationMediaSummary","ACSCallAutomationStreamingUsage","ACSAdvancedMessagingOperations"],"queries":["afece89a-eed3-4aa4-ba30-dfb7edd8b429","d72355a1-1cc9-405c-bfbb-02dfc41cfd5f","f2291767-c2a3-4865-8f70-f4f5adca5dd2","9812504c-00a6-42c4-9cd6-b1532480a3cf","4a0cdc80-bf62-498e-98e8-e52804a8a766","2e541dc6-bf82-4fcc-9e57-1faedbbfa48a","c0e3ac32-7bc7-45b0-bbd1-4f2ab8abc70e","f3712c70-6f28-4cb2-9ff1-ba35854115a2","66ffdd36-8574-4622-b269-d4965e5d8b1d","28e284cb-faf4-4577-92a6-1fa73eed18bc","8dc3bc93-2339-4035-8a92-b67f48f5d972","ca2d21c4-ac33-4ac0-88a9-ee2208e01ab7","050dc234-d6a1-4408-8c5e-dc61d81a2f57","d5195a1a-c7ab-4f2a-8720-6b3f5c544df0","cc68c95a-8de0-4c40-8394-537a00437ea7","056f1614-fffa-4286-be6b-fd614dfa4dc5","be71a17c-5ffd-4215-ab19-2ead19f56396","cf4f8822-721b-4bf0-91a8-6d0b7937047c","ed999090-4bc2-4704-ba16-ff0223930a4d","1a2b3c4d-e5f6-7a8b-9c0d-1e2f3a4b5c6d","f46854c3-fa37-4b92-8675-ce838000949b","7e8f9a0b-1c2d-3e4f-5a6b-7c8d9e0f1a2b","6d9f94e6-0421-4611-b43a-c9a8f409b83b","3e4f5a6b-7c8d-9e0f-1a2b-3c4d5e6f7a8b","7f49ca30-a69f-45fd-b06f-d2b5271587da","9c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4f","a7cc4b34-b191-4d3a-8fac-830ed3321e45","5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d","912d4bfd-f025-4f8d-909e-2936b7796eb8","023e5cae-a136-5a9e-010f-1047c8807fc9","
df398179-e2b2-418d-bfae-95faf858c0cf","d62bf65f-66b7-482f-b296-83f2ca4e19d8","444fcb48-73f7-49b4-bc43-852418bbd394","f94860c-a83f-44cb-88bd-3fc8d2ab5510","98481911-2a32-4b68-b7bb-8065ffc25376","fc661805-ba40-45c5-84f0-1afa40af255d","16168079-3eda-4f8e-b486-51a592299b87","2f874bbe-63ac-479a-ba4e-858c0607b2ac","4a3ef465-671d-4759-815e-c6bd2769da61","d13a7541-aeee-425f-89e6-33795d8e1e23","693cc58e-1b66-41f2-b83e-d92de385aace","07dd8389-c27d-4fbe-8b52-8506a933be06","e94fbeb3-4642-4ccf-b138-82c39dede64c","985dcc97-d950-413f-a024-9e12640775a9","4944e5c6-520d-41b4-84e6-9c9cc4b564ec","141e074c-7563-4d02-8e03-41fbb2be1f39","f240c320-03bb-4562-ad29-8282c706778d","2b6d1a2b-3c4d-5e6f-7e6f-4d3c9d8b2b6d","7fe223e8-c01b-482a-9578-4fb0f0fa86af","1e2d3c4b-5a6f-7e8d-9c0b-1a2b3c4d5e6f","b87b8817-e3ee-4bfc-87b3-e07176865011","7e6f5d4c-3b2a-1d0c-9e8b-7a6f5d4c3b2a","f94f0759-ed97-45dd-bdc3-d856e2c93ea4","5e6f7e8d-9c0b-1a2b-3c4d-5e6f7e8d9c0b","6309ad3f-f611-4c95-a627-5ba6b1eda4d4","5e6f7e6f-4d3c-9d8b-2b6d-1a2b3c4d5e6f","61e410fb-0923-4837-a93b-b68b771dc7f5","7e8d9c0b-1a2b-3c4d-5e6f-7e8d9c0b1a2b","ff582702-6d8c-4487-bcb7-584fc3f5c223","1a2b3c4d-5e6f-7e8d-9c0b-1a2b3c4d5e6f","b77fadc5-0e2b-4d97-958a-8069988150be","7e6f4d3c-9d8b-2b6d-1a2b-3c4d5e6f7e6f","4a074c0d-6343-46df-b9dc-c693f1cc54c5","3c4d5e6f-7e6f-4d3c-9d8b-2b6d1a2b3c4d","c8bf3142-c260-4062-8a92-b7b22ba14c90","4d3c9d8b-2b6d-1a2b-3c4d-5e6f7e6f4d3c","c1815bd9-9000-4477-8a47-7ec598b3d482","3c4d5e6f-7e8d-9c0b-1a2b-3c4d5e6f7e8d","4E309B85-22D3-4D75-96FA-E507BED0DFC4","9E690E1D-16C2-4476-A233-ECD3D3EC3815","60802B04-BD2C-455E-B18D-ABCE28675B11","44E70EDA-FA17-4B40-BF7A-4CD476525EB4","e89a42f7-5318-4ca1-a0d9-2f105543a1bf","7d6310c2-4c88-45c4-9e4d-9feab95f84f8","d64d18e9-1c75-4b3b-a6c9-acd67a6f55f6","8db4823c-7f3d-4d5a-89db-5b5f5eb2a4a9","a4b6d7c9-8e6f-4a3b-81c3-1f9d6e7b8a2c","6f935ea8-7c95-4f6b-a13a-16af03485d29","f06635bd-c6ed-4052-b2d9-074bc8fa9f79","b5716eb0-b7ed-4748-9c3f-ace527fc382a","9aeac264-1f94-4b63-a1e7-afff335dadde","0462291d-ba2
5-4268-8440-6135184e6f7b","42d970fa-0354-4325-b9c2-bc47f7cbd46b","421c4968-ba9a-41fb-8f3e-0b43837e5b79","894a51a8-1e91-4ac1-b7d8-156894eb06c2","7fb10cd3-ed0f-4a4b-a00c-a039d3e6ccbc","a634f34d-b0b7-4e06-9f63-9323011e23ea","6d965ac8-a8c6-4831-80d3-5c51275100d5","6f1bc254-caa7-4598-a714-d3ec267e2eee","61a39dfb-f069-4639-a650-ef6c292cfc7b","25852cd3-2216-49ad-a492-6778b4854c5c","b061d0cf-21c1-4b76-b890-caf0dd3ce71e","7f3d1936-3775-429b-bfd7-dc9b2ba60c64","40461cde-9c28-4bb0-a227-f6a1a7467541","b42ac607-c76d-438a-b76a-33acb4e54138","b67c8c54-3f67-47b2-b452-16fb84ed417c","9e8fe6f0-8c27-4177-aa41-e49f1e7450be","78bcf04a-0b38-4996-9f4e-7372e9c2d020","98d0fd24-6a32-435f-96ac-2581938a8416","440010c7-039e-4ef3-9e9e-edd4d3771257","7a167d23-5ea5-481e-bbb6-fd19699af0ba","b91f0d9c-d737-426a-8f82-ae437dd9f96a","8d00c931-20c2-407b-9259-1ae4c88b028d","36fbf974-5e1b-4769-87fa-225eaa89d5f7","c9644b48-1200-4111-8f62-b0149217257e","a2922c7d-f507-4475-aa51-05d132d74533","016bbfac-c423-4c25-83e5-53853c691c9c","b4cdbea5-9617-4b09-b176-50240a07ba65","f6011a1e-5ed2-4965-b7fb-62ed5ac0ffd9","a21345ab2-4eb1-1323-c5ba-64ad3bd3ga25","f05244sn2-5ed2-4965-b7fb-62ee5ac0fh21","a03245sn2-5ac1-5745-a7eb-12ce5bc0fa23","e23137ab2-1ba3-2526-a3eb-14bd1bc1gb31","b13345ab2-5ea1-3436-a5eb-24ad2bc4gb31","c22325ab2-5ea1-3436-a5eb-14ad2ac4gb31","b22325db4-5ea1-3436-a5eb-14ad2ab4gb31","d22137ab2-6ba3-2426-a2eb-14ad1bc1gb32","a6552tt9-5ed2-4965-b7fb-62ee5ac0ff66","a3552tt9-4ed2-4665-b7eb-61ee5ac0fc46","d0fad1c6-6580-4c19-ad0b-d410db4e04d6","b838972e-f1e4-4141-be20-fcb264e283ac","77b86d68-0cad-4dbe-a475-89f76f524035","aad69aaf-18e3-480a-93f3-5e4fac15f772","064165C0-C98A-490F-B1CC-EEB7E97E14D7","C413DD46-FC07-4503-BD46-6675865964D9","43BDBB0E-EDEB-4553-9D3B-0F0FCD634A2A","11E85FFF-DB30-44EB-BF92-C1B2AE87FA67","903C2AAD-D6B3-4EBE-B36F-489BAE2CE89B","5A911040-8674-47FB-B9F6-82F16E98F6EE","ADB6AFF9-FEAD-443C-BCC8-704F586CC5A4","9a6be894-4674-4d77-8d2e-844a8eb28eae","a00fc011-6091-440b-8284-f9fac99a7afe","e804b73f-639a-4
b9c-acc2-cbbbfa2ef312","ad05f177-82ee-43fb-8454-522e08f987e0","dfa672f3-f6ae-4eda-8550-1f7fbf1bcca1","6b2c4057-669d-493d-a6b3-fbb2a2f44fb3","a45ed096-b8c6-4ce1-ba2e-a6b5a52a7aae","64844757-e0db-4568-845c-cf608593778c","6c58d1d8-5dfe-4a65-9764-4bd50fbcf37d","d99254bc-99b3-421b-ba6c-8ef7d465ecfc","1b5f6e45-fefc-465e-ae38-5d5a57ce5d1a","cd98dfa9-1467-4c31-a378-b65063fea535"]}},{"id":"microsoft.containerinstance/containergroups","type":"Microsoft.ContainerInstance/containerGroups","displayName":"Microsoft Container Instances Services","description":"Tables for customer logs","related":{"tables":["ContainerInstanceLog","ContainerEvent"]}},{"id":"microsoft.documentdb/databaseaccounts","type":"Microsoft.DocumentDb/databaseAccounts","displayName":"Azure Cosmos DB","description":"All tables related to Azure CosmosDB Service.","related":{"tables":["AzureActivity","CDBDataPlaneRequests","CDBDataPlaneRequests5M","CDBDataPlaneRequests15M","CDBPartitionKeyStatistics","CDBPartitionKeyRUConsumption","CDBQueryRuntimeStatistics","CDBMongoRequests","CDBCassandraRequests","CDBGremlinRequests","CDBTableApiRequests","CDBControlPlaneRequests","AzureMetrics","AzureDiagnostics"],"queries":["bc0bf95e-735e-11ea-926d-c8348e02520c","bc0edc14-735e-11ea-85a2-c8348e02520c","bc0f5421-735e-11ea-93cb-c8348e02520c","bc0fc666-735e-11ea-9e0a-c8348e02520c","bc1014e4-735e-11ea-8c7b-c8348e02520c"]}},{"id":"microsoft.datacollaboration/workspaces","type":"Microsoft.DataCollaboration/workspaces","displayName":"Project CI Workspace","description":"All tables related to Project CI Workspaces.","related":{"tables":["AzureActivity","AzureMetrics","ACICollaborationAudit"],"queries":["3eb92137-5019-4eb0-8a01-7480256befea","bc25e051-3518-4aa2-9493-2dc1abf176b1","acd263c0-a5a3-42cd-af74-d12df6f577e3","1c7e3db4-ce89-43b3-a951-b7948e6f4874"]}},{"id":"microsoft.azuredatatransfer/connections","type":"Microsoft.AzureDataTransfer/connections","displayName":"Azure Data Transfer","description":"All tables related to Azure 
Data Transfer.","related":{"tables":["DataTransferOperations"],"queries":["1681882b-e00c-408b-8cd3-4f0b58374d7a","9d7c3fe3-1f56-4a92-9888-7ba597e3b0d2"]}},{"id":"microsoft.security/defenderforstoragesettings","type":"Microsoft.Security/DefenderForStorageSettings","displayName":"Defender for Storage Settings","description":"This table contains malware scan results for Azure Storage blobs and files, with detailed explanations for each scanned object, such as the malware type or error information in case of a failed scan.","related":{"tables":["StorageMalwareScanningResults"],"queries":["30a46f4f-dc1a-43e1-9fe4-c82750e218b3","dd5cd0fc-683c-4ace-a7da-ef6afd649407"]}},{"id":"microsoft.digitaltwins/digitaltwinsinstances","type":"Microsoft.DigitalTwins/digitalTwinsInstances","displayName":"Azure Digital Twins","description":"All tables related to the Azure Digital Twins service.","related":{"tables":["AzureActivity","ADTDataHistoryOperation","ADTDigitalTwinsOperation","ADTEventRoutesOperation","ADTModelsOperation","ADTQueryOperation"],"queries":["bc4366ef-b269-43f2-aad7-4919e5defdfb","5fdb334b-28ad-411e-8679-e9ef7f40ad1f","bb5ff65d-0c7f-11eb-be85-c8348e03e0b8","bb60447f-0c7f-11eb-9344-c8348e03e0b8","bb604480-0c7f-11eb-828b-c8348e03e0b8","bb604481-0c7f-11eb-a61d-c8348e03e0b8","bb604482-0c7f-11eb-9834-c8348e03e0b8","bb604483-0c7f-11eb-b808-c8348e03e0b8","bb604484-0c7f-11eb-bef2-c8348e03e0b8","bb604485-0c7f-11eb-b2cf-c8348e03e0b8","bb604486-0c7f-11eb-ab5c-c8348e03e0b8"]}},{"id":"microsoft.network/dnsresolverpolicies","type":"Microsoft.Network/dnsResolverPolicies","displayName":"DNS Resolver Policies","description":"DNS resolver policies allow you to monitor and manage the resolution of DNS queries coming from a virtual network.","related":{"tables":["AzureActivity","DNSQueryLogs"],"queries":["24310862-5ed4-41f6-b7b0-66176ac8a4f3"]}},{"id":"microsoft.eventgrid/namespaces","type":"Microsoft.EventGrid/namespaces","displayName":"Event Grid Namespaces","description":"All tables related to Azure 
Event Grid Namespace resource.","related":{"tables":["AzureActivity","AzureMetrics","EGNSuccessfulMqttConnections","EGNFailedMqttConnections","EGNMqttDisconnections","EGNFailedMqttPublishedMessages","EGNFailedMqttSubscriptions","EGNSuccessfulHttpDataPlaneOperations","EGNFailedHttpDataPlaneOperations","AzureDiagnostics"],"queries":["9b5542ef-7676-40ad-999d-efba45f42e9c","22db387f-49a3-4b3e-88a4-13b1b00728b8","7a684553-e9ad-4fd8-a31f-75c1a4db8d2c","56bf07f2-0029-4c3a-9eb1-22320fd92b39","60E4B8B4-31FA-4BA7-9155-44AF1DDA8BA3"]}},{"id":"microsoft.eventgrid/topics","type":"Microsoft.EventGrid/topics","displayName":"Event Grid Topics","description":"All tables related to Azure Event Grid Topics resource.","related":{"tables":["AzureActivity","AzureMetrics","AegDataPlaneRequests","AzureDiagnostics","AegDeliveryFailureLogs","AegPublishFailureLogs"],"queries":["1a5d3292-cb61-4372-bf32-0c013cb15625","14ed6864-b898-400d-9083-b811bca96cb5","09073e9b-334f-43b8-8b42-58ddf7e6b1e2","0acad5d4-9b87-11ea-b69c-c8348e02520c","0acf42ae-9b87-11ea-b093-c8348e02520c","be55aaa8-ec2b-11ea-8a0a-c8348e03e0b8"]}},{"id":"microsoft.eventhub/namespaces","type":"Microsoft.EventHub/namespaces","displayName":"Event Hubs","description":"All tables related to Azure Event Hubs 
resource.","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics","AZMSApplicationMetricLogs","AZMSOperationalLogs","AZMSRunTimeAuditLogs","AZMSDiagnosticErrorLogs","AZMSVnetConnectionEvents","AZMSArchiveLogs","AZMSAutoscaleLogs","AZMSKafkaCoordinatorLogs","AZMSKafkaUserErrorLogs","AZMSCustomerManagedKeyUserLogs"],"queries":["eaa7957b-aecb-406b-be10-f48696b0ecehdel","8a0df091-26c3-4e64-a3b9-d2b2bd397c4e","c6b1a9cd-8b76-468d-8a00-b3be3040cf2b","2600882e-3766-4e90-8823-4f1285d4595c","719df79c-282d-49ff-9163-35542afe3e47","cc0aeb16-1fe2-43c5-b483-cc8aba72b41c","b1101646-c48a-4f18-83b9-2a3af4cd2c2b","b8df4aec-7c87-46e1-a6fb-d20b9c0e0ef0","bcb23e62-59f9-4b81-b7f9-91f2157c051f","b48bce62-0ab9-4b29-9d48-fd0602f175c3","8741ae6e-c9d1-4af4-8e8b-e139342c94cd","6e754b00-8d1b-4191-a332-fe3c746d64ee","eeafb4d2-cc77-45de-8ee4-bcc7f804fa9b","375f9d9e-29bd-44ba-84ef-f30bbf8edbbb","03935bbe-6dcb-4712-a695-cba2e583784f","88ab8b25-c3c5-4c97-a93f-8e3158dc487e","9216f2d9-9b82-11ea-ba13-c8348e02520c","921acbc5-9b82-11ea-bebf-c8348e02520c","921bdcea-9b82-11ea-ad5d-c8348e02520c","921e4dd0-9b82-11ea-abb1-c8348e02520c","9220983b-9b82-11ea-a82a-c8348e02520c"]}},{"id":"microsoft.network/azurefirewalls","type":"Microsoft.Network/azureFirewalls","displayName":"Firewalls","description":"All tables related to Azure Firewall 
Service.","related":{"tables":["AZFWNetworkRule","AZFWFatFlow","AZFWFlowTrace","AZFWApplicationRule","AZFWThreatIntel","AZFWNatRule","AZFWIdpsSignature","AZFWDnsQuery","AZFWInternalFqdnResolutionFailure","AZFWNetworkRuleAggregation","AZFWApplicationRuleAggregation","AZFWNatRuleAggregation","AZFWDnsFlowTrace","AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["5eea8814-60dd-4d3c-bec0-3c364c88efca","8146e954-5df5-4eaa-afe6-1cef6c1583cb","ddacb4dd-a7c6-4f36-9642-71a0fac3a34c","3d806161-ab30-4c7c-a4fc-9bae0622e531","dca5053f-af30-44dc-bfa7-089e61668991","ae4119c9-1e46-4b3f-b9a6-df570e93e6f9","2705d573-c84c-4b40-973c-2aba2407ff22","04205bbc-69b9-4c56-8ef6-f99814abfcba","616c413f-dc29-402c-851e-3b524865ce2a","4d2fd56b-a0d4-42e1-8d0d-31e60f2e005b","48aa0383-62e4-11ea-9e82-c8348e025209","48b065a4-62e4-11ea-930c-c8348e025209","48b192a3-62e4-11ea-89fd-c8348e025209","8b7ea3bd-0571-0eec-1a82-605a44e00989","acaaa91b-7585-2e37-9930-d455f72013e5"]}},{"id":"microsoft.dashboard/grafana","type":"Microsoft.Dashboard/grafana","displayName":"Azure Managed Workspace for Grafana","description":"Azure Managed Workspace for Grafana is a joint first-party solution from Microsoft and Grafana Labs that provides the monitoring and observability of Grafana Labs with reliable, secure, and seamless integration into the Azure cloud platform.","related":{"tables":["AzureActivity","AGSGrafanaLoginEvents","AGSGrafanaUsageInsightsEvents"],"queries":["b2bd1ca4-8a33-11ec-8fd3-00155dd7661c"]}},{"id":"microsoft.healthcareinterop/workspaces","type":"Microsoft.HealthcareInterop/workspaces","displayName":"HealthCare Interoperability Service","description":"Logs generated through the HealthCare Interoperability Service and pushed to Azure Monitoring.","related":{"tables":["AHCIDiagnosticLogs"],"queries":["e2c1b8a7-4f8b-4e2a-9a3d-2c6e8f7d5b1c","e8a2f7c1-5b3d-4c9a-9e2f-7d1b6a4c2f8e"]}},{"id":"microsoft.healthcareapis/workspaces","type":"Microsoft.HealthcareApis/workspaces","displayName":"Health Data 
Services","description":"Logs generated through Health Data Services and pushed to Azure Monitoring.","related":{"tables":["AHDSMedTechDiagnosticLogs","AHDSDicomDiagnosticLogs","AHDSDicomAuditLogs"],"queries":["68299a2f-71a3-4795-a11c-9dfc7b2d0651","af396c53-a04e-43aa-8bd9-c9cf75f96318","3dfc6cd3-9545-43f3-b1b8-7c4813d1da5c","5c33c4fb-04cf-410e-9556-04509fb24090","f1aa373c-ecc6-49cd-835a-05ac38b0749f","5d9df8e3-7ff1-45f5-9569-411f6ffacfc7","c3346bdf-e3db-4af3-b6f7-5e1e73ce0d2b"]}},{"id":"microsoft.keyvault/vaults","type":"Microsoft.KeyVault/vaults","displayName":"Key Vaults","description":"Cloud applications and services use cryptographic keys and secrets to help keep information secure. Azure Key Vault safeguards these keys and secrets. When you use Key Vault, you can encrypt authentication keys, storage account keys, data encryption keys, .pfx files, and passwords by using keys that are protected by hardware security modules (HSMs).","related":{"tables":["AzureActivity","AzureMetrics","AZKVAuditLogs","AZKVPolicyEvaluationDetailsLogs","AzureDiagnostics"],"queries":["126a5c26-d357-4b03-a4bc-5e8fbd26a1b8","d196c718-afdf-4eb1-9849-4f236030f51b","10026928-5243-4850-82e5-e1c4c175bc15","163b3a0a-e23d-4648-aec6-72906be0c027","dcfebdea-1637-46b9-8452-1979e9e30251","79cf6219-a0c3-4cac-a011-e5c02fc7cada","be6a0cec-b2bc-4513-88ce-64c555f5bca6","b397218a-c6a7-4221-8265-c1fa29303883","7f5b14e9-a072-4d31-b73b-cd8de50c63b3","314645a8-79f8-487d-8dc0-7103fa5dbc7a","1986631a-103b-403b-9860-2eb03a9564c6","f35fd4ac-7121-4085-8204-b6700a59d84b","36fdb8a7-ee08-4390-8bc4-8686b9b0d4bb","d661e902-a0a1-34c4-3e41-537475821a79","4f39e42a-1858-28a8-7a2e-fae3ee9f08fc","6e21eddd-12a4-1d5d-23b3-aaf0b32737b9"]}},{"id":"microsoft.loadtestservice/loadtests","type":"Microsoft.LoadTestService/loadtests","displayName":"Azure Load Testing","description":"Azure Load Testing Service enables developers and testers to generate high-scale load that reveal actionable insights into app performance, 
scalability, and capacity with a fully managed service.","related":{"tables":["AzureActivity","AzureLoadTestingOperation"],"queries":["2a9d8818-5683-41cc-bedb-493c61a04bb6","a4b29234-b732-486e-9e5a-1d61af4aaf1e"]}},{"id":"microsoft.managednetworkfabric/networkdevices","type":"Microsoft.ManagedNetworkFabric/networkDevices","displayName":"Network Devices (Operator Nexus)","description":"Azure Operator Nexus is a carrier grade hybrid cloud platform built for mission critical mobile network applications. This table represents all the logs collected from the Nexus Network Fabric - Network Devices.","related":{"tables":["AzureMetrics","AzureActivity","MNFDeviceUpdates","MNFSystemStateMessageUpdates","MNFSystemSessionHistoryUpdates"],"queries":["96c338bf-610b-4231-83b5-df264ddbf749","f789e18e-9204-43f0-9656-ae305a7c56d3","53052d78-882f-46b7-a711-69dca0f58af4","ade0fc51-681d-490d-b8f5-216b3203e419","c21d56d3-8079-46ff-b056-9d5be6505e88","a1378514-505d-453b-a0a9-44cd62cd5228","6f7d4fb8-e91c-4fa3-aa6f-c695d21e5e1a"]}},{"id":"microsoft.documentdb/cassandraclusters","type":"Microsoft.DocumentDB/cassandraClusters","displayName":"Azure Managed Instance for Apache Cassandra","description":"All tables related to Azure Managed Instance for Apache Cassandra.","related":{"tables":["AzureActivity","CassandraAudit","CassandraLogs"],"queries":["7f99e5e3-4b53-4ac2-8b96-3f2a5f92c7f9","d2752945-c33f-4a6b-9128-e2f8e2dbf6a1"]}},{"id":"microsoft.datareplication/replicationvaults","type":"Microsoft.DataReplication/ReplicationVaults","displayName":"Azure Migrate Data Replication","description":"All tables related to Azure Migrate Data Replication Service.","related":{"tables":["ASRv2JobEvents","ASRv2HealthEvents","ASRv2ReplicationVaults","ASRv2ReplicationPolicies","ASRv2ReplicationExtensions","ASRv2ProtectedItems"]}},{"id":"microsoft.documentdb/mongoclusters","type":"Microsoft.DocumentDB/mongoClusters","displayName":"Azure Cosmos DB for MongoDB (vCore)","description":"Logs related to Azure 
Cosmos DB for MongoDB (vCore).","related":{"tables":["VCoreMongoRequests","AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["7c29ceda-72da-4398-befe-2a17722165b1","5bb1d784-35fa-4065-bcfe-d780877bb42a","9883e7d9-5df2-4ced-bd47-3fc5f34f3c7a","4ad830b9-b8b6-4e8e-a934-754d4ad2d959"]}},{"id":"microsoft.azuremonitordiagnosticsagents/datacollection","type":"Microsoft.AzureMonitorDiagnosticsAgents/DataCollection","displayName":"Azure Monitor Diagnostics Agents","description":"All tables for conditional data sets collected by Azure Monitor Diagnostics Agents via Data Collection Rules (DCRs).","related":{"tables":["DataSetRuns","DataSetOutput","PerfInsightsRun","PerfInsightsFindings","PerfInsightsImpactedResources"],"queries":["37325c2f-a267-4c55-8b85-3a315e9e50a3","e70b8048-60cc-485e-aa4c-13681020dc97"]}},{"id":"microsoft.dashboard/dashboard","type":"Microsoft.Dashboard/dashboard","displayName":"Azure Monitor Dashboard with Grafana","description":"Azure Monitor Dashboards with Grafana enable you to use Grafana's query, transformation, and visualization capability on data sources such as Azure Monitor, Azure Managed Prometheus, and Azure Resource Graph within an Azure Monitor workspace.","related":{"tables":["AzureActivity","AGSUpdateEvents"],"queries":["1b1df069-ae9b-4026-876e-09b8d1c4cf12"]}},{"id":"microsoft.monitor/pipelinegroups","type":"Microsoft.Monitor/pipelineGroups","displayName":"Azure Monitor pipeline","description":"Diagnostic logs for Azure Monitor pipeline","related":{"tables":["AzureMonitorPipelineLogErrors"],"queries":["d7f3a1b9-4c2e-48a6-b5d1-9e8f7c6a3b20"]}},{"id":"microsoft.azuredatacollection/amawindows","type":"Microsoft.AzureDataCollection/amaWindows","displayName":"Azure Monitor Agent (Windows)","description":"All tables related to AMA telemetry and diagnostics data."},{"id":"microsoft.insights/workloadmonitoring","type":"Microsoft.Insights/WorkloadMonitoring","displayName":"Workload Monitoring of Azure Monitor 
Insights","description":"Tables used by Azure Monitor Workload Monitoring for collection of diagnostic logs.","related":{"tables":["InsightsMetrics"],"queries":["0d32e6ff-9894-415e-a981-2e9e5f76bd78"]}},{"id":"microsoft.netapp/netappaccounts/capacitypools","type":"Microsoft.NetApp/netAppAccounts/capacityPools","displayName":"Azure NetApp Files","description":"All tables related to Azure NetApp Files.","related":{"tables":["ANFFileAccess","ANFTopClientReadIOPS","ANFTopClientWriteIOPS","ANFTopFileReadIOPS","ANFTopFileWriteIOPS"],"queries":["f6544502-3c0c-4e40-916d-bac6bb3ce8cf","b0398ff8-d74a-11ec-9d64-0242ac120002"]}},{"id":"microsoft.networkcloud/baremetalmachines","type":"Microsoft.NetworkCloud/bareMetalMachines","displayName":"Nexus BareMetal Machines","description":"Azure Operator Nexus is a carrier-grade hybrid cloud platform built for mission-critical mobile network applications. It simplifies the provisioning of new network services and optimizes the deployment of network functions and applications into on-premises data centers. This table collects the system and security logs of the bare-metal machines.","related":{"tables":["AzureActivity","AzureMetrics","NCBMSystemLogs","NCBMSecurityLogs","NCBMSecurityDefenderLogs","NCBMBreakGlassAuditLogs"]}},{"id":"microsoft.networkcloud/clustermanagers","type":"Microsoft.NetworkCloud/clusterManagers","displayName":"Nexus Cluster Managers","description":"Azure Operator Nexus is a carrier-grade hybrid cloud platform built for mission-critical mobile network applications. It simplifies the provisioning of new network services and optimizes the deployment of network functions and applications into on-premises data centers. 
This table collects the logs of deployments and upgrades performed on the cluster managed by the cluster manager.","related":{"tables":["AzureActivity","AzureMetrics","NCMClusterOperationsLogs"]}},{"id":"microsoft.networkcloud/clusters","type":"Microsoft.NetworkCloud/clusters","displayName":"Nexus Clusters","description":"Azure Operator Nexus is a carrier-grade hybrid cloud platform built for mission-critical mobile network applications. It simplifies the provisioning of new network services and optimizes the deployment of network functions and applications into on-premises data centers. This table collects the Kubernetes container and VM orchestration logs of the clusters.","related":{"tables":["AzureActivity","AzureMetrics","NCCIDRACLogs","NCCKubernetesAPIAuditLogs","NCCKubernetesLogs","NCCPlatformOperationsLogs","NCCVMOrchestrationLogs"],"queries":["b2f5e8a1-4c3d-4e6f-9a7b-1c2d3e4f5a6b","c3a6f9b2-5d4e-4f7a-8b9c-2d3e4f5a6b7c","d4b7a0c3-6e5f-4a8b-9c0d-3e4f5a6b7c8d","e5c8b1d4-7f6a-4b9c-0d1e-4f5a6b7c8d9e"]}},{"id":"microsoft.networkcloud/storageappliances","type":"Microsoft.NetworkCloud/storageAppliances","displayName":"Nexus Storage Appliances","description":"Azure Operator Nexus is a carrier-grade hybrid cloud platform built for mission-critical mobile network applications. 
It simplifies the provisioning of new network services and optimizes the deployment of network functions and applications into on-premises data centers. This table collects the audit and alert logs of the Storage Appliances.","related":{"tables":["AzureActivity","AzureMetrics","NCSStorageAudits","NCSStorageAlerts","NCSStorageLogs"]}},{"id":"microsoft.network/loadbalancers","type":"Microsoft.Network/LoadBalancers","displayName":"Load Balancers","description":"Azure Load Balancer is a low-latency, high-throughput network-layer load balancer that enables you to improve the availability and scalability of your applications by distributing network traffic.","related":{"tables":["ALBHealthEvent","AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["8f2774ec-9662-4eff-bc18-b223ec9ce86d"]}},{"id":"microsoft.network/natgateways","type":"Microsoft.Network/NatGateways","displayName":"NAT Gateways","description":"Azure NAT Gateway is a fully managed and highly resilient Network Address Translation (NAT) service in Azure.","related":{"tables":["NatGatewayFlowlogsV1"],"queries":["652774ec-9662-4e1f-bc18-b223ec9ce36d","252274ec-9662-4e3f-bc18-b225ec9ce31d"]}},{"id":"microsoft.playfab/titles","type":"Microsoft.PlayFab/titles","displayName":"Azure PlayFab","description":"All tables related to Azure PlayFab Services.","related":{"tables":["PFTitleAuditLogs"]}},{"id":"microsoft.securityinsights/purview","type":"Microsoft.SecurityInsights/Purview","displayName":"Microsoft Defender for Cloud","description":"All tables related to Microsoft Defender for Cloud offerings.","related":{"tables":["PurviewDataSensitivityLogs"]}},{"id":"microsoft.purview/accounts","type":"Microsoft.Purview/accounts","displayName":"Microsoft.Purview/accounts","description":"All tables related to Azure Purview service offerings such as data discovery, sensitive data classification, and end-to-end data 
lineage.","related":{"tables":["AzureActivity","PurviewScanStatusLogs","PurviewDataSensitivityLogs","PurviewSecurityLogs"],"queries":["5a5e640c-37d6-4f21-93c2-3287fd420ea3"]}},{"id":"microsoft.quantum/provideraccounts","type":"Microsoft.Quantum/providerAccounts","displayName":"Azure Quantum Provider Accounts","description":"Audit logs for Azure Quantum Provider Account operations, covering job lifecycle, queue dispatch, and target intake management.","related":{"tables":["AzureActivity","QuantumProviderAccountJobAuditLogs","QuantumProviderAccountQueueAuditLogs","QuantumProviderAccountTargetAuditLogs"]}},{"id":"microsoft.quantum/workspaces","type":"Microsoft.Quantum/workspaces","displayName":"Azure Quantum Workspaces","description":"Audit logs for Azure Quantum Workspace operations, covering job lifecycle management such as creating, updating, and canceling jobs.","related":{"tables":["AzureActivity","QuantumWorkspaceJobAuditLogs"]}},{"id":"microsoft.recoveryservices/vaults","type":"Microsoft.RecoveryServices/Vaults","displayName":"Recovery Services Vaults","description":"All tables related to Azure site recovery 
service.","related":{"tables":["AzureActivity","ASRJobs","ASRReplicatedItems","AzureBackupOperations","AzureDiagnostics","CoreAzureBackup","AddonAzureBackupJobs","AddonAzureBackupAlerts","AddonAzureBackupPolicy","AddonAzureBackupStorage","AddonAzureBackupProtectedInstance"],"functions":["b65a317e-7513-4379-b5fc-a467d3daa1d9","29112523-50d8-4bb9-931f-47b8b3da558f"],"queries":["d7328548-c02f-4461-a86d-ddea98534a3c","8ae09b10-bba7-4059-a179-4dd802f9dd28","4e376b4a-24d9-4110-9640-4c427e80af43","1b37f929-735e-11ea-b6cc-c8348e02520c","1b3a3fbb-735e-11ea-a165-c8348e02520c","1b3ab4e9-735e-11ea-bd69-c8348e02520c","1b3c1ae5-735e-11ea-9058-c8348e02520c","1b3c664d-735e-11ea-8315-c8348e02520c","1b3cdc20-735e-11ea-a43a-c8348e02520c","1b3e105a-735e-11ea-bc03-c8348e02520c","1b3ead6e-735e-11ea-9bb2-c8348e02520c","1b3f2289-735e-11ea-b431-c8348e02520c"]}},{"id":"microsoft.cache/redisenterprise","type":"Microsoft.Cache/redisEnterprise","displayName":"Azure Cache for Redis Enterprise","description":"All tables related to Azure Cache for Redis Enterprise service.","related":{"tables":["REDConnectionEvents"],"queries":["ddd81f93-5320-4626-ac94-a938757326a4","42dfde83-f564-4282-854d-612dfda54abf","e1629bb4-4c6e-49a1-a826-5627804b3dcf","d05ffa8d-2ca3-4a6b-9d91-2cee1feafc52","e4c56072-f3d4-4d90-89af-7b94cf0a80e1"]}},{"id":"microsoft.relay/namespaces","type":"Microsoft.Relay/namespaces","displayName":"Relay","description":"All tables related to Azure Relay resource.","related":{"tables":["AzureActivity","AzureMetrics","AZMSVnetConnectionEvents","AZMSHybridConnectionsEvents"],"queries":["07097c10-af17-46fd-b8a0-65c405f8b299","d25850ef-feda-42dc-afdb-d6f527854b8b","942c6acb-1f7e-498e-b5fa-d3c30f787f61"]}},{"id":"microsoft.servicebus/namespaces","type":"Microsoft.ServiceBus/namespaces","displayName":"Service Bus","description":"All tables related to Azure Service Bus 
resource.","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics","AZMSOperationalLogs","AZMSVnetConnectionEvents","AZMSRunTimeAuditLogs","AZMSApplicationMetricLogs","AZMSDiagnosticErrorLogs"],"queries":["eaa7957b-aecb-406b-be10-f48696b0ecdf","eaa7957b-aecb-406b-be10-f48696b0ecdfdel","e16d5b06-e193-4e8f-8f2c-e3dd04413d9e","2b7d7c31-a6f4-4fcc-857e-c40fd9ecd918","9edb2134-7a9d-4193-b727-1900e50b133d","5956fb69-ccc1-40a2-a7be-8cf35a3fc627","39525fb9-8431-4c02-826f-c610eaaeb9c1","e42b82a3-12b7-49d3-90da-cb8f0d15090c","5378867d-d538-4133-b9ad-b98d8e920995","7f71e893-1960-4080-b67f-1a06c5a79143","1b9a6421-8d31-4a38-ae8c-35f70ffafdb8","1b159023-07e2-4d37-9447-af7b6cc5cfc6","1bd9dbca-3306-4985-8043-b4cb8c1f21e7","26f1dcce-f504-41fc-8613-e0458cce591a","e71a5c12-1ac5-4784-9c99-ce483f11da8d","ad8246e6-68dd-4bb6-a94a-dddb9c1e35d1","066798a4-70b2-4a0e-badb-a551fa92603d","c58b9b88-9b80-11ea-9137-c8348e02520c","c58ea8c7-9b80-11ea-afe7-c8348e02520c","c591b611-9b80-11ea-8243-c8348e02520c","c593ffdc-9b80-11ea-9200-c8348e02520c","c59845a8-9b80-11ea-8a09-c8348e02520c"]}},{"id":"microsoft.azuresphere/catalogs","type":"Microsoft.AzureSphere/catalogs","displayName":"Azure Sphere","description":"All tables related to the Azure Sphere Service.","related":{"tables":["ASCAuditLogs","ASCDeviceEvents"],"queries":["483f4b2c-5325-441f-9ec4-edc9baefcdd4","24acfce7-569c-4e05-9145-e09752fae02c","0c4a1b53-4761-4793-88ee-b5e569a333c4","f718df22-98e8-4b32-a6d0-bfd05f725a42","5ef6030d-8c6a-44a0-8739-5797f36eea20"]}},{"id":"microsoft.sql/servers","type":"microsoft.sql/servers","displayName":"SQL Servers","description":"All tables related to SQL 
Servers.","related":{"tables":["AzureSQLQueryStoreWaitStatistics","AzureSQLAutomaticTuning","AzureSQLBlocks","AzureSQLDatabaseWaitStatistics","AzureSQLDeadlocks","AzureSQLErrors","AzureSQLQueryStoreRuntimeStatistics","AzureSQLResourceUsageStats","AzureSQLTimeouts","AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["44e16774-d990-4192-8fce-2e543e34633a","a1b2c3d4-e5f6-4192-8fce-2e543e34633b","a1b2c3d4-e5f6-4192-8fce-2e543e34633c","a1b2c3d4-e5f6-4192-8fce-2e543e34633d","a1b2c3d4-e5f6-4192-8fce-2e543e34633e","a1b2c3d4-e5f6-4192-8fce-2e543e34633f","a1b2c3d4-e5f6-4192-8fce-2e543e346341","a1b2c3d4-e5f6-4192-8fce-2e543e346343","a1b2c3d4-e5f6-4192-8fce-2e543e346345","a1b2c3d4-e5f6-4192-8fce-2e543e346348","59e7db22-9f52-11ea-b8de-c8348e02520c","59ecbd47-9f52-11ea-bc53-c8348e02520c","59f150f7-9f52-11ea-8681-c8348e02520c","59f34cde-9f52-11ea-a5c7-c8348e02520c"]}},{"id":"microsoft.standbypool/standbycontainergrouppools","type":"microsoft.standbypool/standbycontainergrouppools","displayName":"Microsoft.StandbyPool","description":"Standby pools improve scaling performance by pre-provisioning containers, which can be quickly moved into the container group, either in a running or stopped state, significantly reducing the time needed to scale out.","related":{"tables":["SCGPoolExecutionLog","SCGPoolRequestLog"],"queries":["aed2e616-52ae-4c8e-8562-af62c017718a","6f2a51a0-449a-4578-b715-4f634a4d084a"]}},{"id":"microsoft.standbypool/standbyvirtualmachinepools","type":"microsoft.standbypool/standbyvirtualmachinepools","displayName":"Microsoft.StandbyPool","description":"Standby pools improve scaling performance by pre-provisioning virtual machines, which can be quickly moved into the scale set, either in a running or stopped state, significantly reducing the time needed to scale 
out.","related":{"tables":["SVMPoolExecutionLog","SVMPoolRequestLog"],"queries":["d76e62a6-9777-4e9c-a455-1d2541deaaf2","485749e7-4fa6-4e11-80f7-ef1696cd7736"]}},{"id":"microsoft.networkfunction/azuretrafficcollectors","type":"Microsoft.NetworkFunction/AzureTrafficCollectors","displayName":"Azure Traffic Collector","description":"All tables related to Azure Traffic Collector.","related":{"tables":["AzureActivity","AzureMetrics","ATCExpressRouteCircuitIpfix","ATCPrivatePeeringMetadata","ATCMicrosoftPeeringMetadata"],"queries":["db83ff91-df3b-4d7d-b62f-559d49e7d63c","5c27eae1-f25b-46e1-b18b-c1cc11e35ddb","b40ab49e-3ef0-4c97-862b-207b98a68b02"]}},{"id":"microsoft.network/networkmanagers","type":"Microsoft.Network/networkManagers","displayName":"Azure Virtual Network Manager","description":"Azure Virtual Network Manager is a highly scalable, centralized network management solution that enables customers to configure the connectivity and security of network resources globally across subscriptions.","related":{"tables":["AzureActivity","AzureMetrics","AVNMNetworkGroupMembershipChange","AVNMRuleCollectionChange","AVNMConnectivityConfigurationChange","AVNMIPAMPoolAllocationChange"],"queries":["f4d4d8db-7fa4-4196-872f-c8235d23ee8e","70eca34a-da99-45bf-9d68-415eb5def7c3","7c5ca7f7-1d91-461b-b451-9bb10d8ebdde","10b9ae2f-97fd-4807-af5f-8039f9cc7491","32e84b39-f121-4053-8d37-111c385f3e1a","b09ac15b-67c3-4531-bbb6-b0e2dba38d73","e522b056-537a-4775-9e13-2bc6e83fcd9c","ed719e04-ef7e-4d72-b03f-14e429ce4a4f"]}},{"id":"microsoft.avs/privateclouds","type":"microsoft.avs/privateClouds","displayName":"AVS Private Cloud","description":"Azure VMware Solution offers private clouds that contain VMware vSphere clusters built from dedicated bare-metal Azure 
infrastructure.","related":{"tables":["AVSVcSyslog","AVSEsxiFirewallSyslog","AVSEsxiSyslog","AVSNsxManagerSyslog","AVSNsxEdgeSyslog","AVSSyslog"],"queries":["c864821b-bcc9-4305-a0e1-37dcb9f1f82d","462adba2-ab3c-42ad-8279-ba34d5f3cd49","517e9bd0-4635-44cd-9ddc-6f799d319de2","76378a5b-a5ed-4ad1-b0fa-8831475066be","a00b5597-266a-49b4-be69-ebf5606677a6","5206e354-d7a9-4eec-b3e9-7e5255a932a0","cfcdfea7-2e51-45b0-9d09-62a35900b151","7aef15d0-37cf-4db0-9691-fddd8508210b","0fc4a89c-1430-4422-816b-f3ead837b9c8","9dccb0ff-36b5-4682-b6ab-e7a4f085d782","fe1dd542-afb3-4b72-88c0-02e00a34608a","d4737f7d-28ee-4969-bf67-9065fd911210","09a0e87c-6410-4316-b7be-80b6592ca8e4","4bc9187e-5aec-464a-ba2f-86f07d1bc42b","a3b9cb07-69f5-4034-9b3d-c5f4ee3655c7","637510f2-9609-4eed-ad8d-8efc0bfe442a","cbcf3a45-5896-4020-abb3-bdc0c0581319","2079cc76-82bd-4deb-beb7-595a66c8e7b0","254a4228-9e71-489f-ba2c-e47017afbaa3"]}},{"id":"microsoft.botservice/botservices","type":"Microsoft.BotService/botServices","displayName":"Bot Services","description":"All tables related to Azure Bot Service.","related":{"tables":["AzureActivity","ABSBotRequests"],"queries":["64f87548-08b9-4b7a-83af-c05315d36666","8b407dc8-15eb-4ab6-8ddc-b9fa4d71ea0a","bc1ef3cf-7f5d-4516-9464-3d192bddce3b","60f51b61-07de-4bd5-a0ee-e0d9cf82d340","10fc7fcb-95db-4b92-aeb7-36e8fdec7d31","b8e80791-6507-423b-8cba-0e0b320af1c3","fec44dbd-94cd-4dab-8c68-0b0b64c256de","599d9097-d85c-44a3-8284-55e525590f20","599d9097-d85c-44a3-8284-55e525590f21","599d9097-d85c-44a3-8284-55e525590f23","599d9097-d85c-44a3-8284-55e525590f24","599d9097-d85c-44a3-8284-55e525590f25","599d9097-d85c-44a3-8284-55e525534f97"]}},{"id":"microsoft.securityinsights/casemanagement","type":"Microsoft.SecurityInsights/CaseManagement","displayName":"Case Management","description":"All tables related to Case Management audit logs and entity field 
changes.","related":{"queries":["a1b2c3d4-1111-4aaa-bbbb-000000000001","a1b2c3d4-1111-4aaa-bbbb-000000000002","a1b2c3d4-1111-4aaa-bbbb-000000000003","a1b2c3d4-1111-4aaa-bbbb-000000000004","a1b2c3d4-1111-4aaa-bbbb-000000000005","a1b2c3d4-1111-4aaa-bbbb-000000000006","a1b2c3d4-1111-4aaa-bbbb-000000000007","a1b2c3d4-1111-4aaa-bbbb-000000000008","a1b2c3d4-1111-4aaa-bbbb-000000000009","a1b2c3d4-1111-4aaa-bbbb-000000000010","a1b2c3d4-1111-4aaa-bbbb-000000000011","a1b2c3d4-1111-4aaa-bbbb-000000000012","a1b2c3d4-1111-4aaa-bbbb-000000000013","a1b2c3d4-1111-4aaa-bbbb-000000000014"]}},{"id":"microsoft.chaos/experiments","type":"Microsoft.Chaos/experiments","displayName":"Chaos Experiment","description":"The experiment orchestration of chaos execution.","related":{"tables":["AzureActivity","ChaosStudioExperimentEventLogs"],"queries":["16191aba-3eee-4973-b338-7077300f32e1","151d25cf-7e9a-48eb-98ff-fe39a595ddff"]}},{"id":"microsoft.operationalinsights/workspaces","type":"Microsoft.OperationalInsights/Workspaces","displayName":"Log Analytics workspaces","description":"All tables related to Log Analytics Workspaces.","related":{"tables":["Event","WindowsFirewall","AzureMetrics","Perf","Syslog","LAQueryLogs","LASummaryLogs","AzureMetricsV2","LAJobLogs","OTelResources","OTelSpans","OTelEvents","OTelLogs","OTelTraces","OTelTracesAgent","AppGenAIContent"],"queries":["89e77e30-828d-4e3d-96a2-d28befa4275b","c6eb80df-d93e-451d-8a78-500adeb829ca","4a4819f6-4d4f-4c1e-8f9f-445c957af054","78b49d99-ccb7-4791-ba0c-73fbf2104daa","9edff33b-7951-4601-a50b-1da5fea7a127","3b374e0c-6e5c-4367-88a8-10d265ce5e42","323226e0-df9e-4287-92aa-3795cf8a964e","38d33331-aba2-43f7-92c5-c527123edbf6","bd465c3f-0a2c-4ab7-ad8b-43b616528363","3f8d4567-12ab-34cd-56ef-789012345678","1e2f3a4b-5c6d-7e8f-9012-3456789abcde","2a1b3c4d-6e7f-8901-bcde-f23456789abc"]}},{"id":"microsoft.cognitiveservices/accounts","type":"microsoft.cognitiveservices/accounts","displayName":"Cognitive Services","description":"Account for 
Cognitive Services resources","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"]}},{"id":"microsoft.confidentialledger/ledgers","type":"Microsoft.ConfidentialLedger/Ledgers","displayName":"Azure confidential ledger","description":"Azure confidential ledger is a trusted, auditable data store ensuring highest levels of tamperproof integrity for sensitive data stored directly or via other data sources, such as Azure SQL database server, Azure Blob Storage and other connectors. It is suitable for audit logs/digest, confidential logs, and immutable records.","related":{"tables":["LedgerUserDefinedLogs","LedgerTransactionLogs","ACLTransactionLogs","ACLUserDefinedLogs"],"queries":["e159f354-4be5-40de-90cc-0152553aca5a","3f837a43-8382-465c-9681-cadd66b5755d","f986ae23-a5e3-4b1a-8c7f-d3209a0267a7","a68218d8-84d3-45ce-87c5-1ff89cbe9eaf"]}},{"id":"microsoft.connectedcache/cachenodes","type":"Microsoft.ConnectedCache/CacheNodes","displayName":"Microsoft Connected Cache","description":"ConnectedCache diagnostic logs, LogAnalytics tables","related":{"tables":["AzureActivity","AzureMetrics","MCCEventLogs"]}},{"id":"microsoft.connectedvehicle/platformaccounts","type":"Microsoft.ConnectedVehicle/platformAccounts","displayName":"Microsoft Connected Vehicle Platform","description":"Microsoft.ConnectedVehicle diagnostic log export, LogAnalytics tables","related":{"tables":["AzureActivity","AzureMetrics","MCVPOperationLogs","MCVPAuditLogs"]}},{"id":"microsoft.network/networkwatchers/connectionmonitors","type":"Microsoft.Network/NetworkWatchers/Connectionmonitors","displayName":"Network Watcher - Connection Monitor","description":"All tables related to Network Watcher - Connection 
Monitor","related":{"tables":["AzureActivity","NWConnectionMonitorTestResult","NWConnectionMonitorPathResult","NWConnectionMonitorDNSResult"],"queries":["8a9e48ac-20be-4074-8118-9366e73d8dac","da3145ca-5cb9-43f4-afcc-0544bc320d8d","a756c739-e5cb-4bf1-9b37-4d58d5a49e2d"]}},{"id":"microsoft.app/managedenvironments","type":"Microsoft.App/managedEnvironments","displayName":"Container Apps","description":"Logs for Azure Container Apps Environments configured with Azure Monitor support. Logs pushed to this Log Analytics resource originate from Shoebox Logs.","related":{"tables":["AzureActivity","ContainerAppConsoleLogs","ContainerAppSystemLogs","AppEnvSpringAppConsoleLogs","AppEnvSessionConsoleLogs","AppEnvSessionPoolEventLogs","AppEnvSessionLifecycleLogs","ContainerAppHTTPLogs"],"queries":["36891d32-455c-4492-9681-a06713a17de0","191c185d-0bb0-4690-a8cd-51a38289b9c0","9db05ad5-c9f7-4136-882e-a5bebb798cf1","e5922e5d-6e1c-4bb8-a0ba-eb64414622a6","10b27cd1-2881-481a-aa4e-7a7b310fe3af","67abc9cc-f88e-4d0f-9b47-51bbff409682","f94b4370-78dd-40ad-9b22-f3461f9d8446","cbb070f5-c424-41ff-96ab-f3e6e31e18f2","cf1dc664-075c-4fb6-962c-0280edb652a0","8dbbc541-1c2b-4985-8e5c-fbb3e908bd0d","5c9510de-ae67-4f1d-afa8-97d8e458182c","9bc303aa-0156-42d0-a4ea-5795de314b01"]}},{"id":"microsoft.d365customerinsights/instances","type":"Microsoft.D365CustomerInsights/instances","displayName":"Dynamics 365 Customer Insights","description":"All tables related to Customer Insights","related":{"tables":["AzureActivity","CIEventsAudit","CIEventsOperational"],"queries":["d42180dc-be37-4b53-9c02-302848dfff5f","6fabff7b-d466-43a6-b5e4-e91acd00a155","5de254d1-fd54-4468-a243-6756670c51ca","c72b0389-6dc7-40de-9e90-ce5ade614d46","427943d1-85ad-4fc2-b268-3da41e4a6c1a","e71bcfbf-4518-41ea-b013-80e249d62c28","bd46892d-853b-4b2e-a72d-040189673031","3888a9d5-61f3-43e1-af05-40cf805d0dc2"]}},{"id":"microsoft.databricks/workspaces","type":"Microsoft.Databricks/workspaces","displayName":"Azure Databricks 
Services","description":"Tables related to Databricks workspaces.","related":{"tables":["AzureActivity","AzureMetrics","DatabricksBrickStoreHttpGateway","DatabricksDashboards","DatabricksCloudStorageMetadata","DatabricksPredictiveOptimization","DatabricksDataMonitoring","DatabricksIngestion","DatabricksMarketplaceConsumer","DatabricksLineageTracking","DatabricksFilesystem","DatabricksApps","DatabricksClusterPolicies","DatabricksDataRooms","DatabricksGroups","DatabricksMarketplaceProvider","DatabricksOnlineTables","DatabricksRBAC","DatabricksRFA","DatabricksVectorSearch","DatabricksWebhookNotifications","DatabricksWorkspaceFiles","DatabricksLakeviewConfig","DatabricksFiles","DatabricksBudgetPolicyCentral","DatabricksAccounts","DatabricksClusters","DatabricksDBFS","DatabricksInstancePools","DatabricksJobs","DatabricksNotebook","DatabricksSQL","DatabricksSQLPermissions","DatabricksSSH","DatabricksSecrets","DatabricksTables","DatabricksWorkspace","DatabricksFeatureStore","DatabricksGenie","DatabricksGlobalInitScripts","DatabricksIAMRole","DatabricksMLflowAcledArtifact","DatabricksMLflowExperiment","DatabricksRemoteHistoryService","DatabricksGitCredentials","DatabricksWebTerminal","DatabricksDatabricksSQL","DatabricksCapsule8Dataplane","DatabricksClamAVScan","DatabricksClusterLibraries","DatabricksDeltaPipelines","DatabricksModelRegistry","DatabricksPartnerHub","DatabricksRepos","DatabricksServerlessRealTimeInference","DatabricksUnityCatalog"],"queries":["e2505eec-f620-4fbb-87e7-eb447d608a04"]}},{"id":"microsoft.insights/datacollectionrules","type":"Microsoft.Insights/datacollectionrules","displayName":"Data Collection Rules","description":"Diagnostic logs for DCR-based data collection","related":{"tables":["DCRLogErrors"],"queries":["d7d0e750-f20c-4d13-8887-2d088f25bb68"]}},{"id":"microsoft.dbformysql/flexibleservers","type":"Microsoft.DBForMySQL/flexibleServers","displayName":"Azure Database for MySQL Flexible Servers","description":"All tables related to Azure 
Database for MySQL Flexible Servers.","related":{"tables":["AzureActivity","AzureDiagnostics","AzureMetrics","MySqlAuditLogs","MySqlSlowLogs"],"queries":["09097f08-6a4b-4747-a251-21dd4237d99a","4fec14fe-d662-4b6f-a3a6-4a6bfcfe55cb","83c3b089-8510-4925-8614-f7f36a04af0b"]}},{"id":"microsoft.dbforpostgresql/flexibleservers","type":"Microsoft.DBForPostgreSQL/flexibleServers","displayName":"Azure Database for PostgreSQL Flexible Servers","description":"All tables related to Azure Database for PostgreSQL Flexible Servers.","related":{"tables":["AzureActivity","AzureDiagnostics","AzureMetrics","PGSQLPgStatActivitySessions","PGSQLDbTransactionsStats","PGSQLQueryStoreRuntime","PGSQLQueryStoreWaits","PGSQLAutovacuumStats","PGSQLServerLogs","PGSQLPgBouncer","PGSQLQueryStoreQueryText"],"functions":["bd5b5b75-dad2-40f2-b2f1-a58a0b41106d","7625213e-e8e7-433c-9f64-fdc984ad7ee0","cd3f45c0-2b70-42d9-bbad-cbbe7f3ee715","86401b72-78ca-46bd-a1ef-2f63d9230a5c","d6dad52a-5669-4cb4-bbbe-d5d1e4f9435d","2d003852-e92b-49b3-b12e-164332b0edab","f7a72ca9-df71-4cfb-811a-ea70469f3e3f"],"queries":["6c056893-0853-4a39-9638-35a5b0644363","61d8a45e-1589-489f-8d69-792c36fa8967","80ddf123-662f-408d-b1c9-1efcaee4ea25","3c0316ed-8069-4b75-8247-519398618f34","8c11b79a-eff0-439c-a54c-519a0cdc30cf","abca51a5-f135-4977-af75-46670f36017c","c50219bc-5393-40c6-b7aa-d5ac8cd065b8","c8e78040-e38f-46d1-a4ca-ec3fa1ea3c92","faffa3cc-01d7-4c65-9dcd-15c65d8db91f","54526cff-06de-4bec-bfa5-6909c04908bb","b61211bc-abef-4e01-b6f5-9154166f9021","8c1d6f16-f409-4be5-a36e-e7366e91fbc8","0f906ebd-a275-4f19-afb8-66956e3de6ba","d8825350-6728-45cd-8120-edf428e459f1","f41d96e1-a466-434c-96ba-f7ae31601398","bd908e0d-680a-40b9-88c2-b7fedf053c96","98ce5af3-de4d-45ac-91dc-b8a42f9bd2a4","f749c7ac-5407-4926-a42f-b8c684d6b169","6cba4bad-1a95-4970-9fc6-1a5f6936187b","c5ec4e2d-c7b3-42c3-9150-6ec344d62ee3","73917797-b07e-495f-874e-337d5c089123","3412a5f6-4520-4ac5-bd10-6b137a30845e","f88e66dd-2057-47d3-9758-3aab93c7602a"]}},{"id":"microsoft
.devcenter/devcenters","type":"Microsoft.DevCenter/devcenters","displayName":"Dev Centers","description":"Dev Center is an Azure Service which will enable dev teams to self-serve development environments in the cloud, adhering to corporate security standards.","related":{"tables":["AzureActivity","AzureMetrics","DevCenterDiagnosticLogs","DevCenterResourceOperationLogs","DevCenterBillingEventLogs","DevCenterAgentHealthLogs","DevCenterConnectionLogs"],"queries":["44a38a05-1147-4795-bd5e-fa808308375f","51e6c592-e4f1-d373-e927-aab82f9c1044","25f8bafd-7cf8-4eb9-a10b-b8e23442f666","000c951d-5d77-4590-ab98-813149c42682","be18b9bb-7cde-4b04-961a-b08db7f51882"]}},{"id":"microsoft.devopsinfrastructure/pools","type":"Microsoft.DevOpsInfrastructure/pools","displayName":"Managed DevOps Pools","description":"Compliant compute to be used in Azure DevOps/Github pipelines.","related":{"tables":["AzureActivity","MDPResourceLog"]}},{"id":"microsoft.discovery/bookshelves","type":"Microsoft.Discovery/bookshelves","displayName":"Microsoft Discovery Bookshelves","description":"Knowledge base resources in the Microsoft Discovery platform for managing and querying domain knowledge.","related":{"tables":["AzureActivity","DiscoveryBookshelfAuditLogs"],"queries":["6b8cd500-15a6-4311-a97b-806710922c5a","c7ce5ec8-5650-443b-9690-f79167d4ad28","4fc5e32f-d276-4f01-b513-d28ff85ff632"]}},{"id":"microsoft.discovery/supercomputers","type":"Microsoft.Discovery/supercomputers","displayName":"Microsoft Discovery Supercomputers","description":"High-performance computing resources in the Microsoft Discovery platform for running large-scale scientific workloads.","related":{"tables":["AzureActivity","DiscoverySupercomputerAuditLogs"],"queries":["11e2a947-7cac-4932-b08c-833ca8ed4b66","54954c67-9753-4acb-b9c4-647ed5eb8962","09eb47e3-0af5-4434-9e49-a71e5c3ceeb4"]}},{"id":"microsoft.discovery/workspaces","type":"Microsoft.Discovery/workspaces","displayName":"Microsoft Discovery 
Workspaces","description":"Collaborative AI/ML workspace resources in the Microsoft Discovery platform.","related":{"tables":["AzureActivity","DiscoveryWorkspaceAuditLogs"],"queries":["3b6c64fc-9624-45d4-8ca9-387fb3996ecf","f17b9109-4747-4ce4-94d1-bffc4bc04e18","4aa5f9aa-2eea-4297-95b4-37143a962df5"]}},{"id":"microsoft.durabletask/schedulers","type":"Microsoft.DurableTask/schedulers","displayName":"Durable Task Schedulers","description":"Logs for Azure Durable Task Schedulers configured with Azure Monitor support. Logs pushed to this Log Analytics resource originate from Shoebox Logs.","related":{"tables":["AzureActivity","DurableTaskSchedulerLogs"],"queries":["dc826897-f00f-4d3d-8f4f-1c8a370a0e78","1e6825d2-847b-4027-a2d7-699d8875f6eb"]}},{"id":"microsoft.dynamics/fraudprotection/purchase","type":"Microsoft.Dynamics/FraudProtection/Purchase","displayName":"Microsoft.Dynamics.FraudProtection/purchase","description":"All tables related to Dynamics Fraud Protection service offerings such as purchase, purchase status, bank event, refund, chargeback."},{"id":"microsoft.experimentation/experimentworkspaces","type":"Microsoft.Experimentation/experimentWorkspaces","displayName":"Experiment Workspace","description":"All tables related to Experimentation service.","related":{"tables":["AzureActivity","AEWAuditLogs","AEWComputePipelinesLogs","AEWAssignmentBlobLogs","AEWExperimentAssignmentSummary","AEWExperimentScorecards","AEWExperimentScorecardMetricPairs"],"queries":["4a8a8d90-af11-1302-7556-02c1a6c4287f","307938f2-3ebe-e1dd-e6cd-60181b631133","c6b38466-c4e7-4b51-59c6-9dc6ab8b7d56","8abfa818-c87f-81c7-99ef-fa38d0c750b3","bcec51fd-9e72-40a8-b01b-6d3fd16e0fb6","967eb9bf-2d91-4a86-8115-18ee8b458d0e","7f870b0a-b457-4221-a739-20bf3ece31f3"]}},{"id":"microsoft.hdinsight/clusters","type":"Microsoft.HDInsight/Clusters","displayName":"HDInsight Clusters","description":"All tables related to HDInsight 
Service.","related":{"tables":["AzureActivity","HDInsightKafkaLogs","HDInsightKafkaMetrics","HDInsightHBaseLogs","HDInsightHBaseMetrics","HDInsightStormLogs","HDInsightStormMetrics","HDInsightStormTopologyMetrics","HDInsightGatewayAuditLogs","HDInsightAmbariSystemMetrics","HDInsightAmbariClusterAlerts","HDInsightSparkApplicationEvents","HDInsightSparkBlockManagerEvents","HDInsightSparkEnvironmentEvents","HDInsightJupyterNotebookEvents","HDInsightSparkExecutorEvents","HDInsightSparkExtraEvents","HDInsightSparkJobEvents","HDInsightSparkSQLExecutionEvents","HDInsightSparkStageEvents","HDInsightSparkStageTaskAccumulables","HDInsightSparkTaskEvents","HDInsightSparkLogs","HDInsightSecurityLogs","HDInsightRangerAuditLogs","HDInsightHiveAndLLAPLogs","HDInsightHiveAndLLAPMetrics","HDInsightHadoopAndYarnLogs","HDInsightHadoopAndYarnMetrics","HDInsightOozieLogs","HDInsightHiveQueryAppStats","HDInsightHiveTezAppStats"]}},{"id":"microsoft.healthdataaiservices/deidservices","type":"Microsoft.HealthDataAIServices/deidServices","displayName":"Azure Health Data Services de-identification service","description":"Logs generated through Azure Health Data Services de-identification service and pushed to Azure Monitoring.","related":{"tables":["AHDSDeidAuditLogs"]}},{"id":"microsoft.intune/operations","type":"microsoft.intune/operations","displayName":"Intune Specialist Reports.","description":"Intune Specialist Reports.","related":{"tables":["Windows365AuditLogs"]}},{"id":"microsoft.aadiam/tenants","type":"microsoft.aadiam/tenants","displayName":"Azure Active Directory Logs","description":"All tables related to Azure Active Directory 
logs.","related":{"tables":["AADB2CRequestLogs"],"queries":["0672f0f4-b973-486e-8f05-25f93f3799cb","d6cf92b1-3b52-4b8b-b5c6-c4c1a0d657ee","e16559ad-9ff2-418b-b194-8bccf6fb184c","cdeed2a7-e6b7-4e08-bd8e-a7d9d6ec08a8","6b26cc79-2a2f-4d29-9caa-bd14690e53ed","29ccaaf9-d25b-4aec-8b2b-3047a16516f9","e3e89b71-9c05-46e9-a981-6ec61edbd52d","000c3177-e775-4c3b-8425-c346af81389d","d02256eb-1eae-46e9-b63b-4e389f6ce0ae","ae89676f-3dbe-495a-a5e6-b9673afe98ca","58719d71-dd9e-4c0c-9405-2e3d5a47f10a","f3b8ad66-b178-49bf-b165-31c2896c406b","9e1062d5-b526-42d0-9d46-80ec8604da4d","62ae5228-928d-4ef8-a383-3d3793dec41c"]}},{"id":"microsoft.compute/virtualmachines/extensions","type":"Microsoft.Compute/VirtualMachines/Extensions","displayName":"Azure virtual machine extensions","description":"Understand monitoring agent status. Keep track of agents deployed in Azure or Azure Arc-connected environments.","related":{"tables":["AMAHealth"]}},{"id":"microsoft.compute/virtualmachines","type":"Microsoft.Compute/VirtualMachines","displayName":"Virtual machines","description":"Understand monitoring agents status. 
Keep track of agents deployed in Azure, other cloud environments, or on-premises","related":{"tables":["Heartbeat","W3CIISLog","AzureActivity","AzureMetrics","ADAssessmentRecommendation","ADReplicationResult","ComputerGroup","ContainerLog","DataSetOutput","DataSetRuns","DnsEvents","DnsInventory","SecurityBaselineSummary","SQLAssessmentRecommendation","ConfigurationChange","ConfigurationData","Event","Perf","PerfInsightsFindings","PerfInsightsImpactedResources","PerfInsightsRun","ProtectionStatus","SecurityBaseline","SecurityEvent","Syslog","Update","UpdateRunProgress","UpdateSummary","VMBoundPort","VMConnection","VMComputer","VMProcess","WindowsFirewall","WireData","InsightsMetrics","HealthStateChangeEvent","CommonSecurityLog"],"queries":["c8f597f3-9251-468a-86b3-d94ed8ea996d","bdbc27e8-3f5d-4981-9050-5ed7f63615a8","ba8b1839-7334-11ea-bed0-c8348e02520c","ba8e256b-7334-11ea-99d3-c8348e02520c","35883956-d397-42e6-a820-01eaceb11471","32b49610-7500-4578-a909-b937a976ebfe","d2f75376-07d4-4ef7-b3b4-36a97d5b6228","f4ee7d36-fcae-4d21-879b-e11f9a831590","6810d165-9ec6-4e87-84e4-800d74cf85ad","b6aa1541-5290-41c5-9bc3-48e26fd6f899","10eeb5b8-140d-4790-a509-e6f2d62c6abe","d78e5c0b-190f-42b3-9b90-43758415fab2","e7e0e961-d151-41fd-9062-260808ae1190","ccbfe85d-b880-4ec2-8760-c382d17db131","820798dc-cd18-4f1a-b7f0-1163f78e3935","8318f5a7-adba-41d0-8170-c5af5b31e494","f7a287bb-a9ab-44c1-942f-1ec5c03e388e","043360e8-9071-46fe-8ae2-1c27eeca2d7b","5cd45fcf-8566-11ea-821c-c8348e02520c","5cd6f7ed-8566-11ea-a2a1-c8348e02520c","5cd745fe-8566-11ea-9fa7-c8348e02520c","5cd79425-8566-11ea-ab11-c8348e02520c","5cd7e251-8566-11ea-b5f3-c8348e02520c","5cd85792-8566-11ea-b77a-c8348e02520c","51c067a6-a025-11ea-a1b8-c8348e02520c","51c43753-a025-11ea-b382-c8348e02520c","51c6ccf0-a025-11ea-93fd-c8348e02520c","51d5d5cb-a025-11ea-a80b-c8348e02520c","51d64afb-a025-11ea-a30b-c8348e02520c","51d84768-a025-11ea-a170-c8348e02520c","51d8e30c-a025-11ea-a73e-c8348e02520c","51da42ca-a025-11ea-8b9b-c8348e02520c","51
db05ee-a025-11ea-93b5-c8348e02520c","51db7b14-a025-11ea-96a8-c8348e02520c","51dcdaa5-a025-11ea-8887-c8348e02520c","51dd28da-a025-11ea-9725-c8348e02520c","51dd9de7-a025-11ea-99e2-c8348e02520c"]}},{"id":"microsoft.logic/integrationaccounts","type":"Microsoft.Logic/integrationAccounts","displayName":"Integration Account.","description":"Diagnostics data for B2B messages in Azure Logic Apps. After you set up B2B communication between trading partners in your integration account, those partners can exchange messages by using protocols such as AS2, X12, and EDIFACT. To check that this communication works the way you expect, you can enable monitoring in your integration account. These monitoring logs appear here.","related":{"tables":["AzureActivity","LIATrackingEvents"]}},{"id":"microsoft.machinelearningservices/workspaces","type":"Microsoft.MachineLearningServices/workspaces","displayName":"Machine Learning","description":"All tables related to OnlineEndpoints.","related":{"tables":["AzureActivity","AmlOnlineEndpointConsoleLog","AmlOnlineEndpointTrafficLog","AmlOnlineEndpointEventLog","AzureMetrics","AmlComputeClusterEvent","AmlComputeClusterNodeEvent","AmlComputeJobEvent","AmlRunStatusChangedEvent","AmlComputeCpuGpuUtilization","AmlComputeInstanceEvent","AmlDataLabelEvent","AmlDataSetEvent","AmlDataStoreEvent","AmlDeploymentEvent","AmlEnvironmentEvent","AmlInferencingEvent","AmlModelsEvent","AmlPipelineEvent","AmlRunEvent"],"queries":["a5c31bf6-314c-4c77-9144-eacc566de521","a3e072ef-5aa5-484a-9641-11485b55cb42","ddc56a57-a0a1-442d-b738-a600bca740f8","3fe8395a-8be3-46ac-9e04-f134ad813588","bb1d1cd0-b41e-428a-956b-15090b9e836e","f8741bb2-5e77-4b74-b2e0-726b1853a495","8d0b6135-2074-4e4f-8ad1-dd4c589562f8","8ba385dd-d37a-4240-b8d6-a39d4fbea568","ca209759-fcc0-40b3-afc3-fc0194b022ac","3b3a2331-4f85-43fe-956e-916ffa4af31d","7c64371a-7305-4213-8b63-d60407569f86","93b4628f-0bc4-40dc-84f9-927ecee32ff4","1e7c9aa6-8c97-4d20-b5ba-fca641339521"]}},{"id":"microsoft.machinelearningser
vices/registries","type":"Microsoft.MachineLearningServices/registries","displayName":"Machine Learning","description":"All tables related to Registries.","related":{"tables":["AzureActivity","AmlRegistryReadEventsLog","AmlRegistryWriteEventsLog"],"queries":["efb1f6c6-6498-4eba-9f42-71ca1b4ae3ee"]}},{"id":"microsoft.confidentialledger/managedccfs","type":"Microsoft.ConfidentialLedger/ManagedCCFs","displayName":"Azure Managed CCF","description":"Managed CCF is a platform service that runs the Confidential Consortium Framework(CCF). Customers can host confidential applications on it.","related":{"tables":["CCFApplicationLogs"],"queries":["3d08f663-9b40-4dcb-824c-e073806d5257"]}},{"id":"microsoft.security/security","type":"Microsoft.Security/Security","displayName":"Microsoft Defender for Cloud","description":"All tables related to Microsoft Defender for Cloud.","related":{"tables":["SecurityAttackPathData"],"queries":["bdb7da24-8f5f-422d-927e-14b06c75a407","5a1c1fd7-a9c7-428a-a804-64d0b46d1c18","ca4f4032-55e0-48c9-aac1-aa14d6ff21d3","1e4f66c0-41e2-45ff-864f-39e9d7a4f492","1558bfb7-2aa3-49e1-8386-f4f8509e514c"]}},{"id":"microsoft.securityinsights/mde","type":"Microsoft.SecurityInsights/MDE","displayName":"Azure Sentinel MDE","description":"All Microsoft Defender for Endpoints (MDE) tables related to Azure Sentinel."},{"id":"microsoft.monitor/accounts","type":"Microsoft.Monitor/accounts","displayName":"Azure Monitor Workspace","description":"Schema for generating metrics insights for Azure Monitor Workspaces.","related":{"tables":["AMWMetricsUsageDetails"]}},{"id":"microsoft.media/mediaservices","type":"Microsoft.Media/mediaservices","displayName":"Media Services","description":"All tables related to Azure Media 
Services","related":{"tables":["AzureActivity","AzureMetrics","AMSKeyDeliveryRequests","AMSMediaAccountHealth","AMSLiveEventOperations","AMSStreamingEndpointRequests","AzureDiagnostics"],"queries":["8b5511d4-2df9-445f-ac8c-183615aeff4f","b098e967-079a-4467-898a-8568b6f96f6a","e5d93d90-7ff9-4c4d-b46f-5bc037afa284","7308fa13-7b01-48d3-b9b6-8ac464ba5b3f","fba0fd35-f822-4df0-bc10-2ca0d9041d63","ecdcd5a9-ac4e-4e24-9ce6-bcb9b2e0cfa6","1b582828-0234-4b71-9949-c9e08be3bc04","3a2a2aea-8ada-497f-8ff1-e3a01c2469da"]}},{"id":"microsoft.orbital/geocatalogs","type":"Microsoft.Orbital/geocatalogs","displayName":"Microsoft Planetary Computer Pro","description":"All tables related to Microsoft Planetary Computer Pro","related":{"tables":["MPCIngestionLogs"]}},{"id":"microsoft.azureplaywrightservice/accounts","type":"Microsoft.AzurePlaywrightService/accounts","displayName":"Microsoft Playwright Testing","description":"Microsoft Playwright Testing is a fully managed service that uses the cloud to enable you to run Playwright tests with much higher parallelization across different operating system-browser combinations simultaneously.","related":{"tables":["AzureActivity","AzureMetrics"],"queries":["26e8acf3-e27d-4d7b-9718-31bda68a0b1d","e198f4d4-6420-4506-a965-f752b002f744"]}},{"id":"microsoft.graph/tenants","type":"Microsoft.Graph/tenants","displayName":"Microsoft Graph Logs","description":"All tables related to Microsoft Graph logs.","related":{"tables":["AzureActivity","SigninLogs","AuditLogs"],"queries":["a697d547-302a-4092-a3ad-b3cb8e43c204","a697d547-302a-4092-a3ad-b3cb8e43c205"]}},{"id":"microsoft.networkanalytics/dataproducts","type":"Microsoft.NetworkAnalytics/DataProducts","displayName":"Azure Operator Insights - Data Product","description":"A high performance analytics solution, targeted at telecoms operators. Telemetry data is sent from customer systems to Azure, where it is processed and stored. 
The data is then made available for analysis and visualization via 2 ADXs.","related":{"tables":["AzureActivity","AzureMetrics","AOIDigestion","AOIDatabaseQuery","AOIStorage"],"queries":["839b634d-aa61-4eeb-9826-e42b57a650dc","4caba217-a14b-4690-934f-d57b9ccbd1da","9788de8c-73da-4b6f-b259-28f89c8f8964","1d326b1d-b84f-475a-9ce6-78dc33d33461","2f7096f6-093c-4c1d-bd85-b47737aa1aa7","0bd960eb-b761-4ff6-bf0e-73bc57590734","30005149-f6be-42fc-871c-65b45fbb7891"]}},{"id":"microsoft.network/networksecurityperimeters","type":"Microsoft.Network/NetworkSecurityPerimeters","displayName":"Network Security Perimeters","description":"Network Security Perimeters allow administrators to define logical network isolation boundaries and configure common external access controls for PaaS resources.","related":{"tables":["NSPAccessLogs"]}},{"id":"microsoft.network/networkvirtualappliances","type":"Microsoft.Network/NetworkVirtualAppliances","displayName":"Network Virtual Appliance","description":"All tables related to Network Virtual Appliance.","related":{"tables":["AzureActivity","AzureMetrics","ADGSyslogEvent"],"queries":["30acf699-84cb-4c65-ad46-b2ad151ebc55"]}},{"id":"nginx.nginxplus/nginxdeployments","type":"NGINX.NGINXPLUS/nginxDeployments","displayName":"NGINXaaS","description":"NGINXaaS is an Azure-native solution co-developed by F5 and Microsoft.","related":{"tables":["NGXOperationLogs","NGXSecurityLogs","NginxUpstreamUpdateLogs"],"queries":["eff2d4f3-9a25-4a3e-9434-b1ce56ff7d8c","55b0b24b-dd8a-4f91-a797-2c0eae9ea440","4d51c78c-2124-4637-8fd1-0450556306bc","26551BF0-E908-4C30-8199-335F7CC86520"]}},{"id":"microsoft.onlineexperimentation/workspaces","type":"Microsoft.OnlineExperimentation/workspaces","displayName":"Online Experiment Workspace","description":"All tables related to Online Experimentation 
service.","related":{"tables":["AzureActivity","OEWAuditLogs","OEWExperimentAssignmentSummary","OEWExperimentScorecards","OEWExperimentScorecardMetricPairs"],"queries":["a7cb524f-2347-4ed2-a9ff-3ce04cb87913","3964f9a7-6371-445c-924f-9efdaef758ca","1e349818-951d-456b-b4b5-90dc93330b98"]}},{"id":"microsoft.openenergyplatform/energyservices","type":"Microsoft.OpenEnergyPlatform/energyServices","displayName":"Azure Data Manager for Energy","description":"Open Energy Platform diagnostic log.","related":{"tables":["OEPAirFlowTask","OEPElasticOperator","OEPElasticsearch","OEPAuditLogs","OEPDataplaneLogs"],"queries":["df341dc6-ff0a-4579-b23e-d84b22419c91","b3e13991-72f2-4b47-aaa1-37ea6c4bcae9","b6e48dd7-12b6-494a-b164-52df19d45a9d","29adebd2-37b1-44fc-a684-422431bf0ddd","3ac59a15-04e1-4474-9b8d-8046477d177e","91d7b5a5-93b8-4a8f-8875-b5c511bc9e41","7f9d3e8f-df6d-4156-93c7-0877c1000716","ea5e6919-17ea-4cc9-880c-0626d5a351f3","6e113596-c393-4745-b93f-c371d452d94f","394023dd-9607-44b9-8f6d-45740903d67a","c646d0fd-7eee-44d1-ae13-0791e3f7b766"]}},{"id":"microsoft.openlogisticsplatform/workspaces","type":"Microsoft.OpenLogisticsPlatform/Workspaces","displayName":"Microsoft.OpenLogisticsPlatform/Workspaces","description":"This manifest holds schemas related to Open Logistics Platform.","related":{"tables":["OLPSupplyChainEvents","OLPSupplyChainEntityOperations"],"queries":["a4d5c564-f185-450d-9024-ac003c123456","a4d5c564-f185-450d-9024-ac003c456789"]}},{"id":"oracle.database/cloudvmclusters","type":"Oracle.Database/cloudVmClusters","displayName":"Oracle Cloud","description":"Oracle Cloud logs.","related":{"tables":["OracleCloudDatabase"],"queries":["a4934395-ec10-438d-8dfa-b01b44f86c65"]}},{"id":"oracle.database/cloudexadatainfrastructures","type":"Oracle.Database/cloudExadataInfrastructures","displayName":"Oracle Exadata Infrastructure","description":"Oracle Exadata Infrastructure 
logs.","related":{"queries":["def050d2-9447-4229-8a62-b980bb38ca9a"]}},{"id":"microsoft.powerbi/tenants","type":"Microsoft.PowerBI/tenants","displayName":"Power BI Datasets","description":"Operational logs from Power BI datasets. Supports artifacts in a customer tenant.","related":{"tables":["PowerBIDatasetsTenant"]}},{"id":"microsoft.powerbi/tenants/workspaces","type":"Microsoft.PowerBI/tenants/workspaces","displayName":"Power BI Datasets","description":"Operational logs from Power BI datasets. Supports artifacts in a customer workspace.","related":{"tables":["PowerBIDatasetsWorkspace"]}},{"id":"microsoft.securityinsights/cef","type":"Microsoft.SecurityInsights/CEF","displayName":"Azure Sentinel CEF Table","description":"All data types related to the CommonSecurityLog table","related":{"tables":["CommonSecurityLog"],"queries":["1cf50156-0581-4890-8563-e04def3dbd26","86016240-9a8e-4aa3-8195-73609ef95294"]}},{"id":"microsoft.securityinsights/datacollection","type":"Microsoft.SecurityInsights/dataCollection","displayName":"Azure Sentinel data collection","description":"All tables related to data collection in Sentinel.","related":{"queries":["64ded722-608e-472b-a3dd-17f94b7cac07","6307514a-d00a-4ada-a0fb-087b72bee4f5"]}},{"id":"microsoft.securityinsights/alibabacloudnetworking","type":"Microsoft.SecurityInsights/AlibabaCloudNetworking","displayName":"Azure Sentinel AlibabaCloudNetworking","description":"All tables related to AlibabaCloudNetworking."},{"id":"microsoft.securityinsights/anomalies","type":"Microsoft.SecurityInsights/Anomalies","displayName":"Azure Sentinel Anomaly Table","description":"Anomalies generated by Azure Sentinel Anomaly analytics rules.","related":{"queries":["d343d7e2-9407-485a-96e5-8fb5d0031ee2","650380ee-8027-4dc3-8763-c338222be64a"]}},{"id":"microsoft.securityinsights/amazon","type":"Microsoft.SecurityInsights/Amazon","displayName":"Azure Sentinel Amazon","description":"All tables related to 
Amazon.","related":{"queries":["8d9fc68f-84a8-4186-9675-952013133dc9","44640527-2945-467a-a5db-fcaf8b11f1b1","affffc71-5531-497d-ae2b-6d536ae12784"]}},{"id":"microsoft.securityinsights/amazoneks","type":"Microsoft.SecurityInsights/AmazonEKS","displayName":"Azure Sentinel Amazon EKS","description":"AWS EKS audit logs connector for Microsoft Sentinel."},{"id":"microsoft.securityinsights/crowdstrike","type":"Microsoft.SecurityInsights/CrowdStrike","displayName":"Azure Sentinel CrowdStrike","description":"All tables related to CrowdStrike.","related":{"queries":["f8a1b2c3-4d5e-6f7a-8b9c-0d1e2f3a4b5c","a9b8c7d6-5e4f-3a2b-1c0d-9e8f7a6b5c4d","b1c2d3e4-f5a6-7b8c-9d0e-1f2a3b4c5d6e","4e44198b-0072-4be0-a2aa-60b8804da78f","e2eb04f4-fce9-58e6-aa56-86d12e79e496","440a414a-17dd-54a7-8ad6-ec077680bcb1"]}},{"id":"microsoft.securityinsights/gcp","type":"Microsoft.SecurityInsights/GCP","displayName":"Azure Sentinel GCP","description":"All tables related to GCP.","related":{"queries":["0b4777dd-730e-4b8b-8a13-2bb21f5626c1"]}},{"id":"microsoft.securityinsights/ilumio","type":"Microsoft.SecurityInsights/Ilumio","displayName":"Azure Sentinel Ilumio","description":"All Ilumio tables related to Azure Sentinel.","related":{"queries":["32e805e5-fe72-4141-aac4-f49c8ae6d03c"]}},{"id":"microsoft.securityinsights/impervacloud","type":"Microsoft.SecurityInsights/ImpervaCloud","displayName":"Azure Sentinel ImpervaCloud","description":"All tables related to ImpervaCloud.","related":{"queries":["335fcdf9-4712-4176-8266-d19eab3e64a0"]}},{"id":"microsoft.securityinsights/llmactivity","type":"Microsoft.SecurityInsights/LLMActivity","displayName":"Log Analytics LLM Activity","description":"Audit logs for Microsoft Copilot and other AI workloads collected in Log 
Analytics.","related":{"queries":["a1b2c3d4-e5f6-7890-abcd-ef1234567890","b2c3d4e5-f6g7-8901-bcde-f12345678901","c3d4e5f6-g7h8-9012-cdef-123456789012","d4e5f6g7-h8i9-0123-defg-234567890123","e5f6g7h8-i9j0-1234-efgh-345678901234","f6g7h8i9-j0k1-2345-fghi-456789012345"]}},{"id":"microsoft.securityinsights/securityinsights/mcas","type":"Microsoft.SecurityInsights/securityInsights/MCAS","displayName":"Azure Sentinel MCAS","description":"All Microsoft Defender for Cloud Apps (MCAS) tables related to Azure Sentinel.","related":{"queries":["f3e18c86-c0aa-4d1a-8f30-6e8c6cd3cad2"]}},{"id":"microsoft.securityinsights/mda","type":"Microsoft.SecurityInsights/MDA","displayName":"Azure Sentinel MDA","description":"All Microsoft Defender Alerts (MDA) tables related to Azure Sentinel.","related":{"queries":["ad9ab554-0b90-4eca-b39a-7871b96d23f4","be15042c-877f-4842-8e66-5bdb4355bcde"]}},{"id":"microsoft.securityinsights/securityinsights/mdc","type":"Microsoft.SecurityInsights/securityInsights/MDC","displayName":"Azure Sentinel MDC","description":"All Microsoft Defender for Cloud (MDC) tables related to Azure Sentinel.","related":{"queries":["9ad198e4-a2d5-4a5c-926d-fc67f1941a9f","56a5cc12-e9d0-4b30-b566-2b28952db73b","6068c9c7-ce57-40ee-9cb2-bcf4023e9963","55cf1c68-c638-42eb-84d8-7e76eced6737","20c91d09-47f6-4b2b-8d22-4ef6e6c2b8c4","3b623afd-c690-47fd-9304-e3f678ad715b","76a0586c-7122-4fc4-abd0-348a6b852174","0d531240-ad3d-4714-91a9-3e36bf51a607","0cd8d3ed-6d62-4bf4-b854-3a5ca4b8c25c"]}},{"id":"microsoft.securityinsights/mdi","type":"Microsoft.SecurityInsights/MDI","displayName":"Azure Sentinel MDI","description":"All Microsoft Defender for Identity (MDI) tables related to Azure Sentinel.","related":{"queries":["6c605c9c-6eca-4945-8a42-18833ad3cf42","68b79dce-2343-49e7-a1a1-1e9c61cc9888","09be64ab-51be-4f8c-8c03-17243fbfdfbc","67e621ec-0a84-412a-ac48-1cfd80f30a43"]}},{"id":"microsoft.securityinsights/mdo","type":"Microsoft.SecurityInsights/MDO","displayName":"Azure Sentinel 
MDO","description":"All Microsoft Defender for Office 365 (MDO) tables related to Azure Sentinel.","related":{"queries":["44fc0e47-dc0e-4d77-8fcb-0e7aa58b7e92","824be1eb-27b7-44e9-97b6-ceba952b5301","90f66bc3-2a34-4ea7-8849-2a0c1abb9a75","d826f137-f675-459e-a758-5acbc604ce90","d353de41-be6b-4bd0-9c88-62f8db108f09","4759e733-d0b0-4415-bd31-72b9765994d6","a2cdbdc7-3abb-426d-a77f-771d6bf5a4f9","fb42f174-b844-4416-8033-9f40cd9162a4","11769810-ba17-4663-bdc3-d6114617aadd"]}},{"id":"microsoft.securityinsights/microsoftpurview","type":"Microsoft.SecurityInsights/MicrosoftPurview","displayName":"Microsoft Purview","description":"Audit logs for Microsoft Purview solutions collected by Azure Sentinel.","related":{"queries":["4e7a449a-ae3f-4100-9598-197f4a43abc1"]}},{"id":"microsoft.securityinsights/office365","type":"Microsoft.SecurityInsights/Office365","displayName":"Azure Sentinel Office 365","description":"Audit logs for Office 365 collected by Azure Sentinel.","related":{"queries":["8df595d6-7c32-4257-8280-90182a32c23a","d5f248e0-45a6-45a7-9bd2-8ef963d39a05","d6a06676-95e8-4632-b949-44bc00f0793f"]}},{"id":"microsoft.securityinsights/okta","type":"Microsoft.SecurityInsights/Okta","displayName":"Azure Sentinel Okta","description":"All Okta tables related to Azure Sentinel.","related":{"queries":["054777d1-722e-4b86-512d-2bb21f562cc1"]}},{"id":"microsoft.securityinsights/powerplatform","type":"Microsoft.SecurityInsights/PowerPlatform","displayName":"Microsoft Sentinel Power Platform.","description":"Audit logs for Power Platform collected by Microsoft Sentinel.","related":{"queries":["d5eec317-3dee-4aa9-92ec-28af5f25242f","8c391e1d-f7d0-4a0b-bab1-a0fc8978e108","af2a6875-f636-497f-a721-10070b187d3a","65800d1d-80dd-4792-a147-5ce60fdd84bb","9fb56969-bd66-46b7-9c43-1aae797a302a","52f7ea87-5e0f-4366-90fa-d73f627b3bc6"]}},{"id":"microsoft.operationalinsights/workspaces/tables","type":"Microsoft.OperationalInsights/workspaces/tables","displayName":"Azure Sentinel Qualys Knowledge 
Base","description":"All Qualys Knowledge Base tables related to Azure Sentinel.","related":{"queries":["63b0b1fc-ec04-4485-900d-a656aa32111e","3b26c2e7-62eb-4cb1-b350-1afbdac2d7e0"]}},{"id":"microsoft.securityinsights/rapid7insightvmcloud","type":"Microsoft.SecurityInsights/Rapid7InsightVMCloud","displayName":"Azure Sentinel Rapid7 InsightVM Cloud Connector","description":"All Rapid7 InsightVM Cloud tables related to Azure Sentinel.","related":{"queries":["9a3c7b7e-2a9f-4e4a-9f3c-3e2d8b1c5a67","7c5e2d1f-4b3a-8c9e-0d1f-2a3b4c5d6e7f"]}},{"id":"microsoft.securityinsights/salesforce","type":"Microsoft.SecurityInsights/Salesforce","displayName":"Azure Sentinel Salesforce","description":"All tables related to Salesforce.","related":{"queries":["291d06cf-e4b6-43e2-aa5d-45b2fcd74d6b","e8215b69-4cfe-4e8e-9d8e-cec354bd3ecb","3459bf35-3c3c-5d12-b6f6-e01431cbf19b","e2ffe7a8-d457-5cfa-8f76-ddc2c2a38fc9"]}},{"id":"microsoft.securityinsights/sap","type":"Microsoft.SecurityInsights/SAP","displayName":"Azure Sentinel SAP","description":"All SAP tables related to Azure Sentinel.","related":{"queries":["180e9e53-1653-4483-aab8-9f55725e8a63","e0b79a1a-edf7-4a0e-9ed4-8a0ae14d3a85"]}},{"id":"microsoft.securityinsights/securityinsights","type":"Microsoft.SecurityInsights/securityInsights","displayName":"Azure Sentinel","description":"All tables related to Azure 
Sentinel.","related":{"tables":["SecurityAlert","WindowsEvent","SecurityEvent","DnsAuditEvents","AggregatedSecurityAlert","SentinelBehaviorInfo","SentinelBehaviorEntities"],"functions":["a152e090-0c01-4ecf-825b-f95512bbaccf","30e646df-c60a-4fc0-ad20-b42c2f3be07d","edb65ae4-a2b8-5321-9f93-57a81f552023","38425253-f081-5574-8d01-1ef25366d20c","6004200a-ea4c-5963-8ea7-7411196da9b8","36a1bf66-3208-5df0-9964-04ec9bb2ea98","3d93296d-00b9-5e04-8126-edd84e9ff112","8db4427b-54d0-5f94-87f9-5e7a8d2b8370","89909bc5-63b2-590b-b3b3-e8f5bea2fcfd","1fb5bab9-8bf8-5745-bb46-1858f0bdca77","af841918-ea4a-515c-bb21-0a7a5bc741fc","a3969e5c-574a-526d-937a-f347c8c77929","cf296479-dace-5fb4-906c-a270dcee23d8","9acfdefa-84a4-531b-a67c-296df42d9e4f","a22d978f-3944-5ad8-9452-757225af75b0","5fe2edb1-cf39-5039-bf18-5abc1bae5f4c","9c002e33-2ecf-409e-b665-645ebff50636","e316c508-8b3f-5198-88b0-8fd97672a930","c6259971-9108-5987-9e17-56cf8fc1ae52","d2f30bd8-b742-50ac-b597-8e87631d5ab5","7deeb113-dcc0-59d7-87cb-c24333c61527","73f523ef-c4c8-5d6d-8344-e4426d763242","020f486b-2b61-5a05-ac2e-fea3e90e4611","3609ce33-4573-50d6-b32b-501da4bbd9b8","93c664d8-6aca-5fba-84dc-93e372845c58"],"queries":["dcd68ba6-0656-43f8-8c16-21ed36226048","bffd4ec5-3957-408c-9831-3f49a4614e93","2ceeb9da-0e43-44b8-b0c7-9debf01d0d89","aecb76d9-4063-422b-8837-9f4dba347a56"]}},{"id":"microsoft.securityinsights/thehive","type":"Microsoft.SecurityInsights/TheHive","displayName":"Azure Sentinel TheHive","description":"TheHive data connector provides the capability to ingest case, alert, and task data from TheHive platform into Microsoft Sentinel. 
The connector supports DCR-based ingestion time transformations that parse the received security event data into custom columns for better query performance."},{"id":"microsoft.securityinsights/threatintelligence","type":"Microsoft.SecurityInsights/ThreatIntelligence","displayName":"Microsoft Sentinel Threat Intelligence.","description":"All tables related to Microsoft Sentinel Threat Intelligence.","related":{"tables":["ThreatIntelObjects","ThreatIntelIndicators","ThreatIntelExportOperation"]}},{"id":"microsoft.securityinsights/trellix","type":"Microsoft.SecurityInsights/Trellix","displayName":"Azure Sentinel Trellix","description":"All tables related to Trellix.","related":{"queries":["9448aa98-3680-40c1-8a3e-d67f0e9c64f7"]}},{"id":"microsoft.securityinsights/tvm","type":"Microsoft.SecurityInsights/TVM","displayName":"Azure Sentinel TVM","description":"All Threat & Vulnerability Management (TVM) tables related to Azure Sentinel.","related":{"functions":["967d69e8-0b42-460b-935a-9ca4b41a6996","7eabe0ef-f8fb-46c4-86cb-9b0fd77057bc"],"queries":["09786294-08ad-48b1-b467-55ff30e7ca28","7014f07d-00e7-48ae-85df-df5913ee6174","a894f0af-bb74-4525-bf5a-7e0faaf345d4"]}},{"id":"microsoft.securityinsights/watchlists","type":"Microsoft.SecurityInsights/Watchlists","displayName":"Azure Sentinel Watchlist","description":"All tables related to Azure Sentinel Watchlists.","related":{"queries":["94477231-37df-47e8-88a1-862e04d16a75","d2812a18-ed70-4a01-b124-0f1bf86e86ac","957d87b7-6acf-4cae-85b0-c45c65e69d0d","cc80f907-6e9d-4ec0-99f6-e6dbc2ecd528"]}},{"id":"microsoft.securityinsights/agenteventnormalized","type":"Microsoft.SecurityInsights/AgentEventNormalized","displayName":"Microsoft Sentinel Agent Event ASim schema","description":"The Microsoft Sentinel Agent Events normalized table stores events using the Agent Event ASIM normalized schema associated with security events, ensuring consistent and efficient analysis across different data 
sources.","related":{"tables":["ASimAgentEventLogs"],"queries":["86ec7263-b38a-4b73-b0cd-0939156545a6"]}},{"id":"microsoft.securityinsights/alerteventnormalized","type":"Microsoft.SecurityInsights/AlertEventNormalized","displayName":"Microsoft Sentinel Alert Event ASim schema","description":"The Microsoft Sentinel alert events normalized table stores events using the Alert Event ASIM normalized schema associated with security events, ensuring consistent and efficient analysis across different data sources.","related":{"tables":["ASimAlertEventLogs"],"functions":["f2f715dd-4437-5581-9e3a-9849f31b7b2e","20975018-f4a1-55fd-a19e-8ace398c873b","aaafb27a-fbee-5e52-b2da-c8f2add85b53","878a4bf8-ab5a-5910-8d27-3c4ce0d268fb","9dd6654b-6c4e-5f69-9d97-426d62969a41","615e1a81-ff4f-551a-adce-d0bfaa46ac4e","10fc7e1a-23ed-5034-a89f-d3485b7667ef","d1813ef1-05a5-5e65-a5d7-e8f399c64e3b","17446833-46a4-5ac6-9739-17ec9ce6c6e7","e1d01bce-bb0a-5771-95d9-e6927c9803ca"],"queries":["9fe432a8-1b0a-4cb5-8878-0825e01c66fa"]}},{"id":"microsoft.securityinsights/asimtables","type":"Microsoft.SecurityInsights/ASimTables","displayName":"Microsoft Sentinel ASim","description":"All tables related to ASim - see 
https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-schemas","related":{"tables":["ASimDhcpEventLogs","ASimFileEventLogs","ASimUserManagementActivityLogs","ASimRegistryEventLogs"],"functions":["0b52622c-efc0-598a-9f5b-bbb3eaa1a1b2","2ba8a52f-8c63-506e-b52d-2fb281e363be","b2728627-cc75-5d63-ac2e-7948afe330a7","006342ba-acb0-54f9-abac-9e8d77e5cca1","3912cecf-a0fd-554f-a102-a4490a0c379b","dc6b50a3-d19d-519f-9ddf-71ee933244bc","0078aa34-7c78-5df5-aae9-34584eec0e62","6891f070-90fe-572f-81cd-82858392278a","d8d50a40-7f2f-546a-b7e0-5e1b645e4326","ed507fbd-5ed6-5691-a314-83a588b86c30","772cfc0a-fa4a-57e9-81fa-2aea1c62c16e","c3eac87f-f4e3-5e2c-b77d-fe9811c31c72","6698263a-5e7c-5d52-8b59-2b2100e45954","16c6a3b1-24d5-509c-a568-3dda0deda604","5ed013bc-6070-5d6a-ace5-30b451f75b8b","62ef56d4-509c-5f92-a5e4-264b93c6fff2","6bb41b84-2964-571b-a653-0f5039c50af8","5121531d-7e18-56eb-ab30-77af4fefd829","8814d910-64c1-565b-aa6a-0e6fd05f0e37","f76bd818-694c-58bc-99ff-a552b43db6b6","f0586352-639f-538d-a91e-ce9701d3c92a","ed15fe6c-29f1-5bdf-a190-f24bb012b6a2","f2b38451-801c-5a14-93b4-659c6f07b516","d2f23ee9-87c4-5a3b-9c20-8f602f24c005","e0e6bed3-9153-5831-b09e-05325637a8ef","a18af53e-f058-5b49-bcd6-73f2ec59da4f","bc2c82fe-fafd-5ffc-8665-bd7b1bb6ab0b","f2098813-1799-53cc-a8ad-8047b4f2d80e","528bfedf-922a-5b1c-b2c2-bd6470ee94e9","8691e151-39ce-582a-b524-7f54b65eea26","c1fbbe4b-04c8-5e0e-a89e-9217180f089c","100f0e91-b95c-5beb-80cf-17e776ee7393","ab79e25b-194f-593a-86c1-b0f0398e0749","21ac799a-7fab-51e2-b708-5a3a0966c572","963f96dc-fb52-5e0e-9801-20afc546066b","373bc56b-9e24-5106-9592-644341642719","83325eec-c8cc-5790-ba09-a45873ca3498","77ed9d57-1e22-5298-bb95-f857e2c06b2f","ae8924bb-3358-5474-856c-32915255733e","701de73a-ce34-51a4-b7e0-7d4f1eae80a4","f48e9583-3107-5b75-bcb4-8fa6b344cc72","68815256-8748-5527-987c-0eaf06283fa5","93448a67-dbab-5c6e-b14d-89ab7db2b316","b86d87fd-aeb5-5a46-9f74-e4b50a0205f9","76d067a3-4cb1-5032-8baa-8168393e91c4","4765afde-a6fc-5a38-863f-72ec306ed4
65","2e8e7c1a-5104-5885-b659-d26e17f9af4c","cce83520-0fd8-5bff-88a1-14a21dbd431c","d3e75b28-3354-5d5b-813a-1f82deb43217","002f8919-da28-5edc-9480-9c679de0e646","5c3e07b7-f5e1-5829-bea5-9760a8433fbe","137e5ce5-8fc3-5083-b9b3-b7a476008b0a","d29fe90a-0a0e-5143-bf67-76c8cd791bf1","84ad59fb-630a-529f-87f3-87c45ad38820","1aff9978-3622-55f6-8892-2fd7877667d4","35332196-f904-5e15-8d2e-d5a05150593e","61b00b6e-dda8-5932-a906-948f9bb7365e","a43850a6-f2f3-53cc-babe-cfb0767e7f70","4307fca3-d9f8-5aa4-b086-c4aa15308cdb","224cf01f-0221-5923-abf8-1cc94412bff9","1255cda1-6244-5213-9ac0-e9c70be77046","421a3eaf-8242-501c-a0e1-71f1d4352bae","3c6c520c-7ab5-54fb-8591-5dc17f3390bb","8b81bec8-5153-5410-99d9-c3540fb3da49","d6059a71-ae14-5e4e-8cfb-1ff54c3eb450","c5d2c296-d5e6-56b7-9f2c-2a5a398ebe62","00e37d77-ff2d-5c92-bbba-0ba865661020","77446755-f919-5a23-9f96-6be9e657a2e7","3fdab32c-6915-573f-b1c0-a6733a48c5a2","1af05a29-0c94-5018-b197-e7d99ce83356","ac5ae0be-532a-5fb9-b7dd-11fde8f2d53f","8f528a9b-4a04-53cb-9fc1-5f07a9517902","aaa811e7-673b-50a0-ba97-27ddee2d40b5","886ba633-7fbf-502b-900b-0c0e36d121c9","cfcb20a0-e0bb-58e4-86ae-fe9630bbfe73","cb4d38a6-00ef-579b-ac76-e2f55bec7579","1b96e561-b300-5a7e-933d-9fa98b4518ef","fbf9e04d-8ad2-5e0d-9ad7-fb655bc29bf3","92893c93-bc5c-5379-a55c-6606ef842d92","3589c230-1df7-54c2-b179-7780bafa7229","2d1289e4-fe5c-5f46-bbbf-537d05de8ce5","12d89e36-3e8e-5e54-8fd5-ba969eb266e6","a72948d5-3d8a-5164-91b7-b5f718391a84","0cf3c1bf-2658-565e-9154-c468d4e14ddd","a2395934-e85c-5da1-a1f0-07a298219d34","cd7d5892-fe13-5d47-9c11-8ad77413e1d1","5d59511a-8bd8-59ba-b49a-c7fc5e7011c3","9c36adf5-007b-59d1-9443-5e7f4b35af86","ee2df6e1-b687-580c-8a94-e9e1e7eefcfc","a2b31e99-d831-58b9-b18c-ac9304e2c1a1","39152ac1-2a72-530c-86be-1711210a28b2","4fbbf424-f21e-51a2-ae26-a33b354125b8","c8c97676-3c0b-56a9-b735-607b9176185e","76af9035-4665-5009-8281-60ae1485a98c","9cbf2c15-f05c-5385-8f28-6ae28a427608","ab36b294-4cfa-5980-9aa9-902a4e25448f","be182916-38f9-564c-b476-fe81169d7e84","e37de9
4c-ac58-56c0-8ec7-0b673722bb1b","18fdeceb-99ab-5194-9098-7cbb5980f991","4661400d-2647-54cf-bd02-6e02e56054f3","3f46b554-47ea-5f12-9cb5-324c2cb09ac9","1534d8aa-acc0-5be4-b089-6d503ce07e41","e5a16770-bfb2-5305-886a-4e41d9cd8a08"]}},{"id":"microsoft.securityinsights/assetentitynormalized","type":"Microsoft.SecurityInsights/AssetEntityNormalized","displayName":"Microsoft Sentinel Asset Entity ASim schema","description":"The Microsoft Sentinel Asset Entities normalized table stores events using the Asset Entity ASIM normalized schema associated with security events, ensuring consistent and efficient analysis across different data sources.","related":{"tables":["ASimAssetEntityLogs"],"functions":["d6e93572-2746-5e8e-a185-66dfbe3c53a5","b848c19f-41ad-56e2-ab88-e2e207e0d097","871ad8e0-44b4-5444-9bf3-dae96693ea50","ce8dc00d-0dad-5f50-ad9b-8e1f63fc2cf3","c889aaaa-70f7-5c1a-9bee-d18908f72ae7"],"queries":["9fe432a8-1b0a-4cb5-8878-0825e01c66fb"]}},{"id":"microsoft.securityinsights/auditeventnormalized","type":"Microsoft.SecurityInsights/AuditEventNormalized","displayName":"Microsoft Sentinel Audit Event ASim schema","description":"The Microsoft Sentinel audit events normalized table stores events using the Audit Event ASIM normalized schema associated with the audit trail of information 
systems.","related":{"tables":["ASimAuditEventLogs"],"functions":["2e568486-7d77-5798-9dc5-433bb6562e68","56612ec1-3218-5ec1-b32c-33c80359f1a0","d9a8d31a-f20d-5a66-bc08-ca7888a58ae4","74fd6481-7b1b-59cf-9851-e52156150f78","7d890293-0dcb-5584-bf7b-d615f9cb7f70","b6c41b2e-2d38-529d-b32f-2edc38ba6d62","0c327f99-0200-54ca-8a72-f427cc0ae101","b5ec674b-3a68-5feb-8fb1-f769fbb085f3","02b4eeed-157c-5172-b75c-151fcfd068ac","f16f12cd-dd7b-51e3-8c99-2ed4d857bb31","cb8ce4aa-25e2-5141-a5b4-337c24285e3d","55a6be07-1def-5523-92b4-f63c80049713","723f7b25-c699-5469-9ac6-1b5704a2b63a","569d9b71-efa7-52d9-9150-03214bc7e742","2e444f79-0b97-5b7b-967b-1e3f9605e1e2","e61fa185-7fbc-5367-a10c-45e05f1c7eee","721cf9fc-2ce7-51fc-bf6b-da02a715fedc","c298eab0-cb86-5053-ad52-404467af7507","f1022015-c977-5720-9d94-b64c4a5d5636","d6bacb8f-166f-5712-9bbb-cffd517caf31","4a54ec8c-be13-5974-bf97-ecbaa51d3a5e","719d3b89-0644-5cc5-ba2e-53eac0ee8207","46ffe79a-a94f-53e3-88cb-b9a178c9c932","e0efc4c1-efd6-5481-a2b1-0e3fd1cb6684","963fd114-e2de-522f-86ef-2e6b7edcfea1","aa0ba80d-de2a-5ab2-8329-1369094df8b4","22c176d1-ff14-5e53-8045-c2ffdda4051a","2ce6a16e-0477-5513-9727-033e4a21887a","e40a1659-cd0a-5d18-bd5c-c02e366ae3ff","dd2fa0d1-84ff-519c-87d9-2dc811b31b69","8cd8a334-35a9-5099-9075-443aa11153eb","a9b3ece6-cc53-58e8-8516-1e91acd1879e","0fbae1e3-fc59-5107-829b-378d2e27f899","4afeff4a-c2ec-5d92-8381-84fa785697b6","be6b7eb2-46ef-533f-bfda-a362aa51533d","89f5221e-bf52-5de4-b682-31c555f3b899","727bba25-3447-547a-b5c5-dcb64d01a803","00ae3977-67b8-55d7-8d60-99810ae80682","c66a7dfe-5675-523b-9456-e91ef524749a","a14dc84f-df91-5a5e-8dfb-0163a6f6c5e1","cca20c2b-be0c-5a07-88d3-7fb44877fe15","90f5395e-b33b-589d-aaf0-3aba1a47cbad","c7ad76a3-09e5-52e3-9850-500243ec2f83","781b072f-53cc-5e7e-8118-d227d0298aac","dfa1aaf1-da4e-56a1-87c6-f18149b9ae4a","75415d02-834f-5c29-b882-d86be4f7aca1","6ed977f4-618e-5e00-bcad-8d4793548b0d","71bc574f-91da-5cc1-833f-512b05ad4b20","a61f383c-f498-5703-b19f-f10189cc4b17","216c9995-fad4-5d6b-9ec
2-0d5887731a81","38ee78f3-fc07-5cdd-b0b6-cfd041f902c0","ef4bb54e-38e4-551f-8ae0-ab5a6d73cd05","d1f104fb-fa94-5f31-a28f-62f72bc72797","c8f65535-a11d-566a-bcdc-43bcce9135c3","7a9bcf3d-f393-5317-be98-05bce368ca2c","59c91f71-5d02-52be-b61a-8fc22951a4e7","d96d827f-ae67-5d97-8af9-ef56d2f12fe9","cb0dcbc7-0d55-5ec6-8067-b9e2fcd531a1","82914f3f-2b23-54fb-a3c8-9c2d318e8244"]}},{"id":"microsoft.securityinsights/authenticationevent","type":"Microsoft.SecurityInsights/AuthenticationEvent","displayName":"Microsoft Sentinel Authentication Event ASIM schema","description":"The Microsoft Sentinel authentication events normalized table stores events using the Authentication Event ASIM normalized schema associated, for example, with the user authentication, sign-in, and sign-out.","related":{"tables":["ASimAuthenticationEventLogs"],"functions":["26a0f406-f0ce-5fb0-92c0-2926b7756f65","b48a2e8f-2564-5b1e-8244-1691b0e87633","ac388398-fdf9-5f7a-ac58-55c75ac0e1b5","df14d375-8404-51b6-9f09-e3212e11a2a6","38d46b58-a32a-5b23-9ba6-05f04c0b52ac","a97d800b-106f-5bf0-97b0-994addb824a9","df313bea-5248-5e8c-a6d7-e6bddb5f8717","5ba5660e-2a1e-52ae-adc9-1d6b08d2bb7d","3d808d88-0cb7-5b96-9a3f-065416db0095","8e9089e8-76a0-5b58-8ebd-5266f7f06868","79308517-f1d5-5954-8d16-4260c90dd272","1fcfe820-c75e-5952-bc58-8f3e80f842c2","3aefb468-db13-5f6b-bbdb-3ffde1bd1317","bab57609-83c6-5faf-97a6-905beae9323b","56288712-29ec-5df6-9a3f-81efe80ea649","7eb6a2df-9e8f-53bc-aacd-234841774da4","4d58d107-a6ab-5bc5-90dd-2b0087cf4f50","b0bf4756-4723-592f-9b7f-232c93628cf7","776c6a6c-6923-59a4-9618-2abd13114785","6b75cb62-2433-589d-b618-44eda2b07f9b","ba94da36-305b-5ad0-8bd0-1edfda438da9","91783af5-c270-5b96-b955-910c3ee5b681","068cd71c-44ec-5d95-9288-6d7b7b94a4cf","127348e8-cc78-556e-b503-a764a1f5e862","a0a3d98c-e4c7-596a-a832-ca57ac301fd2","601063a8-2ad6-51b2-8269-a9bf88793338","9b17aa5d-f557-5cce-b0d3-ca069f133bcc","89348ee3-6aeb-5a04-ad1d-d48b1a7ba686","446d84be-f8c7-55b1-89d5-a41d63796936","e75d711c-4e13-5c99-b771-065c8a
65a21e","440cc65c-1f24-58d7-a03c-5a7b32559cfa","faa9385d-b3b4-5150-8caa-686d73034598","045e9ce2-e479-57cd-a473-f49ee8bf1bb9","a5b9b3eb-d502-5361-97fb-eaa2de5f683c","5a6f419c-70b8-5f97-8d14-994ac6d2af24","c388dfc7-dc9f-5b2c-acc6-be7dc5b05fe2","2aa4e228-ebd8-5e57-b13a-cc8a8777fee9","7765aa9d-5d8c-5760-ab75-7827c9d8378d","4253b281-edf2-54a7-8b4c-ed6d82562842","090947e4-eb27-50d5-b0aa-295684c0f504","6d31c590-f1cf-5977-ad0e-98760e4adaf2","58a9982a-10a7-5375-aa43-cf2c92919cd1","6d1a0114-0988-51c4-968e-ae724bbc0741","a883fc10-c239-51ff-92e8-d2ee3ebb7a56","472a0def-2c79-538e-b25c-6151f6e8ec56","ac3bfd92-4174-57a1-9383-f1cb7f87bc90","810886bf-781f-53eb-af42-85fec417b5db","4bbfb554-ba4f-5ba4-b72e-e707efe0b1e2","987bc689-20d4-5536-ab25-20c43137212a","28711922-7194-5661-9b56-0084740d77a3","49e89c0a-0759-5596-92af-91ec2817b0a8","474823eb-1dcf-5681-9ac4-e78d35e2d0ae","1b3a8c0f-cdf7-5b95-a7e6-0f7c1aae0c85","3c6c7bcb-d601-5f76-9c0b-9287b3b24925","4b77cf85-b9c1-55e4-a544-45af35831796","8f408c7b-683f-5f90-94fa-1e74e99de73d","ade252fa-dc3a-5c25-94b8-26ba24b4dfdb","cb619d81-23ad-57a5-899b-a5060af6f0ac","a2042972-25d1-5987-b479-b41ba55669a0","c1805e82-df76-57fa-989c-2d999ffda47d","b5880c46-266d-5876-93ff-30ab99682d8e","1be457d9-37da-557e-b848-c876083c4195","f1fc2811-bd43-5dab-98a8-cb28d397eaa9","87ddc195-2d14-51b3-8d0d-92d249accb62","88822288-e98c-56f2-921b-6304ef0b1aa3","7950b63d-a675-5cfe-b3ab-c373006726cb","ae0dcae3-a4a7-5963-9f92-cbd1cf533bee","8e638efe-df2e-5c8f-9761-847fa2687a8f","7d89135b-ec75-5276-b490-1670d85993c9","3d021f21-b9b5-5da5-95de-d121c54a3652","23ede1f9-100a-53de-a0e0-2f9898af2954","a0a3d428-f331-5baa-a242-0055471f44be","169a3ea2-bd40-56a1-89db-9ddfe487faaa","3ca213f1-7c16-5b8c-bdb2-c8d24097d73b","686d1b26-62f3-5e14-9f94-c36d07c303b5","ee68e59b-fb60-5079-9533-ecd5b5389520","9e9fc152-813f-5ae6-86c6-a8ddc51f5641","c861b54b-80b4-50b1-94c8-60249c6365d5","7d84bff8-d85a-58f5-bf51-6e60c8aa885d","491394d2-fda2-5a10-8488-48ecd3cc4ada","52b80ba7-df6b-5a81-8c78-37b2df8656e4","2b
85b99d-5d3d-5c81-a79f-dd379ee52c24","7126b721-8c8f-5cc9-a4ae-1ffd4ff65c0d","ce767a8d-658c-573a-96f8-f7bb9ca56020","67dba2e2-0111-5fb2-80f3-c09291dcb28f","01d425b3-4ea5-58b6-ad05-dd382aa75727","51a34575-887b-514c-9d0a-84db2c759525","332fd5d3-95b2-574b-94a7-5b056115defb","004e41c2-2cf4-57eb-9131-855fea21e0cb","296533c8-1431-52d4-b4d3-440bd01bd983","51222627-761c-5c9c-82d6-f673193610e2","7e67c8a0-0ef5-533e-8559-9e359be23a78","b7527ae5-d322-50e4-9abc-c2ada6b97733","763a8f5c-6449-5e00-9ef2-e3f9443ea07c","0758d388-f402-5004-8e98-4b8d58d4e68e","23c7e460-b763-5c3b-90f3-76bee46f0501","a3b2c0db-8614-5720-aa27-b0d88120ed03","4eb8dfab-5b98-5312-9eae-59eddaf4d723","c33f5553-01b5-5f89-92cd-61bdadcbaea3"]}},{"id":"microsoft.securityinsights/dnsnormalized","type":"Microsoft.SecurityInsights/DnsNormalized","displayName":"Microsoft Sentinel DNS activity ASim schema","description":"All data types related to the ASimDnsActivityLogs table, for example windows DNS events.","related":{"tables":["ASimDnsActivityLogs"],"functions":["cba623d4-dcc5-523b-97f1-902c04bc14bd","d01fc365-24f6-587e-8c30-2e450ab7ca81","c39af2d5-ce82-5bad-ab3d-fee798dde336","9e586f9b-925b-5830-a979-d510cab99dd3","bd97655a-1311-54f6-b344-3f997c69ef73","ee29d8bf-9567-5c21-b060-d2a95de59682","6766687b-e8f2-5e29-b8e4-09001a6a2106","a1712e60-355e-5946-a25a-bbc9c187ec6b","bbe046de-19c5-5557-ab27-4df676195bdb","1d6a9420-068e-53fb-b07d-84a46dcba3e9","37684ffa-7f8f-5053-b9e8-589618aabde4","3f54a213-5941-52f2-81da-ec2ddd8037d8","06afff4c-4b38-54c4-a744-56e63428e412","764d1d4f-0832-57bc-b6fb-67ca754c1866","355c44cb-79ef-53dd-8cf2-d942d8021c69","7ba58875-d3d2-5a57-8b33-7a1653f5ad48","233ba9c2-c98b-5dd7-b8ea-cfae04cad57d","78cce07f-cd1a-513b-8332-d1d1ee4bbd19","8d7388e5-da2f-5315-9226-05e2f75c299e","0d7559dd-7bbd-55b8-9ca4-fe389c945329","3177d4de-9896-56e5-b318-1723498e94db","20c9220c-935f-5596-8378-81c7ca594434","b7822d73-2b22-54a2-8356-8704b1699648","547ab839-511a-594c-8541-6188a6a56c4a","3cb1e1a4-566e-5476-8d7b-a582b523a32a","4
60afa13-3ef0-5c8f-a3d6-64a593beb628","46c5e6ec-3431-5f99-b361-0ae03353ac6a","ab6ef070-1f88-59c1-a0a3-511fb1140500","88752599-6da7-55bc-a71e-c49278aa9f91","c563481d-d8ba-58ca-bd83-e5033f370715","f3daf1da-2284-57e7-90a2-122d1ca8a1fc","1d4ab680-de7f-5a17-b787-6cd634995e4a","0f3b2de2-15fa-5ea2-a7e7-3f5adc3691cc","3da27875-fa0c-5f10-8ddf-abc6f8b7c8a6","7ad17758-6e1b-5ca9-911e-6b64cdd3d1fe","0b2a8509-ddf3-56e7-9e4a-bc6ea62275f0","7a82d264-ada7-56a4-87b9-bd8e395a9f38","87d6f873-5ad7-51af-bbde-6ff91f2762cb","74e8ea21-f1d7-5647-884c-9be0570cef82","36030c6d-4196-5c11-bd02-44e8770888f9","b23b0698-ede3-539a-949d-5cb282c6a7ca","c1cc7004-9b76-573c-8a24-fc451c5b9f96","697d7a3f-2e46-5c87-befb-33779577dbd6","eeb3cb96-5e24-57cb-9a13-44ffcf9393be","9bbff54e-107c-571f-99a8-490be4696855","ef5b91c9-43f4-582c-a8f6-12ef90f6802f","3e08df47-9631-5b5a-98df-180d315eda4d","5f982731-7285-5515-9f4b-765a1496f7d5","3cd64d79-6e5a-57e4-b0bf-74d4b19b98cc","02153d00-0817-56d3-b321-9cfe843a92c3","5f0e9e37-72b5-533e-8e35-1ed932fe3084","bfdd6394-ae64-5290-82c1-55a36afed3dd","2d9a69e2-3201-542c-bea8-051759a39af8","8e48ee40-bfa8-5488-8d7d-85ca2cf47b7b","704ec65f-8a60-56b9-a055-f9895167993c","49f387d7-a884-541a-8b40-9ab4f7888d92","8b9637e8-b0b0-5a6a-bf53-9334621b50ca","4a183e31-7207-5300-ac05-db11c690822b","2a486c0d-35ec-5bd7-a12c-99f70a5002a7","c1596326-3460-5ad0-a612-59e167280101","deefabef-75d6-5587-8d3b-4022938682a5","fc7155c4-0d2d-575b-b014-efe5ec8f1461","bcaeb6c1-14b2-502e-9d32-2d988dc732f6","554a060b-7206-5e58-b2d5-14ab58dca532","e334b735-bfe1-5b11-8fa4-82e121336d27","70fea7f8-d50d-5dc9-bfc1-58e92bede9f6","b052f410-754b-5cbb-a24d-c88c78bbafad","47f91632-cd30-5d96-aa10-01e864bb9148","c476dc64-cefe-5543-98a4-8530a0a48964"],"queries":["083f9ca4-df5c-43d1-951c-0dc34ea73db1","30963fe3-2352-42de-94af-43ef3f63b1e3"]}},{"id":"microsoft.securityinsights/networksessionnormalized","type":"Microsoft.SecurityInsights/NetworkSessionNormalized","displayName":"Microsoft Sentinel Network Session ASim 
schema","description":"The Microsoft Sentinel network session normalization schema represents an IP network activity.","related":{"tables":["ASimNetworkSessionLogs"],"functions":["816f3388-03fa-5540-aa97-63c5b7c7c32c","ed0b0f98-3578-5a1b-8434-69543bb411cd","4ed288c0-dcba-552a-91dc-b4c5f2e3d05a","1670afab-1460-5c11-bbfc-eec173edb62c","242ae4aa-16e9-5a96-b75b-ea51ae629f1e","282d4349-0db6-5ac5-a769-fcede4a77bb9","1196120e-827c-57b8-9366-14ed9c34d7e8","37cf01dd-9020-5af1-927b-e0e405390f02","d9791bb4-97fb-5b4d-8660-5a6ff2a3df1e","58d7054c-f8bc-5279-9d1d-97b3bc2595cc","b4289b5a-1661-5712-923d-82e20333e87e","26e44d1f-f6ab-546d-8001-0a0f26267fcf","0802950d-28b9-56de-a05a-6a887a6611ab","cd0aa1b1-d08c-59af-a032-9b463c90101a","8e17ba20-e2da-58f6-bf1d-b7eb5273b3c5","51010255-1487-5347-a517-a56e8a3061f8","4176d863-56f3-5701-8d54-da92408ac5e5","922e05ef-0941-587f-a2e3-34a062e53888","2722ab8e-1141-5636-97cd-4c416669a402","ab36ec57-c9a0-5291-8aec-d848bc3757e3","123c03bc-6d03-53ca-8027-8a1172717fbe","fb1c0a95-92fa-56ec-9e88-e79dba5ba6b6","4ae5bd55-29f1-597f-9158-8ffd95a2fbd5","41e93b7d-a101-55b1-a38a-a6f53db3d5a5","3cf99445-20d2-5de8-9c1c-0e83745991f0","c6f2ffa9-e5dc-52de-bb89-5ae52f529882","6bc54658-a37a-515e-844f-3263d82a6e1b","d2f1abd3-3815-5e54-9da5-7478b0c956b8","aabe34e4-524c-5c64-b514-05e82d6d7158","04fc8565-21c5-5d76-a24e-3bbe5d05ed6b","8856ddd1-8bdd-538f-b007-13b6bc37da38","ed4cbf37-ca1f-5b41-bd3c-8a9aa0f424c4","5f7e57b5-9301-5a4a-9df4-aa09373300c9","3278e078-9adb-58a5-8dab-0136b69e0754","3d74887b-4a91-55a3-b8a7-8eb437fcf2ed","b6f80673-9685-5486-939e-0d8427f0ab42","18cec1b9-295c-57ba-85b4-bdbe2b014f7e","b7f8ff2a-274f-50b1-be1a-38bff328a942","6d9ba913-7800-5bc6-8c12-5c8003d402d3","f72bedb2-6af8-5f65-a153-1a5880771538","5721e7ee-ece3-50a0-b342-e17b5b389a45","c4c2c7f0-6344-529c-8e94-e4455d60e104","d79c96eb-ddd8-5e1d-8d90-5197f02ffcd3","2d51a07c-c2c7-5425-8f5e-162d0f1f9005","3b99a232-e260-562e-a503-13993a879f59","43261809-eb88-597e-8efa-26bff1194394","3c29786d-858d-596b-9cf9-42
56677c69b1","d8b3754f-61e3-57d3-8acf-0e19df9f5477","e55278df-daa7-5d5c-934c-19afc6d3f13e","3884854a-6d4e-52f2-9725-03044e787b76","6de16aaf-29eb-5a55-b863-8935487a9bec","a559199e-b624-52f2-b029-73a9535421da","ec935ea2-52a9-59c4-90f1-d9402a477805","77083011-7edc-5791-8618-f1f9158ea41b","00efb338-e9e3-514d-a25f-4c37f14f4898","1c61f70e-ed3a-57bc-8461-05248f2034dd","956cb456-b35e-55da-b341-ce1e36f7bd03","67a14dba-d3c4-53fa-be3b-3cbf03e1d79d","cf4579e4-8c1d-575b-8deb-3d0d5ee6406a","7e6f7906-9973-5dbb-8483-8dfd15a8c157","1631c13d-6a8b-597b-8440-499670ea27a9","4748f1b3-6d39-5d11-a600-bf03380b3238","c8497248-ea1a-5d15-a5fe-92b4bcec0b24","5045a3bb-5eb2-5bd1-82d1-d441e2483389","8e1ce13e-2ccf-5987-98a5-a8bcd674a6e4","7879fedd-58f2-5d1f-bfbe-30175f1214bb","8042fcb0-0832-5410-b5f0-07f88ffe1542","5d4e8758-105c-57a1-b7f0-94917a97b44d","14780bc9-6124-576d-bb4e-beba8925b1ba","d8a5216c-6199-50ba-baca-36790a8c67ec","c965ce5a-9e94-53e4-9c87-fadf4fcb7d34","f9197aaa-d494-5ec6-a8d8-f73e7bcf4813","0af07881-11c6-5021-b383-84ffcfec7464","1aaa6ee7-e89b-593e-a415-7cd39411b8e9","75c736eb-4f5a-5812-b660-2ba38634317a","c6800e07-60e2-5d99-ab45-b7560783d9f7","80e7c5a5-e464-5d40-a919-7d6016fd5139","d231873c-84b4-5f5a-bce5-beb249ecc66a","3131be79-e850-5c85-8506-d81f4b94e2ce","790aa4c4-22c5-5e22-9c90-2cde73b11753","d7cc9882-2480-56d0-a51d-7de5e4b9191e","a152e47c-bec2-5b9a-81ba-1f8acb6b9fb2","37e82ca7-5e24-53bf-9347-232e6693f457","b9adf131-c494-5194-adfb-b3b8e8cd1fe2","417479ee-8547-5670-90d5-c9f0ae9f69de","148d8e98-a0ae-5957-8dd4-b240015cf846","8b201351-4549-5c55-b121-a96bf9118650","a8bdb9c2-f4fc-5529-a6aa-8b0bb0a7ee6d","85642a47-664d-5495-883e-7ae653ff0846","0aa9c175-dcbc-5b95-8b66-56e58ae6826a","7a73b552-bd0b-5211-9ec7-e44dfabb98d9","f1a00484-9cb0-5d8f-afdc-030f12d9ec38","5c3903bc-49c4-5758-8fe6-d73654b884e6","aa4d9df2-a67e-5d97-9fa4-3ed4e6737955","9dc3310e-a065-5101-9af5-fa051525a12f","0edddb52-93bd-5f90-afac-edb3146c008b","837ae332-8b20-5dbd-b04b-9e9860b38bfc","d1318796-2366-5895-b841-ccd7ca1c52c9"
,"6cddbedf-d394-5fa7-898b-d963693c6721","0d7864b9-9bac-553c-a79c-0d649e897d32","addc9f66-7971-566d-b08d-996089aeb5de","a95e86b0-2f20-52f1-b671-09d21c66437d","f54b0991-1e8d-5250-90fe-3e6595674a8a","68d40ff0-9463-53e3-ad76-37a0622a2898","fbcb34a1-deef-534b-a2dd-4ae8238cea6e","591de502-56a5-54d6-89ab-4833dd64ed20","0b1fbfb4-302a-5732-ba05-92f2d94f1eed","e23a78f6-7d17-54f5-960e-323f884c66a8","d81086d3-e6da-5654-bde5-dae00abcebeb","7ce918b7-a9ed-5c4f-b0c7-70fadc2c1f9f","09585ee7-9d88-5777-bc4a-cbae33245b13","0c2c2e0f-dc1f-52fa-b9da-36b52a23d3a9","af797219-5c17-5da4-b443-3caf50fc8801","b6d17033-720a-5de2-9a90-519f75b8416a","541bc2b4-1f59-5bd1-bd1e-bf4a12b9eabf","cefbbe26-cc18-5c86-9bfc-6dcab2180042","3e9030df-c50b-593f-a88f-f0ccc84e827c","d3be83df-5cb8-50de-9621-8e57ad13d0b4","bbe13f75-3038-553f-b8bf-7c479bc22d04","8028ab03-8201-5a4f-9972-89356634aa79","c2d9e50d-0cdd-593e-9a14-f2d2f1cca848","0b513511-eef1-5848-9f69-6ea73071105c","9e8643f9-f7c9-5801-9776-8b89e2050180","dfffb01d-51c4-5d60-a565-df866a05e870","d8eb6aa6-9268-55da-9d9f-5ca487a9bcd1","6db4636c-e1f0-5889-88f2-48a76cbf4f7d","d8a4137f-d6fe-5db6-a6ce-56f50cc2e0f8","c16e7c03-d7a2-5511-8cab-f53e1cce0633","295989f1-465a-51be-95f8-0d70971fcfef","6f171db5-d77b-574f-8a92-2ef49c27dc84","a193f5ee-962e-5185-9711-1f3966c17550","5637b37c-34be-55c7-8b71-c0d9bd2c8a2b","bc2b4e1e-10f0-59bc-b81f-17446082c5f0","3ce73260-a1e1-582d-a8fa-7e4c1fbb75af","af77b66f-bbc9-56c2-aad0-4ea27366d870","a09dd048-0e87-5220-8a5c-70c7dcb90691","950f5409-8df0-52b6-a016-6645aefcd374","9a3e11a6-6b46-55cb-a5b9-5acfa32b112b","a8a1c15f-a18b-5f78-859b-cba700840d48"]}},{"id":"microsoft.securityinsights/processeventnormalized","type":"Microsoft.SecurityInsights/ProcessEventNormalized","displayName":"Microsoft Sentinel Process Event ASim schema","description":"The Microsoft Sentinel process events normalized table stores events using the Process Event ASIM normalized schema associated with creation or termination of a 
process.","related":{"tables":["ASimProcessEventLogs"],"functions":["288dc9cb-d02f-5d56-b7c6-4599a5b0b032","bab3d2d1-014b-5126-86fd-c056a66f1135","3e198abb-e072-54c4-9e43-cb58532c6c2a","61274267-54b5-58aa-806f-04de1fef09d9","1f4691cc-50e5-5a48-b6cc-386060a34432","c56934e7-4163-5759-a386-bb5e45191eb0","254ced33-035d-5472-8a2e-7d4824d4fcab","19c7a3a2-0074-56fd-8c77-01417d1b69a5","6278495d-5353-535f-bc22-88360e92c8c0","bc0f4951-ac01-5f72-a974-0d3b042fd931","7e5a666f-961c-55cb-9e4a-fdf89c099447","de7edaa1-fac2-506c-98d7-1dbf1257755a","12eb8e3f-749c-5427-a64f-e7a6af3faf0a","26baf752-5748-51f5-8eb7-83d85adf2cb8","e05b7046-f392-500f-9804-bea9748c51c1","3c05ca86-de65-5921-916a-9b9dac58b3c6","43307d74-4e34-5cd9-a9f0-ee381f0b347f","7a91f3e8-0c29-57e1-b380-da2a801882e6","b34c18bf-43d0-5e28-83ed-deee72ee74ff","5c84f668-05ab-5d6e-b390-c97ba4d10d34","d0c84fb1-70c4-5f05-b9ea-ea264d3f91b8","a981fd67-71ab-5e13-b87e-3632666d745f","18e56d86-053e-549f-9c0d-c3970f46d478","495ed966-fdd2-5238-9cc4-eeb576e459b3","3b46381c-04ce-522a-8a52-72625636d689","7c617f08-970c-5884-9ea5-e07dd5c3dfe8","7be9bc58-2ebe-58d2-9923-08fc23e4f679","9bb77b98-9da2-55c3-895c-c27feaccf670","92130422-ba25-5b51-b0b0-5b9b790e6ebb","c5f1b49b-1dfe-5d35-8ed5-09a816424ddf","2f31c831-b45d-50f9-b4ef-fe4f5f39c044","04d7a06e-8462-5f8a-bb07-2d7863c3122c","d666a9f7-14e2-5924-b009-3a2db5f1ff02","21828232-0edd-522c-bc39-43765d87aebe","aae50b80-5462-5d2d-a6c2-663e11d4cb1f","c2df6f83-0b5e-5545-9cae-fcbfb97528f5","b193f90e-d81c-5b07-bdf9-f442f02fdeb5","5e589d20-639d-51df-8cfc-6250ab0fe546","ae009c38-3679-51d1-94c1-ecbb3a58fd77","b1a1232f-41f1-5ca7-b831-4b762fe4c8ec","97aaca87-4943-5a1d-ad15-18351f032864","5613f237-db83-5a0f-8780-60bc6bdcb67a","c4f57756-0989-52d2-b462-a0cdd592cc60","d9520006-de34-5672-b0cc-787476767a7a","d12f2b19-d484-51cc-ac09-da72cdda25ac","5af48b34-382c-5de9-b942-6a39d3e5ecc2","f3aadd2e-71b1-5331-b9a4-bbffc003f778","1150e4b9-e0bf-5244-a32b-a4c6d16ad42a","130955c9-c74c-5779-a42a-cd24be011e4b","703b746a-1815-5a4f-b
932-239289d4fa4f","176a740a-4523-5f75-a135-3fb04cfbebf0","8126a19b-9eec-59a4-aa68-ca3199401d87","ce54b2ef-09a6-5778-9163-990f3157d6a8","0fa6b099-3f32-58e5-b97e-2ab6c5f0c6c0","42f6b318-eefb-5436-9c4e-614bb78d905d","073534ec-5b44-5933-91a1-3b0fc64f23c0","78a1805f-dbe6-5fa4-92f1-8b25f20badfd","c37f494d-410c-51dd-82b5-b9c2b2d0760c"]}},{"id":"microsoft.securityinsights/websessionlogs","type":"Microsoft.SecurityInsights/WebSessionLogs","displayName":"Azure Sentinel Web Session Logs","description":"All tables related to Web Session Logs. - see https://learn.microsoft.com/en-us/azure/sentinel/web-normalization-schema.","related":{"tables":["ASimWebSessionLogs"],"functions":["842563f8-c0c6-564b-b70a-8eb0cf3cc5ab","56a8defd-3b2a-5281-81c9-24522c51052f","29bae92d-e879-5c1c-b702-dda9f4953353","bd437462-80e2-55dc-a5e5-2f36cc5a3bc1","5698d436-975a-5019-bb60-364cb9d4591d","1950a5c6-57ea-5972-93fb-487fb03213bd","63091b21-f597-5f96-b0cf-766cf25e8a09","b041f11f-14f1-515d-8561-2039b527a875","9e10882a-c0bf-5392-8358-9fc4b8c23f96","2edbed7b-129d-59c9-8afb-31ba31d10a44","5dabe1db-06c0-53d9-865b-50fed81cdaef","82bd4748-6c5d-505a-9b69-83ee6241d0b7","6766a411-0a1d-5300-ab9b-e47bcf39b630","594302dd-80b9-53d0-9fd7-931c395b0ba5","09473163-8c9a-57f9-9ecd-00df0c71b862","d3856611-8bd1-52a1-bd43-d74c4d401ca3","9d82073d-6b2d-5959-ac70-34fc8915545a","942f7015-0858-50dd-b3a1-ea23bc395e0b","0a1a141b-2243-5275-87ad-5f5ba0a0a818","3f8b03e0-e95c-585d-a6c1-72cb23058c63","0f0bfea6-c81f-5b2d-ae10-6042c2fae264","342c83a1-c87d-5f13-84c1-f5b241c4d244","45483341-e59d-565f-8c67-3b6b920374f3","d4b6ca42-6305-5094-b814-ffdbd22663fb","3c6c1d83-f581-5604-949a-ba64d7949fa7","460926e6-800a-577e-86a9-799bb8d375ca","2424ad34-e613-5906-a22e-59666a3b13c8","98dc2b4a-9239-527e-b5e1-518d926a0c87","9a241dc1-9a8a-5810-a3f7-f1229fb1f2a5","d5ffffe3-6545-5e38-9547-ba42d802963f","1e4a9783-ebfa-548d-950a-dcebdeff40fd","6a32c22d-1617-5ab9-9868-8bda79135cbe","d6c30943-04b8-5e10-ba49-d2bf86f18362","4fec4bb7-e66e-5d95-9f1c-e330ff756391"
,"9ea8ffac-eac2-5aaa-b31a-fca5e6c76d9b","220c024e-c004-5a42-8bbb-9ce9f6fc4ee5","593270fa-7236-582c-ba03-6f71f5b84471","f362af26-1d94-58de-b6ab-6f86560af853","42f3f10f-253e-53b8-8059-53ea3a0c442a","40d5cefb-6185-57af-bafd-72101ab562fc","31b740e7-598d-5c33-a4d8-cff376292c02","dae05563-8462-5711-8351-9a4772e4c729","42d1b18f-abde-5a05-a911-79165d21eab1","f24bc7f1-8418-5667-bcbd-ecf84f7e2284","c2e506a7-2989-5e71-8cae-10c49855d431","b6375b9f-7ca6-5f77-be85-3631c19242a2","eda0fd87-5e4a-554b-be5c-cff59d3ce07a","e061dea2-6572-555c-8d35-ab675dbcc310","fd81f29b-7bac-5411-a20d-a06aaa20224d","577d78f4-8a19-5485-b2d0-2d76804d3a9b","93521939-ad22-5090-bcd7-35d1b7cc18fa","215fc6ab-b6fe-5e5e-8550-1369e65fab3e","38f0a0e7-4b55-5ec1-a0a7-3040b9b97751","e55841f8-8ec4-5c48-a286-a29e17f3ca05","d367d573-36bf-5820-8a87-6e0f51c229f6","33f7b64a-a938-5d12-a1e5-9457e688e9b9","2420a4b3-1758-54af-bb7f-906f762865fa","8052c91c-d8f8-5f92-8a2a-82a7710dd73e","e3e500c9-c7ee-5711-bdd4-75d16e835a87","82d93f1a-1917-5897-bbda-a1dd80c6ba0e","046cb5bd-2e6f-5d88-8791-1e0c3de4b327","065e3f27-1508-5603-ad00-f05ee67778a1","b7fb35fe-659f-5db8-b204-e8da026493c5","3e729a7c-5a0b-5fe2-91c2-24283b90a16b"]}},{"id":"microsoft.storage/storageaccounts","type":"Microsoft.Storage/storageAccounts","displayName":"Storage Accounts","related":{"tables":["AzureActivity","AzureMetrics","StorageTableLogs","StorageQueueLogs","StorageFileLogs","StorageBlobLogs"],"queries":["0a9a8546-8566-11ea-85d3-c8348e02520c","0a9be4e3-8566-11ea-bb0a-c8348e02520c","0a9d1db1-8566-11ea-86f4-c8348e02520c","0a9d6b7a-8566-11ea-8fbe-c8348e02520c","0a9de0a6-8566-11ea-96d1-c8348e02520c","0a9e2ecc-8566-11ea-95b0-c8348e02520c"]}},{"id":"microsoft.storageinsights/storagecollectionrules","type":"Microsoft.StorageInsights/storageCollectionRules","displayName":"Storage Collection Rules","description":"All tables related to Storage Insights Service"},{"id":"microsoft.storagecache/amlfilesytems","type":"Microsoft.StorageCache/amlFilesytems","displayName":"Azure 
Managed Lustre","description":"Azure Managed Lustre provides an easy-to-deploy, fully managed Lustre file system for on-demand use with data stored in Azure Blob.","related":{"tables":["AzureActivity","AzureMetrics","AFSAuditLogs"],"queries":["c4cdf677-7d39-4fc9-9894-e2264e719916","1ef86e81-77c6-467a-a7a6-f5769f1df2f2"]}},{"id":"microsoft.storagecache/caches","type":"Microsoft.StorageCache/caches","displayName":"Azure HPC Cache","description":"Log Analytics tables for Microsoft Azure HPC Cache","related":{"tables":["StorageCacheOperationEvents","StorageCacheUpgradeEvents","StorageCacheWarningEvents"],"queries":["84dd84da-6817-4482-92a6-4bcb3ec96cb6","cee04e51-5743-4b8e-9913-6d50f3813742","1d18a296-9f63-4753-a271-cc9e38e32e5a","aa3b3c6e-70e0-4d36-89d3-8ff32afb2c09","4b6de6c1-0bc4-4056-bb4b-07feaea2b6f3"]}},{"id":"microsoft.storagemover/storagemovers","type":"Microsoft.StorageMover/storageMovers","displayName":"Azure Storage Mover","description":"All tables related to Azure Storage Mover.","related":{"tables":["AzureActivity","AzureMetrics","StorageMoverCopyLogsFailed","StorageMoverCopyLogsTransferred","StorageMoverJobRunLogs","StorageMoverAuditLogs"],"queries":["df057014-305f-4fa9-8522-18ccf8caaa22"]}},{"id":"microsoft.synapse/workspaces","type":"Microsoft.Synapse/workspaces","displayName":"Synapse Workspaces","description":"All tables related to 
Synapse.","related":{"tables":["AzureActivity","SynapseRbacOperations","SynapseGatewayApiRequests","SynapseSqlPoolExecRequests","SynapseSqlPoolRequestSteps","SynapseSqlPoolDmsWorkers","SynapseSqlPoolWaits","SynapseSqlPoolSqlRequests","SynapseIntegrationPipelineRuns","SynapseLinkEvent","SynapseIntegrationActivityRuns","SynapseIntegrationTriggerRuns","SynapseBigDataPoolApplicationsEnded","SynapseBuiltinSqlPoolRequestsEnded","SQLSecurityAuditEvents","SynapseScopePoolScopeJobsEnded","SynapseScopePoolScopeJobsStateChange","AzureMetrics","SynapseDXCommand","SynapseDXFailedIngestion","SynapseDXIngestionBatching","SynapseDXQuery","SynapseDXSucceededIngestion","SynapseDXTableUsageStatistics","SynapseDXTableDetails"],"queries":["f355a34a-0902-469d-a20d-126b6abe9647"]}},{"id":"microsoft.network/networkwatchers/trafficanalytics","type":"Microsoft.Network/NetworkWatchers/TrafficAnalytics","displayName":"Network Watcher - Traffic Analytics","description":"All tables related to Network Watcher - Traffic Analytics","related":{"queries":["a2995731-5c93-42bc-894e-704789d8deba"]}},{"id":"microsoft.updatecompliance/updatecompliance","type":"microsoft.updatecompliance/updatecompliance","displayName":"Update Compliance","description":"Update compliance tables. 
A complete list of Update Compliance tables can be viewed when filtering by solution.","related":{"queries":["6c73ae0a-50af-46ee-9ff1-e19b1d3d9a0b","367b4e64-9488-45f8-94fa-88905a332c73"]}},{"id":"microsoft.videoindexer/accounts","type":"Microsoft.VideoIndexer/accounts","displayName":"Video Indexer","description":"All tables related to Video Indexer","related":{"tables":["VIAudit","VIIndexing"],"queries":["b81828c9-f1b6-4901-8705-744199b363c5","ed8f4b3c-4e68-47a7-98d8-86e8dae96466","a933b563-1729-4a4a-aae6-0918df2a3762","260cbcfa-559a-416b-b97d-31c385b384be","9ddee6d4-c94d-411d-8fb9-ee10fc74502b","8a09c867-4caf-4a3c-ae4a-d8bd5c2b0263"]}},{"id":"microsoft.edge/diagnostics","type":"Microsoft.Edge/diagnostics","displayName":"workload orchestration","description":"workload orchestration is a cloud-native, cross-platform orchestrator that simplifies and streamlines the deployment, management, and update of different application solutions across different edge environments.","related":{"tables":["AzureActivity","AzureDiagnostics","WOUserAudits","WOUserDiagnostics"],"queries":["f6dd9440-131a-478c-a85d-815c5ee81fc6","5bac9c74-6e1e-4a67-8693-9661cc3fdb1e","b3bdb478-5088-4179-a6f9-669e1b97f2d6"]}},{"id":"microsoft.desktopvirtualization/hostpools","type":"Microsoft.DesktopVirtualization/hostPools","displayName":"Desktop Virtualization Host Pools","description":"Windows Virtual Desktop Host 
Pools.","related":{"tables":["WVDAgentHealthStatus","WVDMultiLinkAdd","AzureActivity","AzureMetrics","WVDConnections","WVDErrors","WVDCheckpoints","WVDManagement","WVDHostRegistrations","WVDConnectionNetworkData","WVDSessionHostManagement","WVDAutoscaleEvaluationPooled","WVDConnectionGraphicsDataPreview"],"queries":["9301ac33-090c-4cb5-b841-dc31c5d1ce13","7409e5d2-1178-4487-8f11-fb38a1a368ac","b544376e-b9ef-11ea-afad-c8348e03e0b8","b544ac5e-b9ef-11ea-9479-c8348e03e0b8","b544d256-b9ef-11ea-a8fb-c8348e03e0b8","b544d257-b9ef-11ea-8a32-c8348e03e0b8","b544d258-b9ef-11ea-840c-c8348e03e0b8","b544d259-b9ef-11ea-b62a-c8348e03e0b8","b544d25a-b9ef-11ea-9067-c8348e03e0b8","b544d25b-b9ef-11ea-b824-c8348e03e0b8","b544d25c-b9ef-11ea-94c4-c8348e03e0b8","b544d25d-b9ef-11ea-870f-c8348e03e0b8","b544d25e-b9ef-11ea-96fb-c8348e03e0b8","39382287-7d94-4b21-a8ee-e2f08b55f721","304217d6-6dcf-498e-b052-8fda82967980","66f7c5e9-bf9f-4ce8-b1d9-5f74c9e58749","2a537cac-6349-435a-8bbd-4cf2d1d3819a","a92ee56d-4ba3-49f5-9966-bd66cb58063f","91eb68a2-9d4f-4e83-86e3-323f414b4b96","7fb96445-e76f-41dc-8edb-22803c52c8af"]}},{"id":"microsoft.zerotrustsegmentation/segmentationmanagers","type":"Microsoft.ZeroTrustSegmentation/segmentationManagers","displayName":"Zero Trust Segmentation","description":"Tables related to Zero Trust Segmentation.","related":{"tables":["ZTSRequest","ZTSJobStatus","AzureActivity"],"queries":["716e9029-57e3-485d-87f4-97497192d3cb"]}},{"id":"default","type":"default","displayName":"Default schema for a resource","related":{"tables":["AzureActivity"]}},{"id":"subscription","type":"subscription","displayName":"Azure Subscription","related":{"tables":["AzureActivity"]}},{"id":"resourcegroup","type":"resourceGroup","displayName":"Azure Resource Group","related":{"tables":["AzureActivity"]}},{"id":"microsoft.signalrservice/webpubsub","type":"Microsoft.SignalRService/WebPubSub","displayName":"SignalR Service 
WebPubSub","related":{"tables":["AzureActivity","WebPubSubHttpRequest","WebPubSubMessaging","WebPubSubConnectivity"]}},{"id":"microsoft.insights/components","type":"microsoft.insights/components","displayName":"Application Insights","related":{"tables":["AzureActivity","AppAvailabilityResults","AppBrowserTimings","AppDependencies","AppEvents","AppMetrics","AppPageViews","AppPerformanceCounters","AppRequests","AppSystemEvents","AppTraces","AppExceptions"],"queries":["3391637e-7394-489f-b190-e5786da9c8e7","7deda973-b5cf-4c58-a4e7-f41cc30555fc","20ad87bf-b901-4d0b-b548-0f65a6c1210b","47a8646f-f2e5-45b7-9e27-63b4235d1137","d31cc37e-b086-4ab2-9dad-742d6a4d46c6","bada9215-5cf1-4723-9c2e-9f91e2c13738","33447b49-182b-4b6f-a26b-e2267279df81","59cfa403-4b7c-4610-b650-de70dc4af480","0e39010e-0b8e-4698-a435-e1ffa3451896","58147e09-cf5b-4a47-99c4-a5aedbb7c32c","87bcb1a9-2519-4671-a450-bb2971575507","58a835f6-b86f-4d79-a800-26f1d5265a76","7f050aba-bfab-11ea-995b-c8348e03e0b8","91e3ee17-bfab-11ea-bad1-c8348e03e0b8","55ca5870-bfab-11ea-ac5f-c8348e03e0b8","95035ec2-bfab-11ea-a608-c8348e03e0b8","9a9283e8-bfab-11ea-b7f5-c8348e03e0b8","9f16b134-bfab-11ea-99c3-c8348e03e0b8","e40b84ff-bfab-11ea-9407-c8348e03e0b8","ed941c7f-bfab-11ea-8dd3-c8348e03e0b8","fdfc57ce-bfab-11ea-ba10-c8348e03e0b8","1ab9dc94-bfac-11ea-8dcb-c8348e03e0b8","26172a26-bfac-11ea-9c5e-c8348e03e0b8","321b088f-bfac-11ea-b703-c8348e03e0b8"]}},{"id":"microsoft.desktopvirtualization/applicationgroups","type":"Microsoft.DesktopVirtualization/applicationGroups","displayName":"Desktop Virtualization Application Groups","related":{"tables":["AzureActivity","AzureMetrics","WVDErrors","WVDCheckpoints","WVDManagement"],"queries":["b544376e-b9ef-11ea-afad-c8348e03e0b8","b544ac5e-b9ef-11ea-9479-c8348e03e0b8","b544d256-b9ef-11ea-a8fb-c8348e03e0b8","b544d25b-b9ef-11ea-b824-c8348e03e0b8"]}},{"id":"microsoft.desktopvirtualization/workspaces","type":"Microsoft.DesktopVirtualization/workspaces","displayName":"Desktop Virtualization 
workspaces","related":{"tables":["AzureActivity","AzureMetrics","WVDFeeds","WVDErrors","WVDCheckpoints","WVDManagement"],"queries":["b544376e-b9ef-11ea-afad-c8348e03e0b8","b544ac5e-b9ef-11ea-9479-c8348e03e0b8","b544d256-b9ef-11ea-a8fb-c8348e03e0b8","b544d25b-b9ef-11ea-b824-c8348e03e0b8"]}},{"id":"microsoft.timeseriesinsights/environments","type":"Microsoft.TimeSeriesInsights/environments","displayName":"Time Series Insights Environments","related":{"tables":["AzureActivity","AzureMetrics","TSIIngress"],"queries":["35aa1317-608e-11eb-9456-b831b58816f3","35aa1318-608e-11eb-a734-b831b58816f3","35aa1319-608e-11eb-8fa0-b831b58816f3"]}},{"id":"microsoft.workloadmonitor/monitors","type":"Microsoft.WorkloadMonitor/monitors","displayName":"Workload Monitor","related":{"tables":["AzureActivity","AzureMetrics"]}},{"id":"microsoft.analysisservices/servers","type":"microsoft.analysisservices/servers","displayName":"Analysis Services","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"]}},{"id":"microsoft.batch/batchaccounts","type":"microsoft.batch/batchaccounts","displayName":"Batch Accounts","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["14b2fa58-8560-11ea-b457-c8348e02520c","7bbc0cff-8560-11ea-9ac3-c8348e02520c","7e6d856a-8560-11ea-9a95-c8348e02520c","837689e6-8560-11ea-9a45-c8348e02520c","898689c9-8560-11ea-bb44-c8348e02520c"]}},{"id":"microsoft.appplatform/spring","type":"Microsoft.AppPlatform/Spring","displayName":"Azure Spring 
Apps","related":{"tables":["AzureActivity","AzureMetrics","AppPlatformLogsforSpring","AppPlatformSystemLogs","AppPlatformIngressLogs","AppPlatformBuildLogs","AppPlatformContainerEventLogs"],"queries":["758fc257-7359-11ea-9fad-c8348e02520c","759342e9-7359-11ea-bb5a-c8348e02520c","7593b6c0-7359-11ea-88c8-c8348e02520c","8393bf25-50e9-e88d-23b3-afabe2d845e9","6b63ba82-9e35-babe-0386-96b648bb1a56","d1a21eb9-4d9e-0e21-a81d-7e78dc488f84","c6f0918a-a022-4273-9737-05312ae54211","bfdd0f36-f300-425f-b149-65c21f652297"]}},{"id":"microsoft.signalrservice/signalr","type":"Microsoft.SignalRService/SignalR","displayName":"SignalR","related":{"tables":["AzureActivity","AzureMetrics","SignalRServiceDiagnosticLogs"],"queries":["7cef51e4-3e2a-4090-9227-9d5940c8e542","0d314981-ea13-468d-9693-08f17978b07c","ee407f4b-01d9-4867-99d6-b69f9cbc48fb","23669822-eee9-4fc7-ad01-3002e4e1f2c7","14f5f1bb-1d32-4c36-8cec-3fb5669f116b","bd1a9d5b-a31e-4b0e-8e32-ae4fdf667edd","4c761634-8075-45d0-bb0a-17020cedd849","d1fadd92-2480-461a-b576-9fd63214c197","ef05fc29-2ade-40c0-8a2b-a5e44c96d864","b95779e5-8cae-4d4e-9caa-8d4c463946a2","73336bb3-52b5-4005-8130-45c6385ae708"]}},{"id":"microsoft.containerregistry/registries","type":"Microsoft.ContainerRegistry/registries","displayName":"Container Registries","related":{"tables":["AzureActivity","AzureMetrics","ContainerRegistryLoginEvents","ContainerRegistryRepositoryEvents"],"queries":["590ef5ae-7354-11ea-8b23-c8348e02520c","96578d25-6dbf-475c-a6fd-adcafd97a138","5911dbf1-7354-11ea-b34d-c8348e02520c"]}},{"id":"microsoft.kusto/clusters","type":"Microsoft.Kusto/Clusters","displayName":"Azure Data Explorer 
Clusters","related":{"tables":["AzureActivity","AzureMetrics","FailedIngestion","SucceededIngestion","ADXIngestionBatching","ADXCommand","ADXQuery","ADXTableUsageStatistics","ADXTableDetails","ADXJournal"],"queries":["a42903db-1d24-11eb-88c1-c8348e03e0b8","a42903d9-1d24-11eb-afcb-c8348e03e0b8","a42903da-1d24-11eb-9b58-c8348e03e0b8","a42903df-1d24-11eb-99e3-c8348e03e0b8","a42903e0-1d24-11eb-9739-c8348e03e0b8","a42903de-1d24-11eb-ae49-c8348e03e0b8","a42903dd-1d24-11eb-9fdf-c8348e03e0b8","a42903dc-1d24-11eb-a6ff-c8348e03e0b8","a42903e3-1d24-11eb-a60d-c8348e03e0b8","a42903e2-1d24-11eb-a6da-c8348e03e0b8","a42903e4-1d24-11eb-83c0-c8348e03e0b8","a42903e5-1d24-11eb-bf99-c8348e03e0b8","a42903e6-1d24-11eb-9ef5-c8348e03e0b8","a42903e7-1d24-11eb-944e-c8348e03e0b8","a42903e8-1d24-11eb-bc91-c8348e03e0b8","a42903e1-1d24-11eb-ab6e-c8348e03e0b8"]}},{"id":"microsoft.blockchain/blockchainmembers","type":"Microsoft.Blockchain/blockchainMembers","displayName":"Azure Blockchain Service","related":{"tables":["AzureActivity","AzureMetrics","BlockchainApplicationLog","BlockchainProxyLog"]}},{"id":"microsoft.eventgrid/domains","type":"Microsoft.EventGrid/domains","displayName":"Event Grid Domains","related":{"tables":["AzureActivity","AzureMetrics","AegDeliveryFailureLogs","AegPublishFailureLogs","AegDataPlaneRequests"],"queries":["0ad18cad-9b87-11ea-9184-c8348e02520c","0ad29e51-9b87-11ea-9bee-c8348e02520c","be55f9e0-ec2b-11ea-a6d1-c8348e03e0b8"]}},{"id":"microsoft.eventgrid/partnernamespaces","type":"Microsoft.EventGrid/partnerNamespaces","displayName":"Event Grid Partner Namespaces","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics","AegPublishFailureLogs","AegDataPlaneRequests"]}},{"id":"microsoft.eventgrid/partnertopics","type":"Microsoft.EventGrid/partnerTopics","displayName":"Event Grid Partner 
Topics","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics","AegDeliveryFailureLogs"]}},{"id":"microsoft.eventgrid/systemtopics","type":"Microsoft.EventGrid/systemTopics","displayName":"Event Grid System Topics","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics","AegDeliveryFailureLogs"]}},{"id":"microsoft.conenctedvmwarevsphere/virtualmachines","type":"Microsoft.ConenctedVMwarevSphere/VirtualMachines","displayName":"VMware","related":{"tables":["AzureActivity","AzureMetrics","ADAssessmentRecommendation","ADReplicationResult","ComputerGroup","ContainerLog","DnsEvents","DnsInventory","SecurityBaselineSummary","SQLAssessmentRecommendation","ConfigurationChange","ConfigurationData","Event","Heartbeat","Perf","ProtectionStatus","SecurityBaseline","SecurityEvent","Syslog","Update","UpdateRunProgress","UpdateSummary","VMBoundPort","VMConnection","VMComputer","VMProcess","W3CIISLog","WindowsFirewall","WireData","InsightsMetrics","HealthStateChangeEvent","CommonSecurityLog"]}},{"id":"microsoft.azurestackhci/virtualmachines","type":"Microsoft.AzureStackHCI/VirtualMachines","displayName":"Azure Local","related":{"tables":["AzureActivity","AzureMetrics","ADAssessmentRecommendation","ADReplicationResult","ComputerGroup","ContainerLog","DnsEvents","DnsInventory","SecurityBaselineSummary","SQLAssessmentRecommendation","ConfigurationChange","ConfigurationData","Event","Heartbeat","Perf","ProtectionStatus","SecurityBaseline","SecurityEvent","Syslog","Update","UpdateRunProgress","UpdateSummary","VMBoundPort","VMConnection","VMComputer","VMProcess","W3CIISLog","WindowsFirewall","WireData","InsightsMetrics","HealthStateChangeEvent","CommonSecurityLog"]}},{"id":"microsoft.scvmm/virtualmachines","type":"Microsoft.SCVMM/VirtualMachines","displayName":"System Center Virtual Machine 
Manager","related":{"tables":["AzureActivity","AzureMetrics","ADAssessmentRecommendation","ADReplicationResult","ComputerGroup","ContainerLog","DnsEvents","DnsInventory","SecurityBaselineSummary","SQLAssessmentRecommendation","ConfigurationChange","ConfigurationData","Event","Heartbeat","Perf","ProtectionStatus","SecurityBaseline","SecurityEvent","Syslog","Update","UpdateRunProgress","UpdateSummary","VMBoundPort","VMConnection","VMComputer","VMProcess","W3CIISLog","WindowsFirewall","WireData","InsightsMetrics","HealthStateChangeEvent","CommonSecurityLog"]}},{"id":"microsoft.compute/virtualmachinescalesets","type":"Microsoft.Compute/virtualMachineScaleSets","displayName":"Virtual Machine Scale Sets","related":{"tables":["AzureActivity","AzureMetrics","ConfigurationChange","ConfigurationData","ContainerLog","DataSetOutput","DataSetRuns","Event","Heartbeat","Perf","PerfInsightsFindings","PerfInsightsImpactedResources","PerfInsightsRun","ProtectionStatus","SecurityBaseline","SecurityEvent","Syslog","Update","UpdateRunProgress","UpdateSummary","VMBoundPort","VMConnection","VMComputer","VMProcess","W3CIISLog","WindowsFirewall","WireData","InsightsMetrics","CommonSecurityLog"],"queries":["ddf44599-d5a6-11ea-930c-c8348e03e0b8","ddf4459a-d5a6-11ea-a6e8-c8348e03e0b8","ddf4459b-d5a6-11ea-85e5-c8348e03e0b8","ddf4459c-d5a6-11ea-bcd7-c8348e03e0b8","ddf4459d-d5a6-11ea-b154-c8348e03e0b8","ddf4459e-d5a6-11ea-b023-c8348e03e0b8","ddf4459f-d5a6-11ea-b7ce-c8348e03e0b8","ddf445a0-d5a6-11ea-8c67-c8348e03e0b8"]}},{"id":"microsoft.azurestackhci/clusters","type":"Microsoft.AzureStackHCI/clusters","displayName":"Azure 
Local","related":{"tables":["Perf","Event"],"queries":["993e8088-d4af-46bd-bb26-2eb6ef2873d2","d180b15e-73ee-4275-8f99-a5b5a7e8cb97","0542e63c-e978-4f1a-a141-2675e0d49e88","7d2e183d-421e-4240-a1f6-6c139473ec27","dbd3ee2d-b50b-4def-9955-0e3d0576eeca","4445a657-aced-497b-a588-a86f845e4ea7","bed7fb50-cd96-48a4-80f9-3976b0529235","b82a0150-a330-49ba-ae11-81a950b55a5b","a03eab02-f73b-493f-90ff-e0223bfb4ce1","8adbd857-a7a7-44fb-9ab4-c11743fc21f2","b90c8414-fce6-478f-b372-a80827a3c7f9"]}},{"id":"microsoft.hybridcontainerservice/provisionedclusters","type":"Microsoft.HybridContainerservice/Provisionedclusters","displayName":"Azure Arc Provisioned Clusters","related":{"tables":["AzureActivity","AzureDiagnostics","AzureMetrics","ContainerImageInventory","ContainerInventory","ContainerLog","ContainerLogV2","ContainerNodeInventory","ContainerServiceLog","KubeEvents","KubeNodeInventory","KubePodInventory","KubePVInventory","KubeServices","KubeMonAgentEvents","InsightsMetrics","Perf","Syslog","Heartbeat"]}},{"id":"microsoft.insights/autoscalesettings","type":"Microsoft.Insights/AutoscaleSettings","displayName":"Azure Monitor autoscale settings","related":{"tables":["AzureActivity","AzureMetrics","AutoscaleEvaluationsLog","AutoscaleScaleActionsLog"],"queries":["f82e2799-dd42-11ea-9ea5-c8348e03e0b8","f82e75b8-dd42-11ea-b884-c8348e03e0b8","f82e75b9-dd42-11ea-a8b1-c8348e03e0b8","f82e75ba-dd42-11ea-a077-c8348e03e0b8"]}},{"id":"microsoft.devices/iothubs","type":"Microsoft.Devices/IotHubs","displayName":"IoT 
Hub","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics","InsightsMetrics"],"queries":["79ff4844-6154-11ea-aec5-c8348e025209","7a01741c-6154-11ea-b256-c8348e025209","7a01e758-6154-11ea-8513-c8348e025209","7a02356e-6154-11ea-9f6e-c8348e025209","7a02aa98-6154-11ea-be45-c8348e025209","7a02f8bb-6154-11ea-ae08-c8348e025209","27374154-3ae9-5c0f-047b-059790771ae2","2fb22203-1815-2061-2dcf-f2f162ee3334","fde796bf-52b0-120a-7bff-444d8f9a60ed"]}},{"id":"microsoft.servicefabric/clusters","type":"Microsoft.ServiceFabric/clusters","displayName":"Service Fabric Clusters","related":{"tables":["AzureActivity","AzureMetrics"]}},{"id":"microsoft.logic/workflows","type":"Microsoft.Logic/workflows","displayName":"Logic Apps","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics","LogicAppWorkflowRuntime"],"queries":["83d6b912-8565-11ea-a50d-c8348e02520c","83d88aba-8565-11ea-9c59-c8348e02520c","83d8d8ae-8565-11ea-bb97-c8348e02520c","83d94dca-8565-11ea-aceb-c8348e02520c"]}},{"id":"microsoft.automation/automationaccounts","type":"Microsoft.Automation/AutomationAccounts","displayName":"Automation account","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics","Heartbeat","Update","UpdateSummary","UpdateRunProgress"],"queries":["a5e5e3f2-773b-11ea-b11e-c8348e02520c","a5eac4ad-773b-11ea-83e6-c8348e02520c","a5ee200a-773b-11ea-8e01-c8348e02520c","a5efcdbd-773b-11ea-8034-c8348e02520c","a5f2180e-773b-11ea-a27d-c8348e02520c","a5f28cd0-773b-11ea-8000-c8348e02520c","a5f4136f-773b-11ea-90bb-c8348e02520c","a5f48946-773b-11ea-b628-c8348e02520c","a5f65d8f-773b-11ea-8092-c8348e02520c","a5f6f9b3-773b-11ea-83b3-c8348e02520c","a5f795e5-773b-11ea-aa8e-c8348e02520c","a5fb8d87-773b-11ea-9f44-c8348e02520c"]}},{"id":"microsoft.datafactory/factories","type":"Microsoft.DataFactory/factories","displayName":"Data 
factories","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics","ADFActivityRun","ADFPipelineRun","ADFTriggerRun","ADFSandboxActivityRun","ADFSandboxPipelineRun","ADFSSISIntegrationRuntimeLogs","ADFSSISPackageEventMessageContext","ADFSSISPackageEventMessages","ADFSSISPackageExecutableStatistics","ADFSSISPackageExecutionComponentPhases","ADFSSISPackageExecutionDataStatistics"],"queries":["a6428837-f7fb-11ea-bb94-c8348e03e0b8","a6428838-f7fb-11ea-af2d-c8348e03e0b8","a6428839-f7fb-11ea-aa48-c8348e03e0b8","a642883a-f7fb-11ea-8c76-c8348e03e0b8","a642883b-f7fb-11ea-ae71-c8348e03e0b8","a642883c-f7fb-11ea-a8e7-c8348e03e0b8","a642883d-f7fb-11ea-9dfe-c8348e03e0b8","a642883e-f7fb-11ea-95c6-c8348e03e0b8","a642883f-f7fb-11ea-832d-c8348e03e0b8"]}},{"id":"microsoft.datalakestore/accounts","type":"Microsoft.DataLakeStore/accounts","displayName":"Data Lake Storage Gen1","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"]}},{"id":"microsoft.datalakeanalytics/accounts","type":"Microsoft.DataLakeAnalytics/accounts","displayName":"Data Lake Analytics","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"]}},{"id":"microsoft.powerbidedicated/capacities","type":"microsoft.powerbidedicated/capacities","displayName":"Power BI Embedded","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"]}},{"id":"microsoft.datashare/accounts","type":"Microsoft.DataShare/accounts","displayName":"Data 
Share","related":{"tables":["AzureActivity","AzureMetrics","MicrosoftDataShareSentSnapshotLog","MicrosoftDataShareReceivedSnapshotLog"],"queries":["fa0c8117-6153-11ea-8cb3-c8348e025209","fa0ef211-6153-11ea-8bab-c8348e025209","fa1078e9-6153-11ea-a498-c8348e025209","fa112e83-6153-11ea-b11d-c8348e025209","fa117c9a-6153-11ea-9c29-c8348e025209","fa11cab7-6153-11ea-8733-c8348e025209","fa1320ea-6153-11ea-90da-c8348e025209","fa136ede-6153-11ea-857e-c8348e025209"]}},{"id":"microsoft.sql/managedinstances","type":"Microsoft.Sql/managedInstances","displayName":"SQL Managed Instances","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["67756e5c-735e-11ea-a1fc-c8348e02520c","67787b98-735e-11ea-8214-c8348e02520c","6778f0c8-735e-11ea-9bcd-c8348e02520c","67798d1e-735e-11ea-9066-c8348e02520c"]}},{"id":"microsoft.sql/servers/databases","type":"Microsoft.Sql/servers/databases","displayName":"SQL Databases","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["59e7db22-9f52-11ea-b8de-c8348e02520c","59ecbd47-9f52-11ea-bc53-c8348e02520c","59f150f7-9f52-11ea-8681-c8348e02520c","59f34cde-9f52-11ea-a5c7-c8348e02520c"]}},{"id":"microsoft.dbformysql/servers","type":"Microsoft.DBforMySQL/servers","displayName":"Azure Database for MySQL Servers","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["39530689-8564-11ea-a825-c8348e02520c","3953c9e1-8564-11ea-90b5-c8348e02520c","395417f2-8564-11ea-a1fa-c8348e02520c","39559e97-8564-11ea-b62e-c8348e02520c","3955ecb1-8564-11ea-9064-c8348e02520c"]}},{"id":"microsoft.dbforpostgresql/servers","type":"Microsoft.DBforPostgreSQL/servers","displayName":"Azure Database for PostgreSQL 
Servers","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["f057bedc-8564-11ea-bde7-c8348e02520c","f059e1be-8564-11ea-baa5-c8348e02520c","f05a2fd3-8564-11ea-b82c-c8348e02520c","f05a7df3-8564-11ea-8cd4-c8348e02520c","f05af337-8564-11ea-8713-c8348e02520c","f05b415a-8564-11ea-8e4c-c8348e02520c","f05c7a2c-8564-11ea-9d91-c8348e02520c","f05cc7e5-8564-11ea-bd57-c8348e02520c","f05d162a-8564-11ea-9b09-c8348e02520c","f05d8b32-8564-11ea-be76-c8348e02520c","f05dd951-8564-11ea-a396-c8348e02520c","f05f601a-8564-11ea-9958-c8348e02520c","f05ffc32-8564-11ea-8128-c8348e02520c","f0604a53-8564-11ea-9866-c8348e02520c","f061a449-8564-11ea-8a9c-c8348e02520c","f0621953-8564-11ea-904e-c8348e02520c"]}},{"id":"microsoft.dbforpostgresql/serversv2","type":"Microsoft.DBforPostgreSQL/serversv2","displayName":"Azure Database for PostgreSQL Servers V2","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"]}},{"id":"microsoft.dbformariadb/servers","type":"Microsoft.DBforMariaDB/servers","displayName":"Azure Database for MariaDB Servers","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["18879673-8564-11ea-b38b-c8348e02520c","188a2ec5-8564-11ea-b3bc-c8348e02520c","188aa3a9-8564-11ea-bf1e-c8348e02520c","188b66fe-8564-11ea-b1c6-c8348e02520c","188bdc5b-8564-11ea-be3c-c8348e02520c"]}},{"id":"microsoft.devices/provisioningservices","type":"Microsoft.Devices/ProvisioningServices","displayName":"Device Provisioning Services","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"]}},{"id":"microsoft.network/expressroutecircuits","type":"Microsoft.Network/expressRouteCircuits","displayName":"ExpressRoute 
Circuits","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["c5992ffc-9b80-11ea-8243-c8348e02520c","c5997e17-9b80-11ea-8e07-c8348e02520c","c59b04a4-9b80-11ea-9429-c8348e02520c","c59b52d1-9b80-11ea-abe2-c8348e02520c","c59bc801-9b80-11ea-a673-c8348e02520c","c59c161a-9b80-11ea-b8e4-c8348e02520c"]}},{"id":"microsoft.network/frontdoors","type":"Microsoft.Network/frontdoors","displayName":"Front Doors","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["3dedfcff-6154-11ea-b43b-c8348e025209","3df04ba0-6154-11ea-a4a9-c8348e025209","3df099bd-6154-11ea-950e-c8348e025209","3df22024-6154-11ea-bb45-c8348e025209","3df26e48-6154-11ea-8a19-c8348e025209","3df2e36e-6154-11ea-954a-c8348e025209","3df49151-6154-11ea-99f0-c8348e025209","3df4df3b-6154-11ea-a9a8-c8348e025209"]}},{"id":"microsoft.network/networkinterfaces","type":"Microsoft.Network/networkinterfaces","displayName":"Network Interfaces","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"]}},{"id":"microsoft.network/networksecuritygroups","type":"Microsoft.Network/NetworkSecurityGroups","displayName":"Network Security Groups","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["a6428840-f7fb-11ea-9f84-c8348e03e0b8","a6428841-f7fb-11ea-a564-c8348e03e0b8","a6428842-f7fb-11ea-9339-c8348e03e0b8","c04f8b4c-8f78-8652-28db-d12cb5296bcb"]}},{"id":"microsoft.network/publicipaddresses","type":"Microsoft.Network/PublicIpAddresses","displayName":"Public IP Addresses","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["a6428840-f7fb-11ea-9f84-c8348e03e0b8","a6428841-f7fb-11ea-a564-c8348e03e0b8","a6428842-f7fb-11ea-9339-c8348e03e0b8"]}},{"id":"microsoft.network/trafficmanagerprofiles","type":"Microsoft.Network/trafficmanagerprofiles","displayName":"Traffic Manager 
Profiles","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["92237ddb-9b82-11ea-805c-c8348e02520c"]}},{"id":"microsoft.network/virtualnetworkgateways","type":"Microsoft.Network/virtualNetworkGateways","displayName":"Virtual Network Gateways","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["f82e75bb-dd42-11ea-8cee-c8348e03e0b8","f82e75bc-dd42-11ea-bd9c-c8348e03e0b8","f82e75bd-dd42-11ea-8c4d-c8348e03e0b8","f82e75be-dd42-11ea-bdca-c8348e03e0b8","f82e75bf-dd42-11ea-98ce-c8348e03e0b8","f82e75c0-dd42-11ea-8d89-c8348e03e0b8","f82e75c1-dd42-11ea-a974-c8348e03e0b8","f82e75c2-dd42-11ea-a2f7-c8348e03e0b8"]}},{"id":"microsoft.network/vpngateways","type":"Microsoft.Network/vpnGateways","displayName":"Virtual Private Network Gateways","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"]}},{"id":"microsoft.network/virtualnetworks","type":"Microsoft.Network/virtualNetworks","displayName":"Virtual Networks","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["a6428840-f7fb-11ea-9f84-c8348e03e0b8","a6428841-f7fb-11ea-a564-c8348e03e0b8","a6428842-f7fb-11ea-9339-c8348e03e0b8"]}},{"id":"microsoft.search/searchservices","type":"Microsoft.Search/searchServices","displayName":"Search Services","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"]}},{"id":"microsoft.streamanalytics/streamingjobs","type":"microsoft.streamanalytics/streamingjobs","displayName":"Stream Analytics 
jobs","related":{"tables":["AzureActivity","AzureMetrics","AzureDiagnostics"],"queries":["b4d66462-3b14-48e0-8f73-69963f167e07","5ee61bc5-7ab3-4ea6-bd8a-894199439250","b90dfde7-6647-431a-ba33-a8d15ce03cfd","787bfae4-3b13-4edf-b04c-df38392915f0","b8c03410-f001-4b97-9cd7-0e0f133dec66","3d9fb8b2-befb-4583-8c92-1da2bf3411b4","4d078508-6a71-4f6d-8408-74cc20ad7867","aa09b62c-25ef-446e-b7b3-a950aef7800f","8fb2034b-6c12-47bc-838b-b657bd5f5300","b1c25cc3-f90b-4514-8391-283ca87952bd","33fb2c35-1ffd-4325-9f93-0a23ccf6d0d4","052020ef-b3ca-4980-8c22-cd02e0471ee2","a5921654-c003-4486-8122-60092622db9f","1ba813c0-8d01-4837-b8b4-ea954aa2c02d","c64e6268-9405-45fa-acce-e59dea7054fe","1c4e1e99-3d45-4125-ab76-320c8fdd3413","ec788186-ccc0-43fd-b974-1def808dfa21","801fa603-7ed8-4a4a-b028-5b0ff6277eb5","5b86398a-8291-40ce-8d97-c534997f61e6","366f2856-ffd7-4f9b-9c42-862e3b201f3c"]}},{"id":"microsoft.network/bastionhosts","type":"Microsoft.Network/bastionHosts","displayName":"Bastions","related":{"tables":["AzureActivity","AzureMetrics","MicrosoftAzureBastionAuditLogs"]}},{"id":"microsoft.healthcareapis/services","type":"Microsoft.HealthcareApis/services","displayName":"Azure API for FHIR","related":{"tables":["AzureActivity","AzureMetrics","MicrosoftHealthcareApisAuditLogs"]}}],"queries":[{"id":"00d2b78e-df02-42d4-ae3a-27db94a534fc","displayName":"Frequent users endpoint callers (AAD Graph)","description":"Gets list of apps and service principals calling users endpoint in AAD Graph.","body":"AADGraphActivityLogs\r\n| where RequestUri has \"users\"\r\n| summarize NumRequests = count() by AppId, ServicePrincipalId, UserId\r\n| sort by NumRequests desc\r\n| limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.azureadgraph/tenants"],"tables":["AADGraphActivityLogs"]}},{"id":"c4ee740a-6d0e-4a87-b998-663d2d36fca0","displayName":"Failed groups endpoint requests (AAD 
Graph)","description":"Gets a list of failed requests to group entities in AAD Graph, by apps and service principals.","body":"AADGraphActivityLogs\r\n| where ResultSignature == \"403\"\r\n| where RequestUri has \"groups\"\r\n| summarize UniqueRequests = dcount(RequestId) by AppId, ServicePrincipalId, UserId\r\n| sort by UniqueRequests desc\r\n| limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.azureadgraph/tenants"],"tables":["AADGraphActivityLogs"]}},{"id":"f47ac10b-58cc-4372-a567-0e02b2c3d479","displayName":"Dropped network flow logs","description":"Get all the network flow logs that were dropped.","body":"RetinaNetworkFlowLogs\r\n| where Verdict == \"DROPPED\"\r\n| limit 100\r\n","tags":{"Topic":["Security","Availability"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"tables":["RetinaNetworkFlowLogs"]}},{"id":"d3b07384-d9a0-4c9d-8f00-6e7a9e7a8b0d","displayName":"Top 10 network flow log metrics","description":"Get the network flow log metrics for the top 10 source and destination IPs by total bytes sent and received.","body":"let TopSourceIPs = \r\n RetinaNetworkFlowLogs\r\n | summarize TotalPacketsSent = sum(PacketsSent) by SourceIP = IP.Source\r\n | extend MetricCategory = \"Top Source IPs by Packets Sent\"\r\n | project MetricCategory, Entity = SourceIP, Value = TotalPacketsSent\r\n | top 10 by Value desc;\r\n\r\nlet TopDestinationIPs = \r\n RetinaNetworkFlowLogs\r\n | summarize TotalPacketsReceived = sum(PacketsReceived) by DestinationIP = IP.Destination\r\n | extend MetricCategory = \"Top Destination IPs by Packets Received\"\r\n | project MetricCategory, Entity = DestinationIP, Value = TotalPacketsReceived\r\n | top 10 by Value desc;\r\n\r\nlet TopSourceIPsByBytes = \r\n 
RetinaNetworkFlowLogs\r\n | summarize TotalBytesSent = sum(BytesSent) by SourceIP = IP.Source\r\n | extend MetricCategory = \"Top Source IPs by Bytes Sent\"\r\n | project MetricCategory, Entity = SourceIP, Value = TotalBytesSent\r\n | top 10 by Value desc;\r\n\r\nlet TopDestinationIPsByBytes = \r\n RetinaNetworkFlowLogs\r\n | summarize TotalBytesReceived = sum(BytesReceived) by DestinationIP = IP.Destination\r\n | extend MetricCategory = \"Top Destination IPs by Bytes Received\"\r\n | project MetricCategory, Entity = DestinationIP, Value = TotalBytesReceived\r\n | top 10 by Value desc;\r\n\r\nlet TopProtocols = \r\n RetinaNetworkFlowLogs\r\n | summarize TotalUsage = count() by Protocol\r\n | extend MetricCategory = \"Top Protocols by Usage\"\r\n | project MetricCategory, Entity = Protocol, Value = TotalUsage\r\n | top 10 by Value desc;\r\n\r\nTopSourceIPs\r\n| union TopDestinationIPs\r\n| union TopSourceIPsByBytes\r\n| union TopDestinationIPsByBytes\r\n| union TopProtocols","tags":{"Topic":["Security","Availability"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"tables":["RetinaNetworkFlowLogs"]}},{"id":"571b97f3-d68b-41eb-b1ac-6c40a38fbb4d","displayName":"Dropped network flow logs","description":"Get all the network flow logs that were dropped.","body":"ContainerNetworkLogs\r\n| where Verdict == \"DROPPED\"\r\n| limit 100\r\n","tags":{"Topic":["Security","Availability"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"tables":["ContainerNetworkLogs"]}},{"id":"54bb9cdf-3eb8-4f1b-bb39-a2e578bceecb","displayName":"Top 10 network flow log metrics","description":"Get the network flow log metrics for the top 10 source and destination IPs by total bytes sent and received.","body":"let TopSourceIPs = \r\n 
ContainerNetworkLogs\r\n | summarize TotalIngressFlowCount = sum(IngressFlowCount) by SourceIP = IP.Source\r\n | extend MetricCategory = \"Top Source IPs by IngressFlowCount\"\r\n | project MetricCategory, Entity = SourceIP, Value = TotalIngressFlowCount\r\n | top 10 by Value desc;\r\n\r\nlet TopDestinationIPs = \r\n ContainerNetworkLogs\r\n | summarize TotalEgressFlowCount = sum(EgressFlowCount) by DestinationIP = IP.Destination\r\n | extend MetricCategory = \"Top Destination IPs by Egress Flows\"\r\n | project MetricCategory, Entity = DestinationIP, Value = TotalEgressFlowCount\r\n | top 10 by Value desc;\r\n\r\nlet TopSourceIPsByBytes = \r\n ContainerNetworkLogs\r\n | summarize TotalBytesSent = sum(BytesSent) by SourceIP = IP.Source\r\n | extend MetricCategory = \"Top Source IPs by Bytes Sent\"\r\n | project MetricCategory, Entity = SourceIP, Value = TotalBytesSent\r\n | top 10 by Value desc;\r\n\r\nlet TopDestinationIPsByBytes = \r\n ContainerNetworkLogs\r\n | summarize TotalBytesReceived = sum(BytesReceived) by DestinationIP = IP.Destination\r\n | extend MetricCategory = \"Top Destination IPs by Bytes Received\"\r\n | project MetricCategory, Entity = DestinationIP, Value = TotalBytesReceived\r\n | top 10 by Value desc;\r\n\r\nlet TopProtocols = \r\n ContainerNetworkLogs\r\n | summarize TotalUsage = count() by Protocol\r\n | extend MetricCategory = \"Top Protocols by Usage\"\r\n | project MetricCategory, Entity = Protocol, Value = TotalUsage\r\n | top 10 by Value desc;\r\n\r\nTopSourceIPs\r\n| union TopDestinationIPs\r\n| union TopSourceIPsByBytes\r\n| union TopDestinationIPsByBytes\r\n| union TopProtocols","tags":{"Topic":["Security","Availability"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"tables":["ContainerNetworkLogs"]}},{"id":"b30699d3-efa7-4341-acad-b0d745f57061","displayName":"Top 100 Log Messages by Edge Action 
Version","description":"Top 100 log messages emitted by an action, grouped by action version.","body":"EdgeActionConsoleLog\r\n| summarize InvocationCount = count() by EdgeActionVersion, LogMessage\r\n| top 100 by InvocationCount","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.cdn/edgeactions"],"tables":["EdgeActionConsoleLog","EdgeActionServiceLog"]}},{"id":"c72d1185-3401-4e65-9a9b-424730f26288","displayName":"Internal Errors by Edge Action Version","description":"Count of internal errors emitted by Edge Actions, grouped by action version.","body":"EdgeActionServiceLog\r\n| where LogMessage contains \"Internal Error\"\r\n| summarize ErrorCount = count() by EdgeActionVersion","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.cdn/edgeactions"],"tables":["EdgeActionServiceLog"]}},{"id":"a4d5c564-f185-450d-9024-ac003c4f96a9","displayName":"Status of farm management operations for a farmer","description":"Retrieves logs indicating the status (success or failure) for operations performed in the FarmManagement logs category for a farmer.","body":"AgriFoodFarmManagementLogs\r\n| summarize Count = count() by OperationName, ResultSignature\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.agfoodplatform/farmbeats"],"tables":["AgriFoodFarmManagementLogs"]}},{"id":"97234902-0236-4821-a438-d52c8a80a8ba","displayName":"Job execution statistics for a farmer","description":"Retrieves the status of job processing for a farmer.","body":"AgriFoodJobProcessedLogs\r\n| summarize Count = count() by FarmerId, ResultType, 
OperationName\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.agfoodplatform/farmbeats"],"tables":["AgriFoodJobProcessedLogs"]}},{"id":"f3518255-2374-448a-878a-d5d4457da11c","displayName":"Failed authorization","description":"Identifies a list of users who failed to access your resource and the reason for this failure.","body":"AgriFoodApplicationAuditLogs\r\n| where OperationName startswith \"Data Plane Authentication\"\r\n| where ResultType == \"Failure\"\r\n| take 100\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.agfoodplatform/farmbeats"],"tables":["AgriFoodApplicationAuditLogs"]}},{"id":"b093d561-a33c-4997-a3b1-cb82f2b97c05","displayName":"Status of all operations for a farmer","description":"Aggregates failures and successes across categories for a farmer.","body":"((AgriFoodFarmManagementLogs | where FarmerId != \"\" | summarize AgriFoodFarmManagementLogsCount=count() by FarmerId, ResultType))\r\n| join kind=fullouter (( AgriFoodSatelliteLogs | where FarmerId != \"\" | summarize AgriFoodSatelliteLogsCount=count() by FarmerId, ResultType)) on FarmerId, ResultType\r\n| join kind=fullouter (( AgriFoodWeatherLogs | where FarmerId != \"\" | summarize AgriFoodWeatherLogsCount=count() by FarmerId, ResultType)) on FarmerId, ResultType\r\n| join kind=fullouter (( AgriFoodJobProcessedLogs | where FarmerId != \"\" | summarize AgriFoodJobProcessedLogsCount=count() by FarmerId, ResultType)) on FarmerId, ResultType\r\n| join kind=fullouter (( AgriFoodFarmOperationLogs | where FarmerId != \"\" | summarize AgriFoodFarmOperationLogsCount=count() by FarmerId, ResultType)) on FarmerId, ResultType\r\n| join kind=fullouter (( AgriFoodInsightLogs | where FarmerId != \"\" | summarize AgriFoodInsightLogsCount=count() 
by FarmerId, ResultType)) on FarmerId, ResultType\r\n| join kind=fullouter (( AgriFoodProviderAuthLogs | where FarmerId != \"\" | summarize AgriFoodProviderAuthLogsCount=count() by FarmerId, ResultType)) on FarmerId, ResultType\r\n| join kind=fullouter (( AgriFoodModelInferenceLogs | where FarmerId != \"\" | summarize AgriFoodModelInferenceLogsCount=count() by FarmerId, ResultType)) on FarmerId, ResultType\r\n| project FarmerId = coalesce(FarmerId, FarmerId1, FarmerId2, FarmerId3, FarmerId4, FarmerId5, FarmerId6, FarmerId7), AgriFoodFarmManagementLogsCount, AgriFoodSatelliteLogsCount, AgriFoodWeatherLogsCount, AgriFoodJobProcessedLogsCount, AgriFoodFarmOperationLogsCount, AgriFoodInsightLogsCount, AgriFoodProviderAuthLogsCount, AgriFoodModelInferenceLogsCount, ResultType = coalesce(ResultType, ResultType1, ResultType2, ResultType3, ResultType4, ResultType5, ResultType6, ResultType7)\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.agfoodplatform/farmbeats"]}},{"id":"26b400a2-3108-4cdd-bdc9-b6889b0ecfb7","displayName":"Usage trend for top 100 farmers based on the operations performed","description":"Retrieves a list of top 100 farmers based on the number of hits received across categories.","body":"((AgriFoodFarmManagementLogs | where FarmerId != \"\" | summarize AgriFoodFarmManagementLogsCount=count() by FarmerId))\r\n| join kind=fullouter (( AgriFoodSatelliteLogs | where FarmerId != \"\" | summarize AgriFoodSatelliteLogsCount=count() by FarmerId)) on FarmerId\r\n| join kind=fullouter (( AgriFoodWeatherLogs | where FarmerId != \"\" | summarize AgriFoodWeatherLogsCount=count() by FarmerId)) on FarmerId\r\n| join kind=fullouter (( AgriFoodJobProcessedLogs | where FarmerId != \"\" | summarize AgriFoodJobProcessedLogsCount=count() by FarmerId)) on FarmerId\r\n| join kind=fullouter (( AgriFoodFarmOperationLogs | where FarmerId != \"\" | 
summarize AgriFoodFarmOperationLogsCount=count() by FarmerId)) on FarmerId\r\n| join kind=fullouter (( AgriFoodInsightLogs | where FarmerId != \"\" | summarize AgriFoodInsightLogsCount=count() by FarmerId)) on FarmerId\r\n| join kind=fullouter (( AgriFoodProviderAuthLogs | where FarmerId != \"\" | summarize AgriFoodProviderAuthLogsCount=count() by FarmerId)) on FarmerId\r\n| join kind=fullouter (( AgriFoodModelInferenceLogs | where FarmerId != \"\" | summarize AgriFoodModelInferenceLogsCount=count() by FarmerId)) on FarmerId\r\n| project FarmerId = coalesce(FarmerId, FarmerId1, FarmerId2, FarmerId3, FarmerId4, FarmerId5, FarmerId6, FarmerId7), AgriFoodFarmManagementLogsCount, AgriFoodSatelliteLogsCount, AgriFoodWeatherLogsCount, AgriFoodJobProcessedLogsCount, AgriFoodFarmOperationLogsCount, AgriFoodInsightLogsCount, AgriFoodProviderAuthLogsCount, AgriFoodModelInferenceLogsCount\r\n| take 100 \r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.agfoodplatform/farmbeats"]}},{"id":"5d179a0d-ce8a-40ed-89d0-5a5eef4f5891","displayName":"Throttled Requests","description":"List of throttled requests to the App Config Service.","body":"// This query helps retrieve logs for throttled requests during past one hour.\r\nAACHttpRequest\r\n| where StatusCode == 429 and TimeGenerated > ago(1h)\r\n| sort by TimeGenerated desc\r\n","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.appconfiguration/configurationstores"],"tables":["AACHttpRequest"]}},{"id":"a9d9a6a2-de65-4f82-aca1-17f78df08b34","displayName":"Most common server errors","description":"Lists the most common error status codes and their counts.","body":"// This query helps retrieve logs for failed requests during past one hour by status code. 
\r\nAACHttpRequest\r\n| where StatusCode >= 500 and TimeGenerated > ago(1h)\r\n| summarize ErrorCount=count() by StatusCode\r\n| project StatusCode, ErrorCount\r\n| sort by ErrorCount desc\r\n","tags":{"Topic":["Availability"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.appconfiguration/configurationstores"],"tables":["AACHttpRequest"]}},{"id":"d3556a69-bce6-4f66-8611-5c41237c7593","displayName":"Most Active Clients by IP Address","description":"Lists the most common IP Addresses to communicate with the App Config Service.","body":"// This query helps count requests by top 10 most active client IP addresses. \r\nAACHttpRequest\r\n| summarize Count=count() by ClientIPAddress\r\n| project ClientIPAddress, Count\r\n| sort by Count desc\r\n| limit 10\r\n","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.appconfiguration/configurationstores"],"tables":["AACHttpRequest"]}},{"id":"feb88498-7f52-4cbc-9893-a0eef24f8790","displayName":"Most recent delete key-value operations","description":"List the most recent deleting key-value operations in App Config data plane.","body":"// This query helps retrieve the most recent 10 audit logs for deleting key-value operations in App Configuration data plane.\r\nAACAudit\r\n| where EventCategory == \"ApplicationManagement\" and OperationName == \"delete-keyvalue\"\r\n| where TimeGenerated > ago(1h)\r\n| sort by TimeGenerated desc\r\n| limit 10\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.appconfiguration/configurationstores"],"tables":["AACAudit"]}},{"id":"865a3ded-aeb4-473a-9f60-1af94374b5a2","displayName":"Most recent client error","description":"Lists the most recent failures because of client error.","body":"// This query helps list the most recent 10 audit logs for failures because of client error. 
\r\nAACAudit\r\n| where ResultType == \"ClientError\" and TimeGenerated > ago(1h)\r\n| sort by TimeGenerated desc\r\n| limit 10\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.appconfiguration/configurationstores"],"tables":["AACAudit"]}},{"id":"c3cf794b-5617-4eb8-95fa-66aa2a2678df","displayName":"Client requests per hour","description":"Count of client requests hourly.","body":"AGCAccessLogs\r\n| summarize AggregatedValue = count() by bin(TimeGenerated, 1h), _ResourceId\r\n| render timechart","tags":{"Topic":["AGC Access Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.servicenetworking/trafficcontrollers"],"tables":["AGCAccessLogs"]}},{"id":"e7766bc6-9d49-4b09-93ed-e564d7593be3","displayName":"5xx HTTP responses per hour","description":"Count of client requests that resulted in 5xx responses hourly.","body":"AGCAccessLogs\r\n| where HttpStatusCode > 499 and HttpStatusCode 399 and HttpStatusCode threshold\r\n| summarize count() by OperationName, _ResourceId","tags":{"Topic":["Usage","Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","security"],"resourceTypes":["microsoft.attestation/attestationproviders"],"tables":["AzureAttestationDiagnostics"]}},{"id":"c8258837-c1bd-456c-961f-14bf71748f79","displayName":"How active has this Attestation provider been?","description":"Line chart showing trend of Attestation provider requests volume, per operation over time.","body":"AzureAttestationDiagnostics\r\n| where TimeGenerated > ago(1d)\r\n| summarize count() by bin(TimeGenerated, 1h), OperationName // Aggregate by hour\r\n| render 
timechart","tags":{"Topic":["Usage","Diagnostics","Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","security"],"resourceTypes":["microsoft.attestation/attestationproviders"],"tables":["AzureAttestationDiagnostics"]}},{"id":"d6aaf873-8082-4960-aba0-146eb0414a27","displayName":"Who is calling this attestation provider?","description":"List of callers identified by their IP address and AAD UPN with their request count.","body":"AzureAttestationDiagnostics\r\n| summarize count() by CallerIpAddress, tostring(Identity.callerAadUPN)","tags":{"Topic":["Usage","Diagnostics","Alerts","Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","security"],"resourceTypes":["microsoft.attestation/attestationproviders"],"tables":["AzureAttestationDiagnostics"]}},{"id":"9b285dc2-6dc7-454a-aaa0-d3113cdb8825","displayName":"Have there been any changes to attestation policy?","description":"List of successful Attestation provider requests to change the attestation policy or policy signing certificates.","body":"// To create an alert for this query, click '+ New alert rule'\r\nlet policyOperations = pack_array(\r\n \"AddPolicyCertificate\",\r\n \"AddPolicyManagementCertificate\",\r\n \"AddPolicyManagementCertificates\",\r\n \"RemovePolicyCertificate\",\r\n \"RemovePolicyManagementCertificate\",\r\n \"RemovePolicyManagementCertificates\",\r\n \"ResetAttestationPolicy\",\r\n \"SetCurrentPolicy\",\r\n \"SetCurrentPolicyWithHttpMessagesAsync\",\r\n \"SetEffectiveAttestationPolicy\",\r\n \"DeleteCurrentPolicy\",\r\n \"DeletePolicy\"\r\n);\r\nAzureAttestationDiagnostics\r\n| where toint(ResultSignature) == 200\r\n| where policyOperations contains OperationName\r\n| take 
100","tags":{"Topic":["Usage","Diagnostics","Alerts","Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","security"],"resourceTypes":["microsoft.attestation/attestationproviders"],"tables":["AzureAttestationDiagnostics"]}},{"id":"07f7133f-baae-444c-a1a1-2e0b6caf09c2","displayName":"Have there been any errors attempting to configure the attestation policy?","description":"List of any errors attempting to configure the attestation policy or policy signing certificates.","body":"// To create an alert for this query, click '+ New alert rule'\r\nlet policyOperations = pack_array(\r\n \"AddPolicyCertificate\",\r\n \"AddPolicyManagementCertificate\",\r\n \"AddPolicyManagementCertificates\",\r\n \"PrepareToSetPolicy\",\r\n \"PrepareToUpdatePolicy\",\r\n \"RemovePolicyCertificate\",\r\n \"RemovePolicyManagementCertificate\",\r\n \"RemovePolicyManagementCertificates\",\r\n \"ResetAttestationPolicy\",\r\n \"SetCurrentPolicy\",\r\n \"SetCurrentPolicyWithHttpMessagesAsync\",\r\n \"SetEffectiveAttestationPolicy\",\r\n \"DeleteCurrentPolicy\",\r\n \"DeletePolicy\"\r\n);\r\nAzureAttestationDiagnostics\r\n| where toint(ResultSignature) >= 300\r\n| where policyOperations contains OperationName\r\n| take 100","tags":{"Topic":["Usage","Diagnostics","Alerts","Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","security"],"resourceTypes":["microsoft.attestation/attestationproviders"],"tables":["AzureAttestationDiagnostics"]}},{"id":"7147966e-f714-405b-b243-2c2d69e8b3fe","displayName":"Unique Redis client IP addresses","description":"Unique Redis client IP addresses that have connected to the cache.","body":"ACRConnectedClientList\r\n| summarize count() by 
ClientIp\r\n","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","network","resources"],"resourceTypes":["microsoft.cache/redis"],"tables":["ACRConnectedClientList"]}},{"id":"b0743562-0414-4fb9-a14b-fb1cfd5242b9","displayName":"Redis client connections per hour","description":"Redis client connections per hour within the specified IP address range.","body":"let IpRange = \"10.1.1.0/24\";\r\nACRConnectedClientList\r\n// For particular datetime filtering, add '| where TimeGenerated between (StartTime .. EndTime)'\r\n| where ipv4_is_in_range(ClientIp, IpRange)\r\n| summarize ConnectionCount = sum(ClientCount) by TimeRange = bin(TimeGenerated, 1h)\r\n","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","network","resources"],"resourceTypes":["microsoft.cache/redis"],"tables":["ACRConnectedClientList"]}},{"id":"c7d2bca8-92e7-4c02-87f3-43aa0a0a2a3a","displayName":"Microsoft Entra authentication audit log","description":"Logging Microsoft Entra authentication audit events.","body":"source\r\n| project\r\n TimeGenerated = todatetime(['time']),\r\n Location = location,\r\n OperationName = operationName,\r\n CacheName = tostring(properties.tenant),\r\n Message = tostring(properties.auditLog.message),\r\n Authentication = tostring(properties.auditLog.authentication),\r\n Username = tostring(properties.auditLog.username),\r\n IpAddress = tostring(properties.auditLog.ipAddress),\r\n ClientId = tostring(properties.auditLog.clientId),\r\n ClientName = tostring(properties.auditLog.clientName),\r\n Lifetime = tostring(properties.auditLog.lifeTime),\r\n RoleInstance = 
toint(properties.roleInstance)","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","network","resources"],"resourceTypes":["microsoft.cache/redis"],"tables":["ACREntraAuthenticationAuditLog"]}},{"id":"e1d8c76d-8a12-4e91-a04d-1aa38423af60","displayName":"Are there any slow requests?","description":"List of Cloud HSM requests taking longer than 1 second.","body":"let threshold=1000;\r\nCloudHsmServiceOperationAuditLogs\r\n| where DurationMs > threshold\r\n| summarize count() by OperationName, _ResourceId","tags":{"Topic":["Alerts","Usage and Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.hardwaresecuritymodules/cloudhsmclusters"],"tables":["CloudHsmServiceOperationAuditLogs"]}},{"id":"78169da5-08d5-4abb-a419-8abcae4b8279","displayName":"How active has this Cloud HSM been?","description":"Line chart showing trend of Cloud HSM requests volume, per operation over time.","body":"CloudHsmServiceOperationAuditLogs\r\n| summarize count() by bin(TimeGenerated, 1h), OperationName // Aggregate by hour\r\n| render timechart","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.hardwaresecuritymodules/cloudhsmclusters"],"tables":["CloudHsmServiceOperationAuditLogs"]}},{"id":"711f80bd-d89f-4c07-84f6-e053b0d5c8ed","displayName":"Are there any failures?","description":"Count of failed requests by request type","body":"CloudHsmServiceOperationAuditLogs\r\n| where ResultType == \"Failure\"\r\n| summarize count() by ResultSignature, _ResourceId","tags":{"Topic":["Usage and 
Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.hardwaresecuritymodules/cloudhsmclusters"],"tables":["CloudHsmServiceOperationAuditLogs"]}},{"id":"afece89a-eed3-4aa4-ba30-dfb7edd8b429","displayName":"Chat operations","description":"Returns all distinct combinations of chat operation and version pairs.","body":"ACSChatIncomingOperations\r\n| distinct OperationName, OperationVersion \r\n| limit 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSChatIncomingOperations"]}},{"id":"d72355a1-1cc9-405c-bfbb-02dfc41cfd5f","displayName":"Calculate chat operation duration percentiles","description":"Calculates the 90th, 95th, and 99th percentiles of run duration in milliseconds for each chat operation. It can be customized to be run for a single operation, or for other percentiles.","body":"ACSChatIncomingOperations\r\n// where OperationName == \"\" // This can be uncommented and specified to calculate only a single operation's duration percentiles\r\n| summarize percentiles(DurationMs, 90, 95, 99) by OperationName, OperationVersion // calculate 90th, 95th, and 99th percentiles of each Operation\r\n| limit 100","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSChatIncomingOperations"]}},{"id":"f2291767-c2a3-4865-8f70-f4f5adca5dd2","displayName":"Top 5 IP addresses per chat operation","description":"For every chat operation, fetch the 5 IP addresses that have called that operation the most.","body":"ACSChatIncomingOperations\r\n// | where OperationName == \"\" // This can be uncommented and specified to 
calculate only a single operation's count\r\n| top-nested of OperationName by dummy=max(0), // For all the Operations...\r\n top-nested 5 of CallerIpAddress by count() // List the IP address that have called that operation the most\r\n| project-away dummy // Remove dummy line from the result set\r\n| limit 100","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSChatIncomingOperations"]}},{"id":"9812504c-00a6-42c4-9cd6-b1532480a3cf","displayName":"Chat operational errors","description":"List every chat error ordered by recency.","body":"ACSChatIncomingOperations\r\n| where ResultType == \"Failed\"\r\n| project TimeGenerated, OperationName, OperationVersion, ResultSignature, ResultDescription\r\n| order by TimeGenerated desc\r\n| limit 100","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSChatIncomingOperations"]}},{"id":"4a0cdc80-bf62-498e-98e8-e52804a8a766","displayName":"Chat operation result counts","description":"For every chat operation, count the types of returned results.","body":"ACSChatIncomingOperations\r\n| summarize Count = count() by OperationName, ResultType //, ResultSignature // This can also be uncommented to determine the count of each ResultSignature for each ResultType \r\n| order by OperationName asc, Count desc\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSChatIncomingOperations"]}},{"id":"2e541dc6-bf82-4fcc-9e57-1faedbbfa48a","displayName":"List distinct SMS operations","description":"Returns all distinct 
combinations of SMS operation and version pairs.","body":"ACSSMSIncomingOperations\r\n| distinct OperationName, OperationVersion \r\n| limit 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSSMSIncomingOperations"]}},{"id":"c0e3ac32-7bc7-45b0-bbd1-4f2ab8abc70e","displayName":"Calculate SMS operation duration percentiles","description":"Calculates the 90th, 95th, and 99th percentiles of run duration in milliseconds for each SMS operation. It can be customized to be run for a single operation, or for other percentiles.","body":"ACSSMSIncomingOperations\r\n// where OperationName == \"\" // This can be uncommented and specified to calculate only a single operation's duration percentiles\r\n| summarize percentiles(DurationMs, 90, 95, 99) by OperationName, OperationVersion // calculate 90th, 95th, and 99th percentiles of each Operation\r\n| limit 100\r\n","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSSMSIncomingOperations"]}},{"id":"f3712c70-6f28-4cb2-9ff1-ba35854115a2","displayName":"Top 5 IP addresses per SMS operation","description":"For every SMS operation, fetch the 5 IP addresses that have called that operation the most.","body":"ACSSMSIncomingOperations\r\n// | where OperationName == \"\" // This can be uncommented and specified to calculate only a single operation's count\r\n| top-nested of OperationName by dummy=max(0), // For all the Operations...\r\n top-nested 5 of CallerIpAddress by count() // List the IP address that have called that operation the most\r\n| project-away dummy // Remove dummy line from the result set\r\n| limit 
100","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSSMSIncomingOperations"]}},{"id":"66ffdd36-8574-4622-b269-d4965e5d8b1d","displayName":"SMS operational errors","description":"List every SMS error ordered by recency.","body":"ACSSMSIncomingOperations\r\n| where ResultType == \"Failed\"\r\n| project TimeGenerated, OperationName, OperationVersion, ResultSignature, ResultDescription\r\n| order by TimeGenerated desc\r\n| limit 100","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSSMSIncomingOperations"]}},{"id":"28e284cb-faf4-4577-92a6-1fa73eed18bc","displayName":"SMS operation result counts","description":"For every SMS operation, count the types of returned results.","body":"ACSSMSIncomingOperations\r\n| summarize Count = count() by OperationName, ResultType //, ResultSignature // This can also be uncommented to determine the count of each ResultSignature for each ResultType \r\n| order by OperationName asc, Count desc\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSSMSIncomingOperations"]}},{"id":"8dc3bc93-2339-4035-8a92-b67f48f5d972","displayName":"Get long calls","description":"Retrieve all the calls that lasted longer than an hour.","body":"ACSBillingUsage\r\n| tolower(UsageType) == \"audio\" // only look at records that are calls\r\n| extend Length = EndTime - StartTime\r\n| where Length > 1h // return if the call is greater than an 
hour","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSBillingUsage"]}},{"id":"ca2d21c4-ac33-4ac0-88a9-ee2208e01ab7","displayName":"Usage breakdown","description":"Get the total usage for each mode per hour (note that the first and last hours displayed will represent partial data).","body":"ACSBillingUsage\r\n| summarize Usage=sum(Quantity) by UsageType, bin(TimeGenerated, 1h) // count the number of units for each type of usage, per hour\r\n| render columnchart","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSBillingUsage"]}},{"id":"050dc234-d6a1-4408-8c5e-dc61d81a2f57","displayName":"Record count breakdown","description":"Get the number of unique usage records for each mode per hour (note that the first and last hours displayed will represent partial data).","body":"ACSBillingUsage\r\n| summarize Occurences=dcount(RecordId) by UsageType, bin(TimeGenerated, 1h) // count the number of unique records for each type of usage, per hour\r\n| render columnchart","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSBillingUsage"]}},{"id":"d5195a1a-c7ab-4f2a-8720-6b3f5c544df0","displayName":"List distinct auth operations","description":"Returns all distinct combinations of auth operation and version pairs.","body":"ACSAuthIncomingOperations\r\n| distinct OperationName, OperationVersion \r\n| limit 
100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSAuthIncomingOperations"]}},{"id":"cc68c95a-8de0-4c40-8394-537a00437ea7","displayName":"Calculate auth operation duration percentiles","description":"Calculates the 90th, 95th, and 99th percentiles of run duration in milliseconds for each auth operation. It can be customized to be run for a single operation, or for other percentiles.","body":"ACSAuthIncomingOperations\r\n// where OperationName == \"\" // This can be uncommented and specified to calculate only a single operation's duration percentiles\r\n| summarize percentiles(DurationMs, 90, 95, 99) by OperationName, OperationVersion // calculate 90th, 95th, and 99th percentiles of each Operation\r\n| limit 100\r\n","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSAuthIncomingOperations"]}},{"id":"056f1614-fffa-4286-be6b-fd614dfa4dc5","displayName":"Top 5 IP addresses per auth operation","description":"For every auth operation, fetch the 5 IP addresses that have called that operation the most.","body":"ACSAuthIncomingOperations\r\n// | where OperationName == \"\" // This can be uncommented and specified to calculate only a single operation's count\r\n| top-nested of OperationName by dummy=max(0), // For all the Operations...\r\n top-nested 5 of CallerIpAddress by count() // List the IP address that have called that operation the most\r\n| project-away dummy // Remove dummy line from the result set\r\n| limit 
100","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSAuthIncomingOperations"]}},{"id":"be71a17c-5ffd-4215-ab19-2ead19f56396","displayName":"Auth operational errors","description":"List every auth error ordered by recency.","body":"ACSAuthIncomingOperations\r\n| where ResultType == \"Failed\"\r\n| project TimeGenerated, OperationName, OperationVersion, ResultSignature, ResultDescription\r\n| order by TimeGenerated desc\r\n| limit 100","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSAuthIncomingOperations"]}},{"id":"cf4f8822-721b-4bf0-91a8-6d0b7937047c","displayName":"Auth operation result counts","description":"For every auth operation, count the types of returned results.","body":"ACSAuthIncomingOperations\r\n| summarize Count = count() by OperationName, ResultType //, ResultSignature // This can also be uncommented to determine the count of each ResultSignature for each ResultType \r\n| order by OperationName asc, Count desc\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSAuthIncomingOperations"]}},{"id":"ed999090-4bc2-4704-ba16-ff0223930a4d","displayName":"Participants per call","description":"Calculates the average number of participants per call.","body":"ACSCallSummary\r\n// Get the distinct participants in a call\r\n| distinct CorrelationId, ParticipantId, EndpointId\r\n// Count the participants and distinct calls\r\n| summarize num_participants=count(), num_calls=dcount(CorrelationId)\r\n// Calculate the average number 
of distinct participants per call\r\n| extend avg_participants = toreal(num_participants) / toreal(num_calls)\r\n| project num_participants, num_calls, avg_participants","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummary"]}},{"id":"1a2b3c4d-e5f6-7a8b-9c0d-1e2f3a4b5c6d","displayName":"Participants per call","description":"Calculates the average number of participants per call.","body":"ACSCallSummaryUpdates\r\n// Get the distinct participants in a call\r\n| summarize arg_max(CallUpdatesVersion, *) by CorrelationId, ParticipantId, EndpointId\r\n// Count the participants and distinct calls\r\n| summarize num_participants=count(), num_calls=dcount(CorrelationId)\r\n// Calculate the average number of distinct participants per call\r\n| extend avg_participants = toreal(num_participants) / toreal(num_calls)\r\n| project num_participants, num_calls, avg_participants","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummaryUpdates"]}},{"id":"f46854c3-fa37-4b92-8675-ce838000949b","displayName":"Participant Phone Numbers","description":"Lists the phone numbers of the participants in the call. 
(Phone numbers come from ACSBillingUsage table).","body":"ACSCallSummary\r\n// Get the calls with CallType as Group\r\n| where CallType == 'Group'\r\n| project CorrelationId, ParticipantId, ParticipantStartTime, ParticipantDuration, EndpointType, CallType, CallStartTime, PstnParticipantCallType\r\n// Join with ACSBillingUsage data on ParticipantId\r\n| join kind=leftouter (ACSBillingUsage\r\n | where isnotempty(ParticipantId)\r\n | project ParticipantId, UserIdA, UserIdB, StartTime, Quantity)\r\n on ParticipantId\r\n// Combine with calls of CallType P2P\r\n| union (ACSCallSummary\r\n| where CallType == 'P2P'\r\n| project CorrelationId, ParticipantId, ParticipantStartTime, ParticipantDuration, EndpointType, CallType, CallStartTime, PstnParticipantCallType\r\n// Join with ACSBillingUsage data on CorrelationId\r\n| join kind=leftouter (ACSBillingUsage\r\n | where isnotempty(ParticipantId)\r\n | project CorrelationId, ParticipantId, UserIdA, UserIdB, StartTime, Quantity)\r\n on CorrelationId)\r\n| order by CallStartTime, ParticipantStartTime","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummary","ACSBillingUsage"]}},{"id":"7e8f9a0b-1c2d-3e4f-5a6b-7c8d9e0f1a2b","displayName":"Participant Phone Numbers","description":"Lists the phone numbers of the participants in the call. 
(Phone numbers come from ACSBillingUsage table).","body":"ACSCallSummaryUpdates\r\n// Get the calls with CallType as Group\r\n| where CallType == 'Group'\r\n| summarize arg_max(CallUpdatesVersion, *) by CorrelationId, ParticipantId, ParticipantStartTime, ParticipantDuration, EndpointType, CallType, CallStartTime, PstnParticipantCallType\r\n| project CorrelationId, ParticipantId, ParticipantStartTime, ParticipantDuration, EndpointType, CallType, CallStartTime, PstnParticipantCallType\r\n// Join with ACSBillingUsage data on ParticipantId\r\n| join kind=leftouter (ACSBillingUsage\r\n | where isnotempty(ParticipantId)\r\n | project ParticipantId, UserIdA, UserIdB, StartTime, Quantity)\r\n on ParticipantId\r\n// Combine with calls of CallType P2P\r\n| union (ACSCallSummaryUpdates\r\n| where CallType == 'P2P'\r\n| summarize arg_max(CallUpdatesVersion, *) by CorrelationId, ParticipantId, ParticipantStartTime, ParticipantDuration, EndpointType, CallType, CallStartTime, PstnParticipantCallType\r\n| project CorrelationId, ParticipantId, ParticipantStartTime, ParticipantDuration, EndpointType, CallType, CallStartTime, PstnParticipantCallType\r\n// Join with ACSBillingUsage data on CorrelationId\r\n| join kind=leftouter (ACSBillingUsage\r\n | where isnotempty(ParticipantId)\r\n | project CorrelationId, ParticipantId, UserIdA, UserIdB, StartTime, Quantity)\r\n on CorrelationId)\r\n| order by CallStartTime, ParticipantStartTime","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummaryUpdates","ACSBillingUsage"]}},{"id":"6d9f94e6-0421-4611-b43a-c9a8f409b83b","displayName":"Participants per group call","description":"Produces a histogram of the number of participants in group calls.","body":"ACSCallSummary\r\n// Filter out all P2P calls to calculate only participants in Group calls\r\n| 
where CallType == 'Group'\r\n// Get the distinct participants in a call\r\n| distinct CorrelationId, ParticipantId\r\n// Count the number of participants per call\r\n| summarize num_participants=count() by CorrelationId\r\n// Aggregate the numbers of participants per call (e.g. if there are three calls\r\n// with 5 participants, this will produce a row [num_participants=5, participant_counts=3])\r\n| summarize participant_counts=count() by num_participants\r\n| order by num_participants asc \r\n| render columnchart with (xcolumn = num_participants, title=\"Number of participants per group call\")","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummary"]}},{"id":"3e4f5a6b-7c8d-9e0f-1a2b-3c4d5e6f7a8b","displayName":"Participants per group call","description":"Produces a histogram of the number of participants in group calls.","body":"ACSCallSummaryUpdates\r\n// Filter out all P2P calls to calculate only participants in Group calls\r\n| where CallType == 'Group'\r\n// Get the distinct participants in a call\r\n| summarize arg_max(CallUpdatesVersion, *) by CorrelationId, ParticipantId\r\n// Count the number of participants per call\r\n| summarize num_participants=count() by CorrelationId\r\n// Aggregate the numbers of participants per call (e.g. 
if there are three calls\r\n// with 5 participants, this will produce a row [num_participants=5, participant_counts=3])\r\n| summarize participant_counts=count() by num_participants\r\n| order by num_participants asc \r\n| render columnchart with (xcolumn = num_participants, title=\"Number of participants per group call\")","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummaryUpdates"]}},{"id":"7f49ca30-a69f-45fd-b06f-d2b5271587da","displayName":"Call type ratio","description":"Produces a pie chart of the proportion of call types (P2P and group calls).","body":"ACSCallSummary\r\n// Count distinct calls (dcount(CorrelationId)) per call type\r\n| summarize call_types=dcount(CorrelationId) by CallType\r\n| render piechart title=\"Call Type Ratio\"","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummary"]}},{"id":"9c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4f","displayName":"Call type ratio","description":"Produces a pie chart of the proportion of call types (P2P and group calls).","body":"ACSCallSummaryUpdates\r\n// Count distinct calls (dcount(CorrelationId)) per call type\r\n| summarize call_types=dcount(CorrelationId) by CallType\r\n| render piechart title=\"Call Type Ratio\"","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummaryUpdates"]}},{"id":"a7cc4b34-b191-4d3a-8fac-830ed3321e45","displayName":"Call duration histogram","description":"Produces a histogram of call durations in 
seconds.","body":"ACSCallSummary\r\n// Get the distinct combinations of CorrelationId, CallDuration\r\n| distinct CorrelationId, CallDuration\r\n// Count call duration bins (60 second intervals)\r\n| summarize duration_counts=count() by bin(CallDuration, 60)\r\n| order by CallDuration asc\r\n| render columnchart with (xcolumn = CallDuration, title=\"Call duration histogram\")","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummary"]}},{"id":"5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d","displayName":"Call duration histogram","description":"Produces a histogram of call durations in seconds.","body":"ACSCallSummaryUpdates\r\n// Get the distinct combinations of CorrelationId, CallDuration\r\n| summarize arg_max(CallUpdatesVersion, *) by CorrelationId, CallDuration\r\n// Count call duration bins (60 second intervals)\r\n| summarize duration_counts=count() by bin(CallDuration, 60)\r\n| order by CallDuration asc\r\n| render columnchart with (xcolumn = CallDuration, title=\"Call duration histogram\")","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummaryUpdates"]}},{"id":"912d4bfd-f025-4f8d-909e-2936b7796eb8","displayName":"Call duration percentiles","description":"Calculates the average call duration in seconds, as well as the 50%, 90%, and 99% call duration percentiles.","body":"ACSCallSummary\r\n// Get the distinct combinations of CorrelationId, CallDuration\r\n| distinct CorrelationId, CallDuration\r\n// Calculate average and percentiles (50%, 90%, and 99%) of call durations (in seconds)\r\n| summarize avg(CallDuration), percentiles(CallDuration, 50, 90, 
99)","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummary"]}},{"id":"023e5cae-a136-5a9e-010f-1047c8807fc9","displayName":"Call duration percentiles","description":"Calculates the average call duration in seconds, as well as the 50%, 90%, and 99% call duration percentiles.","body":"ACSCallSummaryUpdates\r\n// Get the distinct combinations of CorrelationId, CallDuration\r\n| summarize arg_max(CallUpdatesVersion, *) by CorrelationId, CallDuration\r\n// Calculate average and percentiles (50%, 90%, and 99%) of call durations (in seconds)\r\n| summarize avg(CallDuration), percentiles(CallDuration, 50, 90, 99)","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummaryUpdates"]}},{"id":"df398179-e2b2-418d-bfae-95faf858c0cf","displayName":"Daily calls","description":"Produces a histogram of calls made per day in the last week.","body":"ACSCallSummary\r\n// To filter out calls made over a week ago, uncomment the next line\r\n// | where CallStartTime > ago(7d)\r\n// Get the distinct combinations of CorrelationId and CallStartTime\r\n| distinct CorrelationId, CallStartTime\r\n// Adds a new column with the call start day\r\n| extend day = floor(CallStartTime, 1d)\r\n// Count the number of calls per day\r\n| summarize event_count=count() by day\r\n| sort by day asc\r\n| render columnchart title=\"Number of calls per 
day\"","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummary"]}},{"id":"d62bf65f-66b7-482f-b296-83f2ca4e19d8","displayName":"Daily calls","description":"Produces a histogram of calls made per day in the last week.","body":"ACSCallSummaryUpdates\r\n// To filter out calls made over a week ago, uncomment the next line\r\n// | where CallStartTime > ago(7d)\r\n// Get the distinct combinations of CorrelationId and CallStartTime\r\n| summarize arg_max(CallUpdatesVersion, *) by CorrelationId, CallStartTime\r\n// Adds a new column with the call start day\r\n| extend day = floor(CallStartTime, 1d)\r\n// Count the number of calls per day\r\n| summarize event_count=count() by day\r\n| sort by day asc\r\n| render columnchart title=\"Number of calls per day\"","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummaryUpdates"]}},{"id":"444fcb48-73f7-49b4-bc43-852418bbd394","displayName":"Hourly calls","description":"Produces a histogram of calls made per hour in the last day.","body":"ACSCallSummary\r\n// Get the distinct combinations of CorrelationId and CallStartTime\r\n| distinct CorrelationId, CallStartTime\r\n// Adds a new column with the call start hour\r\n| extend hour = floor(CallStartTime, 1h)\r\n// Count the number of calls per hour\r\n| summarize event_count=count() by hour\r\n| sort by hour asc\r\n| render columnchart title=\"Number of calls per hour in last 
day\"","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummary"]}},{"id":"f94860c-a83f-44cb-88bd-3fc8d2ab5510","displayName":"Hourly calls","description":"Produces a histogram of calls made per hour in the last day.","body":"ACSCallSummaryUpdates\r\n// Get the distinct combinations of CorrelationId and CallStartTime\r\n| summarize arg_max(CallUpdatesVersion, *) by CorrelationId, CallStartTime\r\n// Adds a new column with the call start hour\r\n| extend hour = floor(CallStartTime, 1h)\r\n// Count the number of calls per hour\r\n| summarize event_count=count() by hour\r\n| sort by hour asc\r\n| render columnchart title=\"Number of calls per hour in last day\"","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummaryUpdates"]}},{"id":"98481911-2a32-4b68-b7bb-8065ffc25376","displayName":"Endpoints per call","description":"Calculates the average number of distinct endpoints per call.","body":"ACSCallSummary\r\n// Get the distinct combinations of CorrelationId and EndpointId\r\n| distinct CorrelationId, EndpointId\r\n// Count all endpoints and distinct calls\r\n| summarize num_endpoints=count(), num_calls=dcount(CorrelationId)\r\n// Calculate the average number of distinct endpoints per call\r\n| extend avg_endpoints = toreal(num_endpoints) / toreal(num_calls)\r\n| project num_endpoints, num_calls, 
avg_endpoints","tags":{"Topic":["EndpointInformation"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummary"]}},{"id":"fc661805-ba40-45c5-84f0-1afa40af255d","displayName":"Endpoints per call","description":"Calculates the average number of distinct endpoints per call.","body":"ACSCallSummaryUpdates\r\n// Get the distinct combinations of CorrelationId and EndpointId\r\n| summarize arg_max(CallUpdatesVersion, *) by CorrelationId, EndpointId\r\n// Count all endpoints and distinct calls\r\n| summarize num_endpoints=count(), num_calls=dcount(CorrelationId)\r\n// Calculate the average number of distinct endpoints per call\r\n| extend avg_endpoints = toreal(num_endpoints) / toreal(num_calls)\r\n| project num_endpoints, num_calls, avg_endpoints","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummaryUpdates"]}},{"id":"16168079-3eda-4f8e-b486-51a592299b87","displayName":"SDK version ratio","description":"Produces a pie chart of the proportion of SDK versions used by participants.","body":"ACSCallSummary\r\n// Get the distinct participants in a call\r\n| distinct CorrelationId, ParticipantId, EndpointId, SdkVersion\r\n// Count participants that are using a particular SDK\r\n| summarize sdk_counts=count() by SdkVersion\r\n| order by SdkVersion asc\r\n| render piechart title=\"SDK Version Ratio\"\r\n","tags":{"Topic":["EndpointInformation"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummary"]}},{"id":"2f874bbe-63ac-479a-ba4e-858c0607b2ac","displayName":"SDK version 
ratio","description":"Produces a pie chart of the proportion of SDK versions used by participants.","body":"ACSCallSummaryUpdates\r\n// Get the distinct participants in a call\r\n| summarize arg_max(CallUpdatesVersion, *) by CorrelationId, ParticipantId, EndpointId, SdkVersion\r\n// Count participants that are using a particular SDK\r\n| summarize sdk_counts=count() by SdkVersion\r\n| order by SdkVersion asc\r\n| render piechart title=\"SDK Version Ratio\"\r\n","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummaryUpdates"]}},{"id":"4a3ef465-671d-4759-815e-c6bd2769da61","displayName":"OS version ratio","description":"Produces a pie chart of the proportion of OS versions used by participants.","body":"ACSCallSummary\r\n// Get the distinct participants in a call\r\n| distinct CorrelationId, ParticipantId, EndpointId, OsVersion\r\n// Simplified OS version name by searching for a specific OS keyword\r\n// and performs a different string split operation per OS type\r\n| extend simple_os = case( indexof(OsVersion, \"Android\") != -1, tostring(split(OsVersion, \";\")[0]),\r\n indexof(OsVersion, \"Darwin\") != -1, tostring(split(OsVersion, \":\")[0]),\r\n indexof(OsVersion, \"Windows\") != -1, tostring(split(OsVersion, \".\")[0]),\r\n OsVersion\r\n )\r\n// Count the participants that are using a particular OS version\r\n| summarize os_counts=count() by simple_os\r\n| order by simple_os asc\r\n| render piechart title=\"OS Version Ratio\"","tags":{"Topic":["EndpointInformation"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummary"]}},{"id":"d13a7541-aeee-425f-89e6-33795d8e1e23","displayName":"OS version 
ratio","description":"Produces a pie chart of the proportion of OS versions used by participants.","body":"ACSCallSummaryUpdates\r\n// Get the distinct participants in a call\r\n| summarize arg_max(CallUpdatesVersion, *) by CorrelationId, ParticipantId, EndpointId, OsVersion\r\n// Simplified OS version name by searching for a specific OS keyword\r\n// and performs a different string split operation per OS type\r\n| extend simple_os = case( indexof(OsVersion, \"Android\") != -1, tostring(split(OsVersion, \";\")[0]),\r\n indexof(OsVersion, \"Darwin\") != -1, tostring(split(OsVersion, \":\")[0]),\r\n indexof(OsVersion, \"Windows\") != -1, tostring(split(OsVersion, \".\")[0]),\r\n OsVersion\r\n )\r\n// Count the participants that are using a particular OS version\r\n| summarize os_counts=count() by simple_os\r\n| order by simple_os asc\r\n| render piechart title=\"OS Version Ratio\"","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummaryUpdates"]}},{"id":"693cc58e-1b66-41f2-b83e-d92de385aace","displayName":"Streams per call","description":"Calculates the average number of streams per call.","body":"ACSCallDiagnostics\r\n// Count the streams and distinct calls\r\n| summarize num_streams=count(), num_calls=dcount(CorrelationId)\r\n// Calculate the average number of streams per call\r\n| extend avg_streams = toreal(num_streams) / toreal(num_calls)","tags":{"Topic":["MediaStreams"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnostics"]}},{"id":"07dd8389-c27d-4fbe-8b52-8506a933be06","displayName":"Streams per call","description":"Calculates the average number of streams per call.","body":"ACSCallDiagnosticsUpdates\r\n// Count 
the streams and distinct calls\r\n| summarize num_streams=count(), num_calls=dcount(CorrelationId)\r\n// Calculate the average number of streams per call\r\n| extend avg_streams = toreal(num_streams) / toreal(num_calls)","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummaryUpdates"]}},{"id":"e94fbeb3-4642-4ccf-b138-82c39dede64c","displayName":"Streams per call histogram","description":"Produces a histogram of number of streams per call.","body":"ACSCallDiagnostics\r\n// Counts the number of streams per call \r\n| summarize streams_per_call=count() by CorrelationId\r\n// Aggregates the numbers of streams per call (e.g. if there are 7 calls that have 6 streams,\r\n// this will produce a row [streams_per_call=6, stream_counts=7])\r\n| summarize stream_counts=count() by streams_per_call\r\n| order by streams_per_call asc\r\n| render columnchart title=\"Streams per call histogram\"","tags":{"Topic":["MediaStreams"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnostics"]}},{"id":"985dcc97-d950-413f-a024-9e12640775a9","displayName":"Streams per call histogram","description":"Produces a histogram of number of streams per call.","body":"ACSCallDiagnosticsUpdates\r\n// Counts the number of streams per call \r\n| summarize streams_per_call=count() by CorrelationId\r\n// Aggregates the numbers of streams per call (e.g. 
if there are 7 calls that have 6 streams,\r\n// this will produce a row [streams_per_call=6, stream_counts=7])\r\n| summarize stream_counts=count() by streams_per_call\r\n| order by streams_per_call asc\r\n| render columnchart title=\"Streams per call histogram\"","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallSummaryUpdates"]}},{"id":"4944e5c6-520d-41b4-84e6-9c9cc4b564ec","displayName":"Media type ratio","description":"Produces a pie chart of the proportion of streams per media type.","body":"ACSCallDiagnostics\r\n// Count the number of streams per media type\r\n| summarize media_types=count() by MediaType\r\n| render piechart title=\"Media Type Ratio\"","tags":{"Topic":["MediaStreams"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnostics"]}},{"id":"141e074c-7563-4d02-8e03-41fbb2be1f39","displayName":"Media type ratio","description":"Produces a pie chart of the proportion of streams per media type.","body":"ACSCallDiagnosticsUpdates\r\n// Count the number of streams per media type\r\n| summarize media_types=count() by MediaType\r\n| render piechart title=\"Media Type Ratio\"","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnosticsUpdates"]}},{"id":"f240c320-03bb-4562-ad29-8282c706778d","displayName":"Transport type ratio","description":"Produces a pie chart of the proportion of streams per transport type.","body":"ACSCallDiagnostics\r\n// Count the number of streams per transport 
type\r\n| summarize transport_types=count() by TransportType\r\n| render piechart title=\"Transport Type Ratio\"","tags":{"Topic":["MediaStreams"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnostics"]}},{"id":"2b6d1a2b-3c4d-5e6f-7e6f-4d3c9d8b2b6d","displayName":"Transport type ratio","description":"Produces a pie chart of the proportion of streams per transport type.","body":"ACSCallDiagnosticsUpdates\r\n// Count the number of streams per transport type\r\n| summarize transport_types=count() by TransportType\r\n| render piechart title=\"Transport Type Ratio\"","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnosticsUpdates"]}},{"id":"7fe223e8-c01b-482a-9578-4fb0f0fa86af","displayName":"Average telemetry values","description":"Calculates the average values for the six telemetry fields.","body":"ACSCallDiagnostics\r\n// Calculate the average value for each of the six telemetry fields\r\n| summarize Avg_JitterAvg=avg(JitterAvg),\r\n Avg_JitterMax=avg(JitterMax),\r\n Avg_RoundTripTimeAvg=avg(RoundTripTimeAvg),\r\n Avg_RoundTripTimeMax=avg(RoundTripTimeMax),\r\n Avg_PacketLossRateAvg=avg(PacketLossRateAvg),\r\n Avg_PacketLossRateMax=avg(PacketLossRateMax)","tags":{"Topic":["Telemetry"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnostics"]}},{"id":"1e2d3c4b-5a6f-7e8d-9c0b-1a2b3c4d5e6f","displayName":"Average telemetry values","description":"Calculates the average values for the six telemetry fields.","body":"ACSCallDiagnosticsUpdates\r\n// Calculate 
the average value for each of the six telemetry fields\r\n| summarize Avg_JitterAvg=avg(JitterAvg),\r\n Avg_JitterMax=avg(JitterMax),\r\n Avg_RoundTripTimeAvg=avg(RoundTripTimeAvg),\r\n Avg_RoundTripTimeMax=avg(RoundTripTimeMax),\r\n Avg_PacketLossRateAvg=avg(PacketLossRateAvg),\r\n Avg_PacketLossRateMax=avg(PacketLossRateMax)","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnosticsUpdates"]}},{"id":"b87b8817-e3ee-4bfc-87b3-e07176865011","displayName":"Jitter average histogram","description":"Produces a histogram of average jitter per stream.","body":"ACSCallDiagnostics\r\n// Filter null values\r\n| where isnotnull(JitterAvg)\r\n// Count jitter values by 10 millisecond intervals\r\n| summarize JitterAvg_counts=count() by bin(JitterAvg, 10)\r\n| order by JitterAvg asc\r\n| render columnchart with (xcolumn = JitterAvg, title=\"JitterAvg histogram\")","tags":{"Topic":["Telemetry"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnostics"]}},{"id":"7e6f5d4c-3b2a-1d0c-9e8b-7a6f5d4c3b2a","displayName":"Jitter average histogram","description":"Produces a histogram of average jitter per stream.","body":"ACSCallDiagnosticsUpdates\r\n// Filter null values\r\n| where isnotnull(JitterAvg)\r\n// Count jitter values by 10 millisecond intervals\r\n| summarize JitterAvg_counts=count() by bin(JitterAvg, 10)\r\n| order by JitterAvg asc\r\n| render columnchart with (xcolumn = JitterAvg, title=\"JitterAvg 
histogram\")","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnosticsUpdates"]}},{"id":"f94f0759-ed97-45dd-bdc3-d856e2c93ea4","displayName":"Jitter max histogram","description":"Produces a histogram of max jitter per stream.","body":"ACSCallDiagnostics\r\n// Filter null values\r\n| where isnotnull(JitterMax)\r\n// Count jitter values by 10 millisecond intervals\r\n|summarize JitterMax_counts=count() by JitterMax\r\n| order by JitterMax asc\r\n| render columnchart with (xcolumn = JitterMax, title=\"JitterMax histogram\")","tags":{"Topic":["Telemetry"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnostics"]}},{"id":"5e6f7e8d-9c0b-1a2b-3c4d-5e6f7e8d9c0b","displayName":"Jitter max histogram","description":"Produces a histogram of max jitter per stream.","body":"ACSCallDiagnosticsUpdates\r\n// Filter null values\r\n| where isnotnull(JitterMax)\r\n// Count jitter values by 10 millisecond intervals\r\n|summarize JitterMax_counts=count() by JitterMax\r\n| order by JitterMax asc\r\n| render columnchart with (xcolumn = JitterMax, title=\"JitterMax histogram\")","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnosticsUpdates"]}},{"id":"6309ad3f-f611-4c95-a627-5ba6b1eda4d4","displayName":"Packet loss rate average histogram","description":"Produces a histogram of average packet loss rate per stream.","body":"ACSCallDiagnostics\r\n// Filter null values\r\n| where isnotnull(PacketLossRateAvg)\r\n// Count packet loss rate values within an 
inverval of 0.01 (1%)\r\n| summarize PacketLossRateAvg_counts=count() by bin(PacketLossRateAvg, 0.01)\r\n| order by PacketLossRateAvg asc\r\n| render columnchart with (xcolumn = PacketLossRateAvg, title=\"PacketLossRateAvg histogram\")","tags":{"Topic":["Telemetry"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnostics"]}},{"id":"5e6f7e6f-4d3c-9d8b-2b6d-1a2b3c4d5e6f","displayName":"Packet loss rate average histogram","description":"Produces a histogram of average packet loss rate per stream.","body":"ACSCallDiagnosticsUpdates\r\n// Filter null values\r\n| where isnotnull(PacketLossRateAvg)\r\n// Count packet loss rate values within an inverval of 0.01 (1%)\r\n| summarize PacketLossRateAvg_counts=count() by bin(PacketLossRateAvg, 0.01)\r\n| order by PacketLossRateAvg asc\r\n| render columnchart with (xcolumn = PacketLossRateAvg, title=\"PacketLossRateAvg histogram\")","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnosticsUpdates"]}},{"id":"61e410fb-0923-4837-a93b-b68b771dc7f5","displayName":"Packet loss rate max histogram","description":"Produces a histogram of max packet loss rate per stream.","body":"ACSCallDiagnostics\r\n// Filter null values\r\n| where isnotnull(PacketLossRateMax)\r\n// Count packet loss rate values within an inverval of 0.01 (1%)\r\n|summarize PacketLossRateMax_counts=count() by bin(PacketLossRateMax, 0.01)\r\n| order by PacketLossRateMax asc\r\n| render columnchart with (xcolumn = PacketLossRateMax, title=\"PacketLossRateMax 
histogram\")","tags":{"Topic":["Telemetry"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnostics"]}},{"id":"7e8d9c0b-1a2b-3c4d-5e6f-7e8d9c0b1a2b","displayName":"Packet loss rate max histogram","description":"Produces a histogram of max packet loss rate per stream.","body":"ACSCallDiagnosticsUpdates\r\n// Filter null values\r\n| where isnotnull(PacketLossRateMax)\r\n// Count packet loss rate values within an inverval of 0.01 (1%)\r\n| summarize PacketLossRateMax_counts=count() by bin(PacketLossRateMax, 0.01)\r\n| order by PacketLossRateMax asc\r\n| render columnchart with (xcolumn = PacketLossRateMax, title=\"PacketLossRateMax histogram\")","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnosticsUpdates"]}},{"id":"ff582702-6d8c-4487-bcb7-584fc3f5c223","displayName":"Round trip time average histogram","description":"Produces a histogram of average round trip time per stream.","body":"// RoundTripTime Average Histogram\r\nACSCallDiagnostics\r\n// Filter null values\r\n| where isnotnull(RoundTripTimeAvg)\r\n// Count round trip time values by 10 millisecond intervals\r\n|summarize RoundTripTimeAvg_counts=count() by bin(RoundTripTimeAvg, 10)\r\n| order by RoundTripTimeAvg asc\r\n| render columnchart with (xcolumn = RoundTripTimeAvg, title=\"RoundTripTimeAvg histogram\")","tags":{"Topic":["Telemetry"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnostics"]}},{"id":"1a2b3c4d-5e6f-7e8d-9c0b-1a2b3c4d5e6f","displayName":"Round trip time average 
histogram","description":"Produces a histogram of average round trip time per stream.","body":"// RoundTripTime Average Histogram\r\nACSCallDiagnosticsUpdates\r\n// Filter null values\r\n| where isnotnull(RoundTripTimeAvg)\r\n// Count round trip time values by 10 millisecond intervals\r\n|summarize RoundTripTimeAvg_counts=count() by bin(RoundTripTimeAvg, 10)\r\n| order by RoundTripTimeAvg asc\r\n| render columnchart with (xcolumn = RoundTripTimeAvg, title=\"RoundTripTimeAvg histogram\")","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnosticsUpdates"]}},{"id":"b77fadc5-0e2b-4d97-958a-8069988150be","displayName":"Round trip time max histogram","description":"Produces a histogram of max round trip time per stream.","body":"ACSCallDiagnostics\r\n// Filter null values\r\n| where isnotnull(RoundTripTimeMax)\r\n// Count round trip time values by 10 millisecond intervals\r\n|summarize RoundTripTimeMax_counts=count() by bin(RoundTripTimeMax, 10)\r\n| order by RoundTripTimeMax asc\r\n| render columnchart with (xcolumn = RoundTripTimeMax, title=\"RoundTripTimeMax histogram\")","tags":{"Topic":["Telemetry"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnostics"]}},{"id":"7e6f4d3c-9d8b-2b6d-1a2b-3c4d5e6f7e6f","displayName":"Round trip time max histogram","description":"Produces a histogram of max round trip time per stream.","body":"ACSCallDiagnosticsUpdates\r\n// Filter null values\r\n| where isnotnull(RoundTripTimeMax)\r\n// Count round trip time values by 10 millisecond intervals\r\n|summarize RoundTripTimeMax_counts=count() by bin(RoundTripTimeMax, 10)\r\n| order by RoundTripTimeMax asc\r\n| render columnchart with (xcolumn 
= RoundTripTimeMax, title=\"RoundTripTimeMax histogram\")","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnosticsUpdates"]}},{"id":"4a074c0d-6343-46df-b9dc-c693f1cc54c5","displayName":"Jitter quality ratio","description":"Produces a pie chart of the proportion of streams with good or poor jitter quality.","body":"ACSCallDiagnostics\r\n// Classify the jitter quality as Poor or Good based on\r\n// whether the average jitter is higher than 30 milliseconds\r\n| project JitterQuality = iff(JitterAvg > 30, \"Poor\", \"Good\")\r\n// Counts the number of streams per jitter quality\r\n| summarize count() by JitterQuality\r\n| render piechart title=\"Jitter Quality\"","tags":{"Topic":["Telemetry"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnostics"]}},{"id":"3c4d5e6f-7e6f-4d3c-9d8b-2b6d1a2b3c4d","displayName":"Jitter quality ratio","description":"Produces a pie chart of the proportion of streams with good or poor jitter quality.","body":"ACSCallDiagnosticsUpdates\r\n// Classify the jitter quality as Poor or Good based on\r\n// whether the average jitter is higher than 30 milliseconds\r\n| project JitterQuality = iff(JitterAvg > 30, \"Poor\", \"Good\")\r\n// Counts the number of streams per jitter quality\r\n| summarize count() by JitterQuality\r\n| render piechart title=\"Jitter Quality\"","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnosticsUpdates"]}},{"id":"c8bf3142-c260-4062-8a92-b7b22ba14c90","displayName":"Packet loss 
rate quality ratio","description":"Produces a pie chart of the proportion of streams with good or poor packet loss rate quality.","body":"ACSCallDiagnostics\r\n// Classify packet loss rate quality as Poor or Good based on\r\n// whether the average packet loss rate is higher than 10%\r\n| project PacketLossRateQuality = iff(PacketLossRateAvg > 0.1, \"Poor\", \"Good\")\r\n// Count the number of streams per packet loss rate quality\r\n| summarize count() by PacketLossRateQuality\r\n| render piechart title=\"Packet Loss Rate Quality\"","tags":{"Topic":["Telemetry"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnostics"]}},{"id":"4d3c9d8b-2b6d-1a2b-3c4d-5e6f7e6f4d3c","displayName":"Packet loss rate quality ratio","description":"Produces a pie chart of the proportion of streams with good or poor packet loss rate quality.","body":"ACSCallDiagnosticsUpdates\r\n// Classify packet loss rate quality as Poor or Good based on\r\n// whether the average packet loss rate is higher than 10%\r\n| project PacketLossRateQuality = iff(PacketLossRateAvg > 0.1, \"Poor\", \"Good\")\r\n// Count the number of streams per packet loss rate quality\r\n| summarize count() by PacketLossRateQuality\r\n| render piechart title=\"Packet Loss Rate Quality\"","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnosticsUpdates"]}},{"id":"c1815bd9-9000-4477-8a47-7ec598b3d482","displayName":"Round trip time quality ratio","description":"Produces a pie chart of the proportion of streams with good or poor round trip time quality.","body":"ACSCallDiagnostics\r\n// Classifying the round trip time quality as Poor or Good based on\r\n// whether the average round trip 
time is higher than 500 milliseconds\r\n| project RoundTripTimeQuality = iff(RoundTripTimeAvg > 500, \"Poor\", \"Good\")\r\n// Count the number of streams per round trip time quality\r\n| summarize count() by RoundTripTimeQuality\r\n| render piechart title=\"Round Trip Time Quality\"","tags":{"Topic":["Telemetry"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnostics"]}},{"id":"3c4d5e6f-7e8d-9c0b-1a2b-3c4d5e6f7e8d","displayName":"Round trip time quality ratio","description":"Produces a pie chart of the proportion of streams with good or poor round trip time quality.","body":"ACSCallDiagnosticsUpdates\r\n// Classifying the round trip time quality as Poor or Good based on\r\n// whether the average round trip time is higher than 500 milliseconds\r\n| project RoundTripTimeQuality = iff(RoundTripTimeAvg > 500, \"Poor\", \"Good\")\r\n// Count the number of streams per round trip time quality\r\n| summarize count() by RoundTripTimeQuality\r\n| render piechart title=\"Round Trip Time Quality\"","tags":{"Topic":["CallDiagnosticsUpdates"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallDiagnosticsUpdates"]}},{"id":"4E309B85-22D3-4D75-96FA-E507BED0DFC4","displayName":"Email failed deliveries by recipient ID","description":"List recipients and failed delivery status.","body":"ACSEmailStatusUpdateOperational\r\n| where isnotempty(RecipientId)\r\n| where DeliveryStatus != \"Delivered\"\r\n| limit 
100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSEmailStatusUpdateOperational"]}},{"id":"9E690E1D-16C2-4476-A233-ECD3D3EC3815","displayName":"Email Failed Deliveries by Message Id","description":"List message ids and failed status.","body":"ACSEmailStatusUpdateOperational\r\n| where isempty(RecipientId) \r\n| where DeliveryStatus != \"OutForDelivery\"\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSEmailStatusUpdateOperational"]}},{"id":"60802B04-BD2C-455E-B18D-ABCE28675B11","displayName":"Email Send Request Summary","description":"Summary of send mail requests.","body":"ACSEmailSendMailOperational\r\n| summarize TotalMessageCount = dcount(CorrelationId),\r\n TotalSize = sum(Size),\r\n AvgSizePerMessage = avg(Size),\r\n AvgRecipientsPerMessage = avg(UniqueRecipientsCount),\r\n AvgAttachmentsPerMessage = avg(AttachmentsCount),\r\n SizeAvg = avg(Size) ","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSEmailSendMailOperational"]}},{"id":"44E70EDA-FA17-4B40-BF7A-4CD476525EB4","displayName":"Email Bounced and Suppressed Recipients","description":"List recipients that have been dropped due to a hard bounce or suppressed due to customer managed opt-outs.","body":"ACSEmailStatusUpdateOperational\r\n| where DeliveryStatus == \"Bounced\" or DeliveryStatus == \"Suppressed\"\r\n| limit 
100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSEmailStatusUpdateOperational"]}},{"id":"e89a42f7-5318-4ca1-a0d9-2f105543a1bf","displayName":"Call Recording operations","description":"Returns all distinct combinations of call recording operation and version pairs.","body":"ACSCallRecordingIncomingOperations\r\n| distinct OperationName, OperationVersion \r\n| limit 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallRecordingIncomingOperations"]}},{"id":"7d6310c2-4c88-45c4-9e4d-9feab95f84f8","displayName":"Calculate Call Recording operation duration percentiles","description":"Calculates the 90th, 95th, and 99th percentiles of run duration in milliseconds for each call recording operation. 
It can be customized to be run for a single operation, or for other percentiles.","body":"ACSCallRecordingIncomingOperations\r\n// where OperationName == \"\" // This can be uncommented and specified to calculate only a single operation's duration percentiles\r\n| summarize percentiles(DurationMs, 90, 95, 99) by OperationName, OperationVersion // calculate 90th, 95th, and 99th percentiles of each Operation\r\n| limit 100","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallRecordingIncomingOperations"]}},{"id":"d64d18e9-1c75-4b3b-a6c9-acd67a6f55f6","displayName":"Top 5 IP addresses per Call Recording operation","description":"For every call recording operation, fetch the 5 IP addresses that have called that operation the most.","body":"ACSCallRecordingIncomingOperations\r\n// | where OperationName == \"\" // This can be uncommented and specified to calculate only a single operation's count\r\n| top-nested of OperationName by dummy=max(0), // For all the Operations...\r\n top-nested 5 of CallerIpAddress by count() // List the IP address that have called that operation the most\r\n| project-away dummy // Remove dummy line from the result set\r\n| limit 100","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallRecordingIncomingOperations"]}},{"id":"8db4823c-7f3d-4d5a-89db-5b5f5eb2a4a9","displayName":"Call Recording operational errors","description":"List every call recording error ordered by recency.","body":"ACSCallRecordingIncomingOperations\r\n| where ResultType == \"Failure\"\r\n| project TimeGenerated, OperationName, OperationVersion, ResultSignature\r\n| order by TimeGenerated desc\r\n| limit 
100","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallRecordingIncomingOperations"]}},{"id":"a4b6d7c9-8e6f-4a3b-81c3-1f9d6e7b8a2c","displayName":"Call Recording operation result counts","description":"For every call recording operation, count the types of returned results.","body":"ACSCallRecordingIncomingOperations\r\n| summarize Count = count() by OperationName, ResultType //, ResultSignature // This can also be uncommented to determine the count of each ResultSignature for each ResultType \r\n| order by OperationName asc, Count desc\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallRecordingIncomingOperations"]}},{"id":"6f935ea8-7c95-4f6b-a13a-16af03485d29","displayName":"Call Recording logs by ID","description":"Queries Call Recording logs for a particular call connection ID or correlation ID.","body":"ACSCallRecordingIncomingOperations\r\n//| where CorrelationId == \"\" // This can be uncommented to filter on a specific correlation ID\r\n//| where CallConnectionId == \"\" // This can be uncommented to filter on a specific call connection ID\r\n| project CorrelationId, CallConnectionId, OperationName, OperationVersion\r\n| limit 100","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallRecordingIncomingOperations"]}},{"id":"f06635bd-c6ed-4052-b2d9-074bc8fa9f79","displayName":"Call Recording duration histogram","description":"Produces a histogram of call recording durations in 
seconds.","body":"ACSCallRecordingSummary\r\n| distinct RecordingId, RecordingLength\r\n// Count call duration bins (60 second intervals)\r\n| summarize duration_counts=count() by bin(RecordingLength, 6000)\r\n| order by RecordingLength asc\r\n| render columnchart with (xcolumn = RecordingLength, title=\"Recording duration histogram\")","tags":{"Topic":["CallRecordingOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallRecordingSummary"]}},{"id":"b5716eb0-b7ed-4748-9c3f-ace527fc382a","displayName":"Call Recording duration percentiles","description":"Calculates the average call recording duration in seconds, as well as the 50%, 90%, and 99% call duration percentiles.","body":"ACSCallRecordingSummary\r\n// Get the distinct combinations of RecordingId, RecordingLength\r\n| distinct RecordingId, RecordingLength\r\n// Calculate average and percentiles (50%, 90%, and 99%) of call durations (in seconds)\r\n| summarize avg(RecordingLength), percentiles(RecordingLength, 50, 90, 99)","tags":{"Topic":["CallRecordingOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallRecordingSummary"]}},{"id":"9aeac264-1f94-4b63-a1e7-afff335dadde","displayName":"Call Recording's end reason ratio","description":"Produces a pie chart of the proportion of call recordings by end reason.","body":"ACSCallRecordingSummary\r\n// Count distinct calls (dcount(CorrelationId)) per call type\r\n| summarize call_types=dcount(RecordingId) by RecordingEndReason\r\n| render piechart title=\"Recording End Reason 
Ratio\"","tags":{"Topic":["CallRecordingOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallRecordingSummary"]}},{"id":"0462291d-ba25-4268-8440-6135184e6f7b","displayName":"Daily Call Recordings","description":"Produces a histogram of recordings made per day; uncomment the time filter in the query to restrict it to the last week.","body":"ACSCallRecordingSummary\r\n// To filter out recordings made over a week ago, uncomment the next line\r\n// | where TimeGenerated > ago(7d)\r\n// Get the distinct combinations of RecordingId and CallStartTime\r\n| distinct RecordingId, TimeGenerated\r\n// Adds a new column with the call start day\r\n| extend day = floor(TimeGenerated, 1d)\r\n// Count the number of calls per day\r\n| summarize event_count=count() by day\r\n| sort by day asc\r\n| render columnchart title=\"Number of recordings per day\"","tags":{"Topic":["CallRecordingOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallRecordingSummary"]}},{"id":"42d970fa-0354-4325-b9c2-bc47f7cbd46b","displayName":"Hourly Call Recordings","description":"Produces a histogram of recordings made per hour in the last day.","body":" ACSCallRecordingSummary\r\n // To filter out recordings made over a day ago, uncomment the next line\r\n | where TimeGenerated > ago(1d)\r\n // Get the distinct combinations of RecordingId and TimeGenerated\r\n | distinct RecordingId, TimeGenerated\r\n // Adds a new column with the call start hour\r\n | extend hour = floor(TimeGenerated, 1h)\r\n // Count the number of calls per hour\r\n | summarize event_count=count() by hour\r\n | sort by hour asc\r\n | render columnchart title=\"Number of recordings per hour in last 
day\"","tags":{"Topic":["CallRecordingOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallRecordingSummary"]}},{"id":"421c4968-ba9a-41fb-8f3e-0b43837e5b79","displayName":"Call Recording's mode ratio","description":"Produces a pie chart of the proportion of recording modes (content/format types).","body":"ACSCallRecordingSummary\r\n| summarize count() by ContentType, FormatType\r\n| extend ContentFormat = strcat(ContentType, \"/\", FormatType)\r\n| project ContentFormat, count_\r\n| render piechart title=\"Recording by mode (content/format types)\"","tags":{"Topic":["CallRecordingOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallRecordingSummary"]}},{"id":"894a51a8-1e91-4ac1-b7d8-156894eb06c2","displayName":"Job Router operations","description":"Returns all distinct combinations of job router operation and version pairs.","body":"ACSJobRouterIncomingOperations\r\n| distinct OperationName, OperationVersion \r\n| limit 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSJobRouterIncomingOperations"]}},{"id":"7fb10cd3-ed0f-4a4b-a00c-a039d3e6ccbc","displayName":"Calculate Job Router operation duration percentiles","description":"Calculates the 90th, 95th, and 99th percentiles of run duration in milliseconds for each job router operation. 
It can be customized to be run for a single operation, or for other percentiles.","body":"ACSJobRouterIncomingOperations\r\n// where OperationName == \"\" // This can be uncommented and specified to calculate only a single operation's duration percentiles\r\n| summarize percentiles(DurationMs, 90, 95, 99) by OperationName, OperationVersion // calculate 90th, 95th, and 99th percentiles of each Operation\r\n| limit 100\r\n","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSJobRouterIncomingOperations"]}},{"id":"a634f34d-b0b7-4e06-9f63-9323011e23ea","displayName":"Top 5 IP addresses per Job Router operation","description":"For every job router operation, fetch the 5 IP addresses that have called that operation the most.","body":"ACSJobRouterIncomingOperations\r\n// | where OperationName == \"\" // This can be uncommented and specified to calculate only a single operation's count\r\n| top-nested of OperationName by dummy=max(0), // For all the Operations...\r\n top-nested 5 of CallerIpAddress by count() // List the IP address that have called that operation the most\r\n| project-away dummy // Remove dummy line from the result set\r\n| limit 100","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSJobRouterIncomingOperations"]}},{"id":"6d965ac8-a8c6-4831-80d3-5c51275100d5","displayName":"Job Router operational errors","description":"List every job router error ordered by recency.","body":"ACSJobRouterIncomingOperations\r\n| where ResultType == \"Failed\"\r\n| project TimeGenerated, OperationName, OperationVersion, ResultSignature, ResultDescription\r\n| order by TimeGenerated desc\r\n| limit 
100","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSJobRouterIncomingOperations"]}},{"id":"6f1bc254-caa7-4598-a714-d3ec267e2eee","displayName":"Job Router operation result counts","description":"For every job router operation, count the types of returned results.","body":"ACSJobRouterIncomingOperations\r\n| summarize Count = count() by OperationName, OperationVersion, ResultType, SdkType, EntityType //, ResultSignature // This can also be uncommented to determine the count of each ResultSignature for each ResultType \r\n| order by OperationName asc, Count desc\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSJobRouterIncomingOperations"]}},{"id":"61a39dfb-f069-4639-a650-ef6c292cfc7b","displayName":"Rooms operational errors","description":"List rooms error ordered by recency.","body":"ACSRoomsIncomingOperations\r\n| where ResultType == \"Failed\"\r\n| project TimeGenerated, OperationName, OperationVersion, ResultSignature\r\n| order by TimeGenerated desc\r\n| limit 100","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSRoomsIncomingOperations"]}},{"id":"25852cd3-2216-49ad-a492-6778b4854c5c","displayName":"Rooms operation result counts","description":"For every rooms operation, count the types of returned results.","body":"ACSRoomsIncomingOperations\r\n| summarize Count = count() by OperationName, OperationVersion, ResultType, ResultSignature\r\n| order by OperationName asc, Count 
desc","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSRoomsIncomingOperations"]}},{"id":"b061d0cf-21c1-4b76-b890-caf0dd3ce71e","displayName":"Rooms operation summary","description":"The average statistics of room properties such as participants count for operation version 2024-04-15.","body":"ACSRoomsIncomingOperations\r\n// where OperationName == \"\" // This can be uncommented and specified to calculate only a single operation's duration percentiles\r\n| where OperationVersion == \"2024-04-15\" \r\n| summarize TotalRoomCount = dcount(RoomId),\r\n AvgAddedParticipantsCount = avg(AddedRoomParticipantsCount),\r\n AvgRemovedParticipantsCount = avg(RemovedRoomParticipantsCount),\r\n AvgUpsertedParticipantsCount = avg(UpsertedRoomParticipantsCount),\r\n AvgRoomLifespan = avg(RoomLifespan),\r\n SumPstnDialoutEnabled=countif(PstnDialOutEnabled==1)","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSRoomsIncomingOperations"]}},{"id":"7f3d1936-3775-429b-bfd7-dc9b2ba60c64","displayName":"Call Automation operations","description":"Returns all distinct combinations of call automation operation and version pairs.","body":"ACSCallAutomationIncomingOperations\r\n| distinct OperationName, OperationVersion \r\n| limit 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationIncomingOperations"]}},{"id":"40461cde-9c28-4bb0-a227-f6a1a7467541","displayName":"Calculate Call Automation operation duration percentiles","description":"Calculates the 90th, 
95th, and 99th percentiles of run duration in milliseconds for each call automation operation. It can be customized to be run for a single operation, or for other percentiles.","body":"ACSCallAutomationIncomingOperations\r\n// where OperationName == \"\" // This can be uncommented and specified to calculate only a single operation's duration percentiles\r\n| summarize percentiles(DurationMs, 90, 95, 99) by OperationName, OperationVersion // calculate 90th, 95th, and 99th percentiles of each Operation\r\n| limit 100","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationIncomingOperations"]}},{"id":"b42ac607-c76d-438a-b76a-33acb4e54138","displayName":"Top 5 IP addresses per Call Automation operation","description":"For every call automation operation, fetch the 5 IP addresses that have called that operation the most.","body":"ACSCallAutomationIncomingOperations\r\n// | where OperationName == \"\" // This can be uncommented and specified to calculate only a single operation's count\r\n| top-nested of OperationName by dummy=max(0), // For all the Operations...\r\n top-nested 5 of CallerIpAddress by count() // List the IP address that have called that operation the most\r\n| project-away dummy // Remove dummy line from the result set\r\n| limit 100","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationIncomingOperations"]}},{"id":"b67c8c54-3f67-47b2-b452-16fb84ed417c","displayName":"Call Automation operational errors","description":"List every call automation error ordered by recency.","body":"ACSCallAutomationIncomingOperations\r\n| where ResultType == \"Failed\"\r\n| project TimeGenerated, 
OperationName, OperationVersion, ResultSignature\r\n| order by TimeGenerated desc\r\n| limit 100","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationIncomingOperations"]}},{"id":"9e8fe6f0-8c27-4177-aa41-e49f1e7450be","displayName":"Call Automation operation result counts","description":"For every call automation operation, count the types of returned results.","body":"ACSCallAutomationIncomingOperations\r\n| summarize Count = count() by OperationName, ResultType //, ResultSignature // This can also be uncommented to determine the count of each ResultSignature for each ResultType \r\n| order by OperationName asc, Count desc\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationIncomingOperations"]}},{"id":"78bcf04a-0b38-4996-9f4e-7372e9c2d020","displayName":"Call Automation logs for call connection ID","description":"Queries Call Automation logs for a particular call connection ID.","body":"ACSCallAutomationIncomingOperations\r\n//| where CallConnectionId == \"\" // This can be uncommented to filter on a specific call connection ID\r\n| limit 100\r\n","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationIncomingOperations"]}},{"id":"98d0fd24-6a32-435f-96ac-2581938a8416","displayName":"Call Automation API operations on a call","description":"Returns all Call Automation API operation and version pairs for a specific call (correlation ID).","body":"ACSCallAutomationIncomingOperations\r\n//| where 
CorrelationId == \"\" // This can be uncommented to filter on a specific correlation ID\r\n| project CorrelationId, OperationName, OperationVersion\r\n| limit 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationIncomingOperations"]}},{"id":"440010c7-039e-4ef3-9e9e-edd4d3771257","displayName":"CallDiagnostics log for CallAutomation API call","description":"Queries the diagnostics log for a call which was interacted with by Call Automation API using correlation ID.","body":"ACSCallAutomationIncomingOperations \r\n//| where CorrelationId == \"\" // This can be uncommented to filter on a specific correlation ID\r\n| join kind=inner\r\n (ACSCallDiagnostics)\r\n on CorrelationId\r\n| limit 100\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationIncomingOperations","ACSCallDiagnostics"]}},{"id":"7a167d23-5ea5-481e-bbb6-fd19699af0ba","displayName":"CallSummary log for CallAutomation API call","description":"Queries the summary log for a call which was interacted with by Call Automation API using correlation ID.","body":"ACSCallAutomationIncomingOperations \r\n//| where CorrelationId == \"\" // This can be uncommented to filter on a specific correlation ID\r\n| join kind=inner\r\n (ACSCallSummary)\r\n on CorrelationId\r\n| limit 100\r\n","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationIncomingOperations","ACSCallSummary"]}},{"id":"b91f0d9c-d737-426a-8f82-ae437dd9f96a","displayName":"Overall call 
rating","description":"Query the call survey data and show the overall call rating pie chart.","body":"ACSCallSurvey\r\n//Uncomment the conditions below if you use different rating scale for the same category, which is uncommon. \r\n//| where isempty(OverallRatingScoreLowerBound) or OverallRatingScoreLowerBound >= 1\r\n//| where isempty(OverallRatingScoreUpperBound) or OverallRatingScoreUpperBound = 1\r\n//| where isempty(AudioRatingScoreUpperBound) or AudioRatingScoreUpperBound = 1\r\n//| where isempty(VideoRatingScoreUpperBound) or VideoRatingScoreUpperBound = 1\r\n//| where isempty(ScreenshareRatingScoreUpperBound) or ScreenshareRatingScoreUpperBound = todatetime(queryConditions_startTime)\r\n | extend CallEndTime = CallStartTime + totimespan(strcat(tostring(CallDuration), 's'))\r\n | where isempty(queryConditions_endTime) or CallEndTime = todatetime(queryConditions_startTime)\r\n | where isempty(queryConditions_endTime) or CallClientTimeStamp 30, \"Poor\", \"Good\"),\r\n__JitterBufferQuality = iff(JitterBufferSizeAvg > 200, \"Poor\", \"Good\"),\r\n__PacketLossRateQuality = iff(PacketLossRateAvg > 0.1, \"Poor\", \"Good\"),\r\n__RoundTripTimeQuality = iff(RoundTripTimeAvg > 500, \"Poor\", \"Good\"),\r\n__HealedDataRatioQuality = iff(HealedDataRatioAvg > 0.1, \"Poor\", \"Good\"),\r\n__VideoFrameRateQuality = iff((VideoFrameRateAvg 25000 and MediaType == 'ScreenSharing') or \r\n(RecvFreezeDurationPerMinuteInMs > 6000 and MediaType == 'Video'), \"Poor\", \"Good\"),\r\n__VideoResolutionHeightQuality = iff((RecvResolutionHeight 0, 'Poor', 'Good') | project Quality, numOfPoorStreams, CorrelationId);\r\n// rating\r\nlet ratingInfo = materialize(ACSCallSurvey\r\n| where CallId in (relatedCalls)\r\n| extend OverallRatingScoreUpperBound = iff(isnotempty(OverallRatingScoreUpperBound), OverallRatingScoreUpperBound, 5)\r\n| summarize hint.strategy = shuffle Rating = avg(OverallRatingScore*5.0/OverallRatingScoreUpperBound) by CallId\r\n| project CorrelationId=CallId, 
Rating);\r\n// client operation issues\r\nlet rangeEventsWithCorrelation = dynamic(['UserFacingDiagnostics']);\r\nlet pointEvents = dynamic([\r\n'SelectedMicrophoneChanged', 'SelectedSpeakerChanged', 'OptimalVideoCount-changed', 'State-changed', 'CallMode-changed',\r\n'IsMuted-changed', 'IsIncomingAudioMuted-changed', 'Id-changed', 'Role-changed', 'SelectedDevice-changed', 'PageHidden',\r\n'OptimalVideoCountChanged', 'StateChanged', 'IsMutedChanged', 'IsIncomingAudioMutedChanged', 'SelectedDeviceChanged']);\r\n// We need clientIds to get all operations before call is established.\r\nlet callClientIds = materialize(ACSCallClientOperations\r\n| where OperationName !in ('CallModeChanged', 'IdChanged', 'RoleChanged')\r\n| where CallClientTimeStamp between (searchTimeLowerBound..searchTimeUpperBound)\r\n| where ParticipantId in (relatedParticipants) or CallId in (relatedCalls)\r\n| distinct ClientInstanceId, ParticipantId, CallId);\r\n//\r\nlet allOperations =\r\nmaterialize(callClientIds | join kind=rightouter hint.strategy=shuffle\r\n(ACSCallClientOperations\r\n| where OperationName !in ('CallModeChanged', 'IdChanged', 'RoleChanged')\r\n| where CallClientTimeStamp between (searchTimeLowerBound..searchTimeUpperBound)\r\n| where ParticipantId in (relatedParticipants) or CallId in (relatedCalls) or (isempty(CallId) and isempty(ParticipantId) and ClientInstanceId in ((callClientIds | distinct ClientInstanceId))) \r\n| where isnotempty(OperationName) and OperationName != 'CallClientOperations'\r\nand isnotempty(OperationId) and isnotempty(CallClientTimeStamp))\r\non ClientInstanceId\r\n| extend ParticipantId = coalesce(ParticipantId1, ParticipantId), CallId = coalesce(CallId1, CallId)\r\n| project-away ParticipantId1, ClientInstanceId1, CallId1\r\n| summarize hint.strategy = shuffle arg_max(TimeGenerated, *) by OperationId, OperationName, CallClientTimeStamp);\r\n//\r\nlet correlatedOperations = materialize(allOperations\r\n| where OperationName in 
(rangeEventsWithCorrelation)\r\n| extend OperationPayload = todynamic(OperationPayload)\r\n| extend \r\nUFDQuality = coalesce(tostring(OperationPayload.DiagnosticQuality), tostring(OperationPayload.diagnosticQuality)),\r\nUFDType = coalesce(tostring(OperationPayload.DiagnosticChanged), tostring(OperationPayload.diagnosticChanged))\r\n| extend UFDType = strcat(toupper(substring(UFDType, 0, 1)), substring(UFDType, 1))\r\n| extend OperationPayloadNew = bag_pack(tostring(CallClientTimeStamp), OperationPayload)\r\n| project-away ResultType\r\n| summarize hint.strategy = shuffle\r\narg_max(TimeGenerated, *), ResultType = iff(countif(UFDQuality != 'Good')>0, 'Failed', 'Succeeded'), \r\nOperationStartTime = min(CallClientTimeStamp), OperationEndTime = max(CallClientTimeStamp),\r\nOperationPayloadPacked = make_bag(OperationPayloadNew) by OperationId, UFDType, CallId\r\n| extend ResultType = iff(UFDType has_any (\"SpeakingWhileMicrophoneIsMuted\", \"SpeakerMuted\"), 'Succeeded', ResultType), OperationName = UFDType\r\n| where ResultType !in ('Succeeded', 'Success', 'ExpectedError'));\r\n//\r\nlet nonCorrelatedOperations = materialize(allOperations\r\n| where OperationName !in (rangeEventsWithCorrelation)\r\n| extend OperationId = coalesce(hash_sha256(strcat(OperationId, tostring(CallClientTimeStamp), OperationName)), tostring(new_guid()))\r\n| summarize hint.strategy = shuffle arg_max(TimeGenerated, *) by OperationId, CallId\r\n| where ResultType !in ('Succeeded', 'Success', 'ExpectedError'));\r\nlet clientOperationIssues = \r\nmaterialize(union nonCorrelatedOperations, correlatedOperations\r\n| summarize hint.strategy = shuffle numOfBadOperations=count() by OperationName, CallId\r\n| extend badClientOperations = bag_pack(OperationName, numOfBadOperations)\r\n| summarize hint.strategy = shuffle badClientOperations = make_bag(badClientOperations), numOfBadOperations = sum(numOfBadOperations) by CorrelationId=CallId);\r\n////\r\nsearchedCalls \r\n| join kind=leftouter 
hint.strategy=shuffle clientTypeInfo on CorrelationId\r\n| join kind=leftouter hint.strategy=shuffle ParticipantTypeInfo on CorrelationId\r\n| join kind=leftouter hint.strategy=shuffle OsInfo on CorrelationId\r\n| join kind=leftouter hint.strategy=shuffle SdkInfo on CorrelationId\r\n| join kind=leftouter hint.strategy=shuffle qualityInfo on CorrelationId\r\n| join kind=leftouter hint.strategy=shuffle ratingInfo on CorrelationId\r\n| join kind=leftouter hint.strategy=shuffle clientOperationIssues on CorrelationId\r\n| join kind=leftouter hint.strategy=shuffle totalNumOfParticipants on CorrelationId\r\n| extend numOfPoorStreams = coalesce(numOfPoorStreams, 0)\r\n| extend\r\ndrops=bag_pack('Call Ended Ungracefully', numOfDroppedParticipant),\r\nbadMediaStreams = bag_pack('Poor Media Streams', numOfPoorStreams),\r\nIssues = coalesce(numOfBadOperations, 0) + numOfDroppedParticipant + numOfPoorStreams\r\n| extend\r\nIssuesBreakdown=bag_merge(drops, badClientOperations, badMediaStreams)\r\n| project \r\nCallId=CorrelationId, \r\nCallStartTime, \r\nCallEndTime, \r\nCallType, \r\nParticipantType, \r\nSdkVersion, \r\nOsVersion,\r\nParticipants=participantsCount, \r\nClientType, \r\nQuality=iff(badClientOperations contains 'Network', 'Poor', iff(isempty(Quality), 'Unknown', Quality)), \r\nRating=case(isempty(Rating), 'Unknown', Rating>=4.5, 'Good', Rating >=3, 'Average', 'Poor'),\r\nNumOfDroppedParticipant = numOfDroppedParticipant,\r\nNumOfPoorStreams = numOfPoorStreams,\r\nIssues,\r\nIssuesBreakdown\r\n| order by CallStartTime desc\r\n| where CallStartTime >= ago(7days)","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallClientOperations","ACSCallSummary","ACSCallDiagnostics","ACSCallSurvey"]}},{"id":"e23137ab2-1ba3-2526-a3eb-14bd1bc1gb31","displayName":"Search all user facing diagnostics in a 
call","description":"Find all user facing diagnostics for all participants in a call by callId.","body":"// Replace queryConditions_callId with the callId you want to investigate.\r\ndeclare query_parameters(queryConditions_callId:string = 'replace-with-your-callId');\r\nACSCallClientOperations\r\n| where CallId == queryConditions_callId\r\n| where OperationName == 'UserFacingDiagnostics'\r\n| extend\r\n UFDQuality = tostring(OperationPayload.DiagnosticQuality),\r\n UFDType = tostring(OperationPayload.DiagnosticChanged)\r\n| extend UFDType = strcat(toupper(substring(UFDType, 0, 1)),substring(UFDType, 1))\r\n| project CallId, ParticipantId, CallClientTimeStamp, UFDType, UFDQuality, OperationId\r\n| order by OperationId, CallClientTimeStamp","tags":{"Topic":["CallClientOperations"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallClientOperations"]}},{"id":"b13345ab2-5ea1-3436-a5eb-24ad2bc4gb31","displayName":"Search all participants in a call","description":"Find all participants in a call by callId, and return the details of the participants.This query is also used in Call Diagnostics to search for participants.","body":"// Set queryConditions_callId to be the CallId you want to query.\r\n// Note this query is used in Call Diagnostics to get all the participant entities of a call.\r\ndeclare query_parameters(queryConditions_callId:string = 'replace-with-your-callId');\r\n // Temporary subcodes mapping table used in CDC ingestion query\r\nlet SubCodesMapping = datatable(\r\n message: string,\r\n webConfig_overrideMessage: string,\r\n webConfig_legacyMessage: string,\r\n nativeConfig_overrideMessage: string,\r\n code: real,\r\n subCode: real,\r\n resultCategories: string,\r\n clientOrService: string\r\n) [\r\n// Copy paste the data from above script here\r\n\"Failed to initialize CallClient. 
Please try again, if issue persists, gather browser console logs, and contact Azure Communication Services support.\",\"\",\"Failed to initialize CallClient\",\"\",\"500\",\"40000\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create CallAgent. Please try again, if issue persists, gather browser console logs, and contact Azure Communication Services support.\",\"\",\"Failed to create CallAgent\",\"\",\"409\",\"40001\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create TeamsCallAgent. Please try again, if issue persists, gather browser console logs, and contact Azure Communication Services support.\",\"\",\"Failed to create TeamsCallAgent\",\"\",\"409\",\"40002\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create a URL object with the ICE server URL provided.\",\"\",\"Error processing relay information. Possibly invalid url: {0}\",\"\",\"400\",\"40003\",\"ExpectedError\",\"client\",\r\n\"The ICE server url must contain 'turn', 'turns', or 'stun'.\",\"\",\"Error processing relay information. Unrecognized schema\",\"\",\"400\",\"40004\",\"ExpectedError\",\"client\",\r\n\"Failed setup proxy, the url is too short\",\"\",\"\",\"\",\"400\",\"40005\",\"ExpectedError\",\"client\",\r\n\"Failed setup proxy, the protocol is not https or http\",\"\",\"\",\"\",\"400\",\"40006\",\"ExpectedError\",\"client\",\r\n\"Failed to create a URL object with the proxy URL provided.\",\"\",\"Setup failed. 
Proxy url is invalid: {0}\",\"\",\"400\",\"40007\",\"ExpectedError\",\"client\",\r\n\"CallClient instance can support only one CallAgent or TeamsCallAgent create new CallClient instance to create new CallAgent or TeamsCallAgent\",\"\",\"\",\"\",\"400\",\"40008\",\"ExpectedError\",\"client\",\r\n\"EmergencyCountryCode is invalid, max length is 10\",\"\",\"\",\"\",\"400\",\"40009\",\"ExpectedError\",\"client\",\r\n\"ACS Web Calling SDK must be used through https, file:, or localhost\",\"\",\"\",\"\",\"400\",\"40100\",\"ExpectedError\",\"client\",\r\n\"Failed to create CallAgent, timeout during initialization of the calling base stack. Please try again, if issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Failed to create stack base due to timeout during initialization\",\"\",\"408\",\"40101\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create CallAgent, failure during initialization of the calling base stack. Please try again, if issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Failed to create stack base due to failure in intialization\",\"\",\"500\",\"40102\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create CallAgent, failure to initialize calling user stack because calling base stack failed to create. Please try again, if issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Base stack failed to create\",\"\",\"500\",\"40103\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create CallAgent, timeout during initialization of the calling user stack. 
Please try again, if issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"User stack init timeout\",\"\",\"408\",\"40104\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create CallAgent, failure during initialization of the calling user stack. Please try again, if issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"User stack init failed\",\"\",\"500\",\"40105\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to set configurations for the calling stack. Please try again, if issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Unable to parse configuration\",\"\",\"500\",\"40106\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to set user configurations for calling stack. Please try again, if issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Failed to set configuration for stack\",\"\",\"500\",\"40107\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to get device manager due to internal call stack undefined. Please try again, if issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Failed to get device manager due to internal call stack undefined\",\"\",\"500\",\"40108\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to set configuration parameters for the calling stack. Please try again, if issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Failed to initialize callclient\",\"\",\"500\",\"40109\",\"UnexpectedClientError\",\"client\",\r\n\"Fetched undefined configurations for the calling stack. 
Please try again, if issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Found undefined configs in ECS response: {0}\",\"\",\"500\",\"40110\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to connect to Azure Communication Services infrastructure. Please try again and check the browser's network requests. If the requests keep failing, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Failed to create trouter service\",\"\",\"500\",\"40111\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to initialize connection to Azure Communication Services infrastructure. Please try again and check the browser's network requests. If the requests keep failing, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Signaling init failed\",\"\",\"500\",\"40112\",\"UnexpectedClientError\",\"client\",\r\n\"Already connected to Azure Communication Services infrastructure. Please try again, if issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Signaling service already initialized\",\"\",\"500\",\"40113\",\"ExpectedError\",\"client\",\r\n\"Failed to connect to Azure Communication Services infrastructure, timeout during initialization. Please try again and check the browser's network requests. If the requests keep failing, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Signaling init timeout, request took longer than {0} ms\",\"\",\"408\",\"40114\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create CallAgent, unable to initialize connection to Azure Communication Services infrastructure. Please try again and check the browser's network requests. 
If the requests keep failing, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Signaling failed to initialize.\",\"\",\"412\",\"40115\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create CallAgent, media failure during initialization of the calling user stack. Please try again, if issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"\",\"\",\"500\",\"40116\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create CallAgent, signaling failure during initialization of the calling user stack. Please try again, if issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"\",\"\",\"500\",\"40117\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create CallAgent, internal stack failure during initialization of the calling user stack. Please try again, if issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"\",\"\",\"500\",\"40118\",\"UnexpectedClientError\",\"client\",\r\n\"Using proxy or custom TURN for calls involving Teams is disabled\",\"\",\"\",\"\",\"403\",\"40200\",\"ExpectedError\",\"client\",\r\n\"Failed to parse AccessToken\",\"\",\"\",\"\",\"500\",\"40201\",\"UnexpectedClientError\",\"client\",\r\n\"Call to yourself is not supported.\",\"\",\"\",\"\",\"400\",\"40202\",\"ExpectedError\",\"client\",\r\n\"Call Agent is already disposed\",\"\",\"\",\"\",\"409\",\"40203\",\"ExpectedError\",\"client\",\r\n\"Teams Call Agent is already disposed\",\"\",\"\",\"\",\"409\",\"40204\",\"ExpectedError\",\"client\",\r\n\"Not able to subscribe to CallAgent event, unknown event name.\",\"\",\"Not able to subscribe to event {0}, unknown event name\",\"\",\"422\",\"40205\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from CallAgent event, unknown event name.\",\"\",\"Not able to unsubscribe event {0}, unknown event 
name\",\"\",\"422\",\"40206\",\"ExpectedError\",\"client\",\r\n\"Device type must be msft-acs-mesh-deviceType-v2 to join immersive call\",\"\",\"\",\"\",\"400\",\"40207\",\"ExpectedError\",\"client\",\r\n\"Failed to start or join call, call stack did not initialize\",\"\",\"\",\"\",\"500\",\"40208\",\"UnexpectedClientError\",\"client\",\r\n\"Invalid join locator specified.\",\"\",\"Invalid call configuration\",\"\",\"400\",\"40209\",\"ExpectedError\",\"client\",\r\n\"The provided Teams meeting link is invalid.\",\"\",\"Invalid meeting link\",\"\",\"400\",\"40210\",\"ExpectedError\",\"client\",\r\n\"The provided Teams For Life meeting link is invalid.\",\"\",\"Invalid TFL meeting link\",\"\",\"400\",\"40211\",\"ExpectedError\",\"client\",\r\n\"Starting a group call must include thread ID in StartTeamsGroupCallOptions.\",\"\",\"\",\"\",\"400\",\"40212\",\"ExpectedError\",\"client\",\r\n\"Starting a one to one with thread ID is invalid.\",\"\",\"\",\"\",\"400\",\"40213\",\"ExpectedError\",\"client\",\r\n\"Display name is not allowed to be set for Teams users.\",\"\",\"\",\"\",\"400\",\"40214\",\"ExpectedError\",\"client\",\r\n\"Display name is too long.\",\"\",\"\",\"\",\"400\",\"40215\",\"ExpectedError\",\"client\",\r\n\"Failed to create CallAgent. Please try again, if issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"\",\"\",\"500\",\"40216\",\"UnexpectedClientError\",\"client\",\r\n\"Attempted to get AccessToken before initialization\",\"\",\"\",\"\",\"422\",\"40217\",\"UnexpectedClientError\",\"client\",\r\n\"Invalid push notification data provided. No 'incomingCallContext' key found in the PushNotificatitonData.\",\"\",\"Invalid push notification data provided\",\"\",\"400\",\"40218\",\"ExpectedError\",\"client\",\r\n\"Failed to handle push notification\",\"\",\"\",\"\",\"500\",\"40219\",\"UnexpectedClientError\",\"client\",\r\n\"Incoming Call push notification payload provided has too many keys. 
Only 'incomingCallContext' key is expected in the PushNotificatitonData.\",\"\",\"Invalid Incoming Call push notification payload provided\",\"\",\"400\",\"40220\",\"ExpectedError\",\"client\",\r\n\"Invalid push notification data provided. No 'incomingCallContext' key found in the PushNotificatitonData.\",\"\",\"No 'incomingCallContext' provided in event payload\",\"\",\"400\",\"40221\",\"ExpectedError\",\"client\",\r\n\"The decoded 'incomingCallContext' data is invalid.\",\"\",\"Invalid Incoming Call push notification payload data provided\",\"\",\"400\",\"40222\",\"ExpectedError\",\"client\",\r\n\"Incoming Call is already being processed\",\"\",\"\",\"\",\"400\",\"40223\",\"ExpectedError\",\"client\",\r\n\"Failed to handle Incoming Call push notification\",\"\",\"\",\"\",\"500\",\"40224\",\"UnexpectedClientError\",\"client\",\r\n\"Missed call\",\"\",\"\",\"\",\"400\",\"40225\",\"ExpectedError\",\"client\",\r\n\"AssertIsObject failed. : userIds must be object\",\"\",\"\",\"\",\"400\",\"40226\",\"ExpectedError\",\"client\",\r\n\"AssertNotNull failed. : userIds cannot be null\",\"\",\"\",\"\",\"400\",\"40227\",\"ExpectedError\",\"client\",\r\n\"Failed to create CallAgent, an instance of CallAgent associated with this identity already exists. Please dispose the existing CallAgent, or create a new one with a different identity.\",\"\",\"Failed to create call agent, call agent for this ACS Id already exists\",\"\",\"409\",\"40228\",\"ExpectedError\",\"client\",\r\n\"CallAgent must be created only with ACS token\",\"\",\"\",\"\",\"403\",\"40229\",\"ExpectedError\",\"client\",\r\n\"Failed to create TeamsCallAgent, an instance of TeamsCallAgent associated with this identity already exists. 
Please dispose the existing TeamsCallAgent before creating a new one.\",\"\",\"Failed to create call agent, call agent for this ACS Id already exists\",\"\",\"409\",\"40230\",\"ExpectedError\",\"client\",\r\n\"TeamsCallAgent must be created only with Teams token\",\"\",\"\",\"\",\"403\",\"40231\",\"ExpectedError\",\"client\",\r\n\"Failed to get token\",\"\",\"\",\"\",\"409\",\"40232\",\"UnexpectedClientError\",\"client\",\r\n\"Refreshed AccessToken User Id doesnt match initial User Id.\",\"\",\"\",\"\",\"400\",\"40233\",\"ExpectedError\",\"client\",\r\n\"Access token is expired and failed to fetch a valid one after retries.\",\"\",\"\",\"\",\"400\",\"40234\",\"ExpectedError\",\"client\",\r\n\"AccessToken expired\",\"\",\"\",\"\",\"401\",\"40235\",\"ExpectedError\",\"client\",\r\n\"Action not allowed.\",\"\",\"\",\"\",\"403\",\"40236\",\"ExpectedError\",\"client\",\r\n\"Failed to hangup call.\",\"\",\"\",\"\",\"500\",\"40237\",\"UnexpectedServerError\",\"client\",\r\n\"Joining a Teams for life meeting is not supported\",\"\",\"\",\"\",\"400\",\"40238\",\"ExpectedError\",\"client\",\r\n\"Failed to get raw device stream track\",\"\",\"\",\"\",\"500\",\"40600\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to get raw device stream track, make sure there is available device\",\"\",\"\",\"\",\"412\",\"40601\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to get device manager.\",\"\",\"\",\"\",\"500\",\"40602\",\"UnexpectedClientError\",\"client\",\r\n\"Not able to subscribe to DeviceManager event, unknown event name.\",\"\",\"Not able to subscribe to event {0}, unknown event name\",\"\",\"422\",\"40603\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from DeviceManager event, unknown event name.\",\"\",\"Not able to unsubscribe event {0}, unknown event name\",\"\",\"422\",\"40604\",\"ExpectedError\",\"client\",\r\n\"Unable to access device manager\",\"\",\"\",\"\",\"500\",\"40605\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to enumerate 
speakers, it is not supported to enumerate/select speakers on Android Chrome, iOS Safari, nor MacOS Safari.\",\"\",\"This device does not support speaker enumeration.\",\"\",\"405\",\"40606\",\"ExpectedError\",\"client\",\r\n\"Microphone selection timed out.\",\"\",\"\",\"\",\"408\",\"40607\",\"UnexpectedClientError\",\"client\",\r\n\"There was an issue with selecting the microphone\",\"\",\"\",\"\",\"500\",\"40608\",\"UnexpectedClientError\",\"client\",\r\n\"Speaker selection timed out.\",\"\",\"\",\"\",\"408\",\"40609\",\"UnexpectedClientError\",\"client\",\r\n\"There was an issue with selecting the speaker\",\"\",\"\",\"\",\"500\",\"40610\",\"UnexpectedClientError\",\"client\",\r\n\"This device does not support speaker selection.\",\"\",\"\",\"\",\"405\",\"40611\",\"ExpectedError\",\"client\",\r\n\"At least one permission must be requested\",\"\",\"\",\"\",\"400\",\"40612\",\"ExpectedError\",\"client\",\r\n\"Failed to obtain permission to use microphone and/or camera, it was denied or it failed. Please ensure to allow the permissions in the browser's setttings and in the OS setttings.\",\"\",\"Permissions not granted or failed: {0}\",\"\",\"400\",\"40613\",\"ExpectedError\",\"client\",\r\n\"Failed to ask for device permissions Please ensure to allow the permissions in the browser's setttings and in the OS setttings and try again. If issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Failed to get audio video permissions\",\"\",\"500\",\"40614\",\"UnexpectedClientError\",\"client\",\r\n\"Invalid AudioDeviceInfo object passed in. 
Ensure it has an Id.\",\"\",\"The device argument is invalid\",\"\",\"400\",\"40615\",\"ExpectedError\",\"client\",\r\n\"The device is not selectable\",\"\",\"\",\"\",\"400\",\"40616\",\"ExpectedError\",\"client\",\r\n\"Attempted invalid operation during Emergency Call.\",\"\",\"{0} operation is not allowed during Emergency Call\",\"\",\"500\",\"41000\",\"ExpectedError\",\"client\",\r\n\"{0} failed\",\"\",\"\",\"\",\"500\",\"41001\",\"UnexpectedClientError\",\"client\",\r\n\"Unable to get remote audio stream, getMediaStream returned undefined\",\"\",\"\",\"\",\"500\",\"41002\",\"UnexpectedClientError\",\"client\",\r\n\"Unable to get remote audio stream, getMediaStream returned error\",\"\",\"\",\"\",\"500\",\"41003\",\"UnexpectedClientError\",\"client\",\r\n\"Getting raw audio media stream is currently disabled by Azure Communication Services.\",\"\",\"Getting raw audio media strema is currently dissabled\",\"\",\"409\",\"41004\",\"ExpectedError\",\"client\",\r\n\"Failed to accept the Incoming Call\",\"\",\"\",\"\",\"500\",\"41005\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to accept the incoming call, it is not in the Ringing state. Subcscribe to CallAgent's 'incomingCall' event to accept the incoming call.\",\"\",\"Call cannot be accepted because it is not in Ringing state\",\"\",\"400\",\"41006\",\"ExpectedError\",\"client\",\r\n\"Failed to reject the incoming call, it is not in the Ringing state. 
Subcscribe to CallAgent's 'incomingCall' event to reject the incoming call.\",\"\",\"Call cannot be rejectd because it is not in Ringing state\",\"\",\"400\",\"41007\",\"ExpectedError\",\"client\",\r\n\"Failed to get raw stream from local audio stream\",\"\",\"\",\"\",\"500\",\"41008\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to set raw input audio stream\",\"\",\"\",\"\",\"500\",\"41009\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to unset raw input audio stream\",\"\",\"\",\"\",\"500\",\"41010\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to process audio because the calling stack is undefined. Please collect browser console logs and contact Azure Communication Services support.\",\"\",\"Failed to process audio because of internal call stack error\",\"\",\"500\",\"41011\",\"UnexpectedClientError\",\"client\",\r\n\"Removing local video stream due to video fail UFD being raised before call connected. Please ensure to allow video permissions in the browser's setttings and in the OS setttings, and ensure the camera device is not being used by another process.\",\"\",\"Removing local video stream due to video fail UFD being raised before call connected. UFD: {0}, value: {1}, call direction: {2}\",\"\",\"409\",\"41012\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to stop audio on microphone device not functioning or capture mute event {0} with value {1}\",\"\",\"\",\"\",\"400\",\"41013\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to instantiate the Call\",\"\",\"\",\"\",\"500\",\"41014\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to mute microphone. Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Failed to mute microphone\",\"\",\"500\",\"41015\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to unmute microphone. 
Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Failed to unmute microphone\",\"\",\"400\",\"41016\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to recover the microphone audio after bad microphone UFD recovered. Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Failed to unmute and start audio, microphone device not functioning\",\"\",\"410\",\"41017\",\"UnexpectedClientError\",\"client\",\r\n\"Mute other participants is currently disabled by ACS service.\",\"\",\"Mute other participants disabled.\",\"\",\"403\",\"41018\",\"ExpectedError\",\"client\",\r\n\"Failed to mute all remote participants\",\"\",\"\",\"\",\"500\",\"41019\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to mute incoming audio\",\"\",\"\",\"\",\"500\",\"41020\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to unmute incoming audio\",\"\",\"\",\"\",\"500\",\"41021\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to send DTMF tone\",\"\",\"\",\"\",\"400\",\"41022\",\"UnexpectedClientError\",\"client\",\r\n\"Invalid value passed to DtfmTone\",\"\",\"\",\"\",\"422\",\"41023\",\"ExpectedError\",\"client\",\r\n\"Failed to start audio before starting video\",\"\",\"\",\"\",\"500\",\"41024\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to start video, LocalVideoStream instance is invalid or empty. 
Please pass in a LocalVideoStream instance.\",\"\",\"Failed to start video, localVideoStream cannot be null\",\"\",\"400\",\"41025\",\"ExpectedError\",\"client\",\r\n\"Failed to start video, localVideoStream is not an instance of LocalVideoStream\",\"\",\"\",\"\",\"400\",\"41026\",\"ExpectedError\",\"client\",\r\n\"Failed to start video, video is already started.\",\"\",\"Failed to start video, local video is already on\",\"\",\"400\",\"41027\",\"ExpectedError\",\"client\",\r\n\"Failed to set media stream\",\"\",\"\",\"\",\"500\",\"41028\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to start video\",\"\",\"\",\"\",\"500\",\"41029\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to stop video, video is already stopped.\",\"\",\"Failed to stop video, local video is already off\",\"\",\"400\",\"41030\",\"ExpectedError\",\"client\",\r\n\"Failed to start video because the calling stack is undefined. Please gether browser console logs, .HAR files, and contact Aure Communication Services support.\",\"\",\"Failed to process video because of internal call stack error\",\"\",\"500\",\"41031\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to stop video, invalid argument. LocalVideoStream used as an input is currently not being sent.\",\"\",\"Invalid LocalVideoStream, this LocalVideoStream is not being sent\",\"\",\"400\",\"41032\",\"ExpectedError\",\"client\",\r\n\"Failed to hold the call. 
Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Failed to hold call\",\"\",\"500\",\"41033\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to resume the call.Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Failed to resume call\",\"\",\"500\",\"41034\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to start screen share, screen share is already started.\",\"\",\"Failed to start screen share, screen share is already on. Must stop and start again.\",\"\",\"400\",\"41035\",\"ExpectedError\",\"client\",\r\n\"Failed to start raw screen sharing, localVideoStream is not an instance of LocalVideoStream\",\"\",\"\",\"\",\"400\",\"41036\",\"ExpectedError\",\"client\",\r\n\"Unable to get media stream from local video stream for raw media screen sharing. Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Unable to get media stram from local video stream for screen sharing\",\"\",\"500\",\"41037\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to set raw media stream for screen sharing. Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Failed to set media stream for screen sharing\",\"\",\"422\",\"41038\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to get raw screen sharing stream. 
Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Failed to get media stream for screen sharing\",\"\",\"422\",\"41039\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to start screen sharing\",\"\",\"\",\"\",\"500\",\"41040\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to stop screen share, screen share is already stopped.\",\"\",\"Failed to stop screen share, screen share is already off\",\"\",\"400\",\"41041\",\"ExpectedError\",\"client\",\r\n\"Not able to subscribe to Call event, unknown event name.\",\"\",\"Not able to subscribe to event {0}, unknown event name\",\"\",\"422\",\"41042\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from Call event, unknown event name.\",\"\",\"Not able to unsubscribe event {0}, unknown event name\",\"\",\"422\",\"41043\",\"ExpectedError\",\"client\",\r\n\"Only single LocalVideoStream is supported currently\",\"\",\"\",\"\",\"400\",\"41044\",\"ExpectedError\",\"client\",\r\n\"Stream is not an instance of LocalVideoStream\",\"\",\"\",\"\",\"400\",\"41045\",\"ExpectedError\",\"client\",\r\n\"Only single LocalAudioStream is supported currently\",\"\",\"\",\"\",\"400\",\"41046\",\"ExpectedError\",\"client\",\r\n\"Stream is not an instance of LocalAudioStream\",\"\",\"\",\"\",\"400\",\"41047\",\"ExpectedError\",\"client\",\r\n\"Failed to start video during call setup process. Please ensure to allow video permissions in the browser's setttings and in the OS setttings, and ensure the camera device is not being used by another process.\",\"\",\"Video failed to start during call-{0} process.\",\"\",\"410\",\"41048\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to start audio during call setup process. 
Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Audio failed to start during call-{0} process.\",\"\",\"400\",\"41049\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to force isAvailable flag to False during large meeting\",\"\",\"\",\"\",\"500\",\"41050\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to dispose view in large meeting\",\"\",\"\",\"\",\"500\",\"41051\",\"UnexpectedClientError\",\"client\",\r\n\"Not able to add unkown participant.\",\"\",\"\",\"\",\"400\",\"41052\",\"ExpectedError\",\"client\",\r\n\"Participant is already in the call.\",\"\",\"{0} is already in the call\",\"\",\"400\",\"41053\",\"ExpectedError\",\"client\",\r\n\"Failed to remove the specified participant. The participant is not in the call.\",\"\",\"{0} is not in the call.\",\"\",\"400\",\"41054\",\"ExpectedError\",\"client\",\r\n\"Add participant failed: thread ID is missing in options.\",\"\",\"\",\"\",\"400\",\"41055\",\"ExpectedError\",\"client\",\r\n\"Failed to start or join to the call, Teams Enterprise voice policy is not enabled for this Azure Communication Services resource. Follow the tutorial online to enable it.\",\"\",\"Teams Enterprise voice is not enabled. Teams user is not eligible to make PSTN call\",\"\",\"412\",\"41056\",\"ExpectedError\",\"client\",\r\n\"Failed to get server call Id\",\"\",\"\",\"\",\"500\",\"41057\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to get the MediaStream to initialize the Volume indicator. 
Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"failed to getMediaStreamTrack\",\"\",\"500\",\"41058\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to setup volume calcualtor using AudioContext, please retry getVolumeindicator on a working audio stream with exponential backoff\",\"\",\"\",\"\",\"500\",\"41059\",\"UnexpectedClientError\",\"client\",\r\n\"Not able to subscribe to Volume Indicator event, unknown event name.\",\"\",\"Not able to subscribe to event {0}, unknown event name\",\"\",\"400\",\"41060\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from Volume Indicator event, unknown event name.\",\"\",\"Not able to unsubscribe to event {0}, unknown event name\",\"\",\"400\",\"41061\",\"ExpectedError\",\"client\",\r\n\"Failed to setup volume calculator, please retry after exponential backoff\",\"\",\"\",\"\",\"500\",\"41062\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to get serverCallId, serverCallId is empty\",\"\",\"\",\"\",\"404\",\"41063\",\"UnexpectedClientError\",\"client\",\r\n\"Setting call constraint is currently disabled by ACS service.\",\"\",\"Setting call constraints is disabled\",\"\",\"409\",\"41064\",\"ExpectedError\",\"client\",\r\n\"Error setting call constraints at call setup. Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Error setting call constraints at call {0}\",\"\",\"500\",\"41065\",\"UnexpectedClientError\",\"client\",\r\n\"Error setting call constraints during mid-call\",\"\",\"\",\"\",\"500\",\"41066\",\"UnexpectedClientError\",\"client\",\r\n\"Error settting video constraints during call settup or mid-call. 
Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Error setting video constraints during call stage: {0}\",\"\",\"500\",\"41067\",\"UnexpectedClientError\",\"client\",\r\n\"Error setting video constraints during call accept\",\"\",\"\",\"\",\"500\",\"41068\",\"UnexpectedClientError\",\"client\",\r\n\"Error setting video constraints during call start\",\"\",\"\",\"\",\"500\",\"41069\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to set call constraints during mid call\",\"\",\"\",\"\",\"500\",\"41070\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to start screen share, call is not in Connected state. Subscribe to the Call's 'statteChanged' event to know when the call is connected.\",\"\",\"Failed to start screen sharing. Call must be in connected state\",\"\",\"412\",\"41071\",\"ExpectedError\",\"client\",\r\n\"Failed to stop screen sharing. Call must be in connected state\",\"\",\"\",\"\",\"412\",\"41072\",\"ExpectedError\",\"client\",\r\n\"Failed to get or set custom MediaStream, this functionality is currently disabled by Azure Communication Services.\",\"\",\"Accessing raw media stream is currently not enabled\",\"\",\"412\",\"41073\",\"ExpectedError\",\"client\",\r\n\"The raw media stream function is currently not available\",\"\",\"\",\"\",\"500\",\"41074\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to start raw screen sharing, localVideoStream doesn't contain a raw media stream\",\"\",\"\",\"\",\"400\",\"41075\",\"ExpectedError\",\"client\",\r\n\"Failed to start audio stream.\",\"\",\"\",\"\",\"500\",\"41076\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to stop video.\",\"\",\"\",\"\",\"500\",\"41077\",\"UnexpectedClientError\",\"client\",\r\n\"Incoming call is already unplaced\",\"\",\"\",\"\",\"400\",\"41078\",\"ExpectedError\",\"client\",\r\n\"Failed to reject call\",\"\",\"\",\"\",\"500\",\"41079\",\"UnexpectedServerError\",\"client\",\r\n\"Failed to start 
local audio device\",\"\",\"\",\"\",\"400\",\"41080\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to Select Virtual Device.\",\"\",\"\",\"\",\"400\",\"41081\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to Unselect Virtual Device.\",\"\",\"\",\"\",\"400\",\"41082\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to start raw audio, localAudioStream doesn't contain a raw media stream. To start raw audio, the LocalAudioStream passed in, must be constructed with a MediaStream object.\",\"\",\"\",\"\",\"400\",\"41083\",\"ExpectedError\",\"client\",\r\n\"Failed to stop raw audio, localAudioStream doesn't contain a raw media stream. To stop raw audio, the current LocalAudioStream in the call must have a MediaStream as the source.\",\"\",\"\",\"\",\"400\",\"41084\",\"ExpectedError\",\"client\",\r\n\"Thread ID is invalid.\",\"\",\"\",\"\",\"400\",\"41085\",\"ExpectedError\",\"client\",\r\n\"Not able to subscribe to Lobby event, unknown event name.\",\"\",\"Not able to subscribe to event {0}, unknown event name\",\"\",\"422\",\"41800\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from Lobby event, unknown event name.\",\"\",\"Not able to unsubscribe event {0}, unknown event name\",\"\",\"422\",\"41801\",\"ExpectedError\",\"client\",\r\n\"Current conversation type doesn't support lobby admit and reject\",\"\",\"\",\"\",\"400\",\"41802\",\"ExpectedError\",\"client\",\r\n\"Participant is already in the meeting.\",\"\",\"{0} is already in the meeting\",\"\",\"400\",\"41803\",\"ExpectedError\",\"client\",\r\n\"Participant is not in the lobby.\",\"\",\"{0} is not in the lobby\",\"\",\"400\",\"41804\",\"ExpectedError\",\"client\",\r\n\"only Organizer, Co-organizer or Presenter can admit/reject participants from lobby\",\"\",\"\",\"\",\"403\",\"41805\",\"ExpectedError\",\"client\",\r\n\"Failed to admit participants in the lobby\",\"\",\"\",\"\",\"500\",\"41806\",\"UnexpectedServerError\",\"client\",\r\n\"Participant list is 
empty\",\"\",\"\",\"\",\"400\",\"41807\",\"ExpectedError\",\"client\",\r\n\"Lobby is not enabled for this meeting\",\"\",\"\",\"\",\"400\",\"41808\",\"ExpectedError\",\"client\",\r\n\"Failed to reject participants from the lobby\",\"\",\"\",\"\",\"500\",\"41809\",\"UnexpectedServerError\",\"client\",\r\n\"Failed to fetch Teams user policies and settings cannot proceed, because teams user Id was not found in the AccessToken.\",\"\",\"Caller's MicrosoftTeamsUserIdentifier wasn't provided. Fetching Teams user policies and settings cannot proceed\",\"\",\"400\",\"41900\",\"ExpectedError\",\"client\",\r\n\"Error Fetching Teams user policy from ACS MiddleTier Service\",\"\",\"\",\"\",\"500\",\"41901\",\"UnexpectedServerError\",\"client\",\r\n\"Unable to derive emergency policy from ACS MiddleTier Service response\",\"\",\"\",\"\",\"500\",\"41902\",\"UnexpectedServerError\",\"client\",\r\n\"Unable to fetch Teams calling policy from ACS MiddleTier Service response. Please try again, if the issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Unable to fetch teamsCallingPolicy from ACS MiddleTier Service response\",\"\",\"500\",\"41903\",\"UnexpectedServerError\",\"client\",\r\n\"Unable to fetch Teams meeting policy from ACS MiddleTier Service response. Please try again, if the issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Unable to fetch teamsMeetingPolicy from ACS MiddleTier Service response\",\"\",\"500\",\"41904\",\"UnexpectedServerError\",\"client\",\r\n\"Unable to fetch feature types from ACS MiddleTier Service response. 
Please try again, if the issue persists, gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"Unable to fetch featureTypes from ACS MiddleTier Service response\",\"\",\"500\",\"41905\",\"UnexpectedServerError\",\"client\",\r\n\"Unable to create thread for the Teams User groupcall from ACS MiddleTier Service response\",\"\",\"\",\"\",\"500\",\"41906\",\"UnexpectedServerError\",\"client\",\r\n\"Unable to add particpant for the thread for Teams groupcall from ACS MiddleTier Service\",\"\",\"\",\"\",\"500\",\"41907\",\"UnexpectedServerError\",\"client\",\r\n\"Mute other participants is disabled by ACS service.\",\"\",\"Mute other participants disabled.\",\"\",\"403\",\"42000\",\"ExpectedError\",\"client\",\r\n\"Failed to mute specific participant\",\"\",\"\",\"\",\"500\",\"42001\",\"UnexpectedClientError\",\"client\",\r\n\"Not able to subscribe to RemoteParticipant event, unknown event name.\",\"\",\"Not able to subscribe to event {0}, unknown event name\",\"\",\"422\",\"42002\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from RemoteParticipant event, unknown event name.\",\"\",\"Not able to unsubscribe to event {0}, unknown event name\",\"\",\"422\",\"42003\",\"ExpectedError\",\"client\",\r\n\"The scenario to soft mute a PSTN participant is not supported.\",\"\",\"\",\"\",\"405\",\"42004\",\"ExpectedError\",\"client\",\r\n\"Failed to start video, video device is being used by another process/application. Stop your camera from being used in the other process/application and try again.\",\"\",\"Video operation failure SourceUnavailableError\",\"\",\"412\",\"43000\",\"ExpectedError\",\"client\",\r\n\"Failed to start video, permission was not granted to use selected video device. 
Ensure video device permissions are allowed in the browser's settings and in the system's setttings.\",\"\",\"Video operation failure PermissionDeniedError\",\"\",\"403\",\"43001\",\"ExpectedError\",\"client\",\r\n\"Failed to start video, unknown error. Please try again. If the issue persists, contact Azure Communication Services support.\",\"\",\"Video operation failure UnknownFailureForVideoOperation\",\"\",\"500\",\"43002\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create local video stream, source was not of type VideoDeviceInfo or MediaStream\",\"\",\"\",\"\",\"400\",\"43003\",\"ExpectedError\",\"client\",\r\n\"Failed to switch video device, invalid input. Input must be of a VideoDeviceInfo type.\",\"\",\"Failed to switch source, source was not of type VideoDeviceInfo\",\"\",\"400\",\"43004\",\"ExpectedError\",\"client\",\r\n\"Failed to switch video device, unable to switch to the same video device, it's already selected.\",\"\",\"Unable to switch to the same source\",\"\",\"400\",\"43005\",\"ExpectedError\",\"client\",\r\n\"Unable to get device type\",\"\",\"\",\"\",\"500\",\"43006\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to get raw video stream. Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Failed to get media stream\",\"\",\"500\",\"43007\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to set media stream source is not MediaStream\",\"\",\"\",\"\",\"400\",\"43008\",\"ExpectedError\",\"client\",\r\n\"Failed to set raw video stream. Found undefined function. Gather browser console logs and contact Azure Communication Services support.\",\"\",\"Unable ot set media stream\",\"\",\"500\",\"43009\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to set raw video stream. 
Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Failed to set media stream\",\"\",\"500\",\"43010\",\"UnexpectedClientError\",\"client\",\r\n\"Not able to subscribe to LocalVideoStream event, unknown event name.\",\"\",\"Not able to subscribe to event {0}, unknown event name\",\"\",\"422\",\"43011\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from LocalVideoStream event, unknown event name.\",\"\",\"Not able to unsubscribe event {0}, unknown event name\",\"\",\"422\",\"43012\",\"ExpectedError\",\"client\",\r\n\"Failed to start video, no video devices found. Ensure video devices are plugged in and enabled in the system settings.\",\"\",\"Video operation failure DevicesNotFoundError\",\"\",\"412\",\"43013\",\"ExpectedError\",\"client\",\r\n\"Failed to start video, error requesting media stream. Please try again, if issue persists, contact Azure Communication Services support.\",\"\",\"Video operation failure MediaStreamRequestError\",\"\",\"412\",\"43014\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to start video, media stream request timed out. PLease allow permission on the browser's prompt to access the camera and try again.\",\"\",\"Video operation failure MediaStreamRequestTimedout\",\"\",\"412\",\"43015\",\"ExpectedError\",\"client\",\r\n\"Failed to start video, permissions denied by system. Ensure video device permissions are allowed in the browser's settings and in the system's setttings.\",\"\",\"Video operation failure PermissionsDeniedBySystem\",\"\",\"412\",\"43016\",\"ExpectedError\",\"client\",\r\n\"Failed to start video, unsupported stream. Please try again, if issue persists, contact Azure Communication Services support.\",\"\",\"Video operation failure UnsupportedStream\",\"\",\"412\",\"43017\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to start video, failed to set constraints. 
Please try again, if issue persists, contact Azure Communication Services support.\",\"\",\"Video operation failure ConstraintNotSatisfiedError\",\"\",\"412\",\"43018\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to start video, no device selected. Please ensure to pass a LocalVideoStream constructed with a VideoDeviceInfo and try again. If issue persists, contact Azure Communication Services support.\",\"\",\"Video operation failure noDeviceSelected\",\"\",\"412\",\"43019\",\"UnexpectedClientError\",\"client\",\r\n\"Not able to subscribe to RemoteVideoStream event, unknown event name.\",\"\",\"Not able to subscribe to event {0}, unknown event name\",\"\",\"422\",\"43100\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from RemoteVideoStream event, unknown event name.\",\"\",\"Not able to unsubscribe event {0}, unknown event name\",\"\",\"422\",\"43101\",\"ExpectedError\",\"client\",\r\n\"Not able to get media stream\",\"\",\"\",\"\",\"500\",\"43102\",\"UnexpectedClientError\",\"client\",\r\n\"The remote video stream is currently not available, subscribe to the stream's isAvailable property to get notified when it is ready to get the raw media stream.\",\"\",\"The stream is currently not availalbe, subscribe to stream.isAvailable property to get notified when it is ready to get media stream\",\"\",\"400\",\"43103\",\"ExpectedError\",\"client\",\r\n\"Failed to subscribe to media stream, timeout\",\"\",\"\",\"\",\"408\",\"43104\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to get media stream\",\"\",\"\",\"\",\"500\",\"43105\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to subscribe to media stream, muted\",\"\",\"\",\"\",\"408\",\"43106\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to get raw media stream\",\"\",\"\",\"\",\"500\",\"43107\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to render video stream, this stream is not available. 
Subscribe to the stream's isAvailable property to get notified when the remote participant has their video on and the stream is available for rendering.\",\"\",\"Failed to create view, remote stream is not available\",\"\",\"412\",\"43200\",\"ExpectedError\",\"client\",\r\n\"Failed to start stream, already disposed\",\"\",\"\",\"\",\"405\",\"43201\",\"ExpectedError\",\"client\",\r\n\"Failed to render video stream, this stream is not longer available. Remote participant turned their video off.\",\"\",\"Failed to start stream, stream became unavailable\",\"\",\"404\",\"43202\",\"ExpectedError\",\"client\",\r\n\"Failed to render video stream, rendering timed out while waiting for video frames. Please try again, if issue persists, contact Azure Communication Services support.\",\"\",\"Failed to render stream, timeout\",\"\",\"408\",\"43203\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to render video stream, failed to subscribe to video on the Azure Communication Services infrastructure. 
Please try again, if issue persists, contact Azure Communication Services support.\",\"\",\"Failed to start stream, fail to subscribe\",\"\",\"500\",\"43204\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to start stream, internal error\",\"\",\"\",\"\",\"500\",\"43205\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to updateScalingMode, failed to update\",\"\",\"\",\"\",\"500\",\"43206\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to start stream, disposing stream because participant is not a dominant speaker in the large meeting\",\"\",\"\",\"\",\"405\",\"43207\",\"ExpectedError\",\"client\",\r\n\"Failed to start stream, disposing stream because remote video stream is disposing\",\"\",\"\",\"\",\"405\",\"43208\",\"ExpectedError\",\"client\",\r\n\"Failed to render video stream, VideoStreamRenderer was disposed during initialization process.\",\"\",\"Failed to start stream, disposing stream\",\"\",\"405\",\"43209\",\"ExpectedError\",\"client\",\r\n\"Failed to dispose VideoStreamRenderer, it is already disposed.\",\"\",\"Failed to dispose stream, already disposed\",\"\",\"400\",\"43210\",\"ExpectedError\",\"client\",\r\n\"Failed to dispose remote renderer\",\"\",\"\",\"\",\"500\",\"43211\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create VideoStreamRendererView, videoStream must be either LocalVideoStream or RemoteVideoStream type\",\"\",\"\",\"\",\"400\",\"43212\",\"ExpectedError\",\"client\",\r\n\"Failed to dispose, VideoStreamRendererView is disposed\",\"\",\"\",\"\",\"400\",\"43213\",\"ExpectedError\",\"client\",\r\n\"Failed to render, stream disposed\",\"\",\"\",\"\",\"400\",\"43214\",\"ExpectedError\",\"client\",\r\n\"Failed to updateScalingMode, VideoStreamRendererView is disposed\",\"\",\"\",\"\",\"400\",\"43215\",\"ExpectedError\",\"client\",\r\n\"Failed to updateScalingMode, wrong scalingMode value\",\"\",\"\",\"\",\"400\",\"43216\",\"ExpectedError\",\"client\",\r\n\"Failed to dispose 
view\",\"\",\"\",\"\",\"500\",\"43217\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create VideoStreamRenderer, videoStream must be either LocalVideoStream or RemoteVideoStreamCommon type\",\"\",\"\",\"\",\"400\",\"43218\",\"ExpectedError\",\"client\",\r\n\"Failed to create view, VideoStreamRenderer is disposed\",\"\",\"\",\"\",\"400\",\"43219\",\"ExpectedError\",\"client\",\r\n\"Failed to create view, maximum number of active RemoteVideoStream views has been reached. You can dispose of a previous one in order to create new one.\",\"\",\"Failed to create view, maximum number of {0} active RemoteVideoStream has been reached\",\"\",\"400\",\"43220\",\"ExpectedError\",\"client\",\r\n\"Failed to create view\",\"\",\"\",\"\",\"500\",\"43221\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to dispose, VideoStreamRendererView is already disposed\",\"\",\"\",\"\",\"400\",\"43222\",\"ExpectedError\",\"client\",\r\n\"Unknown stream type\",\"\",\"\",\"\",\"400\",\"43223\",\"ExpectedError\",\"client\",\r\n\"Failed to dispose local renderer\",\"\",\"\",\"\",\"500\",\"43224\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create local audio stream, source is not of type AudioDeviceInfo or MediaStream\",\"\",\"\",\"\",\"400\",\"43600\",\"ExpectedError\",\"client\",\r\n\"Failed to create local audio stream, source is not a microphone\",\"\",\"\",\"\",\"400\",\"43601\",\"ExpectedError\",\"client\",\r\n\"Failed to get media stream source is not AudioDeviceInfo or MediaStream\",\"\",\"\",\"\",\"500\",\"43602\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to switch stream on local audio, source is not of type MediaStream\",\"\",\"\",\"\",\"400\",\"43603\",\"ExpectedError\",\"client\",\r\n\"Failed to create local audio stream, source is not a microphone\",\"\",\"\",\"\",\"400\",\"43604\",\"ExpectedError\",\"client\",\r\n\"Not able to subscribe to LocalAudioStream event, unknown event name.\",\"\",\"Not able to subscribe to event {0}, unknown event 
name\",\"\",\"422\",\"43605\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from LocalAudioStream event, unknown event name.\",\"\",\"Not able to unsubscribe event {0}, unknown event name\",\"\",\"422\",\"43606\",\"ExpectedError\",\"client\",\r\n\"Failed to switch audio device, unable to switch to the same audio device, it's already selected.\",\"\",\"\",\"\",\"400\",\"43607\",\"ExpectedError\",\"client\",\r\n\"Failed to start audio, unknown error. Please try again. If the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"\",\"\",\"500\",\"43608\",\"UnexpectedClientError\",\"client\",\r\n\"Unable to parse PhoneNumberIdentifier object\",\"\",\"\",\"\",\"422\",\"44000\",\"ExpectedError\",\"client\",\r\n\"Unable to parse MicrosoftTeamsUserIdentifier object\",\"\",\"\",\"\",\"422\",\"44001\",\"ExpectedError\",\"client\",\r\n\"Unable to parse MicrosoftTeamsAppIdentifier object\",\"\",\"\",\"\",\"422\",\"44002\",\"ExpectedError\",\"client\",\r\n\"Unable to parse Identifier object, please check the syntax\",\"\",\"\",\"\",\"422\",\"44003\",\"ExpectedError\",\"client\",\r\n\"Invalid CommunicationUser identifier specified\",\"\",\"\",\"\",\"422\",\"44004\",\"ExpectedError\",\"client\",\r\n\"Invalid MicrosoftTeamsUser rawId specified\",\"\",\"\",\"\",\"422\",\"44005\",\"ExpectedError\",\"client\",\r\n\"Invalid MicrosoftTeamsUser microsoftTeamsUserId specified\",\"\",\"\",\"\",\"422\",\"44006\",\"ExpectedError\",\"client\",\r\n\"Invalid MicrosoftTeamsApp rawId specified\",\"\",\"\",\"\",\"422\",\"44007\",\"ExpectedError\",\"client\",\r\n\"Invalid MicrosoftTeamsApp teamsAppId specified\",\"\",\"\",\"\",\"422\",\"44008\",\"ExpectedError\",\"client\",\r\n\"Invalid identifier specified, please specify an id\",\"\",\"\",\"\",\"422\",\"44009\",\"ExpectedError\",\"client\",\r\n\"Unable to parse Identifier object\",\"\",\"\",\"\",\"422\",\"44010\",\"ExpectedError\",\"client\",\r\n\"AssertIsArrayOfIdentifiers failed. 
: userIds must be array of CommunicationIdentifier\",\"\",\"\",\"\",\"422\",\"44011\",\"ExpectedError\",\"client\",\r\n\"No cloud prefix found in identity\",\"\",\"\",\"\",\"409\",\"44012\",\"ExpectedError\",\"client\",\r\n\"Config is empty\",\"\",\"\",\"\",\"500\",\"44100\",\"UnexpectedServerError\",\"client\",\r\n\"Missing ACS config key\",\"\",\"\",\"\",\"500\",\"44101\",\"UnexpectedServerError\",\"client\",\r\n\"Error while merging config\",\"\",\"\",\"\",\"500\",\"44102\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to initialize telemetry\",\"\",\"\",\"\",\"500\",\"44103\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to initialize telemetry\",\"\",\"\",\"\",\"500\",\"44104\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to create and initialize telemetry logger for tenant. Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Failed to create and initialize telemetry logger for {0}\",\"\",\"500\",\"44105\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to flush telemetry\",\"\",\"\",\"\",\"500\",\"44106\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to initialize telemetry logger\",\"\",\"\",\"\",\"500\",\"44107\",\"UnexpectedClientError\",\"client\",\r\n\"No CommunicationTokenCredential provided\",\"\",\"\",\"\",\"401\",\"44108\",\"ExpectedError\",\"client\",\r\n\"AccessToken is empty\",\"\",\"\",\"\",\"401\",\"44109\",\"ExpectedError\",\"client\",\r\n\"Failed to get AccessToken\",\"\",\"\",\"\",\"401\",\"44110\",\"UnexpectedClientError\",\"client\",\r\n\"Invalid token\",\"\",\"\",\"\",\"401\",\"44111\",\"ExpectedError\",\"client\",\r\n\"Failed to parse AccessToken\",\"\",\"\",\"\",\"401\",\"44112\",\"ExpectedError\",\"client\",\r\n\"AccessToken does not contain 'voip' or 'voip.join' scope\",\"\",\"\",\"\",\"401\",\"44113\",\"ExpectedError\",\"client\",\r\n\"Wrong AccessToken scope format. 
Scope is expected to be a string that contains 'voip'\",\"\",\"\",\"\",\"401\",\"44114\",\"ExpectedError\",\"client\",\r\n\"AccessToken does not contain ACS resource Id\",\"\",\"\",\"\",\"401\",\"44115\",\"ExpectedError\",\"client\",\r\n\"AccessToken does not contain ACS user Id\",\"\",\"\",\"\",\"401\",\"44116\",\"ExpectedError\",\"client\",\r\n\"Failed to parse AccessToken\",\"\",\"\",\"\",\"401\",\"44117\",\"UnexpectedClientError\",\"client\",\r\n\"Operation timed out\",\"\",\"\",\"\",\"408\",\"44118\",\"UnexpectedClientError\",\"client\",\r\n\"Error while trying to start or stop echo cancellation. Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Error while trying to {0} echo cancellation\",\"\",\"500\",\"45000\",\"UnexpectedClientError\",\"client\",\r\n\"Error while trying to start or stop noise suppression. Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Error while trying to {0} noise suppression\",\"\",\"500\",\"45001\",\"UnexpectedClientError\",\"client\",\r\n\"Not able to subscribe to AudioEffects event, unknown event name.\",\"\",\"Not able to subscribe to event {0}, unknown event name\",\"\",\"400\",\"45002\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from AudioEffects event, unknown event name.\",\"\",\"Not able to unsubscribe event {0}, unknown event name\",\"\",\"400\",\"45003\",\"ExpectedError\",\"client\",\r\n\"Setting audio effects is currently disabled by Azure Communication Services.\",\"\",\"Setting audio effects is disabled.\",\"\",\"403\",\"45004\",\"ExpectedError\",\"client\",\r\n\"Audio effects feature is disposed. 
Create a new AudioEffects feature instance.\",\"\",\"\",\"\",\"400\",\"45005\",\"ExpectedError\",\"client\",\r\n\"Current source is not supported\",\"\",\"\",\"\",\"415\",\"45006\",\"ExpectedError\",\"client\",\r\n\"Failed to get device manager to start effects.\",\"\",\"\",\"\",\"500\",\"45007\",\"UnexpectedClientError\",\"client\",\r\n\"Audio effects feature is disposed. Create a new AudioEffects feature instance.\",\"\",\"\",\"\",\"400\",\"45008\",\"ExpectedError\",\"client\",\r\n\"Failed to get device manager to stop effects.\",\"\",\"\",\"\",\"500\",\"45009\",\"UnexpectedClientError\",\"client\",\r\n\"Internal error - DM missing\",\"\",\"\",\"\",\"500\",\"45010\",\"UnexpectedClientError\",\"client\",\r\n\"EffectProvider not available\",\"\",\"\",\"\",\"500\",\"45011\",\"UnexpectedClientError\",\"client\",\r\n\"Internal error - stack aec provider missing\",\"\",\"\",\"\",\"500\",\"45012\",\"UnexpectedClientError\",\"client\",\r\n\"Invalid effect provided\",\"\",\"\",\"\",\"400\",\"45013\",\"ExpectedError\",\"client\",\r\n\"Invalid or no echo cancellation effect provided\",\"\",\"\",\"\",\"400\",\"45014\",\"ExpectedError\",\"client\",\r\n\"Invalid or no noise suppression effect provided\",\"\",\"\",\"\",\"400\",\"45015\",\"ExpectedError\",\"client\",\r\n\"Unsupported effect specified. Please specify a supported audio effect.\",\"\",\"{0} is not supported.\",\"\",\"415\",\"45016\",\"UnexpectedClientError\",\"client\",\r\n\"Error while checking support\",\"\",\"\",\"\",\"501\",\"45017\",\"UnexpectedClientError\",\"client\",\r\n\"Invalid or no auto gain control effect provided\",\"\",\"\",\"\",\"400\",\"45018\",\"ExpectedError\",\"client\",\r\n\"Error while trying to start or stop auto gain control. 
Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Error while trying to {0} auto gain control\",\"\",\"500\",\"45019\",\"UnexpectedClientError\",\"client\",\r\n\"Error setting browser audio processing flags\",\"\",\"\",\"\",\"500\",\"45020\",\"UnexpectedClientError\",\"client\",\r\n\"Error starting audio effects.\",\"\",\"\",\"\",\"500\",\"45021\",\"UnexpectedClientError\",\"client\",\r\n\"Error stopping audio effects.\",\"\",\"\",\"\",\"500\",\"45022\",\"UnexpectedClientError\",\"client\",\r\n\"Error disposing audio effects feature.\",\"\",\"\",\"\",\"500\",\"45023\",\"UnexpectedClientError\",\"client\",\r\n\"Invalid call survey. Please submit survey options.\",\"\",\"{0}.\",\"\",\"400\",\"45100\",\"ExpectedError\",\"client\",\r\n\"Failed to submit survey, timed out. Please try again, if issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"\",\"\",\"408\",\"45101\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to initialize Captions.\",\"\",\"\",\"\",\"500\",\"45200\",\"UnexpectedClientError\",\"client\",\r\n\"Captions feature is currently disabled by Azure Communication Services.\",\"\",\"Feature is not enabled.\",\"\",\"412\",\"45201\",\"ExpectedError\",\"client\",\r\n\"Spoken language requested is not supported.\",\"\",\"\",\"\",\"400\",\"45202\",\"ExpectedError\",\"client\",\r\n\"Captions feature is disabled in meeting policy.\",\"\",\"\",\"\",\"403\",\"45203\",\"ExpectedError\",\"client\",\r\n\"Captions feature is disabled in calling policy.\",\"\",\"\",\"\",\"403\",\"45204\",\"ExpectedError\",\"client\",\r\n\"Could not start captions.\",\"\",\"\",\"\",\"500\",\"45205\",\"UnexpectedClientError\",\"client\",\r\n\"Cannot update spoken language as captions has not started.\",\"\",\"\",\"\",\"400\",\"45206\",\"ExpectedError\",\"client\",\r\n\"Set spoken language is currently disabled by Azure Communication Services.\",\"\",\"Set 
spoken language is not enabled.\",\"\",\"412\",\"45207\",\"ExpectedError\",\"client\",\r\n\"Unable to update spoken language. Failed to get token.\",\"\",\"\",\"\",\"401\",\"45208\",\"UnexpectedClientError\",\"client\",\r\n\"Unable to update spoken language.\",\"\",\"\",\"\",\"500\",\"45209\",\"UnexpectedClientError\",\"client\",\r\n\"Cannot update caption language as captions has not started.\",\"\",\"\",\"\",\"400\",\"45210\",\"ExpectedError\",\"client\",\r\n\"Set caption language is currently disabled by Azure Communication Services.\",\"\",\"Set caption language is not enabled.\",\"\",\"412\",\"45211\",\"ExpectedError\",\"client\",\r\n\"Set caption language failed. Teams premium license is needed to use this feature.\",\"\",\"\",\"\",\"401\",\"45212\",\"ExpectedError\",\"client\",\r\n\"Caption language requested is not supported.\",\"\",\"\",\"\",\"400\",\"45213\",\"ExpectedError\",\"client\",\r\n\"Null token\",\"\",\"\",\"\",\"401\",\"45214\",\"ExpectedError\",\"client\",\r\n\"Unable to update caption language.\",\"\",\"\",\"\",\"500\",\"45215\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to fetch policy for Teams Captions.\",\"\",\"\",\"\",\"500\",\"45216\",\"UnexpectedClientError\",\"client\",\r\n\"Captions already active\",\"\",\"\",\"\",\"400\",\"45217\",\"ExpectedError\",\"client\",\r\n\"Captions feature is not active.\",\"\",\"\",\"\",\"400\",\"45218\",\"ExpectedError\",\"client\",\r\n\"Operation in progress\",\"\",\"\",\"\",\"400\",\"45219\",\"ExpectedError\",\"client\",\r\n\"Spoken language already set\",\"\",\"\",\"\",\"400\",\"45220\",\"ExpectedError\",\"client\",\r\n\"Unable to update caption language as Captions is not active.\",\"\",\"\",\"\",\"400\",\"45221\",\"ExpectedError\",\"client\",\r\n\"Caption language already set.\",\"\",\"\",\"\",\"400\",\"45222\",\"ExpectedError\",\"client\",\r\n\"Captions status already set.\",\"\",\"\",\"\",\"400\",\"45223\",\"ExpectedError\",\"client\",\r\n\"Captions is not 
supported.\",\"\",\"\",\"\",\"400\",\"45224\",\"ExpectedError\",\"client\",\r\n\"Failed to update endpoint metadata\",\"\",\"\",\"\",\"500\",\"45225\",\"UnexpectedClientError\",\"client\",\r\n\"Cannot start captions as call state is not connected.\",\"\",\"\",\"\",\"400\",\"45226\",\"ExpectedError\",\"client\",\r\n\"DataChannel has been disposed\",\"\",\"\",\"\",\"500\",\"45300\",\"UnexpectedClientError\",\"client\",\r\n\"Sender is not ready\",\"\",\"\",\"\",\"500\",\"45301\",\"UnexpectedClientError\",\"client\",\r\n\"No available channel id\",\"\",\"\",\"\",\"500\",\"45302\",\"UnexpectedClientError\",\"client\",\r\n\"Invalid channel id\",\"\",\"\",\"\",\"400\",\"45303\",\"ExpectedError\",\"client\",\r\n\"Invalid bitrateInKbps\",\"\",\"\",\"\",\"400\",\"45304\",\"ExpectedError\",\"client\",\r\n\"Invalid participants\",\"\",\"\",\"\",\"400\",\"45305\",\"ExpectedError\",\"client\",\r\n\"Too many participants\",\"\",\"\",\"\",\"400\",\"45306\",\"ExpectedError\",\"client\",\r\n\"No valid participant\",\"\",\"\",\"\",\"400\",\"45307\",\"ExpectedError\",\"client\",\r\n\"Message data is empty\",\"\",\"\",\"\",\"400\",\"45308\",\"ExpectedError\",\"client\",\r\n\"The size of message data is too large\",\"\",\"\",\"\",\"400\",\"45309\",\"ExpectedError\",\"client\",\r\n\"Invalid message length\",\"\",\"\",\"\",\"500\",\"45310\",\"UnexpectedClientError\",\"client\",\r\n\"The buffer is full. 
Please wait and try again\",\"\",\"\",\"\",\"500\",\"45311\",\"UnexpectedClientError\",\"client\",\r\n\"The sender has been closed\",\"\",\"\",\"\",\"400\",\"45312\",\"ExpectedError\",\"client\",\r\n\"Currently there is no available reliable channel\",\"\",\"\",\"\",\"500\",\"45313\",\"UnexpectedClientError\",\"client\",\r\n\"Currently there is no available unreliable channel\",\"\",\"\",\"\",\"500\",\"45314\",\"UnexpectedClientError\",\"client\",\r\n\"Unable to allocate the channel because a channel with the same channelId has already been allocated\",\"\",\"\",\"\",\"500\",\"45315\",\"UnexpectedClientError\",\"client\",\r\n\"Invalid bitrate\",\"\",\"\",\"\",\"400\",\"45316\",\"ExpectedError\",\"client\",\r\n\"Traffic is limited\",\"\",\"\",\"\",\"400\",\"45317\",\"ExpectedError\",\"client\",\r\n\"Failed to send message.\",\"\",\"\",\"\",\"500\",\"45318\",\"UnexpectedClientError\",\"client\",\r\n\"Not able to subscribe to DataChannel event, unknown event name.\",\"\",\"Not able to {0} subscribe to event {1}, unknown event name\",\"\",\"422\",\"45319\",\"ExpectedError\",\"client\",\r\n\"Wrong argument type specified.\",\"\",\"TypeError: Expect '{0}' to be of type '{1}'\",\"\",\"400\",\"45320\",\"ExpectedError\",\"client\",\r\n\"Wrong value specified.\",\"\",\"ValueError: Expect '{0}' to be '{1}'\",\"\",\"400\",\"45321\",\"ExpectedError\",\"client\",\r\n\"Cannot find the channelId specified.\",\"\",\"Cannot find the channelId {0}\",\"\",\"400\",\"45322\",\"ExpectedError\",\"client\",\r\n\"Failed to create the sender.\",\"\",\"\",\"\",\"500\",\"45323\",\"UnexpectedClientError\",\"client\",\r\n\"Mapped to an incorrect value type. 
Please gather browser console logs and contact Azure Communication Services support.\",\"\",\"Mapped to an incorrect value type={0}, diagnostic value={1}, for diagnostic {2}\",\"\",\"500\",\"45400\",\"UnexpectedClientError\",\"client\",\r\n\"Not able to subscribe to UserFacingDiagnostics event, unknown event name.\",\"\",\"Not able to subscribe to event {0}, unknown event name\",\"\",\"422\",\"45401\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from UserFacingDiagnostics event, unknown event name.\",\"\",\"Not able to unsubscribe event {0}, unknown event name\",\"\",\"422\",\"45402\",\"ExpectedError\",\"client\",\r\n\"Failed to map diagnostic quality level. Please gather browser console logs and contact Azure Communication Services support.\",\"\",\"Cannot map ts quality level {0} for {1}\",\"\",\"500\",\"45403\",\"UnexpectedClientError\",\"client\",\r\n\"Not able to subscribe to LiveStream event, unknown event name.\",\"\",\"Not able to subscribe to event {0}, unknown event name\",\"\",\"422\",\"45500\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from LiveStream event, unknown event name.\",\"\",\"Not able to unsubscribe event {0}, unknown event name\",\"\",\"422\",\"45501\",\"ExpectedError\",\"client\",\r\n\"Invalid aggregationInterval value range.\",\"\",\"\",\"\",\"400\",\"45502\",\"ExpectedError\",\"client\",\r\n\"Invalid dataPointsPerAggregation value range.\",\"\",\"\",\"\",\"400\",\"45503\",\"ExpectedError\",\"client\",\r\n\"MediaStatsCallFeature has been disposed.\",\"\",\"\",\"\",\"400\",\"45504\",\"ExpectedError\",\"client\",\r\n\"Invalid aggregationInterval value range.\",\"\",\"\",\"\",\"400\",\"45550\",\"ExpectedError\",\"client\",\r\n\"Invalid dataPointsPerAggregation value range.\",\"\",\"\",\"\",\"400\",\"45551\",\"ExpectedError\",\"client\",\r\n\"MediaStatsCallFeature has been disposed.\",\"\",\"\",\"\",\"400\",\"45552\",\"ExpectedError\",\"client\",\r\n\"Not able to subscribe to OptimalVideoCount event, unknown event 
name.\",\"\",\"Not able to subscribe to event {0}, unknown event name\",\"\",\"422\",\"45600\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from OptimalVideoCount event, unknown event name.\",\"\",\"Not able to unsubscribe event {0}, unknown event name\",\"\",\"422\",\"45601\",\"ExpectedError\",\"client\",\r\n\"Failed to set default microphone or speaker with error\",\"\",\"\",\"\",\"412\",\"45700\",\"UnexpectedClientError\",\"client\",\r\n\"Unable to return call diagnostic information.\",\"\",\"\",\"\",\"500\",\"45701\",\"UnexpectedClientError\",\"client\",\r\n\"Timeout in checking media stream status\",\"\",\"\",\"\",\"500\",\"45702\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to get existing call agent or create a new one\",\"\",\"\",\"\",\"500\",\"45703\",\"UnexpectedClientError\",\"client\",\r\n\"Test call failed to connect\",\"\",\"\",\"\",\"500\",\"45704\",\"UnexpectedClientError\",\"client\",\r\n\"Call failed to render video.\",\"\",\"\",\"\",\"500\",\"45705\",\"UnexpectedClientError\",\"client\",\r\n\"Test call failed hang up the call\",\"\",\"\",\"\",\"500\",\"45706\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to get video call media stats\",\"\",\"\",\"\",\"500\",\"45707\",\"UnexpectedClientError\",\"client\",\r\n\"Call timed out to connect. 
Please try again, if the issue persists, gather browser console logs and contact Azure Communication Services support.\",\"\",\"Call timeout after {0}\",\"\",\"408\",\"45708\",\"UnexpectedClientError\",\"client\",\r\n\"Could not initialize raise hand feature.\",\"\",\"\",\"\",\"500\",\"45750\",\"UnexpectedClientError\",\"client\",\r\n\"Could not change a participant state.\",\"\",\"\",\"\",\"500\",\"45751\",\"UnexpectedServerError\",\"client\",\r\n\"Could not change a participant state.\",\"\",\"\",\"\",\"500\",\"45752\",\"UnexpectedServerError\",\"client\",\r\n\"Could not change a participant state.\",\"\",\"\",\"\",\"500\",\"45753\",\"UnexpectedServerError\",\"client\",\r\n\"Could not change a participant state.\",\"\",\"\",\"\",\"500\",\"45754\",\"UnexpectedServerError\",\"client\",\r\n\"Could not change a participant state.\",\"\",\"\",\"\",\"500\",\"45755\",\"UnexpectedServerError\",\"client\",\r\n\"Lower hands request failed because participant list is empty.\",\"\",\"\",\"\",\"400\",\"45756\",\"ExpectedError\",\"client\",\r\n\"Raise hands request failed because participant list is empty.\",\"\",\"\",\"\",\"400\",\"45757\",\"ExpectedError\",\"client\",\r\n\"Call is not connected yet to send reaction\",\"\",\"\",\"\",\"400\",\"45800\",\"ExpectedError\",\"client\",\r\n\"Reaction send is not supported for 1:1 direct calling with teams identity\",\"\",\"\",\"\",\"400\",\"45801\",\"ExpectedError\",\"client\",\r\n\"Unable to register listener due to meeting policy\",\"\",\"\",\"\",\"403\",\"45802\",\"ExpectedError\",\"client\",\r\n\"Unable to deregister listener due to meeting policy\",\"\",\"\",\"\",\"403\",\"45803\",\"ExpectedError\",\"client\",\r\n\"Unable to send reaction due to meeting policy\",\"\",\"\",\"\",\"403\",\"45804\",\"ExpectedError\",\"client\",\r\n\"Could not create state service proxy web-socket connection\",\"\",\"\",\"\",\"500\",\"45805\",\"UnexpectedServerError\",\"client\",\r\n\"Could not create sync map to exchange 
reaction\",\"\",\"\",\"\",\"500\",\"45806\",\"UnexpectedServerError\",\"client\",\r\n\"Unable to handle send reaction\",\"\",\"\",\"\",\"400\",\"45807\",\"ExpectedError\",\"client\",\r\n\"Unable to handle send reaction\",\"\",\"\",\"\",\"500\",\"45808\",\"UnexpectedClientError\",\"client\",\r\n\"Unable to parse reaction\",\"\",\"\",\"\",\"500\",\"45809\",\"UnexpectedClientError\",\"client\",\r\n\"Not able to subscribe to Reaction event, unknown event name.\",\"\",\"Not able to subscribe to event {0}, unknown event name\",\"\",\"422\",\"45810\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from Reaction event, unknown event name.\",\"\",\"Not able to unsubscribe event {0}, unknown event name\",\"\",\"422\",\"45811\",\"ExpectedError\",\"client\",\r\n\"Not able to subscribe to Recording event, unknown event name.\",\"\",\"Not able to subscribe to event {0}, unknown event name\",\"\",\"422\",\"45850\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from Recording event, unknown event name.\",\"\",\"Not able to unsubscribe event {0}, unknown event name\",\"\",\"422\",\"45851\",\"ExpectedError\",\"client\",\r\n\"Recording status already set.\",\"\",\"\",\"\",\"400\",\"45852\",\"ExpectedError\",\"client\",\r\n\"Bad request. All participants are already spotlighted\",\"\",\"\",\"\",\"400\",\"45900\",\"ExpectedError\",\"client\",\r\n\"Internal Error. Start spotlight for participants failed\",\"\",\"\",\"\",\"500\",\"45901\",\"UnexpectedServerError\",\"client\",\r\n\"Failed to start spotlight. Reached the maximum number of participants that can be Spotlighted.\",\"\",\"startSpotlight failed. {0} is the max number of participants that can be Spotlighted\",\"\",\"400\",\"45902\",\"ExpectedError\",\"client\",\r\n\"Failed to spotlight. User does not have a Presenter or Organizer role.\",\"\",\"{0} spotlight failed. 
User does not have a Presenter or Organizer role in {1}\",\"\",\"403\",\"45903\",\"ExpectedError\",\"client\",\r\n\"Spotlight feature is not enabled\",\"\",\"\",\"\",\"400\",\"45904\",\"ExpectedError\",\"client\",\r\n\"StartSpotlight failed. Participant list is empty\",\"\",\"\",\"\",\"400\",\"45905\",\"ExpectedError\",\"client\",\r\n\"Teams meeting audio conferencing feature is only available in meetings\",\"\",\"\",\"\",\"400\",\"45950\",\"ExpectedError\",\"client\",\r\n\"The Teams meeting audio conferencing details feature is disabled by ACS service.\",\"\",\"Teams meeting audio conferencing details feature is disabled\",\"\",\"405\",\"45951\",\"ExpectedError\",\"client\",\r\n\"Teams meeting audio conferencing details are not available before joining the Teams meeting\",\"\",\"\",\"\",\"400\",\"45952\",\"ExpectedError\",\"client\",\r\n\"Teams meeting audio conferencing details are not available in Lobby\",\"\",\"\",\"\",\"400\",\"45953\",\"ExpectedError\",\"client\",\r\n\"Teams meeting audio conferencing details is not configured\",\"\",\"\",\"\",\"400\",\"45954\",\"UnexpectedClientError\",\"client\",\r\n\"Error retrieving Teams meeting audio conferencing details\",\"\",\"\",\"\",\"500\",\"45955\",\"UnexpectedServerError\",\"client\",\r\n\"Transcription status already set.\",\"\",\"\",\"\",\"400\",\"46000\",\"ExpectedError\",\"client\",\r\n\"Transfer to target failed\",\"\",\"\",\"\",\"500\",\"46050\",\"UnexpectedClientError\",\"client\",\r\n\"Transfer is not supported in this call.\",\"\",\"\",\"\",\"400\",\"46051\",\"ExpectedError\",\"client\",\r\n\"Transfer target is not recognized.\",\"\",\"\",\"\",\"400\",\"46052\",\"ExpectedError\",\"client\",\r\n\"Invalid target participant type detected.\",\"\",\"Invalid target participant type detected: {0}.\",\"\",\"400\",\"46053\",\"ExpectedError\",\"client\",\r\n\"UnmixedAudio is not available.\",\"\",\"\",\"\",\"500\",\"46100\",\"UnexpectedClientError\",\"client\",\r\n\"The operation cannot be done because there is 
a pending operation\",\"\",\"\",\"\",\"400\",\"46101\",\"ExpectedError\",\"client\",\r\n\"The operation is not supported in peer-to-peer call\",\"\",\"\",\"\",\"400\",\"46102\",\"ExpectedError\",\"client\",\r\n\"Unmixed audio has been enabled\",\"\",\"\",\"\",\"400\",\"46103\",\"ExpectedError\",\"client\",\r\n\"Unmixed audio has been disabled\",\"\",\"\",\"\",\"400\",\"46104\",\"ExpectedError\",\"client\",\r\n\"Unmixed audio has been disposed\",\"\",\"\",\"\",\"400\",\"46105\",\"ExpectedError\",\"client\",\r\n\"Not able to subscribe or unsubscribe to UnmixedAudio event, unknown event name.\",\"\",\"Unable to {0} to event {1}, unknown event name\",\"\",\"422\",\"46106\",\"ExpectedError\",\"client\",\r\n\"Wrong argument type specified.\",\"\",\"TypeError: Expect '{0}' to be of type '{1}'\",\"\",\"400\",\"46107\",\"ExpectedError\",\"client\",\r\n\"Wrong value specified.\",\"\",\"ValueError: Expect '{0}' to be '{1}'\",\"\",\"400\",\"46108\",\"ExpectedError\",\"client\",\r\n\"Invalid state.\",\"\",\"Invalid state: {0}\",\"\",\"400\",\"46109\",\"ExpectedError\",\"client\",\r\n\"Unknown error\",\"\",\"\",\"\",\"500\",\"46110\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to enable unmixed audio: AudioContext={0}, UnmixedAudio={1}\",\"\",\"\",\"\",\"500\",\"46111\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to disable unmixed audio: AudioContext={0}, UnmixedAudio={1}\",\"\",\"\",\"\",\"500\",\"46112\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to initialize unmixed audio.\",\"\",\"\",\"\",\"500\",\"46113\",\"UnexpectedClientError\",\"client\",\r\n\"Video effects feature is currently disabled by Azure Communication Services.\",\"\",\"Disabled.\",\"\",\"403\",\"46150\",\"ExpectedError\",\"client\",\r\n\"VideoEffects feature is disposed. 
Create a new VideoEffects Feature instance.\",\"\",\"\",\"\",\"400\",\"46151\",\"ExpectedError\",\"client\",\r\n\"Current source is unsupported to use effects\",\"\",\"\",\"\",\"415\",\"46152\",\"ExpectedError\",\"client\",\r\n\"Failed to get device manager to start effects.\",\"\",\"\",\"\",\"500\",\"46153\",\"UnexpectedClientError\",\"client\",\r\n\"EffectProvider not available\",\"\",\"\",\"\",\"500\",\"46154\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to get WebCV provider.\",\"\",\"\",\"\",\"500\",\"46155\",\"UnexpectedClientError\",\"client\",\r\n\"Effect is not supported.\",\"\",\"\",\"\",\"501\",\"46156\",\"UnexpectedClientError\",\"client\",\r\n\"VideoEffects feature is disposed. Create a new VideoEffects Feature instance.\",\"\",\"\",\"\",\"400\",\"46157\",\"UnexpectedClientError\",\"client\",\r\n\"Failed to get device manager to stop effects.\",\"\",\"\",\"\",\"500\",\"46158\",\"UnexpectedClientError\",\"client\",\r\n\"Invalid effect provided\",\"\",\"\",\"\",\"400\",\"46159\",\"ExpectedError\",\"client\",\r\n\"Not able to subscribe to event {event}, unknown event name\",\"\",\"\",\"\",\"400\",\"46160\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe event {event}, unknown event name\",\"\",\"\",\"\",\"400\",\"46161\",\"ExpectedError\",\"client\",\r\n\"Timed promise; rejected.\",\"\",\"\",\"\",\"408\",\"46162\",\"UnexpectedClientError\",\"client\",\r\n\"Error while checking support\",\"\",\"\",\"\",\"501\",\"46163\",\"UnexpectedClientError\",\"client\",\r\n\"Error starting video effects\",\"\",\"\",\"\",\"500\",\"46164\",\"UnexpectedClientError\",\"client\",\r\n\"Error stopping video effects\",\"\",\"\",\"\",\"500\",\"46165\",\"UnexpectedClientError\",\"client\",\r\n\"Error disposing video effects feature\",\"\",\"\",\"\",\"500\",\"46166\",\"UnexpectedClientError\",\"client\",\r\n\"Effect is not available. 
Try again when the effect is initialized and available\",\"\",\"\",\"\",\"500\",\"46167\",\"UnexpectedClientError\",\"client\",\r\n\"Effect can not be enabled because of Teams Policy\",\"\",\"\",\"\",\"403\",\"46168\",\"ExpectedError\",\"client\",\r\n\"Local Recording feature is only available in meetings\",\"\",\"\",\"\",\"400\",\"46200\",\"ExpectedError\",\"client\",\r\n\"Local Recording feature is currently disabled by Azure Communication Service.\",\"\",\"Local Recording feature is disabled\",\"\",\"405\",\"46201\",\"ExpectedError\",\"client\",\r\n\"Not able to subscribe to LocalRecording event, unknown event name.\",\"\",\"Not able to subscribe to event {0}, unknown event name\",\"\",\"422\",\"46202\",\"ExpectedError\",\"client\",\r\n\"Not able to unsubscribe from LocalRecording event, unknown event name.\",\"\",\"Not able to unsubscribe event {0}, unknown event name\",\"\",\"422\",\"46203\",\"ExpectedError\",\"client\",\r\n\"Failed to start video, permission was not granted to use selected video device. 
Ensure video device permissions are allowed in the browser's settings and in the system's settings.\",\"\",\"Video operation failure permissionDeniedError\",\"\",\"403\",\"43001\",\"ExpectedError\",\"client\",\r\n\"Call ended successfully by local participant.\",\"\",\"\",\"\",\"0\",\"0\",\"Success\",\"service\",\r\n\"Call ended for all users by the meeting organizer.\",\"\",\"\",\"\",\"0\",\"4097\",\"Success\",\"service\",\r\n\"Call ended because user disconnected from the call abruptly, this may be a result of a user closing the application that hosted the call, eg a user terminated application, closed browser or browser tab without proper hang-up.\",\"\",\"\",\"\",\"0\",\"4521\",\"ExpectedError\",\"service\",\r\n\"Call ended for this participant as it was removed from the conversation by another participant.\",\"\",\"\",\"\",\"0\",\"5000\",\"Success\",\"service\",\r\n\"Call ended successfully, as all callee endpoints declined the call.\",\"\",\"\",\"\",\"0\",\"5003\",\"Success\",\"service\",\r\n\"This conversation has ended as only one participant was remaining in the conversation.\",\"\",\"\",\"\",\"0\",\"5010\",\"Success\",\"service\",\r\n\"This conversation has ended as no one else has joined the group call.\",\"\",\"\",\"\",\"0\",\"5013\",\"Success\",\"service\",\r\n\"\",\"\",\"\",\"\",\"0\",\"5014\",\"Success\",\"service\",\r\n\"Call ended for this participant as it was removed from the conversation by another participant.\",\"\",\"\",\"\",\"0\",\"5300\",\"Success\",\"service\",\r\n\"Removed from the Teams meeting lobby by another participant.\",\"\",\"\",\"\",\"0\",\"5854\",\"Success\",\"service\",\r\n\"Removed from Teams meeting lobby due to inactivity timeout.\",\"\",\"\",\"\",\"0\",\"5855\",\"Success\",\"service\",\r\n\"Call ended by Azure Communication Services platform.\",\"\",\"\",\"\",\"0\",\"7000\",\"Success\",\"service\",\r\n\"Call ended by service because transfer completed 
successfully.\",\"\",\"\",\"\",\"0\",\"7015\",\"Success\",\"service\",\r\n\"Call is ended.\",\"\",\"\",\"\",\"0\",\"540000\",\"\",\"service\",\r\n\"Call ended successfully by remote PSTN participant.\",\"\",\"\",\"\",\"0\",\"560000\",\"Success\",\"service\",\r\n\"Error from CreateUsageRequest: User is not entitled to call this destination.\",\"\",\"\",\"\",\"400\",\"580040\",\"ExpectedError\",\"service\",\r\n\"Unauthenticated identity.\",\"\",\"\",\"\",\"401\",\"10009\",\"UnexpectedClientError\",\"service\",\r\n\"Call ended, as it has been marked as a spam and got blocked.\",\"\",\"\",\"\",\"403\",\"510403\",\"ExpectedError\",\"service\",\r\n\"Call was forbidden, cancelled or rejected\",\"\",\"\",\"\",\"403\",\"560403\",\"UnexpectedClientError\",\"service\",\r\n\"Call failed, unable to start or join to a call with given Id, call does not exist. Please check if provided id is correct, and if the call did not end already and try again.\",\"\",\"\",\"\",\"404\",\"404\",\"UnexpectedClientError\",\"service\",\r\n\"Call failed, unable to start or join to a call with given Id, call does not exist. Please check if provided id is correct, and if the call did not end already and try again.\",\"\",\"\",\"\",\"404\",\"4500\",\"ExpectedError\",\"service\",\r\n\"Phone number not found.\",\"\",\"\",\"\",\"404\",\"560404\",\"ExpectedError\",\"service\",\r\n\"Call failed, callee failed to finalize call setup, most likely callee lost network or terminated the application abruptly. 
Ensure clients are connected and available.\",\"\",\"\",\"\",\"408\",\"10057\",\"ExpectedError\",\"service\",\r\n\"\",\"\",\"\",\"\",\"408\",\"10325\",\"UnexpectedClientError\",\"service\",\r\n\"Gateway (SBC) failover timer expired.\",\"\",\"\",\"\",\"408\",\"500001\",\"ExpectedError\",\"service\",\r\n\"The called party did not respond.\",\"\",\"\",\"\",\"408\",\"560408\",\"\",\"service\",\r\n\"Media dropped during connect.\",\"\",\"\",\"\",\"410\",\"3100\",\"ExpectedError\",\"service\",\r\n\"\",\"\",\"\",\"\",\"410\",\"3101\",\"\",\"service\",\r\n\"\",\"\",\"\",\"\",\"410\",\"3112\",\"\",\"service\",\r\n\"Participant was removed from the call by the Azure Communication Services infrastructure due to loss of media connectivity with Azure Communication Services infrastructure, this usually happens if participant leaves the call abruptly or loses network connectivity. If participant wants to continue the call, it should reconnect.\",\"\",\"\",\"\",\"410\",\"301005\",\"UnexpectedClientError\",\"service\",\r\n\"\",\"\",\"\",\"\",\"429\",\"5029\",\"ExpectedError\",\"service\",\r\n\"This call has exceeded the maximum call lifetime.\",\"\",\"\",\"\",\"429\",\"10110\",\"ExpectedError\",\"service\",\r\n\"Unable to deliver message to client application. Please ensure the client application is successfully sending network requests to Azure Communication Services.\",\"\",\"\",\"\",\"430\",\"10315\",\"\",\"service\",\r\n\"Unable to deliver message to client application. Please ensure the client application is successfully sending network requests to Azure Communication Services.\",\"\",\"\",\"\",\"430\",\"10317\",\"\",\"service\",\r\n\"\",\"\",\"\",\"\",\"480\",\"10037\",\"ExpectedError\",\"service\",\r\n\"Remote client endpoint not registered. 
Please ensure the client application is successfully sending network requests to Azure Communication Services.\",\"\",\"\",\"\",\"480\",\"10076\",\"ExpectedError\",\"service\",\r\n\"No answer.\",\"\",\"\",\"\",\"480\",\"560480\",\"UnexpectedServerError\",\"service\",\r\n\"Incomplete/Invalid callee address.\",\"\",\"\",\"\",\"484\",\"560484\",\"\",\"service\",\r\n\"Call ended because remote PSTN participant was busy. The number called was already in a call or having technical issues.\",\"\",\"\",\"\",\"486\",\"560486\",\"Success\",\"service\",\r\n\"Call ended successfully as caller cancelled the call.\",\"\",\"\",\"\",\"487\",\"0\",\"Success\",\"service\",\r\n\"Call canceled, locally declined, ended due to an endpoint mismatch issue, or failed to generate media offer.\",\"\",\"\",\"\",\"487\",\"4501\",\"\",\"service\",\r\n\"Call was accepted elsewhere, by another endpoint of this user.\",\"\",\"\",\"\",\"487\",\"10003\",\"Success\",\"service\",\r\n\"Call was canceled on timeout, no callee endpoint accepted on time. Ensure that user saw the notification and try to initiate that call again.\",\"\",\"\",\"\",\"487\",\"10004\",\"ExpectedError\",\"service\",\r\n\"Call ended successfully as it was declined by all callee endpoints.\",\"\",\"\",\"\",\"487\",\"10024\",\"Success\",\"service\",\r\n\"Call canceled, locally declined, ended due to an endpoint mismatch issue, or failed to generate media offer.\",\"\",\"\",\"\",\"487\",\"540200\",\"Success\",\"service\",\r\n\"Call ended successfully as caller cancelled the call.\",\"\",\"\",\"\",\"487\",\"540487\",\"Success\",\"service\",\r\n\"Call cancelled by originator.\",\"\",\"\",\"\",\"487\",\"560487\",\"\",\"service\",\r\n\"Call ended as application did not provide a valid Azure Communication Services token.\",\"\",\"\",\"\",\"495\",\"4507\",\"UnexpectedClientError\",\"service\",\r\n\"Azure Communication Services infrastructure error. 
Please gather browser console logs, .HAR file, and contact Azure Communication Services support.\",\"\",\"\",\"\",\"500\",\"10045\",\"\",\"service\",\r\n\"Unexpected server error\",\"\",\"\",\"\",\"503\",\"560503\",\"UnexpectedServerError\",\"service\",\r\n\"Call ended successfully as it was declined by callee.\",\"\",\"\",\"\",\"603\",\"0\",\"Success\",\"service\",\r\n];\r\nlet participants = materialize(ACSCallSummary\r\n| where CorrelationId == queryConditions_callId\r\n| where ParticipantId != CorrelationId and isnotempty(ParticipantId)\r\n| distinct ParticipantId, CallType);\r\n// For P2P case, we at most take 2 participants from the query.\r\nlet numOfResultRows = iff(toscalar(participants | project CallType | take 1) == 'P2P', 2, 1000);\r\nlet serviceSideParticipants = materialize(ACSCallSummary\r\n| where CorrelationId == queryConditions_callId\r\n// some participants don't have startTime, we use callStartTime instead.\r\n| extend ParticipantStartTime = coalesce(ParticipantStartTime, CallStartTime)\r\n| extend ParticipantEndTime = coalesce(ParticipantStartTime + 1s*ParticipantDuration, ParticipantStartTime + 10ms)\r\n| extend ParticipantEndSubCode = toreal(ParticipantEndSubCode)\r\n| join kind=leftouter hint.strategy=shuffle SubCodesMapping on $left.ParticipantEndSubCode == $right.subCode\r\n| extend EndReason = message\r\n| extend Rank = iff(isempty(ParticipantId) and CallType == 'P2P' and EndpointType == 'VoIP', -1, 1)\r\n| where CorrelationId != ParticipantId\r\n| extend ParticipantId = coalesce(ParticipantId, Identifier, EndpointId)\r\n| extend ParticipantId = iff(ParticipantId == 'Redacted', strcat('RedactedParticipant-', EndpointType, '-Identifier-', Identifier), ParticipantId)\r\n| extend EndpointId = iff(EndpointId == 'Redacted', strcat('RedactedEndpoint-', EndpointType, '-Identifier-', Identifier), EndpointId)\r\n| summarize hint.strategy = shuffle arg_max(TimeGenerated, *) by ParticipantId\r\n| extend CallDroppedUngracefully = ResultCategory 
contains 'Unexpected'\r\n| project\r\n ParentEntityId = CorrelationId,\r\n ParentEntityType = 'Call',\r\n EntityType = 'Participant',\r\n EntityId = ParticipantId,\r\n Server_EntityStartTime=ParticipantStartTime,\r\n Server_EntityEndTime=ParticipantEndTime,\r\n Server_EntityDuration=ParticipantDuration,\r\n EntityDisplayName = strcat('Participant-', ParticipantId),\r\n Server_EndReasonCode = toint(ParticipantEndReason),\r\n Server_EndReasonSubCode = toint(ParticipantEndSubCode),\r\n Server_EndReasonPhrase = EndReason,\r\n Server_ResultCategory = ResultCategory,\r\n Server_Identifer = Identifier,\r\n Server_EndpointId = EndpointId,\r\n Server_EndpointType = EndpointType,\r\n Server_ParticipantType = ParticipantType,\r\n Server_SdkVersion = SdkVersion,\r\n Server_OsVersion = OsVersion,\r\n Server_PstnParticipantCallType = PstnParticipantCallType,\r\n Server_CallDroppedUngracefully = CallDroppedUngracefully,\r\n GroupName = \"lifeCycle\");\r\n//\r\nlet sdkTypeRegex = @\"( .*-communication-calling)\";\r\nlet clientSideParticipants = materialize(ACSCallClientOperations\r\n| where ParticipantId in (participants) or CallId == queryConditions_callId\r\n| where isnotempty(OperationName) and OperationName != 'CallClientOperations' \r\nand isnotempty(OperationId) and isnotempty(CallClientTimeStamp)\r\n| where OperationName !in ('CallModeChanged', 'IdChanged')\r\n| extend OperationId = coalesce(hash_sha256(strcat(OperationId, tostring(CallClientTimeStamp), OperationName)), tostring(new_guid()))\r\n| summarize hint.strategy = shuffle arg_max(CallId, *) by OperationId\r\n| where isnotempty(ParticipantId)\r\n| extend OS = parse_user_agent(UserAgent, 'os').OperatingSystem\r\n| extend Browser = parse_user_agent(UserAgent, 'browser').Browser\r\n| extend OsVersion = strcat(OS.Family, \" \", OS.MajorVersion,'.', OS.MinorVersion)\r\n| extend Browser = strcat(Browser.Family, ' ', Browser.MajorVersion, '.', Browser.MinorVersion)\r\n| extend SDKType = extract(sdkTypeRegex, 1, 
UserAgent)\r\n| project OperationId, ParticipantId, CallId, CallClientTimeStamp, OperationName, OperationPayload, OsVersion, SdkVersion, ResultSignature, ResultType, UserAgent, Browser, SDKType\r\n| extend OperationPayload = todynamic(OperationPayload)\r\n| extend \r\n UFDQuality = coalesce(tostring(OperationPayload.DiagnosticQuality), tostring(OperationPayload.diagnosticQuality)),\r\n UFDType = coalesce(tostring(OperationPayload.DiagnosticChanged), tostring(OperationPayload.diagnosticChanged)),\r\n isUFD = OperationName == 'UserFacingDiagnostics',\r\n State = tostring(OperationPayload.NewState)\r\n| extend \r\n ResultType = iff(isUFD, iff(UFDQuality != 'Good' and not(UFDType has_any (\"SpeakingWhileMicrophoneIsMuted\", \"SpeakerMuted\")), 'Failed', 'Succeeded'), ResultType),\r\n CallDroppedUngracefully = iff(OperationName in ('EnterCall', 'Join', 'Hangup', 'StartCall', 'AcceptIncomingCall'), ResultType !in ('Succeeded', 'Success', 'ExpectedError'), bool(null)),\r\n Client_EndReasonCode = iff(OperationName in ('EnterCall', 'Join', 'Hangup', 'StartCall', 'AcceptIncomingCall'), toint(OperationPayload.Code), int(null)),\r\n Client_EndReasonSubCode = iff(OperationName in ('EnterCall', 'Join', 'Hangup', 'StartCall', 'AcceptIncomingCall'), toint(OperationPayload.SubCode), int(null)),\r\n Client_EndReasonPhrase = iff(OperationName in ('EnterCall', 'Join', 'Hangup', 'StartCall', 'AcceptIncomingCall'), tostring(OperationPayload.FailureReason), ''),\r\n Client_ResultCategory = iff(OperationName in ('EnterCall', 'Join', 'Hangup', 'StartCall', 'AcceptIncomingCall'), OperationPayload.ResultCategory, ''),\r\n ParticipantStartTime = iff(OperationName in ('Join', 'StartCall', 'EnterCall', 'AcceptIncomingCall') or State == 'Connected', CallClientTimeStamp, datetime(null)),\r\n ParticipantEndTime = iff(OperationName == 'Hangup' or State == 'Disconnected', CallClientTimeStamp, datetime(null))\r\n| summarize hint.strategy = shuffle arg_max(CallId, *), ResultType = 
iff(countif(ResultType !in ('Succeeded', 'Success', 'ExpectedError')) > 0, 'Failed', 'Succeeded'),\r\n CallDroppedUngracefully = take_any(CallDroppedUngracefully),\r\n ParticipantStartTimeApprox = min(CallClientTimeStamp), \r\n ParticipantEndTimeApprox = max(CallClientTimeStamp) by ParticipantId\r\n| extend \r\n ParticipantStartTime = coalesce(ParticipantStartTime, ParticipantStartTimeApprox),\r\n ParticipantEndTime = coalesce(ParticipantEndTime, ParticipantEndTimeApprox)\r\n| project\r\n ParentEntityId = queryConditions_callId,\r\n ParentEntityType = 'Call',\r\n EntityId = ParticipantId,\r\n EntityType = 'Participant',\r\n EntityDisplayName = strcat('Participant-', ParticipantId),\r\n Client_EntityStartTime=ParticipantStartTime,\r\n Client_EntityEndTime=ParticipantEndTime,\r\n Client_EntityDuration=tolong((ParticipantEndTime - ParticipantStartTime)/1s),\r\n Client_ParticipantType = 'ACS',\r\n Client_EndpointType = 'VoIP',\r\n Client_SdkVersion = SdkVersion,\r\n Client_OsVersion = OsVersion,\r\n Client_Browser = Browser,\r\n Client_SdkType = SDKType,\r\n Client_Insights_HasIssues = ResultType == 'Failed',\r\n Client_EndReasonCode,\r\n Client_EndReasonSubCode,\r\n Client_EndReasonPhrase,\r\n Client_ResultCategory,\r\n Client_CallDroppedUngracefully = CallDroppedUngracefully,\r\n GroupName = \"lifeCycle\");\r\n// Merge participantEntities from service side and client side, and if the participant exists in both sides, we take the one with higher Rank.\r\nunion serviceSideParticipants, clientSideParticipants\r\n| summarize \r\n ParentEntityId = take_any(ParentEntityId),\r\n ParentEntityType = take_any(ParentEntityType),\r\n EntityType = take_any(EntityType),\r\n EntityDisplayName = take_any(EntityDisplayName),\r\n Client_EntityStartTime = take_any(Client_EntityStartTime),\r\n Client_EntityEndTime = take_any(Client_EntityEndTime),\r\n Client_EntityDuration = take_any(Client_EntityDuration),\r\n Client_ParticipantType = take_any(Client_ParticipantType),\r\n 
Client_EndpointType = take_any(Client_EndpointType),\r\n Client_SdkVersion = take_any(Client_SdkVersion),\r\n Client_OsVersion = take_any(Client_OsVersion),\r\n Client_Insights_HasIssues = take_any(Client_Insights_HasIssues),\r\n Client_EndReasonCode = take_any(Client_EndReasonCode),\r\n Client_EndReasonSubCode = take_any(Client_EndReasonSubCode),\r\n Client_EndReasonPhrase = take_any(Client_EndReasonPhrase),\r\n Client_ResultCategory = take_any(Client_ResultCategory),\r\n Client_CallDroppedUngracefully = take_any(Client_CallDroppedUngracefully),\r\n Server_EntityStartTime = take_any(Server_EntityStartTime),\r\n Server_EntityEndTime = take_any(Server_EntityEndTime),\r\n Server_EntityDuration = take_any(Server_EntityDuration),\r\n Server_EndReasonCode = take_any(Server_EndReasonCode),\r\n Server_EndReasonSubCode = take_any(Server_EndReasonSubCode),\r\n Server_EndReasonPhrase = take_any(Server_EndReasonPhrase),\r\n Server_ResultCategory = take_any(Server_ResultCategory),\r\n Server_Identifer = take_any(Server_Identifer),\r\n Server_EndpointId = take_any(Server_EndpointId),\r\n Server_EndpointType = take_any(Server_EndpointType),\r\n Server_ParticipantType = take_any(Server_ParticipantType),\r\n Server_SdkVersion = take_any(Server_SdkVersion),\r\n Server_OsVersion = take_any(Server_OsVersion),\r\n Client_Browser = take_any(Client_Browser),\r\n Client_SDKType = take_any(Client_SdkType),\r\n Server_PstnParticipantCallType = take_any(Server_PstnParticipantCallType),\r\n Server_CallDroppedUngracefully = take_any(Server_CallDroppedUngracefully),\r\n GroupName = take_any(GroupName) by EntityId\r\n| extend CallDroppedUngracefully = coalesce(Client_CallDroppedUngracefully, Server_CallDroppedUngracefully)\r\n| extend\r\n // We prioritize the client side information over server side information.\r\n EntityStartTime = coalesce(Client_EntityStartTime, Server_EntityStartTime),\r\n EntityEndTime = coalesce(Client_EntityEndTime, Server_EntityEndTime),\r\n EntityDuration = 
coalesce(Client_EntityDuration, Server_EntityDuration),\r\n EntityPayload = bag_pack(\r\n 'EndReasonCode', coalesce(Client_EndReasonCode, Server_EndReasonCode),\r\n // Server side log doesn't have EndReasonSubCode, so we use client side EndReasonSubCode if it exists.\r\n 'EndReasonSubCode', coalesce(Client_EndReasonSubCode, Server_EndReasonSubCode),\r\n 'EndReasonPhrase', coalesce(Client_EndReasonPhrase, Server_EndReasonPhrase),\r\n 'ResultCategory', coalesce(Client_ResultCategory, Server_ResultCategory),\r\n 'ParticipantId', EntityId,\r\n 'CallDroppedUngracefully', CallDroppedUngracefully,\r\n 'Identifier', Server_Identifer,\r\n 'EndpointId', Server_EndpointId,\r\n // From service log ACSCallSummary it has actual ParticipantType, SdkVersion and OsVersion columns. \r\n // So we prioritize to use them to be consistent with the participants that can only be found in service log.\r\n 'ParticipantType', coalesce(Server_ParticipantType, Client_ParticipantType),\r\n 'EndpointType', Server_EndpointType,\r\n 'SdkVersion', coalesce(Server_SdkVersion, Client_SdkVersion),\r\n 'OsVersion', coalesce(Server_OsVersion, Client_OsVersion),\r\n 'Browser', Client_Browser,\r\n 'SDKType', Client_SDKType,\r\n 'PstnParticipantCallType', Server_PstnParticipantCallType\r\n ),\r\n // A participant is considered to have issues if it's dropped ungracefully or having client operations failures.\r\n Insights_HasIssues = Client_Insights_HasIssues or CallDroppedUngracefully,\r\n Insights_Payload = bag_pack(\r\n 'EndReasonCode', coalesce(Client_EndReasonCode, Server_EndReasonCode),\r\n // Server side log doesn't have EndReasonSubCode, so we use client side EndReasonSubCode if it exists.\r\n 'EndReasonSubCode', coalesce(Client_EndReasonSubCode, Server_EndReasonSubCode),\r\n 'EndReasonPhrase', coalesce(Client_EndReasonPhrase, Server_EndReasonPhrase),\r\n 'ResultCategory', coalesce(Client_ResultCategory, Server_ResultCategory),\r\n 'ParticipantId', EntityId,\r\n 'CallDroppedUngracefully', 
CallDroppedUngracefully\r\n )\r\n| project \r\n ParentEntityId,\r\n ParentEntityType,\r\n EntityId,\r\n EntityType,\r\n EntityDisplayName,\r\n EntityStartTime,\r\n EntityEndTime,\r\n EntityDuration,\r\n EntityPayload,\r\n Insights_HasIssues, \r\n Insights_Payload,\r\n GroupName","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallClientOperations","ACSCallSummary","ACSCallDiagnostics","ACSCallSurvey"]}},{"id":"c22325ab2-5ea1-3436-a5eb-14ad2ac4gb31","displayName":"Check network quality of all participants in a call","description":"Check the network quality of all participants in a call based on media stats and network UFD.","body":"// This query is used in Call Diagnostics to check if a participant has any poor network quality in a specific call.\r\n// First we check the media stats of that participant in the ACSCallDiagnostics to see if any of the metrics cross the threshold defined.\r\n// Then we check if the participant has any bad network related UFDs in ACSCallClientOperations log. 
\r\n// Finally, if the participant has any poor media metric or any bad network UFD, we flag that participant to be poor network quality in Call Diagnostic tool.\r\n// Replace queryConditions_callId with the callId you want to investigate.\r\n// Note this query is used in Call Diagnostics to determine participant with poor network quality.\r\ndeclare query_parameters(queryConditions_callId: string = 'replace-with-your-callId');\r\nlet rangeEventsWithCorrelation = dynamic(['UserFacingDiagnostics']);\r\nlet pointEvents = dynamic([\r\n 'SelectedMicrophoneChanged', 'SelectedSpeakerChanged', 'OptimalVideoCount-changed', 'State-changed', 'CallMode-changed',\r\n 'IsMuted-changed', 'IsIncomingAudioMuted-changed', 'Id-changed', 'Role-changed', 'SelectedDevice-changed', 'PageHidden',\r\n 'OptimalVideoCountChanged', 'StateChanged', 'IsMutedChanged', 'IsIncomingAudioMutedChanged', 'SelectedDeviceChanged']);\r\nlet participants = materialize(ACSCallSummary\r\n | where CorrelationId == queryConditions_callId\r\n | where ParticipantId != CorrelationId and isnotempty(ParticipantId)\r\n | extend CallEndTime = CallStartTime + 1s * CallDuration\r\n | distinct ParticipantId, CallStartTime, CallEndTime);\r\nlet OperationsTimestampLowerBound = max_of(toscalar(participants | project CallStartTime | take 1) - 2h, ago(365d));\r\nlet OperationsTimestampUpperBound = min_of(toscalar(participants | project CallEndTime | take 1) + 2h, now() + 365d);\r\n// We need clientIds to get all operations before call is established.\r\nlet callClientIds = materialize(ACSCallClientOperations\r\n | where OperationName !in ('CallModeChanged', 'IdChanged', 'RoleChanged')\r\n | where ParticipantId in ((participants | project ParticipantId)) or CallId == queryConditions_callId\r\n | where CallClientTimeStamp between (OperationsTimestampLowerBound..OperationsTimestampUpperBound)\r\n | distinct ClientInstanceId, ParticipantId);\r\n//\r\nlet allOperations = \r\n materialize(ACSCallClientOperations\r\n | where 
OperationName !in ('CallModeChanged', 'IdChanged', 'RoleChanged')\r\n | where CallClientTimeStamp between (OperationsTimestampLowerBound..OperationsTimestampUpperBound)\r\n | where ParticipantId in ((participants | project ParticipantId)) or CallId == queryConditions_callId or (isempty(CallId) and isempty(ParticipantId) and ClientInstanceId in ((callClientIds | distinct ClientInstanceId)))\r\n | where isnotempty(OperationName) and OperationName != 'CallClientOperations' \r\n and isnotempty(OperationId) and isnotempty(CallClientTimeStamp)\r\n | join kind=leftouter hint.strategy=shuffle callClientIds on ClientInstanceId \r\n | extend ParticipantId = coalesce(ParticipantId, ParticipantId1)\r\n | project-away ParticipantId1, ClientInstanceId1\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *) by OperationId, OperationName, CallClientTimeStamp);\r\n//\r\nlet correlatedOperations = materialize(allOperations\r\n | where OperationName in (rangeEventsWithCorrelation)\r\n | extend OperationPayload = todynamic(OperationPayload)\r\n | extend\r\n UFDQuality = tostring(OperationPayload.DiagnosticQuality),\r\n UFDType = tostring(OperationPayload.DiagnosticChanged)\r\n | extend UFDType = strcat(toupper(substring(UFDType, 0, 1)), substring(UFDType, 1))\r\n | extend OperationPayloadNew = bag_pack(tostring(CallClientTimeStamp), OperationPayload)\r\n | project-away ResultType\r\n // Make sure the UFD payload are aggregated in time-asc order.\r\n | order by CallClientTimeStamp asc\r\n | summarize hint.strategy = shuffle \r\n arg_max(TimeGenerated, *), ResultType = iff(countif(UFDQuality != 'Good') > 0, 'Failed', 'Succeeded'), \r\n OperationStartTime = min(CallClientTimeStamp), OperationEndTime = max(CallClientTimeStamp),\r\n OperationPayloadPacked = make_bag(OperationPayloadNew)\r\n by OperationId, UFDType\r\n | extend \r\n ResultType = iff(UFDType has_any (\"SpeakingWhileMicrophoneIsMuted\", \"SpeakerMuted\"), 'Succeeded', ResultType),\r\n OperationEndTime = 
max_of(OperationEndTime, OperationStartTime + 10ms)\r\n | extend OperationPayload = todynamic(OperationPayload)\r\n | extend UFDType = coalesce(tostring(OperationPayload.DiagnosticChanged), tostring(OperationPayload.diagnosticChanged))\r\n // Capitalize the first letter.\r\n | extend UFDType = strcat(toupper(substring(UFDType, 0, 1)), substring(UFDType, 1))\r\n | extend parent_entity_type = case(OperationName has_any ('StateChanged', 'AcceptIncomingCall', 'AskDevicePermission', 'CallAgentInit', 'EnterCall', \r\n 'Hangup', 'Hold', 'Join', 'PageHidden', 'RejectIncomingCall', 'SelectedDeviceChanged', \r\n 'StartCall'),\r\n 'Call',\r\n OperationName has_any (\r\n 'IsMuted-changed',\r\n 'IsIncomingAudioMuted-changed',\r\n 'IsIncomingAudioMutedChanged',\r\n 'IsMutedChanged',\r\n 'MuteMicrophone',\r\n 'UnmuteMicrophone',\r\n 'StartAudio',\r\n 'StopAudio',\r\n 'SelectedMicrophoneChanged',\r\n 'SelectedSpeakerChanged'\r\n ),\r\n 'Audio',\r\n OperationName has_any ('StartScreenShare', 'StopScreenShare'),\r\n 'ScreenSharing',\r\n OperationName has_any ('OptimalVideoCount-changed', 'OptimalVideoCountChanged'),\r\n 'Video',\r\n OperationName has_any ('SwitchSource'),\r\n case(\r\n tostring(OperationPayload.StreamType) == 'Video',\r\n 'Video',\r\n 'Audio'\r\n ),\r\n OperationName has_any ('CreateView', 'DisposeView', 'StartVideo', 'StopVideo'),\r\n case(\r\n tostring(OperationPayload.StreamType) == 'Video',\r\n 'Video',\r\n 'Audio'\r\n ),\r\n OperationName has_any ('CreateView', 'DisposeView', 'StartVideo', 'StopVideo'),\r\n case(\r\n tostring(OperationPayload.StreamType) == 'Video',\r\n 'Video',\r\n tostring(OperationPayload.StreamType) == 'ScreenSharing',\r\n 'ScreenSharing',\r\n 'Video'\r\n ),\r\n OperationName == 'UserFacingDiagnostics',\r\n case(\r\n UFDType contains 'Speak' or UFDType contains 'microphone',\r\n 'Audio',\r\n UFDType contains 'camera' or UFDType contains 'capture',\r\n 'Video',\r\n UFDType contains 'screenshare',\r\n 'ScreenSharing',\r\n UFDType contains 
'network',\r\n 'Network',\r\n 'Call'\r\n ),\r\n 'Call')\r\n | project\r\n ParentEntityId = strcat(ParticipantId, '-', parent_entity_type),\r\n ParentEntityType = parent_entity_type,\r\n OperationRoundtripId = OperationId,\r\n OperationId = OperationId,\r\n OperationName = OperationName,\r\n OperationType = UFDType,\r\n OperationStartTime,\r\n OperationEndTime,\r\n OperationDuration = DurationMs,\r\n OperationDisplayName = UFDType,\r\n OperationResultCode = toint(iff(ResultType !in ('Succeeded', 'Success', 'ExpectedError'), 500, 200)),\r\n OperationResult = ResultType,\r\n OperationPayload = OperationPayloadPacked,\r\n Insights_HasIssues = ResultType !in ('Succeeded', 'Success', 'ExpectedError'),\r\n ParticipantId,\r\n UserAgent\r\n | extend \r\n Insights_Payload = bag_pack('ResultType', OperationResult, 'ResultSignature', OperationResultCode, 'userAgent', UserAgent, 'ParticipantId', ParticipantId),\r\n ShowLabel = true\r\n | project-away UserAgent);\r\n//\r\nlet nonCorrelatedOperations = materialize(allOperations\r\n | where OperationName !in (rangeEventsWithCorrelation)\r\n | extend OperationId = coalesce(hash_sha256(strcat(OperationId, tostring(CallClientTimeStamp), OperationName)), tostring(new_guid()))\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *) by OperationId\r\n | extend OperationPayload = todynamic(OperationPayload)\r\n | extend UFDType = coalesce(tostring(OperationPayload.DiagnosticChanged), tostring(OperationPayload.diagnosticChanged))\r\n // Capitalize the first letter.\r\n | extend UFDType = strcat(toupper(substring(UFDType, 0, 1)), substring(UFDType, 1))\r\n | extend parent_entity_type = case(OperationName has_any ('StateChanged', 'AcceptIncomingCall', 'AskDevicePermission', 'CallAgentInit', 'EnterCall', \r\n 'Hangup', 'Hold', 'Join', 'PageHidden', 'RejectIncomingCall', 'SelectedDeviceChanged', \r\n 'StartCall'),\r\n 'Call',\r\n OperationName has_any (\r\n 'IsMuted-changed',\r\n 'IsIncomingAudioMuted-changed',\r\n 
'IsIncomingAudioMutedChanged',\r\n 'IsMutedChanged',\r\n 'MuteMicrophone',\r\n 'UnmuteMicrophone',\r\n 'StartAudio',\r\n 'StopAudio',\r\n 'SelectedMicrophoneChanged',\r\n 'SelectedSpeakerChanged'\r\n ),\r\n 'Audio',\r\n OperationName has_any ('StartScreenShare', 'StopScreenShare'),\r\n 'ScreenSharing',\r\n OperationName has_any ('OptimalVideoCount-changed', 'OptimalVideoCountChanged'),\r\n 'Video',\r\n OperationName has_any ('SwitchSource'),\r\n case(\r\n tostring(OperationPayload.StreamType) == 'Video',\r\n 'Video',\r\n 'Audio'\r\n ),\r\n OperationName has_any ('CreateView', 'DisposeView', 'StartVideo', 'StopVideo'),\r\n case(\r\n tostring(OperationPayload.StreamType) == 'Video',\r\n 'Video',\r\n 'Audio'\r\n ),\r\n OperationName has_any ('CreateView', 'DisposeView', 'StartVideo', 'StopVideo'),\r\n case(\r\n tostring(OperationPayload.StreamType) == 'Video',\r\n 'Video',\r\n tostring(OperationPayload.StreamType) == 'ScreenSharing',\r\n 'ScreenSharing',\r\n 'Video'\r\n ),\r\n OperationName == 'UserFacingDiagnostics',\r\n case(\r\n UFDType contains 'Speak' or UFDType contains 'microphone',\r\n 'Audio',\r\n UFDType contains 'camera' or UFDType contains 'capture',\r\n 'Video',\r\n UFDType contains 'screenshare',\r\n 'ScreenSharing',\r\n UFDType contains 'network',\r\n 'Network',\r\n 'Call'\r\n ),\r\n 'Call')\r\n | project\r\n ParentEntityId = strcat(ParticipantId, '-', parent_entity_type),\r\n ParentEntityType = parent_entity_type,\r\n OperationRoundtripId = OperationId,\r\n OperationId = OperationId,\r\n OperationName,\r\n OperationType=OperationName,\r\n OperationEndTime=CallClientTimeStamp,\r\n OperationStartTime=iff(OperationName in (pointEvents), CallClientTimeStamp, CallClientTimeStamp - max_of(DurationMs, 10) * 1ms),\r\n OperationDuration=DurationMs,\r\n OperationDisplayName = OperationName,\r\n OperationResultCode = ResultSignature,\r\n OperationResult = ResultType,\r\n OperationPayload,\r\n Insights_HasIssues = ResultType !in ('Succeeded', 'Success', 
'ExpectedError'),\r\n Insights_Payload = bag_pack('ResultType', ResultType, 'ResultSignature', ResultSignature, 'userAgent', UserAgent, 'ParticipantId', ParticipantId),\r\n ParticipantId,\r\n ShowLabel = true);\r\nlet poorOperations = materialize((union nonCorrelatedOperations, correlatedOperations)\r\n | where Insights_HasIssues\r\n | extend \r\n ParentEntityId = ParticipantId,\r\n ParentEntityType = 'Participant',\r\n OperationId = strcat('Participant-Issues-', OperationId),\r\n GroupName = \"lifeCycle\",\r\n ShowLabel = false);\r\nunion poorOperations, nonCorrelatedOperations, correlatedOperations\r\n| project\r\n ParentEntityId,\r\n ParentEntityType,\r\n OperationId,\r\n OperationRoundtripId = OperationId,\r\n OperationName,\r\n OperationDisplayName,\r\n OperationResultCode,\r\n OperationResult,\r\n OperationType,\r\n OperationStartTime,\r\n OperationEndTime,\r\n OperationPayload,\r\n Insights_HasIssues,\r\n Insights_Payload,\r\n GroupName,\r\n ShowLabel","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallClientOperations","ACSCallDiagnostics"]}},{"id":"b22325db4-5ea1-3436-a5eb-14ad2ab4gb31","displayName":"Fetch time series media stats of all participants in a call","description":"Fetch time series media stats of all participants in a given call based on ACSCallClientMediaStatsTimeSeries log","body":"// Replace queryConditions_callId with the callId you want to investigate.\r\n// Note this query is used in Call Diagnostics timeline page to get all the time series media metrics for all participants in the call.\r\ndeclare query_parameters(queryConditions_callId:string = 'replace-with-your-callId');\r\nACSCallClientMediaStatsTimeSeries\r\n| where CallId == queryConditions_callId\r\n| extend lcMediaStreamType = tolower(MediaStreamType)\r\n| extend lcMediaStreamDirection = 
tolower(MediaStreamDirection)\r\n| extend isIncoming = case(\r\n lcMediaStreamDirection == 'recv', true,\r\n lcMediaStreamDirection == 'incoming', true, \r\n false)\r\n| extend isOutgoing = \r\n case(lcMediaStreamDirection == 'send', true,\r\n lcMediaStreamDirection == 'outgoing', true,\r\n false)\r\n| extend MediaStreamDirectionType = case(isIncoming == true, 'recv', \"send\")\r\n| summarize hint.strategy = shuffle arg_max(OperationName, *) by CallClientTimeStamp, MetricName, MediaStreamDirection, MediaStreamType, MediaStreamDirectionType\r\n| order by CallClientTimeStamp asc\r\n| summarize hint.strategy = shuffle arg_max(OperationName, *), newAverage = avg(Average) by CallClientTimeStamp, MetricName, MediaStreamDirection, MediaStreamType, MediaStreamDirectionType \r\n| summarize hint.strategy = shuffle\r\n Timestamps = make_list(CallClientTimeStamp), \r\n Values = make_list(newAverage), \r\n MediaStreamCodec = make_list(MediaStreamCodec) by MetricName, ParticipantId, MediaStreamDirection, MediaStreamType, MediaStreamDirectionType \r\n| extend (Timestamps, Values, MediaStreamCodec) = array_sort_asc(Timestamps, Values, MediaStreamCodec)\r\n| project Timestamps, Values, MediaStreamCodec, MetricName, ParticipantId, MediaStreamDirection, MediaStreamType, MediaStreamDirectionType","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallClientMediaStatsTimeSeries"]}},{"id":"d22137ab2-6ba3-2426-a2eb-14ad1bc1gb32","displayName":"Search all client operations in a call","description":"Find all client operations for all participants in a call by callId. 
This query is also used in Call Diagnostics to search for client operations.","body":"// Replace queryConditions_callId with the callId you want to investigate.\r\n// Note this query is used in Call Diagnostics to get all the operations in the call.\r\ndeclare query_parameters(queryConditions_callId: string = 'replace-with-your-callId');\r\nlet rangeEventsWithCorrelation = dynamic(['UserFacingDiagnostics']);\r\nlet pointEvents = dynamic([\r\n 'SelectedMicrophoneChanged', 'SelectedSpeakerChanged', 'OptimalVideoCount-changed', 'State-changed', 'CallMode-changed',\r\n 'IsMuted-changed', 'IsIncomingAudioMuted-changed', 'Id-changed', 'Role-changed', 'SelectedDevice-changed', 'PageHidden',\r\n 'OptimalVideoCountChanged', 'StateChanged', 'IsMutedChanged', 'IsIncomingAudioMutedChanged', 'SelectedDeviceChanged']);\r\nlet participants = materialize(ACSCallSummary\r\n | where CorrelationId == queryConditions_callId\r\n | where ParticipantId != CorrelationId and isnotempty(ParticipantId)\r\n | extend CallEndTime = CallStartTime + 1s * CallDuration\r\n | distinct ParticipantId, CallStartTime, CallEndTime);\r\nlet OperationsTimestampLowerBound = max_of(toscalar(participants | project CallStartTime | take 1) - 2h, ago(365d));\r\nlet OperationsTimestampUpperBound = min_of(toscalar(participants | project CallEndTime | take 1) + 2h, now() + 365d);\r\n// We need clientIds to get all operations before call is established.\r\nlet callClientIds = materialize(ACSCallClientOperations\r\n | where OperationName !in ('CallModeChanged', 'IdChanged', 'RoleChanged')\r\n | where ParticipantId in ((participants | project ParticipantId)) or CallId == queryConditions_callId\r\n | where CallClientTimeStamp between (OperationsTimestampLowerBound..OperationsTimestampUpperBound)\r\n | distinct ClientInstanceId, ParticipantId);\r\n//\r\nlet allOperations = \r\n materialize(ACSCallClientOperations\r\n | where OperationName !in ('CallModeChanged', 'IdChanged', 'RoleChanged')\r\n | where 
CallClientTimeStamp between (OperationsTimestampLowerBound..OperationsTimestampUpperBound)\r\n | where ParticipantId in ((participants | project ParticipantId)) or CallId == queryConditions_callId or (isempty(CallId) and isempty(ParticipantId) and ClientInstanceId in ((callClientIds | distinct ClientInstanceId)))\r\n | where isnotempty(OperationName) and OperationName != 'CallClientOperations' \r\n and isnotempty(OperationId) and isnotempty(CallClientTimeStamp)\r\n | join kind=leftouter hint.strategy=shuffle callClientIds on ClientInstanceId \r\n | extend ParticipantId = coalesce(ParticipantId, ParticipantId1)\r\n | project-away ParticipantId1, ClientInstanceId1\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *) by OperationId, OperationName, CallClientTimeStamp);\r\n//\r\nlet correlatedOperations = materialize(allOperations\r\n | where OperationName in (rangeEventsWithCorrelation)\r\n | extend OperationPayload = todynamic(OperationPayload)\r\n | extend\r\n UFDQuality = tostring(OperationPayload.DiagnosticQuality),\r\n UFDType = tostring(OperationPayload.DiagnosticChanged)\r\n | extend UFDType = strcat(toupper(substring(UFDType, 0, 1)), substring(UFDType, 1))\r\n | extend OperationPayloadNew = bag_pack(tostring(CallClientTimeStamp), OperationPayload)\r\n | project-away ResultType\r\n // Make sure the UFD payload are aggregated in time-asc order.\r\n | order by CallClientTimeStamp asc\r\n | summarize hint.strategy = shuffle \r\n arg_max(TimeGenerated, *), ResultType = iff(countif(UFDQuality != 'Good') > 0, 'Failed', 'Succeeded'), \r\n OperationStartTime = min(CallClientTimeStamp), OperationEndTime = max(CallClientTimeStamp),\r\n OperationPayloadPacked = make_bag(OperationPayloadNew)\r\n by OperationId, UFDType\r\n | extend \r\n ResultType = iff(UFDType has_any (\"SpeakingWhileMicrophoneIsMuted\", \"SpeakerMuted\"), 'Succeeded', ResultType),\r\n OperationEndTime = max_of(OperationEndTime, OperationStartTime + 10ms)\r\n | extend OperationPayload = 
todynamic(OperationPayload)\r\n | extend UFDType = coalesce(tostring(OperationPayload.DiagnosticChanged), tostring(OperationPayload.diagnosticChanged))\r\n // Capitalize the first letter.\r\n | extend UFDType = strcat(toupper(substring(UFDType, 0, 1)), substring(UFDType, 1))\r\n | extend parent_entity_type = case(OperationName has_any ('StateChanged', 'AcceptIncomingCall', 'AskDevicePermission', 'CallAgentInit', 'EnterCall', \r\n 'Hangup', 'Hold', 'Join', 'PageHidden', 'RejectIncomingCall', 'SelectedDeviceChanged', \r\n 'StartCall'),\r\n 'Call',\r\n OperationName has_any (\r\n 'IsMuted-changed',\r\n 'IsIncomingAudioMuted-changed',\r\n 'IsIncomingAudioMutedChanged',\r\n 'IsMutedChanged',\r\n 'MuteMicrophone',\r\n 'UnmuteMicrophone',\r\n 'StartAudio',\r\n 'StopAudio',\r\n 'SelectedMicrophoneChanged',\r\n 'SelectedSpeakerChanged'\r\n ),\r\n 'Audio',\r\n OperationName has_any ('StartScreenShare', 'StopScreenShare'),\r\n 'ScreenSharing',\r\n OperationName has_any ('OptimalVideoCount-changed', 'OptimalVideoCountChanged'),\r\n 'Video',\r\n OperationName has_any ('SwitchSource'),\r\n case(\r\n tostring(OperationPayload.StreamType) == 'Video',\r\n 'Video',\r\n 'Audio'\r\n ),\r\n OperationName has_any ('CreateView', 'DisposeView', 'StartVideo', 'StopVideo'),\r\n case(\r\n tostring(OperationPayload.StreamType) == 'Video',\r\n 'Video',\r\n 'Audio'\r\n ),\r\n OperationName has_any ('CreateView', 'DisposeView', 'StartVideo', 'StopVideo'),\r\n case(\r\n tostring(OperationPayload.StreamType) == 'Video',\r\n 'Video',\r\n tostring(OperationPayload.StreamType) == 'ScreenSharing',\r\n 'ScreenSharing',\r\n 'Video'\r\n ),\r\n OperationName == 'UserFacingDiagnostics',\r\n case(\r\n UFDType contains 'Speak' or UFDType contains 'microphone',\r\n 'Audio',\r\n UFDType contains 'camera' or UFDType contains 'capture',\r\n 'Video',\r\n UFDType contains 'screenshare',\r\n 'ScreenSharing',\r\n UFDType contains 'network',\r\n 'Network',\r\n 'Call'\r\n ),\r\n 'Call')\r\n | project\r\n 
ParentEntityId = strcat(ParticipantId, '-', parent_entity_type),\r\n ParentEntityType = parent_entity_type,\r\n OperationRoundtripId = OperationId,\r\n OperationId = OperationId,\r\n OperationName = OperationName,\r\n OperationType = UFDType,\r\n OperationStartTime,\r\n OperationEndTime,\r\n OperationDuration = DurationMs,\r\n OperationDisplayName = UFDType,\r\n OperationResultCode = toint(iff(ResultType !in ('Succeeded', 'Success', 'ExpectedError'), 500, 200)),\r\n OperationResult = ResultType,\r\n OperationPayload = OperationPayloadPacked,\r\n Insights_HasIssues = ResultType !in ('Succeeded', 'Success', 'ExpectedError'),\r\n ParticipantId,\r\n UserAgent\r\n | extend \r\n Insights_Payload = bag_pack('ResultType', OperationResult, 'ResultSignature', OperationResultCode, 'userAgent', UserAgent, 'ParticipantId', ParticipantId),\r\n ShowLabel = true\r\n | project-away UserAgent);\r\n//\r\nlet nonCorrelatedOperations = materialize(allOperations\r\n | where OperationName !in (rangeEventsWithCorrelation)\r\n | extend OperationId = coalesce(hash_sha256(strcat(OperationId, tostring(CallClientTimeStamp), OperationName)), tostring(new_guid()))\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *) by OperationId\r\n | extend OperationPayload = todynamic(OperationPayload)\r\n | extend UFDType = coalesce(tostring(OperationPayload.DiagnosticChanged), tostring(OperationPayload.diagnosticChanged))\r\n // Capitalize the first letter.\r\n | extend UFDType = strcat(toupper(substring(UFDType, 0, 1)), substring(UFDType, 1))\r\n | extend parent_entity_type = case(OperationName has_any ('StateChanged', 'AcceptIncomingCall', 'AskDevicePermission', 'CallAgentInit', 'EnterCall', \r\n 'Hangup', 'Hold', 'Join', 'PageHidden', 'RejectIncomingCall', 'SelectedDeviceChanged', \r\n 'StartCall'),\r\n 'Call',\r\n OperationName has_any (\r\n 'IsMuted-changed',\r\n 'IsIncomingAudioMuted-changed',\r\n 'IsIncomingAudioMutedChanged',\r\n 'IsMutedChanged',\r\n 'MuteMicrophone',\r\n 
'UnmuteMicrophone',\r\n 'StartAudio',\r\n 'StopAudio',\r\n 'SelectedMicrophoneChanged',\r\n 'SelectedSpeakerChanged'\r\n ),\r\n 'Audio',\r\n OperationName has_any ('StartScreenShare', 'StopScreenShare'),\r\n 'ScreenSharing',\r\n OperationName has_any ('OptimalVideoCount-changed', 'OptimalVideoCountChanged'),\r\n 'Video',\r\n OperationName has_any ('SwitchSource'),\r\n case(\r\n tostring(OperationPayload.StreamType) == 'Video',\r\n 'Video',\r\n 'Audio'\r\n ),\r\n OperationName has_any ('CreateView', 'DisposeView', 'StartVideo', 'StopVideo'),\r\n case(\r\n tostring(OperationPayload.StreamType) == 'Video',\r\n 'Video',\r\n 'Audio'\r\n ),\r\n OperationName has_any ('CreateView', 'DisposeView', 'StartVideo', 'StopVideo'),\r\n case(\r\n tostring(OperationPayload.StreamType) == 'Video',\r\n 'Video',\r\n tostring(OperationPayload.StreamType) == 'ScreenSharing',\r\n 'ScreenSharing',\r\n 'Video'\r\n ),\r\n OperationName == 'UserFacingDiagnostics',\r\n case(\r\n UFDType contains 'Speak' or UFDType contains 'microphone',\r\n 'Audio',\r\n UFDType contains 'camera' or UFDType contains 'capture',\r\n 'Video',\r\n UFDType contains 'screenshare',\r\n 'ScreenSharing',\r\n UFDType contains 'network',\r\n 'Network',\r\n 'Call'\r\n ),\r\n 'Call')\r\n | project\r\n ParentEntityId = strcat(ParticipantId, '-', parent_entity_type),\r\n ParentEntityType = parent_entity_type,\r\n OperationRoundtripId = OperationId,\r\n OperationId = OperationId,\r\n OperationName,\r\n OperationType=OperationName,\r\n OperationEndTime=CallClientTimeStamp,\r\n OperationStartTime=iff(OperationName in (pointEvents), CallClientTimeStamp, CallClientTimeStamp - max_of(DurationMs, 10) * 1ms),\r\n OperationDuration=DurationMs,\r\n OperationDisplayName = OperationName,\r\n OperationResultCode = ResultSignature,\r\n OperationResult = ResultType,\r\n OperationPayload,\r\n Insights_HasIssues = ResultType !in ('Succeeded', 'Success', 'ExpectedError'),\r\n Insights_Payload = bag_pack('ResultType', ResultType, 
'ResultSignature', ResultSignature, 'userAgent', UserAgent, 'ParticipantId', ParticipantId),\r\n ParticipantId,\r\n ShowLabel = true);\r\nlet poorOperations = materialize((union nonCorrelatedOperations, correlatedOperations)\r\n | where Insights_HasIssues\r\n | extend \r\n ParentEntityId = ParticipantId,\r\n ParentEntityType = 'Participant',\r\n OperationId = strcat('Participant-Issues-', OperationId),\r\n GroupName = \"lifeCycle\",\r\n ShowLabel = false);\r\nunion poorOperations, nonCorrelatedOperations, correlatedOperations\r\n| project\r\n ParentEntityId,\r\n ParentEntityType,\r\n OperationId,\r\n OperationRoundtripId = OperationId,\r\n OperationName,\r\n OperationDisplayName,\r\n OperationResultCode,\r\n OperationResult,\r\n OperationType,\r\n OperationStartTime,\r\n OperationEndTime,\r\n OperationPayload,\r\n Insights_HasIssues,\r\n Insights_Payload,\r\n GroupName,\r\n ShowLabel","tags":{"Topic":["CallClientOperations"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallClientOperations","ACSCallSummary"]}},{"id":"a6552tt9-5ed2-4965-b7fb-62ee5ac0ff66","displayName":"Metrics per each media type","description":"List all the media metrics included in the ACSCallClientMediaStatsTimeSeries log for each media stream type.","body":"ACSCallClientMediaStatsTimeSeries\r\n| distinct MetricName, MediaStreamType","tags":{"Topic":["CallClientMediaStatsTimeSeries"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallClientMediaStatsTimeSeries"]}},{"id":"a3552tt9-4ed2-4665-b7eb-61ee5ac0fc46","displayName":"Metric histogram per media type and direction","description":"Plot the histogram of selected metric, per callId, participantId, media type and meida direction","body":"let 
PlotMetricHistogram = (_MetricName: string, _ParticipantId: string = '', _CallId: string = '', _MediaStreamType: string = '', _MediaStreamDirection: string = '') {\r\n // _MetricName: the name of the metric. This must be set.\r\n // _ParticipantId: set this variable if want to just plot the metric value histogram for a specific partiticpant.\r\n // _CallId: set this variable if want to just plot the metric value histogram for a specific call.\r\n // _MediaStreamType: possible values can be: 'audio', 'video', 'screen'.\r\n // _MediaStreamDirection: possible values can be: 'recv', 'send'.\r\n ACSCallClientMediaStatsTimeSeries\r\n | where MetricName == _MetricName\r\n | where isempty(_ParticipantId) or ParticipantId == _ParticipantId\r\n | where isempty(_CallId) or CallId == _CallId\r\n | where isempty(_MediaStreamType) or MediaStreamType == _MediaStreamType\r\n | where isempty(_MediaStreamDirection) or MediaStreamDirection == _MediaStreamDirection\r\n | summarize count=count() by Average\r\n | render columnchart title=strcat(_MetricName, \" Histogram\")\r\n};\r\n// Below plots the histogram for jitter for all outbound audio streams\r\nPlotMetricHistogram('JitterInMs', _MediaStreamType='audio', _MediaStreamDirection='send')","tags":{"Topic":["CallClientMediaStatsTimeSeries"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallClientMediaStatsTimeSeries"]}},{"id":"d0fad1c6-6580-4c19-ad0b-d410db4e04d6","displayName":"Loop play success rate","description":"Calculates the number of success and failures of the play operation when played in loop or not.","body":"ACSCallAutomationMediaSummary\r\n| where OperationName == \"Play\"\r\n| summarize playedInLoopCount=count() by PlayInLoop, 
ResultType","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationMediaSummary"]}},{"id":"b838972e-f1e4-4141-be20-fcb264e283ac","displayName":"Play to participant success rate","description":"Calculates the number of success and failures of the play operation when played to a participant or to all.","body":"ACSCallAutomationMediaSummary\r\n| where OperationName == \"Play\"\r\n| summarize playedToCount=count() by PlayToParticipant, ResultType","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationMediaSummary"]}},{"id":"77b86d68-0cad-4dbe-a475-89f76f524035","displayName":"Recognize success rate","description":"Calculates the number of success and failures of the recognize operation.","body":"ACSCallAutomationMediaSummary\r\n| where OperationName == \"Recognize\"\r\n| summarize recognizeCount=count() by ResultType","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationMediaSummary"]}},{"id":"aad69aaf-18e3-480a-93f3-5e4fac15f772","displayName":"Success rate by sub operation name","description":"Calculates the number of success and failures of the recognize operation based on its sub operation name.","body":"ACSCallAutomationIncomingOperations\r\n| join ACSCallAutomationMediaSummary on OperationId\r\n| where OperationName == \"Recognize\"\r\n| summarize recognizeCount=count() by SubOperationName, ResultType1\r\n| project SubOperationName, EventResultType = ResultType1, 
recognizeCount","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationMediaSummary"]}},{"id":"064165C0-C98A-490F-B1CC-EEB7E97E14D7","displayName":"Advanced Messaging operations","description":"Returns all distinct combinations of Advanced Messaging operation and version pairs.","body":"ACSAdvancedMessagingOperations\r\n| distinct OperationName, OperationVersion \r\n| limit 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSAdvancedMessagingOperations"]}},{"id":"C413DD46-FC07-4503-BD46-6675865964D9","displayName":"Advanced Messaging operation duration percentiles","description":"Calculates the 90th, 95th, and 99th percentiles of run duration in milliseconds for each chat operation. 
It can be customized to be run for a single operation, or for other percentiles.","body":"ACSAdvancedMessagingOperations\r\n// where OperationName == \"\" // This can be uncommented and specified to calculate only a single operation's duration percentiles\r\n| summarize percentiles(DurationMs, 90, 95, 99) by OperationName, OperationVersion // calculate 90th, 95th, and 99th percentiles of each Operation\r\n| limit 100\r\n","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSAdvancedMessagingOperations"]}},{"id":"43BDBB0E-EDEB-4553-9D3B-0F0FCD634A2A","displayName":"Advanced Messaging top 5 IP addresses per operation","description":"For every Advanced Messaging operation, fetch the 5 IP addresses that have called that operation the most.","body":"ACSAdvancedMessagingOperations\r\n// | where OperationName == \"\" // This can be uncommented and specified to calculate only a single operation's count\r\n| top-nested of OperationName by dummy=max(0), // For all the Operations...\r\n top-nested 5 of CallerIpAddress by count() // List the IP address that have called that operation the most\r\n| project-away dummy // Remove dummy line from the result set\r\n| limit 100","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSAdvancedMessagingOperations"]}},{"id":"11E85FFF-DB30-44EB-BF92-C1B2AE87FA67","displayName":"Advanced Messaging operational errors","description":"List every Advanced Messaging error ordered by recency.","body":"ACSAdvancedMessagingOperations\r\n| where ResultType == \"Failed\"\r\n| project TimeGenerated, OperationName, OperationVersion, ResultSignature, ResultDescription\r\n| order by TimeGenerated desc\r\n| limit 
100","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSAdvancedMessagingOperations"]}},{"id":"903C2AAD-D6B3-4EBE-B36F-489BAE2CE89B","displayName":"Advanced Messaging operation result counts","description":"For every Advanced Messaging operation, count the types of returned results.","body":"ACSAdvancedMessagingOperations\r\n| summarize Count = count() by OperationName, OperationVersion, ResultType //, ResultSignature // This can also be uncommented to determine the count of each ResultSignature for each ResultType \r\n| order by OperationName asc, Count desc\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSAdvancedMessagingOperations"]}},{"id":"5A911040-8674-47FB-B9F6-82F16E98F6EE","displayName":"Advanced Messaging channel activity","description":"Summary of the message activity per channel for the past 24 hours.","body":"ACSAdvancedMessagingOperations\r\n| where TimeGenerated > ago(24h)\r\n| summarize count() by ChannelId, MessageType\r\n| order by ChannelId asc","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSAdvancedMessagingOperations"]}},{"id":"ADB6AFF9-FEAD-443C-BCC8-704F586CC5A4","displayName":"Advanced Messaging message status count","description":"Count of message status for the past 24 hours.","body":"ACSAdvancedMessagingOperations\r\n| where TimeGenerated > ago(24h)\r\n| summarize Count = count() by MessageType, MessageStatus\r\n| order by MessageType asc, Count 
desc","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSAdvancedMessagingOperations"]}},{"id":"9a6be894-4674-4d77-8d2e-844a8eb28eae","displayName":"Number of calls with MediaStreaming active","description":"Calculates the number of calls that had MediaStreaming active.","body":"ACSCallAutomationStreamingUsage \r\n | where StreamingModality contains \"AudioStreaming\" \r\n | summarize NumCallsWithMediaStreamingActive = dcount(CallConnectionId) ","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationIncomingOperations"]}},{"id":"a00fc011-6091-440b-8284-f9fac99a7afe","displayName":"MediaStreaming operation Success count","description":"Calculates the number of success of the MediaStreaming operation.","body":"ACSCallAutomationIncomingOperations\r\n// Filter OperationName to view results for each API. 
\r\n | where OperationName in (\"StartMediaStreaming\", \"StopMediaStreaming\")\r\n | where tostring(ResultSignature) matches regex \"2..\"\r\n | summarize MediaStreamingSuccess=count() by ResultSignature","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationIncomingOperations"]}},{"id":"e804b73f-639a-4b9c-acc2-cbbbfa2ef312","displayName":"MediaStreaming operation Failure count","description":"Calculates the number of failures of the MediaStreaming operation.","body":"ACSCallAutomationIncomingOperations \r\n// Filter OperationName to view results for each API.\r\n | where OperationName in (\"StartMediaStreaming\", \"StopMediaStreaming\")\r\n | where tostring(ResultSignature) matches regex \"5..\"\r\n | summarize MediaStreamingFailures=count() by ResultSignature","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationIncomingOperations"]}},{"id":"ad05f177-82ee-43fb-8454-522e08f987e0","displayName":"Media Streaming minutes","description":"Calculates the total number of streaming minutes of the MediaStreaming operation.","body":"ACSCallAutomationStreamingUsage \r\n | where StreamingModality contains \"AudioStreaming\" \r\n | summarize TotalMinutesStreamed = sum(StreamingDurationInMs)/60000","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationStreamingUsage"]}},{"id":"dfa672f3-f6ae-4eda-8550-1f7fbf1bcca1","displayName":"Media Streaming minutes per call","description":"Calculates the total number of streaming 
minutes of the MediaStreaming operation per call.","body":"// Get total number of minutes of streams recorded per call. This will sum up all durations of streams in each call.\r\n// For Media Streaming, Streams would be defined as and calculated per call as follows:\r\n// - Mixed MediaStreaming: Total number of minutes streamed in each session between a start request and stop request/call-end/error.\r\n// eg: if the streaming session was 10 minutes and there were 3 participants during the session, the stream length would be 10 minutes total.\r\n// - Unmixed MediaStreaming: Total number of minutes streamed in each session between a start request and stop request/call-end/error.\r\n// or joining and leaving events per participant in that session.\r\n// eg: if the streaming session was 10 minutes and there were 3 participants during the session, the stream length would be 3x10 = 30 minutes total.\r\nACSCallAutomationStreamingUsage\r\n | where StreamingModality contains \"AudioStreaming\"\r\n | summarize TotalMinutesStreamedPerCall = sum(StreamingDurationInMs)/60000 by CallConnectionId","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationStreamingUsage"]}},{"id":"6b2c4057-669d-493d-a6b3-fbb2a2f44fb3","displayName":"Media Streaming minutes per call per participant","description":"Calculates the total number of streaming minutes of the MediaStreaming operation per call per participant.","body":"// Get total number of minutes of streams recorded per participant in each call. 
This applies only to the unmixed MediaStreaming cases.\r\n// For Media Streaming, Streams would be defined as and calculated per call as follows:\r\n// - Unmixed MediaStreaming: Total number of minutes streamed in each session between a start request and stop request/call-end/error.\r\n// or joining and leaving events per participant in that session.\r\n// eg: In a single call,\r\n// if streaming session (1) was 10 minutes participant (a) and (b) were in that session;\r\n// if streaming session (2) was 05 minutes participant (b) and (c) were in that session;\r\n// if streaming session (3) was 07 minutes participant (a), (b) and (c) were in that session;\r\n// then the total minutes per participant would be: \r\n// participant (a) = 17 minutes,\r\n// participant (b) = 22 minutes,\r\n// participant (c) = 12 minutes\r\nACSCallAutomationStreamingUsage\r\n| where StreamingModality == \"AudioStreamingUnmixed\"\r\n| summarize TotalMinutesStreamedPerParticipant = sum(StreamingDurationInMs)/60000 by CallConnectionId, ParticipantId ","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationStreamingUsage"]}},{"id":"a45ed096-b8c6-4ce1-ba2e-a6b5a52a7aae","displayName":"Number of calls with Transcription active","description":"Calculates the number of calls that had Transcription active.","body":"ACSCallAutomationStreamingUsage \r\n | where StreamingModality == \"Transcription\" \r\n | summarize NumCallsWithTranscriptionActive = dcount(CallConnectionId)","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationIncomingOperations"]}},{"id":"64844757-e0db-4568-845c-cf608593778c","displayName":"Transcription 
operation Success count","description":"Calculates the number of success of the Transcription operation.","body":"ACSCallAutomationIncomingOperations\r\n// Filter OperationName to view results for each API.\r\n | where OperationName in (\"StartTranscription\", \"StopTranscription\", \"UpdateTranscription\")\r\n | where tostring(ResultSignature) matches regex \"2..\"\r\n | summarize TranscriptionSuccess=count()","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationIncomingOperations"]}},{"id":"6c58d1d8-5dfe-4a65-9764-4bd50fbcf37d","displayName":"Transcription operation Failure count","description":"Calculates the number of failures of the Transcription operation.","body":"ACSCallAutomationIncomingOperations \r\n// Filter OperationName to view results for each API.\r\n | where OperationName in (\"StartTranscription\", \"StopTranscription\", \"UpdateTranscription\")\r\n | where tostring(ResultSignature) matches regex \"5..\"\r\n | summarize TranscriptionFailures=count()","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationIncomingOperations"]}},{"id":"d99254bc-99b3-421b-ba6c-8ef7d465ecfc","displayName":"Transcription streaming minutes","description":"Calculates the total number of streaming minutes of the Transcription operation.","body":"ACSCallAutomationStreamingUsage \r\n | where StreamingModality == \"Transcription\" \r\n | summarize TotalMinutesStreamed = 
sum(StreamingDurationInMs)/60000","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationStreamingUsage"]}},{"id":"1b5f6e45-fefc-465e-ae38-5d5a57ce5d1a","displayName":"Transcription streaming minutes per call","description":"Calculates the total number of streaming minutes of the Transcription operation per call.","body":"// Get total number of minutes of streams recorded per call. This will sum up all durations of streams in each call.\r\n// For Transcription, Streams would be defined as and calculated per call as follows:\r\n// Total number of minutes streamed in each session between a start request and stop request/call-end/error.\r\n// or joining and leaving events per participant in that session.\r\n// eg: if the streaming session was 10 minutes and there were 3 participants during the session, the stream length would be 3x10 = 30 minutes total.\r\nACSCallAutomationStreamingUsage\r\n | where StreamingModality == \"Transcription\"\r\n | summarize TotalMinutesStreamedPerCall = sum(StreamingDurationInMs)/60000 by CallConnectionId","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationStreamingUsage"]}},{"id":"cd98dfa9-1467-4c31-a378-b65063fea535","displayName":"Transcription streaming minutes per call per participant","description":"Calculates the total number of streaming minutes of the Transcription operation per call per participant.","body":"// Get total number of minutes of streams recorded per participant in each call.\r\n// For Transcription, Streams would be defined as and calculated per call as follows:\r\n// Total number of minutes streamed in each session between a start request 
and stop request/call-end/error.\r\n// or joining and leaving events per participant in that session.\r\n// eg: In a single call,\r\n// if streaming session (1) was 10 minutes participant (a) and (b) were in that session;\r\n// if streaming session (2) was 05 minutes participant (b) and (c) were in that session;\r\n// if streaming session (3) was 07 minutes participant (a), (b) and (c) were in that session;\r\n// then the total minutes per participant would be: \r\n// participant (a) = 17 minutes,\r\n// participant (b) = 22 minutes,\r\n// participant (c) = 12 minutes\r\nACSCallAutomationStreamingUsage\r\n| where StreamingModality == \"Transcription\"\r\n| summarize TotalMinutesStreamedPerParticipant = sum(StreamingDurationInMs)/60000 by CallConnectionId, ParticipantId ","tags":{"Topic":["CallOverview"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"tables":["ACSCallAutomationStreamingUsage"]}},{"id":"3eb92137-5019-4eb0-8a01-7480256befea","displayName":"How many times a resource was granted grants per pipeline run?","description":"Return the number of times access was granted for resources during pipeline run. Grouped by the type of grant: Entitlement (by participant in production mode), Referenced (by participant in test mode) or Owner (by the owner of the resource).","body":"//=================================================================================================================================================================\r\n// summarize by CorrelationId groups audits by pipeline run. 
For more details about summarize see: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/summarizeoperator\r\nACICollaborationAudit\r\n| summarize PipelineExecutedOn=max(TimeGenerated), ResourceAccessGrantCount=count(), EntitlementResult=array_strcat(make_set(EntitlementResult), ',') by CorrelationId, GrantType, TargetResourceId\r\n| project-away CorrelationId\r\n| order by PipelineExecutedOn desc, TargetResourceId asc\r\n| top 100 by PipelineExecutedOn;\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.datacollaboration/workspaces"],"tables":["ACICollaborationAudit"]}},{"id":"bc25e051-3518-4aa2-9493-2dc1abf176b1","displayName":"What entitlements was granted to my resource?","description":"Find entitlements that was granted to CI resources. Can be used to query a specific resource.","body":"//==============================================================================================\r\n// For specific results, insert values in the let statements and uncomment the where filters within the query\r\n// let partialResourceId = \"\");\r\nACICollaborationAudit\r\n| where GrantType == 'Entitlement'\r\n//| where TargetResourceId has partialResourceId\r\n| extend ShortOperationName=tostring(array_slice(split(OperationName, '/'), -1, -1)[0])\r\n| summarize TimeGenerated=max(TimeGenerated), EntitlementResult=array_strcat(make_set(EntitlementResult), ','), \r\n GrantSource=any(GrantSource), GrantSourceType=any(GrantSourceType),\r\n TargetResourceId=any(TargetResourceId), TargetResourceType=any(TargetResourceType), ParticipantName=any(ParticipantName),\r\n OperationName=any(ShortOperationName)\r\n by GrantCorrelationId\r\n| project-away GrantCorrelationId\r\n| order by TimeGenerated desc\r\n| limit 
100;\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.datacollaboration/workspaces"],"tables":["ACICollaborationAudit"]}},{"id":"acd263c0-a5a3-42cd-af74-d12df6f577e3","displayName":"What resources were granted access by an entitlement?","description":"Find CI resources that were entitled for access. Can be used to query a specific entitlement.","body":"//============================================================================================\r\n// For specific results, insert values in the let statements and uncomment the where filters within the query\r\n// let entitlementOrContract = \"\");\r\nACICollaborationAudit \r\n| where GrantType == 'Entitlement'\r\n//| where GrantSource has entitlementOrContract\r\n| extend ShortOperationName=tostring(array_slice(split(OperationName, '/'), -1, -1)[0])\r\n| summarize TimeGenerated=max(TimeGenerated), EntitlementResult=array_strcat(make_set(EntitlementResult), ','),\r\n TargetResourceId=any(TargetResourceId), TargetResourceType=any(TargetResourceType), \r\n ParticipantName=any(ParticipantName), GrantSource=any(GrantSource), GrantSourceType=any(GrantSourceType),\r\n OperationName=any(ShortOperationName)\r\n by GrantCorrelationId\r\n| project-away GrantCorrelationId\r\n| order by TimeGenerated desc\r\n| limit 100;\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.datacollaboration/workspaces"],"tables":["ACICollaborationAudit"]}},{"id":"1c7e3db4-ce89-43b3-a951-b7948e6f4874","displayName":"Which participants were granted access to my resource?","description":"Find participants that were granted access to CI resources. 
Can be used to query a specific resource.","body":"//=====================================================================================================\r\n// For specific results, insert values in the let statements and uncomment the where filters within the query\r\n// let partialParticipantName = \"\");\r\nACICollaborationAudit \r\n| where GrantType == 'Entitlement'\r\n//| where ParticipantName contains partialParticipantName\r\n| extend ShortOperationName=tostring(array_slice(split(OperationName, '/'), -1, -1)[0])\r\n| summarize TimeGenerated=max(TimeGenerated), EntitlementResult=array_strcat(make_set(EntitlementResult), ','),\r\n TargetResourceId=any(TargetResourceId), TargetResourceType=any(TargetResourceType), \r\n GrantSource=any(GrantSource), GrantSourceType=any(GrantSourceType),\r\n OperationName=any(ShortOperationName), ParticipantName=any(ParticipantName)\r\n by GrantCorrelationId\r\n| project-away GrantCorrelationId\r\n| order by TimeGenerated desc\r\n| limit 100;\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.datacollaboration/workspaces"],"tables":["ACICollaborationAudit"]}},{"id":"1681882b-e00c-408b-8cd3-4f0b58374d7a","displayName":"Discovered object","description":"Find discovered objects, or if transfer started.","body":"DataTransferOperations\r\n| where Status == \"SenderProcessing\"\r\n| limit 100","properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.azuredatatransfer/connections"],"tables":["DataTransferOperations"]}},{"id":"9d7c3fe3-1f56-4a92-9888-7ba597e3b0d2","displayName":"Terminal object state","description":"Find objects that have been completed. 
Can be used to find if transfer completed successfully or in error state.","body":"DataTransferOperations \r\n| where Status == \"Rejected\"\r\n or Status == \"Delivered\"\r\n or Status == \"Failed\"\r\n| limit 100","properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.azuredatatransfer/connections"],"tables":["DataTransferOperations"]}},{"id":"30a46f4f-dc1a-43e1-9fe4-c82750e218b3","displayName":"Malicious scan objects per storage account","description":"Scan objects with malicious scan results group by storage account name.","body":"StorageMalwareScanningResults\r\n| where ScanResultType == \"Malicious\"\r\n| summarize ScannedObjectUris = make_list(ScannedObjectUri), count() by StorageAccountName","properties":{"ExampleQuery":true},"related":{"categories":["audit","security"],"resourceTypes":["microsoft.security/defenderforstoragesettings"],"tables":["StorageMalwareScanningResults"]}},{"id":"dd5cd0fc-683c-4ace-a7da-ef6afd649407","displayName":"Unsuccessful Scans","description":"Unsuccessful scans grouped by verdict and error information with related scanned object uris list, containing failed scans and encrypted objects.","body":"StorageMalwareScanningResults\r\n| where ScanResultType in (\"Error\", \"Not Scanned\")\r\n| summarize count(), BlobUris = make_list(BlobUri) by ScanResultType, ScanResultDetails","properties":{"ExampleQuery":true},"related":{"categories":["audit","security"],"resourceTypes":["microsoft.security/defenderforstoragesettings"],"tables":["StorageMalwareScanningResults"]}},{"id":"bc4366ef-b269-43f2-aad7-4919e5defdfb","displayName":"Data History operation failure logs","description":"Failed operation events logged when data history messages are sent to the time series database.","body":"ADTDataHistoryOperation\r\n| where ResultType == \"Failure\"\r\n| take 
100\r\n","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"],"tables":["ADTDataHistoryOperation"]}},{"id":"5fdb334b-28ad-411e-8679-e9ef7f40ad1f","displayName":"Data History egress latency","description":"Delivery latency of data history messages sent to the time series database.","body":"ADTDataHistoryOperation\r\n| where OperationName == \"Microsoft.DigitalTwins/digitalTwinsInstances/datahistory/messages/send/action\"\r\n| summarize percentile(DurationMs, 99) by bin(TimeGenerated, 5m)\r\n","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"],"tables":["ADTDataHistoryOperation"]}},{"id":"24310862-5ed4-41f6-b7b0-66176ac8a4f3","displayName":"DNS queries by virtual network and return code","description":"Summarize count of DNS queries by virtual network and return code.","body":"DNSQueryLogs\r\n| summarize count() by VirtualNetworkId, ResponseCode","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.network/dnsresolverpolicies"],"tables":["DNSQueryLogs"]}},{"id":"9b5542ef-7676-40ad-999d-efba45f42e9c","displayName":"Authentication error query","description":"Authentication errors report by session name.","body":"EGNFailedMqttConnections\r\n| where ResultSignature == \"AuthenticationError\"\r\n| summarize count() by SessionName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/namespaces"],"tables":["EGNFailedMqttConnections"]}},{"id":"22db387f-49a3-4b3e-88a4-13b1b00728b8","displayName":"Disconnections reason query","description":"Disconnections report by reasons.","body":"EGNMqttDisconnections\r\n| 
summarize count() by ResultSignature","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/namespaces"],"tables":["EGNMqttDisconnections"]}},{"id":"7a684553-e9ad-4fd8-a31f-75c1a4db8d2c","displayName":"Session disconnections query","description":"Disconnections report by session names.","body":"EGNMqttDisconnections\r\n| summarize count() by SessionName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/namespaces"],"tables":["EGNMqttDisconnections"]}},{"id":"56bf07f2-0029-4c3a-9eb1-22320fd92b39","displayName":"Session connections query","description":"Connections report by session names.","body":"EGNSuccessfulMqttConnections\r\n| summarize count() by SessionName","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/namespaces"],"tables":["EGNSuccessfulMqttConnections"]}},{"id":"60E4B8B4-31FA-4BA7-9155-44AF1DDA8BA3","displayName":"TLS 1.3 Lower query","description":"Clients using TLS of version lower than 1.3.","body":"EGNSuccessfulHttpDataPlaneOperations\r\n| where TLSVersion != \"1.3\"\r\n| summarize count() by CallerIpAddress","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/namespaces"],"tables":["EGNFailedHttpDataPlaneOperations","EGNSuccessfulHttpDataPlaneOperations"]}},{"id":"1a5d3292-cb61-4372-bf32-0c013cb15625","displayName":"Publish failures by topic and error","description":"Publish failures logs by topic name and error message.","body":"AegPublishFailureLogs \r\n| parse Message with * \"), 
httpStatusCode=\" HttpStatusCode \",\" * \", errorMessage=\" ErrorMessage \r\n| parse _ResourceId with * \"/topics/\" TopicName \r\n| project TimeGenerated, _ResourceId, TopicName, TenantId, OperationName, HttpStatusCode, ErrorMessage\r\n| summarize by _ResourceId, TopicName, HttpStatusCode, ErrorMessage","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/topics"],"tables":["AegPublishFailureLogs"]}},{"id":"14ed6864-b898-400d-9083-b811bca96cb5","displayName":"Delivery failures by topic and error","description":"Delivery failures logs by topic name and error message.","body":"AegDeliveryFailureLogs \r\n| parse Message with * \", httpStatusCode=\" HttpStatusCode \",\" * \"., errorMessage=\" ErrorMessage \",\" *\r\n| parse _ResourceId with * \"/topics/\" TopicName \r\n| summarize by _ResourceId, TopicName, ErrorMessage","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/topics"],"tables":["AegDeliveryFailureLogs"]}},{"id":"09073e9b-334f-43b8-8b42-58ddf7e6b1e2","displayName":"Unique unauthorized or forbidden client IP addresses","description":"Get a list of client IP addresses from which EventGrid received unauthorized or forbidden requests.","body":"EventGridDataPlaneRequests\r\n| where OperationResult == \"Unauthorized\" or OperationResult == \"Forbidden\"\r\n| summarize count() by ClientIpAddress","tags":{"Topic":["Diagnostics","Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.eventgrid/topics"],"tables":["AegDataPlaneRequests"]}},{"id":"eaa7957b-aecb-406b-be10-f48696b0ecehdel","displayName":"Publish detailed error logs","description":"Publish detailed error logs for 
diagnostics.","body":"AZMSDiagnosticErrorLogs\r\n| where Provider =~ \"EventHub\"\r\n| project ActivityName, _ResourceId, OperationResult,ErrorMessage\r\n| summarize by ActivityName","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AZMSDiagnosticErrorLogs"]}},{"id":"8a0df091-26c3-4e64-a3b9-d2b2bd397c4e","displayName":"Publish success data for topics","description":"Publish success data for topics for OperationLogs.","body":"AZMSOperationalLogs\r\n| extend TopicName = tostring(split(_ResourceId, \"/\")[10])\r\n| where Provider =~ \"EventHub\"\r\n| where isnotnull(TopicName) and Status == \"Succeeded\"\r\n| project TopicName, _ResourceId, EventName, Status, Caller, _SubscriptionId\r\n| summarize by TopicName, EventName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AZMSOperationalLogs"]}},{"id":"c6b1a9cd-8b76-468d-8a00-b3be3040cf2b","displayName":"Publish failures for subscription","description":"Publish management action failures for subscription.","body":"AZMSOperationalLogs\r\n| extend SubInfo = _SubscriptionId\r\n| where Provider =~ \"EventHub\"\r\n| where isnotnull(SubInfo) and Status != \"Succeeded\"\r\n| project SubInfo, _ResourceId, EventName, Status, Caller\r\n| summarize by SubInfo, EventName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AZMSOperationalLogs"]}},{"id":"2600882e-3766-4e90-8823-4f1285d4595c","displayName":"Publish failures for namespace","description":"Publish management action failures for namespace.","body":"AZMSOperationalLogs\r\n| extend 
NamespaceName = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"EventHub\"\r\n| where isnotnull(NamespaceName) and Status != \"Succeeded\"\r\n| project NamespaceName, _ResourceId, EventName, Status, Caller, _SubscriptionId\r\n| summarize by NamespaceName, EventName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AZMSOperationalLogs"]}},{"id":"719df79c-282d-49ff-9163-35542afe3e47","displayName":"Publish deny connection by namespace","description":"Publish deny connection by namespace on network data.","body":"AZMSVnetConnectionEvents\r\n| extend NamespaceName = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"EventHub\"\r\n| where Action == \"Deny Connection\"\r\n| project Action, _SubscriptionId, NamespaceName, AddressIp, Reason, Count\r\n| summarize by Action, NamespaceName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AZMSVnetConnectionEvents"]}},{"id":"cc0aeb16-1fe2-43c5-b483-cc8aba72b41c","displayName":"Publish namespace vnet data","description":"Publish vnet data for namespace by action status.","body":"AZMSVnetConnectionEvents\r\n| extend NamespaceName = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"EventHub\"\r\n| project Action, _SubscriptionId, NamespaceName, AddressIp, Reason, Count, _ResourceId\r\n| summarize by NamespaceName, Action","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AZMSVnetConnectionEvents"]}},{"id":"b1101646-c48a-4f18-83b9-2a3af4cd2c2b","displayName":"Publish successful connection 
for AMQP protocol","description":"Publish runtime successful connection for Advanced Message Queuing Protocol(AMQP).","body":"AZMSRunTimeAuditLogs\r\n| where Provider =~ \"EventHub\"\r\n| where Protocol == \"AMQP\" and Status == \"Success\"\r\n| project ActivityName, Protocol, NetworkType, ClientIp, _ResourceId\r\n| summarize by ActivityName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AZMSRunTimeAuditLogs"]}},{"id":"b8df4aec-7c87-46e1-a6fb-d20b9c0e0ef0","displayName":"Publish failed AAD logs","description":"Publish the failed entries for AAD auth.","body":"AZMSRunTimeAuditLogs \r\n| extend NamespaceInfo = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"EventHub\"\r\n| where isnotnull(NamespaceInfo) and isnotnull(AuthKey) and AuthType == \"AAD\" and Status != \"Success\" \r\n| project NamespaceInfo, AuthKey, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId\r\n| summarize by NamespaceInfo, AuthKey, ActivityName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AZMSRunTimeAuditLogs"]}},{"id":"bcb23e62-59f9-4b81-b7f9-91f2157c051f","displayName":"Publish failed SAS logs","description":"Publish the failed entries for SAS auth.","body":"AZMSRunTimeAuditLogs \r\n| extend NamespaceInfo = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"EventHub\"\r\n| where isnotnull(NamespaceInfo) and isnotnull(AuthKey) and AuthType == \"SAS\" and Status != \"Success\" \r\n| project NamespaceInfo, AuthKey, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId\r\n| summarize by NamespaceInfo, AuthKey, 
ActivityName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AZMSRunTimeAuditLogs"]}},{"id":"b48bce62-0ab9-4b29-9d48-fd0602f175c3","displayName":"Publish failure for send message","description":"Publish the runtime failure for send message event.","body":"AZMSRunTimeAuditLogs \r\n| extend NamespaceInfo = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"EventHub\"\r\n| where isnotnull(NamespaceInfo) and Status != \"Success\" and ActivityName == \"SendMessage\"\r\n| project NamespaceInfo, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId\r\n| summarize by NamespaceInfo, ActivityName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AZMSRunTimeAuditLogs"]}},{"id":"8741ae6e-c9d1-4af4-8e8b-e139342c94cd","displayName":"Publish failure for Namespace","description":"Publish the runtime failure for multiple namespaces.","body":"AZMSRunTimeAuditLogs \r\n| extend NamespaceInfo = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"EventHub\"\r\n| where isnotnull(NamespaceInfo) and Status != \"Success\"\r\n| project NamespaceInfo, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId\r\n| summarize by NamespaceInfo, ActivityName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AZMSRunTimeAuditLogs"]}},{"id":"6e754b00-8d1b-4191-a332-fe3c746d64ee","displayName":"[Classic] Errors in the last 7 days","description":"This lists all the errors for the last 7 days.","body":"AzureDiagnostics\r\n| where ResourceProvider 
==\\\"MICROSOFT.EVENTHUB\\\"\r\n| where Category == \\\"OperationalLogs\\\"\r\n| summarize count() by \\\"EventName\\\", _ResourceId","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AZMSRunTimeAuditLogs"]}},{"id":"eeafb4d2-cc77-45de-8ee4-bcc7f804fa9b","displayName":"[Classic] Duration of Capture failure","description":"Summarizes the duration of failures on Capture.","body":"AzureDiagnostics\r\n| where ResourceProvider == \\\"MICROSOFT.EVENTHUB\\\"\r\n| where Category == \\\"ArchiveLogs\\\"\r\n| summarize count() by \\\"failures\\\", \\\"durationInSeconds\\\", _ResourceId","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AzureDiagnostics"]}},{"id":"375f9d9e-29bd-44ba-84ef-f30bbf8edbbb","displayName":"[Classic] Join request for client","description":"Summarizes the status of join requests for the client.","body":"AzureDiagnostics // Need to turn on the Capture for this \r\n| where ResourceProvider == \\\"MICROSOFT.EVENTHUB\\\"\r\n| project \\\"OperationName\\\"\r\n","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AzureDiagnostics"]}},{"id":"03935bbe-6dcb-4712-a695-cba2e583784f","displayName":"[Classic] Access to keyvault - key not found","description":"Summarizes the access to keyvault when the key is not found.","body":"// To create an alert for this query, click '+ New alert rule'\r\nAzureDiagnostics\r\n| where ResourceProvider == \\\"MICROSOFT.EVENTHUB\\\"\r\n| where Category == \\\"Error\\\" and OperationName == \\\"wrapkey\\\"\r\n| project Message, 
_ResourceId","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AzureDiagnostics"]}},{"id":"88ab8b25-c3c5-4c97-a93f-8e3158dc487e","displayName":"[Classic] Operation performed with keyvault","description":"Summarizes the operation performed with keyvault to disable or restore the key.","body":"AzureDiagnostics\r\n| where ResourceProvider == \\\"MICROSOFT.EVENTHUB\\\"\r\n| where Category == \\\"info\\\" and OperationName == \\\"disable\\\" or OperationName == \\\"restore\\\"\r\n| project Message","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"],"tables":["AzureDiagnostics"]}},{"id":"5eea8814-60dd-4d3c-bec0-3c364c88efca","displayName":"Network rule logs","description":"Packets that matched Network rules. Both packet and rule metadata is displayed.","body":"AZFWNetworkRule\r\n| take 100","tags":{"Topic":["Firewall Logs (Resource Specific Tables)"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"tables":["AZFWNetworkRule"]}},{"id":"8146e954-5df5-4eaa-afe6-1cef6c1583cb","displayName":"Application rule logs","description":"Connections that matched Application rules. HTTP, HTTPS and MSSQL are supported. 
Both connection and rule metadata is displayed.","body":"AZFWApplicationRule\r\n| take 100\r\n","tags":{"Topic":["Firewall Logs (Resource Specific Tables)"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"tables":["AZFWApplicationRule"]}},{"id":"ddacb4dd-a7c6-4f36-9642-71a0fac3a34c","displayName":"DNAT rule logs","description":"Connections which were redirected to a client behind the firewall's NAT rules.","body":"AZFWNatRule\r\n| take 100","tags":{"Topic":["Firewall Logs (Resource Specific Tables)"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"tables":["AZFWNatRule"]}},{"id":"3d806161-ab30-4c7c-a4fc-9bae0622e531","displayName":"Threat intelligence logs","description":"Threat intelligence events recognized by the firewall.","body":"AZFWThreatIntel\r\n| take 100","tags":{"Topic":["Firewall Logs (Resource Specific Tables)"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"tables":["AZFWThreatIntel"]}},{"id":"dca5053f-af30-44dc-bfa7-089e61668991","displayName":"DNS proxy logs","description":"DNS Proxy events. These logs are only available when DNS Proxy is enabled.","body":"AZFWDnsQuery\r\n| take 100","tags":{"Topic":["Firewall Logs (Resource Specific Tables)"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"tables":["AZFWDnsQuery"]}},{"id":"ae4119c9-1e46-4b3f-b9a6-df570e93e6f9","displayName":"IDPS event logs","description":"IDPS events. 
These logs are only available when IDPS is enabled.","body":"AZFWIdpsSignature\r\n| take 100\r\n","tags":{"Topic":["Firewall Logs (Resource Specific Tables)"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"tables":["AZFWIdpsSignature"]}},{"id":"2705d573-c84c-4b40-973c-2aba2407ff22","displayName":"Internal FQDN resolution failures","description":"Failures encountered when the firewall is unable to resolve an FQDN for a rule.","body":"AZFWInternalFqdnResolutionFailure\r\n| take 100","tags":{"Topic":["Firewall Logs (Resource Specific Tables)"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"tables":["AZFWInternalFqdnResolutionFailure"]}},{"id":"04205bbc-69b9-4c56-8ef6-f99814abfcba","displayName":"Azure Firewall Top Flow Logs","description":"Identify top flows across Azure Firewall instances. Log contains flow information, data transmission rate (in Megabits per second) and the time period when the flows were recorded.","body":"// Get the fatflows from past 1000 samples with rate atleast 5 mbps\r\nAZFWFatFlow\r\n| take 1000\r\n| order by TimeGenerated desc\r\n| where FlowRate > 5\r\n","tags":{"Topic":["Firewall Logs (Resource Specific Tables)"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"tables":["AZFWFatFlow"]}},{"id":"616c413f-dc29-402c-851e-3b524865ce2a","displayName":"Azure Firewall flow trace logs","description":"Identify flow traces across Azure Firewall instances. 
Log contains flow information, flags and the time period when the flows were recorded.","body":"AZFWFlowTrace\r\n| where Flag == \"INVALID\"\r\n| order by TimeGenerated desc\r\n| take 100\r\n","tags":{"Topic":["Firewall Logs (Resource Specific Tables)"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"tables":["AZFWFlowTrace"]}},{"id":"4d2fd56b-a0d4-42e1-8d0d-31e60f2e005b","displayName":"All firewall decisions","description":"All decision taken by firewall. Contains hits on network, application and NAT rules, as well as threat intelligence hits and IDPS signature hits.","body":"AZFWNetworkRule\r\n| union AZFWApplicationRule, AZFWNatRule, AZFWThreatIntel, AZFWIdpsSignature\r\n| take 100","tags":{"Topic":["Firewall Logs (Resource Specific Tables)"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"tables":["AZFWNetworkRule","AZFWApplicationRule","AZFWNatRule","AZFWThreatIntel","AZFWIdpsSignature"]}},{"id":"b2bd1ca4-8a33-11ec-8fd3-00155dd7661c","displayName":"Show login error events","description":"A list of login error event sorted by time.","body":"AGSGrafanaLoginEvents\r\n| where Level == \"Error\"\r\n| sort by TimeGenerated asc\r\n| take 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.dashboard/grafana"],"tables":["AGSGrafanaLoginEvents"]}},{"id":"e2c1b8a7-4f8b-4e2a-9a3d-2c6e8f7d5b1c","displayName":"Most recent actionable Interop logs","description":"Get user actionable logs generated by Interop service.","body":"AHCIDiagnosticLogs\r\n| order by TimeGenerated desc\r\n| take 
100\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.healthcareinterop/workspaces"],"tables":["AHCIDiagnosticLogs"]}},{"id":"e8a2f7c1-5b3d-4c9a-9e2f-7d1b6a4c2f8e","displayName":"Log count per correlation ID","description":"Get the count of the logs emitted from the Interop service per correlation ID.","body":"AHCIDiagnosticLogs\r\n| summarize Count = count() by CorrelationId\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.healthcareinterop/workspaces"],"tables":["AHCIDiagnosticLogs"]}},{"id":"68299a2f-71a3-4795-a11c-9dfc7b2d0651","displayName":"Most recent actionable MedTech logs","description":"Get user actionable logs generated by the MedTech service.","body":"AHDSMedTechDiagnosticLogs\r\n| order by TimeGenerated desc\r\n| take 100\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.healthcareapis/workspaces"],"tables":["AHDSMedTechDiagnosticLogs"]}},{"id":"af396c53-a04e-43aa-8bd9-c9cf75f96318","displayName":"Log count per MedTech log or exception type","description":"Get the count of the logs emitted from the MedTech service per log type and operation. The result shows which exceptions are thrown and how many times each occurs.","body":"AHDSMedTechDiagnosticLogs\r\n| summarize Count = count() by LogType, OperationName\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.healthcareapis/workspaces"],"tables":["AHDSMedTechDiagnosticLogs"]}},{"id":"3dfc6cd3-9545-43f3-b1b8-7c4813d1da5c","displayName":"MedTech healthcheck exceptions","description":"Get exceptions caused by failing healthchecks to dependent Azure resources (eg. 
FHIR Service, Event Hub).","body":"AHDSMedTechDiagnosticLogs\r\n| where LogType == \"HealthCheckException\"\r\n| order by TimeGenerated desc\r\n| take 100\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.healthcareapis/workspaces"],"tables":["AHDSMedTechDiagnosticLogs"]}},{"id":"5c33c4fb-04cf-410e-9556-04509fb24090","displayName":"MedTech normalization stage logs","description":"Get user actionable logs from the Normalization stage of the MedTech service.","body":"AHDSMedTechDiagnosticLogs\r\n| where OperationName == \"Normalization\"\r\n| order by TimeGenerated desc\r\n| take 100\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.healthcareapis/workspaces"],"tables":["AHDSMedTechDiagnosticLogs"]}},{"id":"f1aa373c-ecc6-49cd-835a-05ac38b0749f","displayName":"MedTech FHIR conversion stage logs","description":"Get user actionable logs from the FHIR conversion stage of the MedTech service.","body":"AHDSMedTechDiagnosticLogs\r\n| where OperationName == \"FHIRConversion\"\r\n| order by TimeGenerated desc\r\n| take 100\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.healthcareapis/workspaces"],"tables":["AHDSMedTechDiagnosticLogs"]}},{"id":"5d9df8e3-7ff1-45f5-9569-411f6ffacfc7","displayName":"DICOM privileged operations","description":"Get the count of the privileged operation logs per operation. 
For example, how many requests have been received to store a DICOM instance.","body":"AHDSDicomAuditLogs\r\n| summarize Count = count() by OperationName\r\n","tags":{"Topic":["DICOM Audit Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.healthcareapis/workspaces"],"tables":["AHDSDicomAuditLogs"]}},{"id":"c3346bdf-e3db-4af3-b6f7-5e1e73ce0d2b","displayName":"Log count per log starting with Dicom100 error code and CorrelationId","description":"Get the count of logs starting with Dicom100 error emitted from Dicom service per CorrelationId. The result contains count by CorrelationId.","body":"AHDSDicomDiagnosticLogs\r\n| where Message startswith \"DICOM100:\"\r\n| summarize Count = count() by CorrelationId\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.healthcareapis/workspaces"],"tables":["AHDSDicomDiagnosticLogs"]}},{"id":"126a5c26-d357-4b03-a4bc-5e8fbd26a1b8","displayName":"Are there any failures?","description":"Count of failed keyvault requests by status code.","body":"AZKVAuditLogs\r\n| where HttpStatusCode >= 300 and not(OperationName == \"Authentication\" and HttpStatusCode == 401)\r\n| summarize count() by RequestUri, ResultSignature, _ResourceId","tags":{"Topic":["Alerts","Usage and Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.keyvault/vaults"],"tables":["AZKVAuditLogs"]}},{"id":"d196c718-afdf-4eb1-9849-4f236030f51b","displayName":"Are there any slow requests?","description":"List of keyvault requests taking longer than 1 second.","body":"let threshold=1000;\r\nAZKVAuditLogs\r\n| where DurationMs > threshold\r\n| summarize count() by OperationName, _ResourceId\r\n","tags":{"Topic":["Alerts","Usage and 
Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.keyvault/vaults"],"tables":["AZKVAuditLogs"]}},{"id":"10026928-5243-4850-82e5-e1c4c175bc15","displayName":"How active has this KeyVault been?","description":"Line chart showing trend of KeyVault requests volume, per operation over time.","body":"AZKVAuditLogs\r\n| summarize count() by bin(TimeGenerated, 1h), OperationName // Aggregate by hour\r\n| render timechart\r\n","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.keyvault/vaults"],"tables":["AZKVAuditLogs"]}},{"id":"163b3a0a-e23d-4648-aec6-72906be0c027","displayName":"How fast is this KeyVault serving requests?","description":"Line chart showing trend of request duration over time using different aggregations.","body":"AZKVAuditLogs\r\n| summarize avg(DurationMs) by RequestUri, bin(TimeGenerated, 1h) // requestUri_s contains the URI of the request\r\n| render timechart\r\n","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.keyvault/vaults"],"tables":["AZKVAuditLogs"]}},{"id":"dcfebdea-1637-46b9-8452-1979e9e30251","displayName":"What changes occurred last month?","description":"Lists all update and patch requests from the last 30 days.","body":"AZKVAuditLogs\r\n| where TimeGenerated > ago(30d)\r\n| where OperationName == \"VaultPut\" or OperationName == \"VaultPatch\"\r\n| sort by TimeGenerated desc\r\n","tags":{"Topic":["Usage and 
Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.keyvault/vaults"],"tables":["AZKVAuditLogs"]}},{"id":"79cf6219-a0c3-4cac-a011-e5c02fc7cada","displayName":"Who is calling this KeyVault?","description":"List of callers identified by their IP address with their request count.","body":"AZKVAuditLogs\r\n| summarize count() by CallerIpAddress\r\n","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.keyvault/vaults"],"tables":["AZKVAuditLogs"]}},{"id":"5bcdd75f-8eaf-4c5a-aa38-7c10a501d260","displayName":"Volume of Kubernetes audit events per SourceIp","description":"Display the count of Kubernetes audit events generated from a given source IP address for each AKS cluster. Requires Diagnostic Settings to use the Resource Specific destination table.","body":"AKSAudit\r\n| where ResponseStatus.code != 401 // Exclude unauthorized responses\r\n| mv-expand SourceIps // Expand the list of SourceIp entries into individual rows\r\n| summarize Count = count() by SourceIp = tostring(SourceIps), ResourceId = _ResourceId\r\n| sort by Count desc","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources","container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"tables":["AKSAudit"]}},{"id":"820ac966-e438-4fae-aef9-2d162ce23ced","displayName":"Volume of admin Kubernetes audit events per username","description":"Display the count of admin Kubernetes audit events generated from a given user name for each AKS cluster. 
Requires Diagnostic Settings to use the Resource Specific destination table.","body":"AKSAuditAdmin\r\n| where ResponseStatus.code != 401 // Exclude unauthorized responses\r\n| summarize Count = count() by Username = tostring(User.username), ResourceId = _ResourceId\r\n| sort by Count desc","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources","container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"tables":["AKSAuditAdmin"]}},{"id":"39ef777f-53d8-400a-9d4e-d6e6946a538e","displayName":"Admin Kubernetes audit events for deployment","description":"Query for admin Kubernetes audit events against deployments within the default namespace. Requires Diagnostic Settings to use the Resource Specific destination table.","body":"AKSAuditAdmin\r\n| where ObjectRef.resource == \"deployments\"\r\n| where ObjectRef.namespace == \"default\"\r\n| where User.username != \"system:serviceaccount:kube-system:deployment-controller\" // Exclude updates from the kube controller for deployments\r\n| limit 100\r\n| project TimeGenerated, Verb, RequestUri, User, RequestObject, ObjectRef","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources","container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"tables":["AKSAuditAdmin"]}},{"id":"1f0b44f9-2a90-4d74-bd6f-32671f493c65","displayName":"Cluster Autoscaler logs","description":"Query for logs from the cluster autoscaler. This can help explain why the cluster is unexpectedly scaling up or down. 
Requires Diagnostic Settings to use the Resource Specific destination table.","body":"AKSControlPlane\r\n| where Category==\"cluster-autoscaler\"\r\n| limit 100\r\n| project TimeGenerated, Level, Message\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"tables":["AKSControlPlane"]}},{"id":"6d69a6ab-78ed-45c8-b5bb-557c2a096d54","displayName":"Kubernetes API server logs","description":"Query for logs from the Kubernetes API server. Requires Diagnostic Settings to use the Resource Specific destination table.","body":"AKSControlPlane\r\n| where Category==\"kube-apiserver\"\r\n| limit 100\r\n| project TimeGenerated, Level, Message\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"tables":["AKSControlPlane"]}},{"id":"2a9d8818-5683-41cc-bedb-493c61a04bb6","displayName":"Azure load test creation count","description":"Counts the number of test creations by resource ID.","body":"AzureLoadTestingOperation\r\n| where OperationId == \"Test_CreateOrUpdateTest\"\r\n| where HttpStatusCode == 201\r\n| summarize count() by _ResourceId","tags":{"Topic":["Usage","Diagnostics","Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.loadtestservice/loadtests"],"tables":["AzureLoadTestingOperation"]}},{"id":"a4b29234-b732-486e-9e5a-1d61af4aaf1e","displayName":"Azure load test run creation count","description":"Counts the number of successful test runs started by resource ID.","body":"AzureLoadTestingOperation\r\n| where OperationId == \"TestRun_CreateAndUpdateTest\"\r\n| where HttpStatusCode == 200\r\n| summarize count() by 
_ResourceId","tags":{"Topic":["Usage","Diagnostics","Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.loadtestservice/loadtests"],"tables":["AzureLoadTestingOperation"]}},{"id":"96c338bf-610b-4231-83b5-df264ddbf749","displayName":"Find all entries where value is active","description":"Component state update events are projected from devices. This query will list out all logs where value is active.","body":"MNFDeviceUpdates\r\n| where EventCategory == \"ComponentStateUpdates\"\r\n| where Properties has \"ACTIVE\"\r\n| project EventName, EventCategory, DeviceId, TimeGenerated, Properties\r\n| sort by TimeGenerated desc\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.managednetworkfabric/networkdevices"],"tables":["MNFDeviceUpdates"]}},{"id":"f789e18e-9204-43f0-9656-ae305a7c56d3","displayName":"Find all entries where value is up","description":"Interface status updates are projected from devices. This query will list out all logs where value is up.","body":"MNFDeviceUpdates\r\n| where EventCategory == \"InterfaceStateUpdates\"\r\n| where Properties !has \"DOWN\"\r\n| project EventName, EventCategory, DeviceId, TimeGenerated, Properties\r\n| sort by TimeGenerated desc\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.managednetworkfabric/networkdevices"],"tables":["MNFDeviceUpdates"]}},{"id":"53052d78-882f-46b7-a711-69dca0f58af4","displayName":"Find all events of the type VxlanVlanToVniVlan","description":"Interface vxlan update events are projected from devices. 
This query will list out all the logs where the event is of the type VxlanVlanToVniVlan.","body":"MNFDeviceUpdates\r\n| where EventCategory == \"InterfaceVxlanUpdates\"\r\n| where Properties has \"VxlanVlanToVniVlan\"\r\n| project EventName, EventCategory, DeviceId, TimeGenerated, Properties\r\n| sort by TimeGenerated desc\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.managednetworkfabric/networkdevices"],"tables":["MNFDeviceUpdates"]}},{"id":"ade0fc51-681d-490d-b8f5-216b3203e419","displayName":"Find all entries where afisafiname is not of the type L2VPN_EVPN","description":"Network instance neighbor updates that happened between routers during a BGP communication are listed with types of afisafiname. This is the query to filter the logs where afisafiname is not of the type L2VPN_EVPN.","body":"MNFDeviceUpdates\r\n| where EventCategory == \"NetworkInstanceBgpNeighborUpdates\"\r\n| where Properties !has \"L2VPN_EVPN\"\r\n| project EventName, EventCategory, DeviceId, TimeGenerated, Properties\r\n| sort by TimeGenerated desc\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.managednetworkfabric/networkdevices"],"tables":["MNFDeviceUpdates"]}},{"id":"c21d56d3-8079-46ff-b056-9d5be6505e88","displayName":"Find all entries where network instance name is of the type workload-mgmt","description":"Network instance update events from devices are reported here with different instance names. 
This query filters all network instances of the type workload-mgmt.","body":"MNFDeviceUpdates\r\n| where EventCategory == \"NetworkInstanceUpdates\"\r\n| where Properties has \"WORKLOAD-MGMT\"\r\n| project EventName, EventCategory, DeviceId, TimeGenerated, Properties\r\n| sort by TimeGenerated desc\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.managednetworkfabric/networkdevices"],"tables":["MNFDeviceUpdates"]}},{"id":"a1378514-505d-453b-a0a9-44cd62cd5228","displayName":"Find all errors from Syslog","description":"Syslog from device will be reported with message severity codes. This query filters all error messages from the Syslog.","body":"MNFSystemStateMessageUpdates\r\n| where Properties has \"error\"\r\n| project EventName, EventCategory, DeviceId, TimeGenerated, Properties\r\n| sort by TimeGenerated desc\r\n| limit 100","tags":{"Topic":["Diagnostics","Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.managednetworkfabric/networkdevices"],"tables":["MNFSystemStateMessageUpdates"]}},{"id":"6f7d4fb8-e91c-4fa3-aa6f-c695d21e5e1a","displayName":"Find all entries where session update user is admin","description":"System session history update events are projected from devices. 
This query will list out all logs where session update user is admin.","body":"MNFSystemSessionHistoryUpdates\r\n| where EventCategory == \"SystemSessionHistoryUpdates\"\r\n| project EventName, EventCategory, DeviceId, DeviceName, FabricId, TimeGenerated, DiffTimeStamp, GnmiTimeStamp, SessionUpdateSessionId, SessionUpdateUser, SessionDiffs\r\n| sort by TimeGenerated desc\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.managednetworkfabric/networkdevices"],"tables":["MNFSystemSessionHistoryUpdates"]}},{"id":"7f99e5e3-4b53-4ac2-8b96-3f2a5f92c7f9","displayName":"Cassandra logs","description":"Cassandra logs for a specific node, sorted by time (latest logs shown first).","body":"let nodeIPAddress = \"10.0.0.0\"; // Replace with your node IP address\r\nCassandraLogs\r\n| where AddressIP == nodeIPAddress\r\n| sort by TimeGenerated desc","tags":{"Topic":["Diagnostics","Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"resourceTypes":["microsoft.documentdb/cassandraclusters"],"tables":["CassandraLogs"]}},{"id":"d2752945-c33f-4a6b-9128-e2f8e2dbf6a1","displayName":"Cassandra errors or warnings","description":"Error or warning logs from Cassandra, sorted by time (latest logs shown first).","body":"CassandraLogs\r\n| where Level == \"ERROR\" or Level == \"WARN\"\r\n| project TimeGenerated, Level, AddressIp, ThreadName, ThreadId, SourceFile, SourceLine, Message, Exception, EventProduct, EventCategory, EventType\r\n| sort by TimeGenerated desc","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"resourceTypes":["microsoft.documentdb/cassandraclusters"],"tables":["CassandraLogs"]}},{"id":"7c29ceda-72da-4398-befe-2a17722165b1","displayName":"Mongo vCore requests P99 duration by operation","description":"Mongo vCore requests P99 
runtime duration by operation name.","body":"VCoreMongoRequests\r\n// Time range filter: | where TimeGenerated between (StartTime .. EndTime)\r\n// Resource id filter: | where _ResourceId == \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group-name/providers/microsoft.documentdb/mongoclusters/my-cluster-name\"\r\n| summarize percentile(DurationMs, 99) by bin(TimeGenerated, 1h), OperationName\r\n","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.documentdb/mongoclusters"],"tables":["VCoreMongoRequests"]}},{"id":"5bb1d784-35fa-4065-bcfe-d780877bb42a","displayName":"Mongo vCore requests binned by duration","description":"Count of Mongo vCore requests binned by total runtime duration.","body":"VCoreMongoRequests\r\n// Time range filter: | where TimeGenerated between (StartTime .. EndTime)\r\n// Resource id filter: | where _ResourceId == \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group-name/providers/microsoft.documentdb/mongoclusters/my-cluster-name\"\r\n| project TimeGenerated, DurationBin=tostring(bin(DurationMs, 5))\r\n| summarize count() by bin(TimeGenerated, 1m), tostring(DurationBin)\r\n","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.documentdb/mongoclusters"],"tables":["VCoreMongoRequests"]}},{"id":"9883e7d9-5df2-4ced-bd47-3fc5f34f3c7a","displayName":"Failed Mongo vCore requests","description":"Count of failed Mongo vCore requests by error code.","body":"VCoreMongoRequests\r\n// Time range filter: | where TimeGenerated between (StartTime .. 
EndTime)\r\n// Resource id filter: | where _ResourceId == \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group-name/providers/microsoft.documentdb/mongoclusters/my-cluster-name\"\r\n| where ErrorCode != 0\r\n| summarize count() by bin(TimeGenerated, 5m), ErrorCode=tostring(ErrorCode)\r\n","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.documentdb/mongoclusters"],"tables":["VCoreMongoRequests"]}},{"id":"4ad830b9-b8b6-4e8e-a934-754d4ad2d959","displayName":"Mongo vCore requests by user agent","description":"Count of Mongo vCore requests by user agent.","body":"VCoreMongoRequests\r\n// Time range filter: | where TimeGenerated between (StartTime .. EndTime)\r\n// Resource id filter: | where _ResourceId == \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group-name/providers/microsoft.documentdb/mongoclusters/my-cluster-name\"\r\n| summarize count() by bin(TimeGenerated, 1h), UserAgent\r\n","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.documentdb/mongoclusters"],"tables":["VCoreMongoRequests"]}},{"id":"5eea8814-60dd-4d3c-bec0-3c364c88e123","displayName":"Pods in crash loop","description":"Determines whether Pods/Containers has Crash-Loop phase.","body":"//Determines whether Pods/Containers has Crash-Loop phase\r\nKubePodInventory\r\n| where ContainerStatus == 'waiting' \r\n| where ContainerStatusReason == 'CrashLoopBackOff' or ContainerStatusReason == 'Error'\r\n| extend ContainerLastStatus=todynamic(ContainerLastStatus)\r\n| summarize RestartCount = arg_max(ContainerRestartCount, Computer, Namespace, ContainerLastStatus.reason) by 
Name","tags":{"Topic":["Availability"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"tables":["KubePodInventory"]}},{"id":"8146e954-5df5-4eaa-afe6-1cef6c158456","displayName":"Pods in pending state","description":"Check Pods that cannot be started and their pending time.","body":"//Check Pods that cannot be started and its pending time\r\nKubePodInventory\r\n| where PodStatus == 'Pending'\r\n| project PodCreationTimeStamp, Namespace, PodStartTime, PodStatus, Name, ContainerStatus\r\n| summarize Start = any(PodCreationTimeStamp), arg_max(PodStartTime, Namespace) by Name\r\n| extend PodStartTime = iff(isnull(PodStartTime), now(), PodStartTime)\r\n| extend PendingTime = PodStartTime - Start\r\n| project Name, Namespace ,PendingTime","tags":{"Topic":["Availability"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"tables":["KubePodInventory"]}},{"id":"37325c2f-a267-4c55-8b85-3a315e9e50a3","displayName":"Latest Data Collection Rule Conditional Data Set Output","description":"Displays the output of the latest successful Data Collection Rule (DCR) based conditional data set.","body":"let latestSuccessfulDataSetRun =\r\nDataSetRuns\r\n| where Status == \"DataSetRunSucceeded\"\r\n| order by TimeGenerated desc\r\n| project DataSetRunId\r\n| take 1;\r\nDataSetOutput\r\n| where DataSetRunId in (latestSuccessfulDataSetRun)\r\n| order by DataSetRunSeqNum 
asc","tags":{"Topic":["Diagnostics","Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","virtualmachines"],"resourceTypes":["microsoft.azuremonitordiagnosticsagents/datacollection"],"tables":["DataSetRuns","DataSetOutput"]}},{"id":"e70b8048-60cc-485e-aa4c-13681020dc97","displayName":"PerfInsights Impacted Resources Details","description":"Unpacks and displays details of PerfInsights impacted resources.","body":"PerfInsightsImpactedResources\r\n| where isnotnull(Details)\r\n| extend FirstConfig = Details[0]\r\n| extend ResourceKVP = pack(\r\n tostring(ImpactedResourceName),\r\n tostring(ImpactedResourceValue)\r\n)\r\n| extend MergedConfig = bag_merge(ResourceKVP, FirstConfig)\r\n| project MergedConfig\r\n| evaluate bag_unpack(MergedConfig)","tags":{"Topic":["Diagnostics","Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","virtualmachines"],"resourceTypes":["microsoft.azuremonitordiagnosticsagents/datacollection"],"tables":["PerfInsightsImpactedResources"]}},{"id":"1b1df069-ae9b-4026-876e-09b8d1c4cf12","displayName":"View users who updated the dashboard","description":"Gets the IDs of the users who made the most recent updates, along with the version number and time.","body":"AGSUpdateEvents\r\n| sort by TimeGenerated desc\r\n| project TimeGenerated, User, Message\r\n| take 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.dashboard/dashboard"],"tables":["AGSUpdateEvents"]}},{"id":"d7f3a1b9-4c2e-48a6-b5d1-9e8f7c6a3b20","displayName":"Azure Monitor pipeline errors","description":"Retrieves logs indicating errors during data ingestion, transformation, and export in Azure Monitor pipeline.","body":"// This query helps list the most recent 10 logs for failures during Azure Monitor pipeline 
operations.\r\nAzureMonitorPipelineLogErrors\r\n//| where OperationName == \"Ingestion\" // Uncomment this line to see Ingestion errors\r\n//| where OperationName == \"Transform\" // Uncomment this line to see Transform errors\r\n//| where OperationName == \"Export\" // Uncomment this line to see Export errors\r\n| sort by TimeGenerated desc\r\n| limit 10\r\n","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.monitor/pipelinegroups"],"tables":["AzureMonitorPipelineLogErrors"]}},{"id":"0d32e6ff-9894-415e-a981-2e9e5f76bd78","displayName":"Workload Monitoring Insights data collection warnings or errors","description":"Warning or error logs from data collection services of Workload Monitoring of Azure Monitor Insights.","body":"WorkloadDiagnosticLogs\r\n| where Status in (\"Warning\", \"Error\")\r\n| sort by TimeGenerated desc\r\n| take 100","tags":{"Topic":["Diagnostics","Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads","monitor"],"resourceTypes":["microsoft.insights/workloadmonitoring"],"tables":["WorkloadDiagnosticLogs"]}},{"id":"f6544502-3c0c-4e40-916d-bac6bb3ce8cf","displayName":"Deleted objects for an ANF volume","description":"Display all deleted object events for an ANF volume.","body":"ANFFileAccess\r\n| where OperationName == \"Unlink Object\"\r\n| limit 100","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["resources"],"resourceTypes":["microsoft.netapp/netappaccounts/capacitypools"],"tables":["ANFFileAccess"]}},{"id":"b0398ff8-d74a-11ec-9d64-0242ac120002","displayName":"All Logs for a Particular Object","description":"Display all audit events for a particular object on an ANF volume.","body":"ANFFileAccess\r\n| where ObjectName == \"/auditlog.txt\"\r\n| sort by TimeGenerated 
desc\r\n| limit 100","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["resources"],"resourceTypes":["microsoft.netapp/netappaccounts/capacitypools"],"tables":["ANFFileAccess"]}},{"id":"b2f5e8a1-4c3d-4e6f-9a7b-1c2d3e4f5a6b","displayName":"Volume of Kubernetes API audit events per source IP","description":"Display the count of Kubernetes API audit events generated from a given source IP address for each Nexus cluster.","body":"NCCKubernetesAPIAuditLogs\r\n| where ResponseStatusCode != 401 // Exclude unauthorized responses\r\n| summarize Count = count() by SourceIps, ClusterName\r\n| sort by Count desc\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources","container"],"resourceTypes":["microsoft.networkcloud/clusters"],"tables":["NCCKubernetesAPIAuditLogs"]}},{"id":"c3a6f9b2-5d4e-4f7a-8b9c-2d3e4f5a6b7c","displayName":"Volume of Kubernetes API audit events per user","description":"Display the count of Kubernetes API audit events generated from a given user for each Nexus cluster.","body":"NCCKubernetesAPIAuditLogs\r\n| where ResponseStatusCode != 401 // Exclude unauthorized responses\r\n| summarize Count = count() by User, ClusterName\r\n| sort by Count desc\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources","container"],"resourceTypes":["microsoft.networkcloud/clusters"],"tables":["NCCKubernetesAPIAuditLogs"]}},{"id":"d4b7a0c3-6e5f-4a8b-9c0d-3e4f5a6b7c8d","displayName":"Failed Kubernetes API requests","description":"Display failed Kubernetes API requests (4xx and 5xx status codes) grouped by response code and verb for each Nexus cluster.","body":"NCCKubernetesAPIAuditLogs\r\n| where ResponseStatusCode >= 400 // Failed requests (4xx and 5xx)\r\n| summarize Count = count() by 
ResponseStatusCode, Verb, ClusterName\r\n| sort by Count desc\r\n","tags":{"Topic":["Audit","Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources","container"],"resourceTypes":["microsoft.networkcloud/clusters"],"tables":["NCCKubernetesAPIAuditLogs"]}},{"id":"e5c8b1d4-7f6a-4b9c-0d1e-4f5a6b7c8d9e","displayName":"Kubernetes deployment modification audit events","description":"Query for Kubernetes API audit events showing modifications (create, update, patch, delete) to deployments in Nexus clusters.","body":"NCCKubernetesAPIAuditLogs\r\n| where ObjectRef contains \"deployments\"\r\n| where Verb in (\"create\", \"update\", \"patch\", \"delete\")\r\n| project TimeGenerated, Verb, RequestUri, User, ObjectRef, ResponseStatusCode, ClusterName\r\n| sort by TimeGenerated desc\r\n| limit 100\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources","container"],"resourceTypes":["microsoft.networkcloud/clusters"],"tables":["NCCKubernetesAPIAuditLogs"]}},{"id":"8f2774ec-9662-4eff-bc18-b223ec9ce86d","displayName":"Latest Snat Port Exhaustion Per LB Frontend","description":"List the latest SNAT port exhaustion event per load balancer Frontend IP","body":"ALBHealthEvent\r\n| where TimeGenerated > ago(1d)\r\n| where HealthEventType == \"SnatPortExhaustion\"\r\n| summarize arg_max(TimeGenerated, *) by LoadBalancerResourceId, FrontendIP","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources","monitor"],"resourceTypes":["microsoft.network/loadbalancers"],"tables":["ALBHealthEvent"]}},{"id":"652774ec-9662-4e1f-bc18-b223ec9ce36d","displayName":"Total allowed packets and bytes sent per NatGateway IP and Destination IP","description":"Total packets and bytes sent per NatGateway IP and Destination IP, that was allowed by the NAT 
Gateway.","body":"NatGatewayFlowlogsV1\r\n| where TimeGenerated > ago(1d)\r\n| summarize PacketsSentTotal = sum(PacketsSent), BytesSentTotal = sum(BytesSent) by DestinationIP, NatGatewayIP","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources","monitor"],"resourceTypes":["microsoft.network/natgateways"],"tables":["NatGatewayFlowlogsV1"]}},{"id":"252274ec-9662-4e3f-bc18-b225ec9ce31d","displayName":"Total allowed packets and bytes sent per NatGateway IP and Source IP","description":"Total packets and bytes sent per NatGateway IP and Source IP, that was allowed by the NAT Gateway.","body":"NatGatewayFlowlogsV1\r\n| where TimeGenerated > ago(1d)\r\n| summarize PacketsSentTotal = sum(PacketsSent), BytesSentTotal = sum(BytesSent) by SourceIP, NatGatewayIP","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources","monitor"],"resourceTypes":["microsoft.network/natgateways"],"tables":["NatGatewayFlowlogsV1"]}},{"id":"5a5e640c-37d6-4f21-93c2-3287fd420ea3","displayName":"Audit collection delete events","description":"Display audit logs for collection delete events.","body":"PurviewSecurityLogs\r\n| where EntityType == 'Collections'\r\n| where OperationName == 'Delete'\r\n| take 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.purview/accounts"],"tables":["PurviewSecurityLogs"]}},{"id":"d7328548-c02f-4461-a86d-ddea98534a3c","displayName":"Get replication health status history","description":"Get replication health status history for a virtual machine.","body":"let replicatedItemFriendlyName = \"\";\r\nASRReplicatedItems\r\n//| where TimeGenerated >= ago(30d) // uncomment this line to view last 30 days\r\n//| where _ResourceId == resourceId // uncomment this line and enter resource ID\r\n| where ReplicatedItemFriendlyName == 
replicatedItemFriendlyName\r\n| project Day=startofday(TimeGenerated), TimeGenerated, ReplicatedItemId, ReplicatedItemFriendlyName, ReplicationStatus\r\n| summarize arg_max(TimeGenerated,*) by Day","properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.recoveryservices/vaults"],"tables":["ASRReplicatedItems"]}},{"id":"8ae09b10-bba7-4059-a179-4dd802f9dd28","displayName":"Get all test failover jobs run","description":"Get all test failover jobs run for your ASR protected items to verify if recoverability is being tested regularly for all your important resources.","body":"ASRJobs\r\n//| where TimeGenerated >= ago(30d) // uncomment this line to view last 30 days\r\n| summarize arg_max(TimeGenerated,*) by JobUniqueId\r\n| where OperationName == \"Test failover\"\r\n| project StartTime, EndTime, SourceResourceId, SourceFriendlyName, DurationMs, ResultDescription","properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.recoveryservices/vaults"],"tables":["ASRJobs"]}},{"id":"4e376b4a-24d9-4110-9640-4c427e80af43","displayName":"Get all backup operations","description":"List backup operations of type ChangePassphrase (limited to 10 records).","body":"AzureBackupOperations\r\n//| where TimeGenerated >= ago(30d) // uncomment this line to view last 30 days\r\n| where OperationType == \"ChangePassphrase\"\r\n| project TimeGenerated, OperationType, OperationStartTime, ExtendedProperties, BackupManagementType\r\n| limit 10","properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.recoveryservices/vaults"],"tables":["AzureBackupOperations"]}},{"id":"ddd81f93-5320-4626-ac94-a938757326a4","displayName":"Unique authenticated Redis client IP addresses","description":"Unique client IP addresses with Redis authentication events of status 2 (AUTHENTICATION_NOT_REQUIRED), 7 (AUTHENTICATION_SYNCER_OK) or 8 (AUTHENTICATION_OK). Caveat: in KQL 'and' binds tighter than 'or', so as written the EventType == 'auth' filter only applies to status 2; use EventType == 'auth' and EventStatus in (2, 7, 8) to restrict all three to auth events, and drop status 2 if only credentialed logins should count.","body":"REDConnectionEvents\r\n// https://docs.redis.com/latest/rs/security/audit-events/#status-result-codes\r\n// EventStatus :\r\n// 0 
AUTHENTICATION_FAILED - Invalid username and/or password.\r\n// 1 AUTHENTICATION_FAILED_TOO_LONG - Username or password are too long.\r\n// 2 AUTHENTICATION_NOT_REQUIRED - Client tried to authenticate, but authentication isn’t necessary.\r\n// 3 AUTHENTICATION_DIRECTORY_PENDING - Attempting to receive authentication info from the directory in async mode.\r\n// 4 AUTHENTICATION_DIRECTORY_ERROR - Authentication attempt failed because there was a directory connection error.\r\n// 5 AUTHENTICATION_SYNCER_IN_PROGRESS - Syncer SASL handshake. Return SASL response and wait for the next request.\r\n// 6 AUTHENTICATION_SYNCER_FAILED - Syncer SASL handshake. Returned SASL response and closed the connection.\r\n// 7 AUTHENTICATION_SYNCER_OK - Syncer authenticated. Returned SASL response.\r\n// 8 AUTHENTICATION_OK - Client successfully authenticated.\r\n| where EventType == \"auth\" and EventStatus == 2 or EventStatus == 8 or EventStatus == 7\r\n| summarize count() by ClientIp","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","network","resources"],"resourceTypes":["microsoft.cache/redisenterprise"],"tables":["REDConnectionEvents"]}},{"id":"42dfde83-f564-4282-854d-612dfda54abf","displayName":"Redis client authentication requests per hour","description":"Redis client authentication requests per hour within the specified IP address range. Includes both successful and unsuccessful requests.","body":"REDConnectionEvents\r\n| extend EventTime = unixtime_seconds_todatetime(EventEpochTime)\r\n// For particular datetime filtering, add '| where EventTime between (StartTime .. 
EndTime)'\r\n// For particular IP range filtering, add '| where ipv4_is_in_range(ClientIp, IpRange)'\r\n// IP range can be defined like this 'let IpRange = \"10.1.1.0/24\";' at the top of query.\r\n| where EventType == \"auth\"\r\n| summarize AuthencationRequestsCount = count() by TimeRange = bin(EventTime, 1h)\r\n","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","network","resources"],"resourceTypes":["microsoft.cache/redisenterprise"],"tables":["REDConnectionEvents"]}},{"id":"e1629bb4-4c6e-49a1-a826-5627804b3dcf","displayName":"Redis client connections per hour","description":"Redis client connections per hour within the specified IP address range.","body":"REDConnectionEvents\r\n// For particular datetime filtering, add '| where EventTime between (StartTime .. EndTime)'\r\n// For particular IP range filtering, add '| where ipv4_is_in_range(ClientIp, IpRange)'\r\n// IP range can be defined like this 'let IpRange = \"10.1.1.0/24\";' at the top of query.\r\n| extend EventTime = unixtime_seconds_todatetime(EventEpochTime)\r\n| where EventType == \"new_conn\"\r\n| summarize ConnectionCount = count() by TimeRange = bin(EventTime, 1h)\r\n","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","network","resources"],"resourceTypes":["microsoft.cache/redisenterprise"],"tables":["REDConnectionEvents"]}},{"id":"d05ffa8d-2ca3-4a6b-9d91-2cee1feafc52","displayName":"Redis client disconnections per hour","description":"Redis client disconnections per hour within the specified IP address range.","body":"REDConnectionEvents\r\n// For particular datetime filtering, add '| where EventTime between (StartTime .. 
EndTime)'\r\n// For particular IP range filtering, add '| where ipv4_is_in_range(ClientIp, IpRange)'\r\n// IP range can be defined like this 'let IpRange = \"10.1.1.0/24\";' at the top of query.\r\n| extend EventTime = unixtime_seconds_todatetime(EventEpochTime)\r\n| where EventType == \"close_conn\"\r\n| summarize DisconnectionCount = count() by TimeRange = bin(EventTime, 1h)\r\n","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","network","resources"],"resourceTypes":["microsoft.cache/redisenterprise"],"tables":["REDConnectionEvents"]}},{"id":"e4c56072-f3d4-4d90-89af-7b94cf0a80e1","displayName":"Unsuccessful authentication attempts on Redis cache","description":"Authentication attempts on Redis cache which were unsuccessful.","body":"REDConnectionEvents\r\n// https://docs.redis.com/latest/rs/security/audit-events/#status-result-codes\r\n// EventStatus : \r\n// 0 AUTHENTICATION_FAILED - Invalid username and/or password.\r\n// 1 AUTHENTICATION_FAILED_TOO_LONG - Username or password are too long.\r\n// 2 AUTHENTICATION_NOT_REQUIRED - Client tried to authenticate, but authentication isn’t necessary.\r\n// 3 AUTHENTICATION_DIRECTORY_PENDING - Attempting to receive authentication info from the directory in async mode.\r\n// 4 AUTHENTICATION_DIRECTORY_ERROR - Authentication attempt failed because there was a directory connection error.\r\n// 5 AUTHENTICATION_SYNCER_IN_PROGRESS - Syncer SASL handshake. Return SASL response and wait for the next request.\r\n// 6 AUTHENTICATION_SYNCER_FAILED - Syncer SASL handshake. Returned SASL response and closed the connection.\r\n// 7 AUTHENTICATION_SYNCER_OK - Syncer authenticated. 
Returned SASL response.\r\n// 8 AUTHENTICATION_OK - Client successfully authenticated.\r\n| where EventType == \"auth\" and EventStatus != 2 and EventStatus != 8 and EventStatus != 7\r\n| project ClientIp, EventStatus, ConnectionId","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","network","resources"],"resourceTypes":["microsoft.cache/redisenterprise"],"tables":["REDConnectionEvents"]}},{"id":"07097c10-af17-46fd-b8a0-65c405f8b299","displayName":"Publish HTTP send data for hybrid connection","description":"Publish details for send events on a hybrid connection.","body":"//Endpoint needs to be replaced with client specific endpoint.\r\nAZMSHybridConnectionsEvents\r\n| extend NamespaceName = tostring(split(_ResourceId, \"/\")[8])\r\n| where OperationName == \"Microsoft.Relay/HybridConnections/SenderSentHttpRequest\"\r\n| where Endpoint contains \"shamavijay-relay-hybconn\"\r\n| project NamespaceName, TaskName, Message, OperationName\r\n| summarize by NamespaceName, TaskName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.relay/namespaces"],"tables":["AZMSHybridConnectionsEvents"]}},{"id":"d25850ef-feda-42dc-afdb-d6f527854b8b","displayName":"Publish deny connection by namespace","description":"Publish deny network connection information by namespace.","body":"AZMSVnetConnectionEvents\r\n| extend NamespaceName = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"Relay\"\r\n| where Action == \"Deny Connection\"\r\n| project Action, _SubscriptionId, NamespaceName, AddressIp, Reason, Count\r\n| summarize by Action, 
NamespaceName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.relay/namespaces"],"tables":["AZMSVnetConnectionEvents"]}},{"id":"942c6acb-1f7e-498e-b5fa-d3c30f787f61","displayName":"Publish virtual network events by namespace","description":"Publish virtual network events with outcome for namespace.","body":"AZMSVnetConnectionEvents\r\n| extend NamespaceName = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"Relay\"\r\n| project Action, _SubscriptionId, NamespaceName, AddressIp, Reason, Count, _ResourceId\r\n| summarize by NamespaceName, Action","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.relay/namespaces"],"tables":["AZMSVnetConnectionEvents"]}},{"id":"eaa7957b-aecb-406b-be10-f48696b0ecdf","displayName":"Publish success data for topics","description":"Publish success data for topics on CRUD Operations in Server Bus.","body":"AZMSOperationalLogs\r\n| extend TopicName = tostring(split(_ResourceId, \"/\")[10])\r\n| where Provider =~ \"ServiceBus\"\r\n| where isnotnull(TopicName) and Status == \"Succeeded\"\r\n| project TopicName, _ResourceId, EventName, Status, Caller, _SubscriptionId\r\n| summarize by TopicName, EventName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AZMSOperationalLogs"]}},{"id":"eaa7957b-aecb-406b-be10-f48696b0ecdfdel","displayName":"Publish detailed error logs","description":"Publish detailed error logs for diagnostics.","body":"AZMSDiagnosticErrorLogs\r\n| where Provider =~ \"ServiceBus\"\r\n| project ActivityName, _ResourceId, OperationResult,ErrorMessage\r\n| summarize by 
ActivityName","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AZMSDiagnosticErrorLogs"]}},{"id":"e16d5b06-e193-4e8f-8f2c-e3dd04413d9e","displayName":"Publish failures for Topics","description":"Publish management action failures for topics.","body":"AZMSOperationalLogs\r\n| extend TopicName = tostring(split(_ResourceId, \"/\")[10])\r\n| where Provider =~ \"ServiceBus\"\r\n| where isnotnull(TopicName) and Status != \"Succeeded\"\r\n| project TopicName, _ResourceId, EventName, Status, Caller, SubscriptionId\r\n| summarize by TopicName, EventName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AZMSOperationalLogs"]}},{"id":"2b7d7c31-a6f4-4fcc-857e-c40fd9ecd918","displayName":"Publish failures for subscription","description":"Publish management action failures for subscription.","body":"AZMSOperationalLogs\r\n| extend SubInfo = _SubscriptionId\r\n| where Provider =~ \"ServiceBus\"\r\n| where isnotnull(SubInfo) and Status != \"Succeeded\"\r\n| project SubInfo, _ResourceId, EventName, Status, Caller\r\n| summarize by SubInfo, EventName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AZMSOperationalLogs"]}},{"id":"9edb2134-7a9d-4193-b727-1900e50b133d","displayName":"Publish failures for namespace","description":"Publish management action failures for namespace.","body":"AZMSOperationalLogs\r\n| extend NamespaceName = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"ServiceBus\"\r\n| where isnotnull(NamespaceName) and Status != \"Succeeded\"\r\n| project 
NamespaceName, _ResourceId, EventName, Status, Caller, _SubscriptionId\r\n| summarize by NamespaceName, EventName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AZMSOperationalLogs"]}},{"id":"5956fb69-ccc1-40a2-a7be-8cf35a3fc627","displayName":"Publish deny connection by namespace","description":"Publish deny network connection information by namespace.","body":"AZMSVnetConnectionEvents\r\n| extend NamespaceName = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"ServiceBus\"\r\n| where Action == \"Deny Connection\"\r\n| project Action, _SubscriptionId, NamespaceName, AddressIp, Reason, Count\r\n| summarize by Action, NamespaceName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AZMSVnetConnectionEvents"]}},{"id":"39525fb9-8431-4c02-826f-c610eaaeb9c1","displayName":"Publish virtual network events by namespace","description":"Publish virtual network events with outcome for namespace.","body":"AZMSVnetConnectionEvents\r\n| extend NamespaceName = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"ServiceBus\"\r\n| project Action, _SubscriptionId, NamespaceName, AddressIp, Reason, Count, _ResourceId\r\n| summarize by NamespaceName, Action","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AZMSVnetConnectionEvents"]}},{"id":"e42b82a3-12b7-49d3-90da-cb8f0d15090c","displayName":"Publish successful connection for AMQP protocol","description":"Publish runtime successful connection for Advanced Message Queuing 
Protocol(AMQP).","body":"AZMSRunTimeAuditLogs\r\n| where Provider =~ \"ServiceBus\" \r\n| where Protocol == \"AMQP\" and Status == \"Success\"\r\n| project ActivityName, Protocol, NetworkType, ClientIp, _ResourceId\r\n| summarize by ActivityName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AZMSRunTimeAuditLogs"]}},{"id":"5378867d-d538-4133-b9ad-b98d8e920995","displayName":"Publish failures for send message","description":"Publish the runtime failures for send message event.","body":"AZMSRunTimeAuditLogs\r\n| extend NamespaceInfo = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"ServiceBus\"\r\n| where isnotnull(NamespaceInfo) and Status != \"Success\" and ActivityName == \"SendMessage\"\r\n| project NamespaceInfo, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId\r\n| summarize by NamespaceInfo, ActivityName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AZMSRunTimeAuditLogs"]}},{"id":"7f71e893-1960-4080-b67f-1a06c5a79143","displayName":"Publish failure for namespace","description":"Publish the runtime failure for multiple namespaces.","body":"AZMSRunTimeAuditLogs\r\n| extend NamespaceInfo = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"ServiceBus\"\r\n| where isnotnull(NamespaceInfo) and Status != \"Success\"\r\n| project NamespaceInfo, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId\r\n| summarize by NamespaceInfo, 
ActivityName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AZMSRunTimeAuditLogs"]}},{"id":"1b9a6421-8d31-4a38-ae8c-35f70ffafdb8","displayName":"Publish failed AAD logs","description":"Publish the failed entries for AAD authorization.","body":"AZMSRunTimeAuditLogs\r\n| extend NamespaceInfo = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"ServiceBus\"\r\n| where isnotnull(NamespaceInfo) and isnotnull(AuthKey) and AuthType == \"AAD\" and Status != \"Success\" \r\n| project NamespaceInfo, AuthKey, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId\r\n| summarize by NamespaceInfo, AuthKey, ActivityName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AZMSRunTimeAuditLogs"]}},{"id":"1b159023-07e2-4d37-9447-af7b6cc5cfc6","displayName":"Publish failed SAS logs","description":"Publish the failed entries for SAS authorization.","body":"AZMSRunTimeAuditLogs\r\n| extend NamespaceInfo = tostring(split(_ResourceId, \"/\")[8])\r\n| where Provider =~ \"ServiceBus\"\r\n| where isnotnull(NamespaceInfo) and isnotnull(AuthKey) and AuthType == \"SAS\" and Status != \"Success\" \r\n| project NamespaceInfo, AuthKey, ActivityName, Protocol, NetworkType, ClientIp, _ResourceId\r\n| summarize by NamespaceInfo, AuthKey, ActivityName","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AZMSRunTimeAuditLogs"]}},{"id":"1bd9dbca-3306-4985-8043-b4cb8c1f21e7","displayName":"[Classic] List Management operations","description":"This lists all the management 
calls.","body":"AzureDiagnostics\r\n| where ResourceProvider ==\\\"MICROSOFT.SERVICEBUS\\\"\r\n| where Category == \\\"OperationalLogs\\\"\r\n| summarize count() by EventName_s, _ResourceId","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AzureDiagnostics"]}},{"id":"26f1dcce-f504-41fc-8613-e0458cce591a","displayName":"[Classic] Error Summary","description":"Summarizes all the errors encountered.","body":"AzureDiagnostics\r\n| where ResourceProvider ==\\\"MICROSOFT.SERVICEBUS\\\"\r\n| where Category == \\\"Error\\\"\r\n| summarize count() by EventName_s, _ResourceId","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AzureDiagnostics"]}},{"id":"e71a5c12-1ac5-4784-9c99-ce483f11da8d","displayName":"[Classic] Keyvault access attempt - key not found","description":"Summarizes the access to keyvault when key is not found.","body":"// To create an alert for this query, click '+ New alert rule'\r\nAzureDiagnostics\r\n| where ResourceProvider == \\\"MICROSOFT.SERVICEBUS\\\"\r\n| where Category == \\\"Error\\\" and OperationName == \\\"wrapkey\\\"\r\n| project Message, _ResourceId\r\n","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AzureDiagnostics"]}},{"id":"ad8246e6-68dd-4bb6-a94a-dddb9c1e35d1","displayName":"[Classic] AutoDeleted entities","description":"Summary of all the entities that have been auto-deleted.","body":"// To create an alert for this query, click '+ New alert rule'\r\nAzureDiagnostics\r\n| where ResourceProvider == \\\"MICROSOFT.SERVICEBUS\\\"\r\n| 
where Category == \\\"OperationalLogs\\\"\r\n| where EventName_s startswith \\\"AutoDelete\\\"\r\n| summarize count() by EventName_s, _ResourceId","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AzureDiagnostics"]}},{"id":"066798a4-70b2-4a0e-badb-a551fa92603d","displayName":"[Classic] Keyvault performed operational","description":"Summarizes the operation performed with keyvault to disable or restore the key.","body":"// To create an alert for this query, click '+ New alert rule'\r\nAzureDiagnostics\r\n| where ResourceProvider == \\\"MICROSOFT.SERVICEBUS\\\"\r\n| where (Category == \\\"info\\\" and (OperationName == \\\"disable\\\" or OperationName == \\\"restore\\\"))\r\n| project Message, _ResourceId","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.servicebus/namespaces"],"tables":["AzureDiagnostics"]}},{"id":"483f4b2c-5325-441f-9ec4-edc9baefcdd4","displayName":"Azure Sphere device authentication and attestation failures","description":"A list of Azure Sphere device authentication and attestation failures for the last week, sorted by time.","body":"ASCDeviceEvents\r\n| where OperationName == \"DeviceCertificateEvent\" and\r\n Properties.EventType == \"DeviceAttestationFailure\" or Properties.EventType == \"DeviceCertificateEvent\" and\r\n ResultType == \"Failure\" // Filter by time by adding \" | where TimeGenerated > ago(7d) \" for last 7 days of data or using time picker in the UI\r\n| project TimeGenerated, DeviceId, Properties, ResultDescription, Location\r\n| sort by TimeGenerated desc\r\n| limit 
100","tags":{"Topic":["Diagnostics","Errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.azuresphere/catalogs"],"tables":["ASCDeviceEvents"]}},{"id":"24acfce7-569c-4e05-9145-e09752fae02c","displayName":"Azure Sphere device events timeline","description":"A sorted timeline of all events generated by an Azure Sphere device during the last week, to monitor and troubleshoot any unexpected failures.","body":"ASCDeviceEvents\r\n| where OperationName == \"DeviceCertificateEvent\" or Properties.DeviceTelemetryEventCategory == \"AppCrash\" // Remove/Add filters to see all/specific events. Filter data by Device by adding \" | where DeviceId == \"Your Device ID\" \" \r\n| project TimeGenerated, OperationName, ResultType, ResultDescription, Properties, Location\r\n| sort by TimeGenerated desc\r\n| limit 100","tags":{"Topic":["Diagnostics","Errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.azuresphere/catalogs"],"tables":["ASCDeviceEvents"]}},{"id":"0c4a1b53-4761-4793-88ee-b5e569a333c4","displayName":"Azure Sphere device heartbeat events timechart","description":"A timechart of all certificate generation events initiated by Azure Sphere devices over the last week, to continuously monitor device health and see trends.","body":"let Interval = timespan(1d); // Interval for the Chart \r\nASCDeviceEvents\r\n| where OperationName == \"DeviceCertificateEvent\" and \r\n Properties.EventType == \"DeviceCertificatesGenerate\" and \r\n ResultType == \"Success\"\r\n| summarize Device_Heartbeat_Events=count() by bin(TimeGenerated, Interval)\r\n| render timechart","tags":{"Topic":["Diagnostics","Errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.azuresphere/catalogs"],"tables":["ASCDeviceEvents"]}},{"id":"f718df22-98e8-4b32-a6d0-bfd05f725a42","displayName":"Azure Sphere devices not 
updated to latest OS","description":"A list of Azure Sphere devices that have not been updated to the latest OS version over the last week.","body":"ASCDeviceEvents\r\n| where OperationName == \"DeviceUpdateEvent\" and \r\n todouble(Properties.InstalledOSVersion) != todouble(Properties.TargetedOSVersion) // Filter by time by adding \" | where TimeGenerated > ago(7d) \" for last 7 days of data or using time picker in the UI\r\n| summarize by DeviceId\r\n| limit 100\r\n","tags":{"Topic":["Diagnostics","Errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.azuresphere/catalogs"],"tables":["ASCDeviceEvents"]}},{"id":"5ef6030d-8c6a-44a0-8739-5797f36eea20","displayName":"Azure Sphere device telemetry events summary","description":"A piechart summarizing the share of each of the event categories generated by Azure Sphere Devices over the last week, to monitor the overall device health.","body":"ASCDeviceEvents\r\n| where OperationName == \"DeviceTelemetryEvent\" // Filter by time by adding \" | where TimeGenerated > ago(7d) \" for last 7 days of data or using time picker in the UI\r\n| summarize count() by tostring(Properties.DeviceTelemetryEventCategory)\r\n| render piechart","tags":{"Topic":["Diagnostics","Errors"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.azuresphere/catalogs"],"tables":["ASCDeviceEvents"]}},{"id":"44e16774-d990-4192-8fce-2e543e34633a","displayName":"Succeeded DevOps Operations Audit Sample Query","description":"Display sample records from Succeeded DevOps Operations Audit table.","body":"DevOpsOperationsAudit\r\n| take 1\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.sql/servers"]}},{"id":"a1b2c3d4-e5f6-4192-8fce-2e543e34633b","displayName":"Query Store Wait Statistics Sample Query","description":"Display sample records from Query Store Wait 
Statistics table.","body":"AzureSQLQueryStoreWaitStatistics\r\n| take 1","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"tables":["AzureSQLQueryStoreWaitStatistics"]}},{"id":"a1b2c3d4-e5f6-4192-8fce-2e543e34633c","displayName":"Automatic Tuning Sample Query","description":"Display sample records from Automatic Tuning table.","body":"AzureSQLAutomaticTuning\r\n| take 1","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"tables":["AzureSQLAutomaticTuning"]}},{"id":"a1b2c3d4-e5f6-4192-8fce-2e543e34633d","displayName":"Blocks Sample Query","description":"Display sample records from Blocks table.","body":"AzureSQLBlocks\r\n| take 1","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"tables":["AzureSQLBlocks"]}},{"id":"a1b2c3d4-e5f6-4192-8fce-2e543e34633e","displayName":"Database Wait Statistics Sample Query","description":"Display sample records from Database Wait Statistics table.","body":"AzureSQLDatabaseWaitStatistics\r\n| take 1","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"tables":["AzureSQLDatabaseWaitStatistics"]}},{"id":"a1b2c3d4-e5f6-4192-8fce-2e543e34633f","displayName":"Deadlocks Sample Query","description":"Display sample records from Deadlocks table.","body":"AzureSQLDeadlocks\r\n| take 1","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"tables":["AzureSQLDeadlocks"]}},{"id":"a1b2c3d4-e5f6-4192-8fce-2e543e346341","displayName":"Errors Sample Query","description":"Display sample records from Errors table.","body":"AzureSQLErrors\r\n| take 
1","tags":{"Topic":["AzureSQLErrors"]},"properties":{"ExampleQuery":true},"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"tables":["AzureSQLErrors"]}},{"id":"a1b2c3d4-e5f6-4192-8fce-2e543e346343","displayName":"Query Store Runtime Statistics Sample Query","description":"Display sample records from Query Store Runtime Statistics table.","body":"AzureSQLQueryStoreRuntimeStatistics\r\n| take 1","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"tables":["AzureSQLQueryStoreRuntimeStatistics"]}},{"id":"a1b2c3d4-e5f6-4192-8fce-2e543e346345","displayName":"Resource Usage Stats Sample Query","description":"Display sample records from Resource Usage Stats table.","body":"AzureSQLResourceUsageStats\r\n| take 1","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"tables":["AzureSQLResourceUsageStats"]}},{"id":"a1b2c3d4-e5f6-4192-8fce-2e543e346348","displayName":"Timeouts Sample Query","description":"Display sample records from Timeouts table.","body":"AzureSQLTimeouts\r\n| take 1","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"tables":["AzureSQLTimeouts"]}},{"id":"aed2e616-52ae-4c8e-8562-af62c017718a","displayName":"Exhausted Pool Events","description":"A list of times when the pool was exhausted.","body":"SCGPoolExecutionLog\r\n| where EventName == \"StandbyPoolExhausted\"\r\n| project TimeGenerated\r\n| sort by TimeGenerated desc\r\n| limit 
30","tags":{"Topic":["Exhausted"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.standbypool/standbycontainergrouppools"],"tables":["SCGPoolExecutionLog"]}},{"id":"6f2a51a0-449a-4578-b715-4f634a4d084a","displayName":"Settings Updated Pool Events","description":"A list of the last 30 settings updates.","body":"SCGPoolRequestLog\r\n| project TimeGenerated, Location\r\n| sort by TimeGenerated desc\r\n| limit 30","tags":{"Topic":["Settings"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.standbypool/standbycontainergrouppools"],"tables":["SCGPoolRequestLog"]}},{"id":"d76e62a6-9777-4e9c-a455-1d2541deaaf2","displayName":"Degraded Pool Events","description":"A list of times when the pool got into a degraded state.","body":"SVMPoolExecutionLog\r\n| where EventName == \"StandbyPoolDegradedPool\"\r\n| project TimeGenerated, Location\r\n| sort by TimeGenerated desc\r\n| limit 30","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.standbypool/standbyvirtualmachinepools"],"tables":["SVMPoolExecutionLog"]}},{"id":"485749e7-4fa6-4e11-80f7-ef1696cd7736","displayName":"Max Settings Updated Pool Events","description":"A list of times when settings were updated with a max capacity greater than 10 (adjust the NewMaxCapacity threshold to the value you want to be alerted on).","body":"SVMPoolRequestLog\r\n| where NewMaxCapacity > 10 \r\n| project TimeGenerated, Location\r\n| sort by TimeGenerated desc\r\n| limit 30","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.standbypool/standbyvirtualmachinepools"],"tables":["SVMPoolRequestLog"]}},{"id":"db83ff91-df3b-4d7d-b62f-559d49e7d63c","displayName":"Get Top Talkers","description":"List 10 Top Talkers 
during a defined time period.","body":"let startTime = ago(2h);\r\nlet endTime = ago(1h);\r\nlet num_toptalkers = 10; // Amount of top talker 5Tuples. Change this value to display a different number of items\r\nlet tuple = \"5\"; \r\nlet ipfixData = ATCExpressRouteCircuitIpfix\r\n| where FlowRecordTime >= startTime and FlowRecordTime = startTime and FlowRecordTime = startTime and FlowRecordTime = 300\r\n| sort by TimeGenerated desc","tags":{"Topic":["Diagnostics","Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.botservice/botservices"],"tables":["ABSBotRequests"]}},{"id":"599d9097-d85c-44a3-8284-55e525590f21","displayName":"Direct Line Channel Response Codes Line Chart","description":"Line Chart showing Direct Line channel requests response codes.","body":"// This query displays a Line Chart showing requests related to Direct Line channel.\r\nABSBotRequests\r\n| where Channel == \"directline\"\r\n| summarize Number_Of_Requests = count() by tostring(ResultCode), bin(TimeGenerated, 5m)\r\n| render timechart","tags":{"Topic":["Diagnostics","Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.botservice/botservices"],"tables":["ABSBotRequests"]}},{"id":"599d9097-d85c-44a3-8284-55e525590f23","displayName":"Requests Duration Line Chart","description":"Line Chart showing requests response times/duration per operation.","body":"// This query displays a Line Chart showing requests response duration per operation.\r\nABSBotRequests\r\n| summarize DurationMs = avg(DurationMs) by bin(TimeGenerated, 5m), OperationName\r\n| render 
timechart","tags":{"Topic":["Diagnostics","Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.botservice/botservices"],"tables":["ABSBotRequests"]}},{"id":"599d9097-d85c-44a3-8284-55e525590f24","displayName":"Response Codes Line Chart","description":"Line Chart showing requests response status codes.","body":"// Display a Line Chart of requests response status codes.\r\nABSBotRequests\r\n| summarize Number_Of_Requests = count() by tostring(ResultCode), bin(TimeGenerated, 5m)\r\n| render timechart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.botservice/botservices"],"tables":["ABSBotRequests"]}},{"id":"599d9097-d85c-44a3-8284-55e525590f25","displayName":"Response Codes PieChart","description":"Pie Chart showing requests response status codes.","body":"// Display a Pie Chart showing requests response status codes.\r\nABSBotRequests\r\n| summarize count() by tostring(ResultCode) \r\n| render piechart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.botservice/botservices"],"tables":["ABSBotRequests"]}},{"id":"599d9097-d85c-44a3-8284-55e525534f97","displayName":"Request Operations PieChart","description":"Pie Chart showing requests operations.","body":"// Display a Pie Chart showing requests by operation name.\r\n// This gives a perspective of the request operations percentage distribution in the selected time range.\r\nABSBotRequests\r\n| summarize count() by tostring(OperationName) \r\n| render 
piechart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.botservice/botservices"],"tables":["ABSBotRequests"]}},{"id":"a1b2c3d4-1111-4aaa-bbbb-000000000001","displayName":"Recent changes on a case","description":"Shows the last 10 field-level changes on a specific case, including who made the change and what was modified.","body":"// Last 10 changes on a specific case (including child entities like tasks, comments, attachments).\r\n// Each row represents one event. Note: a single user action may produce multiple rows\r\n// (one per property changed).\r\n//\r\n// Replace the placeholder below with a case ID\r\nlet targetCaseId = '';\r\nSecurityCaseEvent\r\n| where TimeGenerated >= ago(90d)\r\n| where EntityId == targetCaseId or ParentEntityId == targetCaseId\r\n//| where EntityType == 'Case' // Uncomment to show only case-level changes (no tasks/comments)\r\n//| where OperationName == 'Update' // Uncomment to show only updates (no creates/deletes)\r\n| project EventTime, ModifiedBy, OperationName, EntityType, EntityId, PropertyNames, NewValues\r\n| order by EventTime desc\r\n| take 10\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.securityinsights/casemanagement"],"tables":["SecurityCaseEvent"]}},{"id":"a1b2c3d4-1111-4aaa-bbbb-000000000002","displayName":"Cases by status","description":"Finds all cases where the current status matches a specific value by replaying Create and Update events.","body":"// Find all cases where the current status matches a specific value.\r\n// Replays Create/Update events to determine each case's latest status.\r\n//\r\n// Replace the placeholder below with the status value to match (e.g. 
'Active', 'InProgress')\r\nlet targetStatus = '';\r\n// --- Exclude deleted cases ---\r\nlet deletedCases = SecurityCaseEvent\r\n | where TimeGenerated >= ago(30d)\r\n | where EntityType == 'Case'\r\n | where IsDeleted == true\r\n | distinct EntityId;\r\n// --- Determine each case's latest status and type ---\r\nSecurityCaseEvent\r\n| where TimeGenerated >= ago(30d)\r\n| where EntityType == 'Case'\r\n| where OperationName in ('Create', 'Update')\r\n| where EntityId !in (deletedCases)\r\n// mv-expand: expands array properties into individual rows per property change\r\n| mv-expand PropertyNames, NewValues\r\n| extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n| where PropName in ('caseStatus.statusName', 'caseType')\r\n// arg_max: keeps only the most recent value per case per property\r\n| summarize arg_max(EventTime, PropValue) by EntityId, PropName\r\n| summarize\r\n Status = take_anyif(PropValue, PropName == 'caseStatus.statusName'),\r\n CaseType = take_anyif(PropValue, PropName == 'caseType')\r\n by EntityId\r\n| where isnotempty(Status)\r\n| where tolower(Status) == tolower(targetStatus)\r\n//| where tolower(Status) != tolower(targetStatus) // Uncomment to exclude this status instead\r\n//| where CaseType == '' // Uncomment to filter by case type\r\n| project EntityId, Status, CaseType\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.securityinsights/casemanagement"],"tables":["SecurityCaseEvent"]}},{"id":"a1b2c3d4-1111-4aaa-bbbb-000000000003","displayName":"Cases with most open tasks","description":"Ranks cases by number of open tasks, excluding deleted tasks and cases.","body":"// Ranks cases by number of open tasks, excluding deleted tasks and cases.\r\n//\r\n// --- Exclude deleted cases and tasks ---\r\nlet deletedCases = SecurityCaseEvent\r\n | where TimeGenerated >= ago(90d)\r\n | where EntityType == 'Case'\r\n | where IsDeleted == true\r\n | 
distinct EntityId;\r\nlet deletedTasks = SecurityCaseEvent\r\n | where TimeGenerated >= ago(90d)\r\n | where EntityType == 'CaseTask'\r\n | where IsDeleted == true\r\n | distinct EntityId;\r\n// --- Find the latest status of each task and count open ones per case ---\r\nSecurityCaseEvent\r\n| where TimeGenerated >= ago(90d)\r\n| where EntityType == 'CaseTask'\r\n| where OperationName in ('Create', 'Update')\r\n| where EntityId !in (deletedTasks)\r\n| where ParentEntityId !in (deletedCases)\r\n// mv-expand: expands array properties into individual rows\r\n| mv-expand PropertyNames, NewValues\r\n| extend Status = tostring(NewValues)\r\n| where PropertyNames == 'status'\r\n// arg_max: keeps the latest status value per task\r\n| summarize arg_max(EventTime, Status) by EntityId, ParentEntityId\r\n// Keep only open tasks\r\n| where tolower(Status) !in ('completed', 'skipped', 'failed')\r\n//| where tolower(Status) == 'inprogress' // Uncomment to count only in-progress tasks\r\n| summarize OpenTaskCount = count() by CaseId = ParentEntityId\r\n| order by OpenTaskCount desc\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.securityinsights/casemanagement"],"tables":["SecurityCaseEvent"]}},{"id":"a1b2c3d4-1111-4aaa-bbbb-000000000004","displayName":"Inactive cases","description":"Finds cases with no activity (including child entity activity) in the last 7 days, excluding recently created and deleted cases.","body":"// Cases with no activity in the last 7 days (excluding deleted and closed cases).\r\n// \"Activity\" includes any event on the case itself or its child entities (tasks, comments, etc.).\r\n//\r\n// Parameters you can adjust:\r\nlet creationWindow = 21d; // How far back to look for case creation\r\nlet inactiveDays = 7d; // How many days of silence counts as \"inactive\"\r\n//\r\n// --- Exclude deleted cases ---\r\nlet deletedCases = SecurityCaseEvent\r\n | where TimeGenerated >= 
ago(creationWindow)\r\n | where EntityType == 'Case'\r\n | where IsDeleted == true\r\n | distinct EntityId;\r\n// --- Exclude closed cases (based on latest topLevelStatusName) ---\r\nlet closedCases = SecurityCaseEvent\r\n | where TimeGenerated >= ago(creationWindow)\r\n | where EntityType == 'Case'\r\n | where OperationName in ('Create', 'Update')\r\n | mv-expand PropertyNames, NewValues\r\n | extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n | where PropName == 'caseStatus.topLevelStatusName'\r\n // arg_max: get the most recent status value per case\r\n | summarize arg_max(EventTime, PropValue) by EntityId\r\n | where tolower(PropValue) == 'closed'\r\n | distinct EntityId;\r\n// --- All candidate cases: created within the window but old enough to be \"inactive\" ---\r\nlet allCases = SecurityCaseEvent\r\n | where TimeGenerated >= ago(creationWindow)\r\n | where EntityType == 'Case'\r\n | where OperationName == 'Create'\r\n | where EventTime between (ago(creationWindow) .. 
ago(inactiveDays))\r\n | where EntityId !in (deletedCases)\r\n | where EntityId !in (closedCases)\r\n | distinct CaseId = EntityId;\r\n// --- Find last activity time per case and determine if active (including child entity activity) ---\r\nlet caseActivity = SecurityCaseEvent\r\n | where TimeGenerated >= ago(creationWindow)\r\n // For child entities, map back to the parent case\r\n | extend CaseId = iff(EntityType == 'Case', EntityId, ParentEntityId)\r\n | where isnotempty(CaseId)\r\n | summarize LastActivityTime = max(EventTime) by CaseId;\r\n// --- Look up CaseType for each case ---\r\nlet caseTypes = SecurityCaseEvent\r\n | where TimeGenerated >= ago(creationWindow)\r\n | where EntityType == 'Case'\r\n | where OperationName in ('Create', 'Update')\r\n | mv-expand PropertyNames, NewValues\r\n | extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n | where PropName == 'caseType'\r\n | summarize arg_max(EventTime, PropValue) by EntityId\r\n | project EntityId, CaseType = PropValue;\r\n// --- Result: cases with zero recent activity ---\r\nallCases\r\n| join kind=leftouter caseActivity on CaseId\r\n| where LastActivityTime ' // Uncomment to filter by case type\r\n| project EntityId = CaseId, CaseType, LastActivityTime\r\n| order by LastActivityTime asc\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.securityinsights/casemanagement"],"tables":["SecurityCaseEvent"]}},{"id":"a1b2c3d4-1111-4aaa-bbbb-000000000005","displayName":"Urgent open cases","description":"Lists cases with Critical or High priority that are not in a closed status.","body":"// Cases with Critical or High priority that are not closed.\r\n// Reconstructs the latest property values per case, then filters for\r\n// urgent (High/Critical) cases that remain open.\r\n//\r\n// --- Exclude deleted cases ---\r\nlet deletedCases = SecurityCaseEvent\r\n | where TimeGenerated >= ago(90d)\r\n | where 
EntityType == 'Case'\r\n | where IsDeleted == true\r\n | distinct EntityId;\r\n// --- Reconstruct latest case properties via pivot ---\r\nlet CaseProperties =\r\n SecurityCaseEvent\r\n | where TimeGenerated >= ago(90d)\r\n | where EntityType == 'Case'\r\n | where OperationName in ('Create', 'Update')\r\n | where EntityId !in (deletedCases)\r\n // mv-expand: expands array properties into individual rows per property change\r\n | mv-expand PropertyNames, NewValues\r\n | extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n | extend NormProp = case(\r\n PropName in ('priority', 'severity'), 'Priority',\r\n PropName == 'caseStatus.statusName', 'Status',\r\n PropName == 'caseStatus.topLevelStatusName', 'TopLevelStatus',\r\n PropName == 'displayName', 'DisplayName',\r\n PropName == 'caseType', 'CaseType',\r\n '')\r\n | where NormProp != ''\r\n // arg_max: keeps the most recent value per case per property\r\n | summarize arg_max(EventTime, PropValue) by EntityId, NormProp\r\n // project before pivot to avoid unintended grouping on EventTime\r\n | project EntityId, NormProp, PropValue\r\n // evaluate pivot: turns rows into columns (one column per property)\r\n | evaluate pivot(NormProp, take_any(PropValue));\r\n// --- Filter and output ---\r\n// column_ifexists: safely accesses pivot columns that may not exist if no case has that property\r\nCaseProperties\r\n| extend\r\n Priority = tostring(column_ifexists('Priority', '')),\r\n Status = tostring(column_ifexists('Status', '')),\r\n TopLevelStatus = tostring(column_ifexists('TopLevelStatus', '')),\r\n DisplayName = tostring(column_ifexists('DisplayName', '')),\r\n CaseType = tostring(column_ifexists('CaseType', ''))\r\n| where tolower(Priority) in ('high', 'critical')\r\n| where tolower(Status) !in ('closed') and tolower(TopLevelStatus) !in ('closed')\r\n//| where tolower(Priority) == 'critical' // Uncomment to show only Critical\r\n//| where CaseType == '' // Uncomment to filter by case type\r\n//| 
where AssignedTo has '' // Uncomment to filter by assignee\r\n| project EntityId, DisplayName, Priority, Status, TopLevelStatus, CaseType\r\n| order by Priority asc\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.securityinsights/casemanagement"],"tables":["SecurityCaseEvent"]}},{"id":"a1b2c3d4-1111-4aaa-bbbb-000000000006","displayName":"Cases with overdue tasks","description":"Identifies cases that have open tasks past their due date, ranked by overdue task count.","body":"// Cases with open tasks past their due date, ranked by overdue count.\r\n// Replays task property events to find each task's latest status and due date,\r\n// then filters for tasks that are open and past due.\r\n//\r\n// --- Exclude deleted cases and tasks ---\r\nlet deletedCases = SecurityCaseEvent\r\n | where TimeGenerated >= ago(90d)\r\n | where EntityType == 'Case'\r\n | where IsDeleted == true\r\n | distinct EntityId;\r\nlet deletedTasks = SecurityCaseEvent\r\n | where TimeGenerated >= ago(90d)\r\n | where EntityType == 'CaseTask'\r\n | where IsDeleted == true\r\n | distinct EntityId;\r\n// --- Reconstruct latest task properties via pivot ---\r\nSecurityCaseEvent\r\n| where TimeGenerated >= ago(90d)\r\n| where EntityType == 'CaseTask'\r\n| where OperationName in ('Create', 'Update')\r\n| where EntityId !in (deletedTasks)\r\n| where ParentEntityId !in (deletedCases)\r\n// mv-expand: expands array properties into individual rows per property change\r\n| mv-expand PropertyNames, NewValues\r\n| extend PropertyValue = tostring(NewValues)\r\n// Map only the properties we need for this query\r\n| extend PivotProperty = case(\r\n PropertyNames == 'status', 'status',\r\n PropertyNames == 'dueDateTime', 'dueDateTime',\r\n ''\r\n)\r\n| where PivotProperty != ''\r\n// arg_max: keeps the most recent value of each property per task\r\n| summarize arg_max(EventTime, PropertyValue) by TaskId = EntityId, CaseId = 
ParentEntityId, PivotProperty\r\n// project before pivot to avoid unintended grouping on EventTime\r\n| project TaskId, CaseId, PivotProperty, PropertyValue\r\n// evaluate pivot: transforms rows into columns (one column for 'status', one for 'dueDateTime')\r\n| evaluate pivot(PivotProperty, take_any(PropertyValue))\r\n// column_ifexists: safely accesses a column that may not exist if no task ever had that property set\r\n| extend status = tostring(column_ifexists('status', '')),\r\n dueDateTime = tostring(column_ifexists('dueDateTime', ''))\r\n| where isnotempty(CaseId)\r\n// Filter for open tasks only (exclude completed/skipped/failed)\r\n| where tolower(status) !in ('completed', 'skipped', 'failed')\r\n// Filter for tasks past their due date\r\n| where todatetime(dueDateTime) = ago(30d)\r\n| where EntityType == \"CaseTask\"\r\n| where OperationName == \"Create\"\r\n//| where ParentEntityId == '' // Uncomment to filter by a specific case\r\n| summarize TasksCreated = count() by Day = startofday(EventTime)\r\n| order by Day\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.securityinsights/casemanagement"],"tables":["SecurityCaseEvent"]}},{"id":"a1b2c3d4-1111-4aaa-bbbb-000000000008","displayName":"All case management activity by a specific user","description":"Shows all case management activity (cases, tasks, relations) by a specific user in the last 30 days, grouped by case.","body":"// All case management activity (cases, tasks, relations) by a specific user in the last 30 days, grouped by case.\r\n// Shows the time range and types of operations each user performed on each case.\r\n//\r\n// Replace the placeholder below with a user alias or UPN\r\nlet targetUser = '';\r\nlet timeRange = 30d; // Adjust to widen/narrow the search window\r\nSecurityCaseEvent\r\n| where TimeGenerated >= ago(timeRange)\r\n| where ModifiedBy has targetUser\r\n// Map child entities (tasks, comments, etc.) 
back to their parent case\r\n| extend CaseId = iff(EntityType == 'Case', EntityId, ParentEntityId)\r\n| where isnotempty(CaseId)\r\n| summarize\r\n FirstEvent = min(EventTime),\r\n LastEvent = max(EventTime),\r\n OperationsSet = make_set(OperationName),\r\n EntityTypes = make_set(EntityType)\r\n by CaseId\r\n//| where OperationsSet has 'Delete' // Uncomment to show only cases where user performed deletions\r\n//| where EntityTypes has 'CaseTask' // Uncomment to show only cases where user touched tasks\r\n| order by LastEvent desc\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.securityinsights/casemanagement"],"tables":["SecurityCaseEvent"]}},{"id":"a1b2c3d4-1111-4aaa-bbbb-000000000009","displayName":"Cases and tasks assigned to a specific user","description":"Finds all cases and tasks currently assigned to a specific user, excluding deleted entities.","body":"// All cases and tasks currently assigned to a specific user.\r\n// Replays 'assignedTo' property changes to find the latest assignment per entity.\r\n//\r\n// Replace the placeholder below with a user alias or UPN\r\nlet targetUser = '';\r\n// --- Exclude deleted cases and tasks ---\r\nlet deletedCases = SecurityCaseEvent\r\n | where TimeGenerated >= ago(90d)\r\n | where EntityType == 'Case'\r\n | where IsDeleted == true\r\n | distinct EntityId;\r\nlet deletedTasks = SecurityCaseEvent\r\n | where TimeGenerated >= ago(90d)\r\n | where EntityType == 'CaseTask'\r\n | where IsDeleted == true\r\n | distinct EntityId;\r\n// --- Find the latest 'assignedTo' value for each case and task ---\r\nSecurityCaseEvent\r\n| where TimeGenerated >= ago(90d)\r\n| where EntityType in ('Case', 'CaseTask')\r\n| where OperationName in ('Create', 'Update')\r\n| extend CaseId = iff(EntityType == 'Case', EntityId, ParentEntityId)\r\n| where CaseId !in (deletedCases)\r\n| where EntityId !in (deletedTasks)\r\n// mv-expand: expands array properties into 
individual rows per property change\r\n| mv-expand PropertyNames, NewValues\r\n| extend\r\n PropertyName = tostring(PropertyNames),\r\n PropertyValue = tostring(NewValues)\r\n| where PropertyName == 'assignedTo'\r\n// arg_max: keeps the most recent assignment per entity\r\n| summarize arg_max(EventTime, PropertyValue, CaseId) by EntityType, EntityId\r\n| where PropertyValue has targetUser\r\n//| where EntityType == 'CaseTask' // Uncomment to show only tasks\r\n| project\r\n EntityType,\r\n EntityId,\r\n CaseId,\r\n AssignedTo = PropertyValue,\r\n LastAssignmentTime = EventTime\r\n| order by LastAssignmentTime desc\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.securityinsights/casemanagement"],"tables":["SecurityCaseEvent"]}},{"id":"a1b2c3d4-1111-4aaa-bbbb-000000000010","displayName":"Users with most open case tasks","description":"Counts open tasks assigned to each user, excluding deleted tasks and cases.","body":"// Users ranked by number of open tasks assigned to them.\r\n// Reconstructs each task's latest status and assignee, then counts open tasks per user.\r\n//\r\n// --- Exclude deleted cases and tasks ---\r\nlet deletedCases = SecurityCaseEvent\r\n | where TimeGenerated >= ago(90d)\r\n | where EntityType == 'Case'\r\n | where IsDeleted == true\r\n | distinct EntityId;\r\nlet deletedTasks = SecurityCaseEvent\r\n | where TimeGenerated >= ago(90d)\r\n | where EntityType == 'CaseTask'\r\n | where IsDeleted == true\r\n | distinct EntityId;\r\n// --- Reconstruct latest task properties via pivot ---\r\nSecurityCaseEvent\r\n| where TimeGenerated >= ago(90d)\r\n| where EntityType == 'CaseTask'\r\n| where OperationName in ('Create', 'Update')\r\n| where EntityId !in (deletedTasks)\r\n| where ParentEntityId !in (deletedCases)\r\n// mv-expand: expands array properties into individual rows per property change\r\n| mv-expand PropertyNames, NewValues\r\n| extend PropertyValue = 
tostring(NewValues)\r\n// Map only the properties we care about\r\n| extend PivotProperty = case(\r\n PropertyNames == 'status', 'status',\r\n PropertyNames == 'assignedTo', 'assignedTo',\r\n ''\r\n)\r\n| where PivotProperty != ''\r\n// arg_max: keeps the most recent value of each property per task\r\n| summarize arg_max(EventTime, PropertyValue) by TaskId = EntityId, PivotProperty\r\n// project before pivot to avoid unintended grouping on EventTime\r\n| project TaskId, PivotProperty, PropertyValue\r\n// evaluate pivot: transforms rows into columns (one for 'status', one for 'assignedTo')\r\n| evaluate pivot(PivotProperty, take_any(PropertyValue))\r\n// column_ifexists: safely accesses columns that may not exist if no task has that property\r\n| extend status = column_ifexists('status', dynamic(null)),\r\n assignedTo = tostring(column_ifexists('assignedTo', 'Unassigned'))\r\n// Keep only open tasks (exclude completed/skipped/failed)\r\n| where tolower(tostring(status)) !in ('completed', 'skipped', 'failed') or isnull(status)\r\n| extend assignedTo = iff(isempty(assignedTo), 'Unassigned', assignedTo)\r\n| where assignedTo != 'Unassigned'\r\n//| where assignedTo has '' // Uncomment to filter for a specific user\r\n| summarize OpenTaskCount = count() by assignedTo\r\n| order by OpenTaskCount desc\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.securityinsights/casemanagement"],"tables":["SecurityCaseEvent"]}},{"id":"a1b2c3d4-1111-4aaa-bbbb-000000000011","displayName":"Full cases snapshot (all cases)","description":"Reconstructs the current state of all cases changed within a time window, including tasks, comments, attachments, tags, and relations as JSON arrays.","body":"// Reconstruct the current state of ALL cases changed within a time window, including child entities.\r\n// Same approach as SingleCaseSnapshot but without filtering to a specific case ID.\r\n// Output: one row per case 
with Tasks, Comments, Attachments, Tags, and Relations as JSON arrays.\r\n//\r\n// How it works:\r\n// 1. Find all non-deleted cases with events in the lookback window\r\n// 2. For each case property, find the latest value via arg_max\r\n// 3. Repeat for child entities (tasks, comments, attachments, relations)\r\n// 4. Join into a single row per case\r\n//\r\nlet lookback = 90d;\r\n//\r\n// ============ STEP 1: Identify non-deleted cases ============\r\nlet deletedCases = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'Case'\r\n | where IsDeleted == true\r\n | distinct EntityId;\r\nlet ChangedCaseIds = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'Case'\r\n | where EntityId !in (deletedCases)\r\n | distinct CaseId = EntityId;\r\n//\r\n// ============ STEP 2: Reconstruct case-level properties ============\r\nlet CaseSnapshot = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'Case'\r\n | where IsDeleted == false\r\n | where EntityId in (ChangedCaseIds)\r\n | where OperationName in ('Create', 'Update')\r\n | mv-expand PropertyNames, NewValues\r\n | extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n // arg_max: for each property, keep the value from the most recent event\r\n | summarize arg_max(EventTime, PropValue, EntityCreatedTime) by EntityId, PropName\r\n | summarize\r\n DisplayName = take_anyif(PropValue, PropName == 'displayName'),\r\n StatusName = take_anyif(PropValue, PropName == 'caseStatus.statusName'),\r\n TopLevelStatus = take_anyif(PropValue, PropName == 'caseStatus.topLevelStatusName'),\r\n Severity = take_anyif(PropValue, PropName == 'severity'), // Incident cases\r\n Priority = take_anyif(PropValue, PropName == 'priority'), // Default cases\r\n AssignedTo = take_anyif(PropValue, PropName == 'assignedTo'),\r\n Classification = take_anyif(PropValue, PropName == 'classification'),\r\n Determination = 
take_anyif(PropValue, PropName == 'determination'),\r\n Description = take_anyif(PropValue, PropName == 'description'),\r\n CaseType = take_anyif(PropValue, PropName == 'caseType'),\r\n CreatedTime = take_anyif(PropValue, PropName == 'createdTime'),\r\n EntityCreatedTime = take_any(EntityCreatedTime),\r\n CustomFields = take_anyif(PropValue, PropName == 'customFields'),\r\n ClosingNotes = take_anyif(PropValue, PropName == 'closingNotes'),\r\n SlaAssignmentStatus = take_anyif(PropValue, PropName == 'sla.assignmentStatus'),\r\n SlaResolutionStatus = take_anyif(PropValue, PropName == 'sla.resolutionStatus'),\r\n SlaPolicyName = take_anyif(PropValue, PropName == 'sla.policyName'),\r\n SlaPolicyId = take_anyif(PropValue, PropName == 'sla.policyId'),\r\n SlaPolicyAppliedDateTime = take_anyif(PropValue, PropName == 'sla.policyAppliedDateTime')\r\n by EntityId;\r\n//\r\n// ============ STEP 3: Reconstruct child entities ============\r\n// --- Tasks ---\r\nlet ActiveTasks = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseTask'\r\n | where ParentEntityId in (ChangedCaseIds)\r\n | summarize arg_max(EventTime, IsDeleted, OperationName) by EntityId\r\n | where IsDeleted == false and OperationName != 'Delete'\r\n | project TaskId = EntityId;\r\nlet TasksJson = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseTask'\r\n | where EntityId in (ActiveTasks)\r\n | where OperationName in ('Create', 'Update')\r\n | mv-expand PropertyNames, NewValues\r\n | extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n | summarize arg_max(EventTime, PropValue, EntityCreatedTime) by EntityId, ParentEntityId, PropName\r\n | summarize TaskProps = make_bag(pack(PropName, PropValue)), EntityCreatedTime = take_any(EntityCreatedTime) by TaskId = EntityId, CaseId = ParentEntityId\r\n | extend Task = bag_merge(TaskProps, bag_pack('taskId', TaskId, 'entityCreatedTime', 
tostring(EntityCreatedTime)))\r\n | summarize Tasks = make_list(Task) by EntityId = CaseId;\r\n// --- Comments ---\r\nlet ActiveComments = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseComment'\r\n | where ParentEntityId in (ChangedCaseIds)\r\n | summarize arg_max(EventTime, IsDeleted, OperationName) by EntityId\r\n | where IsDeleted == false and OperationName != 'Delete'\r\n | project CommentId = EntityId;\r\nlet CommentsJson = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseComment'\r\n | where EntityId in (ActiveComments)\r\n | where OperationName in ('Create', 'Update')\r\n | mv-expand PropertyNames, NewValues\r\n | extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n | summarize arg_max(EventTime, PropValue, EntityCreatedTime) by EntityId, ParentEntityId, PropName\r\n | summarize CommentProps = make_bag(pack(PropName, PropValue)), EntityCreatedTime = take_any(EntityCreatedTime) by CommentId = EntityId, CaseId = ParentEntityId\r\n | extend Comment = bag_merge(CommentProps, bag_pack('commentId', CommentId, 'entityCreatedTime', tostring(EntityCreatedTime)))\r\n | summarize Comments = make_list(Comment) by EntityId = CaseId;\r\n// --- Attachments ---\r\nlet ActiveAttachments = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseAttachment'\r\n | where ParentEntityId in (ChangedCaseIds)\r\n | summarize arg_max(EventTime, IsDeleted, OperationName) by EntityId\r\n | where IsDeleted == false and OperationName != 'Delete'\r\n | project AttachmentId = EntityId;\r\nlet AttachmentsJson = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseAttachment'\r\n | where EntityId in (ActiveAttachments)\r\n | where OperationName in ('Create', 'Update')\r\n | mv-expand PropertyNames, NewValues\r\n | extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n | summarize 
arg_max(EventTime, PropValue, EntityCreatedTime) by EntityId, ParentEntityId, PropName\r\n | summarize AttachmentProps = make_bag(pack(PropName, PropValue)), EntityCreatedTime = take_any(EntityCreatedTime) by AttachmentId = EntityId, CaseId = ParentEntityId\r\n | extend Attachment = bag_merge(AttachmentProps, bag_pack('attachmentId', AttachmentId, 'entityCreatedTime', tostring(EntityCreatedTime)))\r\n | summarize Attachments = make_list(Attachment) by EntityId = CaseId;\r\n// --- Tags ---\r\nlet CaseTags = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'Case'\r\n | where EntityId in (ChangedCaseIds)\r\n | where OperationName in ('Create', 'Update')\r\n | where PropertyNames has 'tags'\r\n | extend TagIdx = array_index_of(PropertyNames, 'tags')\r\n | extend Tags = iff(TagIdx >= 0, NewValues[TagIdx], NewValues)\r\n | summarize arg_max(EventTime, Tags) by EntityId\r\n | project EntityId, Tags;\r\n// --- Relations ---\r\nlet ActiveRelations = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseRelation'\r\n | where ParentEntityId in (ChangedCaseIds)\r\n | summarize arg_max(EventTime, IsDeleted, OperationName) by EntityId\r\n | where IsDeleted == false and OperationName !in ('Delete', 'Unlink')\r\n | project RelationId = EntityId;\r\nlet RelationsJson = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseRelation'\r\n | where EntityId in (ActiveRelations)\r\n | where OperationName in ('Create', 'Update', 'Link')\r\n | mv-expand PropertyNames, NewValues\r\n | extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n | summarize arg_max(EventTime, PropValue, EntityCreatedTime) by EntityId, ParentEntityId, PropName\r\n | summarize RelationProps = make_bag(pack(PropName, PropValue)), EntityCreatedTime = take_any(EntityCreatedTime) by RelationId = EntityId, CaseId = ParentEntityId\r\n | extend Relation = bag_merge(RelationProps, 
bag_pack('relationId', RelationId, 'entityCreatedTime', tostring(EntityCreatedTime)))\r\n | summarize Relations = make_list(Relation) by EntityId = CaseId;\r\n//\r\n// ============ STEP 4: Join all pieces into final output ============\r\nCaseSnapshot\r\n| join kind=leftouter TasksJson on EntityId\r\n| join kind=leftouter CommentsJson on EntityId\r\n| join kind=leftouter AttachmentsJson on EntityId\r\n| join kind=leftouter RelationsJson on EntityId\r\n| join kind=leftouter CaseTags on EntityId\r\n| project\r\n EntityId, DisplayName, StatusName, TopLevelStatus, Severity, Priority,\r\n AssignedTo, Classification, Determination, Description,\r\n Tags = coalesce(Tags, dynamic([])), CaseType, CreatedTime, EntityCreatedTime, CustomFields, ClosingNotes,\r\n SlaAssignmentStatus, SlaResolutionStatus, SlaPolicyName, SlaPolicyId, SlaPolicyAppliedDateTime,\r\n Tasks = coalesce(Tasks, dynamic([])),\r\n Comments = coalesce(Comments, dynamic([])),\r\n Attachments = coalesce(Attachments, dynamic([])),\r\n Relations = coalesce(Relations, dynamic([]))\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.securityinsights/casemanagement"],"tables":["SecurityCaseEvent"]}},{"id":"a1b2c3d4-1111-4aaa-bbbb-000000000012","displayName":"Single case snapshot","description":"Reconstructs the complete current state of a single case including all child entities.","body":"// Reconstruct the complete current state of a single case including all child entities.\r\n// This query replays all events to build a full \"snapshot\" of a case as it exists now,\r\n// including tasks, comments, attachments, tags, and relations as JSON arrays.\r\n//\r\n// How it works:\r\n// 1. Identify the target case (exclude if deleted)\r\n// 2. For each property, find the latest value via arg_max (most recent event wins)\r\n// 3. Repeat for each child entity type (tasks, comments, attachments, relations)\r\n// 4. 
Join everything together into a single output row per case\r\n//\r\n// Replace with the case ID you want to inspect\r\nlet targetCaseId = '';\r\nlet lookback = 90d;\r\n//\r\n// ============ STEP 1: Exclude deleted cases ============\r\nlet deletedCases = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'Case'\r\n | where IsDeleted == true\r\n | distinct EntityId;\r\nlet ChangedCaseIds = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'Case'\r\n | where EntityId == targetCaseId\r\n | where EntityId !in (deletedCases)\r\n | distinct CaseId = EntityId;\r\n//\r\n// ============ STEP 2: Reconstruct case-level properties ============\r\nlet CaseSnapshot = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'Case'\r\n | where IsDeleted == false\r\n | where EntityId in (ChangedCaseIds)\r\n | where OperationName in ('Create', 'Update')\r\n // mv-expand: expand array properties into one row per property\r\n | mv-expand PropertyNames, NewValues\r\n | extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n // arg_max: for each property, keep the value from the most recent event\r\n | summarize arg_max(EventTime, PropValue, EntityCreatedTime) by EntityId, PropName\r\n // take_anyif: pivot properties into named columns\r\n | summarize\r\n DisplayName = take_anyif(PropValue, PropName == 'displayName'),\r\n StatusName = take_anyif(PropValue, PropName == 'caseStatus.statusName'),\r\n TopLevelStatus = take_anyif(PropValue, PropName == 'caseStatus.topLevelStatusName'),\r\n Severity = take_anyif(PropValue, PropName == 'severity'), // Incident cases\r\n Priority = take_anyif(PropValue, PropName == 'priority'), // Default cases\r\n AssignedTo = take_anyif(PropValue, PropName == 'assignedTo'),\r\n Classification = take_anyif(PropValue, PropName == 'classification'),\r\n Determination = take_anyif(PropValue, PropName == 'determination'),\r\n Description = 
take_anyif(PropValue, PropName == 'description'),\r\n CaseType = take_anyif(PropValue, PropName == 'caseType'),\r\n CreatedTime = take_anyif(PropValue, PropName == 'createdTime'),\r\n EntityCreatedTime = take_any(EntityCreatedTime),\r\n CustomFields = take_anyif(PropValue, PropName == 'customFields'),\r\n ClosingNotes = take_anyif(PropValue, PropName == 'closingNotes'),\r\n SlaAssignmentStatus = take_anyif(PropValue, PropName == 'sla.assignmentStatus'),\r\n SlaResolutionStatus = take_anyif(PropValue, PropName == 'sla.resolutionStatus'),\r\n SlaPolicyName = take_anyif(PropValue, PropName == 'sla.policyName'),\r\n SlaPolicyId = take_anyif(PropValue, PropName == 'sla.policyId'),\r\n SlaPolicyAppliedDateTime = take_anyif(PropValue, PropName == 'sla.policyAppliedDateTime')\r\n by EntityId;\r\n//\r\n// ============ STEP 3: Reconstruct child entities ============\r\n// --- Tasks ---\r\nlet ActiveTasks = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseTask'\r\n | where ParentEntityId in (ChangedCaseIds)\r\n | summarize arg_max(EventTime, IsDeleted, OperationName) by EntityId\r\n | where IsDeleted == false and OperationName != 'Delete'\r\n | project TaskId = EntityId;\r\nlet TasksJson = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseTask'\r\n | where EntityId in (ActiveTasks)\r\n | where OperationName in ('Create', 'Update')\r\n | mv-expand PropertyNames, NewValues\r\n | extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n | summarize arg_max(EventTime, PropValue, EntityCreatedTime) by EntityId, ParentEntityId, PropName\r\n // make_bag + bag_merge: pack all properties into a single JSON object per task\r\n | summarize TaskProps = make_bag(pack(PropName, PropValue)), EntityCreatedTime = take_any(EntityCreatedTime) by TaskId = EntityId, CaseId = ParentEntityId\r\n | extend Task = bag_merge(TaskProps, bag_pack('taskId', TaskId, 'entityCreatedTime', 
tostring(EntityCreatedTime)))\r\n | summarize Tasks = make_list(Task) by EntityId = CaseId;\r\n// --- Comments ---\r\nlet ActiveComments = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseComment'\r\n | where ParentEntityId in (ChangedCaseIds)\r\n | summarize arg_max(EventTime, IsDeleted, OperationName) by EntityId\r\n | where IsDeleted == false and OperationName != 'Delete'\r\n | project CommentId = EntityId;\r\nlet CommentsJson = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseComment'\r\n | where EntityId in (ActiveComments)\r\n | where OperationName in ('Create', 'Update')\r\n | mv-expand PropertyNames, NewValues\r\n | extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n | summarize arg_max(EventTime, PropValue, EntityCreatedTime) by EntityId, ParentEntityId, PropName\r\n | summarize CommentProps = make_bag(pack(PropName, PropValue)), EntityCreatedTime = take_any(EntityCreatedTime) by CommentId = EntityId, CaseId = ParentEntityId\r\n | extend Comment = bag_merge(CommentProps, bag_pack('commentId', CommentId, 'entityCreatedTime', tostring(EntityCreatedTime)))\r\n | summarize Comments = make_list(Comment) by EntityId = CaseId;\r\n// --- Attachments ---\r\nlet ActiveAttachments = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseAttachment'\r\n | where ParentEntityId in (ChangedCaseIds)\r\n | summarize arg_max(EventTime, IsDeleted, OperationName) by EntityId\r\n | where IsDeleted == false and OperationName != 'Delete'\r\n | project AttachmentId = EntityId;\r\nlet AttachmentsJson = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseAttachment'\r\n | where EntityId in (ActiveAttachments)\r\n | where OperationName in ('Create', 'Update')\r\n | mv-expand PropertyNames, NewValues\r\n | extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n | summarize 
arg_max(EventTime, PropValue, EntityCreatedTime) by EntityId, ParentEntityId, PropName\r\n | summarize AttachmentProps = make_bag(pack(PropName, PropValue)), EntityCreatedTime = take_any(EntityCreatedTime) by AttachmentId = EntityId, CaseId = ParentEntityId\r\n | extend Attachment = bag_merge(AttachmentProps, bag_pack('attachmentId', AttachmentId, 'entityCreatedTime', tostring(EntityCreatedTime)))\r\n | summarize Attachments = make_list(Attachment) by EntityId = CaseId;\r\n// --- Tags ---\r\nlet CaseTags = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'Case'\r\n | where EntityId in (ChangedCaseIds)\r\n | where OperationName in ('Create', 'Update')\r\n | where PropertyNames has 'tags'\r\n | extend TagIdx = array_index_of(PropertyNames, 'tags')\r\n | extend Tags = iff(TagIdx >= 0, NewValues[TagIdx], NewValues)\r\n | summarize arg_max(EventTime, Tags) by EntityId\r\n | project EntityId, Tags;\r\n// --- Relations ---\r\nlet ActiveRelations = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseRelation'\r\n | where ParentEntityId in (ChangedCaseIds)\r\n | summarize arg_max(EventTime, IsDeleted, OperationName) by EntityId\r\n | where IsDeleted == false and OperationName !in ('Delete', 'Unlink')\r\n | project RelationId = EntityId;\r\nlet RelationsJson = SecurityCaseEvent\r\n | where TimeGenerated >= ago(lookback)\r\n | where EntityType == 'CaseRelation'\r\n | where EntityId in (ActiveRelations)\r\n | where OperationName in ('Create', 'Update', 'Link')\r\n | mv-expand PropertyNames, NewValues\r\n | extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n | summarize arg_max(EventTime, PropValue, EntityCreatedTime) by EntityId, ParentEntityId, PropName\r\n | summarize RelationProps = make_bag(pack(PropName, PropValue)), EntityCreatedTime = take_any(EntityCreatedTime) by RelationId = EntityId, CaseId = ParentEntityId\r\n | extend Relation = bag_merge(RelationProps, 
bag_pack('relationId', RelationId, 'entityCreatedTime', tostring(EntityCreatedTime)))\r\n | summarize Relations = make_list(Relation) by EntityId = CaseId;\r\n//\r\n// ============ STEP 4: Join all pieces into final output ============\r\nCaseSnapshot\r\n| join kind=leftouter TasksJson on EntityId\r\n| join kind=leftouter CommentsJson on EntityId\r\n| join kind=leftouter AttachmentsJson on EntityId\r\n| join kind=leftouter RelationsJson on EntityId\r\n| join kind=leftouter CaseTags on EntityId\r\n| project\r\n EntityId, DisplayName, StatusName, TopLevelStatus, Severity, Priority,\r\n AssignedTo, Classification, Determination, Description,\r\n Tags = coalesce(Tags, dynamic([])), CaseType, CreatedTime, EntityCreatedTime, CustomFields, ClosingNotes,\r\n SlaAssignmentStatus, SlaResolutionStatus, SlaPolicyName, SlaPolicyId, SlaPolicyAppliedDateTime,\r\n Tasks = coalesce(Tasks, dynamic([])),\r\n Comments = coalesce(Comments, dynamic([])),\r\n Attachments = coalesce(Attachments, dynamic([])),\r\n Relations = coalesce(Relations, dynamic([]))\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.securityinsights/casemanagement"],"tables":["SecurityCaseEvent"]}},{"id":"a1b2c3d4-1111-4aaa-bbbb-000000000013","displayName":"Point-in-time single case snapshot","description":"Reconstructs a case's state as of a specific historical timestamp (time-travel), enabling forensic investigation of past case states.","body":"// Reconstruct a case's state as of a specific historical timestamp (time-travel).\r\n// Useful for forensic investigation: \"What did case X look like on date Y?\"\r\n//\r\n// Unlike the other snapshots, this query intentionally has NO TimeGenerated filter\r\n// because it needs to scan all history back to the case's creation.\r\n//\r\n// Replace these parameters with your target case and desired point in time:\r\nlet targetCaseId = '';\r\n// Example: datetime(2026-05-13T14:30:00Z)\r\nlet 
snapshotTime = datetime('');\r\n//\r\n// ============ STEP 1: Exclude cases deleted before snapshot time ============\r\nlet deletedCases = SecurityCaseEvent\r\n | where EntityType == 'Case'\r\n | where EventTime = 0, NewValues[TagIdx], NewValues)\r\n | summarize arg_max(EventTime, Tags) by EntityId\r\n | project EntityId, Tags;\r\n// --- Relations ---\r\nlet ActiveRelations = SecurityCaseEvent\r\n | where EntityType == 'CaseRelation'\r\n | where ParentEntityId in (ChangedCaseIds)\r\n | where EventTime ';\r\n// --- Exclude deleted cases ---\r\nlet deletedCases = SecurityCaseEvent\r\n | where TimeGenerated >= ago(90d)\r\n | where EntityType == 'Case'\r\n | where IsDeleted == true\r\n | distinct EntityId;\r\n// --- Exclude closed cases ---\r\nlet closedCases = SecurityCaseEvent\r\n | where TimeGenerated >= ago(90d)\r\n | where EntityType == 'Case'\r\n | where OperationName in ('Create', 'Update')\r\n | mv-expand PropertyNames, NewValues\r\n | extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n | where PropName == 'caseStatus.topLevelStatusName'\r\n | summarize arg_max(EventTime, PropValue) by EntityId\r\n | where tolower(PropValue) == 'closed'\r\n | distinct EntityId;\r\n// --- Reconstruct latest SLA and case properties via pivot ---\r\nlet CaseProperties =\r\n SecurityCaseEvent\r\n | where TimeGenerated >= ago(90d)\r\n | where EntityType == 'Case'\r\n | where OperationName in ('Create', 'Update')\r\n | where EntityId !in (deletedCases)\r\n | where EntityId !in (closedCases)\r\n // mv-expand: expands array properties into individual rows per property change\r\n | mv-expand PropertyNames, NewValues\r\n | extend PropName = tostring(PropertyNames), PropValue = tostring(NewValues)\r\n | extend NormProp = case(\r\n PropName == 'displayName', 'DisplayName',\r\n PropName == 'assignedTo', 'AssignedTo',\r\n PropName == 'caseType', 'CaseType',\r\n PropName == 'sla.resolutionStatus', 'SlaResolutionStatus',\r\n PropName == 'sla.assignmentStatus', 
'SlaAssignmentStatus',\r\n PropName == 'sla.policyName', 'SlaPolicyName',\r\n '')\r\n | where NormProp != ''\r\n // arg_max: keeps the most recent value per case per property\r\n | summarize arg_max(EventTime, PropValue) by EntityId, NormProp\r\n // project before pivot to avoid unintended grouping on EventTime\r\n | project EntityId, NormProp, PropValue\r\n // evaluate pivot: turns rows into columns (one column per property)\r\n | evaluate pivot(NormProp, take_any(PropValue));\r\n// --- Filter by SLA status ---\r\n// column_ifexists: safely accesses pivot columns that may not exist if no case has SLA data\r\nCaseProperties\r\n| extend\r\n SlaResolutionStatus = tostring(column_ifexists('SlaResolutionStatus', '')),\r\n SlaAssignmentStatus = tostring(column_ifexists('SlaAssignmentStatus', '')),\r\n SlaPolicyName = tostring(column_ifexists('SlaPolicyName', '')),\r\n CaseType = tostring(column_ifexists('CaseType', ''))\r\n| where tolower(SlaResolutionStatus) == tolower(slaStatus)\r\n//| where tolower(SlaAssignmentStatus) == tolower(slaStatus) // Uncomment to filter by assignment SLA instead\r\n//| where CaseType == '' // Uncomment to filter by case type\r\n//| where AssignedTo has '' // Uncomment to filter by assignee\r\n| project EntityId, DisplayName, AssignedTo, SlaResolutionStatus, SlaAssignmentStatus, SlaPolicyName, CaseType\r\n| order by EntityId asc","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.securityinsights/casemanagement"],"tables":["SecurityCaseEvent"]}},{"id":"16191aba-3eee-4973-b338-7077300f32e1","displayName":"Failed experiment runs","description":"List failed experiment runs.","body":"ChaosStudioExperimentEventLogs\r\n| where Status == 'Failed' and SpanType == 'Experiment'\r\n| sort by TimeGenerated 
desc","properties":{"ExampleQuery":true},"related":{"categories":["audit","resources","monitor"],"resourceTypes":["microsoft.chaos/experiments"],"tables":["ChaosStudioExperimentEventLogs"]}},{"id":"151d25cf-7e9a-48eb-98ff-fe39a595ddff","displayName":"Experiment events on last experiment run","description":"List experiment events on the last experiment run.","body":"ChaosStudioExperimentEventLogs\r\n| lookup kind=inner (\r\n ChaosStudioExperimentEventLogs\r\n | top 1 by TimeGenerated desc\r\n | project CorrelationId\r\n) on CorrelationId\r\n| order by TimeGenerated asc","properties":{"ExampleQuery":true},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.chaos/experiments"],"tables":["ChaosStudioExperimentEventLogs"]}},{"id":"e159f354-4be5-40de-90cc-0152553aca5a","displayName":"Latest Transactions","description":"View the latest transactions.","body":"// ACLTransactionLogsQuery KQL query\r\n// To create an alert for this query, click '+ New alert rule'\r\nACLTransactionLogs\r\n| where Message has \"END\"\r\n| sort by TimeGenerated desc\r\n| limit 100\r\n","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.confidentialledger/ledgers"],"tables":["ACLTransactionLogs"]}},{"id":"3f837a43-8382-465c-9681-cadd66b5755d","displayName":"Latest User Defined Logs","description":"View the latest logs.","body":"// To create an alert for this query, click '+ New alert rule'\r\nACLUserDefinedLogs\r\n| sort by TimeGenerated desc\r\n| limit 100\r\n","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","applications"],"resourceTypes":["microsoft.confidentialledger/ledgers"],"tables":["ACLUserDefinedLogs"]}},{"id":"f986ae23-a5e3-4b1a-8c7f-d3209a0267a7","displayName":"Latest Ledger Transactions","description":"View the latest transactions 
on Azure Confidential Ledger.","body":"// LedgerTransactionLogs KQL query\r\n// To create an alert for this query, click '+ New alert rule'\r\nLedgerTransactionLogs\r\n| where Message has \"END\"\r\n| sort by TimeGenerated desc\r\n| limit 100\r\n","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.confidentialledger/ledgers"],"tables":["LedgerTransactionLogs"]}},{"id":"a68218d8-84d3-45ce-87c5-1ff89cbe9eaf","displayName":"Latest Ledger User Defined Logs","description":"View the latest user defined logs on Azure Confidential Ledger.","body":"// LedgerUserDefinedLogs KQL query\r\n// To create an alert for this query, click '+ New alert rule'\r\nLedgerUserDefinedLogs\r\n| sort by TimeGenerated desc\r\n| limit 100\r\n","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","applications"],"resourceTypes":["microsoft.confidentialledger/ledgers"],"tables":["LedgerUserDefinedLogs"]}},{"id":"8a9e48ac-20be-4074-8118-9366e73d8dac","displayName":"Failed tests","description":"Gets failed distinct source, destination, test group and test configuration for each resource.","body":"NWConnectionMonitorTestResult \r\n| where TimeGenerated > ago(24h) \r\n| where TestResult == \"Fail\"\r\n| distinct _ResourceId, SourceName, DestinationName, TestGroupName, TestConfigurationName","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/networkwatchers/connectionmonitors"],"tables":["NWConnectionMonitorTestResult"]}},{"id":"da3145ca-5cb9-43f4-afcc-0544bc320d8d","displayName":"Tests performance","description":"Gets loss percentage and average latency between given source and destination of a resource.","body":"// For specific results, insert 
values in the let statements and uncomment the where filters within the query\r\n// let connectionMonitorResourceId = \"\";\r\n// let sourceName = \"\";\r\n// let destinationName = \"\";\r\n// let testGroupName = \"\";\r\n// let testConfigurationName = \"\";\r\nNWConnectionMonitorTestResult \r\n| where TimeGenerated > ago(24h) \r\n// | where ConnectionMonitorResourceId has connectionMonitorResourceId\r\n// | where SourceName has sourceName\r\n// | where DestinationName has destinationName\r\n// | where TestGroupName has testGroupName\r\n// | where TestConfigurationName has testConfigurationName\r\n| extend LossPercent = ChecksFailed * 100 / ChecksTotal\r\n| project TimeGenerated, ConnectionMonitorResourceId, TestResult, AvgRoundTripTimeMs, LossPercent, SourceName, SourceAddress, DestinationName, DestinationAddress\r\n| order by TimeGenerated desc;","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/networkwatchers/connectionmonitors"],"tables":["NWConnectionMonitorTestResult"]}},{"id":"a756c739-e5cb-4bf1-9b37-4d58d5a49e2d","displayName":"Path diagnostics","description":"Gets path or all hops along with identified issues between given source and destination of a resource.","body":"// For specific results, insert values in the let statements and uncomment the where filters within the query\r\n// let connectionMonitorResourceId = \"\";\r\n// let sourceName = \"\";\r\n// let destinationName = \"\";\r\n// let testGroupName = \"\";\r\n// let testConfigurationName = \"\";\r\nNWConnectionMonitorPathResult \r\n| where TimeGenerated > ago(24h) \r\n// | where ConnectionMonitorResourceId has connectionMonitorResourceId\r\n// | where SourceName has sourceName\r\n// | where DestinationName has destinationName\r\n// | where TestGroupName has testGroupName\r\n// | where TestConfigurationName has testConfigurationName\r\n| project TimeGenerated, 
ConnectionMonitorResourceId, PathTestResult, SourceName, SourceAddress, DestinationName, DestinationAddress, Hops\r\n| order by TimeGenerated desc;","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/networkwatchers/connectionmonitors"],"tables":["NWConnectionMonitorPathResult"]}},{"id":"36891d32-455c-4492-9681-a06713a17de0","displayName":"Latest Container App errors","description":"Displays the 100 most recent logs written to the log stream in Azure Container Apps. This will help you quickly spot newly generated errors or warnings for troubleshooting.","body":"ContainerAppConsoleLogs_CL\r\n| where Stream_s == \"stderr\"\r\n| order by TimeGenerated desc\r\n| top 100 by TimeGenerated","tags":{"Topic":["Troubleshooting"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.app/managedenvironments"]}},{"id":"191c185d-0bb0-4690-a8cd-51a38289b9c0","displayName":"Most Frequent Error Messages","description":"Retrieves the most common error messages by counting how often they appear, then returns the top 10.","body":"ContainerAppConsoleLogs_CL\r\n| where Log_s contains \"error\"\r\n| summarize LastOcurrTime = max(TimeGenerated), CountErrorMessages = count() by Log_s\r\n| top 10 by LastOcurrTime desc","tags":{"Topic":["Troubleshooting"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.app/managedenvironments"]}},{"id":"9db05ad5-c9f7-4136-882e-a5bebb798cf1","displayName":"Failed Revision Provisions","description":"Shows system logs indicating failures in provisioning revisions from the ContainerAppController, ordered by the most recent failures.","body":"ContainerAppSystemLogs_CL\r\n| where EventSource_s == \"ContainerAppController\"\r\n| where Log_s contains \"Error provisioning revision\"\r\n| project TimeGenerated, ContainerAppName_s, 
RevisionName_s, Log_s, Reason_s, Level\r\n| order by TimeGenerated desc","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.app/managedenvironments"]}},{"id":"e5922e5d-6e1c-4bb8-a0ba-eb64414622a6","displayName":"Probe Failed","description":"Finds all probe failed logs.","body":"ContainerAppSystemLogs_CL\r\n| where Log_s contains \"probe failed: \"\r\n| top 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.app/managedenvironments"]}},{"id":"10b27cd1-2881-481a-aa4e-7a7b310fe3af","displayName":"Error or Exception Logs Count","description":"Provides a count of log messages with error or exception per environment, app, and revision in a table.","body":"ContainerAppSystemLogs_CL\r\n| where Log_s contains \"error\" or Log_s contains \"exception\"\r\n| project Time=TimeGenerated, EnvName=EnvironmentName_s, AppName=ContainerAppName_s, Revision=RevisionName_s, Message=Log_s\r\n| summarize count_per_app = count() by EnvName, AppName, Revision\r\n| sort by count_per_app desc","tags":{"Topic":["Troubleshooting"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.app/managedenvironments"]}},{"id":"67abc9cc-f88e-4d0f-9b47-51bbff409682","displayName":"Image Pull Failures","description":"Provides logs that mention failures when pulling container images, which can indicate registry or network problems.","body":"ContainerAppSystemLogs_CL\r\n| where Log_s contains \"Failed to pull image\"\r\n| project Message=Log_s, Time=TimeGenerated, EnvName=EnvironmentName_s, AppName=ContainerAppName_s, Revision=RevisionName_s\r\n| take 100\r\n| sort by Time 
desc","tags":{"Topic":["Troubleshooting"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.app/managedenvironments"]}},{"id":"f94b4370-78dd-40ad-9b22-f3461f9d8446","displayName":"Insufficient Quota","description":"Provides logs that report the maximum allowed cores being exceeded for the managed environment.","body":"ContainerAppSystemLogs_CL\r\n| where Log_s contains \"Maximum Allowed Cores exceeded\"","tags":{"Topic":["Troubleshooting"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.app/managedenvironments"]}},{"id":"cbb070f5-c424-41ff-96ab-f3e6e31e18f2","displayName":"Storage Mount Failed","description":"Provides logs specifically related to storage mount failures.","body":"ContainerAppSystemLogs_CL\r\n| where Reason_s contains \"FailedMount\"\r\n| top 100","tags":{"Topic":["Troubleshooting"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.app/managedenvironments"]}},{"id":"cf1dc664-075c-4fb6-962c-0280edb652a0","displayName":"Pending infrastructure ready","description":"Provides logs for replicas that are pending allocation because the infrastructure is not ready. This is usually caused by a dedicated node being scaled.","body":"ContainerAppSystemLogs_CL\r\n| where Log_s contains \"Waiting for infrastructure to be ready\"\r\n| project Message=Log_s, Time=TimeGenerated, EnvName=EnvironmentName_s, AppName=ContainerAppName_s, Revision=RevisionName_s\r\n| take 100\r\n| sort by Time desc","tags":{"Topic":["Troubleshooting"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.app/managedenvironments"]}},{"id":"8dbbc541-1c2b-4985-8e5c-fbb3e908bd0d","displayName":"Latest HTTP requests","description":"Displays the 100 most recent HTTP requests handled by the Container App Environment ingress. 
This will help you quickly review recent ingress traffic.","body":"ContainerAppHTTPLogs\r\n| order by TimeGenerated desc\r\n| top 100 by TimeGenerated\r\n","tags":{"Topic":["Troubleshooting"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.app/managedenvironments"]}},{"id":"5c9510de-ae67-4f1d-afa8-97d8e458182c","displayName":"HTTP requests with non-success status codes","description":"Provides HTTP requests that returned a non-success status code, which can indicate application errors or upstream connectivity issues.","body":"ContainerAppHTTPLogs\r\n| where StatusCode >= 400\r\n| project Time=TimeGenerated, StatusCode, Method, Path, Details=ResponseCodeDetails, EnvName=EnvironmentName, AppName=ContainerAppName, Revision=RevisionName\r\n| top 100 by Time desc\r\n","tags":{"Topic":["Troubleshooting"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.app/managedenvironments"]}},{"id":"9bc303aa-0156-42d0-a4ea-5795de314b01","displayName":"HTTP response code distribution","description":"Summarizes HTTP requests by response status code, ordered by count.","body":"ContainerAppHTTPLogs\r\n| summarize Count = count() by StatusCode\r\n| order by Count desc\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.app/managedenvironments"]}},{"id":"d42180dc-be37-4b53-9c02-302848dfff5f","displayName":"CIEventsAudit - API response codes line chart","description":"Line chart showing the average request response duration per operation.","body":"CIEventsAudit\r\n| summarize DurationMs = avg(DurationMs) by bin(TimeGenerated, 5m), OperationName\r\n| render 
timechart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.d365customerinsights/instances"],"tables":["CIEventsAudit"]}},{"id":"6fabff7b-d466-43a6-b5e4-e91acd00a155","displayName":"CIEventsOperational - event type ApiEvent","description":"Gets a list of operational events with eventType as APIEvent.","body":"CIEventsOperational\r\n| where EventType has \"ApiEvent\"\r\n| sort by TimeGenerated desc\r\n| limit 100 // You can adjust the limit value to the number of logs you would like to retrieve.","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.d365customerinsights/instances"],"tables":["CIEventsOperational"]}},{"id":"5de254d1-fd54-4468-a243-6756670c51ca","displayName":"CIEventsOperational - event type WorkflowEvent","description":"Gets a list of operational events with eventType as WorkflowEvent.","body":"CIEventsOperational\r\n| where EventType has \"WorkflowEvent\"\r\n| sort by TimeGenerated desc\r\n| limit 100 // You can adjust the limit value to the number of logs you would like to retrieve.","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.d365customerinsights/instances"],"tables":["CIEventsOperational"]}},{"id":"c72b0389-6dc7-40de-9e90-ce5ade614d46","displayName":"CIEventsAudit - result type ClientError","description":"Gets a list of operational events request that finished with result type ClientError: HTTP status code MinQueryExecutionThresholdInMilliseconds\r\n| project\r\n StartTime,\r\n EndTime,\r\n QueryId,\r\n PlanId,\r\n QueryType,\r\n UserId,\r\n DatabaseId,\r\n MeanExecDurationMs,\r\n MaxExecDurationMs,\r\n Calls,\r\n Rows\r\n| order by MeanExecDurationMs desc, QueryId asc\r\n| limit 
100","tags":{"Topic":["Usage","Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"tables":["PGSQLQueryStoreRuntime"]}},{"id":"bd908e0d-680a-40b9-88c2-b7fedf053c96","displayName":"Slowest queries","description":"Identify top 10 slowest queries by mean execution time.","body":"// PlanId is captured only if pg_qs.store_query_plans=ON\r\nPGSQLQueryStoreRuntime\r\n| where IsSystemQuery==false //excludes azure managed user\r\n| summarize AvgMeanExecDuration=avg(MeanExecDurationMs),MaxExecDuration=max(MaxExecDurationMs) by QueryId, PlanId, QueryType, UserId, DatabaseId\r\n| top 10 by AvgMeanExecDuration desc","tags":{"Topic":["Usage","Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"tables":["PGSQLQueryStoreRuntime"]}},{"id":"98ce5af3-de4d-45ac-91dc-b8a42f9bd2a4","displayName":"Query counts","description":"Identify the execution counts trend of all queries.","body":"// By default, entries are aggregated in QueryStore every 15 mins (see pg_qs.interval_length_minutes)\r\n// AgregationWindow was set to 15min, but you may modify it based on your needs, however should not be less than pg_qs.interval_length_minutes. 
\r\nlet AgregationWindow=15m;\r\nPGSQLQueryStoreRuntime\r\n| where IsSystemQuery==false //excludes azure managed user\r\n| summarize sum(Calls) by bin(EndTime,AgregationWindow)\r\n| render columnchart","tags":{"Topic":["Usage","Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"tables":["PGSQLQueryStoreRuntime"]}},{"id":"f749c7ac-5407-4926-a42f-b8c684d6b169","displayName":"Wait event trends","description":"Display wait event trends over time for all queries.","body":"// By default, entries are aggregated in QueryStore Wait Sampling every 15 mins (see pg_qs.interval_length_minutes)\r\n// AgregationWindow was set to 15min, but you may modify it based on your needs, however should not be less than pg_qs.interval_length_minutes. \r\nlet AgregationWindow=15m;\r\nPGSQLQueryStoreWaits\r\n| where UserId !in (10,0) //excludes azure managed user and system calls\r\n| where QueryId != 0 //excludes system calls, background workers and idle sessions\r\n| project StartTime,EndTime, UserId, DatabaseId, QueryId, Calls, EventType, Event\r\n| extend WaitEvent = iff(isempty(EventType), 'No Waits', strcat(EventType, \": \", Event))\r\n| summarize sum(Calls) by WaitEvent, bin(EndTime,AgregationWindow)\r\n| render columnchart","tags":{"Topic":["Usage","Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"tables":["PGSQLQueryStoreWaits"]}},{"id":"6cba4bad-1a95-4970-9fc6-1a5f6936187b","displayName":"Top wait events","description":"Identify top 10 wait events by queries.","body":"// By default, entries are aggregated in QueryStore Wait Sampling every 15 mins (see pg_qs.interval_length_minutes)\r\n// AgregationWindow was set to 15min, but you may modify it based on your needs, however should not be less than pg_qs.interval_length_minutes. 
\r\nlet AgregationWindow=15m;\r\nPGSQLQueryStoreWaits\r\n| where UserId !in (10,0) //excludes azure managed user and system calls\r\n| where QueryId != 0 // excludes system calls, background workers and idle sessions\r\n| summarize sumSampledCalls=sum(Calls) by EventType, Event, QueryId, bin(EndTime,AgregationWindow)\r\n| extend WaitEvent = iff(isempty(EventType), 'No Waits', strcat(EventType, \": \", Event))\r\n| top 10 by sumSampledCalls desc ","tags":{"Topic":["Usage","Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"tables":["PGSQLQueryStoreWaits"]}},{"id":"c5ec4e2d-c7b3-42c3-9150-6ec344d62ee3","displayName":"Bloat ratio","description":"Summary of the current bloat ratio per database.","body":"// If required to get the snapshot on a certain date and time just filter on TimeGenerated column, like:\r\n// where TimeGenerated between (datetime('2023-03-01 16:00') .. datetime('2023-03-01 19:00'))\r\nPGSQLAutovacuumStats\r\n| extend ts=bin(TimeGenerated,5m)\r\n| summarize arg_max(ts,LiveRowsCount,DeadRowsCount) by DatabaseName, SchemaName\r\n| where DatabaseName !in ('azure_maintenance', 'azure_sys') //exclude system database\r\n| where SchemaName !in ('pg_catalog','information_schema', 'pg_toast') //exclude system schemas\r\n| summarize TotalLiveRows=sum(LiveRowsCount), TotalDeadRows=sum(DeadRowsCount) by DatabaseName\r\n| extend BloatRatio=toreal(TotalDeadRows)/toreal(TotalLiveRows)*100\r\n| extend BloatRatio = iff( isnan(BloatRatio), 0.0, BloatRatio)\r\n| project DatabaseName,TotalLiveRows,TotalDeadRows, BloatRatio\r\n| order by BloatRatio desc ","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"tables":["PGSQLAutovacuumStats"]}},{"id":"73917797-b07e-495f-874e-337d5c089123","displayName":"Vacuum statistics","description":"Summary of 
total tables that were vacuumed per database.","body":"// If required to get the snapshot on a certain date and time just filter on TimeGenerated column, like:\r\n// where TimeGenerated between (datetime('2023-03-01 16:00') .. datetime('2023-03-01 19:00'))\r\nPGSQLAutovacuumStats\r\n| extend ts=bin(TimeGenerated,5m)\r\n| summarize arg_max(ts,TablesCount,TablesVacuumedCount,TablesAutovacuumedCount) by DatabaseName, SchemaName\r\n| where DatabaseName !in ('azure_maintenance', 'azure_sys') //exclude system database\r\n| where SchemaName !in ('pg_catalog','information_schema', 'pg_toast') //exclude system schemas\r\n| summarize TotalTables=sum(TablesCount), TablesVaccumed=sum(TablesVacuumedCount), TablesAutoVaccumed=sum(TablesAutovacuumedCount) by DatabaseName\r\n| order by TotalTables desc ","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"tables":["PGSQLAutovacuumStats"]}},{"id":"3412a5f6-4520-4ac5-bd10-6b137a30845e","displayName":"Analyze statistics","description":"Summary of total tables that were analyzed per database.","body":"// If required to get the snapshot on a certain date and time just filter on TimeGenerated column, like:\r\n// where TimeGenerated between (datetime('2023-03-01 16:00') .. 
datetime('2023-03-01 19:00'))\r\nPGSQLAutovacuumStats\r\n| extend ts=bin(TimeGenerated,5m)\r\n| summarize arg_max(ts,TablesCount,TablesAnalyzedCount,TablesAutoanalyzedCount) by DatabaseName, SchemaName\r\n| where DatabaseName !in ('azure_maintenance', 'azure_sys') //exclude system database\r\n| where SchemaName !in ('pg_catalog','information_schema', 'pg_toast') //exclude system schemas\r\n| summarize TotalTables=sum(TablesCount), TablesAnalyzed=sum(TablesAnalyzedCount), TablesAutoAnalyzed=sum(TablesAutoanalyzedCount) by DatabaseName\r\n| order by TotalTables desc ","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"tables":["PGSQLAutovacuumStats"]}},{"id":"f88e66dd-2057-47d3-9758-3aab93c7602a","displayName":"Error Logs","description":"Latest 100 PgBouncer log entries whose message contains 'error' or 'fatal'.","body":"PGSQLPgBouncer\r\n| where Message contains 'error' or Message contains 'fatal'\r\n| order by TimeGenerated desc\r\n| take 100","tags":{"Topic":["Diagnostics","Errors"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"tables":["PGSQLPgBouncer"]}},{"id":"44a38a05-1147-4795-bd5e-fa808308375f","displayName":"Failed actions query","description":"Summarizes, per day and per operation name, the number of operations that returned an HTTP status code of 400 or higher.","body":"DevCenterDiagnosticLogs\r\n| where toint(ResponseCode) >= 400 \r\n| extend _date = bin(TimeGenerated, 1d)\r\n| summarize failureCount = count() by OperationName, _date\r\n| sort by _date desc","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.devcenter/devcenters"],"tables":["DevCenterDiagnosticLogs"]}},{"id":"51e6c592-e4f1-d373-e927-aab82f9c1044","displayName":"Hibernate Unsupported Check","description":"Returns the number of occurrences of each type of ineligibility check for hibernate on 
dev boxes.","body":"DevCenterResourceLifecycleLogs\r\n| where OperationName == \"HibernateSupportStatusCheck\"\r\n| extend Date = bin(TimeGenerated, 6h)\r\n| summarize unsupportedCount = count() by Message, Date\r\n| sort by Date desc","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.devcenter/devcenters"],"tables":["DevCenterResourceOperationLogs"]}},{"id":"25f8bafd-7cf8-4eb9-a10b-b8e23442f666","displayName":"DevCenter - DevBox storage and compute usage breakdown by dev box","description":"Get the total storage and compute units for a given month.","body":"let startSearchTime = startofmonth(now());\r\nlet endSearchTime = startofmonth(now(), 1); // The second parameter represents the number of months to offset from the input date.\r\nDevCenterBillingEventLogs \r\n| where OperationName == \"DevBoxUsage\"\r\n and StartTime >= startSearchTime \r\n and StartTime = startSearchTime \r\n and StartTime = 24 * 60 * 60\r\n| project\r\n TimeGenerated\r\n ,EventName\r\n ,ExperimentationGroup = Properties.ExperimentationGroup\r\n ,AnalysisType = Properties.AnalysisType\r\n| sort by TimeGenerated desc\r\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.experimentation/experimentworkspaces"],"tables":["AEWComputePipelinesLogs"]}},{"id":"8abfa818-c87f-81c7-99ef-fa38d0c750b3","displayName":"AEWComputePipelinesLogs get task E2E latency time","description":"Get task E2E latency time of compute pipelines records in selected time range.","body":"AEWComputePipelinesLogs\r\n| where EventName =~ \"ScorecardRequestSucceeded\" or EventName =~ \"ScorecardRequestFailed\"\r\n| where Properties.ExperimentationGroup =~ \"test~ExperimentationGroup\"\r\n| summarize\r\n ScorecardRequestTimeInHoursP99 = percentile(todouble(Properties.ScorecardProcessingInSeconds) / 60 / 60, 
99)\r\n ,ScorecardRequestTimeInHoursAvg = avg(todouble(Properties.ScorecardProcessingInSeconds) / 60 / 60)\r\n by Date = bin(TimeGenerated, 1d), ExperimentationGroup = tostring(Properties.ExperimentationGroup)\r\n| sort by Date, ExperimentationGroup","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.experimentation/experimentworkspaces"],"tables":["AEWComputePipelinesLogs"]}},{"id":"bcec51fd-9e72-40a8-b01b-6d3fd16e0fb6","displayName":"Variant assignment counts by features","description":"List the total number of assignments for each variant in feature allocations.","body":"// Variant assignment counts by features\r\nAEWExperimentAssignmentSummary\r\n| summarize\r\n IsControlVariant = take_any(IsControlVariant),\r\n AllocationPercentage = take_any(AllocationPercentage),\r\n AssignmentEventCount = sum(AssignmentEventCount),\r\n EarliestAssignment = min(MinTimeGenerated),\r\n LatestAssignment = max(MaxTimeGenerated)\r\n by FeatureName, AllocationId, Variant\r\n| order by FeatureName asc, LatestAssignment desc, Variant asc","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.experimentation/experimentworkspaces"],"tables":["AEWExperimentAssignmentSummary"]}},{"id":"967eb9bf-2d91-4a86-8115-18ee8b458d0e","displayName":"Latest scorecard metadata for a given feature","description":"Query the latest experimentscorecard metadata for a given feature.","body":"// Latest scorecard metadata for a given feature\r\n// set the feature flag name to query\r\nlet QueryFeature = \"MyFeatureFlag\";\r\nAEWExperimentAssignmentSummary\r\n| where FeatureName == QueryFeature\r\n| summarize MaxTimeGenerated=max(MaxTimeGenerated), Variants=make_set(Variant, 1000) by AllocationId\r\n| summarize arg_max(MaxTimeGenerated, *)\r\n| join kind=inner 
AEWExperimentScorecards on AllocationId\r\n| summarize arg_max(TimeGenerated, ScorecardId)\r\n| project\r\n FeatureName, AllocationId, Variants,\r\n ScorecardId, AnalysisStartTime, AnalysisEndTime, Insights","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.experimentation/experimentworkspaces"],"tables":["AEWExperimentAssignmentSummary","AEWExperimentScorecards"]}},{"id":"7f870b0a-b457-4221-a739-20bf3ece31f3","displayName":"Latest scorecard results for a given feature","description":"Query the latest experiment scorecard result for a given feature.","body":"// Latest scorecard results for a given feature\r\n// set the feature flag name to query\r\nlet QueryFeature = \"MyFeatureFlag\";\r\nAEWExperimentAssignmentSummary\r\n| where FeatureName == QueryFeature\r\n| summarize arg_max(MaxTimeGenerated, AllocationId)\r\n| join kind=inner AEWExperimentScorecards on AllocationId\r\n| summarize arg_max(TimeGenerated, ScorecardId)\r\n| join kind=inner AEWExperimentScorecardMetricPairs on ScorecardId\r\n| project\r\n ScorecardId, MetricId, MetricDisplayName, MetricKind, MetricTags,\r\n TreatmentVariant, TreatmentCount, TreatmentMetricValue,\r\n ControlVariant, ControlCount, ControlMetricValue,\r\n TreatmentEffect, RelativeDifference, PValue, Insights","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.experimentation/experimentworkspaces"],"tables":["AEWExperimentAssignmentSummary","AEWExperimentScorecards","AEWExperimentScorecardMetricPairs"]}},{"id":"0672f0f4-b973-486e-8f05-25f93f3799cb","displayName":"High risk users","description":"Gets up to 100 users whose risk level is high, whose risk state is still atRisk, and whose risk was last updated in the last day. No ordering is applied before the limit, so the result is a sample rather than a ranked top-N.","body":"AADRiskyUsers\r\n| where RiskLastUpdatedDateTime > ago(1d)\r\n| where RiskLevel == \"high\"\r\n| where RiskState == 
\"atRisk\"\r\n| take 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.aadiam/tenants"],"tables":["AADRiskyUsers"]}},{"id":"d6cf92b1-3b52-4b8b-b5c6-c4c1a0d657ee","displayName":"Recent user risk events","description":"Gets up to 100 user risk events detected in the last day that are still in the atRisk state. No ordering is applied before the limit, so the result is a sample rather than a ranked top-N.","body":"AADUserRiskEvents\r\n| where DetectedDateTime > ago(1d)\r\n| where RiskState == \"atRisk\"\r\n| take 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.aadiam/tenants"],"tables":["AADUserRiskEvents"]}},{"id":"e16559ad-9ff2-418b-b194-8bccf6fb184c","displayName":"Active service principal risk detections","description":"Gets the active service principal risk detections: the most recently updated record per RequestId and ServicePrincipalId, keeping only those still in the atRisk state.","body":"AADServicePrincipalRiskEvents\r\n| summarize arg_max(LastUpdatedDateTime, *) by RequestId, ServicePrincipalId\r\n| where RiskState == \"atRisk\"","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.aadiam/tenants"],"tables":["AADServicePrincipalRiskEvents"]}},{"id":"cdeed2a7-e6b7-4e08-bd8e-a7d9d6ec08a8","displayName":"Active user risk detections","description":"Gets the active user risk detections: the most recently updated record per RequestId and UserId, keeping only those still in the atRisk state.","body":"AADUserRiskEvents\r\n| summarize arg_max(LastUpdatedDateTime, *) by RequestId, UserId\r\n| where RiskState == \"atRisk\"","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.aadiam/tenants"],"tables":["AADUserRiskEvents"]}},{"id":"6b26cc79-2a2f-4d29-9caa-bd14690e53ed","displayName":"Most active service principals","description":"Gets list of top 100 most active service principals for the last 
day.","body":"AADServicePrincipalSignInLogs\r\n| where TimeGenerated > ago(1d)\r\n| summarize CountPerServicePrincipal = count() by ServicePrincipalId\r\n| order by CountPerServicePrincipal desc\r\n| take 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.aadiam/tenants"],"tables":["AADServicePrincipalSignInLogs"]}},{"id":"29ccaaf9-d25b-4aec-8b2b-3047a16516f9","displayName":"Inactive service principals","description":"Service principals that had no sign-ins for the last 30d.","body":"AADServicePrincipalSignInLogs\r\n| where TimeGenerated > ago(90d)\r\n| where ResultType == 0\r\n| summarize LastSignIn = max(TimeGenerated) by ServicePrincipalId\r\n| where LastSignIn ago(1d)\r\n| extend City = parse_json(LocationDetails).city\r\n| summarize CountPerCity = dcount(tostring(City)) by UserId\r\n| where CountPerCity > 1\r\n| order by CountPerCity desc","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.aadiam/tenants"],"tables":["AADNonInteractiveUserSignInLogs"]}},{"id":"000c3177-e775-4c3b-8425-c346af81389d","displayName":"Most active ip addresses","description":"Get list of top 100 most active IP addresses for the last day.","body":"AADNonInteractiveUserSignInLogs\r\n| where TimeGenerated > ago(1d)\r\n| summarize CountPerIPAddress = count() by IPAddress\r\n| order by CountPerIPAddress desc\r\n| take 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.aadiam/tenants"],"tables":["AADNonInteractiveUserSignInLogs"]}},{"id":"d02256eb-1eae-46e9-b63b-4e389f6ce0ae","displayName":"Most active managed identities","description":"Gets list of top 100 most active managed identities for the last 
day.","body":"AADManagedIdentitySignInLogs\r\n| where TimeGenerated > ago(1d)\r\n| summarize CountPerManagedIdentity = count() by ServicePrincipalId\r\n| order by CountPerManagedIdentity desc\r\n| take 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.aadiam/tenants"],"tables":["AADManagedIdentitySignInLogs"]}},{"id":"ae89676f-3dbe-495a-a5e6-b9673afe98ca","displayName":"Provisioning actions for the last week","description":"Shows the number of successful provisioning actions in the past 7 days, broken down by identity type (for example users and groups) and by action (create, update, disable, delete).","body":"AADProvisioningLogs\r\n| where TimeGenerated > ago(7d)\r\n| where ResultType == \"Success\"\r\n| parse SourceIdentity with * \"\\\"identityType\\\":\\\"\" Type \"\\\"\" *\r\n| extend Type = tolower(Type)\r\n| summarize count() by Type, Action\r\n| order by Type, Action","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.aadiam/tenants"],"tables":["AADProvisioningLogs"]}},{"id":"58719d71-dd9e-4c0c-9405-2e3d5a47f10a","displayName":"Provisioning errors","description":"Shows, for each error code (ResultSignature), the number of failed provisioning events and when each error was last seen. The query applies no time filter of its own, so it covers the selected time range.","body":"AADProvisioningLogs\r\n| where ResultType == \"Failure\"\r\n| summarize Occurrences=count(), LastSeen=max(TimeGenerated) by ResultSignature\r\n| order by LastSeen","tags":{"Topic":["Audit","Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.aadiam/tenants"],"tables":["AADProvisioningLogs"]}},{"id":"f3b8ad66-b178-49bf-b165-31c2896c406b","displayName":"Provisioned objects by day","description":"Summarizes the number of objects successfully created per day over the past 7 days, broken down by identity type.","body":"AADProvisioningLogs\r\n| where TimeGenerated > ago(7d)\r\n| where ResultType == \"Success\"\r\n| where Action == 
\"Create\"\r\n| parse SourceIdentity with * \"\\\"identityType\\\":\\\"\" Type \"\\\"\" *\r\n| extend Type = tolower(Type)\r\n| summarize count() by Type, bin(TimeGenerated, 1d)\r\n| render columnchart","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.aadiam/tenants"],"tables":["AADProvisioningLogs"]}},{"id":"9e1062d5-b526-42d0-9d46-80ec8604da4d","displayName":"Top ADFS account lockouts","description":"Returns top 10 IP addresses by number of lockouts.","body":"ADFSSignInLogs\r\n| where TimeGenerated > ago(7d)\r\n| extend errorCode = toint(parse_json(Status).errorCode)\r\n| where errorCode == 300300\r\n| summarize Lockouts = count() by IPAddress\r\n| top 10 by Lockouts","tags":{"Topic":["Audit","Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.aadiam/tenants"],"tables":["ADFSSignInLogs"]}},{"id":"62ae5228-928d-4ef8-a383-3d3793dec41c","displayName":"User's custom security attribute audits","description":"Returns custom security attribute audit logs for a specific user.","body":"AADCustomSecurityAttributeAuditLogs\r\n| extend targetUPN = parse_json(TargetResources)[0].userPrincipalName\r\n| where targetUPN == 'CSALogTester@tenant.com'\r\n| limit 100","tags":{"Topic":["Audit","Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.aadiam/tenants"],"tables":["AADCustomSecurityAttributeAuditLogs"]}},{"id":"c8f597f3-9251-468a-86b3-d94ed8ea996d","displayName":"Count heartbeats","description":"Count all computers heartbeats from the last hour.","body":"// Count computers heartbeats in the last hour. 
\r\n// Normally, agents on VMs generate Heartbeat event every minute.\r\nHeartbeat\r\n| where TimeGenerated > ago(1h)\r\n| summarize count() by Computer","tags":{"Topic":["Availability"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.compute/virtualmachines"],"tables":["Heartbeat"]}},{"id":"bdbc27e8-3f5d-4981-9050-5ed7f63615a8","displayName":"Last heartbeat of each computer","description":"Show the last heartbeat sent by each computer.","body":"// Last heartbeat of each computer \r\n// Show the last heartbeat sent by each computer. \r\nHeartbeat\r\n| summarize arg_max(TimeGenerated, *) by Computer","tags":{"Topic":["Availability"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.compute/virtualmachines"],"tables":["Heartbeat"]}},{"id":"ba8b1839-7334-11ea-bed0-c8348e02520c","displayName":"Ingestion latency (end-to-end) spikes - Heartbeat table","description":"Check for latency spikes in the ingestion of Heartbeats in the last 24 hours.","body":"// Ingestion latency (end-to-end) spikes - Heartbeat table \r\n// Check for latency spikes in the ingestion of Heartbeats in the last 24 hour. \r\n// This query calculates ingestion duration every 10 minutes, and looks for spikes\r\nlet StartTime = ago(24h);\r\nlet EndTime = now();\r\nlet MinRSquare = 0.9; // Tune the sensitivity of the detection sensor. Higher numbers make the detector more sensitive\r\nHeartbeat\r\n| where TimeGenerated between (StartTime .. 
EndTime)\r\n// calculate ingestion duration in seconds\r\n| extend IngestionDurationSeconds = (ingestion_time()-TimeGenerated)/1s\r\n// Create a time series\r\n| make-series RatioSeries=avg(IngestionDurationSeconds) default=0 on TimeGenerated in range(StartTime , EndTime,10m)\r\n// Apply a 2-line regression to the time series\r\n| extend (RSquare2, SplitIdx, Variance2, RVariance2, LineFit2) = series_fit_2lines(RatioSeries)\r\n// Find out if our 2-line is trending up or down\r\n|extend (Slope, Interception, RSquare, Variance, RVariance, LineFit) = series_fit_line(LineFit2)\r\n// Check whether the line fit reaches the threshold, and if the spike represents an increase (rather than a decrease)\r\n| project PatternMatch = iff(RSquare2 > MinRSquare and Slope>0, \"Spike detected\", \"No spike\")\r\n","tags":{"Topic":["Health"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.compute/virtualmachines"],"tables":["Heartbeat"]}},{"id":"ba8e256b-7334-11ea-99d3-c8348e02520c","displayName":"Agent latency spikes - Heartbeat table","description":"Check for agent latency spikes in the ingestion of Heartbeats in the last 24 hours.","body":"// Agent latency spikes - Heartbeat table \r\n// Check for agent latency spikes in the ingestion of Heartbeats in the last 24 hour. \r\n// This query calculates ingestion duration every 10 minutes, and looks for spikes\r\nlet StartTime = ago(24h);\r\nlet EndTime = now();\r\nlet MinRSquare = 0.9; // Tune the sensitivity of the detection sensor. Higher numbers make the detector more sensitive\r\nHeartbeat\r\n| where TimeGenerated between (StartTime .. 
EndTime)\r\n// calculate ingestion duration in seconds\r\n| extend AgentLatencySeconds = (_TimeReceived-TimeGenerated)/1s\r\n// Create a time series\r\n| make-series RatioSeries=avg(AgentLatencySeconds) default=0 on TimeGenerated in range(StartTime , EndTime,10m)\r\n// Apply a 2-line regression to the time series\r\n| extend (RSquare2, SplitIdx, Variance2, RVariance2, LineFit2) = series_fit_2lines(RatioSeries)\r\n// Find out if our 2-line is trending up or down\r\n|extend (Slope, Interception, RSquare, Variance, RVariance, LineFit) = series_fit_line(LineFit2)\r\n// Check whether the line fit reaches the threshold, and if the spike represents an increase (rather than a decrease)\r\n| project PatternMatch = iff(RSquare2 > MinRSquare and Slope>0, \"Spike detected\", \"No spike\")","tags":{"Topic":["Health"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.compute/virtualmachines"],"tables":["Heartbeat"]}},{"id":"35883956-d397-42e6-a820-01eaceb11471","displayName":"Recently stopped heartbeats - Heartbeat table","description":"Lists resources that stopped sending heartbeats in past 15 minutes.","body":"// Resources, which stopped sending heartbeats in last 15 minutes\r\nHeartbeat\r\n| summarize LastReported=now()-max(TimeGenerated) by ResourceGroup, Resource, ResourceType \r\n// Assuming that heartbeats are sent at least every minute we are looking at 1-15 minute interval\r\n| where LastReported between(1m..15m)","tags":{"Topic":["Health"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.compute/virtualmachines"],"tables":["Heartbeat"]}},{"id":"89e77e30-828d-4e3d-96a2-d28befa4275b","displayName":"Most Requested ResourceIds","description":"Most queried resources over the last 24 hours.","body":"LAQueryLogs\r\n| extend reqContext = parse_json(RequestContext)\r\n| extend datasources = 
array_concat(reqContext[\"resources\"], reqContext[\"workspaces\"], reqContext[\"applications\"])\r\n| mv-expand datasources\r\n| summarize reqCount = count() by tostring(datasources)\r\n| order by reqCount desc","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"tables":["LAQueryLogs"]}},{"id":"c6eb80df-d93e-451d-8a78-500adeb829ca","displayName":"Unauthorized Users","description":"Get the callers (by AADObjectId) whose queries were rejected with HTTP 403, with their request count. The query applies no time filter of its own, so it covers the selected time range rather than a fixed 24 hours. A high 403 count from a single identity can indicate an identity probing for data it is not permitted to read and is worth investigating.","body":"LAQueryLogs\r\n| where ResponseCode == \"403\"\r\n| summarize reqCount = count() by AADObjectId\r\n| order by reqCount desc","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"tables":["LAQueryLogs"]}},{"id":"4a4819f6-4d4f-4c1e-8f9f-445c957af054","displayName":"Throttled Users","description":"Get the callers (by AADObjectId) whose queries were throttled with HTTP 429, with their request count. The query applies no time filter of its own, so it covers the selected time range rather than a fixed 24 hours.","body":"LAQueryLogs\r\n| where ResponseCode == \"429\"\r\n| summarize reqCount = count() by AADObjectId\r\n| order by reqCount desc","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"tables":["LAQueryLogs"]}},{"id":"78b49d99-ccb7-4791-ba0c-73fbf2104daa","displayName":"Request Count by ResponseCode","description":"Request count by response code within 1 min buckets in last 1 hour.","body":"LAQueryLogs\r\n| where TimeGenerated > ago(1h)\r\n| summarize count() by tostring(ResponseCode), bin(TimeGenerated, 1m)\r\n| render columnchart with 
(kind=stacked)","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"tables":["LAQueryLogs"]}},{"id":"9edff33b-7951-4601-a50b-1da5fea7a127","displayName":"Top 10 resource intensive queries","description":"Get the top 10 most resource intensive queries (by CPU time, StatsCPUTimeMs). The query applies no time filter of its own, so it covers the selected time range rather than a fixed 24 hours.","body":"LAQueryLogs\r\n| top 10 by StatsCPUTimeMs desc nulls last ","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"tables":["LAQueryLogs"]}},{"id":"3b374e0c-6e5c-4367-88a8-10d265ce5e42","displayName":"Top 10 longest time range queries","description":"Get the top 10 queries that scanned the longest data time range (StatsDataProcessedEnd - StatsDataProcessedStart). The query applies no time filter of its own, so it covers the selected time range rather than a fixed 24 hours. Note that the ordering is on the zero-padded formatted string from format_timespan rather than on the raw timespan, so it sorts lexically; if exact ordering matters (for example ranges of 100 days or more), sort on the timespan itself instead.","body":"LAQueryLogs\r\n| extend DataProcessedTimeRange = format_timespan(StatsDataProcessedEnd - StatsDataProcessedStart, 'dd.hh:mm:ss:FF')\r\n| top 10 by DataProcessedTimeRange desc nulls last ","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"tables":["LAQueryLogs"]}},{"id":"323226e0-df9e-4287-92aa-3795cf8a964e","displayName":"Bin Rules Query Duration","description":"Get a list of bin rules with their query duration.","body":"LASummaryLogs\r\n| summarize QueryDurationInSeconds = sum(QueryDurationMs)/1000 by RuleName, BinStartTime\r\n| sort by QueryDurationInSeconds desc","tags":{"Topic":["SummaryLogs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"tables":["LASummaryLogs"]}},{"id":"38d33331-aba2-43f7-92c5-c527123edbf6","displayName":"Failed 
jobs","description":"List failed jobs with details.","body":"LAJobLogs\r\n| where Status == 'Failed'\r\n| project EndTime=TimeGenerated, JobId, CorrelationId, SourceTable, Destination\r\n| sort by EndTime desc","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"tables":["LAJobLogs"]}},{"id":"bd465c3f-0a2c-4ab7-ad8b-43b616528363","displayName":"Jobs in progress","description":"List jobs in progress with details.","body":"LAJobLogs\r\n| summarize count(), StartTime=min(TimeGenerated) by JobId, CorrelationId, SourceTable, tostring(Destination)\r\n| where count_ == 1\r\n| project StartTime, JobId, CorrelationId, SourceTable, Destination=parse_json(Destination)\r\n| sort by StartTime desc","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"tables":["LAJobLogs"]}},{"id":"a5c31bf6-314c-4c77-9144-eacc566de521","displayName":"Online endpoint console logs","description":"Get latest 100 online endpoint console log records.","body":"AmlOnlineEndpointConsoleLog\r\n| parse kind=regex flags=i _ResourceId with \".*?/RESOURCEGROUPS/\" ResourceGroup \"/PROVIDERS/MICROSOFT.MACHINELEARNINGSERVICES/WORKSPACES/\" Workspace \"/ONLINEENDPOINTS/\" EndpointName\r\n| project\r\n TimeGenerated,\r\n Subscription = _SubscriptionId,\r\n ResourceGroup,\r\n Workspace,\r\n EndpointName,\r\n DeploymentName,\r\n InstanceId,\r\n ContainerName,\r\n ContainerImageName,\r\n Message\r\n| top 100 by 
TimeGenerated","tags":{"Topic":["Workloads"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.machinelearningservices/workspaces"],"tables":["AmlOnlineEndpointConsoleLog"]}},{"id":"a3e072ef-5aa5-484a-9641-11485b55cb42","displayName":"Online endpoint failed requests","description":"Get the latest 100 failed inferencing requests to the online endpoint.","body":"AmlOnlineEndpointTrafficLog\r\n| where ResponseCode != \"200\" and ResponseCode != \"100\" \r\n| project\r\n TimeGenerated,\r\n Location,\r\n OperationName,\r\n Method,\r\n Path,\r\n Subscription = _SubscriptionId,\r\n AzureMLWorkspaceId,\r\n EndpointName,\r\n DeploymentName,\r\n Protocol,\r\n ResponseCode,\r\n ResponseCodeReason,\r\n ModelStatusCode,\r\n ModelStatusReason,\r\n RequestPayloadSize,\r\n ResponsePayloadSize,\r\n UserAgent,\r\n XRequestId,\r\n XMSClientRequestId,\r\n TotalDurationMs,\r\n RequestDurationMs,\r\n ResponseDurationMs,\r\n RequestThrottlingDelayMs,\r\n ResponseThrottlingDelayMs\r\n| top 100 by TimeGenerated","tags":{"Topic":["Workloads"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.machinelearningservices/workspaces"],"tables":["AmlOnlineEndpointTrafficLog"]}},{"id":"ddc56a57-a0a1-442d-b738-a600bca740f8","displayName":"Online endpoint failure events","description":"Get the latest Azure ML online endpoints failures.","body":"AmlOnlineEndpointEventLog\r\n| where Message contains \"failed\"\r\n| parse kind=regex flags=i _ResourceId with \".*?/RESOURCEGROUPS/\" ResourceGroup \"/PROVIDERS/MICROSOFT.MACHINELEARNINGSERVICES/WORKSPACES/\" Workspace \"/ONLINEENDPOINTS/\" EndpointName\r\n| project\r\n TimeGenerated,\r\n Subscription = _SubscriptionId,\r\n ResourceGroup,\r\n Workspace,\r\n EndpointName,\r\n DeploymentName,\r\n InstanceId,\r\n Name,\r\n Message\r\n| order by TimeGenerated desc\r\n| take 
100","tags":{"Topic":["Resources"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["resources"],"resourceTypes":["microsoft.machinelearningservices/workspaces"],"tables":["AmlOnlineEndpointEventLog"]}},{"id":"efb1f6c6-6498-4eba-9f42-71ca1b4ae3ee","displayName":"All WRITE events","description":"Retrieves a list of events of WRITE.","body":"AmlRegistryWriteEventsLog\r\n| project\r\n\tTimeGenerated,\r\n\tRegistryResourceId,\r\n\tOperationType,\r\n\tUserName,\r\n\tAssetName,\r\n\tAssetVersion\r\n| top 100 by TimeGenerated","tags":{"Topic":["Usage","Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.machinelearningservices/registries"],"tables":["AmlRegistryWriteEventsLog"]}},{"id":"3d08f663-9b40-4dcb-824c-e073806d5257","displayName":"CCF application errors","description":"View the latest Confidential Consortium Framework application errors.","body":"// To create an alert for this query, click '+ New alert rule'\r\nCCFApplicationLogs\r\n| where Level == \"fail\"\r\n| sort by TimeGenerated desc\r\n| limit 100","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["applications","audit"],"resourceTypes":["microsoft.confidentialledger/managedccfs"],"tables":["CCFApplicationLogs"]}},{"id":"bdb7da24-8f5f-422d-927e-14b06c75a407","displayName":"All attack paths by specific risk level","description":"Get all attack paths with a specific risk level such as: Critical, High, Medium, and Low.","body":"SecurityAttackPathData\r\n| where RiskLevel == \"Medium\"\r\n| limit 100","properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.security/security"],"tables":["SecurityAttackPathData"]}},{"id":"5a1c1fd7-a9c7-428a-a804-64d0b46d1c18","displayName":"All file integrity monitoring events by specific 
monitored entity type","description":"Get all file integrity monitoring events with a specific monitored entity type such as: File or Registry.","body":"FileIntegrityMonitoringEvents\r\n| where MonitoredEntityType in (\"Files\", \"Registry\")\r\n| order by TimeGenerated\r\n| limit 100","properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.security/security"]}},{"id":"ca4f4032-55e0-48c9-aac1-aa14d6ff21d3","displayName":"All FIM events for directories","description":"Get all FIM events against directories of the host.","body":"MDCDetectionFimEvents\r\n| where IsDir == \"True\"\r\n| order by TimeGenerated\r\n| limit 100","properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.security/security"],"tables":["MDCDetectionFimEvents"]}},{"id":"1e4f66c0-41e2-45ff-864f-39e9d7a4f492","displayName":"All DNS events where the domain queried was 'www.google.com' ordered by time","description":"Get all DNS events where the domain queried was 'www.google.com' ordered by time.","body":"MDCDetectionDNSEvents\r\n| where Domain == \"www.google.com\"\r\n| order by TimeGenerated\r\n| limit 100","properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.security/security"],"tables":["MDCDetectionDNSEvents"]}},{"id":"1558bfb7-2aa3-49e1-8386-f4f8509e514c","displayName":"All recent Gating validation events","description":"Get all Gating validation events published in the last 24 hours.","body":"source\r\n| project\r\n\tAzureResourceId,\t\r\n Region,\r\n Action,\r\n RuleProperties,\r\n AdmissionControlVersions,\r\n\tEvaluatedResourceKind,\r\n\tEvaluatedResourceName,\r\n EvaluatedResourceParentKind,\r\n EvaluatedResourceParentName,\r\n 
EvaluatedResourceDetails,\r\n\tNamespace,\r\n\tTimeGenerated","properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.security/security"],"tables":["MDCDetectionGatingValidationEvents"]}},{"id":"8b5511d4-2df9-445f-ac8c-183615aeff4f","displayName":"Key delivery successful request count by key type","description":"Summarizes the count of successful key delivery requests by different key types.","body":"AMSKeyDeliveryRequests\r\n| where ResultType == \"Succeeded\"\r\n| summarize Count = count() by KeyType","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.media/mediaservices"],"tables":["AMSKeyDeliveryRequests"]}},{"id":"b098e967-079a-4467-898a-8568b6f96f6a","displayName":"Key delivery failed requests","description":"Lists the details of failed key delivery requests.","body":"AMSKeyDeliveryRequests\r\n| where ResultType != \"Succeeded\"\r\n| project KeyId, PolicyName, ResultSignature, StatusMessage, _ResourceId\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.media/mediaservices"],"tables":["AMSKeyDeliveryRequests"]}},{"id":"e5d93d90-7ff9-4c4d-b46f-5bc037afa284","displayName":"Key delivery requests latency at 95 and 99 percentiles","description":"Estimates the key delivery requests latency at 95th and 99th percentiles.","body":"AMSKeyDeliveryRequests\r\n| summarize percentiles(DurationMs, 95, 99)","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.media/mediaservices"],"tables":["AMSKeyDeliveryRequests"]}},{"id":"7308fa13-7b01-48d3-b9b6-8ac464ba5b3f","displayName":"Media account health events","description":"Lists 
Media account health events details.","body":"AMSMediaAccountHealth\r\n| project EventCode, EventMessage, _ResourceId\r\n| limit 100","tags":{"Topic":["Audit","Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.media/mediaservices"],"tables":["AMSMediaAccountHealth"]}},{"id":"fba0fd35-f822-4df0-bc10-2ca0d9041d63","displayName":"Live event ingest discontinuity operation count","description":"Summarizes the count of ingest discontinuities by different live events.","body":"AMSLiveEventOperations\r\n| where OperationName == \"LIVEEVENTS/INGESTDISCONTINUITY\"\r\n| summarize Count = count() by tostring(Properties.liveEventName)","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.media/mediaservices"],"tables":["AMSLiveEventOperations"]}},{"id":"ecdcd5a9-ac4e-4e24-9ce6-bcb9b2e0cfa6","displayName":"Live event error operations","description":"Lists the live event error operations.","body":"AMSLiveEventOperations\r\n| where Level == \"Error\"\r\n| project _ResourceId, OperationName\r\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.media/mediaservices"],"tables":["AMSLiveEventOperations"]}},{"id":"1b582828-0234-4b71-9949-c9e08be3bc04","displayName":"Streaming endpoint successful request count by client IP","description":"Summarizes the count of successful streaming endpoint requests by different client IPs.","body":"AMSStreamingEndpointRequests\r\n| where Status == \"200\"\r\n| summarize Count = count() by 
ClientIP","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.media/mediaservices"],"tables":["AMSStreamingEndpointRequests"]}},{"id":"3a2a2aea-8ada-497f-8ff1-e3a01c2469da","displayName":"Streaming endpoint informational requests","description":"Lists details of streaming endpoint requests with log level equal to informational.","body":"AMSStreamingEndpointRequests\r\n| where Level == \"Informational\"\r\n| project _ResourceId, ClientIP, URL\r\n| limit 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.media/mediaservices"],"tables":["AMSStreamingEndpointRequests"]}},{"id":"26e8acf3-e27d-4d7b-9718-31bda68a0b1d","displayName":"MPT access token creation requests","description":"List of requests for access token creation across all workspaces.","body":"MPTOperation\r\n| where OperationId == \"AccessToken_PUT\"\r\n| project TimeGenerated, Location, OperationId, MptWorkspaceId, CorrelationId, ResultType, DurationMs\r\n| limit 100","tags":{"Topic":["Diagnostics","Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.azureplaywrightservice/accounts"]}},{"id":"e198f4d4-6420-4506-a965-f752b002f744","displayName":"MPT access token revocation requests","description":"List of requests for access token revocation across all workspaces.","body":"MPTOperation\r\n| where OperationId == \"AccessToken_DELETE\"\r\n| project TimeGenerated, Location, OperationId, MptWorkspaceId, CorrelationId, ResultType, DurationMs\r\n| limit 
100","tags":{"Topic":["Diagnostics","Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.azureplaywrightservice/accounts"]}},{"id":"a697d547-302a-4092-a3ad-b3cb8e43c204","displayName":"Frequent users endpoint callers","description":"Gets list of apps and service principals calling users endpoint.","body":"MicrosoftGraphActivityLogs\r\n| where RequestUri has \"users\"\r\n| summarize NumRequests=count() by AppId, ServicePrincipalId, UserId\r\n| sort by NumRequests desc\r\n| limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.graph/tenants"],"tables":["MicrosoftGraphActivityLogs"]}},{"id":"a697d547-302a-4092-a3ad-b3cb8e43c205","displayName":"Failed groups endpoint requests","description":"Gets a list of failed requests to group entities, by apps and service principals.","body":"MicrosoftGraphActivityLogs\r\n| where ResponseStatusCode == 403\r\n| where RequestUri has \"groups\"\r\n| summarize UniqueRequests=dcount(RequestId) by AppId, ServicePrincipalId, UserId\r\n| sort by UniqueRequests desc\r\n| limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.graph/tenants"],"tables":["MicrosoftGraphActivityLogs"]}},{"id":"839b634d-aa61-4eeb-9826-e42b57a650dc","displayName":"Row digestion errors","description":"All logs about rows which have failed to be digested.","body":"AOIDigestion\r\n| where Message startswith_cs \"Failed to decode row\"\r\n| take 100","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"resourceTypes":["microsoft.networkanalytics/dataproducts"],"tables":["AOIDigestion"]}},{"id":"4caba217-a14b-4690-934f-d57b9ccbd1da","displayName":"Failed file digestion by 
source","description":"Breakdown of files that could not be digested by the top-level directory that they were uploaded to (typically the SiteId).","body":"AOIDigestion\r\n| where Message startswith_cs \"Failed to digest file\"\r\n| parse FilePath with Source:string \"/\" *\r\n| summarize count() by Source","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"resourceTypes":["microsoft.networkanalytics/dataproducts"],"tables":["AOIDigestion"]}},{"id":"9788de8c-73da-4b6f-b259-28f89c8f8964","displayName":"Queries executed by a user on dataproduct","description":"List all the queries run on a dataproduct by a particular user.","body":"AOIDatabaseQuery\r\n| where DatabaseName has_cs \"edrdp\" and User has_cs \"username@domain.com\"\r\n| take 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.networkanalytics/dataproducts"],"tables":["AOIDatabaseQuery"]}},{"id":"1d326b1d-b84f-475a-9ce6-78dc33d33461","displayName":"Ingestion operation on storage","description":"Lists all the ingestion operation performed on storage of a dataproduct.","body":"AOIStorage\r\n| where Category has_cs \"Ingestion\"\r\n| take 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.networkanalytics/dataproducts"],"tables":["AOIStorage"]}},{"id":"2f7096f6-093c-4c1d-bd85-b47737aa1aa7","displayName":"Delete operation on storage","description":"Lists all delete operation performed on storage of a dataproduct.","body":"AOIStorage\r\n| where Category has_cs \"IngestionDelete\"\r\n| take 
100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.networkanalytics/dataproducts"],"tables":["AOIStorage"]}},{"id":"0bd960eb-b761-4ff6-bf0e-73bc57590734","displayName":"Read operation on storage","description":"Lists all Read operation performed on storage of a dataproduct.","body":"AOIStorage\r\n| where Category has_cs \"ReadStorage\"\r\n| take 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.networkanalytics/dataproducts"],"tables":["AOIStorage"]}},{"id":"30005149-f6be-42fc-871c-65b45fbb7891","displayName":"Read operation on input storage","description":"Lists all Read operation performed on the input storage of a dataproduct.","body":"AOIStorage\r\n| where Category has_cs \"IngestionRead\"\r\n| take 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.networkanalytics/dataproducts"],"tables":["AOIStorage"]}},{"id":"30acf699-84cb-4c65-ad46-b2ad151ebc55","displayName":"Get Syslog from last day","description":"Get 100 syslog events from last day.","body":"ADGSyslogEvent\r\n| where TimeGenerated >= ago(1d)\r\n| project TimeGenerated, NVAResourceId, NVARegion, Msg\r\n| order by TimeGenerated desc\r\n| take 100","tags":{"Topic":["Performance, Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines","monitor"],"resourceTypes":["microsoft.network/networkvirtualappliances"],"tables":["ADGSyslogEvent"]}},{"id":"eff2d4f3-9a25-4a3e-9434-b1ce56ff7d8c","displayName":"Show NGINXaaS access logs","description":"A list of access logs sorted by time.","body":"NGXOperationLogs\r\n| where FilePath == 
\"/var/log/nginx/access.log\"\r\n| sort by TimeGenerated asc\r\n| take 100","properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["nginx.nginxplus/nginxdeployments"],"tables":["NGXOperationLogs"]}},{"id":"55b0b24b-dd8a-4f91-a797-2c0eae9ea440","displayName":"Show NGINXaaS error logs","description":"A list of error logs sorted by time.","body":"NGXOperationLogs\r\n| where FilePath == \"/var/log/nginx/error.log\"\r\n| sort by TimeGenerated asc\r\n| take 100","properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["nginx.nginxplus/nginxdeployments"],"tables":["NGXOperationLogs"]}},{"id":"4d51c78c-2124-4637-8fd1-0450556306bc","displayName":"Show NGINXaaS security logs","description":"A list of security logs sorted by time.","body":"NGXSecurityLogs\r\n| where FilePath == \"/var/log/nginx/security.log\"\r\n| sort by TimeGenerated asc\r\n| take 100","properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["nginx.nginxplus/nginxdeployments"],"tables":["NGXSecurityLogs"]}},{"id":"26551BF0-E908-4C30-8199-335F7CC86520","displayName":"Show NGINXaaS upstream update logs","description":"A list of upstream update logs sorted by time.","body":"NginxUpstreamUpdateLogs\r\n| sort by TimeGenerated asc\r\n| take 100","properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["nginx.nginxplus/nginxdeployments"],"tables":["NginxUpstreamUpdateLogs"]}},{"id":"a7cb524f-2347-4ed2-a9ff-3ce04cb87913","displayName":"Variant assignment counts by features","description":"List the total number of assignments for each variant in feature allocations.","body":"// Variant assignment counts by features\r\nOEWExperimentAssignmentSummary\r\n| summarize\r\n IsControlVariant = take_any(IsControlVariant),\r\n AllocationPercentage = take_any(AllocationPercentage),\r\n AssignmentEventCount = sum(AssignmentEventCount),\r\n FirstAssignmentTimestamp = 
min(FirstAssignmentTimestamp),\r\n LastAssignmentTimestamp = max(LastAssignmentTimestamp)\r\n by FeatureName, AllocationId, Variant\r\n| order by FeatureName asc, LatestAssignment desc, Variant asc","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.onlineexperimentation/workspaces"],"tables":["OEWExperimentAssignmentSummary"]}},{"id":"3964f9a7-6371-445c-924f-9efdaef758ca","displayName":"Latest scorecard metadata for a given feature","description":"Query the latest experimentscorecard metadata for a given feature.","body":"// Latest scorecard metadata for a given feature\r\n// set the feature flag name to query\r\nlet QueryFeature = \"MyFeatureFlag\";\r\nOEWExperimentAssignmentSummary\r\n| where FeatureName == QueryFeature\r\n| summarize LastAssignmentTimestamp=max(LastAssignmentTimestamp), Variants=make_set(Variant, 1000) by AllocationId\r\n| summarize arg_max(LastAssignmentTimestamp, *)\r\n| join kind=inner OEWExperimentScorecards on AllocationId\r\n| summarize arg_max(TimeGenerated, ScorecardId)\r\n| project\r\n FeatureName, AllocationId, Variants,\r\n ScorecardId, AnalysisStartTime, AnalysisEndTime, Insights","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.onlineexperimentation/workspaces"],"tables":["OEWExperimentAssignmentSummary","OEWExperimentScorecards"]}},{"id":"1e349818-951d-456b-b4b5-90dc93330b98","displayName":"Latest scorecard results for a given feature","description":"Query the latest experiment scorecard result for a given feature.","body":"// Latest scorecard results for a given feature\r\n// set the feature flag name to query\r\nlet QueryFeature = \"MyFeatureFlag\";\r\nOEWExperimentAssignmentSummary\r\n| where FeatureName == QueryFeature\r\n| summarize arg_max(LastAssignmentTimestamp, 
AllocationId)\r\n| join kind=inner OEWExperimentScorecards on AllocationId\r\n| summarize arg_max(TimeGenerated, ScorecardId)\r\n| join kind=inner OEWExperimentScorecardMetricPairs on ScorecardId\r\n| project\r\n ScorecardId, MetricId, MetricDisplayName, MetricKind, MetricTags,\r\n TreatmentVariant, TreatmentCount, TreatmentMetricValue,\r\n ControlVariant, ControlCount, ControlMetricValue,\r\n TreatmentEffect, RelativeDifference, PValue, Insights","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.onlineexperimentation/workspaces"],"tables":["OEWExperimentAssignmentSummary","OEWExperimentScorecards","OEWExperimentScorecardMetricPairs"]}},{"id":"df341dc6-ff0a-4579-b23e-d84b22419c91","displayName":"DAG type vs DAG runs summary statitics","description":"Number of DAG runs of each type of DAG type in the given time range","body":"OEPAirFlowTask\r\n| extend ResourceName = tostring(split(_ResourceId , '/')[-1])\r\n// | where ResourceName == \"\" // to filter on resourceName replace <...> and uncomment line\r\n| distinct DagName, CorrelationId // correlationId is same as runId - we have created a duplicate for consistency in search across logs of all services \r\n| sort by DagName asc\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"tables":["OEPAirFlowTask"]}},{"id":"b3e13991-72f2-4b47-aaa1-37ea6c4bcae9","displayName":"Correlation IDs of all DAG runs","description":"Correlation IDs of all the DAG runs that have occurred in the time range (for all DAG types)","body":"OEPAirFlowTask\r\n| extend ResourceName = tostring(split(_ResourceId , '/')[-1])\r\n// | where ResourceName == \"\" // to filter on resourceName replace <...> and uncomment line\r\n| distinct DagName, CorrelationId // 
correlationId is same as runId - we have created a duplicate for consistency in search across logs of all services \r\n| summarize count() by DagName\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"tables":["OEPAirFlowTask"]}},{"id":"b6e48dd7-12b6-494a-b164-52df19d45a9d","displayName":"Logs of a DAG run","description":"Retrieves logs for a particular AirFlow DAG run given the correlationId and time range.","body":"OEPAirFlowTask\r\n| extend ResourceName = tostring(split(_ResourceId , '/')[-1])\r\n// | where ResourceName == \"\" // to filter on resourceName replace <...> and uncomment line\r\n// | where CorrelationId == \"\" // to filter on correlationID replace <...> with correlationId (same as runId) - we have created a duplicate for to maintain consistency of column name across all services \r\n| project TimeGenerated, DagName, LogLevel, DagTaskName, CodePath, Content\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"tables":["OEPAirFlowTask"]}},{"id":"29adebd2-37b1-44fc-a684-422431bf0ddd","displayName":"Error logs of a DAG run","description":"Retrieves error logs for a particular AirFlow DAG run given the correlationId and time range.","body":"OEPAirFlowTask\r\n| extend ResourceName = tostring(split(_ResourceId , '/')[-1])\r\n// | where ResourceName == \"\" // to filter on resourceName replace <...> and uncomment line\r\n// | where CorrelationId == \"\" // to filter on correlationID replace <...> with correlationId (same as runId) - we have created a duplicate for to maintain consistency of column name across all services \r\n| where LogLevel == \"ERROR\"\r\n| project TimeGenerated, DagName, LogLevel, DagTaskName, CodePath, 
Content\r\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"tables":["OEPAirFlowTask"]}},{"id":"3ac59a15-04e1-4474-9b8d-8046477d177e","displayName":"Visualizing Error Response Codes","description":"Categorize log messages by HTTP response codes, filters out logs without a response code, and summarizes the count of each response code over a specified time granularity. It then renders a column chart for visualization.","body":"OEPDataplaneLogs\r\n// Categorize messages based on HTTP response codes\r\n| extend ResponseCode = case(\r\n Message has_any (\"Status=500\", \"Internal Server Error\"), \"500\",\r\n Message has_any (\"Status=401\", \"Unauthorized\"), \"401\",\r\n Message has_any (\"Status=403\", \"Forbidden\"), \"403\",\r\n Message has_any (\"Status=429\", \"RequestBodyTooLarge\"), \"429\",\r\n \"\"\r\n)\r\n// Filter out logs without a response code\r\n| where ResponseCode != \"\"\r\n// Summarize the count of each response code over a specified time range\r\n| summarize Count = count() by bin(TimeGenerated, 5m), ResponseCode\r\n// Render a column chart for visualization\r\n| render columnchart","tags":{"Topic":["Errors","Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"tables":["OEPDataplaneLogs"]}},{"id":"91d7b5a5-93b8-4a8f-8875-b5c511bc9e41","displayName":"Analyzing User Activity in Storage Logs","description":"Extract UserId values, filters logs to include only those with a UserId and belonging to the StorageLogs category, and checks for specific HTTP methods. 
It then summarizes the count of logs per user over daily intervals and renders a pie chart for visualization.","body":"OEPDataplaneLogs\r\n// Extract UserId from the Message field using a regular expression\r\n| extend UserId = extract(@\"user-id=([a-zA-Z0-9_-@.]+)\", 1, Message)\r\n// Filter out logs without a UserId\r\n| where UserId != \"\"\r\n// Filter logs to include only those in the \"StorageLogs\" category\r\n| where Category == \"StorageLogs\"\r\n// Filter logs to include only those with specific HTTP methods\r\n| where Message has_any ( \r\n \"GET\",\r\n \"POST\",\r\n \"PUT\",\r\n \"DELETE\",\r\n \"PATCH\",\r\n \"HEAD\",\r\n \"OPTIONS\" \r\n)\r\n// Summarize the count of logs per user over daily intervals\r\n| summarize Count = count() by bin(TimeGenerated, 1d), UserId\r\n// Render a pie chart for visualization\r\n| render piechart","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"tables":["OEPDataplaneLogs"]}},{"id":"7f9d3e8f-df6d-4156-93c7-0877c1000716","displayName":"Categorizing Logs by OSDU Service","description":"This KQL query summarizes the count of logs by category over the last 24 hours and renders a pie chart for visualization.","body":"OEPDataplaneLogs\r\n// Summarize the count of logs by category over the last day\r\n| summarize Count = count() by bin(TimeGenerated, 1d), Category\r\n// Render a pie chart for visualization\r\n| render piechart","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"tables":["OEPDataplaneLogs"]}},{"id":"ea5e6919-17ea-4cc9-880c-0626d5a351f3","displayName":"Visualizing User Activity","description":"Extract UserId values, filters out logs without a UserId, and summarizes the count of logs per user over the 
last 24 hours. Renders a pie chart to visualize user activity.","body":"OEPDataplaneLogs\r\n// Extract UserId from the Message field using a regular expression\r\n| extend UserId = extract(@\"user-id=([a-zA-Z0-9_-@.]+)\", 1, Message)\r\n// Filter out logs without a UserId\r\n| where UserId != \"\"\r\n// Summarize the count of logs per user over the last day\r\n| summarize Count = count() by bin(TimeGenerated, 1d), UserId\r\n// Render a pie chart to visualize user activity\r\n| render piechart","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"tables":["OEPDataplaneLogs"]}},{"id":"6e113596-c393-4745-b93f-c371d452d94f","displayName":"Visualizing Recent Activity","description":"Filters logs to the last 30 minutes, categorizes them by HTTP response codes, and counts the total number of logs and errors. It then summarizes these counts in 15-second intervals and renders a timechart for visual analysis.","body":"OEPDataplaneLogs\r\n// Filter logs to the last 30 minutes\r\n| where TimeGenerated >= ago(30m)\r\n// | extend UserId = extract(@\"user-id=([a-zA-Z0-9_-@.]+)\", 1, Message) // Uncomment if you want to only display user actions\r\n// | where notempty(UserId) //// Uncomment if you want to only display user actions\r\n// Categorize messages based on HTTP response codes\r\n| extend ResponseCode = case(\r\n Message has_any (\"Status=500\", \"Internal Server Error\"), \"500\",\r\n Message has_any (\"Status=401\", \"Unauthorized\"), \"401\",\r\n Message has_any (\"Status=403\", \"Forbidden\"), \"403\",\r\n Message has_any (\"Status=429\", \"RequestBodyTooLarge\"), \"429\",\r\n \"\"\r\n)\r\n// Mark entries as errors if they match specific response codes\r\n| extend ErrorCount = ResponseCode has_any (\"500\", \"401\", \"403\", \"429\")\r\n// Summarize total logs and errors in 15-second intervals\r\n| summarize Total = 
count(), Errors = count(ErrorCount) by bin(TimeGenerated, 15s)\r\n// Render a timechart for visual analysis\r\n| render timechart with (ysplit=axes)","tags":{"Topic":["Diagnostics","Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"tables":["OEPDataplaneLogs"]}},{"id":"394023dd-9607-44b9-8f6d-45740903d67a","displayName":"Ensuring Correlation ID Presence","description":"Ensures that each log entry has a CorrelationId. If the CorrelationId is missing, it extracts the value from the Message field using a regular expression.","body":"OEPDataplaneLogs\r\n// Ensure each log entry has a CorrelationId by using the existing one or extracting it from the Message field\r\n| extend CorrelationId = iff(notempty(CorrelationId), CorrelationId, extract(@\"correlation-id=([a-zA-Z0-9_-]+)\", 1, Message))","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"tables":["OEPDataplaneLogs"]}},{"id":"c646d0fd-7eee-44d1-ae13-0791e3f7b766","displayName":"Extracting and Categorizing HTTP Response Codes","description":"Categorize log messages based on HTTP response codes. 
It extends the log data with a new column called ResponseCode and displays only relevant fields.","body":"OEPDataplaneLogs\r\n// Define ResponseCodes based on Message content and extends into a separate column.\r\n| extend ResponseCode = case(\r\n Message has_any (\"Status=500\", \"Internal Server Error\"), \"500\", // Internal Server Error\r\n Message has_any (\"Status=401\", \"Unauthorized\"), \"401\", // Unauthorized Access\r\n Message has_any (\"Status=403\", \"Forbidden\"), \"403\", // Forbidden Access\r\n Message has_any (\"Status=429\", \"RequestBodyTooLarge\"), \"429\", // Request Body Too Large\r\n Message has_any (\"Status=200\", \"200 OK\"), \"200\", // Successful Request\r\n Message has \"Status=201\", \"201\", // Resource Created\r\n \"\" // Default case if no match\r\n)\r\n//\r\n// Displays only relevant columns\r\n//\r\n| project TimeGenerated, Category, Message, LogLevel, CorrelationId, ResponseCode","tags":{"Topic":["Diagnostics","Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"tables":["OEPDataplaneLogs"]}},{"id":"a4d5c564-f185-450d-9024-ac003c123456","displayName":"Count of successful warehouse delete requests","description":"Evaluates the count of successful warehouse delete requests.","body":"SupplyChainEntityOperationLogs\r\n| where RequestMethod == \"DELETE\" and OperationName == \"Microsoft.OpenLogisticsPlatform/workspace/warehouses/delete\" and HttpStatusCode == 200\r\n| summarize Count = count() by RequestId","tags":{"Topic":["Diagnostics","Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.openlogisticsplatform/workspaces"],"tables":["OLPSupplyChainEntityOperations"]}},{"id":"a4d5c564-f185-450d-9024-ac003c456789","displayName":"Count of item update events","description":"Count of item entity update 
events by EventId.","body":"OLPSupplyChainEventLogs\r\n| where EventType == \"Microsoft.OpenLogisticsPlatform.EntityUpdated\" and SupplyChainResourceType == \"Item\"\r\n| summarize Count = count() by EventId","tags":{"Topic":["Diagnostics","Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.openlogisticsplatform/workspaces"]}},{"id":"3f8d4567-12ab-34cd-56ef-789012345678","displayName":"Application performance overview","description":"Show span count and average duration by service and operation name over the last hour.","body":"OTelSpans\r\n| where TimeGenerated > ago(1h)\r\n| summarize \r\n SpanCount = count(),\r\n AvgDurationMs = avg(DurationMs),\r\n P50DurationMs = percentile(DurationMs, 50),\r\n P95DurationMs = percentile(DurationMs, 95),\r\n ErrorCount = countif(Success == false)\r\n by ServiceName, Name\r\n| extend ErrorRate = round(100.0 * ErrorCount / SpanCount, 2)\r\n| order by SpanCount desc\r\n| limit 100","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["applications"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"tables":["OTelSpans"]}},{"id":"1e2f3a4b-5c6d-7e8f-9012-3456789abcde","displayName":"Exception events summary","description":"Summarize exception events by type and service over the last 24 hours.","body":"OTelEvents\r\n| where TimeGenerated > ago(24h)\r\n| where isnotempty(ExceptionType)\r\n| summarize \r\n ExceptionCount = count(),\r\n UniqueTraces = dcount(TraceId),\r\n UniqueSpans = dcount(SpanId),\r\n SampleMessages = take_any(ExceptionMessage, 3)\r\n by ServiceName, ExceptionType, ExceptionProblem\r\n| order by ExceptionCount desc\r\n| project ServiceName, ExceptionType, ExceptionProblem, ExceptionCount, UniqueTraces, UniqueSpans, SampleMessages\r\n| limit 
100","tags":{"Topic":["Exceptions","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["applications"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"tables":["OTelEvents"]}},{"id":"2a1b3c4d-6e7f-8901-bcde-f23456789abc","displayName":"Log severity analysis","description":"Analyze log distribution by severity level and service over the last hour.","body":"OTelLogs\r\n| where TimeGenerated > ago(1h)\r\n| summarize \r\n LogCount = count(),\r\n UniqueTraces = dcount(TraceId),\r\n UniqueSpans = dcount(SpanId),\r\n SampleBodies = take_any(Body, 3)\r\n by ServiceName, SeverityText, SeverityNumber\r\n| extend SeverityLevel = case(\r\n SeverityNumber ago(1h)\r\n | where level == \"Error\"\r\n | summarize count()","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["oracle.database/cloudvmclusters"]}},{"id":"def050d2-9447-4229-8a62-b980bb38ca9a","displayName":"Number of Errors in last hour","description":"Number of Vm Cluster errors in last one hour.","body":"source\r\n | where TimeGenerated > ago(1h)\r\n | where level == \"Error\"\r\n | summarize count()","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"],"resourceTypes":["oracle.database/cloudexadatainfrastructures"]}},{"id":"1cf50156-0581-4890-8563-e04def3dbd26","displayName":"Palo Alto collector machine usage","description":"This query displays a descending list of all collector machines hostname according to the amount of events they are recieving from a Palo Alto appliance.","body":"CommonSecurityLog\r\n// Quering on the past 7 days\r\n| where TimeGenerated > ago(7d)\r\n// Quering only on incoming events from a Palo Alto appliance\r\n| where DeviceProduct has 'PAN-OS'\r\n| where DeviceVendor =~ 'Palo Alto Networks'\r\n// Find the the collector machine with the highest usage\r\n| summarize Count=count() by Computer\r\n// Sort in a descending order- Most used Collector hostname 
comes first\r\n| sort by Count desc","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/cef"],"tables":["CommonSecurityLog"]}},{"id":"86016240-9a8e-4aa3-8195-73609ef95294","displayName":"Cisco ASA events type usage","description":"This query displays a descending list of the amount of events ingested for each DeviceEventClassID","body":"CommonSecurityLog \r\n// Quering on the past 7 days\r\n| where TimeGenerated > ago(7d)\r\n// Only filter on Cisco ASA events\r\n| where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\r\n// group events by their DeviceEventClassID value, which represents the Cisco message id\r\n| summarize count_events=count() by DeviceEventClassID\r\n// Sort in a descending order- most used DeviceEventClassID comes first\r\n| sort by count_events desc","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/cef"],"tables":["CommonSecurityLog"]}},{"id":"64ded722-608e-472b-a3dd-17f94b7cac07","displayName":"Get traffic to non standard ports","description":"This query identifies source IP addresses sending connection requests over multiple ports. This could be an indication of adversary attempts to list available services. 
References: MITRE Network Service Scanning (T1046). Scope: only sessions with EventResult Failure to public (non-private IPv4) destinations are counted, so scanning of internal address ranges is not covered; the ephemeral-port exclusion starts at 49512 whereas the IANA dynamic range starts at 49152, so ports 49152-49511 are still counted.
This could be an indication of adversary attempts to steal and exfiltrate data. Caveats: the list of common domains is fetched at query time over plain HTTP from an external S3 bucket and is not integrity-checked, so treat the result as a triage aid rather than a trusted allowlist; the second-level-domain extraction is a simple regex that does not handle multi-label public suffixes such as co.uk; and the isInternal filter only excludes the .local, .lan and .home suffixes.
\"Production\"","properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/anomalies"],"tables":["Anomalies"]}},{"id":"650380ee-8027-4dc3-8763-c338222be64a","displayName":"Get Flighting Anomalies (last day)","description":"Gets a list of all anomalies generated by a flighting Sentinel rule in the last day","body":"Anomalies\r\n| where TimeGenerated > ago(1d)\r\n| where RuleStatus == \"Flighting\"","properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/anomalies"],"tables":["Anomalies"]}},{"id":"8d9fc68f-84a8-4186-9675-952013133dc9","displayName":"Rejected IPv4 actions","description":"Returns 10 rejected actions of type IPv4.","body":"AWSVPCFlow\r\n| where Action == \"REJECT\"\r\n| where Type == \"IPv4\"\r\n| take 10","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/amazon"],"tables":["AWSVPCFlow"]}},{"id":"44640527-2945-467a-a5db-fcaf8b11f1b1","displayName":"High severity findings","description":"Returns high severity findings summarize by activity type.","body":"AWSGuardDuty\r\n| where Severity > 7\r\n| summarize count() by ActivityType","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/amazon"],"tables":["AWSGuardDuty"]}},{"id":"affffc71-5531-497d-ae2b-6d536ae12784","displayName":"New users per region","description":"Returns count of created users per region.","body":"AWSCloudTrail\r\n| where EventName == \"CreateUser\"\r\n| summarize count() by 
AWSRegion","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/amazon"],"tables":["AWSCloudTrail"]}},{"id":"f8a1b2c3-4d5e-6f7a-8b9c-0d1e2f3a4b5c","displayName":"High severity detections","description":"Returns count of high severity detections by severity level.","body":"CrowdStrikeDetections\r\n| where MaxSeverity >= 70\r\n| summarize count() by MaxSeverityDisplayName\r\n","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/crowdstrike"],"tables":["CrowdStrikeDetections"]}},{"id":"a9b8c7d6-5e4f-3a2b-1c0d-9e8f7a6b5c4d","displayName":"Critical alerts by tactic","description":"Returns count of critical alerts grouped by MITRE ATT&CK tactic.","body":"CrowdStrikeAlerts\r\n| where Severity == \"Critical\"\r\n| summarize count() by TacticId, Tactic\r\n| order by count_ desc\r\n","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/crowdstrike"],"tables":["CrowdStrikeAlerts"]}},{"id":"b1c2d3e4-f5a6-7b8c-9d0e-1f2a3b4c5d6e","displayName":"Open incidents by state","description":"Returns count of open and in-progress incidents by state.","body":"CrowdStrikeIncidents\r\n| where Status in (\"open\", \"in_progress\")\r\n| summarize count() by State\r\n","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/crowdstrike"],"tables":["CrowdStrikeIncidents"]}},{"id":"4e44198b-0072-4be0-a2aa-60b8804da78f","displayName":"New cases by status","description":"Returns count of new cases by status.","body":"CrowdStrikeCases\r\n| where Status in 
(\"new\")\r\n| summarize count() by Status\r\n","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/crowdstrike"],"tables":["CrowdStrikeCases"]}},{"id":"e2eb04f4-fce9-58e6-aa56-86d12e79e496","displayName":"Get sample of CrowdStrike Audit Event logs","description":"Get sample of CrowdStrike Audit Event logs","body":"CrowdStrikeAuditEvents\r\n | take 10","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/crowdstrike"]}},{"id":"440a414a-17dd-54a7-8ad6-ec077680bcb1","displayName":"Get CrowdStrike events by type","description":"Get CrowdStrike events by type","body":"CrowdStrikeAuditEvents\r\n | where EventType == \"EppDetectionSummaryEvent\"\r\n | take 10","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/crowdstrike"]}},{"id":"0b4777dd-730e-4b8b-8a13-2bb21f5626c1","displayName":"PubSub subscription logs with severity info","description":"List of pubSub subscription logs with severity info.","body":"GCPAuditLogs\r\n| where GCPResourceType == 'pubsub_subscription'\r\n| where severity == 'INFO'\r\n| limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/gcp"],"tables":["GCPAuditLogs"]}},{"id":"32e805e5-fe72-4141-aac4-f49c8ae6d03c","displayName":"Ilumio Insights multiple deny events","description":"Display Ilumio Insights multiple deny events.","body":"IlumioInsights\r\n| where status == \"DENIED\"\r\n| summarize count() by Port\r\n| where count_> 
40","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/ilumio"],"tables":["IlumioInsights"]}},{"id":"335fcdf9-4712-4176-8266-d19eab3e64a0","displayName":"Imperva WAF Cloud V2 Logs","description":"Query for Imperva Cloud WAF security events","body":"SentinelImpervaWAFCloudV2Logs\r\n| where Act == \"REQ_BLOCKED\"\r\n| summarize count() by AttackName, CCode, Src\r\n| sort by count_ desc\r\n","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/impervacloud"],"tables":["SentinelImpervaWAFCloudV2Logs"]}},{"id":"a1b2c3d4-e5f6-7890-abcd-ef1234567890","displayName":"Copilot Interactions by User","description":"Shows Copilot interactions grouped by user with counts and time range over the last 7 days","body":"LLMActivity\r\n| where RecordType == \"CopilotInteraction\"\r\n| where TimeGenerated >= ago(7d)\r\n| summarize InteractionCount = count(), \r\n FirstInteraction = min(TimeGenerated),\r\n LastInteraction = max(TimeGenerated)\r\n by ActorName, ActorUserId\r\n| order by InteractionCount desc\r\n","tags":{"Topic":["Security","User Activity"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security","audit"],"resourceTypes":["microsoft.securityinsights/llmactivity"],"tables":["CopilotActivity"]}},{"id":"b2c3d4e5-f6g7-8901-bcde-f12345678901","displayName":"Copilot Plugin Management Activity","description":"Shows plugin creation, updates, and status changes over the last 30 days","body":"LLMActivity\r\n| where RecordType in (\"CreateCopilotPlugin\", \"UpdateCopilotPlugin\", \"EnableCopilotPlugin\", \"DisableCopilotPlugin\")\r\n| where TimeGenerated >= ago(30d)\r\n| project TimeGenerated, ActorName, RecordType, AgentName, SrcIpAddr\r\n| order by 
TimeGenerated desc\r\n","tags":{"Topic":["Administration","Plugin Management"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security","audit"],"resourceTypes":["microsoft.securityinsights/llmactivity"],"tables":["CopilotActivity"]}},{"id":"c3d4e5f6-g7h8-9012-cdef-123456789012","displayName":"Copilot PromptBook Management","description":"Tracks PromptBook creation, updates, and deletions over the last 30 days","body":"LLMActivity\r\n| where RecordType in (\"CreateCopilotPromptBook\", \"UpdateCopilotPromptBook\", \"DeleteCopilotPromptBook\")\r\n| where TimeGenerated >= ago(30d)\r\n| extend PromptBookId = tostring(LLMEventData.Resource[0].Property)\r\n| project TimeGenerated, ActorName, RecordType, PromptBookId, SrcIpAddr\r\n| order by TimeGenerated desc\r\n","tags":{"Topic":["Administration","PromptBook Management"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security","audit"],"resourceTypes":["microsoft.securityinsights/llmactivity"],"tables":["CopilotActivity"]}},{"id":"d4e5f6g7-h8i9-0123-defg-234567890123","displayName":"Copilot Security and Compliance Events","description":"Shows security-related Copilot events including jailbreak detection over the last 7 days","body":"LLMActivity\r\n| where RecordType == \"CopilotInteraction\"\r\n| where TimeGenerated >= ago(7d)\r\n| extend Messages = LLMEventData.Messages\r\n| mv-expand Messages\r\n| where tobool(Messages.JailbreakDetected) == true\r\n| project TimeGenerated, ActorName, ActorUserId, AgentName, \r\n MessageId = tostring(Messages.Id),\r\n JailbreakDetected = tobool(Messages.JailbreakDetected)\r\n| order by TimeGenerated 
desc\r\n","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/llmactivity"],"tables":["CopilotActivity"]}},{"id":"e5f6g7h8-i9j0-1234-efgh-345678901234","displayName":"AI Model Usage Statistics","description":"Shows which AI models are being used across Copilot interactions over the last 30 days","body":"LLMActivity\r\n| where RecordType == \"CopilotInteraction\"\r\n| where TimeGenerated >= ago(30d)\r\n| where isnotempty(AIModelName)\r\n| summarize InteractionCount = count(),\r\n UniqueUsers = dcount(ActorUserId),\r\n FirstUsed = min(TimeGenerated),\r\n LastUsed = max(TimeGenerated)\r\n by AIModelName, AIModelVersion\r\n| order by InteractionCount desc\r\n","tags":{"Topic":["Security","AI Models"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security","audit"],"resourceTypes":["microsoft.securityinsights/llmactivity"],"tables":["CopilotActivity"]}},{"id":"f6g7h8i9-j0k1-2345-fghi-456789012345","displayName":"Resources Accessed by Copilot","description":"Shows external resources accessed during Copilot interactions over the last 7 days","body":"LLMActivity\r\n| where RecordType == \"CopilotInteraction\"\r\n| where TimeGenerated >= ago(7d)\r\n| extend AccessedResources = LLMEventData.AccessedResources\r\n| mv-expand AccessedResources\r\n| where isnotempty(AccessedResources.SiteUrl)\r\n| project TimeGenerated, ActorName, AgentName,\r\n ResourceUrl = tostring(AccessedResources.SiteUrl),\r\n Action = tostring(AccessedResources.Action),\r\n ResourceType = tostring(AccessedResources.Type)\r\n| summarize AccessCount = count() by ResourceUrl, Action, ResourceType\r\n| order by AccessCount desc\r\n","tags":{"Topic":["Security","Resource 
Access"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security","audit"],"resourceTypes":["microsoft.securityinsights/llmactivity"],"tables":["CopilotActivity"]}},{"id":"f3e18c86-c0aa-4d1a-8f30-6e8c6cd3cad2","displayName":"File name extension change","description":"Display files that were renamed.","body":"CloudAppEvents \r\n| where Application in (\"Microsoft OneDrive for Business\", \"Microsoft SharePoint Online\") and ActionType == \"FileRenamed\"\r\n| extend NewFileNameExtension = tostring(RawEventData.DestinationFileExtension)\r\n| extend OldFileNameExtension = tostring(RawEventData.SourceFileExtension)\r\n| extend OldFileName = tostring(RawEventData.SourceFileName)\r\n| extend NewFileName = tostring(RawEventData.DestinationFileName)\r\n| where NewFileNameExtension == \"doc\" and OldFileNameExtension == \"docx\" \r\n| project RenameTime = Timestamp, OldFileNameExtension, OldFileName, NewFileNameExtension, NewFileName, ActionType, Application, AccountDisplayName, AccountObjectId\r\n| join kind=inner (DeviceFileEvents \r\n| project FileName, AccountObjectId = InitiatingProcessAccountObjectId , DeviceName, SeenOnDevice = Timestamp, FolderPath) on $left.NewFileName == $right.FileName, AccountObjectId\r\n| project RenameTime, NewFileName, OldFileName, Application, AccountObjectId, AccountDisplayName, DeviceName , SeenOnDevice, FolderPath \r\n| limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights/mcas"],"tables":["CloudAppEvents"]}},{"id":"ad9ab554-0b90-4eca-b39a-7871b96d23f4","displayName":"Alerts by MITRE ATT&CK technique","description":"List number of alerts by MITRE ATT&CK technique in descending order.","body":"AlertInfo\r\n| where isnotempty(AttackTechniques)\r\n| mvexpand todynamic(AttackTechniques) to typeof(string)\r\n| summarize 
AlertCount = dcount(AlertId) by AttackTechniques\r\n| sort by AlertCount desc","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/mda"],"tables":["AlertInfo"]}},{"id":"be15042c-877f-4842-8e66-5bdb4355bcde","displayName":"Alerts involving a user","description":"List 100 alerts involving a certain user.","body":"let userID = \"\";\r\nlet userSid = \"\";\r\nAlertEvidence\r\n| where EntityType == \"User\" and (AccountObjectId == userID or AccountSid == userSid )\r\n| join AlertInfo on AlertId\r\n| project Timestamp, AlertId, Title, Category , Severity , ServiceSource , DetectionSource , AttackTechniques, AccountObjectId, AccountName, AccountDomain , AccountSid \r\n| limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/mda"],"tables":["AlertEvidence"]}},{"id":"9ad198e4-a2d5-4a5c-926d-fc67f1941a9f","displayName":"Top 10 cloud audit operations","description":"Get the top 10 most common cloud audit operations across all cloud platforms.","body":"CloudAuditEvents\r\n| summarize Count = count() by OperationName\r\n| top 10 by Count","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights/mdc"],"tables":["CloudAuditEvents"]}},{"id":"56a5cc12-e9d0-4b30-b566-2b28952db73b","displayName":"Cloud audit events from anonymous proxies","description":"Cloud audit events originating from anonymous proxy IP addresses.","body":"CloudAuditEvents\r\n| where IsAnonymousProxy == true\r\n| summarize Count = count() by IPAddress, CountryCode, City\r\n| order by Count desc\r\n| limit 
100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights/mdc"],"tables":["CloudAuditEvents"]}},{"id":"6068c9c7-ce57-40ee-9cb2-bcf4023e9963","displayName":"Cloud resource deletion operations","description":"Cloud audit events with delete action type, grouped by data source and operation.","body":"CloudAuditEvents\r\n| where ActionType == \"Delete\"\r\n| summarize Count = count() by DataSource, OperationName\r\n| order by Count desc","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights/mdc"],"tables":["CloudAuditEvents"]}},{"id":"55cf1c68-c638-42eb-84d8-7e76eced6737","displayName":"Top 10 active Kubernetes pods","description":"Get the top 10 Kubernetes pods with the most process events.","body":"CloudProcessEvents\r\n| summarize Count = count() by KubernetesNamespace, KubernetesPodName\r\n| top 10 by Count","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights/mdc"],"tables":["CloudProcessEvents"]}},{"id":"20c91d09-47f6-4b2b-8d22-4ef6e6c2b8c4","displayName":"Process creation events in containers","description":"Process creation events grouped by process name and container image.","body":"CloudProcessEvents\r\n| where ActionType has \"ProcessCreated\"\r\n| summarize Count = count() by ProcessName, ContainerImageName\r\n| order by Count desc\r\n| limit 
100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights/mdc"],"tables":["CloudProcessEvents"]}},{"id":"3b623afd-c690-47fd-9304-e3f678ad715b","displayName":"Suspicious commands in containers","description":"Process events with potentially suspicious commands like curl, wget, bash, or sh.","body":"CloudProcessEvents\r\n| where ProcessCommandLine has_any (\"curl\", \"wget\", \"bash\", \"sh\")\r\n| project TimeGenerated, KubernetesNamespace, KubernetesPodName, ProcessName, ProcessCommandLine, AccountName\r\n| limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights/mdc"],"tables":["CloudProcessEvents"]}},{"id":"76a0586c-7122-4fc4-abd0-348a6b852174","displayName":"Top storage accounts by activity","description":"Storage accounts with the highest number of GET and PUT operations.","body":"CloudStorageAggregatedEvents\r\n| summarize TotalGets = sum(TotalBlobGetOperations), TotalPuts = sum(TotalBlobPutOperations) by StorageAccountName\r\n| order by TotalGets desc\r\n| limit 50","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights/mdc"],"tables":["CloudStorageAggregatedEvents"]}},{"id":"0d531240-ad3d-4714-91a9-3e36bf51a607","displayName":"Storage access from anonymous sources","description":"Storage accounts accessed anonymously, grouped by IP address and location.","body":"CloudStorageAggregatedEvents\r\n| where AnonymousSuccessfulOperations > 0\r\n| summarize TotalAnonymousOps = sum(AnonymousSuccessfulOperations) by StorageAccountName, ClientIPAddress, CountryName\r\n| order by TotalAnonymousOps desc\r\n| 
limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights/mdc"],"tables":["CloudStorageAggregatedEvents"]}},{"id":"0cd8d3ed-6d62-4bf4-b854-3a5ca4b8c25c","displayName":"Storage access from suspicious IPs","description":"Storage access events from Tor exit nodes or known suspicious IP addresses.","body":"CloudStorageAggregatedEvents\r\n| where IsTorExitNode == true or IsKnownSuspiciousIp == true\r\n| project TimeGenerated, StorageAccountName, ClientIPAddress, CountryName, CityName, IsTorExitNode, IsKnownSuspiciousIp, TotalBlobGetOperations, TotalBlobPutOperations\r\n| limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights/mdc"],"tables":["CloudStorageAggregatedEvents"]}},{"id":"6c605c9c-6eca-4945-8a42-18833ad3cf42","displayName":"LDAP authentication processes with cleartext passwords","description":"Find processes that performed LDAP authentication with cleartext passwords.","body":"// Find processes that performed LDAP authentication with cleartext passwords\r\nIdentityLogonEvents\r\n| where Protocol == \"LDAP\" //and isnotempty(AccountName)\r\n| project LogonTime = Timestamp, DeviceName, Application, ActionType, LogonType //,AccountName\r\n| join kind=inner (\r\nDeviceNetworkEvents\r\n| where ActionType == \"ConnectionSuccess\"\r\n| extend DeviceName = toupper(trim(@\"\\..*$\",DeviceName))\r\n| where RemotePort == \"389\"\r\n| project NetworkConnectionTime = Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine\r\n) on DeviceName\r\n| where LogonTime - NetworkConnectionTime between (-2m .. 
2m)\r\n| project Application, LogonType, ActionType, LogonTime, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine //, AccountName\r\n| limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/mdi"],"tables":["IdentityLogonEvents"]}},{"id":"68b79dce-2343-49e7-a1a1-1e9c61cc9888","displayName":"SAMR queries to Active Directory","description":"Find processes that sent SAMR queries to Active Directory.","body":"// Find processes that sent SAMR queries to Active Directory\r\nIdentityQueryEvents\r\n| where ActionType == \"SAMR query\"\r\n// and isnotempty(AccountName)\r\n| project QueryTime = Timestamp, DeviceName, AccountName, Query, QueryTarget\r\n| join kind=inner (\r\nDeviceProcessEvents\r\n| extend DeviceName = toupper(trim(@\"\\..*$\",DeviceName))\r\n//| where InitiatingProcessCommandLine contains \"net.exe\"\r\n| project ProcessCreationTime = Timestamp, DeviceName, AccountName,\r\n InitiatingProcessFileName , InitiatingProcessCommandLine\r\n ) on DeviceName//, AccountName\r\n| where ProcessCreationTime - QueryTime between (-2m .. 
2m)\r\n| project QueryTime, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, Query, QueryTarget //,AccountName\r\n | limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/mdi"],"tables":["IdentityQueryEvents"]}},{"id":"09be64ab-51be-4f8c-8c03-17243fbfdfbc","displayName":"Group Membership changed","description":"Group Membership changed.","body":"let group = '';\r\nIdentityDirectoryEvents\r\n| where ActionType == 'Group Membership changed'\r\n| extend AddedToGroup = AdditionalFields['TO.GROUP']\r\n| extend RemovedFromGroup = AdditionalFields['FROM.GROUP']\r\n| extend TargetAccount = AdditionalFields['TARGET_OBJECT.USER']\r\n| where AddedToGroup == group or RemovedFromGroup == group\r\n| project-reorder Timestamp, ActionType, AddedToGroup, RemovedFromGroup, TargetAccount\r\n| limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/mdi"],"tables":["IdentityDirectoryEvents"]}},{"id":"67e621ec-0a84-412a-ac48-1cfd80f30a43","displayName":"Password change event","description":"Find the latest password change event for a specific account.","body":"//Find the latest password change event for a specific account\r\nlet userAccount = '';\r\nlet deviceAccount = 'insert your device account';\r\nIdentityDirectoryEvents\r\n| where ActionType == 'Account Password changed'\r\n| where TargetAccountDisplayName == userAccount\r\n//If you are looking for last password change of a device account comment the above row and remove comment from the below row\r\n//| where TargetDeviceName == deviceAccount\r\n| summarize LastPasswordChangeTime = max(Timestamp) by TargetAccountDisplayName // or change to TargetDeviceName for devcie 
account","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/mdi"],"tables":["IdentityDirectoryEvents"]}},{"id":"44fc0e47-dc0e-4d77-8fcb-0e7aa58b7e92","displayName":"Phishing emails from the top 10 sender domains","description":"Get the number of phishing emails from the top ten sender domains.","body":"EmailEvents\r\n| where ThreatTypes has \"Phish\"\r\n| summarize Count = count() by SenderFromDomain\r\n| top 10 by Count ","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/mdo"],"tables":["EmailEvents"]}},{"id":"824be1eb-27b7-44e9-97b6-ceba952b5301","displayName":"Emails with malware","description":"List up to 500 emails whose detected threat types include malware.","body":"EmailEvents\r\n| where ThreatTypes has \"Malware\"\r\n| limit 500 ","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/mdo"],"tables":["EmailEvents"]}},{"id":"90f66bc3-2a34-4ea7-8849-2a0c1abb9a75","displayName":"Files from malicious sender","description":"Finds the first appearance of files sent by a malicious sender in your organization at selected time frame. 
To see earlier appearances please increase selected time range.","body":"let MaliciousSender = \"\";\r\nEmailAttachmentInfo\r\n| where SenderFromAddress =~ MaliciousSender\r\n| project SHA256 = tolower(SHA256)\r\n| join (\r\nDeviceFileEvents\r\n) on SHA256\r\n| summarize FirstAppearance = min(Timestamp) by DeviceName, SHA256, FileName \r\n| take 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/mdo"],"tables":["EmailAttachmentInfo"]}},{"id":"d826f137-f675-459e-a758-5acbc604ce90","displayName":"Emails to external domains with attachments","description":"Emails sent to an external domain that include attachments.","body":"EmailEvents\r\n| where EmailDirection == \"Outbound\" and AttachmentCount > 0\r\n| join EmailAttachmentInfo on NetworkMessageId \r\n| project Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId, FileName, AttachmentCount \r\n| take 1000","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/mdo"],"tables":["EmailAttachmentInfo"]}},{"id":"d353de41-be6b-4bd0-9c88-62f8db108f09","displayName":"URLs in an email","description":"URLs in a particular message, by NetworkMessageId identifier.","body":"let myEmailId = \"\";\r\nEmailEvents\r\n| where NetworkMessageId == myEmailId\r\n| join EmailUrlInfo on NetworkMessageId\r\n| project Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId, Url, UrlCount \r\n| take 1000","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/mdo"],"tables":["EmailUrlInfo"]}},{"id":"4759e733-d0b0-4415-bd31-72b9765994d6","displayName":"Post-delivery administrator 
actions","description":"Display post-delivery actions made by an administrator (ActionTrigger is AdminAction).","body":"EmailPostDeliveryEvents\r\n| where ActionTrigger == 'AdminAction'\r\n| take 100 ","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/mdo"],"tables":["EmailPostDeliveryEvents"]}},{"id":"a2cdbdc7-3abb-426d-a77f-771d6bf5a4f9","displayName":"Unremediated post-delivery phishing email detections","description":"Display post-delivery phishing detections where the Phish ZAP action failed (ActionResult is Error), so the message was not remediated.","body":"EmailPostDeliveryEvents\r\n| where ActionType == 'Phish ZAP' and ActionResult == 'Error'\r\n| join EmailEvents on NetworkMessageId, RecipientEmailAddress \r\n| take 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/mdo"],"tables":["EmailPostDeliveryEvents"]}},{"id":"fb42f174-b844-4416-8033-9f40cd9162a4","displayName":"Full email processing details","description":"Emails that include predefined post-delivery actions or automatic rules, by sender and subject.","body":"let mySender = \"\";\r\nlet subject = \"\";\r\nEmailEvents\r\n| where SenderFromAddress == mySender and Subject == subject\r\n| join EmailPostDeliveryEvents on NetworkMessageId, RecipientEmailAddress \r\n| take 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/mdo"],"tables":["EmailPostDeliveryEvents"]}},{"id":"11769810-ba17-4663-bdc3-d6114617aadd","displayName":"Links where a user was allowed to proceed","description":"Phishing links where the user was allowed to click through.","body":"UrlClickEvents\r\n| where ActionType == \"ClickAllowed\" or IsClickedThrough !=\"0\"\r\n| where ThreatTypes has \"Phish\"\r\n| 
summarize by ReportId, IsClickedThrough, AccountUpn, NetworkMessageId, ThreatTypes, Timestamp","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/mdo"],"tables":["UrlClickEvents"]}},{"id":"4e7a449a-ae3f-4100-9598-197f4a43abc1","displayName":"Microsoft Purview Information Protection events","description":"Microsoft Purview Information Protection events summarized by label event type and workload.","body":"MicrosoftPurviewInformationProtection\r\n| summarize Value=count() by LabelEventType, Workload\r\n| order by Value","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/microsoftpurview"],"tables":["MicrosoftPurviewInformationProtection"]}},{"id":"8df595d6-7c32-4257-8280-90182a32c23a","displayName":"MS Project events filtered by organization ID","description":"Display events with a non-empty organization ID, summarized by user ID and result status. Replace the empty string in the OrganizationId filter to target a specific tenant.","body":"ProjectActivity\r\n| where OrganizationId != \"\"\r\n| summarize count() by UserId, ResultStatus\r\n","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/office365"],"tables":["ProjectActivity"]}},{"id":"d5f248e0-45a6-45a7-9bd2-8ef963d39a05","displayName":"PowerBI events filtered by organization ID","description":"Display events with a non-empty organization ID, summarized by user ID and result status. Replace the empty string in the OrganizationId filter to target a specific tenant.","body":"PowerBIActivity\r\n| where OrganizationId != \"\"\r\n| summarize count() by UserId, 
ResultStatus","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security","audit"],"resourceTypes":["microsoft.securityinsights/office365"],"tables":["PowerBIActivity"]}},{"id":"d6a06676-95e8-4632-b949-44bc00f0793f","displayName":"Office Communication Compliance events filtered by organization ID","description":"Basic query for Office Communication Compliance event logs with a non-empty organization ID, summarized by user ID and result status.","body":"CommunicationComplianceActivity\r\n| where OrganizationId != \"\"\r\n| summarize count() by UserId, ResultStatus","tags":{"Topic":["Compliance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security","audit"],"resourceTypes":["microsoft.securityinsights/office365"],"tables":["CommunicationComplianceActivity"]}},{"id":"054777d1-722e-4b86-512d-2bb21f562cc1","displayName":"Okta SSO Successful logins","description":"List successful Okta logins (user.session.start events).","body":"OktaSystemLogs\r\n| where EventOriginalType == 'user.session.start'\r\n| limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/okta"],"tables":["OktaSystemLogs"]}},{"id":"d5eec317-3dee-4aa9-92ec-28af5f25242f","displayName":"Power Apps events filtered by activity type","description":"Display events filtered by the LaunchPowerApp activity type and summarized by actor, app and environment.","body":"PowerAppsActivity\r\n| where EventOriginalType == \"LaunchPowerApp\"\r\n| extend Environment = tostring(AdditionalData.environmentName)\r\n| summarize count() by ActorName, TargetAppName, 
Environment","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security","audit"],"resourceTypes":["microsoft.securityinsights/powerplatform"],"tables":["PowerAppsActivity"]}},{"id":"8c391e1d-f7d0-4a0b-bab1-a0fc8978e108","displayName":"Power Platform DLP events filtered by activity type","description":"Display events filtered by the CreateDlpPolicy activity type and summarized by actor, policy name and policy type.","body":"PowerPlatformDlpActivity\r\n| where EventOriginalType == \"CreateDlpPolicy\"\r\n| extend PolicyType = tostring(AdditionalInfo.policyType)\r\n| summarize count() by EventOriginalType, ActorName, PolicyName, PolicyType","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security","audit"],"resourceTypes":["microsoft.securityinsights/powerplatform"],"tables":["PowerPlatformDlpActivity"]}},{"id":"af2a6875-f636-497f-a721-10070b187d3a","displayName":"Power Platform Connector events filtered by activity type","description":"Display events filtered by the PutConnection activity type and summarized by actor and environment.","body":"PowerPlatformConnectorActivity\r\n| where EventOriginalType == \"PutConnection\"\r\n| summarize by EventOriginalType, ActorName, Environment = tostring(AdditionalInfo.environmentName)","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security","audit"],"resourceTypes":["microsoft.securityinsights/powerplatform"],"tables":["PowerPlatformConnectorActivity"]}},{"id":"65800d1d-80dd-4792-a147-5ce60fdd84bb","displayName":"Power Automate events filtered by activity type","description":"Display events filtered by the CreateFlow activity type and summarized by actor and flow 
details.","body":"PowerAutomateActivity\r\n| where EventOriginalType == \"CreateFlow\"\r\n| summarize count() by ActorName, FlowDetailsUrl","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security","audit"],"resourceTypes":["microsoft.securityinsights/powerplatform"],"tables":["PowerAutomateActivity"]}},{"id":"9fb56969-bd66-46b7-9c43-1aae797a302a","displayName":"Dataverse events filtered by operation type","description":"Display events filtered by Create record operations and summarized by associated table name.","body":"DataverseActivity\r\n| where Message == \"Create\"\r\n| summarize count() by EntityName","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security","audit"],"resourceTypes":["microsoft.securityinsights/powerplatform"],"tables":["DataverseActivity"]}},{"id":"52f7ea87-5e0f-4366-90fa-d73f627b3bc6","displayName":"Power Platform administration events","description":"Display events summarized by operation type and the user who initiated the operation.","body":"PowerPlatformAdminActivity\r\n| summarize count() by EventOriginalType, ActorName","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security","audit"],"resourceTypes":["microsoft.securityinsights/powerplatform"],"tables":["PowerPlatformAdminActivity"]}},{"id":"63b0b1fc-ec04-4485-900d-a656aa32111e","displayName":"Qualys vulnerability summary by severity","description":"Returns a summary of Qualys vulnerabilities grouped by severity level, category, and vulnerability type, including counts of patchable and unpatchable vulnerabilities.","body":"QualysKnowledgeBase\r\n| extend SoftwareVendorList = tostring(SoftwareVendor)\r\n| summarize\r\n VulnerabilityCount = count(),\r\n PatchableCount = countif(Patchable == \"1\"),\r\n UnpatchableCount 
= countif(Patchable == \"0\"),\r\n CveCount = dcount(tostring(CveId)),\r\n Cves = make_list(CveId),\r\n Qids = make_list(Qid),\r\n AffectedVendors = make_set(SoftwareVendorList)\r\n by SeverityLevel, Category, VulnType\r\n| extend VendorList = strcat_array(AffectedVendors, \", \")\r\n| project\r\n SeverityLevel,\r\n Category,\r\n VendorList,\r\n VulnType,\r\n VulnerabilityCount,\r\n PatchableCount,\r\n UnpatchableCount,\r\n CveCount,\r\n Qids,\r\n Cves\r\n| order by SeverityLevel desc, VulnerabilityCount desc\r\n| order by SeverityLevel desc, VulnerabilityCount desc","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.operationalinsights/workspaces/tables"],"tables":["QualysKnowledgeBase"]}},{"id":"3b26c2e7-62eb-4cb1-b350-1afbdac2d7e0","displayName":"Qualys vulnerabilities with Threat Intelligence","description":"Returns Qualys vulnerabilities that have active threat intelligence indicators, including threat levels and exploit information.","body":"QualysKnowledgeBase\r\n| where isnotnull(ThreatIntelligence) and array_length(ThreatIntelligence) > 0\r\n| mv-expand ThreatIntel = ThreatIntelligence\r\n| where isnotnull(ThreatIntel)\r\n| extend\r\n ThreatLevel = tostring(ThreatIntel[\"#cdata-section\"]),\r\n ThreatId = tostring(ThreatIntel.id)\r\n| where isnotempty(ThreatLevel) and isnotempty(ThreatId)\r\n| extend\r\n IsPciRelevant = PciFlag == \"1\",\r\n IsPatchable = Patchable == \"1\",\r\n CveCount = array_length(CveId)\r\n| summarize\r\n ThreatLevels = make_set(ThreatLevel),\r\n ThreatIds = make_set(ThreatId),\r\n HighestThreatId = max(toint(ThreatId))\r\n by TimeGenerated, Qid, VulnTitle, SeverityLevel, Category, VulnType,\r\n IsPatchable, IsPciRelevant, tostring(CveId), CveCount, tostring(SoftwareVendor),\r\n tostring(SoftwareProduct), PublishedDatetime, LastServiceModificationDateTime,\r\n Solution, Consequence\r\n| project\r\n 
TimeGenerated,\r\n Qid,\r\n VulnTitle,\r\n SeverityLevel,\r\n HighestThreatId,\r\n ThreatLevels,\r\n ThreatIds,\r\n Category,\r\n VulnType,\r\n IsPatchable,\r\n IsPciRelevant,\r\n CveId = parse_json(CveId),\r\n CveCount,\r\n SoftwareVendor = parse_json(SoftwareVendor),\r\n SoftwareProduct = parse_json(SoftwareProduct),\r\n PublishedDatetime,\r\n LastServiceModificationDateTime,\r\n Solution,\r\n Consequence\r\n| order by SeverityLevel desc, HighestThreatId desc, PublishedDatetime desc","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.operationalinsights/workspaces/tables"],"tables":["QualysKnowledgeBase"]}},{"id":"9a3c7b7e-2a9f-4e4a-9f3c-3e2d8b1c5a67","displayName":"Rapid7 InsightVM Cloud Assets","description":"Summarizes Rapid7 assets.","body":"source \r\n| project\r\n TimeGenerated = now(),\r\n AssessedForPolicies = tobool(assessed_for_policies),\r\n AssessedForVulnerabilities = tobool(assessed_for_vulnerabilities),\r\n CredentialAssessments = tostring(credential_assessments),\r\n CriticalVulnerabilities = todouble(critical_vulnerabilities),\r\n Exploits = todouble(exploits),\r\n HostName = tostring(host_name),\r\n Id = tostring(id),\r\n Ip = tostring(ip),\r\n LastAssessedForVulnerabilities = todatetime(last_assessed_for_vulnerabilities),\r\n LastScanEnd = todatetime(last_scan_end),\r\n LastScanStart = todatetime(last_scan_start),\r\n Mac = tostring(mac),\r\n MalwareKits = todouble(malware_kits),\r\n ModerateVulnerabilities = todouble(moderate_vulnerabilities),\r\n New = tostring(new),\r\n OsArchitecture = tostring(os_architecture),\r\n OsDescription = tostring(os_description),\r\n OsFamily = tostring(os_family),\r\n OsName = tostring(os_name),\r\n OsSystemName = tostring(os_system_name),\r\n OsType = tostring(os_type),\r\n OsVendor = tostring(os_vendor),\r\n OsVersion = tostring(os_version),\r\n Remediated = tostring(remediated),\r\n 
RiskScore = todouble(risk_score),\r\n Same = tostring(same),\r\n SevereVulnerabilities = todouble(severe_vulnerabilities),\r\n Tags = tostring(tags),\r\n TotalVulnerabilities = todouble(total_vulnerabilities),\r\n UniqueIdentifiers = tostring(unique_identifiers),\r\n AssetType = tostring(type)","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/rapid7insightvmcloud"],"tables":["Rapid7InsightVMCloudAssets"]}},{"id":"7c5e2d1f-4b3a-8c9e-0d1f-2a3b4c5d6e7f","displayName":"Rapid7 InsightVM Cloud Vulnerabilities","description":"Summarizes vulnerabilities.","body":"source \r\n| project\r\n TimeGenerated = now(),\r\n Added = todatetime(added),\r\n Categories = tostring(categories),\r\n Cves = tostring(cves),\r\n CvssV2AccessComplexity = tostring(cvss_v2_access_complexity),\r\n CvssV2AccessVector = tostring(cvss_v2_access_vector),\r\n CvssV2Authentication = tostring(cvss_v2_authentication),\r\n CvssV2AvailabilityImpact = tostring(cvss_v2_availability_impact),\r\n CvssV2ConfidentialityImpact = tostring(cvss_v2_confidentiality_impact),\r\n CvssV2ExploitScore = todouble(cvss_v2_exploit_score),\r\n CvssV2ImpactScore = todouble(cvss_v2_impact_score),\r\n CvssV2IntegrityImpact = tostring(cvss_v2_integrity_impact),\r\n CvssV2Score = todouble(cvss_v2_score),\r\n CvssV2Vector = tostring(cvss_v2_vector),\r\n CvssV3AttackComplexity = tostring(cvss_v3_attack_complexity),\r\n CvssV3AttackVector = tostring(cvss_v3_attack_vector),\r\n CvssV3AvailabilityImpact = tostring(cvss_v3_availability_impact),\r\n CvssV3ConfidentialityImpact = tostring(cvss_v3_confidentiality_impact),\r\n CvssV3ExploitScore = todouble(cvss_v3_exploit_score),\r\n CvssV3ImpactScore = todouble(cvss_v3_impact_score),\r\n CvssV3IntegrityImpact = tostring(cvss_v3_integrity_impact),\r\n CvssV3PrivilegesRequired = tostring(cvss_v3_privileges_required),\r\n CvssV3Scope = 
tostring(cvss_v3_scope),\r\n CvssV3Score = todouble(cvss_v3_score),\r\n CvssV3UserInteraction = tostring(cvss_v3_user_interaction),\r\n CvssV3Vector = tostring(cvss_v3_vector),\r\n DenialOfService = tobool(denial_of_service),\r\n Description = tostring(description),\r\n Exploits = tostring(exploits),\r\n Id = tostring(id),\r\n Links = tostring(links),\r\n MalwareKits = tostring(malware_kits),\r\n Modified = todatetime(modified),\r\n PciCvssScore = todouble(pci_cvss_score),\r\n PciFail = tobool(pci_fail),\r\n PciSeverityScore = todouble(pci_severity_score),\r\n PciSpecialNotes = tostring(pci_special_notes),\r\n PciStatus = tostring(pci_status),\r\n Published = todatetime(published),\r\n References = tostring(references),\r\n RiskScore = todouble(risk_score),\r\n Severity = tostring(severity),\r\n SeverityScore = todouble(severity_score),\r\n VulnerabilityTitle = tostring(['title'])","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/rapid7insightvmcloud"],"tables":["Rapid7InsightVMCloudVulnerabilities"]}},{"id":"291d06cf-e4b6-43e2-aa5d-45b2fcd74d6b","displayName":"Recent setup changes","description":"Returns the most recent setup changes made in Salesforce.","body":"SalesforceAuditTrail\r\n| where TimeGenerated > ago(7d)\r\n| project \r\n TimeGenerated,\r\n Action,\r\n Section,\r\n Display,\r\n CreatedDate,\r\n CreatedByName,\r\n CreatedByEmail,\r\n CreatedByUsername,\r\n DelegateUser\r\n| sort by TimeGenerated desc","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/salesforce"],"tables":["SalesforceAuditTrail"]}},{"id":"e8215b69-4cfe-4e8e-9d8e-cec354bd3ecb","displayName":"Failed login attempts","description":"Returns count of failed login attempts by 
user.","body":"SalesforceLoginHistory\r\n| where TimeGenerated > ago(30d)\r\n| where Status != \"Success\" and isnotempty(Status)\r\n| summarize \r\n FailedLoginCount = count(),\r\n LastFailedAttempt = max(TimeGenerated),\r\n DistinctSources = dcount(SourceIp),\r\n FailureReasons = make_set(Status)\r\n by UserId, Platform, CountryIso\r\n| sort by FailedLoginCount desc","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/salesforce"],"tables":["SalesforceLoginHistory"]}},{"id":"3459bf35-3c3c-5d12-b6f6-e01431cbf19b","displayName":"Get sample of Salesforce RTEM logs","description":"Get sample of Salesforce RTEM logs","body":"SalesForceRealTimeEventMonitoring\r\n | take 10","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/salesforce"]}},{"id":"e2ffe7a8-d457-5cfa-8f76-ddc2c2a38fc9","displayName":"Get Salesforce Login Events","description":"Get Salesforce Login Events","body":"SalesForceRealTimeEventMonitoring\r\n | where EventType == \"LoginEvent\"\r\n | take 10","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/salesforce"]}},{"id":"180e9e53-1653-4483-aab8-9f55725e8a63","displayName":"ABAP audit log multiple IP logons","description":"Display multiple users login from the same ip.","body":"let perIPLimit = 1;\r\nSAPAuditLog\r\n| where MessageId == 'AUM'\r\n| extend DetailsBy = pack(\"User\", User, \"Email\", Email, \"SystemId\", SystemId, \"ClientId\", ClientId)\r\n| summarize LoginbyIPAttempts = count(), Details = make_set(DetailsBy), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)\r\n by TerminalIpV6\r\n| where LoginbyIPAttempts > 
perIPLimit\r\n| mv-expand Details\r\n| evaluate bag_unpack(Details, \"Details_\")","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/sap"],"tables":["ABAPAuditLog"]}},{"id":"e0b79a1a-edf7-4a0e-9ed4-8a0ae14d3a85","displayName":"ABAP audit log table access","description":"Display table access (data read) activity: AU3 transaction-start events that use table browsing or maintenance transaction codes, bucketed by hour.","body":"let TableAccessTcodes= dynamic([\"SE16\", \"SE16N\", \"SE11\", \"SE16H\", \"SM30\", \"SE12\", \"SM31\", \"SE16H\", \"SE14\", \"SE54\",\"SE17\", \"SE16T\", \"DB01\", \"DB02\"]);\r\n// get data read actions\r\nABAPAuditLog\r\n | where MessageId == \"AU3\"\r\n | where TransactionCode in (TableAccessTcodes) or Variable1 in (TableAccessTcodes)\r\n | summarize by TimeAccessed= bin(TimeGenerated, 1h), SystemId, ClientId, User, AbapProgramName","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/sap"],"tables":["ABAPAuditLog"]}},{"id":"dcd68ba6-0656-43f8-8c16-21ed36226048","displayName":"WindowsEvent Audit Policy Events","description":"Display events where the audit log was cleared (EventID 1102) or the system audit policy was changed (EventID 4719).","body":"WindowsEvent\r\n| where Provider == 'Microsoft-Windows-Security-Auditing' \r\n| where EventID == 1102 or EventID == 4719\r\n| extend DescriptionMessage = iff(EventID == 1102, 'Audit log was cleared', 'System audit policy was changed')\r\n| take 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights"],"tables":["WindowsEvent"]}},{"id":"bffd4ec5-3957-408c-9831-3f49a4614e93","displayName":"Failures updating Office365-Sharepoint related Sentinel resources","description":"Display audit logs of failed attempts to 
update Office365-Sharepoint related Sentinel resources, with an optional filter by caller name and workspace id.","body":"SentinelAudit\r\n//| where WorkspaceId == \"\" // to filter on a specific WorkspaceId, uncomment this line\r\n| extend CallerName = tostring(ExtendedProperties.CallerName)\r\n// | where CallerName startswith \"\" // to filter on a specific user, uncomment this line\r\n| where Status == \"Failure\"\r\n| where SentinelResourceName has \"Office365-Sharepoint\"\r\n| limit 100","tags":{"Topic":["Security","Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security","audit"],"resourceTypes":["microsoft.securityinsights/securityinsights"],"tables":["SentinelAudit"]}},{"id":"2ceeb9da-0e43-44b8-b0c7-9debf01d0d89","displayName":"Security Events most common event IDs","description":"This query displays a descending list of the number of events ingested per EventID for Microsoft-Windows-Security-Auditing.","body":"SecurityEvent\r\n| where EventSourceName == \"Microsoft-Windows-Security-Auditing\"\r\n| summarize EventCount = count() by EventID\r\n| sort by EventCount desc\r\n","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights"],"tables":["SecurityEvent"]}},{"id":"aecb76d9-4063-422b-8837-9f4dba347a56","displayName":"Group Aggregated Security Alerts by Sector","description":"Projects aggregated security alert records onto flattened alert columns (severity, provider, confidence, timing, entities, tactics and techniques). Note that the query body only projects columns; it does not group alerts by sector.","body":"source\r\n| project\r\n TimeGenerated = todatetime(TimeGenerated),\r\n DisplayName = AlertDisplayName,\r\n AlertName = AlertDisplayName,\r\n AlertSeverity = Severity,\r\n Description,\r\n ProviderName,\r\n VendorName,\r\n VendorOriginalId = ProviderAlertId,\r\n SystemAlertId,\r\n AlertType,\r\n ConfidenceLevel,\r\n ConfidenceScore = tofloat(ConfidenceScore),\r\n StartTime = todatetime(StartTimeUtc),\r\n EndTime = 
todatetime(EndTimeUtc),\r\n ProcessingEndTime = todatetime(ProcessingEndTime),\r\n RemediationSteps = tostring(todynamic(RemediationSteps)),\r\n ExtendedProperties = tostring(todynamic(ExtendedProperties )),\r\n Entities = tostring(todynamic(Entities)),\r\n SourceSystem = \"Detection\",\r\n ExtendedLinks = tostring(todynamic(ExtendedLinks)),\r\n ProductName,\r\n ProductComponentName,\r\n Status,\r\n CompromisedEntity,\r\n Tactics = Intent,\r\n Techniques = tostring(todynamic(Techniques)),\r\n SubTechniques = tostring(todynamic(SubTechniques)),\r\n PartnerId,\r\n PartnerDisplayName,\r\n PartnerMetadata = tostring(todynamic(PartnerMetadata)),\r\n AggregatedSecurityAlertRuleIds,\r\n AggregatedSecurityAlertRuleNames\r\n","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights"],"tables":["AggregatedSecurityAlert"]}},{"id":"9448aa98-3680-40c1-8a3e-d67f0e9c64f7","displayName":"High severity events","description":"Events collected from Trellix Endpoint Security whose ThreatSeverity value is \"1\".","body":"TrellixEvents\r\n| where ThreatSeverity == \"1\"","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/trellix"]}},{"id":"09786294-08ad-48b1-b467-55ff30e7ca28","displayName":"Devices with antivirus configuration issues","description":"List devices whose antivirus configuration assessments are applicable but non-compliant.","body":"DeviceTvmSecureConfigurationAssessment\r\n| where ConfigurationSubcategory == 'Antivirus' and IsApplicable == 1 and IsCompliant == 0\r\n| take 
10","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/tvm"],"tables":["DeviceTvmSecureConfigurationAssessment"]}},{"id":"7014f07d-00e7-48ae-85df-df5913ee6174","displayName":"Unsupported software titles","description":"List software titles that have reached end of support, with the number of distinct devices running each.","body":"DeviceTvmSoftwareInventory\r\n| where EndOfSupportStatus == 'EOS Software'\r\n| summarize dcount(DeviceId) by SoftwareName","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/tvm"],"tables":["DeviceTvmSoftwareInventory"]}},{"id":"a894f0af-bb74-4525-bf5a-7e0faaf345d4","displayName":"Devices affected by a specific vulnerability","description":"List devices affected by a specific vulnerability; replace the example CVE ID with the one of interest.","body":"DeviceTvmSoftwareVulnerabilities\r\n| where CveId == 'CVE-2020-0791'\r\n| limit 100 ","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/tvm"],"tables":["DeviceTvmSoftwareVulnerabilities"]}},{"id":"94477231-37df-47e8-88a1-862e04d16a75","displayName":"Get Watchlist aliases","description":"Gets a distinct list of all Watchlist aliases in a workspace.","body":"Watchlist\r\n| where _DTItemType == \"Watchlist\"\r\n| where _DTTimestamp > ago(5d)\r\n| distinct WatchlistAlias","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/watchlists"],"tables":["Watchlist"]}},{"id":"d2812a18-ed70-4a01-b124-0f1bf86e86ac","displayName":"Lookup events using a Watchlist","description":"Lookup events in the Heartbeat table against data from a Watchlist by treating the 
Watchlist as a table for joins and lookups.","body":"Heartbeat\r\n| lookup kind=leftouter _GetWatchlist('mywatchlist')\r\n on $left.ComputerIP == $right.SearchKey\r\n | limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/watchlists"],"tables":["Watchlist"]}},{"id":"957d87b7-6acf-4cae-85b0-c45c65e69d0d","displayName":"Get confidential Watchlist aliases","description":"Returns a sample of up to 100 rows from the ConfidentialWatchlist table. To list only the aliases, append | distinct WatchlistAlias to the query.","body":"ConfidentialWatchlist\r\n| take 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/watchlists"],"tables":["ConfidentialWatchlist"]}},{"id":"cc80f907-6e9d-4ec0-99f6-e6dbc2ecd528","displayName":"Lookup events using a confidential Watchlist","description":"Lookup events in the Heartbeat table against data from a Watchlist by treating the confidential Watchlist as a table for joins and lookups. The body is identical to the standard Watchlist example; confirm that _GetWatchlist resolves confidential watchlists in your workspace.","body":"Heartbeat\r\n| lookup kind=leftouter _GetWatchlist('mywatchlist')\r\n on $left.ComputerIP == $right.SearchKey\r\n | limit 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/watchlists"],"tables":["ConfidentialWatchlist"]}},{"id":"86ec7263-b38a-4b73-b0cd-0939156545a6","displayName":"View ASim Agent Event Logs","description":"View the agent events normalized by ASIM.","body":"ASimAgentEventLogs\r\n| take 100","properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/agenteventnormalized"],"tables":["ASimAgentEventLogs"]}},{"id":"9fe432a8-1b0a-4cb5-8878-0825e01c66fa","displayName":"View ASim AlertEvent Logs","description":"View the alert events 
normalized by ASIM.","body":"ASimAlertEventLogs\r\n| take 100","properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/alerteventnormalized"],"tables":["ASimAlertEventLogs"]}},{"id":"9fe432a8-1b0a-4cb5-8878-0825e01c66fb","displayName":"View ASim AssetEntity Logs","description":"View the asset entities normalized by ASIM.","body":"ASimAssetEntityLogs\r\n| take 100","properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/assetentitynormalized"],"tables":["ASimAssetEntityLogs"]}},{"id":"083f9ca4-df5c-43d1-951c-0dc34ea73db1","displayName":"Count DNS failures for a source by source and type","description":"Count the number of failed DNS queries for each source IP address and failure type.","body":"ASimDnsActivityLogs\r\n| where EventType == 'Query' and EventResult == 'Failure'\r\n| summarize count() by SrcIpAddr, EventResultDetails","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"tables":["ASimDnsActivityLogs"]}},{"id":"30963fe3-2352-42de-94af-43ef3f63b1e3","displayName":"Identify excessive query for a nonexistent domain by a source","description":"Count the number of queries that return NXDOMAIN, indicating that the queried domain name does not exist, and compare the count to a threshold of 100.","body":"ASimDnsActivityLogs\r\n| where EventResultDetails == 'NXDOMAIN'\r\n| summarize c=count() by SrcIpAddr\r\n| where c > 100","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"tables":["ASimDnsActivityLogs"]}},{"id":"c4cdf677-7d39-4fc9-9894-e2264e719916","displayName":"Aggregate operations query","description":"List all the 
UnsuspendAmlFilesystem requests for a given time duration.","body":"AFSAuditLogs\r\n// The OperationName below can be replaced by obtain other operations such as \"RebootAmlFilesystemNode\" or \"AmlFSRefreshHSMToken\".\r\n| where OperationName has \"UnsuspendAmlFilesystem\"\r\n| project TimeGenerated, _ResourceId, ActivityId, ResultSignature, ResultDescription, Location\r\n| sort by TimeGenerated asc\r\n| limit 100\r\n","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.storagecache/amlfilesytems"],"tables":["AFSAuditLogs"]}},{"id":"1ef86e81-77c6-467a-a7a6-f5769f1df2f2","displayName":"Unauthorized requests query","description":"Count of failed AMLFilesystems requests due to unauthorized access.","body":"AFSAuditLogs\r\n// 401 below could be replaced by other result signatures to obtain different operation results.\r\n// For example, 'ResultSignature == 202' to obtain accepted requests.\r\n| where ResultSignature == 401\r\n| summarize count() by _ResourceId, OperationName","properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.storagecache/amlfilesytems"],"tables":["AFSAuditLogs"]}},{"id":"84dd84da-6817-4482-92a6-4bcb3ec96cb6","displayName":"Failed operation","description":"Retrieves a list of operations that returned a failed response code.","body":"StorageCacheOperationEvents\r\n| where ResponseCode = 300\r\n| sort by TimeGenerated desc\r\n| take 100","tags":{"Topic":["diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.storagecache/caches"],"tables":["StorageCacheOperationEvents"]}},{"id":"cee04e51-5743-4b8e-9913-6d50f3813742","displayName":"Failed priming job","description":"Retrieves a list of failed priming jobs.","body":"StorageCacheOperationEvents\r\n| where 
OperationName contains \"Priming\"\r\n| where ResultType == \"Failed\"\r\n| project TimeGenerated, OperationName, PrimingJobName, ResultDescription, _ResourceId, CorrelationId, Location\r\n| sort by TimeGenerated desc\r\n| take 100","tags":{"Topic":["diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.storagecache/caches"],"tables":["StorageCacheOperationEvents"]}},{"id":"1d18a296-9f63-4753-a271-cc9e38e32e5a","displayName":"Completed long-running asynchronous operations","description":"Retrieves a list of long-running operations that have completed.","body":"StorageCacheOperationEvents\r\n| where ResponseCode == 201 or ResponseCode == 202\r\n| where ResultType == \"Succeeded\" \r\n| sort by TimeGenerated desc\r\n| take 100","tags":{"Topic":["diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.storagecache/caches"],"tables":["StorageCacheOperationEvents"]}},{"id":"aa3b3c6e-70e0-4d36-89d3-8ff32afb2c09","displayName":"Upgrade events","description":"Retrieves a list of upgrade events.","body":"StorageCacheUpgradeEvents\r\n| where Description contains \"upgraded\"\r\n| sort by TimeGenerated desc\r\n| take 100","tags":{"Topic":["diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.storagecache/caches"],"tables":["StorageCacheUpgradeEvents"]}},{"id":"4b6de6c1-0bc4-4056-bb4b-07feaea2b6f3","displayName":"Active warning events","description":"Retrieves a list of warning events that have not cleared.","body":"StorageCacheWarningEvents\r\n| where State == \"Active\"\r\n| project TimeGenerated, CorrelationId, Description, _ResourceId, State\r\n| join kind=leftanti (StorageCacheWarningEvents\r\n | where State == \"Cleared\"\r\n | project TimeGenerated, 
CorrelationId, Description, _ResourceId, State)\r\n on CorrelationId\r\n| project TimeGenerated, CorrelationId, Description, _ResourceId, State\r\n| take 100\r\n","tags":{"Topic":["diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.storagecache/caches"],"tables":["StorageCacheWarningEvents"]}},{"id":"df057014-305f-4fa9-8522-18ccf8caaa22","displayName":"View copy logs","description":"View the copy logs of job runs, and optionally filter by specific job run name.","body":"StorageMoverCopyLogsFailed\r\n//| where JobRunName = \"\" // Fill in the placeholder and uncomment this line to filter by a specific job run\r\n| project-away JobRunName\r\n| order by TimeGenerated asc\r\n| limit 100","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.storagemover/storagemovers"]}},{"id":"f355a34a-0902-469d-a20d-126b6abe9647","displayName":"Synapse Link table fail events","description":"Display sample failed Synapse Link table events.","body":"SynapseLinkEvent\r\n| where OperationName == \"TableFail\"\r\n| limit 100","tags":{"Topic":["Error"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"tables":["SynapseLinkEvent"]}},{"id":"a2995731-5c93-42bc-894e-704789d8deba","displayName":"Display all the recommended rules for a Vnet in given time duration","description":"Gets list of rules recommended for a particular vnet.","body":"let targetResource = \r\nlet flowStartTime = \r\nlet flowEndTime = \r\nsource\r\n| where TargetResourceId contains targetResource\r\n| where StartTime >= flowStartTime and EndTime ), with an optional filter by user UPN.","body":"VIAudit\r\n| where AccountId == \"\" // please fill in the accountId \r\n// | where Upn == \"\" // to to filter on a specific user upn, 
uncomment this line\r\n| limit 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["audit"],"resourceTypes":["microsoft.videoindexer/accounts"],"tables":["VIAudit"]}},{"id":"ed8f4b3c-4e68-47a7-98d8-86e8dae96466","displayName":"Video Indexer Audit top 10 users by operations","description":"Render timechart of top 10 users by operations, with an optional account id for filtering.","body":"// Trend of top 10 active Upn's\r\nVIAudit\r\n// | where AccountId == \"\" // to filter on a specific accountId, uncomment this line\r\n| where TimeGenerated > ago(30d)\r\n| summarize count() by Upn\r\n| top 10 by count_ desc\r\n| project Upn\r\n| join (VIAudit\r\n| where TimeGenerated > ago(30d)\r\n| summarize count() by Upn, bin(TimeGenerated,1d)) on Upn\r\n| project TimeGenerated, Upn, count_\r\n| render timechart","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.videoindexer/accounts"],"tables":["VIAudit"]}},{"id":"a933b563-1729-4a4a-aae6-0918df2a3762","displayName":"Video Indexer Audit parsed error message","description":"Display audit failed events with an optional account id for filtering.","body":"// Project failures with detailed error message.\r\nVIAudit\r\n// | where AccountId == \"\" // to filter on a specific accountId, uncomment this line\r\n| where Status == \"Failure\"\r\n| parse Description with \"ErrorType: \" ErrorType \". Message: \" ErrorMessage \". 
Trace\" *\r\n| project TimeGenerated, OperationName, ErrorMessage, ErrorType, CorrelationId, _ResourceId","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.videoindexer/accounts"],"tables":["VIAudit"]}},{"id":"260cbcfa-559a-416b-b97d-31c385b384be","displayName":"Video Indexer Audit failed operations","description":"Display audit logs of all failed operation attempts, with an optional filter by account id and user UPN.","body":"VIAudit\r\n// | where AccountId == \"\" // to filter on a specific accountId, uncomment this line\r\n// | where Upn == \"\" // to filter on a specific user upn, uncomment this line\r\n| where Status == \"Failure\"\r\n| limit 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["audit"],"resourceTypes":["microsoft.videoindexer/accounts"],"tables":["VIAudit"]}},{"id":"9ddee6d4-c94d-411d-8fb9-ee10fc74502b","displayName":"Failed Indexing operations","description":"Display Video Indexer Account logs of all failed indexing operations.","body":"// Failed Indexing operations \r\n// Display Video Indexer Account logs of all failed indexing operations. \r\nVIIndexing\r\n// | where AccountId == \"\" // to filter on a specific accountId, uncomment this line\r\n| where Status == \"Failure\"\r\n| summarize count() by bin(TimeGenerated, 1d)\r\n| render columnchart","tags":{"Topic":["Indexing"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["resources"],"resourceTypes":["microsoft.videoindexer/accounts"],"tables":["VIIndexing"]}},{"id":"8a09c867-4caf-4a3c-ae4a-d8bd5c2b0263","displayName":"Top 10 users","description":"Summarize top 10 users.","body":"// Video Indexer top 10 users by operations \r\n// Render timechart of top 10 users by operations, with an optional account id for filtering. 
\r\n// Trend of top 10 active Upn's\r\nVIIndexing\r\n// | where AccountId == \"\" // to filter on a specific accountId, uncomment this line\r\n| where OperationName in (\"IndexingStarted\", \"ReindexingStarted\")\r\n| summarize count() by Upn\r\n| top 10 by count_ desc\r\n| project Upn\r\n| join (VIIndexing\r\n| where TimeGenerated > ago(30d)\r\n| where OperationName in (\"IndexingStarted\", \"ReindexingStarted\")\r\n| summarize count() by Upn, bin(TimeGenerated,1d)) on Upn\r\n| project TimeGenerated, Upn, count_\r\n| render timechart","tags":{"Topic":["Indexing"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["resources"],"resourceTypes":["microsoft.videoindexer/accounts"],"tables":["VIIndexing"]}},{"id":"f6dd9440-131a-478c-a85d-815c5ee81fc6","displayName":"Auditing workload orchestration Operations","description":"Lists of audit workload orchestration operations.","body":"WOUserAudits\r\n| where Message !startswith_cs \"Request\" \r\n| order by EdgeLocation, TimeGenerated desc\r\n| project EdgeLocation, TimeGenerated, User, Message, OperatingResourceId, OperatingResourceK8SId, OperationName\r\n| take 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.edge/diagnostics"],"tables":["WOUserAudits"]}},{"id":"5bac9c74-6e1e-4a67-8693-9661cc3fdb1e","displayName":"Auditing workload orchestration API requests","description":"Lists of audit workload orchestration api requests.","body":"WOUserAudits\r\n| where Message startswith_cs \"Request\" \r\n| order by EdgeLocation, TimeGenerated desc\r\n| project EdgeLocation, TimeGenerated, User, Message, OperatingResourceId, OperatingResourceK8SId, OperationName\r\n| take 
100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.edge/diagnostics"],"tables":["WOUserAudits"]}},{"id":"b3bdb478-5088-4179-a6f9-669e1b97f2d6","displayName":"workload orchestration target provider and solution deployment failures","description":"Lists of workload orchestration target provider and solution deployment failures.","body":"WOUserDiagnostics \r\n| where Message startswith \"solution.(*SolutionManager).Reconcile\" or Message contains \".Apply\"\r\n| order by EdgeLocation, TimeGenerated asc\r\n| project EdgeLocation, TimeGenerated, User, Message, OperatingResourceId, OperatingResourceK8SId, OperationName\r\n| take 100","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.edge/diagnostics"],"tables":["WOUserDiagnostics"]}},{"id":"9301ac33-090c-4cb5-b841-dc31c5d1ce13","displayName":"Active sessions on SessionHost","description":"Display a graph of active sessions.","body":"let GranularityInterval = 30m; // Time resolution for query results (min value is 30s).\r\nWVDAgentHealthStatus // Fires every ~30s\r\n// Ensure only one data point is provided per host in the pool\r\n| summarize PeakSessionsByHost=max(toint(ActiveSessions)) by SessionHostName, bin(TimeGenerated, 30s), _ResourceId\r\n// Sum up the values for all of the hosts in each pool\r\n| summarize SessionsByHostPool=sum(PeakSessionsByHost) by TimeGenerated, _ResourceId\r\n// Reduce time resolution to desired GranularityInterval and report the peak session count for each pool in that time window\r\n| summarize max(SessionsByHostPool) by bin(TimeGenerated, GranularityInterval), _ResourceId\r\n| render 
timechart","tags":{"Topic":["Management"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"],"tables":["WVDAgentHealthStatus"]}},{"id":"7409e5d2-1178-4487-8f11-fb38a1a368ac","displayName":"HealthChecks of SessionHost","description":"Renders a summary of SessionHost health status.","body":"let HealthCheckIdToDescription = (idx:long) {\r\n case(\r\n idx == 0, \"DomainJoin\",\r\n idx == 1, \"DomainTrust\",\r\n idx == 2, \"FSLogix\",\r\n idx == 3, \"SxSStack\",\r\n idx == 4, \"URLCheck\",\r\n idx == 5, \"GenevaAgent\",\r\n idx == 6, \"DomainReachable\",\r\n idx == 7, \"WebRTCRedirector\",\r\n idx == 8, \"SxSStackEncryption\",\r\n idx == 9, \"IMDSReachable\",\r\n idx == 10, \"MSIXPackageStaging\",\r\n strcat(\"InvalidNameIndex: \", idx)\r\n )\r\n};\r\nlet GetHealthCheckResult = (idx:long) {\r\n case(\r\n idx == 0, \"Unknown\",\r\n idx == 1, \"Succeeded\",\r\n idx == 2, \"Failed\",\r\n idx == 3, \"SessionHostShutdown\",\r\n strcat(\"InvalidResultIndex: \", idx)\r\n )\r\n};\r\nWVDAgentHealthStatus\r\n// In some states (e.g. 
Unavailable, Upgrading) hosts are not running health checks\r\n| where isnotempty(SessionHostHealthCheckResult)\r\n| mv-expand SessionHostHealthCheckResult to typeof(dynamic)\r\n| evaluate bag_unpack(SessionHostHealthCheckResult)\r\n| evaluate bag_unpack(AdditionalFailureDetails)\r\n| extend HealthCheckDesc = HealthCheckIdToDescription(HealthCheckName)\r\n| summarize count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by HealthCheckDesc, SessionHostName, HealthCheckResult=GetHealthCheckResult(HealthCheckResult)","tags":{"Topic":["Management"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"],"tables":["WVDAgentHealthStatus"]}},{"id":"716e9029-57e3-485d-87f4-97497192d3cb","displayName":"View failed requests","description":"Lists failed requests, ordered by time.","body":"ZTSRequest\r\n| where TimeGenerated > ago(6h)\r\n| where ResultType == \"Failed\"\r\n| order by TimeGenerated desc\r\n","tags":{"Topic":["ZTS Queries"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.zerotrustsegmentation/segmentationmanagers"],"tables":["ZTSRequest"]}},{"id":"70294d8b-54c3-4eb5-af9b-3023f26a23dd","displayName":"Microsoft.Free Disk Space","body":"let commonMetricsExplorerQuery = materialize( InsightsMetrics | where Origin == 'container.azm.ms/telegraf' | where Namespace == 'disk' or Namespace == 'container.azm.ms/disk' | where Name == 'free' | extend Tags = todynamic(Tags) | extend HostName = tostring(Tags.hostName), Device = strcat('/dev/', tostring(Tags.device)), Path = tostring(Tags.path) | extend NodeDisk = strcat(HostName, Device) | project Timestamp = TimeGenerated, HostName, Device, Path, Value = Val\n);","properties":{"MetricDefinition":{"Name":"Free Disk Space","Namespace":"Container Insights","Category":"Node Disk 
Capacity","Unit":"Bytes","Aggregations":["Avg","Min","Max","Percentile"],"Dimensions":["Path","Device","HostName"]}}},{"id":"bc8c9041-2f82-48b9-b667-ee99ed49d8bd","displayName":"Microsoft.Used Disk Percentage","body":"let commonMetricsExplorerQuery = materialize( InsightsMetrics | where Origin == 'container.azm.ms/telegraf' | where Namespace == 'disk' or Namespace == 'container.azm.ms/disk' | where Name == 'used_percent' | extend Tags = todynamic(Tags) | extend HostName = tostring(Tags.hostName), Device = strcat('/dev/', tostring(Tags.device)), Path = tostring(Tags.path) | extend NodeDisk = strcat(HostName, Device) | project Timestamp = TimeGenerated, HostName, Device, Path, Value = Val\n);","properties":{"MetricDefinition":{"Name":"Used Disk Percentage","Namespace":"Container Insights","Category":"Node Disk Capacity","Unit":"Percent","Aggregations":["Avg","Min","Max","Percentile"],"Dimensions":["Path","Device","HostName"]}}},{"id":"cb148542-0b47-4135-8794-abe7494e0988","displayName":"Bytes received per second","body":"let commonMetricsExplorerQuery = materialize( InsightsMetrics | where Origin == 'container.azm.ms/telegraf' | where Namespace == 'container.azm.ms/net' | where Name == 'bytes_recv' | extend Tags = todynamic(Tags) | extend HostName = tostring(Tags.hostName), Interface = tostring(Tags.interface) | extend partitionKey = strcat(HostName, '/', Interface) | order by partitionKey asc, TimeGenerated asc | serialize | extend PrevVal = iif(prev(partitionKey) != partitionKey, 0.0, prev(Val)), PrevTimeGenerated = iif(prev(partitionKey) != partitionKey, datetime(null), prev(TimeGenerated)) | where isnotnull(PrevTimeGenerated) and PrevTimeGenerated != TimeGenerated | extend Rate = iif(PrevVal > Val, Val / datetime_diff('Second', TimeGenerated, PrevTimeGenerated), (Val - PrevVal) / datetime_diff('Second', TimeGenerated, PrevTimeGenerated)) | where isnotnull(Rate) | project Timestamp = TimeGenerated, HostName, Interface, Value = 
Rate\n);","properties":{"MetricDefinition":{"Name":"Bytes received per second","Namespace":"Container Insights","Category":"Node Network","Unit":"BytesPerSecond","Aggregations":["Avg","Min","Max","Percentile"],"Dimensions":["Interface","HostName"]}}},{"id":"993e8088-d4af-46bd-bb26-2eb6ef2873d2","displayName":"Non-RDMA activity","description":"View Non-RDMA activity of a machine.","body":"//Select your log analytics workspace and replace enter nodename with the name of the node within a cluster on which you want to set the alert for Non-RDMA activity\r\nPerf\r\n| where ObjectName == \"Network Interface\"\r\n| extend Nodename= tostring(split(Computer, \".\")[0])\r\n| where Nodename =~'enter nodename'\r\n| summarize NetworkUsage = sum(CounterValue), Nodename = any(Nodename) by TimeGenerated\r\n| summarize arg_max(TimeGenerated, Nodename, NetworkUsage)","tags":{"Topic":["Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.azurestackhci/clusters"]}},{"id":"d180b15e-73ee-4275-8f99-a5b5a7e8cb97","displayName":"RDMA activity","description":"View RDMA activity of a machine.","body":"//Select log analytics workspace and replace enter nodename with the name of the machine on which you want to set the alert for RDMA activity\r\nPerf\r\n| where ObjectName == \"RDMA Activity\"\r\n| extend Nodename= tostring(split(Computer, \".\")[0])\r\n| where Nodename =~'enter nodename'\r\n| summarize RdmaUsage = sum(CounterValue), Nodename = any(Nodename) by TimeGenerated\r\n| summarize arg_max(TimeGenerated, Nodename, RdmaUsage)","tags":{"Topic":["Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.azurestackhci/clusters"]}},{"id":"0542e63c-e978-4f1a-a141-2675e0d49e88","displayName":"Avg. CPU usage per node (%)","description":"View avg. 
machine CPU usage percentage.","body":"//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID\r\n//Unit for UsedCpuPercentage is in percentage(%)\r\n//Please use Nodename to set alert for each node\r\nEvent\r\n| where EventLog =~ \"Microsoft-Windows-SDDC-Management/Operational\" and EventID == \"3000\"\r\n| extend ClusterData = parse_xml(EventData)\r\n| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData[\"ClusterName\"])\r\n| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData[\"ArmId\"])\r\n| where ClusterArmId =~ 'enter cluster ID'\r\n| summarize arg_max(TimeGenerated, RenderedDescription)\r\n| extend servers_information = parse_json(RenderedDescription).m_servers\r\n| mv-expand servers_information\r\n| extend Nodename = tostring(servers_information.m_name)\r\n| extend UsedCpuPercentage = toint(servers_information.m_totalProcessorsUsedPercentage)\r\n","tags":{"Topic":["Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.azurestackhci/clusters"]}},{"id":"7d2e183d-421e-4240-a1f6-6c139473ec27","displayName":"Virtual machines failed","description":"View failed virtual machines in a cluster.","body":"//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID\r\nEvent\r\n| where EventLog =~ \"Microsoft-Windows-SDDC-Management/Operational\" and EventID == \"3003\"\r\n| extend ClusterName = tostring(parse_xml(EventData).DataItem.UserData.EventData[\"ClusterName\"])\r\n| extend ClusterArmId = tostring(parse_xml(EventData).DataItem.UserData.EventData[\"ArmId\"])\r\n| where ClusterArmId =~ 'enter cluster ID'\r\n| summarize arg_max(TimeGenerated, RenderedDescription)\r\n| extend description = parse_json(RenderedDescription)\r\n| extend VmsFailed = 
toint(description.m_totalVmsFailed)\r\n","tags":{"Topic":["Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.azurestackhci/clusters"]}},{"id":"dbd3ee2d-b50b-4def-9955-0e3d0576eeca","displayName":"Total VMs running on a cluster","description":"View total, running, stopped and failed virtual machines running on a cluster.","body":"//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID\r\nEvent\r\n| where EventLog =~ \"Microsoft-Windows-SDDC-Management/Operational\" and EventID == \"3003\"\r\n| extend ClusterName = tostring(parse_xml(EventData).DataItem.UserData.EventData[\"ClusterName\"])\r\n| extend ClusterArmId = tostring(parse_xml(EventData).DataItem.UserData.EventData[\"ArmId\"])\r\n| where ClusterArmId =~ 'enter cluster ID'\r\n| summarize arg_max(TimeGenerated, RenderedDescription)\r\n| extend description = parse_json(RenderedDescription)\r\n| extend VmsStopped = toint(description.m_totalVmsStopped)","tags":{"Topic":["Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.azurestackhci/clusters"]}},{"id":"4445a657-aced-497b-a588-a86f845e4ea7","displayName":"Available volume capacity","description":"View available capacity (in bytes) for your cluster shared volumes.","body":"//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID \r\nEvent\r\n| where EventLog =~ \"Microsoft-Windows-SDDC-Management/Operational\" and EventID == \"3002\"\r\n| extend ClusterData = parse_xml(EventData)\r\n| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData[\"ClusterName\"])\r\n| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData[\"ArmId\"])\r\n| where ClusterArmId =~ 'enter cluster ID'\r\n| summarize arg_max(TimeGenerated, RenderedDescription)\r\n| extend volumes_information = parse_json(RenderedDescription).VolumeList\r\n| mv-expand volumes_information\r\n| 
extend Volumes = tostring(volumes_information.m_Label)\r\n| extend TotalCap = todecimal(volumes_information.m_Size)\r\n| extend AvailableCap = TotalCap - todecimal(volumes_information.m_SizeUsed)","tags":{"Topic":["Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.azurestackhci/clusters"]}},{"id":"bed7fb50-cd96-48a4-80f9-3976b0529235","displayName":"Volume latency","description":"View the latency for your volumes.","body":"//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID\r\nEvent\r\n| where EventLog =~ \"Microsoft-Windows-SDDC-Management/Operational\" and EventID == \"3002\"\r\n| extend ClusterData = parse_xml(EventData)\r\n| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData[\"ClusterName\"])\r\n| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData[\"ArmId\"])\r\n| where ClusterArmId =~ 'enter cluster ID'\r\n| summarize arg_max(TimeGenerated, RenderedDescription)\r\n| extend volumes_information = parse_json(RenderedDescription).VolumeList\r\n| mv-expand volumes_information\r\n| extend VolumeName = tostring(volumes_information.m_Label)\r\n| extend Latency = todouble(volumes_information.m_AverageLatency)\r\n| extend Latency = iff(Latency ago(12h) \n| where MetricName in (\"Http2xx\", \"Http3xx\", \"Http4xx\", \"Http5xx\") \n| summarize sum(Total) by MetricName \n| render piechart","tags":{"Topic":["Azure Metrics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.web/sites"]}},{"id":"49991367-accb-4bf3-a449-c4fe1b11d42b","displayName":"Line chart of response times","description":"Time series of mean response time (over 5 minute intervals).","body":"AzureMetrics \n| extend timeBin = bin(TimeGenerated, 5m) \n| summarize ResponseTime = sumif(Average, MetricName==\"AverageResponseTime\") by timeBin, bin(TimeGenerated, 1h) \n| sort by TimeGenerated desc \n| render 
timechart","tags":{"Topic":["Azure Metrics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.web/sites"]}},{"id":"34dfd1af-6153-11ea-9732-c8348e025209","displayName":"Audit Logs relating to unexpected users","description":"List Audit Logs for users who logged in that aren't a listed user.","body":"// To create an alert for this query, click '+ New alert rule'\nAppServiceAuditLogs\n| where UserDisplayName != \"user@company.com\"","tags":{"Topic":["Audit Logs","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.web/sites"]}},{"id":"34e21b0f-6153-11ea-ba17-c8348e025209","displayName":"File Audit Logs relating to a \"Delete\" operation","description":"List File Audit Logs that has a \"Delete\" operation.","body":"// To create an alert for this query, click '+ New alert rule'\nAppServiceFileAuditLogs\n| where OperationName == \"Delete\"","tags":{"Topic":["Audit Logs","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.web/sites"]}},{"id":"9b2174e7-b6a3-4613-8f0b-df0bb7cef53e","displayName":"Computers availability today","description":"Chart the number of computers sending logs, each hour.","body":"Heartbeat\n| summarize dcount(ComputerIP) by bin(TimeGenerated, 1h)\n| render timechart","tags":{"Topic":["Availability"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"548e7a2f-4c64-41c2-a5e7-50cefeaaf87b","displayName":"Unavailable computers","description":"List all known computers that didn't send a heartbeat in the last 5 hours.","body":"Heartbeat\n| summarize LastHeartbeat=max(TimeGenerated) by Computer\n| where LastHeartbeat 0, true, false)\n| summarize totalAvailableHours = countif(availablePerHour == true) by 
Computer\n| extend availabilityRate = totalAvailableHours*100.0/24","tags":{"Topic":["Availability"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"3fee872d-3c17-4d12-ae85-b270c2af27a1","displayName":"What data is being collected?","description":"List the collected performance counters and object types (Process, Memory, Processor).","body":"Perf\n| summarize by ObjectName, CounterName","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"df6e5ae0-de57-401f-9161-0bf1e39a5309","displayName":"Memory and CPU usage","description":"Chart all computers' used memory and CPU, over the last hour.","body":"Perf\n| where TimeGenerated > ago(1h)\n| where (CounterName == \"% Processor Time\" and InstanceName == \"_Total\") or CounterName == \"% Used Memory\"\n| project TimeGenerated, CounterName, CounterValue\n| summarize avg(CounterValue) by CounterName, bin(TimeGenerated, 1m)\n| render timechart","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"f615beb4-a0b8-4fe6-a477-3662e6ff0526","displayName":"CPU usage trends over the last day","description":"Calculate CPU usage patterns across all computers, chart by percentiles.","body":"Perf\n| where ObjectName == \"Processor\" and CounterName == \"% Processor Time\" and InstanceName == \"_Total\"\n| summarize percentiles(CounterValue, 50, 90, 99) by bin(TimeGenerated, 1h)\n| render timechart","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"8e4177ab-8bf4-4d77-9a00-b9122a27d83a","displayName":"Top 10 computers with the highest disk 
space","description":"Show the top 10 computers with the highest available disk space.","body":"Perf\n| where CounterName == \"Free Megabytes\" and InstanceName == \"_Total\"\n| summarize arg_max(TimeGenerated, *) by Computer\n| top 10 by CounterValue","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"522fe594-74dd-4e4e-913a-a025b0b10595","displayName":"Usage by data types","description":"Chart the amount of logs reported for each data type, today.","body":"Usage\n| summarize count_per_type=count() by DataType\n| sort by count_per_type desc\n| render piechart","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"cf3c0e16-b107-4df0-8ab9-fc6b56846f34","displayName":"Billable performance data","description":"Calculate the volume of billable data (in GB) for Perf data, over the last day.","body":"Usage\n| where TimeGenerated > ago(1d)\n| where IsBillable == true\n| where DataType == \"Perf\"\n| summarize TotalVolumeGB = sum(Quantity) / 1024","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"ba88f54c-7334-11ea-b97f-c8348e02520c","displayName":"Volume of solutions' data","description":"Chart the volume of data (in Mb) sent by each solution.","body":"Usage\n| summarize total_MBytes=sum(Quantity) by Solution\n| sort by total_MBytes desc nulls last\n| render barchart","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"ba896aa0-7334-11ea-b814-c8348e02520c","displayName":"Ingestion latency (end-to-end) timechart - Event table","description":"Chart the latency of 
ingestion to the Event table in the last 1 day.","body":"Event\n| where TimeGenerated > ago(1d)\n| project TimeGenerated, IngestionDurationSeconds = (ingestion_time()-TimeGenerated)/1s\n| render timechart title = \"Ingestion latency: Event table\" ","tags":{"Topic":["Health"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"ba8bb46d-7334-11ea-ae17-c8348e02520c","displayName":"Ingestion latency (end-to-end) spikes - by data type","description":"Check for ingestion latency spikes per data type, in the last 24 hours.","body":"let StartTime = ago(24h);\nlet EndTime = now();\nlet MinRSquare = 0.8; // Tune the sensitivity of the detection sensor\nunion withsource=source_table *\n| where TimeGenerated between (StartTime .. EndTime)\n// calculate ingestion duration in seconds\n| extend IngestionDurationSeconds = (ingestion_time()-TimeGenerated)/1s\n// Create a time series for each source table\n| make-series RatioSeries=avg(IngestionDurationSeconds) default=0 on TimeGenerated in range(StartTime, EndTime,10m) by source_table\n// Apply a 2-line regression to the time series\n| extend (RSquare2, SplitIdx, Variance2, RVariance2, LineFit2) = series_fit_2lines(RatioSeries)\n// Find out if our 2-line is trending up or down\n| extend (Slope, Interception, RSquare, Variance, RVariance, LineFit) = series_fit_line(LineFit2)\n// Check whether the line fit reaches the threshold, and if the spike represents an increase (rather than a decrease)\n| project source_table, PatternMatch = iff(RSquare2 > MinRSquare and Slope>0, \"Spike detected\", \"No spike\") ","tags":{"Topic":["Health"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"ba8db056-7334-11ea-bb30-c8348e02520c","displayName":"Total agent latency timechart, last day","description":"Chart the median (50th percentile) agent 
latency over the last day.","body":"union *\n| where TimeGenerated > ago(1d)\n| extend AgentLatencySeconds = (_TimeReceived-TimeGenerated)/1s\n| summarize percentile(AgentLatencySeconds, 50) by bin(TimeGenerated,1h)\n| render timechart ","tags":{"Topic":["Health"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"ba9048b7-7334-11ea-aa22-c8348e02520c","displayName":"Agent latency spikes - by data type","description":"Check for agent latency spikes per data type, in the last 24 hours.","body":"let StartTime = ago(24h);\nlet EndTime = now();\nlet MinRSquare = 0.8; // Tune the sensitivity of the detection sensor\nunion withsource=source_table *\n| where TimeGenerated between (StartTime .. EndTime)\n// calculate ingestion duration in seconds\n| extend AgentLatencySeconds = (_TimeReceived-TimeGenerated)/1s\n// Create a time series for each source table\n| make-series RatioSeries=avg(AgentLatencySeconds) default=0 on TimeGenerated in range(StartTime, EndTime,10m) by source_table\n// Apply a 2-line regression to the time series\n| extend (RSquare2, SplitIdx, Variance2, RVariance2, LineFit2) = series_fit_2lines(RatioSeries)\n// Find out if our 2-line is trending up or down\n| extend (Slope, Interception, RSquare, Variance, RVariance, LineFit) = series_fit_line(LineFit2)\n// Check whether the line fit reaches the threshold, and if the spike represents an increase (rather than a decrease)\n| project source_table, PatternMatch = iff(RSquare2 > MinRSquare and Slope>0, \"Spike detected\", \"No spike\") ","tags":{"Topic":["Health"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"ba90e48d-7334-11ea-be6e-c8348e02520c","displayName":"Total workspace ingestion over the last 24 hours","description":"Volume (GB) of all data ingested to this workspace, over the last 24 
hours.","body":"Usage\n|where TimeGenerated > ago(24h)\n|summarize TotalIngestionVolGB = sum(Quantity)/1024.0","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"ba926c00-7334-11ea-9216-c8348e02520c","displayName":"Total workspace ingestion volume timechart, last day","description":"Chart the workspace ingestion volume of the last day.","body":"union *\n| where TimeGenerated > ago(1d)\n| summarize TotalVolumeGB = sum(_BilledSize)/1024/1024/1024 by bin(TimeGenerated,10m)\n| render timechart ","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"ba92e06e-7334-11ea-a524-c8348e02520c","displayName":"Ingestion volume spikes - by Solution and data type","description":"Check for ingestion volume spikes per Solution and data type, in the last 24 hours.","body":"let StartTime = ago(24h);\nlet EndTime = now();\nlet MinRSquare =0.8; // Tune the sensitivity of the detection sensor\nUsage\n| where TimeGenerated between (StartTime .. 
EndTime)\n// Create a time series of data volume by solution and data type\n| make-series RatioSeries=sum(Quantity/1024) default=0 on TimeGenerated in range(StartTime, EndTime,10m) by Solution, DataType\n// Apply a 2-line regression to the time series\n| extend (RSquare2, SplitIdx, Variance2, RVariance2, LineFit2) = series_fit_2lines(RatioSeries)\n// Find out if our 2-line is trending up or down\n| extend (Slope, Interception, RSquare, Variance, RVariance, LineFit) = series_fit_line(LineFit2)\n// Check whether the line fit reaches the threshold\n| project Solution, DataType, Spike = iff(RSquare2 > MinRSquare and Slope != 0, \"Spike detected\", \"No spike\")","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"ba93559a-7334-11ea-aa00-c8348e02520c","displayName":"Ingested volume spikes and slopes - by Azure resource","description":"List the identified ingestion volume spikes and the slope of each spike (positive is upward spike, negative is downward).","body":"let StartTime = ago(6h);\nlet EndTime = now();\nlet MinRSquare = 0.8; // Tune the sensitivity of the detection sensor\nunion *\n| where TimeGenerated between (StartTime .. 
EndTime)\n// Create a time series of data volume by resource id\n| where isempty(_ResourceId) == False\n| make-series RatioSeries=sum(_BilledSize) default=0 on TimeGenerated in range(StartTime, EndTime, 10m) by _ResourceId\n// Apply a 2-line regression to the time series\n| extend (RSquare2, SplitIdx, Variance2, RVariance2, LineFit2) = series_fit_2lines(RatioSeries)\n// Find out if our 2-line is trending up or down\n| extend (Slope, Interception, RSquare, Variance, RVariance, LineFit) = series_fit_line(LineFit2)\n// Check whether the line fit reaches the threshold\n| where RSquare2 > MinRSquare and Slope != 0\n| project _ResourceId, Slope ","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"52772f3b-f583-4901-b75c-ec368bcb1b78","displayName":"Requests per hour","description":"Count of the incoming requests on the Application Gateway.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceType == \"APPLICATIONGATEWAYS\" and OperationName == \"ApplicationGatewayAccess\"\n| summarize AggregatedValue = count() by bin(TimeGenerated, 1h), _ResourceId\n| render timechart","tags":{"Topic":["Incoming requests","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/applicationgateways"]}},{"id":"8a81a8ec-db62-45d1-b6e3-6385cadd2f74","displayName":"Non-SSL requests per hour","description":"Count of the Non-SSL requests on the Application Gateway.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceType == \"APPLICATIONGATEWAYS\" and OperationName == \"ApplicationGatewayAccess\" and sslEnabled_s == \"off\"\n| summarize AggregatedValue = count() by bin(TimeGenerated, 1h), _ResourceId\n| render timechart","tags":{"Topic":["Incoming 
requests","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/applicationgateways"]}},{"id":"40f8162e-e9b1-4b78-9d8a-e939fc3e363b","displayName":"Failed requests per hour","description":"Count of requests to which Application Gateway responded with an error.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceType == \"APPLICATIONGATEWAYS\" and OperationName == \"ApplicationGatewayAccess\" and httpStatus_d > 399\n| summarize AggregatedValue = count() by bin(TimeGenerated, 1h), _ResourceId\n| render timechart","tags":{"Topic":["Incoming requests","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/applicationgateways"]}},{"id":"baf32abd-8e68-46d4-88bb-82e65859d0b2","displayName":"Errors by user agent","description":"Number of errors by user agent.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceType == \"APPLICATIONGATEWAYS\" and OperationName == \"ApplicationGatewayAccess\" and httpStatus_d > 399\n| summarize AggregatedValue = count() by userAgent_s, _ResourceId\n| sort by AggregatedValue desc","tags":{"Topic":["Analytics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/applicationgateways"]}},{"id":"6ab7ef4f-5ccd-4509-9a9d-98e315759d6f","displayName":"Errors by URI","description":"Number of errors by URI.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceType == \"APPLICATIONGATEWAYS\" and OperationName == \"ApplicationGatewayAccess\" and httpStatus_d > 399\n| summarize AggregatedValue = count() by requestUri_s, _ResourceId\n| sort by AggregatedValue 
desc","tags":{"Topic":["Analytics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/applicationgateways"]}},{"id":"62cb4687-3d08-424f-b872-71757bbcc1d0","displayName":"Top 10 Client IPs","description":"Count of requests per client IP.","body":"AzureDiagnostics\n| where ResourceType == \"APPLICATIONGATEWAYS\" and OperationName == \"ApplicationGatewayAccess\"\n| summarize AggregatedValue = count() by clientIP_s\n| top 10 by AggregatedValue","tags":{"Topic":["Analytics"]},"properties":{"ExampleQuery":true},"related":{"categories":["network"],"resourceTypes":["microsoft.network/applicationgateways"]}},{"id":"dc815502-2306-4db0-a0a5-b34ac7f299da","displayName":"Top HTTP versions","description":"Count of requests per HTTP version.","body":"AzureDiagnostics\n| where ResourceType == \"APPLICATIONGATEWAYS\" and OperationName == \"ApplicationGatewayAccess\"\n| summarize AggregatedValue = count() by httpVersion_s\n| top 10 by AggregatedValue","tags":{"Topic":["Analytics"]},"properties":{"ExampleQuery":true},"related":{"categories":["network"],"resourceTypes":["microsoft.network/applicationgateways"]}},{"id":"be6a0cec-b2bc-4513-88ce-64c555f5bca6","displayName":"[Classic] How active has this KeyVault been?","description":"[Classic] Line chart showing the trend of KeyVault request volume, per operation over time.","body":"// KeyVault diagnostic currently stores logs in AzureDiagnostics table which stores logs for multiple services. 
\n// Filter on ResourceProvider for logs specific to a service.\nAzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.KEYVAULT\" \n| summarize count() by bin(TimeGenerated, 1h), OperationName // Aggregate by hour\n| render timechart","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.keyvault/vaults"]}},{"id":"b397218a-c6a7-4221-8265-c1fa29303883","displayName":"[Classic] Who is calling this KeyVault?","description":"[Classic] List of callers identified by their IP address with their request count. ","body":"// KeyVault diagnostic currently stores logs in AzureDiagnostics table which stores logs for multiple services. \n// Filter on ResourceProvider for logs specific to a service.\nAzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.KEYVAULT\"\n| summarize count() by CallerIPAddress","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.keyvault/vaults"]}},{"id":"7f5b14e9-a072-4d31-b73b-cd8de50c63b3","displayName":"[Classic] Are there any slow requests?","description":"[Classic] List of KeyVault requests that took longer than 1sec.","body":"// To create an alert for this query, click '+ New alert rule'\nlet threshold=1000; // let operator defines a constant that can be further used in the query\nAzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.KEYVAULT\" \n| where DurationMs > threshold\n| summarize count() by OperationName, _ResourceId","tags":{"Topic":["Usage and Diagnostics","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.keyvault/vaults"]}},{"id":"314645a8-79f8-487d-8dc0-7103fa5dbc7a","displayName":"[Classic] How fast is this KeyVault serving requests?","description":"[Classic] Line chart showing trend of request duration over time using different aggregations. 
","body":"AzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.KEYVAULT\" \n| summarize avg(DurationMs) by requestUri_s, bin(TimeGenerated, 1h) // requestUri_s contains the URI of the request\n| render timechart","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.keyvault/vaults"]}},{"id":"1986631a-103b-403b-9860-2eb03a9564c6","displayName":"[Classic] Are there any failures?","description":"[Classic] Count of failed KeyVault requests by status code.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.KEYVAULT\" \n| where httpStatusCode_d >= 300 and not(OperationName == \"Authentication\" and httpStatusCode_d == 401)\n| summarize count() by requestUri_s, ResultSignature, _ResourceId\n// ResultSignature contains HTTP status, e.g. \"OK\" or \"Forbidden\"\n// httpStatusCode_d contains HTTP status code returned by the request (e.g. 200, 300 or 401)\n// requestUri_s contains the URI of the request","tags":{"Topic":["Usage and Diagnostics","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.keyvault/vaults"]}},{"id":"f35fd4ac-7121-4085-8204-b6700a59d84b","displayName":"[Classic] What changes occurred last month?","description":"[Classic] Lists all update and patch requests from the last 30 days.","body":"// KeyVault diagnostic currently stores logs in AzureDiagnostics table which stores logs for multiple services. \n// Filter on ResourceProvider for logs specific to a service.\nAzureDiagnostics\n| where TimeGenerated > ago(30d) // Time range specified in the query. 
Overrides time picker in portal.\n| where ResourceProvider ==\"MICROSOFT.KEYVAULT\" \n| where OperationName == \"VaultPut\" or OperationName == \"VaultPatch\"\n| sort by TimeGenerated desc","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.keyvault/vaults"]}},{"id":"36fdb8a7-ee08-4390-8bc4-8686b9b0d4bb","displayName":"[Classic] List all input deserialization errors","description":"[Classic] Shows errors caused by malformed events that could not be deserialized by the job.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.KEYVAULT\" and parse_json(properties_s).DataErrorType in (\"InputDeserializerError.InvalidData\", \"InputDeserializerError.TypeConversionError\", \"InputDeserializerError.MissingColumns\", \"InputDeserializerError.InvalidHeader\", \"InputDeserializerError.InvalidCompressionType\")\n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Input data errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["security"],"resourceTypes":["microsoft.keyvault/vaults"]}},{"id":"d661e902-a0a1-34c4-3e41-537475821a79","displayName":"[Classic] Find In AzureActivity","description":"[Classic] Find in AzureActivity to search for a specific value in the AzureActivity table. Note that this query requires updating the parameter to produce results.","body":"// This query requires a parameter to run. 
Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nAzureActivity\r\n| where ResourceProvider == \"MICROSOFT.KEYVAULT\"\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.keyvault/vaults"]}},{"id":"4f39e42a-1858-28a8-7a2e-fae3ee9f08fc","displayName":"[Classic] Find In AzureDiagnostics","description":"[Classic] Find in AzureDiagnostics to search for a specific value in the AzureDiagnostics table. Note that this query requires updating the parameter to produce results.","body":"// This query requires a parameter to run. Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nAzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.KEYVAULT\"\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.keyvault/vaults"]}},{"id":"6e21eddd-12a4-1d5d-23b3-aaf0b32737b9","displayName":"[Classic] Find In AzureMetrics","description":"[Classic] Find in AzureMetrics to search for a specific value in the AzureMetrics table. Note that this query requires updating the parameter to produce results.","body":"// This query requires a parameter to run. 
Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nAzureMetrics\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.keyvault/vaults"]}},{"id":"3391637e-7394-489f-b190-e5786da9c8e7","displayName":"Response time trend","description":"Chart request duration over the last 12 hours.","body":"// To create an alert for this query, click '+ New alert rule'\nrequests\n| where timestamp > ago(12h) \n| summarize avgRequestDuration=avg(duration) by bin(timestamp, 10m) // use a time grain of 10 minutes\n| render timechart","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"7deda973-b5cf-4c58-a4e7-f41cc30555fc","displayName":"Request count trend","description":"Chart Request count over the last day.","body":"// To create an alert for this query, click '+ New alert rule'\nrequests\n| summarize totalCount=sum(itemCount) by bin(timestamp, 30m)\n| render timechart","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"20ad87bf-b901-4d0b-b548-0f65a6c1210b","displayName":"Response time buckets","description":"Show how many requests are in each performance-bucket.","body":"requests\n| summarize requestCount=sum(itemCount), avgDuration=avg(duration) by performanceBucket\n| order by avgDuration asc // sort by average request duration\n| project-away avgDuration // no need to display avgDuration, we used it only for sorting results\n| render 
barchart","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"47a8646f-f2e5-45b7-9e27-63b4235d1137","displayName":"Operations performance","description":"Calculate request count and duration by operations.","body":"// To create an alert for this query, click '+ New alert rule'\nrequests\n| summarize RequestsCount=sum(itemCount), AverageDuration=avg(duration), percentiles(duration, 50, 95, 99) by operation_Name // you can replace 'operation_Name' with another value to segment by a different property\n| order by RequestsCount desc // order from highest to lower (descending)","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"d31cc37e-b086-4ab2-9dad-742d6a4d46c6","displayName":"Top 10 countries by traffic","description":"Chart the amount of requests from the top 10 countries.","body":"requests\n| summarize CountByCountry=count() by client_CountryOrRegion\n| top 10 by CountByCountry\n| render piechart","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"bada9215-5cf1-4723-9c2e-9f91e2c13738","displayName":"Page views trend","description":"Chart the page views count, during the last day.","body":"// To create an alert for this query, click '+ New alert rule'\npageViews\n| where client_Type == 'Browser'\n| summarize count_sum = sum(itemCount) by bin(timestamp,30m)\n| render timechart","tags":{"Topic":["Browsing 
data","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"33447b49-182b-4b6f-a26b-e2267279df81","displayName":"Top 3 browser exceptions","description":"What were the highest reported exceptions today?","body":"exceptions\n| where notempty(client_Browser) and client_Type == 'Browser'\n| summarize total_exceptions = sum(itemCount) by problemId\n| top 3 by total_exceptions desc","tags":{"Topic":["Browsing data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"59cfa403-4b7c-4610-b650-de70dc4af480","displayName":"Slowest pages","description":"What are the 3 slowest pages, and how slow are they?","body":"pageViews\n| where notempty(duration) and client_Type == 'Browser'\n| extend total_duration=duration*itemCount\n| summarize avg_duration=(sum(total_duration)/sum(itemCount)) by operation_Name\n| top 3 by avg_duration desc","tags":{"Topic":["Browsing data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"0e39010e-0b8e-4698-a435-e1ffa3451896","displayName":"Failed requests – top 10","description":"What are the 3 slowest pages, and how slow are they?","body":"requests\n| where success == false\n| summarize failedCount=sum(itemCount) by name\n| top 10 by failedCount desc\n| render barchart","tags":{"Topic":["Reports failures"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"58147e09-cf5b-4a47-99c4-a5aedbb7c32c","displayName":"Failing dependencies","description":"Which 5 dependencies failed the 
most today?","body":"dependencies\n| where success == false\n| summarize totalCount=sum(itemCount) by type\n| top 5 by totalCount desc","tags":{"Topic":["Reports failures"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"87bcb1a9-2519-4671-a450-bb2971575507","displayName":"Failed operations","description":"Calculate how many times operations failed, and how many users were impacted.","body":"// To create an alert for this query, click '+ New alert rule'\nrequests\n| where success == false\n| summarize failedCount=sum(itemCount), impactedUsers=dcount(user_Id) by operation_Name\n| order by failedCount desc","tags":{"Topic":["Reports failures","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"58a835f6-b86f-4d79-a800-26f1d5265a76","displayName":"Exceptions causing request failures","description":"Find which exceptions led to failed requests in the past hour.","body":"requests\n| where timestamp > ago(1h) and success == false\n| join kind= inner (\nexceptions\n| where timestamp > ago(1h)\n) on operation_Id\n| project exceptionType = type, failedMethod = method, requestName = name, requestDuration = duration","tags":{"Topic":["Reports failures"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"7f050aba-bfab-11ea-995b-c8348e03e0b8","displayName":"Response time trend","description":"Chart request duration over the last 12 hours.","body":"// To create an alert for this query, click '+ New alert rule'\nAppRequests\n| where TimeGenerated > ago(12h) \n| summarize avgRequestDuration=avg(DurationMs) by bin(TimeGenerated, 10m), _ResourceId // 
use a time grain of 10 minutes\n| render timechart","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":false,"IsMultiResource":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"91e3ee17-bfab-11ea-bad1-c8348e03e0b8","displayName":"Request count trend","description":"Chart Request count over the last day.","body":"// To create an alert for this query, click '+ New alert rule'\nAppRequests\n| summarize totalCount=sum(ItemCount) by bin(TimeGenerated, 30m), _ResourceId\n| render timechart","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":false,"IsMultiResource":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"55ca5870-bfab-11ea-ac5f-c8348e03e0b8","displayName":"Response time buckets","description":"Show how many requests are in each performance-bucket.","body":"AppRequests\n| summarize requestCount=sum(ItemCount), avgDuration=avg(DurationMs) by PerformanceBucket\n| order by avgDuration asc // sort by average request duration\n| project-away avgDuration // no need to display avgDuration, we used it only for sorting results\n| render barchart","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":false}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"95035ec2-bfab-11ea-a608-c8348e03e0b8","displayName":"Operations performance","description":"Calculate request count and duration by operations.","body":"// To create an alert for this query, click '+ New alert rule'\nAppRequests\n| summarize RequestsCount=sum(ItemCount), AverageDuration=avg(DurationMs), percentiles(DurationMs, 50, 95, 99) by OperationName, _ResourceId // you can replace 'OperationName' with another value to segment by a 
different property\n| order by RequestsCount desc // order from highest to lower (descending)","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":false,"IsMultiResource":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"9a9283e8-bfab-11ea-b7f5-c8348e03e0b8","displayName":"Top 10 countries by traffic","description":"Chart the amount of requests from the top 10 countries.","body":"AppRequests\n| summarize CountByCountry=count() by ClientCountryOrRegion\n| top 10 by CountByCountry\n| render piechart","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":false}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"9f16b134-bfab-11ea-99c3-c8348e03e0b8","displayName":"Page views trend","description":"Chart the page views count, during the last day.","body":"// To create an alert for this query, click '+ New alert rule'\nAppPageViews\n| where ClientType == 'Browser'\n| summarize count_sum = sum(ItemCount) by bin(TimeGenerated,30m), _ResourceId\n| render timechart","tags":{"Topic":["Browsing data","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":false,"IsMultiResource":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"e40b84ff-bfab-11ea-9407-c8348e03e0b8","displayName":"Top 3 browser exceptions","description":"What were the highest reported exceptions today?","body":"AppExceptions\n| where notempty(ClientBrowser) and ClientType == 'Browser'\n| summarize total_exceptions = sum(ItemCount) by ProblemId\n| top 3 by total_exceptions desc","tags":{"Topic":["Browsing 
data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":false}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"ed941c7f-bfab-11ea-8dd3-c8348e03e0b8","displayName":"Slowest pages","description":"What are the 3 slowest pages, and how slow are they?","body":"AppPageViews\n| where notempty(DurationMs) and ClientType == 'Browser'\n| extend total_duration=DurationMs*ItemCount\n| summarize avg_duration=(sum(total_duration)/sum(ItemCount)) by OperationName\n| top 3 by avg_duration desc","tags":{"Topic":["Browsing data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":false}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"fdfc57ce-bfab-11ea-ba10-c8348e03e0b8","displayName":"Failed requests – top 10","description":"Which 10 requests failed the most, and how many times did each fail?","body":"AppRequests\n| where Success == false\n| summarize failedCount=sum(ItemCount) by Name\n| top 10 by failedCount desc\n| render barchart","tags":{"Topic":["Reports failures"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":false}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"1ab9dc94-bfac-11ea-8dcb-c8348e03e0b8","displayName":"Failing dependencies","description":"Which 5 dependencies failed the most today?","body":"AppDependencies\n| where Success == false\n| summarize totalCount=sum(ItemCount) by DependencyType\n| top 5 by totalCount desc","tags":{"Topic":["Reports failures"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":false}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"26172a26-bfac-11ea-9c5e-c8348e03e0b8","displayName":"Failed operations","description":"Calculate how many times operations failed, and how many users were 
impacted.","body":"// To create an alert for this query, click '+ New alert rule'\nAppRequests\n| where Success == false\n| summarize failedCount=sum(ItemCount), impactedUsers=dcount(UserId) by OperationName, _ResourceId\n| order by failedCount desc","tags":{"Topic":["Reports failures","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":false,"IsMultiResource":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"321b088f-bfac-11ea-b703-c8348e03e0b8","displayName":"Exceptions causing request failures","description":"Find which exceptions led to failed requests in the past hour.","body":"AppRequests\n| where TimeGenerated > ago(1h) and Success == false\n| join kind= inner (\nAppExceptions\n| where TimeGenerated > ago(1h)\n) on OperationId\n| project exceptionType = Type, failedMethod = Method, requestName = Name, requestDuration = DurationMs, _ResourceId","tags":{"Topic":["Reports failures"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsApplicationInsightsComponent":false,"IsMultiResource":true}},"related":{"categories":["applications"],"resourceTypes":["microsoft.insights/components"]}},{"id":"32b49610-7500-4578-a909-b937a976ebfe","displayName":"What data is being collected?","description":"List the collected performance counters and object types (Process, Memory, Processor…)","body":"Perf\n| summarize by ObjectName, CounterName","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"d2f75376-07d4-4ef7-b3b4-36a97d5b6228","displayName":"Virtual Machine available memory","description":"Chart the VM's available memory over time.","body":"// To create an alert for this query, click '+ New alert rule'\nPerf\n| where ObjectName == \"Memory\" and\n(CounterName == \"Available MBytes Memory\" or // the name used in Linux records\nCounterName == 
\"Available MBytes\") // the name used in Windows records\n| summarize avg(CounterValue) by bin(TimeGenerated, 15min), Computer, _ResourceId // bin is used to set the time grain to 15 minutes\n| render timechart","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"f4ee7d36-fcae-4d21-879b-e11f9a831590","displayName":"Chart CPU usage trends","description":"Calculate CPU usage patterns over the last day, chart by percentiles.","body":"// To create an alert for this query, click '+ New alert rule'\nPerf\n| where CounterName == \"% Processor Time\"\n| where ObjectName == \"Processor\"\n| summarize avg(CounterValue) by bin(TimeGenerated, 15min), Computer, _ResourceId // bin is used to set the time grain to 15 minutes\n| render timechart\n// Perf table stores performance counters for Windows and Linux computers\n// Counters are specified using ObjectName (performance object), InstanceName and CounterName\n// % Processor Time captures CPU activity, ObjectNames can be Processor, Process and Process Information","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"6810d165-9ec6-4e87-84e4-800d74cf85ad","displayName":"Virtual Machine free disk space","description":"Show the latest report of free disk space, per instance.","body":"// To create an alert for this query, click '+ New alert rule'\nPerf\n| where ObjectName == \"LogicalDisk\" or // the object name used in Windows records\nObjectName == \"Logical Disk\" // the object name used in Linux records\n| where CounterName == \"Free Megabytes\"\n| summarize arg_max(TimeGenerated, *) by InstanceName // arg_max over TimeGenerated returns the latest record\n| project TimeGenerated, InstanceName, CounterValue, Computer, 
_ResourceId","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"b6aa1541-5290-41c5-9bc3-48e26fd6f899","displayName":"Reported errors","description":"Show error events from the last hour.","body":"// To create an alert for this query, click '+ New alert rule'\nunion Event, Syslog // Event table stores Windows event records, Syslog stores Linux records\n| where TimeGenerated > ago(1h)\n| where EventLevelName == \"Error\" // EventLevelName is used in the Event (Windows) records\nor SeverityLevel== \"err\" // SeverityLevel is used in Syslog (Linux) records","tags":{"Topic":["Errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"10eeb5b8-140d-4790-a509-e6f2d62c6abe","displayName":"Find Linux kernel events","description":"Find events reported by Linux kernel process, regarding killed processes.","body":"// To create an alert for this query, click '+ New alert rule'\nSyslog\n| where ProcessName == \"kernel\" and SyslogMessage contains \"Killed process\"","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"d78e5c0b-190f-42b3-9b90-43758415fab2","displayName":"Show the trend of a selected event","description":"Chart how many times an event was reported along the last day.","body":"// To create an alert for this query, click '+ New alert rule'\nEvent\n| where EventID == 44 // this ID indicates Windows Update started downloading an update\n| summarize count() by bin(TimeGenerated, 1h), Computer, _ResourceId // bin is used to set the time grain to 1 hour\n| render 
barchart","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"e7e0e961-d151-41fd-9062-260808ae1190","displayName":"Missing security or critical updates","description":"Count how many security or other critical updates are missing.","body":"// To create an alert for this query, click '+ New alert rule'\nUpdate\n| where Classification in (\"Security Updates\", \"Critical Updates\")\n| where UpdateState == 'Needed' and Optional == false and Approved == true\n| summarize count() by Classification, Computer, _ResourceId\n// This query requires the Security or Update solutions","tags":{"Topic":["Security","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines","security"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"ccbfe85d-b880-4ec2-8760-c382d17db131","displayName":"Members added to security groups","description":"Who was added to security-enabled group over the last day?","body":"// To create an alert for this query, click '+ New alert rule'\nSecurityEvent\n| where EventID in (4728, 4732, 4756) // these event IDs indicate a member was added to a security-enabled group\n| summarize count() by SubjectAccount, Computer, _ResourceId\n// This query requires the Security solution","tags":{"Topic":["Security","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines","security"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"820798dc-cd18-4f1a-b7f0-1163f78e3935","displayName":"Uses of clear text password","description":"List all accounts that logged on using a clear-text password over the last day.","body":"// To create an alert for this query, click '+ New alert rule'\nSecurityEvent\n| where EventID == 4624 // event ID 
4624: \"an account was successfully logged on\",\n| where LogonType == 8 // logon type 8: \"NetworkCleartext\"\n| summarize count() by TargetAccount, Computer, _ResourceId // count the reported security events for each account\n// This query requires the Security solution","tags":{"Topic":["Security","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines","security"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"8318f5a7-adba-41d0-8170-c5af5b31e494","displayName":"Windows failed logins","description":"Find reports of Windows accounts that failed to login.","body":"// To create an alert for this query, click '+ New alert rule'\nSecurityEvent\n| where EventID == 4625\n| summarize count() by TargetAccount, Computer, _ResourceId // count the reported security events for each account\n// This query requires the Security solution","tags":{"Topic":["Security","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines","security"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"f7a287bb-a9ab-44c1-942f-1ec5c03e388e","displayName":"Search In multiple tables","description":"Search both Syslog and Event tables for the term \"login\".","body":"search in (Syslog, Event) \"login\"\n| where TimeGenerated > ago(1h) // return records from the last hour","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"043360e8-9071-46fe-8ae2-1c27eeca2d7b","displayName":"Using wild-cards","description":"Search for terms that follow the pattern \"corp*.com\".","body":"search in (Event) \"corp*.com\" // Search terms that follow the pattern \"corp\"-something-\".com\", such as \"corp.mydomain.com\"\n| take 50 // return only 50 results (not guaranteed to be the 
latest)","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"5cd45fcf-8566-11ea-821c-c8348e02520c","displayName":"Top 10 Virtual Machines by CPU utilization","description":"Find top 10 VM by CPU utilization in the last 7 days.","body":"Perf\n| where TimeGenerated > ago(7d)\n| where CounterName == \"% Processor Time\" and InstanceName == \"_Total\" \n| project TimeGenerated, Computer, ObjectName, CounterName, InstanceName, round(CounterValue, 2)\n| summarize arg_max(TimeGenerated, *) by Computer\n| top 10 by CounterValue","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"5cd6f7ed-8566-11ea-a2a1-c8348e02520c","displayName":"Bottom 10 Free disk space %","description":"Bottom 10 Free disk space % by computer, for the last 7 days.","body":"Perf\n| where TimeGenerated > ago(7d)\n| where (ObjectName == \"Logical Disk\" or ObjectName == \"LogicalDisk\") and CounterName contains \"%\" and InstanceName != \"_Total\" and InstanceName != \"HarddiskVolume1\"\n| project TimeGenerated, Computer, ObjectName, CounterName, InstanceName, CounterValue \n| summarize arg_max(TimeGenerated, *) by Computer\n| top 10 by CounterValue desc","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"5cd745fe-8566-11ea-9fa7-c8348e02520c","displayName":"Logical disk space % below threshold:","description":"Show avg % of free Logical disk space over 10 minutes.","body":"let _minValue = 10; // Set the minValue according to your needs\nPerf\n| where ObjectName == \"LogicalDisk\" and CounterName == \"% Free Space\" // the object name used in Windows 
records\n| where TimeGenerated >= ago(30m) // choose time to observe \n| where CounterValue ago(10m)\n| where OperationName == \"Deallocate Virtual Machine\" and ActivityStatus == \"Succeeded\" \n","tags":{"Topic":["Availability","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"5cd7e251-8566-11ea-b5f3-c8348e02520c","displayName":"Not reporting VMs","description":"VMs that have not reported a heartbeat in the last 5 minutes.","body":"// To create an alert for this query, click '+ New alert rule'\nHeartbeat \n| where TimeGenerated > ago(24h)\n| summarize LastCall = max(TimeGenerated) by Computer, _ResourceId\n| where LastCall < ago(30m)","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachines"]}},{"id":"a9d27e1b-1088-4da5-bc78-a772659f6977","displayName":"Latest 50 logs","description":"Show the latest Azure Activity logs for this resource.","body":"AzureActivity \n| top 50 by TimeGenerated desc ","tags":{"Topic":["Activity logs"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"]}},{"id":"245b67bd-f04d-4a9f-9008-964dca98fd67","displayName":"Operations' status","description":"Show the latest Azure activity log for each operation.","body":"AzureActivity \n| summarize arg_max(TimeGenerated, *) by OperationName ","tags":{"Topic":["Activity logs"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"]}},{"id":"7908b709-0d81-459e-a0df-5f18d05ebebe","displayName":"Recent Azure Activity logs","description":"Display Azure Activity logs with level Error or Warning.","body":"AzureActivity \n| where Level == \"Error\" or Level == \"Warning\"\n| project TimeGenerated, Level, ResourceProvider, ActivityStatus, Caller, Category, Properties, CorrelationId 
","tags":{"Topic":["Activity logs"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"]}},{"id":"74fd0091-7a1e-4da7-bea1-6b8dfb84646d","displayName":"Failed operations","description":"List all reports of failed operations, over the past hour.","body":"AzureActivity \n| where TimeGenerated > ago(1h) \n| where ActivityStatus == \"Failed\"","tags":{"Topic":["Activity logs"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"]}},{"id":"7f315593-1fb7-1749-91e9-618eaed5990c","displayName":"Resources creation","description":"List created Azure resources. Can be useful for monitoring and alerts.","body":"AzureActivity\r\n| where OperationNameValue has \"Microsoft.Resources/deployments/write\"\r\n| where CategoryValue == \"Administrative\"\r\n| where ActivityStatusValue == \"Success\"\r\n| project Caller, TimeGenerated, _ResourceId\r\n","tags":{"Topic":["Activity logs"]},"properties":{"ExampleQuery":true},"related":{"categories":["audit"]}},{"id":"e918b817-a253-4578-b8a0-0514269ede41","displayName":"Common categories in Azure diagnostics","description":"Count the number of logs reported per category.","body":"AzureDiagnostics \n| summarize countLogsPerCategory=count() by Category \n| sort by countLogsPerCategory","tags":{"Topic":["Azure diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"]}},{"id":"e2f4aaff-3204-41cc-a2cd-9adabb071847","displayName":"Latest metrics","description":"Show the latest metrics reports for each reported metric.","body":"AzureMetrics \n| summarize arg_max(TimeGenerated, UnitName, Total, Count, Maximum, Minimum, Average) by MetricName","tags":{"Topic":["Azure diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"]}},{"id":"67509168-f4c5-40e9-bed5-659d66238394","displayName":"Network security events","description":"Find Network security events reporting blocked incoming traffic.","body":"AzureDiagnostics \n| where ResourceProvider == 
\"MICROSOFT.NETWORK\" \n| where Category == \"NetworkSecurityGroupEvent\" \n| where direction_s == \"In\" and type_s == \"block\"","tags":{"Topic":["Azure diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"]}},{"id":"5bf97db7-243d-4cfe-b928-91b8f60a1507","displayName":"Failed backup jobs","description":"Find logs reported failed backup jobs from the last day.","body":"AzureDiagnostics \n| where ResourceProvider == \"MICROSOFT.RECOVERYSERVICES\" and Category == \"AzureBackupReport\" \n| where OperationName == \"Job\" and JobOperation_s == \"Backup\" and JobStatus_s == \"Failed\" \n| project TimeGenerated, JobUniqueId_g, JobStartDateTime_s, JobOperation_s, JobOperationSubType_s, JobStatus_s , JobFailureCode_s, JobDurationInSecs_s , AdHocOrScheduledJob_s","tags":{"Topic":["Azure diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"]}},{"id":"e15f26b4-196a-463b-b61c-16d5aeacf611","displayName":"Errors in automation jobs","description":"Find logs reporting errors in automation jobs from the last day.","body":"AzureDiagnostics \n| where ResourceProvider == \"MICROSOFT.AUTOMATION\" \n| where StreamType_s == \"Error\" \n| project TimeGenerated, Category, JobId_g, OperationName, RunbookName_s, ResultDescription","tags":{"Topic":["Azure diagnostics"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"]}},{"id":"16cc1100-8d9e-40cc-9f46-11f26dfb6d83","displayName":"Show latest logs from all tables","description":"Search all logs from all tables, and return the last 500 logs.","body":"// returns every column from every table. We recommend you always scope your queries to specific tables or time range. Un-scoped queries may take a while to complete and may return too many results. 
\nsearch * \n| top 500 by TimeGenerated// return the latest 500 results","tags":{"Topic":["Search through the logs "]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"]}},{"id":"96b1f5ee-b9c0-41f8-ac78-c63c892316e0","displayName":"Search a term through all logs","description":"Search the term \"Network\" across all tables.","body":"search \"Network\"// search is case-insensitive \n| where TimeGenerated > ago(30m)","tags":{"Topic":["Search through the logs "]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"]}},{"id":"25557665-32d7-4275-bee8-5f66ba7414b0","displayName":"Search a table for a specific term","description":"Search AzureMetrics table for the term \"CPU\".","body":"search in (AzureMetrics) \"CPU\"// search is case-insensitive","tags":{"Topic":["Search through the logs "]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"]}},{"id":"bc06437d-ec5a-41d4-a99c-5448e75af0ea","displayName":"Search in multiple tables","description":"Search AzureDiagnostics, AzureMetrics and AzureActivity for logs that contain \"fail\".","body":"search in (AzureDiagnostics, AzureMetrics, AzureActivity) \"*fail*\"","tags":{"Topic":["Search through the logs "]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"]}},{"id":"962528ba-aa8a-4ed9-b882-269d77b1c317","displayName":"Run a case-sensitive search","description":"Search the AzureDiagnostics table for logs that contain the term \"JIT\".","body":"search kind=case_sensitive in (AzureDiagnostics) \"*JIT*\"","tags":{"Topic":["Search through the logs "]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"]}},{"id":"ffd8f3c6-2df8-4919-b897-415fdbd67679","displayName":"Search multiple terms","description":"Search the AzureActivity table for logs that contain \"err\" or \"warn\".","body":"search in (AzureActivity) \"*err*\" or \"*warn*\" \n| where TimeGenerated > ago(1h)","tags":{"Topic":["Search through the logs 
"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"]}},{"id":"b4d66462-3b14-48e0-8f73-69963f167e07","displayName":"List all input data errors","description":"Shows all errors that occurred while processing the data from inputs.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics \n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).Type == \"DataError\" \n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Input data errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"5ee61bc5-7ab3-4ea6-bd8a-894199439250","displayName":"List all input deserialization errors","description":"Shows errors caused due to malformed events that could not be deserialized by the job.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).DataErrorType in (\"InputDeserializerError.InvalidData\", \"InputDeserializerError.TypeConversionError\", \"InputDeserializerError.MissingColumns\", \"InputDeserializerError.InvalidHeader\", \"InputDeserializerError.InvalidCompressionType\")\n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Input data errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"b90dfde7-6647-431a-ba33-a8d15ce03cfd","displayName":"List all InvalidInputTimeStamp errors","description":"Shows errors caused due to events where value of the TIMESTAMP BY expression can't be converted to datetime.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == 
\"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).DataErrorType == \"InvalidInputTimeStamp\"\n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Input data errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"787bfae4-3b13-4edf-b04c-df38392915f0","displayName":"List all InvalidInputTimeStampKey errors","description":"Shows errors caused due to events where value of the TIMESTAMP BY OVER timestampColumn is NULL.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).DataErrorType == \"InvalidInputTimeStampKey\"\n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Input data errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"b8c03410-f001-4b97-9cd7-0e0f133dec66","displayName":"Events that arrived late","description":"Shows errors due to events where difference between application time and arrival time is greater than the late arrival policy.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).DataErrorType == \"LateInputEvent\"\n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Input data errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"3d9fb8b2-befb-4583-8c92-1da2bf3411b4","displayName":"Events that arrived early","description":"Shows errors due to events where difference between Application time and Arrival 
time is greater than 5 minutes.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).DataErrorType == \"EarlyInputEvent\"\n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Input data errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"4d078508-6a71-4f6d-8408-74cc20ad7867","displayName":"Events that arrived out of order","description":"Shows errors due to events that arrive out of order according to the out-of-order policy.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).DataErrorType == \"OutOfOrderEvent\"\n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Input data errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"aa09b62c-25ef-446e-b7b3-a950aef7800f","displayName":"All output data errors","description":"Shows all errors that occurred while writing the results of the query to the outputs in your job.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).DataErrorType in (\"OutputDataConversionError.RequiredColumnMissing\", \"OutputDataConversionError.ColumnNameInvalid\", \"OutputDataConversionError.TypeConversionError\", \"OutputDataConversionError.RecordExceededSizeLimit\", \"OutputDataConversionError.DuplicateKey\")\n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Output data 
errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"8fb2034b-6c12-47bc-838b-b657bd5f5300","displayName":"List all RequiredColumnMissing errors","description":"Shows all errors where the output record produced by your job has a missing column.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).DataErrorType == \"OutputDataConversionError.RequiredColumnMissing\"\n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Output data errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"b1c25cc3-f90b-4514-8391-283ca87952bd","displayName":"List all ColumnNameInvalid errors","description":"Shows errors where the output record produced by your job has a column name that doesn't map to a column in your output.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).DataErrorType == \"OutputDataConversionError.ColumnNameInvalid\"\n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Output data errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"33fb2c35-1ffd-4325-9f93-0a23ccf6d0d4","displayName":"List all TypeConversionError errors","description":"Shows errors where the output record produced by your job has a column can't be converted to a valid type in the output.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == 
\"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).DataErrorType == \"OutputDataConversionError.TypeConversionError\"\n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Output data errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"052020ef-b3ca-4980-8c22-cd02e0471ee2","displayName":"List all RecordExceededSizeLimit errors","description":"Shows errors where the size of the output record produced by your job is greater than the supported output size. ","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).DataErrorType == \"OutputDataConversionError.RecordExceededSizeLimit\"\n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Output data errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"a5921654-c003-4486-8122-60092622db9f","displayName":"List all DuplicateKey errors","description":"Shows errors where the output record produced by job contains a column with the same name as a System column.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).DataErrorType == \"OutputDataConversionError.DuplicateKey\"\n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Output data errors","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"1ba813c0-8d01-4837-b8b4-ea954aa2c02d","displayName":"All logs with level 
\"Error\"","description":"Shows all logs that are likely to have negatively impacted your job.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and Level == \"Error\" \n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Other errors and failures","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"c64e6268-9405-45fa-acce-e59dea7054fe","displayName":"Operations that have \"Failed\"","description":"Shows all operations on your job that have resulted in a failure.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and status_s == \"Failed\" \n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Other errors and failures","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"1c4e1e99-3d45-4125-ab76-320c8fdd3413","displayName":"Output Throttling logs (Cosmos DB, Power BI, Event Hubs)","description":"Shows all instances where writing to one of your outputs was throttled by the destination service.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).Type in (\"DocumentDbOutputAdapterWriteThrottlingError\", \"EventHubOutputAdapterEventHubThrottlingError\", \"PowerBIServiceThrottlingError\", \"PowerBIServiceThrottlingError\")\n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Other errors and 
failures","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"ec788186-ccc0-43fd-b974-1def808dfa21","displayName":"Transient input and output errors","description":"Shows all errors related to input and output that are intermittent in nature.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).Type in (\"AzureFunctionOutputAdapterTransientError\", \"BlobInputAdapterTransientError\", \"DataLakeOutputAdapterTransientError\", \"DocumentDbOutputAdapterTransientError\", \"EdgeHubOutputAdapterEdgeHubTransientError\", \"EventHubBasedInputInvalidOperationTransientError\", \"EventHubBasedInputOperationCanceledTransientError\", \"EventHubBasedInputTimeoutTransientError\", \"EventHubBasedInputTransientError\", \"EventHubOutputAdapterEventHubTransientError\", \"InputProcessorTransientFailure\", \"OutputProcessorTransientError\", \"ReferenceDataInputAdapterTransientError\", \"ServiceBusOutputAdapterTransientError\", \"TableOutputAdapterTransientError\")\n| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId","tags":{"Topic":["Other errors and failures","Alerts"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"801fa603-7ed8-4a4a-b028-5b0ff6277eb5","displayName":"Summary of all data errors in the last 7 days","description":"Summary of all data errors in the last 7 days.","body":"AzureDiagnostics\n| where TimeGenerated > ago(7d) //last 7 days\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and parse_json(properties_s).Type == \"DataError\"\n| extend DataErrorType = tostring(parse_json(properties_s).DataErrorType)\n| summarize Count=count(), sampleEvent=any(properties_s) by DataErrorType, 
JobName=Resource","tags":{"Topic":["Other errors and failures"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"5b86398a-8291-40ce-8d97-c534997f61e6","displayName":"Summary of all errors in the last 7 days","description":"Summary of all errors in the last 7 days.","body":"AzureDiagnostics\n| where TimeGenerated > ago(7d) //last 7 days\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\"\n| extend ErrorType = tostring(parse_json(properties_s).Type)\n| summarize Count=count(), sampleEvent=any(properties_s) by ErrorType, JobName=Resource","tags":{"Topic":["Other errors and failures"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"366f2856-ffd7-4f9b-9c42-862e3b201f3c","displayName":"Summary of 'Failed' operations in the last 7 days","description":"Summary of 'Failed' operations in the last 7 days.","body":"AzureDiagnostics\n| where TimeGenerated > ago(7d) //last 7 days\n| where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\" and status_s == \"Failed\" \n| summarize Count=count(), sampleEvent=any(properties_s) by JobName=Resource ","tags":{"Topic":["Other errors and failures"]},"properties":{"ExampleQuery":true},"related":{"categories":["resources"],"resourceTypes":["microsoft.streamanalytics/streamingjobs"]}},{"id":"fa0c8117-6153-11ea-8cb3-c8348e025209","displayName":"List sent snapshots by duration","description":"A list of the snapshots sorted by duration time over the last 7 days.","body":"MicrosoftDataShareSentSnapshotLog\n| where TimeGenerated > ago(7d) \n| where StartTime != \"\" and EndTime != \"\" \n| project StartTime , EndTime , DurationSeconds =(todatetime(EndTime)-todatetime(StartTime))/1s , ResourceName = split(_ResourceId,\"/accounts/\",1) \n| sort by DurationSeconds desc nulls last 
\n","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.datashare/accounts"]}},{"id":"fa0ef211-6153-11ea-8bab-c8348e025209","displayName":"Count failed sent snapshots","description":"Total count of failed snapshots over the last 7 days.","body":"MicrosoftDataShareSentSnapshotLog\n| where TimeGenerated > ago(7d) \n| where Status == \"Failed\" \n| summarize count() by _ResourceId ","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.datashare/accounts"]}},{"id":"fa1078e9-6153-11ea-a498-c8348e025209","displayName":"Frequent errors in sent snapshots","description":"List top 10 errors over the last 7 days.","body":"MicrosoftDataShareSentSnapshotLog \n| where TimeGenerated > ago(7d) \n| where Status == \"Failed\" \n| summarize count() by _ResourceId, DataSetType// Counting failed logs per datasettype\n| top 10 by count_ desc nulls last","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.datashare/accounts"]}},{"id":"fa112e83-6153-11ea-b11d-c8348e025209","displayName":"Chart of daily sent snapshots","description":"A time chart of recent snapshots count, succeeded VS failed.","body":"//Succeeded VS Failed\nMicrosoftDataShareSentSnapshotLog \n| where TimeGenerated > ago(30d) \n| summarize count() by bin(TimeGenerated, 1d), Status, _ResourceId // Aggregating by day //Click \"Table\" to see resource's name.\n| render timechart","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.datashare/accounts"]}},{"id":"fa117c9a-6153-11ea-9c29-c8348e025209","displayName":"List received snapshots by duration","description":"A list of 
the snapshots sorted by duration time, over the last 7 days.","body":"MicrosoftDataShareReceivedSnapshotLog\n| where TimeGenerated > ago(7d) \n| where StartTime != \"\" and EndTime != \"\"\n| project StartTime , EndTime , DurationSeconds =(todatetime(EndTime)-todatetime(StartTime))/1s, ResourceName = split(_ResourceId,\"/accounts/\",1)// use split to get a part of the _ResourceId \n| sort by DurationSeconds desc nulls last","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.datashare/accounts"]}},{"id":"fa11cab7-6153-11ea-8733-c8348e025209","displayName":"Count failed received snapshots","description":"Count of failed snapshots over the last 7 days.","body":"MicrosoftDataShareReceivedSnapshotLog\n| where TimeGenerated > ago(7d) \n| where Status == \"Failed\" \n| summarize count() by _ResourceId ","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.datashare/accounts"]}},{"id":"fa1320ea-6153-11ea-90da-c8348e025209","displayName":"Frequent errors in received snapshots","description":"Top 10 most frequent errors over the last 7 days.","body":"MicrosoftDataShareReceivedSnapshotLog \n| where TimeGenerated > ago(7d) \n| where Status == \"Failed\" \n| summarize count() by _ResourceId, DataSetType // Counting failed logs per datasettype\n| top 10 by count_ desc nulls last","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.datashare/accounts"]}},{"id":"fa136ede-6153-11ea-857e-c8348e025209","displayName":"Chart of daily received snapshots","description":"A time chart of the daily snapshots count, over the past week.","body":"// Failed, In Progress and Succeeded Received Snapshots\nMicrosoftDataShareReceivedSnapshotLog \n| 
where TimeGenerated > ago(7d) \n| summarize count() by bin(TimeGenerated, 1d), Status , _ResourceId // Aggregating by day //Click \"Table\" to see resource's name.\n| render timechart","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.datashare/accounts"]}},{"id":"3dedfcff-6154-11ea-b43b-c8348e025209","displayName":"Requests per hour","description":"Render line chart showing total requests per hour for each FrontDoor resource.","body":"// Summarize number of requests per hour for each FrontDoor resource\n// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics \n| where ResourceProvider == \"MICROSOFT.NETWORK\" and Category == \"FrontdoorAccessLog\"\n| summarize RequestCount = count() by bin(TimeGenerated, 1h), Resource, ResourceId\n| render timechart ","tags":{"Topic":["Usage and Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/frontdoors"]}},{"id":"3df04ba0-6154-11ea-a4a9-c8348e025209","displayName":"Forwarded backend requests by routing rule","description":"Count number of requests for each routing rule and backend host per minute.","body":"// Summarize number of requests per minute for each routing rule and backend host\n// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics \n| where ResourceProvider == \"MICROSOFT.NETWORK\" and Category == \"FrontdoorAccessLog\"\n| summarize RequestCount = count() by bin(TimeGenerated, 1m), Resource, RoutingRuleName = routingRuleName_s, BackendHostname = backendHostname_s, ResourceId","tags":{"Topic":["Usage and 
Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/frontdoors"]}},{"id":"3df099bd-6154-11ea-950e-c8348e025209","displayName":"Request errors by host and path","description":"Count number of requests with error responses by host and path.","body":"// Summarize number of requests by host, path, and status codes >= 400\n// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.NETWORK\" and Category == \"FrontdoorAccessLog\"\n| where toint(httpStatusCode_s) >= 400\n| extend ParsedUrl = parseurl(requestUri_s)\n| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), StatusCode = httpStatusCode_s, ResourceId\n| order by RequestCount desc ","tags":{"Topic":["Errors","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/frontdoors"]}},{"id":"3df22024-6154-11ea-bb45-c8348e025209","displayName":"Request errors by user agent","description":"Count number of requests with error responses by user agent.","body":"// Summarize number of requests per user agent and status codes >= 400\n// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.NETWORK\" and Category == \"FrontdoorAccessLog\"\n| where toint(httpStatusCode_s) >= 400\n| summarize RequestCount = count() by UserAgent = userAgent_s, StatusCode = httpStatusCode_s , Resource, ResourceId\n| order by RequestCount desc ","tags":{"Topic":["Errors","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/frontdoors"]}},{"id":"3df26e48-6154-11ea-8a19-c8348e025209","displayName":"Top 10 client IPs and http 
versions","description":"Show top 10 client IPs and http versions.","body":"// Summarize top 10 client ips and http versions\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.NETWORK\" and Category == \"FrontdoorAccessLog\"\n| summarize RequestCount = count() by ClientIP = clientIp_s, HttpVersion = httpVersion_s, Resource\n| top 10 by RequestCount \n| order by RequestCount desc","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/frontdoors"]}},{"id":"3df2e36e-6154-11ea-954a-c8348e025209","displayName":"Firewall blocked request count per hour","description":"Count number of firewall blocked requests per hour.","body":"// Summarize number of firewall blocked requests per hour by policy\n// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.NETWORK\" and Category == \"FrontdoorWebApplicationFirewallLog\"\n| where action_s == \"Block\"\n| summarize RequestCount = count() by bin(TimeGenerated, 1h), Policy = policy_s, PolicyMode = policyMode_s, Resource, ResourceId\n| order by RequestCount desc","tags":{"Topic":["Firewall Audit","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network","security"],"resourceTypes":["microsoft.network/frontdoors"]}},{"id":"3df49151-6154-11ea-99f0-c8348e025209","displayName":"Top 20 blocked clients by IP and rule","description":"Show top 20 blocked clients by IP and rule name.","body":"// Summarize top 20 blocked clients by IP and rule\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.NETWORK\" and Category == \"FrontdoorWebApplicationFirewallLog\"\n| where action_s == \"Block\"\n| summarize RequestCount = count() by ClientIP = clientIP_s, UserAgent = userAgent_s, RuleName = ruleName_s ,Resource\n| top 20 by RequestCount \n| order by RequestCount 
desc","tags":{"Topic":["Firewall Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network","security"],"resourceTypes":["microsoft.network/frontdoors"]}},{"id":"3df4df3b-6154-11ea-a9a8-c8348e025209","displayName":"Firewall request count by host, path, rule, and action","description":"Count firewall processed requests by host, path, rule, and action taken.","body":"// Summarize request count by host, path, rule, and action\n// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.NETWORK\" and Category == \"FrontdoorWebApplicationFirewallLog\"\n| extend ParsedUrl = parseurl(requestUri_s)\n| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), RuleName = ruleName_s, Action = action_s, ResourceId\n| order by RequestCount desc","tags":{"Topic":["Firewall Audit","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network","security"],"resourceTypes":["microsoft.network/frontdoors"]}},{"id":"79ff4844-6154-11ea-aec5-c8348e025209","displayName":"Connectivity errors","description":"Identify device connection errors.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.DEVICES\" and ResourceType == \"IOTHUBS\"\n| where Category == \"Connections\" and Level == \"Error\"","tags":{"Topic":["Errors","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.devices/iothubs"]}},{"id":"7a01741c-6154-11ea-b256-c8348e025209","displayName":"Devices with most throttling errors","description":"Identify devices that made the most requests resulting in throttling errors.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where 
ResourceProvider == \"MICROSOFT.DEVICES\" and ResourceType == \"IOTHUBS\"\n| where ResultType == \"429001\"\n| extend DeviceId = tostring(parse_json(properties_s).deviceId)\n| summarize count() by DeviceId, Category , _ResourceId\n| order by count_ desc","tags":{"Topic":["Errors","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.devices/iothubs"]}},{"id":"7a01e758-6154-11ea-8513-c8348e025209","displayName":"Dead endpoints","description":"Identify dead or unhealthy endpoints by the number of times the issue was reported, as well as the reason why.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.DEVICES\" and ResourceType == \"IOTHUBS\"\n| where Category == \"Routes\" and OperationName in (\"endpointDead\", \"endpointUnhealthy\")\n| extend parsed_json = parse_json(properties_s)\n| extend Endpoint = tostring(parsed_json.endpointName), Reason =tostring(parsed_json.details) \n| summarize count() by Endpoint, OperationName, Reason, _ResourceId\n| order by count_ desc","tags":{"Topic":["Availability","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.devices/iothubs"]}},{"id":"7a02356e-6154-11ea-9f6e-c8348e025209","displayName":"Error summary","description":"Count of errors across all operations by type.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.DEVICES\" and ResourceType == \"IOTHUBS\"\n| where Level == \"Error\"\n| summarize count() by ResultType, ResultDescription, Category, 
_ResourceId","tags":{"Topic":["Errors","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.devices/iothubs"]}},{"id":"7a02aa98-6154-11ea-be45-c8348e025209","displayName":"Recently connected devices","description":"List of devices that IoT Hub saw connect in the specified time period.","body":"AzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.DEVICES\" and ResourceType == \"IOTHUBS\"\n| where Category == \"Connections\" and OperationName == \"deviceConnect\"\n| extend DeviceId = tostring(parse_json(properties_s).deviceId)\n| summarize max(TimeGenerated) by DeviceId, _ResourceId","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.devices/iothubs"]}},{"id":"7a02f8bb-6154-11ea-ae08-c8348e025209","displayName":"SDK version of devices","description":"List of devices and their SDK versions.","body":"// this query works on device connection or when your device uses device to cloud twin operations\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.DEVICES\" and ResourceType == \"IOTHUBS\"\n| where Category == \"Connections\" or Category == \"D2CTwinOperations\"\n| extend parsed_json = parse_json(properties_s) \n| extend SDKVersion = tostring(parsed_json.sdkVersion) , DeviceId = tostring(parsed_json.deviceId)\n| distinct DeviceId, SDKVersion, TimeGenerated, _ResourceId","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.devices/iothubs"]}},{"id":"27374154-3ae9-5c0f-047b-059790771ae2","displayName":"IoT Edge: Device offline or not sending messages upstream at expected rate","description":"Identify IoT Edge devices seen in the last 2 days that are not sending D2C messages to IoT Hub at an expected rate during a 30 
minute period.","body":"// To create an alert for this query, click '+ New alert rule'\r\nlet targetReceiver = \"upstream\";\r\nInsightsMetrics\r\n| where Origin == \"iot.azm.ms\" and Namespace == \"metricsmodule\"\r\n| where Name == \"edgehub_messages_sent_total\"\r\n| extend dimensions=parse_json(Tags)\r\n| extend device = tostring(dimensions.edge_device)\r\n| extend target = trim_start(@\"[^/]+/\", extractjson(\"$.to\", \r\ntostring(dimensions), typeof(string)))\r\n| where target contains targetReceiver\r\n| extend source = strcat(device, \"::\", trim_start(@\"[^/]+/\", \r\ntostring(dimensions.from)))\r\n| extend messages = toint(Val)\r\n| extend timeUtc = TimeGenerated\r\n| extend sourceTarget = strcat(source, \"::\", target)\r\n| project timeUtc, source, sourceTarget, messages, device, _ResourceId\r\n| order by device, sourceTarget, timeUtc\r\n| serialize\r\n| extend nextCount = next(messages, 1)\r\n| extend nextSourceTarget= next(sourceTarget, 1)\r\n| extend diff = iff((messages - nextCount) >= 0, messages - nextCount, 0)\r\n| where sourceTarget == nextSourceTarget and diff >= 0\r\n| project TimeGenerated = timeUtc, source, sourceTarget, messages, diff, \r\ndevice, _ResourceId\r\n| make-series sum(diff) default=0 on TimeGenerated from ago(2d) to now() \r\nstep 30m by device, _ResourceId\r\n| mv-expand sum_diff, TimeGenerated\r\n| project TimeGenerated=todatetime(TimeGenerated), device, \r\nAggregatedValue=toint(sum_diff), _ResourceId","tags":{"Topic":["Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.devices/iothubs"]}},{"id":"2fb22203-1815-2061-2dcf-f2f162ee3334","displayName":"IoT Edge: Edge Hub queue size over threshold","description":"Number of times a device's Edge Hub queue size (sum) was over the configured threshold during the evaluation period.","body":"// To create an alert for this query, click '+ New alert' \r\nlet qlenThreshold = 
100;\r\nInsightsMetrics\r\n| where Origin == \"iot.azm.ms\" and Namespace == \"metricsmodule\"\r\n| where Name == \"edgehub_queue_length\"\r\n| extend dimensions=parse_json(Tags)\r\n| extend device = tostring(dimensions.edge_device)\r\n| extend ep = tostring(dimensions.endpoint)\r\n| extend qlen = toint(Val)\r\n| project device, qlen, ep, TimeGenerated, _ResourceId\r\n| summarize sum(qlen) by TimeGenerated, device, _ResourceId\r\n| where sum_qlen >= qlenThreshold\r\n| project-away sum_qlen","tags":{"Topic":["Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.devices/iothubs"]}},{"id":"fde796bf-52b0-120a-7bff-444d8f9a60ed","displayName":"IoT Edge: Total device disk space percent used","description":"Percentage of total disk space used for an IoT Edge device.","body":"// To create an alert for this query, click '+ New alert' \r\nlet totalBytesByDevice = InsightsMetrics\r\n| where Origin == \"iot.azm.ms\" and Namespace == \"metricsmodule\"\r\n| where Name == \"edgeAgent_total_disk_space_bytes\"\r\n| extend dimensions=parse_json(Tags)\r\n| extend device = tostring(dimensions.edge_device)\r\n| extend iothub = tostring(dimensions.iothub)\r\n| extend value = tolong(Val)\r\n| extend diskname = tostring(dimensions.disk_name)\r\n| extend id = strcat(iothub, \"::\", device)\r\n| project device, id, diskname, value, TimeGenerated, _ResourceId\r\n| top-nested of id by Ignore0=max(1),\r\ntop-nested 1 of TimeGenerated by Ignore1=max(TimeGenerated),\r\ntop-nested of diskname by Ignore2=max(1),\r\ntop-nested of value by Ignore3=max(1)\r\n| project-away Ignore*\r\n| summarize Bytes=max(value) by id, diskname\r\n| summarize totalBytes=sum(Bytes) by id;\r\nInsightsMetrics\r\n| where Origin == \"iot.azm.ms\" and Namespace == \"metricsmodule\"\r\n| where Name == \"edgeAgent_available_disk_space_bytes\"\r\n| extend dimensions=parse_json(Tags)\r\n| extend device = 
tostring(dimensions.edge_device)\r\n| extend iothub = tostring(dimensions.iothub)\r\n| extend value = tolong(Val)\r\n| extend diskname = tostring(dimensions.disk_name)\r\n| extend id = strcat(iothub, \"::\", device)\r\n| project device, id, diskname, value, TimeGenerated, _ResourceId\r\n| summarize Bytes=max(value) by device, diskname, TimeGenerated, id, \r\n_ResourceId\r\n| summarize availBytes=sum(Bytes) by id, device, TimeGenerated, _ResourceId\r\n| join kind=leftouter totalBytesByDevice\r\non $left.id == $right.id\r\n| extend percentUsed = round((todouble(totalBytes) - todouble(availBytes)) / \r\ntodouble(totalBytes) * 100, 0)\r\n| project TimeGenerated, device, percentUsed, _ResourceId\r\n| summarize AggregatedValue = max(percentUsed) by bin(TimeGenerated, 30m), \r\ndevice, _ResourceId","tags":{"Topic":["Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.devices/iothubs"]}},{"id":"d8f84807-6154-11ea-8c04-c8348e025209","displayName":"Number of requests","description":"Count the total number of calls across all APIs in the last 24 hours.","body":"//Total number of call per resource\nApiManagementGatewayLogs\n| where TimeGenerated > ago(1d)\n| summarize count(CorrelationId) by _ResourceId ","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"d8fb0c4b-6154-11ea-aae5-c8348e025209","displayName":"Logs of the last 100 calls","description":"Get the logs of the most recent 100 calls in the last 24 hours.","body":"ApiManagementGatewayLogs\n| top 100 by TimeGenerated desc 
","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"d8fc9214-6154-11ea-9ce5-c8348e025209","displayName":"Number of calls by APIs","description":"View the number of calls per API in the last 24 hours.","body":"//Calls by API ID\nApiManagementGatewayLogs\n| where TimeGenerated > ago(1d)\n| summarize count(CorrelationId) by ApiId","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"d8fcdffd-6154-11ea-b3f4-c8348e025209","displayName":"Bandwidth consumed","description":"Total bandwidth consumed in the last 24 hours.","body":"// To create an alert for this query, click '+ New alert rule'\nApiManagementGatewayLogs\n| where TimeGenerated > ago(1d)\n| extend bandwidth = RequestSize + ResponseSize \n| summarize sum(bandwidth) by bin(TimeGenerated, 15m), _ResourceId \n| render timechart ","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"d8fd5523-6154-11ea-b89c-c8348e025209","displayName":"Request sizes","description":"Statistics of request sizes in the last 24 hours.","body":"// To create an alert for this query, click '+ New alert rule'\nApiManagementGatewayLogs\n| where TimeGenerated > ago(1d)\n| summarize Average=avg(RequestSize), Median=percentile(RequestSize, 50), 90th_Percentile=percentile(RequestSize, 90) by bin(TimeGenerated, 5m) \n| render timechart 
","tags":{"Topic":["Usage","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"d8fda3be-6154-11ea-a8af-c8348e025209","displayName":"Response sizes","description":"Statistics of response sizes in the last 24 hours.","body":"// To create an alert for this query, click '+ New alert rule'\nApiManagementGatewayLogs\n| where TimeGenerated > ago(1d)\n| summarize Average=avg(ResponseSize), Median=percentile(ResponseSize, 50), 90th_Percentile=percentile(ResponseSize, 90) by bin(TimeGenerated, 5m) \n| render timechart ","tags":{"Topic":["Usage","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"d8fedbce-6154-11ea-8815-c8348e025209","displayName":"Client TLS versions","description":"Breakdown of client TLS versions in the last 24 hours.","body":"ApiManagementGatewayLogs\n| where TimeGenerated > ago(1d)\n| summarize count(CorrelationId) by ClientTlsVersion, _ResourceId ","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"d8ff5103-6154-11ea-9777-c8348e025209","displayName":"Error reasons breakdown","description":"Breakdown of all error reasons in the last 24 hours.","body":"// To create an alert for this query, click '+ New alert rule'\nApiManagementGatewayLogs\n| where TimeGenerated > ago(1d)\n| where IsRequestSuccess == false\n| summarize count(CorrelationId) by LastErrorReason, 
_ResourceId","tags":{"Topic":["Errors","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"d8ff9f0b-6154-11ea-aea9-c8348e025209","displayName":"Last 100 failed requests","description":"Get the logs of the last 100 failed requests.","body":"ApiManagementGatewayLogs\n| where TimeGenerated > ago(1d)\n| where IsRequestSuccess == false\n| top 100 by TimeGenerated desc| where ResponseCode >= 400","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"d8ffed31-6154-11ea-880d-c8348e025209","displayName":"Get failed requests due to issues related to the backend","description":"Get the logs of failed requests due to backend issues.","body":"// To create an alert for this query, click '+ New alert rule'\nApiManagementGatewayLogs\n| where TimeGenerated > ago(1d)\n| where IsRequestSuccess == false\n| where BackendResponseCode >= 400","tags":{"Topic":["Errors","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"d900144a-6154-11ea-b2e1-c8348e025209","displayName":"Get failed requests due to issues not related to the backend","description":"Get the logs of failed requests due to issues not related to the backend (e.g., API Management policies configuration, rate limit exceeded, client disconnection).","body":"// To create an alert for this query, click '+ New alert rule'\nApiManagementGatewayLogs\n| where TimeGenerated > ago(1d)\n| where IsRequestSuccess == false\n| where isnull(BackendResponseCode) or BackendResponseCode = 
400","tags":{"Topic":["Errors","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"d9019f0b-6154-11ea-9c41-c8348e025209","displayName":"Overall latency","description":"Statistics of overall latency (in milliseconds) between the time API Management starts receiving a request and the time API Management finishes sending the response back to the client.","body":"// To create an alert for this query, click '+ New alert rule'\nApiManagementGatewayLogs\n| where TimeGenerated > ago(1d)\n| summarize Average=avg(TotalTime), Median=percentile(TotalTime, 50), 90th_Percentile=percentile(TotalTime, 90) by bin(TimeGenerated, 15m) \n| render timechart ","tags":{"Topic":["Latency","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"d901ed1f-6154-11ea-bc4a-c8348e025209","displayName":"Backend latency","description":"Statistics of time (in milliseconds) spent in backend IO.","body":"// To create an alert for this query, click '+ New alert rule'\nApiManagementGatewayLogs\n| where TimeGenerated > ago(1d)\n| summarize Average=avg(BackendTime), Median=percentile(BackendTime, 50), 90th_Percentile=percentile(BackendTime, 90) by bin(TimeGenerated, 15m) \n| render timechart ","tags":{"Topic":["Latency","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"d9023cf0-6154-11ea-ae1c-c8348e025209","displayName":"Client latency","description":"Statistics of time (in milliseconds) spent in client IO.","body":"// To create an alert for this query, click '+ New alert rule'\nApiManagementGatewayLogs\n| where TimeGenerated > ago(1d)\n| summarize Average=avg(ClientTime), Median=percentile(ClientTime, 50), 
90th_Percentile=percentile(ClientTime, 90) by bin(TimeGenerated, 15m) \n| render timechart ","tags":{"Topic":["Latency","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"d9028ad3-6154-11ea-98bf-c8348e025209","displayName":"Cache hit ratio","description":"Statistics of Cache hit/miss ratio.","body":"// To create an alert for this query, click '+ New alert rule'\nApiManagementGatewayLogs\n| where TimeGenerated > ago(1d)\n| summarize Cache_Miss=countif(Cache == \"miss\"), Cache_Hit=countif(Cache == \"hit\") by bin(TimeGenerated, 15m)\n| extend Ratio=Cache_Hit / (Cache_Hit + Cache_Miss)\n| project-away Cache_Hit , Cache_Miss \n| render timechart ","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"48aa0383-62e4-11ea-9e82-c8348e025209","displayName":"Application rule log data","description":"Parses the application rule log data.","body":"AzureDiagnostics\n| where Category == \"AzureFirewallApplicationRule\"\n//this first parse statement is valid for all entries as they all start with this format\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePort:int * \n//Parse action as this is the same for all log lines \n| parse kind=regex flags=U msg_s with * \". Action\\\\: \" Action \"\\\\.\"\n// case1: Action: A. Reason: R.\n| parse kind=regex flags=U msg_s with \"\\\\. Reason\\\\: \" Reason \"\\\\.\"\n//case 2a: to FQDN:PORT Url: U. Action: A. Policy: P. Rule Collection Group: RCG. Rule Collection: RC. Rule: R.\n| parse msg_s with * \"to \" FQDN \":\" TargetPort:int * \".\" *\n//Parse policy if present\n| parse msg_s with * \". Policy: \" Policy \". 
Rule Collection Group: \" RuleCollectionGroup \".\" *\n| parse msg_s with * \" Rule Collection: \" RuleCollection \". Rule: \" Rule\n//case 2.b: Web Category: WC.\n| parse Rule with * \". Web Category: \" WebCategory\n//case 3: No rule matched. Proceeding with default action\"\n| extend DefaultRule = iff(msg_s contains \"No rule matched. Proceeding with default action\", true, false)\n| extend \nSourcePort = tostring(SourcePort),\nTargetPort = tostring(TargetPort)\n| extend \n Action = case(Action == \"\",\"N/A\", case(DefaultRule, \"Deny\" ,Action)),\n FQDN = case(FQDN == \"\", \"N/A\", FQDN),\n TargetPort = case(TargetPort == \"\", \"N/A\", tostring(TargetPort)),\n Policy = case(RuleCollection contains \":\", split(RuleCollection, \":\")[0] ,case(Policy == \"\", \"N/A\", Policy)),\n RuleCollectionGroup = case(RuleCollection contains \":\", split(RuleCollection, \":\")[1], case(RuleCollectionGroup == \"\", \"N/A\", RuleCollectionGroup)),\n RuleCollection = case(RuleCollection contains \":\", split(RuleCollection, \":\")[2], case(RuleCollection == \"\", \"N/A\", RuleCollection)),\n WebCategory = case(WebCategory == \"\", \"N/A\", WebCategory),\n Rule = case(Rule == \"\" , \"N/A\", case(WebCategory == \"N/A\", Rule, split(Rule, '.')[0])),\n Reason = case(Reason == \"\", case(DefaultRule, \"No rule matched - default action\", \"N/A\"), Reason )\n| project TimeGenerated, msg_s, Protocol, SourceIP, SourcePort, FQDN, TargetPort, Action, Policy, RuleCollectionGroup, RuleCollection, Rule, Reason ,WebCategory","tags":{"Topic":["Firewall Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network","security"],"resourceTypes":["microsoft.network/azurefirewalls"]}},{"id":"48b065a4-62e4-11ea-930c-c8348e025209","displayName":"Network rule log data","description":"Parses the network rule log data.","body":"AzureDiagnostics\n| where Category == \"AzureFirewallNetworkRule\"\n| where OperationName == 
\"AzureFirewallNatRuleLog\" or OperationName == \"AzureFirewallNetworkRuleLog\"\n//case 1: for records that look like this:\n//PROTO request from IP:PORT to IP:PORT.\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int *\n//case 1a: for regular network rules\n| parse kind=regex flags=U msg_s with * \". Action\\\\: \" Action1a \"\\\\.\"\n//case 1b: for NAT rules\n//TCP request from IP:PORT to IP:PORT was DNAT'ed to IP:PORT\n| parse msg_s with * \" was \" Action1b:string \" to \" TranslatedDestination:string \":\" TranslatedPort:int *\n//Parse rule data if present\n| parse msg_s with * \". Policy: \" Policy \". Rule Collection Group: \" RuleCollectionGroup \".\" *\n| parse msg_s with * \" Rule Collection: \" RuleCollection \". Rule: \" Rule \n//case 2: for ICMP records\n//ICMP request from 10.0.2.4 to 10.0.3.4. Action: Allow\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action: \" Action2\n| extend\nSourcePort = tostring(SourcePortInt),\nTargetPort = tostring(TargetPortInt)\n| extend \n Action = case(Action1a == \"\", case(Action1b == \"\",Action2,Action1b), split(Action1a,\".\")[0]),\n Protocol = case(Protocol == \"\", Protocol2, Protocol),\n SourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),\n TargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),\n //ICMP records don't have port information\n SourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),\n TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort),\n //Regular network rules don't have a DNAT destination\n TranslatedDestination = case(TranslatedDestination == \"\", \"N/A\", TranslatedDestination), \n TranslatedPort = case(isnull(TranslatedPort), \"N/A\", tostring(TranslatedPort)),\n //Rule information\n Policy = case(Policy == \"\", \"N/A\", Policy),\n RuleCollectionGroup = case(RuleCollectionGroup == \"\", \"N/A\", RuleCollectionGroup ),\n RuleCollection = case(RuleCollection == \"\", 
\"N/A\", RuleCollection ),\n Rule = case(Rule == \"\", \"N/A\", Rule)\n| project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action, TranslatedDestination, TranslatedPort, Policy, RuleCollectionGroup, RuleCollection, Rule","tags":{"Topic":["Firewall Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network","security"],"resourceTypes":["microsoft.network/azurefirewalls"]}},{"id":"48b192a3-62e4-11ea-89fd-c8348e025209","displayName":"Threat Intelligence rule log data","description":"Parses the Threat Intelligence rule log data.","body":"AzureDiagnostics\n| where OperationName == \"AzureFirewallThreatIntelLog\"\n| parse msg_s with Protocol \" request from \" SourceIP \":\" SourcePortInt:int \" to \" TargetIP \":\" TargetPortInt:int *\n| parse msg_s with * \". Action: \" Action \".\" Message\n| parse msg_s with Protocol2 \" request from \" SourceIP2 \" to \" TargetIP2 \". Action: \" Action2\n| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt)\n| extend Protocol = case(Protocol == \"\", Protocol2, Protocol),SourceIP = case(SourceIP == \"\", SourceIP2, SourceIP),TargetIP = case(TargetIP == \"\", TargetIP2, TargetIP),SourcePort = case(SourcePort == \"\", \"N/A\", SourcePort),TargetPort = case(TargetPort == \"\", \"N/A\", TargetPort)\n| sort by TimeGenerated desc \r\n| project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action,Message","tags":{"Topic":["Firewall Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network","security"],"resourceTypes":["microsoft.network/azurefirewalls"]}},{"id":"8b7ea3bd-0571-0eec-1a82-605a44e00989","displayName":"Azure Firewall log data","description":"Start from this query if you want to parse the logs from network rules, application rules, NAT rules, IDS, threat intelligence and more to understand why certain traffic was allowed or 
denied. This query will show the last 100 log records but by adding simple filter statements at the end of the query the results can be tweaked.","body":"// Parses the azure firewall rule log data. \r\n// Includes network rules, application rules, threat intelligence, ips/ids, ...\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallNetworkRule\" or Category == \"AzureFirewallApplicationRule\"\r\n//optionally apply filters to only look at a certain type of log data\r\n//| where OperationName == \"AzureFirewallNetworkRuleLog\"\r\n//| where OperationName == \"AzureFirewallNatRuleLog\"\r\n//| where OperationName == \"AzureFirewallApplicationRuleLog\"\r\n//| where OperationName == \"AzureFirewallIDSLog\"\r\n//| where OperationName == \"AzureFirewallThreatIntelLog\"\r\n| extend msg_original = msg_s\r\n// normalize data so it's eassier to parse later\r\n| extend msg_s = replace(@'. Action: Deny. Reason: SNI TLS extension was missing.', @' to no_data:no_data. Action: Deny. Rule Collection: default behavior. Rule: SNI TLS extension missing', msg_s)\r\n| extend msg_s = replace(@'No rule matched. Proceeding with default action', @'Rule Collection: default behavior. Rule: no rule matched', msg_s)\r\n// extract web category, then remove it from further parsing\r\n| parse msg_s with * \" Web Category: \" WebCategory\r\n| extend msg_s = replace(@'(. Web Category:).*','', msg_s)\r\n// extract RuleCollection and Rule information, then remove it from further parsing\r\n| parse msg_s with * \". Rule Collection: \" RuleCollection \". Rule: \" Rule\r\n| extend msg_s = replace(@'(. Rule Collection:).*','', msg_s)\r\n// extract Rule Collection Group information, then remove it from further parsing\r\n| parse msg_s with * \". Rule Collection Group: \" RuleCollectionGroup\r\n| extend msg_s = replace(@'(. Rule Collection Group:).*','', msg_s)\r\n// extract Policy information, then remove it from further parsing\r\n| parse msg_s with * \". 
Policy: \" Policy\r\n| extend msg_s = replace(@'(. Policy:).*','', msg_s)\r\n// extract IDS fields, for now it's always add the end, then remove it from further parsing\r\n| parse msg_s with * \". Signature: \" IDSSignatureIDInt \". IDS: \" IDSSignatureDescription \". Priority: \" IDSPriorityInt \". Classification: \" IDSClassification\r\n| extend msg_s = replace(@'(. Signature:).*','', msg_s)\r\n// extra NAT info, then remove it from further parsing\r\n| parse msg_s with * \" was DNAT'ed to \" NatDestination\r\n| extend msg_s = replace(@\"( was DNAT'ed to ).*\",\". Action: DNAT\", msg_s)\r\n// extract Threat Intellingence info, then remove it from further parsing\r\n| parse msg_s with * \". ThreatIntel: \" ThreatIntel\r\n| extend msg_s = replace(@'(. ThreatIntel:).*','', msg_s)\r\n// extract URL, then remove it from further parsing\r\n| extend URL = extract(@\"(Url: )(.*)(\\. Action)\",2,msg_s)\r\n| extend msg_s=replace(@\"(Url: .*)(Action)\",@\"\\2\",msg_s)\r\n// parse remaining \"simple\" fields\r\n| parse msg_s with Protocol \" request from \" SourceIP \" to \" Target \". 
Action: \" Action\r\n| extend \r\n SourceIP = iif(SourceIP contains \":\",strcat_array(split(SourceIP,\":\",0),\"\"),SourceIP),\r\n SourcePort = iif(SourceIP contains \":\",strcat_array(split(SourceIP,\":\",1),\"\"),\"\"),\r\n Target = iif(Target contains \":\",strcat_array(split(Target,\":\",0),\"\"),Target),\r\n TargetPort = iif(SourceIP contains \":\",strcat_array(split(Target,\":\",1),\"\"),\"\"),\r\n Action = iif(Action contains \".\",strcat_array(split(Action,\".\",0),\"\"),Action),\r\n Policy = case(RuleCollection contains \":\", split(RuleCollection, \":\")[0] ,Policy),\r\n RuleCollectionGroup = case(RuleCollection contains \":\", split(RuleCollection, \":\")[1], RuleCollectionGroup),\r\n RuleCollection = case(RuleCollection contains \":\", split(RuleCollection, \":\")[2], RuleCollection),\r\n IDSSignatureID = tostring(IDSSignatureIDInt),\r\n IDSPriority = tostring(IDSPriorityInt)\r\n| project msg_original,TimeGenerated,Protocol,SourceIP,SourcePort,Target,TargetPort,URL,Action, NatDestination, OperationName,ThreatIntel,IDSSignatureID,IDSSignatureDescription,IDSPriority,IDSClassification,Policy,RuleCollectionGroup,RuleCollection,Rule,WebCategory\r\n| order by TimeGenerated\r\n| limit 100","tags":{"Topic":["Firewall Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network","security"],"resourceTypes":["microsoft.network/azurefirewalls"]}},{"id":"acaaa91b-7585-2e37-9930-d455f72013e5","displayName":"Azure Firewall DNS proxy log data","description":"Start from this query if you want to understand the Firewall DNS proxy log data. This query will show the last 100 log records but by adding simple filter statements at the end of the query the results can be tweaked.","body":"// DNS proxy log data \r\n// Parses the DNS proxy log data. 
\r\nAzureDiagnostics\r\n| where Category == \"AzureFirewallDnsProxy\"\r\n| parse msg_s with \"DNS Request: \" SourceIP \":\" SourcePortInt:int \" - \" QueryID:int \" \" RequestType \" \" RequestClass \" \" hostname \". \" protocol \" \" details\r\n| extend\r\n ResponseDuration = extract(\"[0-9]*.?[0-9]+s$\", 0, msg_s),\r\n SourcePort = tostring(SourcePortInt),\r\n QueryID = tostring(QueryID)\r\n| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s\r\n| order by TimeGenerated\r\n| limit 100","tags":{"Topic":["Firewall Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network","security"],"resourceTypes":["microsoft.network/azurefirewalls"]}},{"id":"758fc257-7359-11ea-9fad-c8348e02520c","displayName":"Show the application logs which contain the \"error\" or \"exception\" terms","description":"Show the application logs which contain the \"error\" or \"exception\" terms in the last hour.","body":"// To create an alert for this query, click '+ New alert rule'\nAppPlatformLogsforSpring\n| where TimeGenerated > ago(1h)\n| where Log contains \"error\" or Log contains \"exception\"\n| project TimeGenerated , ServiceName , AppName , InstanceName , Log , _ResourceId ","tags":{"Topic":["App Logs","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.appplatform/spring"]}},{"id":"759342e9-7359-11ea-bb5a-c8348e02520c","displayName":"Show the error and exception number of each application","description":"Show a pie chart of the number of the logs containing the \"error\" or \"exception\" terms in the last 24 hours, per application.","body":"// To create an alert for this query, click '+ New alert rule'\nAppPlatformLogsforSpring \n| where TimeGenerated > ago(24h)\n| where Log contains \"error\" or Log contains \"exception\"\n| extend FullAppName = strcat(ServiceName, \"/\", AppName)\n| 
summarize count_per_app = count() by FullAppName, ServiceName, AppName, _ResourceId\n| sort by count_per_app desc \n| render piechart","tags":{"Topic":["App Logs","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.appplatform/spring"]}},{"id":"7593b6c0-7359-11ea-88c8-c8348e02520c","displayName":"Show the config server logs","description":"View config server logs of level warn and error.","body":"AppPlatformSystemLogs \n| where LogType == \"ConfigServer\" and Level in (\"WARN\", \"ERROR\")\n| project TimeGenerated , Level , ServiceName , Thread , Stack , Log , _ResourceId \n| limit 100","tags":{"Topic":["System Logs","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.appplatform/spring"]}},{"id":"8393bf25-50e9-e88d-23b3-afabe2d845e9","displayName":"Show the service registry logs","description":"View service registry logs of level warn and error for all tiers.","body":"AppPlatformSystemLogs \n| where LogType == \"ServiceRegistry\" and Level in (\"WARN\", \"ERROR\")\n| project TimeGenerated , Level , ServiceName , Thread , Stack , Log , _ResourceId \n| limit 100","tags":{"Topic":["System Logs","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.appplatform/spring"]}},{"id":"6b63ba82-9e35-babe-0386-96b648bb1a56","displayName":"Show the Spring Cloud Gateway logs","description":"View Spring Cloud Gateway logs for Enterprise tiers.","body":"AppPlatformSystemLogs \n| where LogType == \"SpringCloudGateway\"\n| project TimeGenerated , ServiceName , Log , _ResourceId \n| limit 100","tags":{"Topic":["System 
Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.appplatform/spring"]}},{"id":"d1a21eb9-4d9e-0e21-a81d-7e78dc488f84","displayName":"Show the API portal logs","description":"View API portal logs for Enterprise tiers.","body":"AppPlatformSystemLogs \n| where LogType == \"ApiPortal\"\n| project TimeGenerated , ServiceName , Log , _ResourceId \n| limit 100","tags":{"Topic":["System Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.appplatform/spring"]}},{"id":"c6f0918a-a022-4273-9737-05312ae54211","displayName":"Show the Application Configuration Service logs","description":"View Application Configuration Service logs for Enterprise tiers.","body":"AppPlatformSystemLogs \n| where LogType == \"ApplicationConfigurationService\"\n| project TimeGenerated , ServiceName , Log , _ResourceId \n| limit 100","tags":{"Topic":["System Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.appplatform/spring"]}},{"id":"bfdd0f36-f300-425f-b149-65c21f652297","displayName":"Show the Spring Cloud Gateway operator logs","description":"View Spring Cloud Gateway operator logs for Enterprise tiers.","body":"AppPlatformSystemLogs \n| where LogType == \"SpringCloudGatewayOperator\"\n| project TimeGenerated , ServiceName , Log , _ResourceId \n| limit 100","tags":{"Topic":["System Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.appplatform/spring"]}},{"id":"590ef5ae-7354-11ea-8b23-c8348e02520c","displayName":"Show login events reported over the last hour","description":"A list of login event logs, sorted by time (earliest logs shown first).","body":"ContainerRegistryLoginEvents\n| where 
TimeGenerated > ago(1h)\n| sort by TimeGenerated asc","tags":{"Topic":["App Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container"],"resourceTypes":["microsoft.containerregistry/registries"]}},{"id":"96578d25-6dbf-475c-a6fd-adcafd97a138","displayName":"Which tables have logs?","description":"Lists all tables that contain logs.","body":"// If no results were found, try selecting another time range using the Time Picker in the top bar\nunion withsource = Tables *\n| where TimeGenerated > ago(24h)\n| distinct Tables","tags":{"Topic":["Preview Data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerregistry/registries"]}},{"id":"5911dbf1-7354-11ea-b34d-c8348e02520c","displayName":"Show registry events reported over the last hour","description":"A list of registry event logs, sorted by time (earliest logs shown first).","body":"ContainerRegistryRepositoryEvents\n| where TimeGenerated > ago(1h)\n| sort by TimeGenerated asc","tags":{"Topic":["App Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container"],"resourceTypes":["microsoft.containerregistry/registries"]}},{"id":"1b37f929-735e-11ea-b6cc-c8348e02520c","displayName":"Distribution of Backup Jobs by Status","description":"View the number of completed and failed Backup Jobs in the selected time range.","body":"AddonAzureBackupJobs\n//Get all Backup Jobs\n| where JobOperation == \"Backup\"\n//Remove duplicate records if any\n| summarize arg_max(TimeGenerated, *) by JobUniqueId\n//Summarize by Job Status\n| summarize count(JobUniqueId) by 
JobStatus","tags":{"Topic":["Jobs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.recoveryservices/vaults"]}},{"id":"1b3a3fbb-735e-11ea-a165-c8348e02520c","displayName":"Distribution of Restore Jobs by Status","description":"View the number of completed and failed Restore Jobs in the selected time range.","body":"AddonAzureBackupJobs\n//Get all Restore Jobs\n| where JobOperation in~ (\"Restore\",\"Recovery\") \n//Remove duplicate records if any\n| summarize arg_max(TimeGenerated, *) by JobUniqueId\n//Summarize by Job Status\n| summarize count(JobUniqueId) by JobStatus","tags":{"Topic":["Jobs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.recoveryservices/vaults"]}},{"id":"1b3ab4e9-735e-11ea-bd69-c8348e02520c","displayName":"All Successful Jobs","description":"View all successful jobs in the selected time range.","body":"AddonAzureBackupJobs\n| summarize arg_max(TimeGenerated,*) by JobUniqueId\n| where JobStatus == \"Completed\" ","tags":{"Topic":["Jobs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.recoveryservices/vaults"]}},{"id":"1b3c1ae5-735e-11ea-9058-c8348e02520c","displayName":"All Failed Jobs","description":"View all failed jobs in the selected time range.","body":"// To create an alert for this query, click '+ New alert rule'\nAddonAzureBackupJobs\n| summarize arg_max(TimeGenerated,*) by JobUniqueId\n| where JobStatus == \"Failed\"","tags":{"Topic":["Jobs","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.recoveryservices/vaults"]}},{"id":"1b3c664d-735e-11ea-8315-c8348e02520c","displayName":"Cloud Storage Consumed per Backup Item","description":"View the total Cloud 
Storage consumed by each Backup Item.","body":"// To create an alert for this query, click '+ New alert rule'\nCoreAzureBackup\n//Get all Backup Items\n| where OperationName == \"BackupItem\"\n//Get distinct Backup Items\n| distinct BackupItemUniqueId, BackupItemFriendlyName, _ResourceId\n| join kind=leftouter(AddonAzureBackupStorage\n| where OperationName == \"StorageAssociation\"\n//Get latest record for each Backup Item\n| summarize arg_max(TimeGenerated, *) by BackupItemUniqueId \n| project BackupItemUniqueId , StorageConsumedInMBs) on BackupItemUniqueId\n| project BackupItemUniqueId , BackupItemFriendlyName , StorageConsumedInMBs, _ResourceId \n| sort by StorageConsumedInMBs desc ","tags":{"Topic":["Usage","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.recoveryservices/vaults"]}},{"id":"1b3cdc20-735e-11ea-a43a-c8348e02520c","displayName":"Trend of total Cloud Storage consumed","description":"View the daily trend of total (cumulative) Cloud Storage consumed.","body":"// To create an alert for this query, click '+ New alert rule'\nAddonAzureBackupStorage\n| where OperationName == \"StorageAssociation\"\n//Get total Cloud Storage being consumed per Backup Item at the end of each day\n| summarize TotalStoragePerBackupItemPerDay=sum(StorageConsumedInMBs) by BackupItemUniqueId, Day=bin(TimeGenerated,1d), ResourceId\n//Get total Cloud Storage being consumed at the end of each day\n| summarize TotalStorage=sum(TotalStoragePerBackupItemPerDay) by Day, ResourceId\n| sort by Day asc\n| render timechart","tags":{"Topic":["Usage","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.recoveryservices/vaults"]}},{"id":"1b3e105a-735e-11ea-bc03-c8348e02520c","displayName":"Policies with retention duration modified","description":"Find out if the retention duration of 
any policy has been modified in the selected time range.","body":"//Get all Policies by Vault and Retention Duration, at the start of the selected time range.\nlet PoliciesAtStartOfPeriod = AddonAzureBackupPolicy\n| where OperationName == \"Policy\" \n| summarize arg_min(TimeGenerated, *) by PolicyUniqueId,ResourceId \n| project PolicyUniqueId, ResourceId, DailyRetentionDuration1=DailyRetentionDuration, WeeklyRetentionDuration1=WeeklyRetentionDuration, MonthlyRetentionDuration1=MonthlyRetentionDuration, YearlyRetentionDuration1=YearlyRetentionDuration;\n//Get all Policies by Vault and Retention Duration, at the end of the selected time range\nlet PoliciesAtEndOfPeriod = AddonAzureBackupPolicy\n| where OperationName == \"Policy\"\n| summarize arg_max(TimeGenerated, *) by PolicyUniqueId,ResourceId\n| project PolicyUniqueId, ResourceId, DailyRetentionDuration2=DailyRetentionDuration, WeeklyRetentionDuration2=WeeklyRetentionDuration, MonthlyRetentionDuration2=MonthlyRetentionDuration, YearlyRetentionDuration2=YearlyRetentionDuration;\n//Get all Policies for which Daily/Weekly/Monthly/Yearly Retention Duration has been modified in the selected time range\nPoliciesAtStartOfPeriod\n| join (PoliciesAtEndOfPeriod) on PolicyUniqueId, ResourceId\n | where DailyRetentionDuration1!=DailyRetentionDuration2 or WeeklyRetentionDuration1!=WeeklyRetentionDuration2 or MonthlyRetentionDuration1!=MonthlyRetentionDuration2 or YearlyRetentionDuration1!=YearlyRetentionDuration2","tags":{"Topic":["Backup Settings Changes"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management","security"],"resourceTypes":["microsoft.recoveryservices/vaults"]}},{"id":"1b3ead6e-735e-11ea-9bb2-c8348e02520c","displayName":"Backup Items with Protection Status modified","description":"Find out if the protection status for any Backup Item has been modified in the selected time range.","body":"//Get Backup Items and their Protection State at the start of 
the selected time range.\nlet BackupItemsAtStartOfPeriod = CoreAzureBackup\n| where OperationName == \"BackupItem\" \n| summarize arg_min(TimeGenerated, *) by BackupItemUniqueId \n| project BackupItemUniqueId , OldProtectionState=BackupItemProtectionState;\n//Get Backup Items and their Protection State at the end of the selected time range.\nlet BackupItemsAtEndOfPeriod = CoreAzureBackup \n| where OperationName == \"BackupItem\" \n| summarize arg_max(TimeGenerated, *) by BackupItemUniqueId \n| project BackupItemUniqueId , NewProtectionState=BackupItemProtectionState;\n//List Backup Items for which Protection State has been modified in the selected time range.\nBackupItemsAtStartOfPeriod \n| join (BackupItemsAtEndOfPeriod) on BackupItemUniqueId \n| where OldProtectionState != NewProtectionState","tags":{"Topic":["Backup Settings Changes"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management","security"],"resourceTypes":["microsoft.recoveryservices/vaults"]}},{"id":"1b3f2289-735e-11ea-b431-c8348e02520c","displayName":"Backup Items by Vault and Backup item type","description":"View the different types of items being backed up.","body":"CoreAzureBackup\n//get all backup items\n| where OperationName == \"BackupItem\"\n//remove duplicate records if any\n| summarize arg_max(TimeGenerated, *) by BackupItemUniqueId, ResourceId\n// summarize backup items by type\n| summarize NumberOfItems=count(BackupItemUniqueId) by BackupItemType","tags":{"Topic":["Backup Items"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.recoveryservices/vaults"]}},{"id":"67756e5c-735e-11ea-a1fc-c8348e02520c","displayName":"Storage on managed instances above 90%","description":"Display all managed instances with storage utilization above 90%.","body":"// To create an alert for this query, click '+ New alert rule'\nlet 
storage_percentage_threshold = 90;\nAzureDiagnostics\n| where Category ==\"ResourceUsageStats\"\n| summarize (TimeGenerated, calculated_storage_percentage) = arg_max(TimeGenerated, todouble(storage_space_used_mb_s) *100 / todouble (reserved_storage_mb_s))\n by _ResourceId\n| where calculated_storage_percentage > storage_percentage_threshold","tags":{"Topic":["Utilization","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.sql/managedinstances"]}},{"id":"67787b98-735e-11ea-8214-c8348e02520c","displayName":"CPU utilization threshold above 95% on managed instances","description":"Display all managed instances whose CPU utilization exceeded the 95% threshold.","body":"// To create an alert for this query, click '+ New alert rule'\nlet cpu_percentage_threshold = 95;\nlet time_threshold = ago(1h);\nAzureDiagnostics\n| where Category == \"ResourceUsageStats\" and TimeGenerated > time_threshold\n| summarize avg_cpu = max(todouble(avg_cpu_percent_s)) by _ResourceId\n| where avg_cpu > cpu_percentage_threshold","tags":{"Topic":["Utilization","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.sql/managedinstances"]}},{"id":"6778f0c8-735e-11ea-9bcd-c8348e02520c","displayName":"Display all active intelligent insights","description":"Display all active performance issues detected by intelligent insights. 
Please note that the SQLInsights log needs to be enabled for each monitored database.","body":"AzureDiagnostics\n| where Category == \"SQLInsights\" and status_s == \"Active\"\n| distinct rootCauseAnalysis_s","tags":{"Topic":["Intelligent insights"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.sql/managedinstances"]}},{"id":"67798d1e-735e-11ea-9066-c8348e02520c","displayName":"Workload continuously hitting CPU limits","description":"Intelligent Insights reports that detect the workload behavior as continuously hitting CPU limits. Please note that the SQLInsights log needs to be enabled for each monitored database.","body":"let alert_run_interval = 1h;\nlet insights_string = \"hitting its CPU limits\";\nAzureDiagnostics\n| where Category == \"SQLInsights\" and status_s == \"Active\"\n| where TimeGenerated > ago(alert_run_interval)\n| where rootCauseAnalysis_s contains insights_string\n| distinct _ResourceId","tags":{"Topic":["Intelligent insights"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.sql/managedinstances"]}},{"id":"bc0bf95e-735e-11ea-926d-c8348e02520c","displayName":"Consumed RU/s in last 24 hours","description":"Identify consumed RU/s on Cosmos databases and collections.","body":"// To create an alert for this query, click '+ New alert rule'\n//You can compare the RU/s consumption with your provisioned RU/s to determine if you should scale up or down RU/s based on your workload.\nAzureDiagnostics\n| where TimeGenerated >= ago(24hr)\n| where Category == \"DataPlaneRequests\"\n//| where collectionName_s == \"CollectionToAnalyze\" //Replace to target the query to a collection\n| summarize ConsumedRUsPerMinute = sum(todouble(requestCharge_s)) by collectionName_s, _ResourceId, bin(TimeGenerated, 1m)\n| project TimeGenerated , ConsumedRUsPerMinute , collectionName_s, 
_ResourceId\n| render timechart","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.documentdb/databaseaccounts"]}},{"id":"bc0edc14-735e-11ea-85a2-c8348e02520c","displayName":"Collections with throttles (429) in past 24 hours","description":"Identify collections and operations that have received 429 (throttles), which occur when consumed throughput (RU/s) exceeds provisioned throughput.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where TimeGenerated >= ago(24hr)\n| where Category == \"DataPlaneRequests\"\n| where statusCode_s == 429 \n| summarize numberOfThrottles = count() by databaseName_s, collectionName_s, requestResourceType_s, _ResourceId, bin(TimeGenerated, 1hr)\n| order by numberOfThrottles","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.documentdb/databaseaccounts"]}},{"id":"bc0f5421-735e-11ea-93cb-c8348e02520c","displayName":"Top operations by consumed Request Units (RUs) in last 24 hours","description":"Identify top operations on Cosmos resources by count and consumed RU per operation.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where TimeGenerated >= ago(24h)\n| where Category == \"DataPlaneRequests\"\n| summarize numberOfOperations = count(), totalConsumedRU = sum(todouble(requestCharge_s)) by databaseName_s, collectionName_s, OperationName, requestResourceType_s, requestResourceId_s, _ResourceId\n| extend averageRUPerOperation = totalConsumedRU / numberOfOperations \n| order by 
numberOfOperations","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.documentdb/databaseaccounts"]}},{"id":"bc0fc666-735e-11ea-9e0a-c8348e02520c","displayName":"Top queries by consumed Request Units (RUs) in last 24 hours","description":"Identify top queries on Cosmos resources by count and RU charge of each query.","body":"let queryRUChargeData = AzureDiagnostics\n| where Category == \"DataPlaneRequests\"\n| where OperationName == \"Query\"\n| project requestCharge_s, activityId_g, databaseName_s, collectionName_s, requestResourceType_s, requestResourceId_s, OperationName, TimeGenerated, callerId_s, clientIpAddress_s, userAgent_s;\nAzureDiagnostics\n| where Category == \"QueryRuntimeStatistics\"\n| join queryRUChargeData on $left.activityId_g == $right.activityId_g\n| summarize numberOfTimesRun = count(), totalConsumedRU = sum(todouble(requestCharge_s1)) by databaseName_s, collectionName_s, OperationName1, requestResourceType_s1, requestResourceId_s1, querytext_s, callerId_s1, clientIpAddress_s1, userAgent_s1, _ResourceId, bin(TimeGenerated1, 1min) //bin by 1 minute\n| extend averageRUPerExecution = totalConsumedRU / numberOfTimesRun\n| order by averageRUPerExecution desc","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.documentdb/databaseaccounts"]}},{"id":"bc1014e4-735e-11ea-8c7b-c8348e02520c","displayName":"Top logical partition keys by storage","description":"Identify largest logical partition key values. 
PartitionKeyStatistics will emit data for top logical partition keys by storage.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where Category == \"PartitionKeyStatistics\"\n//| where collectionName_s == \"CollectionToAnalyze\" //Replace to target the query to a collection\n| summarize arg_max(TimeGenerated, *) by databaseName_s, collectionName_s, partitionKey_s, _ResourceId //Get the latest storage size\n| extend utilizationOf20GBLogicalPartition = sizeKb_d / 20000000 //20GB\n| project TimeGenerated, databaseName_s , collectionName_s , partitionKey_s, sizeKb_d, utilizationOf20GBLogicalPartition, _ResourceId","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.documentdb/databaseaccounts"]}},{"id":"a5e5e3f2-773b-11ea-b11e-c8348e02520c","displayName":"Find logs reporting errors in automation jobs from the last day","description":"List all the errors in the automation jobs.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics \n| where ResourceProvider == \"MICROSOFT.AUTOMATION\" \n| where StreamType_s == \"Error\" \n| project TimeGenerated, Category, JobId_g, OperationName, RunbookName_s, ResultDescription, _ResourceId ","tags":{"Topic":["Automation Jobs","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.automation/automationaccounts"]}},{"id":"a5eac4ad-773b-11ea-83e6-c8348e02520c","displayName":"Azure Automation jobs that are failed, suspended, or stopped","description":"List all the automation jobs that failed , suspended or stopped.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics \n| where ResourceProvider == \"MICROSOFT.AUTOMATION\" and Category == \"JobLogs\" and (ResultType == \"Failed\" or ResultType 
== \"Stopped\" or ResultType == \"Suspended\") \n| project TimeGenerated , RunbookName_s , ResultType , _ResourceId , JobId_g","tags":{"Topic":["Automation Jobs","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.automation/automationaccounts"]}},{"id":"a5ee200a-773b-11ea-8e01-c8348e02520c","displayName":"Runbook completed successfully with errors","description":"List all jobs that completed with errors.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics \n| where ResourceProvider == \"MICROSOFT.AUTOMATION\" and Category == \"JobStreams\" and StreamType_s == \"Error\" \n| project TimeGenerated , RunbookName_s , StreamType_s , _ResourceId , ResultDescription , JobId_g ","tags":{"Topic":["Automation Jobs","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.automation/automationaccounts"]}},{"id":"a5efcdbd-773b-11ea-8034-c8348e02520c","displayName":"View historical job status","description":"List all automation jobs.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.AUTOMATION\" and Category == \"JobLogs\" and ResultType != \"started\"\n| summarize AggregatedValue = count() by ResultType, bin(TimeGenerated, 1h) , RunbookName_s , JobId_g, _ResourceId","tags":{"Topic":["Automation Jobs","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.automation/automationaccounts"]}},{"id":"a5f2180e-773b-11ea-a27d-c8348e02520c","displayName":"Azure Automation jobs that are Completed","description":"List all automation jobs that got completed.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics \n| where ResourceProvider == 
\"MICROSOFT.AUTOMATION\" and Category == \"JobLogs\" and ResultType == \"Completed\" \n| project TimeGenerated , RunbookName_s , ResultType , _ResourceId , JobId_g ","tags":{"Topic":["Automation Jobs","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.automation/automationaccounts"]}},{"id":"a5f28cd0-773b-11ea-8000-c8348e02520c","displayName":"Updates available for Windows machines","description":"List the Windows update KBIDs available by their classification and for each Computer.","body":"// To create an alert for this query, click '+ New alert rule'\nUpdate\n| where TimeGenerated>ago(14h) \n| where UpdateState =~ \"Needed\" and OSType != \"Linux\" \n| summarize by Computer, Classification, Product, KBID, ResourceId","tags":{"Topic":["Azure Update Management","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines","security"],"resourceTypes":["microsoft.automation/automationaccounts"]}},{"id":"a5f4136f-773b-11ea-90bb-c8348e02520c","displayName":"Updates available for Linux machines","description":"List the Linux package version updates available by their classification and for each Computer.","body":"// To create an alert for this query, click '+ New alert rule'\nUpdate\n| where TimeGenerated>ago(14h) \n| where UpdateState =~ \"Needed\" and OSType == \"Linux\" \n| summarize by Computer, Classification, Product, ProductVersion, ResourceId","tags":{"Topic":["Azure Update Management","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines","security"],"resourceTypes":["microsoft.automation/automationaccounts"]}},{"id":"a5f48946-773b-11ea-b628-c8348e02520c","displayName":"Summary of updates available across machines","description":"Count of updates available under various categories for each machine.","body":"// To 
create an alert for this query, click '+ New alert rule'\nUpdateSummary \n| where TimeGenerated>ago(14h) \n| summarize by Computer, CriticalUpdatesMissing, SecurityUpdatesMissing, OtherUpdatesMissing, TotalUpdatesMissing, ResourceId","tags":{"Topic":["Azure Update Management","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines","security"],"resourceTypes":["microsoft.automation/automationaccounts"]}},{"id":"a5f65d8f-773b-11ea-8092-c8348e02520c","displayName":"Patch installation failure for your machines","description":"List for each machine the installation status of the updates where the installation was not successful.","body":"// To create an alert for this query, click '+ New alert rule'\nUpdateRunProgress\n| where TimeGenerated>ago(1d) \n| where InstallationStatus == \"NotStarted\" \n| summarize by Title, InstallationStatus, SourceComputerId, UpdateId, Computer, ResourceId\n| join kind= inner (\n UpdateRunProgress\n | where TimeGenerated>ago(1d) \n | where InstallationStatus != \"NotStarted\" \n | summarize by Title, InstallationStatus, SourceComputerId, UpdateId, Computer\n) on UpdateId \n| where InstallationStatus1 != \"Succeed\"\n| summarize by Title, InstallationStatus, Computer, ResourceId\n","tags":{"Topic":["Azure Update Management","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines","security"],"resourceTypes":["microsoft.automation/automationaccounts"]}},{"id":"a5f6f9b3-773b-11ea-83b3-c8348e02520c","displayName":"Missing updates summary","description":"Get a summary of missing updates by category.","body":"Update\n| where TimeGenerated>ago(5h) and OSType==\"Linux\" and SourceComputerId in ((Heartbeat\n| where TimeGenerated>ago(12h) and OSType==\"Linux\" and notempty(Computer)\n| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId\n| where Solutions has \"updates\"\n| distinct 
SourceComputerId))\n| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification) by Computer, SourceComputerId, Product, ProductArch\n| where UpdateState=~\"Needed\"\n| summarize by Product, ProductArch, Classification\n| union (Update\n| where TimeGenerated>ago(14h) and OSType!=\"Linux\" and (Optional==false or Classification has \"Critical\" or Classification has \"Security\") and SourceComputerId in ((Heartbeat\n| where TimeGenerated>ago(12h) and OSType=~\"Windows\" and notempty(Computer)\n| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId\n| where Solutions has \"updates\"\n| distinct SourceComputerId))\n| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Approved) by Computer, SourceComputerId, UpdateID\n| where UpdateState=~\"Needed\" and Approved!=false\n| summarize by UpdateID, Classification )\n| summarize allUpdatesCount=count(), criticalUpdatesCount=countif(Classification has \"Critical\"), securityUpdatesCount=countif(Classification has \"Security\"), otherUpdatesCount=countif(Classification !has \"Critical\" and Classification !has \"Security\")","tags":{"Topic":["Azure Update Management"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.automation/automationaccounts"]}},{"id":"a5f795e5-773b-11ea-aa8e-c8348e02520c","displayName":"Computers list","description":"List of computers with Azure Update Management deployed.","body":"Heartbeat\n| where TimeGenerated>ago(12h) and OSType==\"Linux\" and notempty(Computer)\n| summarize arg_max(TimeGenerated, Solutions, Computer, ResourceId, ComputerEnvironment, VMUUID) by SourceComputerId\n| where Solutions has \"updates\"\n| extend vmuuId=VMUUID, azureResourceId=ResourceId, osType=1, environment=iff(ComputerEnvironment=~\"Azure\", 1, 2), scopedToUpdatesSolution=true, lastUpdateAgentSeenTime=\"\"\n| join kind=leftouter\n(\n Update\n | where 
TimeGenerated>ago(5h) and OSType==\"Linux\" and SourceComputerId in ((Heartbeat\n | where TimeGenerated>ago(12h) and OSType==\"Linux\" and notempty(Computer)\n | summarize arg_max(TimeGenerated, Solutions) by SourceComputerId\n | where Solutions has \"updates\"\n | distinct SourceComputerId))\n | summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Product, Computer, ComputerEnvironment) by SourceComputerId, Product, ProductArch\n | summarize Computer=any(Computer), ComputerEnvironment=any(ComputerEnvironment), missingCriticalUpdatesCount=countif(Classification has \"Critical\" and UpdateState=~\"Needed\"), missingSecurityUpdatesCount=countif(Classification has \"Security\" and UpdateState=~\"Needed\"), missingOtherUpdatesCount=countif(Classification !has \"Critical\" and Classification !has \"Security\" and UpdateState=~\"Needed\"), lastAssessedTime=max(TimeGenerated), lastUpdateAgentSeenTime=\"\" by SourceComputerId\n | extend compliance=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0, 2, 1)\n | extend ComplianceOrder=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0 or missingOtherUpdatesCount > 0, 1, 3)\n)\non SourceComputerId\n| project id=SourceComputerId, displayName=Computer, sourceComputerId=SourceComputerId, scopedToUpdatesSolution=true, missingCriticalUpdatesCount=coalesce(missingCriticalUpdatesCount, -1), missingSecurityUpdatesCount=coalesce(missingSecurityUpdatesCount, -1), missingOtherUpdatesCount=coalesce(missingOtherUpdatesCount, -1), compliance=coalesce(compliance, 4), lastAssessedTime, lastUpdateAgentSeenTime, osType=1, environment=iff(ComputerEnvironment=~\"Azure\", 1, 2), ComplianceOrder=coalesce(ComplianceOrder, 2)\n| union(Heartbeat\n| where TimeGenerated>ago(12h) and OSType=~\"Windows\" and notempty(Computer)\n| summarize arg_max(TimeGenerated, Solutions, Computer, ResourceId, ComputerEnvironment, VMUUID) by SourceComputerId\n| where Solutions has \"updates\"\n| 
extend vmuuId=VMUUID, azureResourceId=ResourceId, osType=2, environment=iff(ComputerEnvironment=~\"Azure\", 1, 2), scopedToUpdatesSolution=true, lastUpdateAgentSeenTime=\"\"\n| join kind=leftouter\n(\n Update\n | where TimeGenerated>ago(14h) and OSType!=\"Linux\" and SourceComputerId in ((Heartbeat\n | where TimeGenerated>ago(12h) and OSType=~\"Windows\" and notempty(Computer)\n | summarize arg_max(TimeGenerated, Solutions) by SourceComputerId\n | where Solutions has \"updates\"\n | distinct SourceComputerId))\n | summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Title, Optional, Approved, Computer, ComputerEnvironment) by Computer, SourceComputerId, UpdateID\n | summarize Computer=any(Computer), ComputerEnvironment=any(ComputerEnvironment), missingCriticalUpdatesCount=countif(Classification has \"Critical\" and UpdateState=~\"Needed\" and Approved!=false), missingSecurityUpdatesCount=countif(Classification has \"Security\" and UpdateState=~\"Needed\" and Approved!=false), missingOtherUpdatesCount=countif(Classification !has \"Critical\" and Classification !has \"Security\" and UpdateState=~\"Needed\" and Optional==false and Approved!=false), lastAssessedTime=max(TimeGenerated), lastUpdateAgentSeenTime=\"\" by SourceComputerId\n | extend compliance=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0, 2, 1)\n | extend ComplianceOrder=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0 or missingOtherUpdatesCount > 0, 1, 3)\n)\non SourceComputerId\n| project id=SourceComputerId, displayName=Computer, sourceComputerId=SourceComputerId, scopedToUpdatesSolution=true, missingCriticalUpdatesCount=coalesce(missingCriticalUpdatesCount, -1), missingSecurityUpdatesCount=coalesce(missingSecurityUpdatesCount, -1), missingOtherUpdatesCount=coalesce(missingOtherUpdatesCount, -1), compliance=coalesce(compliance, 4), lastAssessedTime, lastUpdateAgentSeenTime, osType=2, 
environment=iff(ComputerEnvironment=~\"Azure\", 1, 2), ComplianceOrder=coalesce(ComplianceOrder, 2))\n| order by ComplianceOrder asc, missingCriticalUpdatesCount desc, missingSecurityUpdatesCount desc, missingOtherUpdatesCount desc, displayName asc\n| project-away ComplianceOrder","tags":{"Topic":["Azure Update Management"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.automation/automationaccounts"]}},{"id":"a5fb8d87-773b-11ea-9f44-c8348e02520c","displayName":"Missing updates list","description":"Get a list of all updates that are missing.","body":"Update\n| where TimeGenerated>ago(5h) and OSType==\"Linux\" and SourceComputerId in ((Heartbeat\n| where TimeGenerated>ago(12h) and OSType==\"Linux\" and notempty(Computer)\n| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId\n| where Solutions has \"updates\"\n| distinct SourceComputerId))\n| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, BulletinUrl, BulletinID) by SourceComputerId, Product, ProductArch\n| where UpdateState=~\"Needed\"\n| project-away UpdateState, TimeGenerated\n| summarize computersCount=dcount(SourceComputerId, 2), ClassificationWeight=max(iff(Classification has \"Critical\", 4, iff(Classification has \"Security\", 2, 1))) by id=strcat(Product, \"_\", ProductArch), displayName=Product, productArch=ProductArch, classification=Classification, InformationId=BulletinID, InformationUrl=tostring(split(BulletinUrl, \";\", 0)[0]), osType=1\n| union(Update\n| where TimeGenerated>ago(14h) and OSType!=\"Linux\" and (Optional==false or Classification has \"Critical\" or Classification has \"Security\") and SourceComputerId in ((Heartbeat\n| where TimeGenerated>ago(12h) and OSType=~\"Windows\" and notempty(Computer)\n| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId\n| where Solutions has \"updates\"\n| distinct SourceComputerId))\n| summarize 
hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Title, KBID, PublishedDate, Approved) by Computer, SourceComputerId, UpdateID\n| where UpdateState=~\"Needed\" and Approved!=false\n| project-away UpdateState, Approved, TimeGenerated\n| summarize computersCount=dcount(SourceComputerId, 2), displayName=any(Title), publishedDate=min(PublishedDate), ClassificationWeight=max(iff(Classification has \"Critical\", 4, iff(Classification has \"Security\", 2, 1))) by id=strcat(UpdateID, \"_\", KBID), classification=Classification, InformationId=strcat(\"KB\", KBID), InformationUrl=iff(isnotempty(KBID), strcat(\"https://support.microsoft.com/kb/\", KBID), \"\"), osType=2)\n| sort by ClassificationWeight desc, computersCount desc, displayName asc\n| extend informationLink=(iff(isnotempty(InformationId) and isnotempty(InformationUrl), toobject(strcat('{ \"uri\": \"', InformationUrl, '\", \"text\": \"', InformationId, '\", \"target\": \"blank\" }')), toobject('')))\n| project-away ClassificationWeight, InformationId, InformationUrl","tags":{"Topic":["Azure Update Management"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.automation/automationaccounts"]}},{"id":"14b2fa58-8560-11ea-b457-c8348e02520c","displayName":"Successful tasks per job","description":"Provides the number of successful tasks per job.","body":"AzureDiagnostics\n| where OperationName==\"TaskCompleteEvent\"\n| where executionInfo_exitCode_d==0 // Your application may use an exit code other than 0 to denote a successful operation\n| summarize successfulTasks=count(id_s) by jobId=jobId_s","tags":{"Topic":["Tasks"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.batch/batchaccounts"]}},{"id":"7bbc0cff-8560-11ea-9ac3-c8348e02520c","displayName":"Failed tasks per job","description":"Lists failed 
tasks by parent job.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where OperationName==\"TaskFailEvent\"\n| summarize failedTaskList=make_list(id_s) by jobId=jobId_s, ResourceId","tags":{"Topic":["Tasks","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.batch/batchaccounts"]}},{"id":"7e6d856a-8560-11ea-9a95-c8348e02520c","displayName":"Task durations","description":"Gives the elapsed time of tasks in seconds, from task start to task complete.","body":"AzureDiagnostics\n| where OperationName==\"TaskCompleteEvent\"\n| extend taskId=id_s, ElapsedTime=datetime_diff('second', executionInfo_endTime_t, executionInfo_startTime_t) // For longer running tasks, consider changing 'second' to 'minute' or 'hour'\n| summarize taskList=make_list(taskId) by ElapsedTime","tags":{"Topic":["Tasks"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.batch/batchaccounts"]}},{"id":"837689e6-8560-11ea-9a45-c8348e02520c","displayName":"Pool resizes","description":"List resize times by pool and result code (success or failure).","body":"AzureDiagnostics\n| where OperationName==\"PoolResizeCompleteEvent\"\n| summarize operationTimes=make_list(startTime_s) by poolName=id_s, resultCode=resultCode_s","tags":{"Topic":["Pools"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.batch/batchaccounts"]}},{"id":"898689c9-8560-11ea-bb44-c8348e02520c","displayName":"Pool resize failures","description":"List pool resize failures by error code and time.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where OperationName==\"PoolResizeCompleteEvent\"\n| where resultCode_s==\"Failure\" // Filter only on failed pool resizes\n| 
summarize by poolName=id_s, resultCode=resultCode_s, resultMessage=resultMessage_s, operationTime=startTime_s, ResourceId","tags":{"Topic":["Pools","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.batch/batchaccounts"]}},{"id":"fa69eeb1-8569-11ea-8fe4-c8348e02520c","displayName":"Container Lifecycle Information","description":"List all of a container's lifecycle information.","body":"// Container Lifecycle Information \n// List all of a container's lifecycle information. \nContainerInventory\n| project Computer, Name, Image, ImageTag, ContainerState, CreatedTime, StartedTime, FinishedTime\n| top 200 by FinishedTime desc","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container","resources"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["ContainerInsights"]}},{"id":"59d1df0c-9f8c-4d39-88b2-9c649b110aa3","displayName":"Find a value in Container Logs Table","description":"** This query requires a parameter to run. The ContainerLog table holds log lines collected from the stdout and stderr streams of containers. This query finds rows in the ContainerLog table where LogEntry contains the specified string.","body":"//This qeury requires a parameter to work.\n//The ContainerLog table holds Log lines collected from stdout and stderr streams for containers.\n//Note: the query runs by default for the last 24 hours. 
Use the time pikcer to adjust time span for query\nlet FindString = \"\";//Please update term you would like to find in LogEntry here\nContainerLog \n| where LogEntry has FindString \n|take 100","tags":{"Topic":["Container Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["ContainerInsights"]}},{"id":"fa6b98ca-8569-11ea-9445-c8348e02520c","displayName":"Kubernetes events","description":"Lists all the Kubernetes events.","body":"KubeEvents\n| where TimeGenerated > ago(7d) \n| where not(isempty(Namespace))\n| top 200 by TimeGenerated desc","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container","resources"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["ContainerInsights"]}},{"id":"fa6be679-8569-11ea-82ff-c8348e02520c","displayName":"Image inventory","description":"Lists all the container image with their status.","body":"ContainerImageInventory\n| summarize AggregatedValue = count() by Image, ImageTag, Running, _ResourceId","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container","resources"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["ContainerInsights"]}},{"id":"fa6c348e-8569-11ea-9b4a-c8348e02520c","displayName":"Container CPU","description":"View all the container CPU usage averaged over 30mins.","body":"// To create an alert for this query, click '+ New alert rule'\n//Select the Line chart display option: can we calculate percentage?\nPerf\n| where ObjectName == \"K8SContainer\" and CounterName == \"cpuUsageNanoCores\"\n| summarize AvgCPUUsageNanoCores = avg(CounterValue) by bin(TimeGenerated, 30m), InstanceName, 
_ResourceId","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container","resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"fa6c82a3-8569-11ea-8c6c-c8348e02520c","displayName":"Container memory","description":"View container memory (RSS bytes) usage averaged over 30-minute intervals.","body":"// To create an alert for this query, click '+ New alert rule'\n//Select the Line chart display option: can we calculate percentage?\nlet threshold = 75000000; // choose a threshold \nPerf\n| where ObjectName == \"K8SContainer\" and CounterName == \"memoryRssBytes\"\n| summarize AvgUsedRssMemoryBytes = avg(CounterValue) by bin(TimeGenerated, 30m), InstanceName, _ResourceId\n| where AvgUsedRssMemoryBytes > threshold \n| render timechart","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container","resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"fa6cf7e0-8569-11ea-9523-c8348e02520c","displayName":"Maximum node disk ","description":"Max node disk usage averaged over 30 mins intervals.","body":"// To create an alert for this query, click '+ New alert rule'\n//InsightMetrics contains all the custom metrics for Container Insights solution\nInsightsMetrics // Replace Name with your custom metric\n| where Name == \"used_percent\" and Namespace == \"container.azm.ms/disk\" \n| summarize val= max(Val) by bin(TimeGenerated, 15m), _ResourceId\n| render timechart","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container","resources"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["ContainerInsights"]}},{"id":"fa6d45fc-8569-11ea-9289-c8348e02520c","displayName":"Billable Log Data per-namespace","description":"See container logs 
billable data for the last 7d, segregated by namespace.","body":"let billableTimeView = 7d; // Set the requested time - 30d can take some time. \nContainerLog\n|join(KubePodInventory | where TimeGenerated > startofday(ago(billableTimeView)))\non ContainerID\n|where TimeGenerated > startofday(ago(billableTimeView))\n| summarize Total=sum(_BilledSize)/ 1000 by bin(TimeGenerated, 1d), Namespace","tags":{"Topic":["Costing"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container","resources"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["ContainerInsights"]}},{"id":"fa6e5843-8569-11ea-8d4b-c8348e02520c","displayName":"Billable Log Data by log-type","description":"See container logs billable data for the last 7d ,segregated by log-type.","body":"// Set the requested time, anytime greater than 15d can take longer\nlet billableTimeView = 7d; \n//Join ContainerLog on KubePodInventory for LogEntry source\nContainerLog\n| join(KubePodInventory | where TimeGenerated > startofday(ago(billableTimeView)))on ContainerID\n| where TimeGenerated > startofday(ago(billableTimeView))\n| summarize Total=sum(_BilledSize)/ 1000 by bin(TimeGenerated, 1d), LogEntrySource","tags":{"Topic":["Costing"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container","resources"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["ContainerInsights"]}},{"id":"fa6eccc5-8569-11ea-9088-c8348e02520c","displayName":"Container Insight solution billable data","description":"See total billable data from Container Insights solution.","body":"//This includes billable data for all solutions in the workspace, see for Container Insights solution\nUsage\n| where TimeGenerated > startofday(ago(30d))\n| where IsBillable == true\n| summarize TotalVolumeGB = sum(Quantity) / 1000 by bin(TimeGenerated, 1d), Solution\n| render 
barchart","tags":{"Topic":["Costing"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container","resources"],"solutions":["ContainerInsights"]}},{"id":"fa6f41c2-8569-11ea-98c6-c8348e02520c","displayName":"Prometheus disk read per second per node","description":"View Prometheus disk read metrics from the default kubernetes namespace as timechart.","body":"// To create an alert for this query, click '+ New alert rule'\n// Update TimeGenerated field for custom time range\nInsightsMetrics\n| where Namespace == 'container.azm.ms/diskio'\n| where TimeGenerated > ago(1h)\n| where Name == 'reads'\n| extend Tags = todynamic(Tags)\n| extend HostName = tostring(Tags.hostName), Device = Tags.name\n| extend NodeDisk = strcat(Device, \"/\", HostName)\n| order by NodeDisk asc, TimeGenerated asc\n| serialize //calculating the PreVal, PrevTimeGenerated to render the chart.\n| extend PrevVal = iif(prev(NodeDisk) != NodeDisk, 0.0, prev(Val)), PrevTimeGenerated = iif(prev(NodeDisk) != NodeDisk, datetime(null), prev(TimeGenerated))\n| where isnotnull(PrevTimeGenerated) and PrevTimeGenerated != TimeGenerated\n//Calculating the rate for disk using PreVal\n| extend Rate = iif(PrevVal > Val, Val / (datetime_diff('Second', TimeGenerated, PrevTimeGenerated) * 1), iif(PrevVal == Val, 0.0, (Val - PrevVal) / (datetime_diff('Second', TimeGenerated, PrevTimeGenerated) * 1)))\n| where isnotnull(Rate)\n| project TimeGenerated, NodeDisk, Rate, _ResourceId\n| render timechart","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container","workloads","resources"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["ContainerInsights"]}},{"id":"fa6f8fde-8569-11ea-a8f6-c8348e02520c","displayName":"Avg node CPU usage percentage per minute ","description":"For your cluster view avg node CPU usage percentage per minute over the last 
hour.","body":"// To create an alert for this query, click '+ New alert rule'\n//Modify the startDateTime & endDateTime to customize the timerange\nlet endDateTime = now();\nlet startDateTime = ago(1h);\nlet trendBinSize = 1m;\nlet capacityCounterName = 'cpuCapacityNanoCores';\nlet usageCounterName = 'cpuUsageNanoCores';\nKubeNodeInventory\n| where TimeGenerated = startDateTime\n// cluster filter would go here if multiple clusters are reporting to the same Log Analytics workspace\n| distinct ClusterName, Computer, _ResourceId\n| join hint.strategy=shuffle (\n Perf\n | where TimeGenerated = startDateTime\n | where ObjectName == 'K8SNode'\n | where CounterName == capacityCounterName\n | summarize LimitValue = max(CounterValue) by Computer, CounterName, bin(TimeGenerated, trendBinSize)\n | project Computer, CapacityStartTime = TimeGenerated, CapacityEndTime = TimeGenerated + trendBinSize, LimitValue\n) on Computer\n| join kind=inner hint.strategy=shuffle (\n Perf\n | where TimeGenerated = startDateTime - trendBinSize\n | where ObjectName == 'K8SNode'\n | where CounterName == usageCounterName\n | project Computer, UsageValue = CounterValue, TimeGenerated\n) on Computer\n| where TimeGenerated >= CapacityStartTime and TimeGenerated = startDateTime\n// cluster filter would go here if multiple clusters are reporting to the same Log Analytics workspace\n| distinct ClusterName, Computer, _ResourceId\n| join hint.strategy=shuffle (\n Perf\n | where TimeGenerated = startDateTime\n | where ObjectName == 'K8SNode'\n | where CounterName == capacityCounterName\n | summarize LimitValue = max(CounterValue) by Computer, CounterName, bin(TimeGenerated, trendBinSize)\n | project Computer, CapacityStartTime = TimeGenerated, CapacityEndTime = TimeGenerated + trendBinSize, LimitValue\n) on Computer\n| join kind=inner hint.strategy=shuffle (\n Perf\n | where TimeGenerated = startDateTime - trendBinSize\n | where ObjectName == 'K8SNode'\n | where CounterName == usageCounterName\n | project 
Computer, UsageValue = CounterValue, TimeGenerated\n) on Computer\n| where TimeGenerated >= CapacityStartTime and TimeGenerated = startDateTime\n| distinct ClusterName, Computer, _ResourceId,TimeGenerated\n| summarize ClusterSnapshotCount = count() by bin(TimeGenerated, trendBinSize), ClusterName, Computer, _ResourceId\n| join hint.strategy=broadcast kind=inner (\n KubeNodeInventory //this calculating ready node count.\n | where TimeGenerated = startDateTime\n | summarize TotalCount = count(), ReadyCount = sumif(1, Status contains ('Ready'))\n by ClusterName, Computer, bin(TimeGenerated, trendBinSize), _ResourceId //calculating NotReadyCount\n | extend NotReadyCount = TotalCount - ReadyCount\n) on ClusterName, Computer, _ResourceId, TimeGenerated\n //projecting all the fields\n| project TimeGenerated, ClusterName, Computer, ReadyCount = todouble(ReadyCount) / ClusterSnapshotCount, \n NotReadyCount = todouble(NotReadyCount) / ClusterSnapshotCount, _ResourceId\n| order by ClusterName asc, Computer asc, TimeGenerated desc, _ResourceId","tags":{"Topic":["Availability","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["ContainerInsights"]}},{"id":"fa724f0c-8569-11ea-931d-c8348e02520c","displayName":"List container logs per namespace","description":"View container logs from all the namespaces in the cluster.","body":"ContainerLog\r\n|where TimeGenerated > startofday(ago(1h))\r\n|join(\r\nKubePodInventory\r\n| where TimeGenerated > startofday(ago(1h)) \r\n| distinct Computer, ContainerID, Namespace\r\n)//KubePodInventory Contains namespace information\r\non Computer, ContainerID\r\n| project TimeGenerated, ContainerID, Namespace , LogEntrySource , LogEntry","tags":{"Topic":["Container 
Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["ContainerInsights"]}},{"id":"fa729d2f-8569-11ea-8e66-c8348e02520c","displayName":"List all the pods count with phase","description":"View pod phase counts based on all phases: Failed, Pending, Unknown, Running, or Succeeded.","body":"// To create an alert for this query, click '+ New alert rule'\n//Customize endDateTime, startDateTime to select different time range\n let endDateTime = now();\n let startDateTime = ago(1h);\n let trendBinSize = 1m;\n KubePodInventory\n | where TimeGenerated = startDateTime\n | distinct ClusterName, TimeGenerated, _ResourceId\n | summarize ClusterSnapshotCount = count() by bin(TimeGenerated, trendBinSize), ClusterName, _ResourceId\n | join hint.strategy=broadcast (\n KubePodInventory\n | where TimeGenerated = startDateTime\n | distinct ClusterName, Computer, PodUid, TimeGenerated, PodStatus, _ResourceId\n | summarize TotalCount = count(), //Calculating count for per pod status\n PendingCount = sumif(1, PodStatus =~ 'Pending'),\n RunningCount = sumif(1, PodStatus =~ 'Running'),\n SucceededCount = sumif(1, PodStatus =~ 'Succeeded'),\n FailedCount = sumif(1, PodStatus =~ 'Failed')\n by ClusterName, bin(TimeGenerated, trendBinSize), _ResourceId\n ) on ClusterName, TimeGenerated, _ResourceId\n | extend UnknownCount = TotalCount - PendingCount - RunningCount - SucceededCount - FailedCount\n | project TimeGenerated, _ResourceId,\n TotalCount = todouble(TotalCount) / ClusterSnapshotCount,\n PendingCount = todouble(PendingCount) / ClusterSnapshotCount,\n RunningCount = todouble(RunningCount) / ClusterSnapshotCount,\n SucceededCount = todouble(SucceededCount) / ClusterSnapshotCount,\n FailedCount = todouble(FailedCount) / ClusterSnapshotCount,\n UnknownCount = todouble(UnknownCount) / 
ClusterSnapshotCount","tags":{"Topic":["Availability","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["ContainerInsights"]}},{"id":"fa73fd03-8569-11ea-aa34-c8348e02520c","displayName":"View data ingested by completed jobs","description":"View data ingested size by jobs that are completed.","body":"//Modify StartTime to customize TimeRange for completedjobs inventory.\nlet startTime = ago(1h);\n//Find all the jobs which are completed\nlet kpi = KubePodInventory\n| where TimeGenerated > startTime\n| where _IsBillable == true\n| where PodStatus in (\"Succeeded\", \"Failed\")\n| where ControllerKind == \"Job\";\n//Find the the billable data for the jobs\nlet containerInventory = ContainerInventory\n| where TimeGenerated > startTime\n| where _IsBillable == true\n| summarize BillableDataMBytes = sum(_BilledSize)/ (1000. * 1000.) by ContainerID;\n//Join on both the tables to calculate the billable data \nlet containerInventoryMB = containerInventory\n| join kpi on $left.ContainerID == $right.ContainerID\n| summarize MB=sum(BillableDataMBytes);\nlet kpiMB = kpi\n| summarize MB = sum(_BilledSize)/ (1000. * 1000.);\nunion\n(containerInventoryMB),(kpiMB)\n| summarize doneJobsInventoryMB=sum(MB)","tags":{"Topic":["Costing"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container","workloads","resources"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["ContainerInsights"]}},{"id":"fa7471e0-8569-11ea-b6ce-c8348e02520c","displayName":"Environment variable enriching","description":"View data ingested by environment variables.","body":"// Change time range in UI, or by adding time filter in query. For example: | where TimeGenerated > ago(3d)\r\nContainerInventory\r\n| summarize envvarsMB = sum(string_size(EnvironmentVar)) / (1000. * 1000.) 
by bin(TimeGenerated, 1h)\r\n| render timechart","tags":{"Topic":["Costing"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["ContainerInsights"]}},{"id":"fa74c014-8569-11ea-aa82-c8348e02520c","displayName":"Instances Avg CPU usage growth from last week","description":"Show Avg CPU growth by instance in the last week by descending order.","body":"// To create an alert for this query, click '+ New alert rule'\n//Show which instances grew CPU usage from last week to current\nPerf\n| where TimeGenerated > ago(7d) //This week Average CPU Usage Nano Cores\n| where ObjectName == \"K8SContainer\" and CounterName == \"cpuUsageNanoCores\"\n| summarize ThisWeekAvgCPU = avg(CounterValue) by InstanceName, _ResourceId\n| join kind= leftouter (\n //Previous week Average CPU Usage Nano Cores\n Perf\n | where TimeGenerated > ago(14d) and TimeGenerated parameter to produce results","body":"// This query requires a parameter to run. Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nAzureActivity\r\n| where ResourceProvider == \"Microsoft.ContainerService\"\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"45f5c9a8-0bb5-6d2a-8562-a53d34e93887","displayName":"Find In AzureDiagnostics","description":"Find in AzureDiagnostics to search for a specific value in the AzureDiagnostics table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. 
Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nAzureDiagnostics\r\n| where ResourceProvider == \"Microsoft.ContainerService\"\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"5ea47bca-4305-4423-3b2f-3db502a42760","displayName":"Find In AzureMetrics","description":"Find in AzureMetrics to search for a specific value in the AzureMetrics table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nAzureMetrics\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"1256fc3f-8134-417c-9e24-a6d573eb93f9","displayName":"Find In ContainerImageInventory","description":"Find in ContainerImageInventory to search for a specific value in the ContainerImageInventory table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. 
Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nContainerImageInventory\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"f1bf35d8-7afb-05bd-842e-5fbddced8dbd","displayName":"Find In ContainerLog","description":"Find in ContainerLog to search for a specific value in the ContainerLog table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nContainerLog\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"19b4df05-22bb-4ac7-a0d1-e1e3029c6256","displayName":"Find In ContainerLogV2","description":"Find in ContainerLogV2 to search for a specific value in the ContainerLogV2 table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. 
Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nContainerLogV2\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"395c7803-7b63-0779-6863-c5c7ac7c0d62","displayName":"Find In ContainerNodeInventory","description":"Find in ContainerNodeInventory to search for a specific value in the ContainerNodeInventory table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nContainerNodeInventory\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"62ffa781-123a-a1f5-79b4-c31c2ea8769a","displayName":"Find In ContainerServiceLog","description":"Find in ContainerServiceLog to search for a specific value in the ContainerServiceLog table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. 
Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nContainerServiceLog\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"46a359a0-8e7b-5319-5fc1-84fb70211c0b","displayName":"Find In Heartbeat","description":"Find in Heartbeat to search for a specific value in the Heartbeat table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nHeartbeat\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"19a3ed70-1e90-8f62-5e90-58ec8ea3a705","displayName":"Find In InsightsMetrics","description":"Find in InsightsMetrics to search for a specific value in the InsightsMetrics table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. 
Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nInsightsMetrics\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"09291696-0b1d-3266-34a3-4a6eda396d8b","displayName":"Find In KubeEvents","description":"Find in KubeEvents to search for a specific value in the KubeEvents table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nKubeEvents\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"b944809b-373e-036c-059f-78cf8bb5206a","displayName":"Find In KubeMonAgentEvents","description":"Find in KubeMonAgentEvents to search for a specific value in the KubeMonAgentEvents table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. 
Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nKubeMonAgentEvents\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"096294d7-8492-448e-2ad3-b4c7f7c0a535","displayName":"Find In KubeNodeInventory","description":"Find in KubeNodeInventory to search for a specific value in the KubeNodeInventory table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nKubeNodeInventory\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"eafdf8b8-7931-752b-6890-f6b292ca9bcb","displayName":"Find In KubePodInventory","description":"Find in KubePodInventory to search for a specific value in the KubePodInventory table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. 
Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nKubePodInventory\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"0740862d-6150-3251-8096-8d6a06f356f5","displayName":"Find In KubeBVInventory","description":"Find in KubeBVInventory to search for a specific value in the KubeBVInventory table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nKubeBVInventory\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"ee063ac9-8b4b-2d38-8806-ecaae055503a","displayName":"Find In KubeServices","description":"Find in KubeServices to search for a specific value in the KubeServices table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. 
Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nKubeServices\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"1d7c8ba9-957a-05f1-3ac0-c6cecd388592","displayName":"Find In Perf","description":"Find in Perf to search for a specific value in the Perf table./nNote that this query requires updating the parameter to produce results","body":"// This query requires a parameter to run. Enter value in SearchValue to find in table.\r\nlet SearchValue = \"\";//Please update term you would like to find in the table.\r\nPerf\r\n| where * contains tostring(SearchValue)\r\n| take 1000","tags":{"Topic":["Find in table"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"SearchQuery":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.containerservice/managedclusters"]}},{"id":"18879673-8564-11ea-b38b-c8348e02520c","displayName":"Execution time exceeding a threshold","description":"Identify queries that their run time exceeds 10 seconds.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.DBFORMARIADB\" \n| where Category == 'MySqlSlowLogs'\n| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s, ResourceId \n| where query_time_d > 10 // You may change the time threshold","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbformariadb/servers"]}},{"id":"188a2ec5-8564-11ea-b3bc-c8348e02520c","displayName":"Show the Slowest queries ","description":"Identify top 5 slowest 
queries.","body":"AzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.DBFORMARIADB\" \n| where Category == 'MySqlSlowLogs'\n| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s \n| top 5 by query_time_d desc","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbformariadb/servers"]}},{"id":"188aa3a9-8564-11ea-bf1e-c8348e02520c","displayName":"Show Query's statistics","description":"Construct a summary statistics table by query.","body":"AzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.DBFORMARIADB\" \n| where Category == 'MySqlSlowLogs'\n| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s \n| summarize count(), min(query_time_d), max(query_time_d), avg(query_time_d), stdev(query_time_d), percentile(query_time_d, 95) by LogicalServerName_s ,sql_text_s \n| top 50 by percentile_query_time_d_95 desc","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbformariadb/servers"]}},{"id":"188b66fe-8564-11ea-b1c6-c8348e02520c","displayName":"Review audit log events in GENERAL class ","description":"Identify general class events for your server.","body":"AzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.DBFORMARIADB\" \n| where Category == 'MySqlAuditLogs' and event_class_s == \"general_log\"\n| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s \n| order by TimeGenerated asc","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads","audit"],"resourceTypes":["microsoft.dbformariadb/servers"]}},{"id":"188bdc5b-8564-11ea-be3c-c8348e02520c","displayName":"Review audit 
log events in CONNECTION class ","description":"Identify connection related events for your server.","body":"AzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.DBFORMARIADB\" \n| where Category == 'MySqlAuditLogs' and event_class_s == \"connection_log\"\n| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s \n| order by TimeGenerated asc ","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads","audit"],"resourceTypes":["microsoft.dbformariadb/servers"]}},{"id":"39530689-8564-11ea-a825-c8348e02520c","displayName":"Execution time exceeding a threshold","description":"Identify queries that their run time exceeds 10 seconds.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.DBFORMYSQL\"\n| where Category == 'MySqlSlowLogs'\n| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s, ResourceId \n| where query_time_d > 10 //You may change the time threshold ","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbformysql/servers"]}},{"id":"3953c9e1-8564-11ea-90b5-c8348e02520c","displayName":"Show the Slowest queries ","description":"Identify top 5 slowest queries.","body":"AzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.DBFORMYSQL\" \n| where Category == 'MySqlSlowLogs'\n| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s \n| top 5 by query_time_d 
desc","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbformysql/servers"]}},{"id":"395417f2-8564-11ea-a1fa-c8348e02520c","displayName":"Show Query's statistics","description":"Construct a summary statistics table by query.","body":"AzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.DBFORMYSQL\"\n| where Category == 'MySqlSlowLogs'\n| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s \n| summarize count(), min(query_time_d), max(query_time_d), avg(query_time_d), stdev(query_time_d), percentile(query_time_d, 95) by LogicalServerName_s ,sql_text_s \n| top 50 by percentile_query_time_d_95 desc","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbformysql/servers"]}},{"id":"39559e97-8564-11ea-b62e-c8348e02520c","displayName":"Review audit log events in GENERAL class ","description":"Identify general class events for your server.","body":"AzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.DBFORMYSQL\"\n| where Category == 'MySqlAuditLogs' and event_class_s == \"general_log\"\n| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s \n| order by TimeGenerated asc","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads","audit"],"resourceTypes":["microsoft.dbformysql/servers"]}},{"id":"3955ecb1-8564-11ea-9064-c8348e02520c","displayName":"Review audit log events in CONNECTION class ","description":"Identify connection related events for your server.","body":"AzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.DBFORMYSQL\"\n| where Category == 'MySqlAuditLogs' and event_class_s == \"connection_log\"\n| project 
TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s \n| order by TimeGenerated asc ","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads","audit"],"resourceTypes":["microsoft.dbformysql/servers"]}},{"id":"f057bedc-8564-11ea-bde7-c8348e02520c","displayName":"Autovacuum events","description":"Search for autovacuum events over the last 24 hours. It requires parameter 'log_autovacuum_min_duration' enabled.","body":"AzureDiagnostics\n| where TimeGenerated > ago(1d) \n| where ResourceProvider ==\"MICROSOFT.DBFORPOSTGRESQL\" \n| where Category == \"PostgreSQLLogs\"\n| where Message contains \"automatic vacuum\"\n","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbforpostgresql/servers"]}},{"id":"f059e1be-8564-11ea-baa5-c8348e02520c","displayName":"Server restarts","description":"Search for server shut down and server ready events.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where TimeGenerated > ago(7d)\n| where ResourceProvider ==\"MICROSOFT.DBFORPOSTGRESQL\" \n| where Category == \"PostgreSQLLogs\"\n| where Message contains \"database system was shut down at\" or Message contains \"database system is ready to accept\" \n","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbforpostgresql/servers"]}},{"id":"f05a2fd3-8564-11ea-b82c-c8348e02520c","displayName":"Find Errors","description":"Search for errors in the last 6 hours.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where TimeGenerated > ago(6h)\n| where Category == \"PostgreSQLLogs\"\n| where errorLevel_s contains 
\"error\" \n","tags":{"Topic":["Errors","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbforpostgresql/servers"]}},{"id":"f05a7df3-8564-11ea-8cd4-c8348e02520c","displayName":"Unauthorized connections","description":"Search for unauthorized (rejected) connection attempts.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.DBFORPOSTGRESQL\" \n| where Category == \"PostgreSQLLogs\"\n| where Message contains \"password authentication failed\" or Message contains \"no pg_hba.conf entry for host\"","tags":{"Topic":["Troubleshooting","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads","security"],"resourceTypes":["microsoft.dbforpostgresql/servers"]}},{"id":"f05af337-8564-11ea-8713-c8348e02520c","displayName":"Deadlocks","description":"Search for deadlock events.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.DBFORPOSTGRESQL\" \n| where Category == \"PostgreSQLLogs\"\n| where Message contains \"deadlock detected\"","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbforpostgresql/servers"]}},{"id":"f05b415a-8564-11ea-8e4c-c8348e02520c","displayName":"Lock contention","description":"Search for lock contention. 
It requires log_lock_waits=ON and depends on deadlock_timeout setting.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.DBFORPOSTGRESQL\" \n| where Message contains \"still waiting for ShareLock on transaction\" ","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbforpostgresql/servers"]}},{"id":"f05c7a2c-8564-11ea-9d91-c8348e02520c","displayName":"Audit logs","description":"Get all audit logs. It requires audit logs to be enabled [https://docs.microsoft.com/azure/postgresql/concepts-audit].","body":"AzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.DBFORPOSTGRESQL\" \n| where Category == \"PostgreSQLLogs\"\n| where Message contains \"AUDIT:\"","tags":{"Topic":["Audit Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads","audit"],"resourceTypes":["microsoft.dbforpostgresql/servers"]}},{"id":"f05cc7e5-8564-11ea-bd57-c8348e02520c","displayName":"Audit logs for table(s) and event type(s)","description":"Search for audit logs for a specific table and event type DDL. Other event types are READ, WRITE, FUNCTION, MISC. It requires audit logs enabled. 
[https://docs.microsoft.com/azure/postgresql/concepts-audit].","body":"AzureDiagnostics\n| where ResourceProvider ==\"MICROSOFT.DBFORPOSTGRESQL\" \n| where Category == \"PostgreSQLLogs\"\n| where Message contains \"AUDIT:\" \n| where Message contains \"table name\" and Message contains \"DDL\"","tags":{"Topic":["Audit Logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads","audit"],"resourceTypes":["microsoft.dbforpostgresql/servers"]}},{"id":"f05d162a-8564-11ea-9b09-c8348e02520c","displayName":"Queries with execution time exceeding a threshold","description":"Identify queries that take longer than 10 seconds. The query store normalizes actual queries to aggregate similar queries. By default, entries are aggregated every 15 mins. Query utilizes mean execution time every 15 mins and other query statistics such as max, min can be used as appropriate.","body":"// To create an alert for this query, click '+ New alert rule'\r\nAzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.DBFORPOSTGRESQL\"\r\n| where Category == \"QueryStoreRuntimeStatistics\"\r\n| where user_id_s != \"10\" //exclude azure system user\r\n| project TimeGenerated, LogicalServerName_s, event_type_s , mean_time_s , db_id_s , start_time_s , query_id_s, _ResourceId\r\n| where todouble(mean_time_s) > 0 // You may change the time threshold","tags":{"Topic":["Performance","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbforpostgresql/servers"]}},{"id":"f05d8b32-8564-11ea-be76-c8348e02520c","displayName":"Slowest queries","description":"Identify top 5 slowest queries.","body":"AzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.DBFORPOSTGRESQL\"\n| where Category == \"QueryStoreRuntimeStatistics\"\n| where user_id_s != \"10\" //exclude azure system user\n| summarize avg(todouble(mean_time_s)) by event_class_s , db_id_s 
,query_id_s\n| top 5 by avg_mean_time_s desc\n","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbforpostgresql/servers"]}},{"id":"f05dd951-8564-11ea-a396-c8348e02520c","displayName":"Query statistics","description":"Construct a summary statistics table by query.","body":"AzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.DBFORPOSTGRESQL\"\n| where Category == \"QueryStoreRuntimeStatistics\"\n| where user_id_s != \"10\" //exclude azure system user\n| summarize sum(toint(calls_s)), min(todouble(min_time_s)),max(todouble(max_time_s)),avg(todouble(mean_time_s)),percentile(todouble(mean_time_s),95) by db_id_s ,query_id_s\n| order by percentile_mean_time_s_95 desc nulls last ","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbforpostgresql/servers"]}},{"id":"f05f601a-8564-11ea-9958-c8348e02520c","displayName":"Execution count trends","description":"Execution trend by query aggregated by 15 minute-intervals.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.DBFORPOSTGRESQL\"\n| where Category == \"QueryStoreRuntimeStatistics\"\n| where user_id_s != \"10\" //exclude azure system user\n| summarize sum(toint(calls_s)) by tostring(query_id_s), bin(TimeGenerated, 15m), ResourceId\n| render timechart ","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbforpostgresql/servers"]}},{"id":"f05ffc32-8564-11ea-8128-c8348e02520c","displayName":"Top wait events","description":"Identify top 5 wait events by queries.","body":"AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.DBFORPOSTGRESQL\"\r\n| where 
Category == \"QueryStoreWaitStatistics\"\r\n| where user_id_s != \"10\" //exclude azure system user\r\n| where query_id_s != 0\r\n| summarize sum(toint(calls_s)) by event_s, query_id_s, bin(TimeGenerated, 15m)\r\n| top 5 by sum_calls_s desc nulls last","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbforpostgresql/servers"]}},{"id":"f0604a53-8564-11ea-9866-c8348e02520c","displayName":"Wait event trends","description":"Display wait event trends over time.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.DBFORPOSTGRESQL\"\n| where Category == \"QueryStoreWaitStatistics\"\n| where user_id_s != \"10\" //exclude azure system user\n| extend query_id_s = tostring(query_id_s)\n| summarize sum(toint(calls_s)) by event_s, query_id_s, bin(TimeGenerated, 15m), ResourceId // You may change the time threshold \n| render timechart","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbforpostgresql/servers"]}},{"id":"f061a449-8564-11ea-8a9c-c8348e02520c","displayName":"Queries waiting","description":"Identify if slowest queries wait on anything.","body":"// Queries waiting \r\n// Identify if slowest queries wait on anything. 
\r\nlet top5 = AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.DBFORPOSTGRESQL\"\r\n//| where LogicalServerName_s == \"your server name\" // you can run this query for a specific server \r\n| where Category == \"QueryStoreRuntimeStatistics\"\r\n| where user_id_s != \"10\" //exclude azure system user\r\n| summarize avg(todouble(mean_time_s)) by event_class_s , db_id_s , query_id_s \r\n| order by avg_mean_time_s desc nulls last \r\n| project query_id_s , db_id_s\r\n| take 5;\r\nAzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.DBFORPOSTGRESQL\"\r\n| where Category == \"QueryStoreWaitStatistics\"\r\n| extend query_id_s = tostring(query_id_s)\r\n| join top5 on query_id_s\r\n| summarize sum(toint(calls_s)) by event_class_s , query_id_s, bin(TimeGenerated, 15m)\r\n| render timechart","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"resourceTypes":["microsoft.dbforpostgresql/servers"]}},{"id":"f0621953-8564-11ea-904e-c8348e02520c","displayName":"Compare two periods for query execution times","description":"Identify queries that have a latency difference exceeding a threshold.","body":"let queryExecutionPrev24h = AzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.DBFORPOSTGRESQL\"\n| where Category == \"QueryStoreRuntimeStatistics\"\n//| where LogicalServerName_s == \"your server name\" // you can run this query for a specific server | extend timestamp_new = make_datetime(start_time_t)\n// change range of baseline period based on your needs\n| where timestamp_new >= ago(48h) and timestamp_new = ago(24h)\n| summarize currentTimeAvg=avg(todecimal(mean_time_s)), max(todecimal(mean_time_s)), min(timestamp_new), max(timestamp_new) , currentTimeExecutionCount = sum(toint(calls_s)) by query_id_s\n| join kind=inner\n queryExecutionPrev24h\non query_id_s\n| extend latencyDiff = currentTimeAvg - prevTimeAvg\n| extend latencyDiffPercent = 
(((prevTimeAvg-currentTimeAvg)/prevTimeAvg)*100)\n| extend executionCountDiff = (((todecimal(prevTimeExecutionCount)-todecimal(currentTimeExecutionCount))/todecimal(prevTimeExecutionCount)))*100\n| project query_id_s, latencyDiff, latencyDiffPercent, currentTimeAvg, prevTimeAvg, currentTimeExecutionCount, prevTimeExecutionCount,executionCountDiff\n// change your threshold of difference between two periods based on your needs\n| where latencyDiffPercent ago(3d) and StatusText !contains \"Success\"\n| summarize count() by StatusText\n| top 10 by count_ desc","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.storage/storageaccounts"]}},{"id":"0a9be4e3-8566-11ea-bb0a-c8348e02520c","displayName":"Operations causing most errors","description":"List top 10 operations causing the most errors over the last 3 days.","body":"StorageBlobLogs\n| where TimeGenerated > ago(3d) and StatusText !contains \"Success\"\n| summarize count() by OperationName\n| top 10 by count_ desc","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.storage/storageaccounts"]}},{"id":"0a9d1db1-8566-11ea-86f4-c8348e02520c","displayName":"Operations with the highest latency","description":"List top 10 operations with the longest end to end latency over the last 3 days.","body":"StorageBlobLogs\n| where TimeGenerated > ago(3d)\n| top 10 by DurationMs desc\n| project TimeGenerated, OperationName, DurationMs, ServerLatencyMs, ClientLatencyMs = DurationMs - ServerLatencyMs","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.storage/storageaccounts"]}},{"id":"0a9d6b7a-8566-11ea-8fbe-c8348e02520c","displayName":"Operations causing server side 
throttling","description":"List all operations causing server side throttling errors over the last 3 days.","body":"// To create an alert for this query, click '+ New alert rule'\nStorageBlobLogs\n| where TimeGenerated > ago(3d) and StatusText contains \"ServerBusy\"\n| project TimeGenerated, OperationName, StatusCode, StatusText, _ResourceId","tags":{"Topic":["Errors","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.storage/storageaccounts"]}},{"id":"0a9de0a6-8566-11ea-96d1-c8348e02520c","displayName":"Show anonymous requests","description":"List all requests with anonymous access over the last 3 days.","body":"// To create an alert for this query, click '+ New alert rule'\nStorageBlobLogs\n| where TimeGenerated > ago(3d) and AuthenticationType == \"Anonymous\"\n| project TimeGenerated, OperationName, AuthenticationType, Uri, _ResourceId","tags":{"Topic":["Audit","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.storage/storageaccounts"]}},{"id":"0a9e2ecc-8566-11ea-95b0-c8348e02520c","displayName":"Frequent operations chart","description":"A pie chart of operations used over the last 3 days.","body":"StorageBlobLogs\n| where TimeGenerated > ago(3d)\n| summarize count() by OperationName\n| sort by count_ desc \n| render piechart","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.storage/storageaccounts"]}},{"id":"c58b9b88-9b80-11ea-9137-c8348e02520c","displayName":"Management operations in the last 7 days","description":"This lists all the management calls for the last 7 days.","body":"AzureDiagnostics\n| where TimeGenerated > ago(7d)\n| where ResourceProvider ==\"MICROSOFT.SERVICEBUS\"\n| where Category == \"OperationalLogs\"\n| 
summarize count() by EventName_s, _ResourceId","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.servicebus/namespaces"]}},{"id":"c58ea8c7-9b80-11ea-afe7-c8348e02520c","displayName":"Errors summary","description":"Summarizes all the errors seen in the last 7 days.","body":"AzureDiagnostics\n| where TimeGenerated > ago(7d)\n| where ResourceProvider ==\"MICROSOFT.SERVICEBUS\"\n| where Category == \"Error\" \n| summarize count() by EventName_s, _ResourceId","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.servicebus/namespaces"]}},{"id":"c591b611-9b80-11ea-8243-c8348e02520c","displayName":"Keyvault access attempt - key not found","description":"Summarizes the access to keyvault when key is not found.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.SERVICEBUS\" \n| where Category == \"Error\" and OperationName == \"wrapkey\"\n| project Message, _ResourceId","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.servicebus/namespaces"]}},{"id":"c593ffdc-9b80-11ea-9200-c8348e02520c","displayName":"AutoDeleted entities","description":"Summary of all the entities that have been auto-deleted.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.SERVICEBUS\"\n| where Category == \"OperationalLogs\"\n| where EventName_s startswith \"AutoDelete\"\n| summarize count() by EventName_s, 
_ResourceId","tags":{"Topic":["Usage","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit"],"resourceTypes":["microsoft.servicebus/namespaces"]}},{"id":"c59845a8-9b80-11ea-8a09-c8348e02520c","displayName":"Keyvault performed operational","description":"Summarizes the operation performed with keyvault to disable or restore the key.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.SERVICEBUS\"\n| where (Category == \"info\" and (OperationName == \"disable\" or OperationName == \"restore\"))\n| project Message, _ResourceId","tags":{"Topic":["Security","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.servicebus/namespaces"]}},{"id":"c5992ffc-9b80-11ea-8243-c8348e02520c","displayName":"BGP route table","description":"BGP route table learned over last 12 hours.","body":"AzureDiagnostics\n| where TimeGenerated > ago(12h)\n| where ResourceType == \"EXPRESSROUTECIRCUITS\"\n| project TimeGenerated , ResourceType , network_s , path_s , OperationName","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/expressroutecircuits"]}},{"id":"c5997e17-9b80-11ea-8e07-c8348e02520c","displayName":"BGP informational messages","description":"BGP informational messages by level, resource type and network.","body":"AzureDiagnostics\n| where Level == \"Informational\"\n| project TimeGenerated , ResourceId, Level, ResourceType , network_s , 
path_s","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/expressroutecircuits"]}},{"id":"c59b04a4-9b80-11ea-9429-c8348e02520c","displayName":"ExpressRoute Circuit BitsInPerSecond traffic graph","description":"Traffic graph BitsInPerSecond (last one hour).","body":"AzureMetrics\n| where MetricName == \"BitsInPerSecond\"\n| summarize by Average, bin(TimeGenerated, 1h), Resource\n| render timechart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor","network"],"resourceTypes":["microsoft.network/expressroutecircuits"]}},{"id":"c59b52d1-9b80-11ea-abe2-c8348e02520c","displayName":"ExpressRoute Circuit BitsOutPerSecond traffic graph","description":"Traffic graph BitsOutPerSecond (last one hour).","body":"AzureMetrics\n| where MetricName == \"BitsOutPerSecond\"\n| summarize by Average, bin(TimeGenerated, 1h), Resource\n| render timechart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor","network"],"resourceTypes":["microsoft.network/expressroutecircuits"]}},{"id":"c59bc801-9b80-11ea-a673-c8348e02520c","displayName":"ExpressRoute Circuit ArpAvailability graph","description":"Traffic graph for ArpAvailability (5 minutes).","body":"AzureMetrics\n| where MetricName == \"ArpAvailability\"\n| summarize by Average, bin(TimeGenerated, 5m), Resource\n| render timechart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor","network"],"resourceTypes":["microsoft.network/expressroutecircuits"]}},{"id":"c59c161a-9b80-11ea-b8e4-c8348e02520c","displayName":"ExpressRoute Circuit BGP availability","description":"Traffic graph for BgpAvailability (5 
minutes).","body":"AzureMetrics\n| where MetricName == \"BgpAvailability\"\n| summarize by Average, bin(TimeGenerated, 5m), Resource\n| render timechart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor","network"],"resourceTypes":["microsoft.network/expressroutecircuits"]}},{"id":"9216f2d9-9b82-11ea-ba13-c8348e02520c","displayName":"Errors in the last 7 days","description":"This lists all the errors for the last 7 days.","body":"AzureDiagnostics\n| where TimeGenerated > ago(7d)\n| where ResourceProvider ==\"MICROSOFT.EVENTHUB\"\n| where Category == \"OperationalLogs\"\n| summarize count() by \"EventName\", _ResourceId","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"]}},{"id":"921acbc5-9b82-11ea-bebf-c8348e02520c","displayName":"Duration of Capture failure","description":"Summarizes the duration of failure on Capture.","body":"AzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.EVENTHUB\"\n| where Category == \"ArchiveLogs\"\n| summarize count() by \"failures\", \"durationInSeconds\", _ResourceId","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"]}},{"id":"921bdcea-9b82-11ea-ad5d-c8348e02520c","displayName":"Join request for client","description":"Summarizes the status of join request for client.","body":"AzureDiagnostics // Need to turn on the Capture for this \n| where ResourceProvider == \"MICROSOFT.EVENTHUB\"\n| project 
\"OperationName\"","tags":{"Topic":["Kafka"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"]}},{"id":"921e4dd0-9b82-11ea-abb1-c8348e02520c","displayName":"Access to keyvault - key not found","description":"Summarizes the access to keyvault when key is not found.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.EVENTHUB\" \n| where Category == \"Error\" and OperationName == \"wrapkey\"\n| project Message, ResourceId","tags":{"Topic":["Errors","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"]}},{"id":"9220983b-9b82-11ea-a82a-c8348e02520c","displayName":"Operation performed with keyvault","description":"Summarizes the operation performed with keyvault to disable or restore the key.","body":"AzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.EVENTHUB\"\n| where Category == \"info\" and OperationName == \"disable\" or OperationName == \"restore\"\n| project Message","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventhub/namespaces"]}},{"id":"92237ddb-9b82-11ea-805c-c8348e02520c","displayName":"Endpoints with monitoring Status down","description":"Find the reason why the monitoring status of Azure Traffic Manager endpoints is down.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where ResourceType == \"TRAFFICMANAGERPROFILES\" and Category == \"ProbeHealthStatusEvents\"\n| where Status_s == \"Down\"\n| project TimeGenerated, EndpointName_s, Status_s, ResultDescription, SubscriptionId , 
_ResourceId","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/trafficmanagerprofiles"]}},{"id":"0acad5d4-9b87-11ea-b69c-c8348e02520c","displayName":"Delivery failures by topic and error","description":"Delivery failures logs by topic name and error message.","body":"// To create an alert for this query, click '+ New alert rule'\nAegDeliveryFailureLogs \n| parse Message with * \", httpStatusCode=\" HttpStatusCode \",\" * \"., errorMessage=\" ErrorMessage \",\" *\n| parse _ResourceId with * \"/topics/\" TopicName \n| summarize by _ResourceId, TopicName, ErrorMessage","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/topics"]}},{"id":"0acf42ae-9b87-11ea-b093-c8348e02520c","displayName":"Publish failures by topic and error","description":"Publish failures logs by topic name and error message.","body":"// To create an alert for this query, click '+ New alert rule'\nAegPublishFailureLogs \n| parse Message with * \"), httpStatusCode=\" HttpStatusCode \",\" * \", errorMessage=\" ErrorMessage \n| parse _ResourceId with * \"/topics/\" TopicName \n| project TimeGenerated, _ResourceId, TopicName, TenantId, OperationName, HttpStatusCode, ErrorMessage\n| summarize by _ResourceId, TopicName, HttpStatusCode, ErrorMessage","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/topics"]}},{"id":"0ad18cad-9b87-11ea-9184-c8348e02520c","displayName":"Delivery failures by domain and error","description":"Delivery failures logs by domain name and error message.","body":"// To create an alert for this query, click '+ New alert rule'\nAegDeliveryFailureLogs \n| parse 
Message with * \", httpStatusCode=\" HttpStatusCode \",\" * \"., errorMessage=\" ErrorMessage \",\" *\n| parse _ResourceId with * \"/domains/\" DomainName \n| project TimeGenerated, _ResourceId, DomainName, TenantId, EventSubscriptionName, SubResourceName, OperationName, HttpStatusCode, ErrorMessage\n| summarize by _ResourceId, DomainName, SubResourceName, EventSubscriptionName, ErrorMessage","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/domains"]}},{"id":"0ad29e51-9b87-11ea-9bee-c8348e02520c","displayName":"Publish failures by domain and error","description":"Publish failures logs by domain name and error message.","body":"// To create an alert for this query, click '+ New alert rule'\nAegPublishFailureLogs \n| parse Message with * \"), httpStatusCode=\" HttpStatusCode \",\" * \", errorMessage=\" ErrorMessage \n| parse _ResourceId with * \"/domains/\" DomainName\n| project TimeGenerated, _ResourceId, DomainName, TenantId, OperationName, HttpStatusCode, ErrorMessage\n| summarize by _ResourceId, DomainName, HttpStatusCode, ErrorMessage","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/domains"]}},{"id":"59e7db22-9f52-11ea-b8de-c8348e02520c","displayName":"Avg CPU usage","description":"Avg CPU usage in the last hour by resource name.","body":"//consistently high averages could indicate a customer needs to move to a larger SKU\nAzureMetrics\n| where ResourceProvider == \"MICROSOFT.SQL\" // /DATABASES\n| where TimeGenerated >= ago(60min)\n| where MetricName in ('cpu_percent') \n| parse _ResourceId with * \"/microsoft.sql/servers/\" Resource // subtract Resource name for _ResourceId\n| summarize CPU_Maximum_last15mins = max(Maximum), CPU_Minimum_last15mins = min(Minimum), 
CPU_Average_last15mins = avg(Average) by Resource , MetricName","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["databases"],"resourceTypes":["microsoft.sql/servers/databases","microsoft.sql/servers"]}},{"id":"59ecbd47-9f52-11ea-bc53-c8348e02520c","displayName":"Performance troubleshooting","description":"Potentially query or deadlock on the system that could lead to poor performance.","body":"//potentially a query or deadlock on the system that could lead to poor performance\nAzureMetrics\n| where ResourceProvider == \"MICROSOFT.SQL\"\n| where TimeGenerated >=ago(60min)\n| where MetricName in ('deadlock')\n| parse _ResourceId with * \"/microsoft.sql/servers/\" Resource // subtract Resource name for _ResourceId\n| summarize Deadlock_max_60Mins = max(Maximum) by Resource, MetricName","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["databases"],"resourceTypes":["microsoft.sql/servers/databases","microsoft.sql/servers"]}},{"id":"59f150f7-9f52-11ea-8681-c8348e02520c","displayName":"Loading Data","description":"Monitor data loading in the last hour.","body":"AzureMetrics\n| where ResourceProvider == \"MICROSOFT.SQL\"\n| where TimeGenerated >= ago(60min)\n| where MetricName in ('log_write_percent')\n| parse _ResourceId with * \"/microsoft.sql/servers/\" Resource// subtract Resource name for _ResourceId\n| summarize Log_Maximum_last60mins = max(Maximum), Log_Minimum_last60mins = min(Minimum), Log_Average_last60mins = avg(Average) by Resource, MetricName","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["databases"],"resourceTypes":["microsoft.sql/servers/databases","microsoft.sql/servers"]}},{"id":"59f34cde-9f52-11ea-a5c7-c8348e02520c","displayName":"Wait stats","description":"Wait stats over the last hour, by 
Logical Server and Database.","body":"AzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.SQL\"\n| where TimeGenerated >= ago(60min)\n| parse _ResourceId with * \"/microsoft.sql/servers/\" LogicalServerName \"/databases/\" DatabaseName\n| summarize Total_count_60mins = sum(delta_waiting_tasks_count_d) by LogicalServerName, DatabaseName, wait_type_s","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["databases"],"resourceTypes":["microsoft.sql/servers/databases","microsoft.sql/servers"]}},{"id":"51c067a6-a025-11ea-a1b8-c8348e02520c","displayName":"Signatures out of date","description":"Devices with Signatures out of date.","body":"// To create an alert for this query, click '+ New alert rule'\nProtectionStatus\n| summarize Rank = max(ProtectionStatusRank) by Computer, _ResourceId\n| where Rank == \"250\"","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.compute/virtualmachines"],"solutions":["AntiMalware"]}},{"id":"51c43753-a025-11ea-b382-c8348e02520c","displayName":"Protection Status updates","description":"Protection Status updates per day.","body":"// To create an alert for this query, click '+ New alert rule'\nProtectionStatus\n| summarize AggregatedValue = count(ScanDate) by bin(TimeGenerated, 1d), Computer, _ResourceId\n| sort by TimeGenerated desc","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.compute/virtualmachines"],"solutions":["AntiMalware"]}},{"id":"51c6ccf0-a025-11ea-93fd-c8348e02520c","displayName":"Malware detection","description":"Malware detected grouped by threat.","body":"// To create an alert for this query, click '+ New alert rule'\nProtectionStatus\n| where ThreatStatus != \"No 
threats detected\" \n| summarize AggregatedValue = count() by Threat, Computer, _ResourceId","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"resourceTypes":["microsoft.compute/virtualmachines"],"solutions":["AntiMalware"]}},{"id":"51c952ba-a025-11ea-9f63-c8348e02520c","displayName":"Software Alert","description":"SurfaceHub software error.","body":"DeviceHealth\n| where EventName == \"CriticalProcessStatus\" and State == \"Unhealthy\" \n| sort by TimeGenerated desc","tags":{"Topic":["Error"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"51cb9cb0-a025-11ea-9b66-c8348e02520c","displayName":"Cleanup Failure","description":"SurfaceHub cleanup failure.","body":"DeviceCleanup\n| where State == \"Fatal\" \n| sort by TimeGenerated desc","tags":{"Topic":["Error"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"51cc86f0-a025-11ea-ae39-c8348e02520c","displayName":"Skype Error","description":"SurfaceHub Skype error.","body":"DeviceSkypeHeartbeat\n| where State == \"Unhealthy\" \n| sort by TimeGenerated desc","tags":{"Topic":["Error"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"51ce5ba9-a025-11ea-b3d9-c8348e02520c","displayName":"Exchange Error","description":"SurfaceHub Exchange error.","body":"DeviceCalendar\n| where EventName == \"activesynchealth\" and SyncStatus != \"Healthy\" \n| sort by TimeGenerated desc","tags":{"Topic":["Error"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"51cef7f8-a025-11ea-94ac-c8348e02520c","displayName":"Hardware 
Minor","description":"SurfaceHub hardware minor.","body":"DeviceHardwareHealth \n|where EventName != \"CameraInUnexpectedState\" and EventName != \"WiredIngestInUnexpectedState\" and EventName != \"WiredTouchInUnexpectedState\" and EventName != \"WifiDirectInUnexpectedState\" and EventName != \"MicInUnexpectedState\" and EventName != \"WiredTouchInUnexpectedState\" and EventName != \"SpeakersInUnexpectedState\" and EventName != \"WirelessCardInUnexpectedState\" \n| sort by TimeGenerated des","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"51d07f71-a025-11ea-bd43-c8348e02520c","displayName":"Hardware Alert","description":"SurfaceHubHardwareAlert.","body":"DeviceHardwareHealth\n|where EventName == \"CameraInUnexpectedState\" or EventName == \"WiredIngestInUnexpectedState\" or EventName == \"WiredTouchInUnexpectedState\" or EventName == \"WifiDirectInUnexpectedState\" or EventName == \"MicInUnexpectedState\" or EventName == \"WiredTouchInUnexpectedState\" or EventName == \"SpeakersInUnexpectedState\" or EventName == \"WirelessCardInUnexpectedState\" \n| sort by TimeGenerated desc","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"51d5d5cb-a025-11ea-a80b-c8348e02520c","displayName":"Computer with missing updates","description":"All computers with missing updates.","body":"// To create an alert for this query, click '+ New alert rule'\nUpdate\n|where OSType != \"Linux\" and UpdateState == \"Needed\" and Optional == \"false\" \n| project TimeGenerated, Computer, Title, KBID, Classification, MSRCSeverity, PublishedDate, _ResourceId\n| sort by TimeGenerated 
desc","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.compute/virtualmachines"],"solutions":["Updates"]}},{"id":"51d64afb-a025-11ea-a30b-c8348e02520c","displayName":"Missing required updates for server","description":"Missing updates for a specific computer \"ComputerName\" (replace with your own computer name).","body":"// To create an alert for this query, click '+ New alert rule'\nlet ComputerName = \"Enter your computer name here\";\nUpdate\n|where OSType != \"Linux\" and UpdateState == \"Needed\" and Optional == \"false\" and Computer == ComputerName\n| project TimeGenerated, Computer, Title, KBID, Product, MSRCSeverity, PublishedDate, _ResourceId\n| sort by TimeGenerated desc","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.compute/virtualmachines"],"solutions":["Updates"]}},{"id":"51d84768-a025-11ea-a170-c8348e02520c","displayName":"Missing critical security updates","description":"All computers that are missing critical updates or security updates.","body":"// To create an alert for this query, click '+ New alert rule'\nUpdate\n|where OSType != \"Linux\" and UpdateState == \"Needed\" and Optional == \"false\" and (Classification == \"Security Updates\" or Classification == \"Critical Updates\") \n| sort by TimeGenerated desc ","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.compute/virtualmachines"],"solutions":["Updates"]}},{"id":"51d8e30c-a025-11ea-a73e-c8348e02520c","displayName":"Missing security or critical where update is manual","description":"Critical or security updates needed by machines where updates are manually applied.","body":"// To 
create an alert for this query, click '+ New alert rule'\nUpdate\n| where OSType != \"Linux\" and UpdateState == \"Needed\" and Optional == \"false\"\n |where (Classification == \"Security Updates\" or Classification == \"Critical Updates\")\n| join kind=inner (UpdateSummary |where WindowsUpdateSetting == \"Manual\" |distinct Computer) on Computer \n| distinct KBID, Computer, _ResourceId","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.compute/virtualmachines"],"solutions":["Updates"]}},{"id":"51da42ca-a025-11ea-8b9b-c8348e02520c","displayName":"Error event on computer missing security co critical update","description":"Error events for machines that are missing critical or security required updates.","body":"// To create an alert for this query, click '+ New alert rule'\nEvent\n| where EventLevelName == \"error\"\n | join kind=inner (Update |where (Classification == \"Security Updates\" or Classification == \"Critical Updates\") and UpdateState == \"Needed\" and Optional == \"false\" | distinct Computer) on Computer \n | sort by TimeGenerated desc","tags":{"Topic":["Errors","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.compute/virtualmachines"],"solutions":["Updates"]}},{"id":"51db05ee-a025-11ea-93b5-c8348e02520c","displayName":"Missing update rollups","description":"All computers with missing update rollups.","body":"// To create an alert for this query, click '+ New alert rule'\nUpdate\n| where OSType != \"Linux\" and Optional == \"false\" and Classification == \"Update Rollups\" and UpdateState == \"Needed\" \n| project TimeGenerated, Computer, Title, KBID, Classification, MSRCSeverity, PublishedDate, _ResourceId\n| sort by TimeGenerated 
desc","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.compute/virtualmachines"],"solutions":["Updates"]}},{"id":"51db7b14-a025-11ea-96a8-c8348e02520c","displayName":"Distinct missing updates cross computers","description":"Distinct missing updates across all computers.","body":"// To create an alert for this query, click '+ New alert rule'\nUpdate\n| where OSType != \"Linux\" and UpdateState == \"Needed\" and Optional == \"false\" \n| distinct Title, Computer, _ResourceId","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.compute/virtualmachines"],"solutions":["Updates"]}},{"id":"51dcdaa5-a025-11ea-8887-c8348e02520c","displayName":"Missing update specific product","description":"WSUS computer membership.","body":"// To create an alert for this query, click '+ New alert rule'\nUpdateSummary\n| summarize AggregatedValue = count() by WSUSServer, Computer, _ResourceId","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.compute/virtualmachines"],"solutions":["Updates"]}},{"id":"51dd28da-a025-11ea-9725-c8348e02520c","displayName":"Automatic update configuration","description":"Automatic update configuration.","body":"// To create an alert for this query, click '+ New alert rule'\nUpdateSummary\n| summarize AggregatedValue = count() by WindowsUpdateSetting, Computer, 
_ResourceId","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.compute/virtualmachines"],"solutions":["Updates"]}},{"id":"51dd9de7-a025-11ea-99e2-c8348e02520c","displayName":"Automatic update configuration is disabled","description":"Computers with automatic update disabled.","body":"// To create an alert for this query, click '+ New alert rule'\nUpdateSummary\n| where WindowsUpdateSetting == \"Manual\" \n| sort by TimeGenerated desc","tags":{"Topic":["Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"resourceTypes":["microsoft.compute/virtualmachines"],"solutions":["Updates"]}},{"id":"b544376e-b9ef-11ea-afad-c8348e03e0b8","displayName":"Top 10 connection errors","description":"Returns the top 10 deployment-side connection errors by user count.","body":"// You can replace \"UserName\" in the query by \"CorrelationId\" to see how many connections each error has impacted.\r\n// The \"CorrelationId\" is unique for each connection attempt. \r\n// The flag on \"ServiceError\" helps to focus on issues that are most likely mitigated by the administrator or end user.\r\n// Change the ActivityType based on the type of issues you are troubleshooting. 
\r\nWVDErrors \r\n| where ServiceError == \"false\" \r\n| where ActivityType == \"Connection\" \r\n| summarize UserCount = dcount(UserName), SampleMessage = take_any(Message) by CodeSymbolic\r\n| project SampleMessage, UserCount \r\n| top 10 by UserCount desc\r\n// Go to https://aka.ms/wvdgetstarted and review additional guidance for diagnostics in the How To section.\r\n// Our troubleshooting guidance has information on escalation paths.","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/applicationgroups","microsoft.desktopvirtualization/hostpools","microsoft.desktopvirtualization/workspaces"]}},{"id":"b544ac5e-b9ef-11ea-9479-c8348e03e0b8","displayName":"Top 10 feed errors","description":"Returns the top 10 deployment-side feed errors by user count.","body":"// You can replace \"UserName\" in the query by \"CorrelationId\" to see how many feed refresh attempts each error has impacted.\r\n// The \"CorrelationId\" is unique for each feed refresh attempt. \r\n// The flag on \"ServiceError\" helps to focus on issues that are most likely mitigated by the administrator or end user.\r\n// Change the ActivityType based on the type of issues you are troubleshooting. 
\r\nWVDErrors \r\n| where ServiceError == \"false\" \r\n| where ActivityType == \"Feed\" \r\n| summarize UserCount = dcount(UserName), SampleMessage = take_any(Message) by CodeSymbolic\r\n| project SampleMessage, UserCount \r\n| top 10 by UserCount desc\r\n// Go to https://aka.ms/wvdgetstarted and review additional guidance for diagnostics in the How To section.\r\n// Our troubleshooting guidance has information on escalation paths.","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/applicationgroups","microsoft.desktopvirtualization/hostpools","microsoft.desktopvirtualization/workspaces"]}},{"id":"b544d256-b9ef-11ea-a8fb-c8348e03e0b8","displayName":"Connection Errors","description":"List connection checkpoints and errors for each connection attempt, along with detailed information across all users.","body":"//You can also uncomment the where clause to filter to a specific user if you are troubleshooting an issue. 
\r\nWVDConnections \r\n//| where UserName == \"upn.here@contoso.com\" \r\n| project-away TenantId,SourceSystem \r\n| summarize arg_max(TimeGenerated, *), StartTime = min(iff(State=='Started', TimeGenerated , datetime(null) )), ConnectTime = min(iff(State=='Connected', TimeGenerated , datetime(null) )) by CorrelationId \r\n| join kind=leftouter \r\n(\r\n WVDErrors\r\n |summarize Errors=make_list(pack('Code', Code, 'CodeSymbolic', CodeSymbolic, 'Time', TimeGenerated, 'Message', Message ,'ServiceError', ServiceError, 'Source', Source)) by CorrelationId \r\n) on CorrelationId\r\n| join kind=leftouter \r\n(\r\n WVDCheckpoints\r\n | summarize Checkpoints=make_list(pack('Time', TimeGenerated, 'Name', Name, 'Parameters', Parameters, 'Source', Source)) by CorrelationId \r\n | mv-apply Checkpoints on\r\n ( \r\n order by todatetime(Checkpoints['Time']) asc\r\n | summarize Checkpoints=make_list(Checkpoints)\r\n )\r\n) on CorrelationId \r\n| project-away CorrelationId1, CorrelationId2 \r\n| order by TimeGenerated desc","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/applicationgroups","microsoft.desktopvirtualization/hostpools","microsoft.desktopvirtualization/workspaces"]}},{"id":"b544d257-b9ef-11ea-8a32-c8348e03e0b8","displayName":"Session duration","description":"Lists the duration and connection type of each user's connections.","body":"// The \"State\" field provides information on the connection stage of an actitivity.\r\n// The delta between \"Connected\" and \"Completed\" provides the connection duration.\r\nWVDConnections \r\n| where State == \"Connected\" \r\n| project CorrelationId , UserName, ConnectionType , StartTime=TimeGenerated \r\n| join kind=inner\r\n(\r\n WVDConnections \r\n | where State == \"Completed\" \r\n | project EndTime=TimeGenerated, CorrelationId\r\n) on CorrelationId \r\n| project Duration = 
EndTime - StartTime, ConnectionType, UserName \r\n| sort by Duration desc","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"b544d258-b9ef-11ea-840c-c8348e03e0b8","displayName":"Top 10 users by average connection duration","description":"Lists 10 users with the longest average connection duration.","body":"// Connection activities have 3 states, this query demonstrates how to calculate the connection duration.\r\nWVDConnections \r\n| where State == \"Connected\" \r\n| project CorrelationId, UserName, ConnectionType, StartTime=TimeGenerated \r\n| join kind=inner\r\n(\r\n WVDConnections \r\n | where State == \"Completed\" \r\n | project EndTime=TimeGenerated, CorrelationId\r\n) on CorrelationId \r\n| project Duration = EndTime - StartTime, ConnectionType, UserName \r\n| summarize AVGDuration=avg(Duration) by UserName \r\n| sort by AVGDuration desc \r\n| limit 10","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"b544d259-b9ef-11ea-b62a-c8348e03e0b8","displayName":"Top 10 most active users","description":"Lists top 10 users by total connection duration.","body":"// The connection duration is the delta between \"Connected\" and \"Completed\" state.\r\nWVDConnections \r\n| where State == \"Connected\" \r\n| project CorrelationId , UserName, ConnectionType , StartTime=TimeGenerated \r\n| join kind=inner\r\n(\r\n WVDConnections \r\n | where State == \"Completed\" \r\n | project EndTime=TimeGenerated, CorrelationId\r\n) on CorrelationId \r\n| extend SessionDuration = EndTime - StartTime\r\n| summarize TotalConnectionTime = sum(SessionDuration) by UserName, ConnectionType\r\n| top 10 by TotalConnectionTime 
desc","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"b544d25a-b9ef-11ea-9067-c8348e03e0b8","displayName":"Average connection duration by hostpool","description":"Ranks hostpools by average connection duration.","body":"// Characterize the usage pattern of all hostpools in the current Log Analytics scope\r\nWVDConnections \r\n| where State == \"Connected\"\r\n| project ResourceAlias, CorrelationId, StartTime=TimeGenerated, _ResourceId\r\n| join kind = leftouter \r\n(\r\n WVDConnections \r\n | where State == \"Completed\" \r\n | project EndTime=TimeGenerated, CorrelationId\r\n) on CorrelationId\r\n// If connection hasn't completed yet, it is still running so the end time can be assumed to be now (duration so far)\r\n| project Duration = coalesce(EndTime, now()) - StartTime, _ResourceId\r\n| summarize AvgDuration=avg(Duration) by _ResourceId\r\n| parse _ResourceId with \"/subscriptions/\" subscription \"/resourcegroups/\" ResourceGroup \"/providers/microsoft.desktopvirtualization/hostpools/\" HostPool\r\n| project ResourceGroup, HostPool, AvgDuration\r\n| sort by AvgDuration desc","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"b544d25b-b9ef-11ea-b824-c8348e03e0b8","displayName":"Published remote resources by count of users","description":"Produces a bar chart of published resources by the number of users that have launched them.","body":"// The checkpoints table keeps track of any individual remote application or desktop a user has started from the remote desktop client UI. 
\r\n// Note: These logs will only reflect applications published as RemoteApp; applications started within a published desktop session are not individually captured and only show as the overall remote desktop connection.\r\nWVDCheckpoints \r\n| where Name == \"LaunchExecutable\" \r\n| extend App = parse_json(Parameters).filename \r\n| summarize Usage = dcount(UserName) by tostring(App) \r\n| sort by Usage desc \r\n| render barchart","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/applicationgroups","microsoft.desktopvirtualization/hostpools","microsoft.desktopvirtualization/workspaces"]}},{"id":"b544d25c-b9ef-11ea-94c4-c8348e03e0b8","displayName":"Client-side operating system information by user count","description":"Produces a bar chart of operating systems used on client devices connecting to the deployment.","body":"// Use this query to understand which OS version users have installed on the devices they are connecting from. 
\r\nWVDConnections \r\n| summarize UserCount=dcount(UserName) by ClientOS \r\n| sort by UserCount desc \r\n| render barchart","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"b544d25d-b9ef-11ea-870f-c8348e03e0b8","displayName":"Azure Virtual Desktop client usage information","description":"List of client types and versions used by users connecting to the deployment.","body":"WVDConnections \r\n| summarize UserCount=dcount(UserName) by ClientType, ClientVersion \r\n| sort by ClientVersion, ClientType, UserCount desc","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"b544d25e-b9ef-11ea-96fb-c8348e03e0b8","displayName":"Average session logon time","description":"Lists the average session logon time by host pool and session state.","body":"WVDConnections \r\n| where TimeGenerated > ago(24h)\r\n| where State == \"Started\"\r\n| project CorrelationId , UserName, ConnectionType , StartTime=TimeGenerated, _ResourceId\r\n| join kind=inner\r\n(\r\n WVDConnections\r\n | where State == \"Connected\" \r\n | project ConnectTime=TimeGenerated, CorrelationId\r\n) on CorrelationId\r\n| join kind=inner\r\n( \r\n WVDCheckpoints\r\n | where Name =~ \"LoadBalancedNewConnection\"\r\n | extend LoadBalanceOutcome=tostring(parse_json(Parameters).LoadBalanceOutcome)\r\n) on CorrelationId \r\n| project Duration = ConnectTime - StartTime, _ResourceId, Session=case(LoadBalanceOutcome in (\"Active\", \"Disconnected\"), \"ExistingSession\", LoadBalanceOutcome == \"Pending\", \"Creating\", LoadBalanceOutcome)\r\n// Exclude connections that are happening while another connection kicked off the session creation, since results will be inconclusive\r\n| 
where Session != \"Creating\"\r\n| summarize AvgDuration=avg(Duration) by _ResourceId, Session\r\n| parse _ResourceId with \"/subscriptions/\" subscription \"/resourcegroups/\" ResourceGroup \"/providers/microsoft.desktopvirtualization/hostpools/\" HostPool\r\n| project ResourceGroup, HostPool, Session, AvgDuration\r\n| sort by AvgDuration desc","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"39382287-7d94-4b21-a8ee-e2f08b55f721","displayName":"Average round-trip time over time","description":"Display a graph of round-trip time (in Milliseconds) across all connections in 10 min intervals at the 10th, 50th, and 90th percentiles.","body":"WVDConnectionNetworkData\r\n| summarize percentiles(EstRoundTripTimeInMs, 90, 50, 10) by bin(TimeGenerated,10m)\r\n| render timechart","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"304217d6-6dcf-498e-b052-8fda82967980","displayName":"Average BW across all connections","description":"Displays a graph of bandwidth (in Kilobytes per second) across all connections over 10 min intervals at the 10th, 50th, and 90th percentiles.","body":"WVDConnectionNetworkData\r\n| summarize percentiles(EstAvailableBandwidthKBps, 90, 50, 10) by bin(TimeGenerated,10m)\r\n| render timechart","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":false}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"66f7c5e9-bf9f-4ce8-b1d9-5f74c9e58749","displayName":"Bandwidth for a specific user","description":"Display a graph of bandwidth (in Kilobytes per second) over time for a 
specific user.","body":"let user = \"user@contoso.com\";\r\nWVDConnectionNetworkData\r\n| join kind=leftsemi\r\n(\r\n WVDConnections\r\n | where UserName == user\r\n | distinct CorrelationId\r\n) on CorrelationId\r\n| project EstAvailableBandwidthKBps, TimeGenerated\r\n| render columnchart with (xcolumn=TimeGenerated, ycolumns=EstAvailableBandwidthKBps)","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"2a537cac-6349-435a-8bbd-4cf2d1d3819a","displayName":"Round-trip time for a specific user","description":"Display a graph of round-trip time (in Milliseconds) over time for a specific user","body":"let user = \"user@contoso.com\";\r\nWVDConnectionNetworkData\r\n| join kind=leftsemi\r\n(\r\n WVDConnections\r\n | where UserName == user\r\n | distinct CorrelationId\r\n) on CorrelationId\r\n| render columnchart with (xcolumn=TimeGenerated, ycolumns=EstRoundTripTimeInMs)\r\n","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"a92ee56d-4ba3-49f5-9966-bd66cb58063f","displayName":"Top 10 users with the highest round-trip time","description":"Returns a list of the top 10 users with the highest average round-trip time (in Milliseconds).","body":"WVDConnectionNetworkData\r\n| join kind=leftouter \r\n(\r\n WVDConnections\r\n | where State == \"Completed\"\r\n | distinct CorrelationId, UserName\r\n) on CorrelationId\r\n| summarize AvgRTT=round(avg(EstRoundTripTimeInMs)), RTT_P95=percentile(EstRoundTripTimeInMs, 95) by UserName\r\n| top 10 by AvgRTT 
desc","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"91eb68a2-9d4f-4e83-86e3-323f414b4b96","displayName":"Top 10 users with lowest bandwidth","description":"Returns a list of the top 10 users with the lowest average bandwidth (in Kilobytes per second).","body":"WVDConnectionNetworkData\r\n| join kind=inner \r\n(\r\n WVDConnections\r\n | where State == \"Completed\"\r\n | distinct CorrelationId, UserName\r\n) on CorrelationId\r\n| summarize AvgBW=avg(EstAvailableBandwidthKBps), BW_P95=percentile(EstAvailableBandwidthKBps,95) by UserName\r\n| top 10 by AvgBW asc","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"7fb96445-e76f-41dc-8edb-22803c52c8af","displayName":"Summary of Round-trip time and bandwidth","description":"Returns the 90th percentiles for round-trip time (in Milliseconds) and bandwidth (in Kilobytes) for each connection along with additional connection details.","body":"WVDConnectionNetworkData\r\n| summarize RTTP90=percentile(EstRoundTripTimeInMs,90), BWP90=percentile(EstAvailableBandwidthKBps,90), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by CorrelationId\r\n| join kind=inner\r\n(\r\n WVDConnections\r\n | where State == \"Connected\"\r\n | extend Protocol = iif(UdpUse in (\"0\", \"\"), \"TCP\", \"UDP\")\r\n) on CorrelationId\r\n| project CorrelationId, StartTime, EndTime, UserName, SessionHostName, RTTP90, BWP90, Protocol, ClientOS, ClientType, ClientVersion, ConnectionType, ResourceAlias, 
SessionHostSxSStackVersion","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"0932fe64-c205-11ea-8cfc-c8348e03e0b8","displayName":"All Events in the past hour","description":"All Events in the past hour.","body":"Event\n| where TimeGenerated > ago(1h)\n| sort by TimeGenerated desc","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"solutions":["LogManagement"]}},{"id":"09339aab-c205-11ea-b403-c8348e03e0b8","displayName":"Events started","description":"Events started by event ID.","body":"Event\n| where RenderedDescription contains \"started\" \n| summarize count() by EventID","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"solutions":["LogManagement"]}},{"id":"09339aac-c205-11ea-ad1e-c8348e03e0b8","displayName":"Events by event source","description":"Events by event source.","body":"Event\n| summarize count() by Source","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"solutions":["LogManagement"]}},{"id":"09339aad-c205-11ea-9405-c8348e03e0b8","displayName":"Events by event ID","description":"Top 10 events by event ID.","body":"Event \n| summarize count() by EventID\n| top 10 by count_","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"solutions":["LogManagement"]}},{"id":"09339aae-c205-11ea-a66c-c8348e03e0b8","displayName":"Warning events","description":"Warning events sortd by time.","body":"Event \n| where EventLevelName == \"warning\" \n| sort by TimeGenerated 
desc","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"solutions":["LogManagement"]}},{"id":"09339aaf-c205-11ea-8a79-c8348e03e0b8","displayName":"Count of warning events","description":"Count of warning events by event ID.","body":"Event \n| where EventLevelName == \"warning\" \n| summarize count() by EventID","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"solutions":["LogManagement"]}},{"id":"09339ab0-c205-11ea-8471-c8348e03e0b8","displayName":"Events in OM between 2000 to 3000","description":"Operation manger events with IDs in range of 2000 to 3000.","body":"Event \n| where EventLog == \"Operations Manager\" and (EventID >= 2000 and EventID = 400 and toint(httpStatusCode_s ) = 400\n// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics\n| where OperationName == \"Microsoft.Cdn/Profiles/AccessLog/Write\" and Category == \"AzureCdnAccessLog\" \n| where isReceivedFromClient_b == true\n| where toint(httpStatusCode_s) >= 400\n| summarize RequestCount = count() by UserAgent = userAgent_s, StatusCode = httpStatusCode_s , Resource, _ResourceId\n| order by RequestCount desc","tags":{"Topic":["Errors","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.cdn/profiles"]}},{"id":"ddf44596-d5a6-11ea-a8af-c8348e03e0b8","displayName":"[Microsoft CDN (classic)] Top 10 URL request count","description":"Show top 10 URLs by request count.","body":"// top URLs by request count\n// Render line chart showing total requests per hour . 
\n// Summarize number of requests per hour \nAzureDiagnostics\n| where OperationName == \"Microsoft.Cdn/Profiles/AccessLog/Write\" and Category == \"AzureCdnAccessLog\" \n| where isReceivedFromClient_b == true\n| summarize UserRequestCount = count() by requestUri_s\n| order by UserRequestCount\n| limit 10","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.cdn/profiles"]}},{"id":"ddf44597-d5a6-11ea-ae46-c8348e03e0b8","displayName":"[Microsoft CDN (classic)] Unique IP request count","description":"Show Unique IP request count.","body":"AzureDiagnostics\n| where OperationName == \"Microsoft.Cdn/Profiles/AccessLog/Write\"and Category == \"AzureCdnAccessLog\"\n| where isReceivedFromClient_b == true\n| summarize dcount(clientIp_s) by bin(TimeGenerated, 1h)\n| render timechart ","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.cdn/profiles"]}},{"id":"ddf44598-d5a6-11ea-bdfc-c8348e03e0b8","displayName":"[Microsoft CDN (classic)] Top 10 client IPs and HTTP versions","description":"Show top 10 client IPs and http versions.","body":"// Top 10 client IPs and http versions \n// Show top 10 client IPs and http versions. 
\n// Summarize top 10 client ips and http versions\nAzureDiagnostics\n| where OperationName == \"Microsoft.Cdn/Profiles/AccessLog/Write\" and Category == \"AzureCdnAccessLog\"\n| where isReceivedFromClient_b == true\n| summarize RequestCount = count() by ClientIP = clientIp_s, HttpVersion = httpVersion_s, Resource\n| top 10 by RequestCount \n| order by RequestCount desc","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.cdn/profiles"]}},{"id":"8062ec5b-0436-534c-357d-a1a9750542fd","displayName":"[Azure Front Door Standard/Premium] Top 20 blocked clients by IP and rule","description":"Show top 20 blocked clients by IP and rule name.","body":"AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.CDN\" and Category == \"FrontDoorWebApplicationFirewallLog\"\r\n| where action_s == \"Block\"\r\n| summarize RequestCount = count() by ClientIP = clientIP_s, UserAgent = userAgent_s, RuleName = ruleName_s,Resource\r\n| top 20 by RequestCount \r\n| order by RequestCount desc","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.cdn/profiles"]}},{"id":"b6e396a1-49f4-002e-943b-9bcf087a3b58","displayName":"[Azure Front Door Standard/Premium] Requests to origin by route","description":"Count number of requests for each route and origin per minute. 
Summarize number of requests per minute for each route and origin.","body":"AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.CDN\" and Category == \"FrontDoorAccessLog\"\r\n| summarize RequestCount = count() by bin(TimeGenerated, 1m), Resource, RouteName = routingRuleName_s, originName = originName_s, ResourceId","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.cdn/profiles"]}},{"id":"100c8fe9-2f3e-4899-6ef4-6d70047d3f84","displayName":"[Azure Front Door Standard/Premium] Request errors by user agent","description":"Count number of requests with error responses by user agent. Summarize number of requests per user agent and status codes >= 400.","body":"AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.CDN\" and Category == \"FrontDoorAccessLog\"\r\n| where toint(httpStatusCode_s) >= 400\r\n| summarize RequestCount = count() by UserAgent = userAgent_s, StatusCode = httpStatusCode_s , Resource, ResourceId\r\n| order by RequestCount desc","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.cdn/profiles"]}},{"id":"ae03d069-6d7a-2ecd-81e4-dbc6b6337f92","displayName":"[Azure Front Door Standard/Premium] Top 10 client IPs and http versions","description":"Show top 10 client IPs and http versions by request count.","body":"AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.CDN\" and Category == \"FrontDoorAccessLog\"\r\n| summarize RequestCount = count() by ClientIP = clientIp_s, HttpVersion = httpVersion_s, Resource\r\n|top 10 by RequestCount \r\n| order by RequestCount desc","tags":{"Topic":["Usage and 
Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.cdn/profiles"]}},{"id":"19ef0e4b-2959-3cb3-22ee-594fa7417cde","displayName":"[Azure Front Door Standard/Premium] Request errors by host and path","description":"Count number of requests with error responses by host and path. Summarize number of requests by host, path, and status codes >= 400.","body":"AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.CDN\" and Category == \"FrontDoorAccessLog\"\r\n| where toint(httpStatusCode_s) >= 400\r\n| extend ParsedUrl = parseurl(requestUri_s)\r\n| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), StatusCode = httpStatusCode_s, ResourceId\r\n| order by RequestCount desc","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.cdn/profiles"]}},{"id":"a9d51280-2768-856a-84f6-e5a4396a6997","displayName":"[Azure Front Door Standard/Premium] Firewall blocked request count per hour","description":"Count number of firewall blocked requests per hour. 
Summarize number of firewall blocked requests per hour by policy.","body":"AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.CDN\" and Category == \"FrontDoorWebApplicationFirewallLog\"\r\n| where action_s == \"Block\"\r\n| summarize RequestCount = count() by bin(TimeGenerated, 1h), Policy = policy_s, PolicyMode = policyMode_s, Resource, ResourceId\r\n| order by RequestCount desc\r\n","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.cdn/profiles"]}},{"id":"adec1d64-576d-4536-2459-b9181ce6a440","displayName":"[Azure Front Door Standard/Premium] Firewall request count by host, path, rule, and action","description":"Count firewall processed requests by host, path, rule, and action taken. Summarize request count by host, path, rule, and action.","body":"AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.CDN\" and Category == \"FrontDoorWebApplicationFirewallLog\"\r\n| extend ParsedUrl = parseurl(requestUri_s)\r\n| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), RuleName = ruleName_s, Action = action_s, ResourceId\r\n| order by RequestCount desc\r\n","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.cdn/profiles"]}},{"id":"7cce0397-0d02-0d98-29de-f79a1f3a1cd6","displayName":"[Azure Front Door Standard/Premium] Requests per hour","description":"Render line chart showing total requests per hour for each FrontDoor resource.","body":"AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.CDN\" and Category == \"FrontDoorWebApplicationFirewallLog\"\r\n| summarize RequestCount = count() by bin(TimeGenerated, 1h), Resource, ResourceId\r\n| render timechart \r\n","tags":{"Topic":["Usage and 
Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.cdn/profiles"]}},{"id":"02343258-23f7-8f05-682f-4dede54b8f38","displayName":"[Azure Front Door Standard/Premium] Top 10 URL request count","description":"Show top 10 URLs by request count.","body":"AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.CDN\" and Category == \"FrontDoorAccessLog\"\r\n| summarize UserRequestCount = count() by requestUri_s\r\n| order by UserRequestCount\r\n| limit 10\r\n","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.cdn/profiles"]}},{"id":"805cb7a6-792e-93f1-9292-d71efaf296f2","displayName":" [Azure Front Door Standard/Premium] Top 10 URL request count ","description":" Show egress from AFD edge by URL. Change bins resolution from 1hr to 5m to get real time results.","body":"AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.CDN\" and Category == \"FrontDoorAccessLog\"\r\n| summarize ResponseBytes = sum(toint(responseBytes_s)) by requestUri_s\r\n","tags":{"Topic":["Usage and Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.cdn/profiles"]}},{"id":"c1a54a83-064c-248a-1328-77d03fd914d1","displayName":"[Azure Front Door Standard/Premium] Unique IP request count","description":"Show unique IP request count.","body":"AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.CDN\" and Category == \"FrontDoorAccessLog\"\r\n| summarize dcount(clientIp_s) by bin(TimeGenerated, 1h)\r\n| render timechart\r\n","tags":{"Topic":["Usage and 
Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.cdn/profiles"]}},{"id":"ddf44599-d5a6-11ea-930c-c8348e03e0b8","displayName":"What data is being collected?","description":"List the collected performance counters and object types.","body":"InsightsMetrics\n| where Origin == \"vm.azm.ms\"\n| summarize by Namespace, Name","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachinescalesets"]}},{"id":"ddf4459a-d5a6-11ea-a6e8-c8348e03e0b8","displayName":"Virtual Machine available memory","description":"Virtual Machine available memory.","body":"InsightsMetrics\n| where TimeGenerated > ago(1h)\n| where Origin == \"vm.azm.ms\"\n| where Namespace == \"Memory\"\n| where Name == \"AvailableMB\"\n| summarize avg(Val) by bin(TimeGenerated, 5m), Computer\n| render timechart ","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachinescalesets"]}},{"id":"ddf4459b-d5a6-11ea-85e5-c8348e03e0b8","displayName":"Chart CPU usage trends by computer","description":"Calculate CPU usage patterns over the last hour, chart by percentiles.","body":"InsightsMetrics\n| where TimeGenerated > ago(1h)\n| where Origin == \"vm.azm.ms\"\n| where Namespace == \"Processor\"\n| where Name == \"UtilizationPercentage\"\n| summarize avg(Val) by bin(TimeGenerated, 5m), Computer //split up by computer\n| render timechart","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachinescalesets"]}},{"id":"ddf4459c-d5a6-11ea-bcd7-c8348e03e0b8","displayName":"Virtual Machine 
free disk space ","description":"Show the latest report of free disk space, per instance.","body":"InsightsMetrics\n| where TimeGenerated > ago(1h)\n| where Origin == \"vm.azm.ms\"\n| where Namespace == \"LogicalDisk\"\n| where Name == \"FreeSpaceMB\"\n| extend t=parse_json(Tags)\n| summarize arg_max(TimeGenerated, *) by tostring(t[\"vm.azm.ms/mountId\"]), Computer // arg_max over TimeGenerated returns the latest record\n| project Computer, TimeGenerated, t[\"vm.azm.ms/mountId\"], Val","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachinescalesets"]}},{"id":"ddf4459d-d5a6-11ea-b154-c8348e03e0b8","displayName":"Track VM Availability using Heartbeat ","description":"Display the VM's reported availability during the last hour.","body":"InsightsMetrics\n| where TimeGenerated > ago(1h)\n| where Origin == \"vm.azm.ms\"\n| where Namespace == \"Computer\"\n| where Name == \"Heartbeat\"\n| summarize heartbeat_count = count() by bin(TimeGenerated, 5m), Computer\n| extend alive=iff(heartbeat_count > 2, 1.0, 0.0) //computer considered \"down\" if it has 2 or fewer heartbeats in 5 min interval\n| project TimeGenerated, alive, Computer\n| render timechart with (ymin = 0, ymax = 1) ","tags":{"Topic":["Availability"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachinescalesets"]}},{"id":"ddf4459e-d5a6-11ea-b023-c8348e03e0b8","displayName":"Top 10 Virtual Machines by CPU utilization","description":"Top 10 Virtual Machines by CPU utilization.","body":"InsightsMetrics\n| where TimeGenerated > ago(1h)\n| where Origin == \"vm.azm.ms\"\n| where Namespace == \"Processor\" and Name == \"UtilizationPercentage\"\n| summarize P90 = percentile(Val, 90) by Computer\n| top 10 by 
P90","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachinescalesets"]}},{"id":"ddf4459f-d5a6-11ea-b7ce-c8348e03e0b8","displayName":"Bottom 10 Free disk space %","description":"Bottom 10 Free disk space % by computer.","body":"InsightsMetrics\n| where TimeGenerated > ago(24h)\n| where Origin == \"vm.azm.ms\"\n| where Namespace == \"LogicalDisk\" and Name == \"FreeSpacePercentage\"\n| summarize P90 = percentile(Val, 90) by Computer\n| top 10 by P90 asc","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachinescalesets"]}},{"id":"ddf445a0-d5a6-11ea-8c67-c8348e03e0b8","displayName":"Logical disk space % below threshold","description":"Logical disk space % below threshold.","body":"let _minValue = 10; // Set the minValue according to your needs\nInsightsMetrics\n| where TimeGenerated >= ago(1h) // choose time to observe \n| where Origin == \"vm.azm.ms\"\n| where Namespace == \"LogicalDisk\" and Name == \"FreeSpacePercentage\"\n| where Val =35\n| summarize arg_max(TimeGenerated, *) by RecommendationId","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["ADAssessment"]}},{"id":"ddf445a9-d5a6-11ea-b635-c8348e03e0b8","displayName":"SQL Recommendations by Focus Area","description":"Count all SQL reccomendations by focus area.","body":"SQLAssessmentRecommendation\n| summarize AggregatedValue = count() by FocusArea","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"solutions":["SQLAssessment"]}},{"id":"ddf445aa-d5a6-11ea-8aae-c8348e03e0b8","displayName":"SQL Recommendations by 
Computer","description":"Count SQL recommendations with failed result by computer.","body":"SQLAssessmentRecommendation\n| where RecommendationResult == \"Failed\"\n| summarize AggregatedValue = count() by Computer","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"solutions":["SQLAssessment"]}},{"id":"ddf445ab-d5a6-11ea-8a6f-c8348e03e0b8","displayName":"SQL Recommendations by Instance","description":"Count SQL recommendations with failed result by instance.","body":"SQLAssessmentRecommendation\n| where RecommendationResult == \"Failed\"\n| summarize AggregatedValue = count() by SqlInstanceName","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"solutions":["SQLAssessment"]}},{"id":"ddf445ac-d5a6-11ea-b1c0-c8348e03e0b8","displayName":"SQL Recommendations by Database","description":"Count SQL recommendations with failed result by database.","body":"SQLAssessmentRecommendation\n| where RecommendationResult == \"Failed\"\n| summarize AggregatedValue = count() by DatabaseName","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"solutions":["SQLAssessment"]}},{"id":"ddf445ad-d5a6-11ea-af86-c8348e03e0b8","displayName":"SQL Recommendations by AffectedObjectType","description":"Count SQL recommendations with failed result by affected object type.","body":"SQLAssessmentRecommendation\n| where RecommendationResult == \"Failed\"\n| summarize AggregatedValue = count() by AffectedObjectType","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"solutions":["SQLAssessment"]}},{"id":"ddf445ae-d5a6-11ea-a8f6-c8348e03e0b8","displayName":"How many times did each unique SQL Recommendation 
trigger?","description":"Count SQL recommendations with failed result by recommendation.","body":"SQLAssessmentRecommendation\n| where RecommendationResult == \"Failed\"\n| summarize AggregatedValue = count() by Recommendation","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["workloads"],"solutions":["SQLAssessment"]}},{"id":"ddf445af-d5a6-11ea-93db-c8348e03e0b8","displayName":"High priority SQL Assessment recommendations","description":"Latest high priority security recommendation with result failed by recommendation Id.","body":"SQLAssessmentRecommendation\n| where FocusArea == 'Security and Compliance' and RecommendationResult == 'Failed' and RecommendationScore>=35\n| summarize arg_max(TimeGenerated, *) by RecommendationId","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SQLAssessment"]}},{"id":"ddf445b0-d5a6-11ea-bc48-c8348e03e0b8","displayName":"All Security Activities","description":"Security activities sorted by time (newest first).","body":"SecurityEvent\n| project TimeGenerated, Account, Activity, Computer\n| sort by TimeGenerated desc","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"ddf445b1-d5a6-11ea-babb-c8348e03e0b8","displayName":"Security Activities on the Device","description":"Security activities on a specific device sorted by time (newest first).","body":"SecurityEvent \n//| where Computer == \"COMPUTER01.contoso.com\" // Replace with a specific computer name\n| project TimeGenerated, Account, Activity, Computer\n| sort by TimeGenerated 
desc","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"ddf445b2-d5a6-11ea-85c6-c8348e03e0b8","displayName":"Security Activities for Admin","description":"Security activities on a specific device for administrator sorted by time (newest first).","body":"SecurityEvent \n//| where Computer == \"COMPUTER01.contoso.com\" // Replace with a specific computer name\n| where TargetUserName == \"Administrator\"\n| project TimeGenerated, Account, Activity, Computer\n| sort by TimeGenerated desc","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"ddf445b3-d5a6-11ea-90d5-c8348e03e0b8","displayName":"Logon Activity by Device","description":"Counts logon activities per device.","body":"SecurityEvent\n| where EventID == 4624\n| summarize LogonCount = count() by Computer","tags":{"Topic":["Security logon"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"ddf445b4-d5a6-11ea-9688-c8348e03e0b8","displayName":"Devices With More Than 10 Logons","description":"Counts logon activities per devices with more than 10 logons.","body":"SecurityEvent\n| where EventID == 4624\n| summarize LogonCount = count() by Computer\n| where LogonCount > 10","tags":{"Topic":["Security logon"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"ddf445b5-d5a6-11ea-a854-c8348e03e0b8","displayName":"Accounts Terminated Antimalware","description":"Accounts which terminated Microsoft Antimalware.","body":"SecurityEvent\n| where EventID == 4689\n| where Process has \"MsMpEng.exe\" or ParentProcessName has \"MsMpEng.exe\"\n| summarize 
TerminationCount = count() by Account","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"ddf445b6-d5a6-11ea-a2ab-c8348e03e0b8","displayName":"Devices with Antimalware Terminated","description":"Devices which terminated Microsoft Antimalware.","body":"SecurityEvent\n| where EventID == 4689 \n| where Process has \"MsMpEng.exe\" or ParentProcessName has \"MsMpEng.exe\"\n| summarize TerminationCount = count() by Computer","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"ddf445b7-d5a6-11ea-916b-c8348e03e0b8","displayName":"Devices Where Hash Was Executed","description":"Devices where hash.exe was executed more than 5 times.","body":"SecurityEvent\n| where EventID == 4688\n| where Process has \"hash.exe\" or ParentProcessName has \"hash.exe\"\n| summarize ExecutionCount = count() by Computer\n| where ExecutionCount > 5","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"ddf445b8-d5a6-11ea-bc05-c8348e03e0b8","displayName":"Process Names Executed","description":"Lists number of executions per process.","body":"SecurityEvent\n| where EventID == 4688\n| summarize ExecutionCount = count() by NewProcessName","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"ddf445b9-d5a6-11ea-bdff-c8348e03e0b8","displayName":"Devices With Security Log Cleared","description":"Devices with securtiy log cleared.","body":"SecurityEvent\n| where EventID == 1102\n| summarize LogClearedCount = count() by 
Computer","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"ddf445ba-d5a6-11ea-83b5-c8348e03e0b8","displayName":"Logon Activity by Account","description":"Logon activity by account.","body":"SecurityEvent\n| where EventID == 4624\n| summarize LogonCount = count() by Account","tags":{"Topic":["Security logon"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"ddf445bb-d5a6-11ea-8592-c8348e03e0b8","displayName":"Accounts With Less Than 5 Times Logons","description":"Logon activity for accounts with less than 5 logons.","body":"SecurityEvent\n| where EventID == 4624\n| summarize LogonCount = count() by Account\n| where LogonCount ago(24h) \n| limit 50","tags":{"Topic":["Autoscale"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.insights/autoscalesettings"]}},{"id":"f82e75b8-dd42-11ea-b884-c8348e03e0b8","displayName":"Autoscale operation status","description":"Lists latest Autoscale operations, scale direction, instance count and it's status.","body":"AutoscaleScaleActionsLog\n| project TimeGenerated, ResourceId, CurrentInstanceCount, NewInstanceCount, ScaleDirection, ResultType\n| sort by TimeGenerated desc ","tags":{"Topic":["Autoscale"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.insights/autoscalesettings"]}},{"id":"f82e75b9-dd42-11ea-a8b1-c8348e03e0b8","displayName":"Autoscale failed operations","description":"List all reports of failed operations, over the last day.","body":"// To create an alert for this query, click '+ New alert rule'\nAutoscaleScaleActionsLog \n| where TimeGenerated > ago(24h) \n| where ResultType == 
\"Failed\"","tags":{"Topic":["Autoscale","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor","audit"],"resourceTypes":["microsoft.insights/autoscalesettings"]}},{"id":"f82e75ba-dd42-11ea-a077-c8348e03e0b8","displayName":"Review Autoscale evaluations","description":"Counts Autoscale evaluations in the last hour.","body":"AutoscaleEvaluationsLog\n| where TimeGenerated > ago(1h)\n| summarize count() by ResourceId, Profile, OperationName, EvaluationResult","tags":{"Topic":["Autoscale"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["monitor"],"resourceTypes":["microsoft.insights/autoscalesettings"]}},{"id":"f82e75bb-dd42-11ea-8cee-c8348e03e0b8","displayName":"Successful P2S connections","description":"Successful P2S connections in the last 12 hours.","body":"AzureDiagnostics \n| where TimeGenerated > ago(12h)\n| where Category == \"P2SDiagnosticLog\" and Message has \"Connection successful\"\n| project TimeGenerated, Resource ,Message","tags":{"Topic":["VPN Gateway","Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/virtualnetworkgateways"]}},{"id":"f82e75bc-dd42-11ea-bd9c-c8348e03e0b8","displayName":"Failed P2S connections","description":"Failed P2S connections in the last 12 hours.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureDiagnostics \n| where TimeGenerated > ago(12h)\n| where Category == \"P2SDiagnosticLog\" and Message has \"Connection failed\"\n| project TimeGenerated, Resource ,Message","tags":{"Topic":["VPN Gateway","Diagnostics","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/virtualnetworkgateways"]}},{"id":"f82e75bd-dd42-11ea-8c4d-c8348e03e0b8","displayName":"P2S 
connection count","description":"Active P2S connection count for the last 30 days.","body":"AzureMetrics \n| where TimeGenerated > ago(30d)\n| where MetricName == \"P2SConnectionCount\"\n| summarize by Maximum, bin(TimeGenerated,1h), Resource\n| render timechart","tags":{"Topic":["VPN Gateway","Metrics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/virtualnetworkgateways"]}},{"id":"f82e75be-dd42-11ea-bdca-c8348e03e0b8","displayName":"P2S bandwidth utilization","description":"Average P2S bandwidth utilization during the last 12 hours in bits/second.","body":"AzureMetrics\n| where TimeGenerated > ago(24h)\n| where MetricName == \"P2SBandwidth\" \n| summarize by Average, bin(TimeGenerated, 1h), Resource\n| render timechart","tags":{"Topic":["VPN Gateway","Metrics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/virtualnetworkgateways"]}},{"id":"f82e75bf-dd42-11ea-98ce-c8348e03e0b8","displayName":"Gateway configuration changes","description":"Successful gateway configuration changes made by administrator during the last 24 hours.","body":"AzureDiagnostics\n| where TimeGenerated > ago(24h)\n| where Category == \"GatewayDiagnosticLog\" and operationStatus_s == \"Success\" and configuration_ConnectionTrafficType_s == \"Internet\"\n| project TimeGenerated, Resource, OperationName, Message, operationStatus_s","tags":{"Topic":["VPN Gateway","Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/virtualnetworkgateways"]}},{"id":"f82e75c0-dd42-11ea-8d89-c8348e03e0b8","displayName":"Gateway throughput","description":"Aggregate gateway throughput in Bytes/sec.","body":"AzureMetrics \n| where TimeGenerated > ago(24h)\n| where MetricName == \"AverageBandwidth\"\n| 
summarize by Average, bin(TimeGenerated, 1h), Resource\n| render timechart","tags":{"Topic":["VPN Gateway","Metrics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/virtualnetworkgateways"]}},{"id":"f82e75c1-dd42-11ea-a974-c8348e03e0b8","displayName":"S2S tunnel connet/disconnect events","description":"S2S tunnel connet/disconnect events during the last 24 hours.","body":"AzureDiagnostics \n| where TimeGenerated > ago(24h)\n| where Category == \"TunnelDiagnosticLog\" and (status_s == \"Connected\" or status_s == \"Disconnected\")\n| project TimeGenerated, Resource , status_s, remoteIP_s, stateChangeReason_s","tags":{"Topic":["VPN Gateway","Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/virtualnetworkgateways"]}},{"id":"f82e75c2-dd42-11ea-a2f7-c8348e03e0b8","displayName":"BGP route updates","description":"BGP route updates over the last 24 hours.","body":"AzureDiagnostics\n| where TimeGenerated > ago(24h)\n| where Category == \"RouteDiagnosticLog\" and OperationName == \"BgpRouteUpdate\"","tags":{"Topic":["VPN Gateway","Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["network"],"resourceTypes":["microsoft.network/virtualnetworkgateways"]}},{"id":"f82e75c3-dd42-11ea-9a7f-c8348e03e0b8","displayName":"Update deployment failures","description":"Update deployment failures by device and update classification.","body":"WaaSDeploymentStatus\n| where DeploymentStatus == \"Failed\"\n| summarize arg_max(TimeGenerated, *) by ComputerID, UpdateClassification \n| project Computer, ComputerID, ReleaseName, UpdateCategory, UpdateClassification, DeploymentError, 
DeploymentErrorCode","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"f82e75c4-dd42-11ea-a402-c8348e03e0b8","displayName":"Devices pending reboot to complete update","description":"Devices with pending reboot to complete update.","body":"WaaSDeploymentStatus\n| where DetailedStatus == \"Reboot pending\"\n| summarize arg_max(TimeGenerated, *) by ComputerID, UpdateClassification\n| project Computer, ComputerID, DetailedStatus, ReleaseName, UpdateCategory, UpdateClassification, LastScan","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"f82e75c5-dd42-11ea-8046-c8348e03e0b8","displayName":"Distribution of device Servicing Branch","description":"Pie chart of devices distribution by servicing branch.","body":"WaaSUpdateStatus\n| summarize arg_max(TimeGenerated, *) by ComputerID\n| project ComputerID, OSServicingBranch\n| summarize dcount(ComputerID) by OSServicingBranch\n| render piechart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"f82e75c6-dd42-11ea-8b94-c8348e03e0b8","displayName":"Distribution of device OS Edition","description":"Counts devices by OS edition.","body":"WaaSUpdateStatus\n| summarize arg_max(TimeGenerated, *) by ComputerID\n| project TimeGenerated, ComputerID, OSEdition\n| summarize dcount(ComputerID) by OSEdition","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"f82e75c7-dd42-11ea-8a63-c8348e03e0b8","displayName":"Feature Update Deferral 
Configurations","description":"Chart of device count by feature update deferral configurations.","body":"WaaSUpdateStatus\n| summarize arg_max(TimeGenerated, *) by ComputerID\n| project TimeGenerated, ComputerID, FeatureDeferralDays\n| summarize dcount(ComputerID) by FeatureDeferralDays\n| sort by FeatureDeferralDays asc\n| render columnchart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"f82e75c8-dd42-11ea-9781-c8348e03e0b8","displayName":"Feature Update Pause Configurations","description":"Count devices by feature update pause configurations.","body":"WaaSUpdateStatus\n| summarize arg_max(TimeGenerated, *) by ComputerID\n| project TimeGenerated, ComputerID, FeaturePauseState\n| summarize dcount(ComputerID) by FeaturePauseState","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"f82e75c9-dd42-11ea-a3ab-c8348e03e0b8","displayName":"Quality Update Deferral Configurations","description":"Chart of device count by quality update deferral configurations.","body":"WaaSUpdateStatus\n| summarize arg_max(TimeGenerated, *) by ComputerID\n| project TimeGenerated, ComputerID, QualityDeferralDays\n| summarize dcount(ComputerID) by QualityDeferralDays\n| sort by QualityDeferralDays asc\n| render columnchart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"f82e75ca-dd42-11ea-a4de-c8348e03e0b8","displayName":"Quality Update Pause Configurations","description":"Count devices by quality update pause configurations.","body":"WaaSUpdateStatus\n| summarize arg_max(TimeGenerated, *) by ComputerID\n| project TimeGenerated, ComputerID, 
QualityPauseState\n| summarize dcount(ComputerID) by QualityPauseState","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"f3993b22-e78f-11ea-8d7e-c8348e03e0b8","displayName":"Devices with a Safeguard Hold","description":"This query shows the device data for all devices that are impacted by safeguard holds.","body":"WaaSDeploymentStatus\n| where DetailedStatus == \"Safeguard Hold\"\n| summarize arg_max(TimeGenerated, *) by ComputerID, UpdateClassification\n| project TimeGenerated, DetailedStatus, ComputerID, ReleaseName, UpdateCategory, UpdateClassification","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"f3998942-e78f-11ea-b0a9-c8348e03e0b8","displayName":"Target build distribution of devices with a safeguard hold","description":"Pie chart of target build distribution of devices impacted by safeguards.","body":"WaaSDeploymentStatus\n| where DetailedStatus == \"Safeguard Hold\"\n| summarize count(ComputerID) by TargetBuild\n| render piechart","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"f82e75cb-dd42-11ea-82ac-c8348e03e0b8","displayName":"All configuration changes","description":"Lists all configuration changes sorted by time (newest first).","body":"\nConfigurationChange\n| sort by TimeGenerated desc","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"solutions":["ChangeTracking"]}},{"id":"f82e75cc-dd42-11ea-a557-c8348e03e0b8","displayName":"Software changes","description":"Lists software changes sorted by time (newest 
first).","body":"ConfigurationChange\n| where ConfigChangeType == \"Software\"\n| sort by TimeGenerated desc","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"solutions":["ChangeTracking"]}},{"id":"f82e75cd-dd42-11ea-909e-c8348e03e0b8","displayName":"Service changes","description":"Lists service changes sorted by time (newest first).","body":"ConfigurationChange\n| where ConfigChangeType == \"Services\"\n| sort by TimeGenerated desc","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"solutions":["ChangeTracking"]}},{"id":"f82e75ce-dd42-11ea-b511-c8348e03e0b8","displayName":"Software change type per computer","description":"Count software changes by computer.","body":"ConfigurationChange \n| where ConfigChangeType == \"Software\"\n| summarize AggregatedValue = count() by Computer","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"solutions":["ChangeTracking"]}},{"id":"f82e75cf-dd42-11ea-bcfc-c8348e03e0b8","displayName":"Stopped services","description":"Lists stopped service changes sorted by time.","body":"ConfigurationChange \n| where ConfigChangeType == \"WindowsServices\" and SvcState == \"Stopped\" \n| sort by TimeGenerated desc","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"solutions":["ChangeTracking"]}},{"id":"f82e75d0-dd42-11ea-91f3-c8348e03e0b8","displayName":"Software change count per category","description":"Count software changes by change category.","body":"ConfigurationChange\n| where ConfigChangeType == \"Software\"\n| summarize AggregatedValue = count() by 
ChangeCategory","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"solutions":["ChangeTracking"]}},{"id":"f82e75d1-dd42-11ea-991a-c8348e03e0b8","displayName":"Recent stopped auto services","description":"Shows most recent services that were set to Auto but reported as being stopped.","body":"ConfigurationData\n| where ConfigDataType == \"WindowsServices\" and SvcStartupType == \"Auto\"\n| where SvcState == \"Stopped\"\n| summarize arg_max(TimeGenerated, *) by SoftwareName, Computer","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"solutions":["ChangeTracking"]}},{"id":"f82e75d2-dd42-11ea-b46b-c8348e03e0b8","displayName":"Removed software changes","description":"Shows change records for removed software.","body":"ConfigurationChange\n| where ConfigChangeType == \"Software\" and ChangeCategory == \"Removed\"\n| order by TimeGenerated desc","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"],"solutions":["ChangeTracking"]}},{"id":"be55aaa8-ec2b-11ea-8a0a-c8348e03e0b8","displayName":"Topics Average Delivery Latency","description":"Average Delivery Latency summarized by Topics, Event Subscriptions.","body":"AegDeliveryFailureLogs\n| parse _ResourceId with * \"/topics/\" TopicName\n| where TopicName!= \"\" // and TopicName == \"YOUR_TOPIC_NAME\"\n| parse Message with * \", latencyInMs=\" LatencyInMilliSecond \",\" *\n| summarize AverageDeliveryLatencyInMs = avg(todouble(LatencyInMilliSecond)) by TopicName, EventSubscriptionName\n// Uncomment to filter for a specific Topic 
Name","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/topics"]}},{"id":"be55f9e0-ec2b-11ea-a6d1-c8348e03e0b8","displayName":"Domains Average Delivery Latency ","description":"Average Delivery Latency summarized by Domains, Event Subscriptions and SubResourceName.","body":"AegDeliveryFailureLogs\n| parse _ResourceId with * \"/domains/\" DomainName\n| where DomainName != \"\" // and DomainName == \"YOUR_DOMAIN_NAME\"\n| parse Message with * \", latencyInMs=\" LatencyInMilliSecond \",\" *\n| summarize AverageDeliveryLatencyInMs = avg(todouble(LatencyInMilliSecond)) by DomainName, EventSubscriptionName, SubResourceName\n// Uncomment to filter by a specific Domain Name","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/domains"]}},{"id":"be55f9e1-ec2b-11ea-8a88-c8348e03e0b8","displayName":"Show application logs from Function Apps","description":"A list of application logs, sorted by time (latest logs shown first).","body":"FunctionAppLogs \n| project TimeGenerated, HostInstanceId, Message, _ResourceId\n| sort by TimeGenerated desc","tags":{"Topic":["App Logs","Function App"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","applications"],"resourceTypes":["microsoft.web/sites"]}},{"id":"be55f9e2-ec2b-11ea-857f-c8348e03e0b8","displayName":"Show logs with warnings or exceptions","description":"A list of logs which contain warnings or exceptions (latest logs shown first).","body":"FunctionAppLogs\n| where Level == \"Warning\" or Level == \"Error\"\n| project TimeGenerated, HostInstanceId, Level, Message, _ResourceId\n| sort by TimeGenerated desc","tags":{"Topic":["App Logs","Function 
App"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","applications"],"resourceTypes":["microsoft.web/sites"]}},{"id":"be55f9e3-ec2b-11ea-9759-c8348e03e0b8","displayName":"Error and exception count","description":"Show a column chart of the number of the logs containing warnings or errors in the last hour, per application.","body":"FunctionAppLogs \n| where TimeGenerated > ago(1h)\n| where Level == \"Warning\" or Level == \"Error\"\n| summarize count_per_app = count() by _ResourceId\n| sort by count_per_app desc \n| render columnchart","tags":{"Topic":["App Logs","Function App"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","applications"],"resourceTypes":["microsoft.web/sites"]}},{"id":"be55f9e4-ec2b-11ea-829f-c8348e03e0b8","displayName":"Function activity over time","description":"Line chart showing trend of Function requests volume, per Function over time.","body":"FunctionAppLogs\n//| where _ResourceId == \"MyResourceId\" // Uncomment and enter a resource ID to get results for a specific resource\n| where Category startswith \"Function.\" and Message startswith \"Executed \"\n| summarize count() by bin(TimeGenerated, 1h), FunctionName // Aggregate by hour\n| render timechart","tags":{"Topic":["Usage and Performance","Function App"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","applications"],"resourceTypes":["microsoft.web/sites"]}},{"id":"be55f9e5-ec2b-11ea-86be-c8348e03e0b8","displayName":"Function results","description":"Individual Function invocation results in the last hour (latest logs shown first).","body":"FunctionAppLogs\n| where TimeGenerated > ago(1h)\n| where Category startswith \"Function.\" and Message startswith \"Executed \"\n| parse Message with \"Executed '\" Name \"' (\" Result \", Id=\" Id \", Duration=\" Duration:long \"ms)\"\n| 
project TimeGenerated, FunctionName, Result, FunctionInvocationId, Duration, _ResourceId\n| sort by TimeGenerated desc","tags":{"Topic":["Usage and Performance","Function App"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","applications"],"resourceTypes":["microsoft.web/sites"]}},{"id":"be55f9e6-ec2b-11ea-b9e9-c8348e03e0b8","displayName":"Function Error rate","description":"Summarizing functions success and errors per hour.","body":"FunctionAppLogs\n| where Category startswith \"Function.\" and Message startswith \"Executed \"\n| parse Message with \"Executed '\" Name \"' (\" Result \", Id=\" Id \", Duration=\" Duration:long \"ms)\"\n// | where Name == \"MyFunction\" // Use this to restrict to a specific function\n| summarize count() by bin(TimeGenerated, 1h), Name, Result, _ResourceId\n| order by TimeGenerated desc ","tags":{"Topic":["Usage and Performance","Function App"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","applications"],"resourceTypes":["microsoft.web/sites"]}},{"id":"be55f9e7-ec2b-11ea-8b7b-c8348e03e0b8","displayName":"Slow Functions","description":"List of Function invocations that took longer than threshold.","body":"let threshold=1000; // let operator defines a constant that can be further used in the query\nFunctionAppLogs\n| where Category startswith \"Function.\" and Message startswith \"Executed \"\n| parse Message with \"Executed '\" Name \"' (\" Result \", Id=\" Id \", Duration=\" Duration:long \"ms)\"\n| project TimeGenerated, FunctionName, Result, FunctionInvocationId, Duration, _ResourceId\n| where Duration > threshold // Duration is recorded in milliseconds\n| sort by TimeGenerated desc","tags":{"Topic":["Usage and Performance","Function 
App"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","applications"],"resourceTypes":["microsoft.web/sites"]}},{"id":"9eb66810-f1da-11ea-9224-c8348e03e0b8","displayName":"Failed AS2 Messages by Send Partner","description":"Counts AS2 failed messages by send partner.","body":"search OperationName == \"Microsoft.Logic/integrationAccounts/trackingEvents\" and event_recordType_s == \"AS2Message\" and event_record_messageProperties_messageId_s in ((union *\n| where OperationName == \"Microsoft.Logic/integrationAccounts/trackingEvents\" and iff(isnotnull(toint(event_record_messageProperties_isMessageFailed_b)), event_record_messageProperties_isMessageFailed_b == true, event_record_messageProperties_isMessageFailed_b == \"true\") == true or (event_recordType_s == \"AS2MDN\" and (iff(isnotnull(toint(event_record_messageProperties_isMessageFailed_b)), event_record_messageProperties_isMessageFailed_b == true, event_record_messageProperties_isMessageFailed_b == \"true\") == true or event_record_messageProperties_statusCode_s == \"Rejected\"))\n| summarize AggregatedValue = count() by event_record_messageProperties_correlationMessageId_s))\n| summarize AggregatedValue = count() by event_record_agreementProperties_senderPartnerName_s","tags":{"Topic":["AS2 Message","LogicAppB2B"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"]}},{"id":"9eb6b446-f1da-11ea-9405-c8348e03e0b8","displayName":"Failed AS2 Messages by Receive Partner","description":"Counts AS2 failed messages by receive partner.","body":"search OperationName == \"Microsoft.Logic/integrationAccounts/trackingEvents\" and event_recordType_s == \"AS2Message\" and event_record_messageProperties_messageId_s in ((union *\n| where OperationName == \"Microsoft.Logic/integrationAccounts/trackingEvents\" and iff(isnotnull(toint(event_record_messageProperties_isMessageFailed_b)), 
event_record_messageProperties_isMessageFailed_b == true, event_record_messageProperties_isMessageFailed_b == \"true\") == true or (event_recordType_s == \"AS2MDN\" and (iff(isnotnull(toint(event_record_messageProperties_isMessageFailed_b)), event_record_messageProperties_isMessageFailed_b == true, event_record_messageProperties_isMessageFailed_b == \"true\") == true or event_record_messageProperties_statusCode_s == \"Rejected\"))\n| summarize AggregatedValue = count() by event_record_messageProperties_correlationMessageId_s))\n| summarize AggregatedValue = count() by event_record_agreementProperties_receiverPartnerName_s","tags":{"Topic":["AS2 Message","LogicAppB2B"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"]}},{"id":"9eb6b447-f1da-11ea-a670-c8348e03e0b8","displayName":"Failed AS2 Messages by Workflow","description":"Counts AS2 failed messages by workflow.","body":"search OperationName == \"Microsoft.Logic/integrationAccounts/trackingEvents\" and event_recordType_s == \"AS2Message\" and event_record_messageProperties_messageId_s in ((union *\n| where OperationName == \"Microsoft.Logic/integrationAccounts/trackingEvents\" and iff(isnotnull(toint(event_record_messageProperties_isMessageFailed_b)), event_record_messageProperties_isMessageFailed_b == true, event_record_messageProperties_isMessageFailed_b == \"true\") == true or (event_recordType_s == \"AS2MDN\" and (iff(isnotnull(toint(event_record_messageProperties_isMessageFailed_b)), event_record_messageProperties_isMessageFailed_b == true, event_record_messageProperties_isMessageFailed_b == \"true\") == true or event_record_messageProperties_statusCode_s == \"Rejected\"))\n| summarize AggregatedValue = count() by event_record_messageProperties_correlationMessageId_s))\n| summarize AggregatedValue = count() by source_workflow_name_s","tags":{"Topic":["AS2 
Message","LogicAppB2B"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"]}},{"id":"9eb6b448-f1da-11ea-bbaa-c8348e03e0b8","displayName":"Failed X12 Messages by Send Partner","description":"Counts X12 failed messages by send partner.","body":"search OperationName == \"Microsoft.Logic/integrationAccounts/trackingEvents\" and event_recordType_s == \"X12TransactionSet\" and event_record_messageProperties_messageType_s != \"997\" and event_record_messageProperties_messageType_s != \"999\" and event_record_messageProperties_correlationMessageId_s in ((union *\n| where (OperationName == \"Microsoft.Logic/integrationAccounts/trackingEvents\" and event_recordType_s == \"X12TransactionSetAcknowledgment\" and event_record_messageProperties_statusCode_s != \"Accepted\" and event_record_messageProperties_direction_s == \"Receive\") or (OperationName == \"Microsoft.Logic/integrationAccounts/trackingEvents\" and event_recordType_s == \"X12TransactionSet\" and event_record_messageProperties_messageType_s != \"997\" and event_record_messageProperties_messageType_s != \"999\" and event_record_messageProperties_direction_s == \"Receive\" and iff(isnotnull(toint(event_record_messageProperties_isFunctionalAcknowledgmentExpected_b)), event_record_messageProperties_isFunctionalAcknowledgmentExpected_b == true, event_record_messageProperties_isFunctionalAcknowledgmentExpected_b == \"true\") == true and iff(isnotnull(toint(event_record_messageProperties_isMessageFailed_b)), event_record_messageProperties_isMessageFailed_b == true, event_record_messageProperties_isMessageFailed_b == \"true\") == true)\n| summarize AggregatedValue = count() by event_record_messageProperties_correlationMessageId_s))\n| summarize AggregatedValue = count() by event_record_agreementProperties_senderPartnerName_s","tags":{"Topic":["X12 
Message","LogicAppB2B"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"]}},{"id":"9eb6b449-f1da-11ea-9d02-c8348e03e0b8","displayName":"Failed X12 Messages by Receive Partner","description":"Counts X12 failed messages by receive partner.","body":"search OperationName == \"Microsoft.Logic/integrationAccounts/trackingEvents\" and event_recordType_s == \"X12TransactionSet\" and event_record_messageProperties_messageType_s != \"997\" and event_record_messageProperties_messageType_s != \"999\" and event_record_messageProperties_correlationMessageId_s in ((union *\n| where (OperationName == \"Microsoft.Logic/integrationAccounts/trackingEvents\" and event_recordType_s == \"X12TransactionSetAcknowledgment\" and event_record_messageProperties_statusCode_s != \"Accepted\" and event_record_messageProperties_direction_s == \"Receive\") or (OperationName == \"Microsoft.Logic/integrationAccounts/trackingEvents\" and event_recordType_s == \"X12TransactionSet\" and event_record_messageProperties_messageType_s != \"997\" and event_record_messageProperties_messageType_s != \"999\" and event_record_messageProperties_direction_s == \"Receive\" and iff(isnotnull(toint(event_record_messageProperties_isFunctionalAcknowledgmentExpected_b)), event_record_messageProperties_isFunctionalAcknowledgmentExpected_b == true, event_record_messageProperties_isFunctionalAcknowledgmentExpected_b == \"true\") == true and iff(isnotnull(toint(event_record_messageProperties_isMessageFailed_b)), event_record_messageProperties_isMessageFailed_b == true, event_record_messageProperties_isMessageFailed_b == \"true\") == true)\n| summarize AggregatedValue = count() by event_record_messageProperties_correlationMessageId_s))\n| summarize AggregatedValue = count() by event_record_agreementProperties_receiverPartnerName_s","tags":{"Topic":["X12 
Message","LogicAppB2B"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"]}},{"id":"9eb6b44a-f1da-11ea-8c4a-c8348e03e0b8","displayName":"Failed X12 Messages by Workflow","description":"Counts X12 failed messages by workflow.","body":"search OperationName == \"Microsoft.Logic/integrationAccounts/trackingEvents\" and event_recordType_s == \"X12TransactionSet\" and event_record_messageProperties_messageType_s != \"997\" and event_record_messageProperties_messageType_s != \"999\" and event_record_messageProperties_correlationMessageId_s in ((union *\n| where (OperationName == \"Microsoft.Logic/integrationAccounts/trackingEvents\" and event_recordType_s == \"X12TransactionSetAcknowledgment\" and event_record_messageProperties_statusCode_s != \"Accepted\" and event_record_messageProperties_direction_s == \"Receive\") or (OperationName == \"Microsoft.Logic/integrationAccounts/trackingEvents\" and event_recordType_s == \"X12TransactionSet\" and event_record_messageProperties_messageType_s != \"997\" and event_record_messageProperties_messageType_s != \"999\" and event_record_messageProperties_direction_s == \"Receive\" and iff(isnotnull(toint(event_record_messageProperties_isFunctionalAcknowledgmentExpected_b)), event_record_messageProperties_isFunctionalAcknowledgmentExpected_b == true, event_record_messageProperties_isFunctionalAcknowledgmentExpected_b == \"true\") == true and iff(isnotnull(toint(event_record_messageProperties_isMessageFailed_b)), event_record_messageProperties_isMessageFailed_b == true, event_record_messageProperties_isMessageFailed_b == \"true\") == true)\n| summarize AggregatedValue = count() by event_record_messageProperties_correlationMessageId_s))\n| summarize AggregatedValue = count() by source_workflow_name_s","tags":{"Topic":["X12 
Message","LogicAppB2B"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"]}},{"id":"a6420dd9-f7fb-11ea-9194-c8348e03e0b8","displayName":"App Service Health","description":"Time series of App Service Health (over 5-minute intervals).","body":"AppServiceHTTPLogs \n| summarize (count() - countif(ScStatus >= 500)) * 100.0 / count() by bin(TimeGenerated, 5m), _ResourceId\n| render timechart ","tags":{"Topic":["Incoming requests"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.web/sites"]}},{"id":"a6428833-f7fb-11ea-8d8a-c8348e03e0b8","displayName":"Failure Categorization","description":"Categorize all requests which resulted in 5xx.","body":"AppServiceHTTPLogs \n//| where ResourceId = \"MyResourceId\" // Uncomment to get results for a specific resource Id when querying over a group of Apps\n| where ScStatus >= 500\n| reduce by strcat(CsMethod, ':\\\\', CsUriStem)","tags":{"Topic":["Incoming requests"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.web/sites"]}},{"id":"a6428834-f7fb-11ea-8313-c8348e03e0b8","displayName":"Response times of requests","description":"Average and 90th, 95th and 99th percentile response times (in milliseconds) per App Service.","body":"AppServiceHTTPLogs \n| summarize avg(TimeTaken), percentiles(TimeTaken, 90, 95, 99) by _ResourceId","tags":{"Topic":["Incoming requests"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.web/sites"]}},{"id":"a6428835-f7fb-11ea-b623-c8348e03e0b8","displayName":"Top 5 Clients","description":"Top 5 clients which are generating traffic.","body":"AppServiceHTTPLogs\n| top-nested of _ResourceId by dummy=max(0), // Display results for each resource (App)\n top-nested 5 of 
UserAgent by count()\n| project-away dummy // Remove dummy line from the result set","tags":{"Topic":["Incoming requests"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.web/sites"]}},{"id":"a6428836-f7fb-11ea-8392-c8348e03e0b8","displayName":"Top 5 Machines","description":"Top 5 machines which are generating traffic.","body":"AppServiceHTTPLogs\n| top-nested of _ResourceId by dummy=max(0), // Display results for each resource (App)\n top-nested 5 of CIp by count()\n| project-away dummy // Remove dummy line from the result set","tags":{"Topic":["Incoming requests"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.web/sites"]}},{"id":"a6428837-f7fb-11ea-bb94-c8348e03e0b8","displayName":"TriggerRuns Availability","description":"Gives the availability of the Trigger Runs.","body":"// To create an alert for this query, click '+ New alert rule'\nADFTriggerRun\n| where Status != 'Running' and Status != 'Waiting' and Status != 'WaitingOnDependency'\n| where TriggerFailureType != 'UserError'\n| summarize availability = 100.00 - (100.00*countif(Status != 'Succeeded') / count()) by bin(TimeGenerated, 1h), _ResourceId\n| order by TimeGenerated asc\n| render timechart","tags":{"Topic":["Availability","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"a6428838-f7fb-11ea-af2d-c8348e03e0b8","displayName":"PipelineRuns Availability","description":"Gives the availability of the Pipeline Runs.","body":"// To create an alert for this query, click '+ New alert rule'\nADFPipelineRun\n| where Status != 'InProgress' and Status != 'Queued'\n| where FailureType != 'UserError'\n| summarize availability = 100.00 - (100.00*countif(Status != 'Succeeded') / count()) by 
bin(TimeGenerated, 1h), _ResourceId\n| order by TimeGenerated asc\n| render timechart","tags":{"Topic":["Availability","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"a6428839-f7fb-11ea-aa48-c8348e03e0b8","displayName":"Activity Runs Availability","description":"Gives the availability of the Activity Runs.","body":"// To create an alert for this query, click '+ New alert rule'\nADFActivityRun\n| where Status != 'InProgress' and Status != 'Queued'\n| where FailureType != 'UserError'\n| summarize availability = 100.00 - (100.00*countif(Status != 'Succeeded') / count()) by bin(TimeGenerated, 1h), _ResourceId\n| order by TimeGenerated asc\n| render timechart","tags":{"Topic":["Availability","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"a642883a-f7fb-11ea-8c76-c8348e03e0b8","displayName":"Trigger runs Top 5 Failures","description":"Returns the top 5 triggers failing with system errors.","body":"let name = ADFTriggerRun\n| where Status != 'Running' and Status != 'Waiting' and Status != 'WaitingOnDependency'\n| where TriggerFailureType != 'UserError'\n| summarize failureCount = countif(Status != 'Succeeded') by TriggerName\n| top 5 by failureCount desc nulls last\n| where failureCount != 0\n| project TriggerName;\nADFTriggerRun \n| where TimeGenerated >= ago(24h)\n| where Status != 'Running' and Status != 'Waiting' and Status != 'WaitingOnDependency'\n| where TriggerFailureType != 'UserError'\n| where TriggerName in (name)\n| summarize failureCount = countif(Status != 'Succeeded') by bin(TimeGenerated, 1h), TriggerName\n| order by TimeGenerated asc\n| render 
timechart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"a642883b-f7fb-11ea-ae71-c8348e03e0b8","displayName":"Pipeline runs Top 5 Failures","description":"Returns the top 5 pipelines failing with system errors.","body":"let name = ADFPipelineRun\n| where Status != 'InProgress' and Status != 'Queued'\n| where FailureType != 'UserError'\n| summarize failureCount = countif(Status != 'Succeeded') by PipelineName\n| top 5 by failureCount desc nulls last\n| where failureCount != 0\n| project PipelineName;\nADFPipelineRun \n| where TimeGenerated >= ago(24h)\n| where Status != 'InProgress' and Status != 'Queued'\n| where FailureType != 'UserError'\n| where PipelineName in (name)\n| summarize failureCount = countif(Status != 'Succeeded') by bin(TimeGenerated, 1h), PipelineName\n| order by TimeGenerated asc\n| render timechart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"a642883c-f7fb-11ea-a8e7-c8348e03e0b8","displayName":"Activity runs Top 5 Failures","description":"Returns the top 5 activities failing with system errors.","body":"let name = ADFActivityRun\n| where Status != 'InProgress' and Status != 'Queued'\n| where FailureType != 'UserError'\n| summarize failureCount = countif(Status != 'Succeeded') by ActivityName\n| top 5 by failureCount desc nulls last\n| where failureCount != 0\n| project ActivityName;\nADFActivityRun \n| where TimeGenerated >= ago(24h)\n| where Status != 'InProgress' and Status != 'Queued'\n| where FailureType != 'UserError'\n| where ActivityName in (name)\n| summarize failureCount = countif(Status != 'Succeeded') by bin(TimeGenerated, 1h), ActivityName\n| order by TimeGenerated asc\n| render 
timechart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"a642883d-f7fb-11ea-9dfe-c8348e03e0b8","displayName":"Trigger runs latest Status","description":"Returns latest Status of Trigger runs.","body":"ADFTriggerRun\n| summarize argmax(TimeGenerated, * ) by TriggerId, Status, _ResourceId","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"a642883e-f7fb-11ea-95c6-c8348e03e0b8","displayName":"Pipeline runs latest Status","description":"Returns latest Status of pipeline runs.","body":"ADFPipelineRun\n| summarize argmax(TimeGenerated, * ) by RunId, Status, _ResourceId","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"a642883f-f7fb-11ea-832d-c8348e03e0b8","displayName":"Activity runs latest Status","description":"Returns latest Status of Activity runs.","body":"ADFActivityRun\n| summarize argmax(TimeGenerated, * ) by ActivityRunId, Status, _ResourceId","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"a6428840-f7fb-11ea-9f84-c8348e03e0b8","displayName":"Show logs from AzureDiagnostics table","description":"Lists the latest logs in AzureDiagnostics table, sorted by time (latest first).","body":"AzureDiagnostics\n| top 10 by TimeGenerated","tags":{"Topic":["Preview 
Data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","network"],"resourceTypes":["microsoft.network/networksecuritygroups","microsoft.network/virtualnetworks","microsoft.network/publicipaddresses"]}},{"id":"a6428841-f7fb-11ea-a564-c8348e03e0b8","displayName":"Show logs from AzureActivity table","description":"Lists the latest logs in AzureActivity table, sorted by time (latest first).","body":"AzureActivity\n| top 10 by TimeGenerated","tags":{"Topic":["Preview Data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","network"],"resourceTypes":["microsoft.network/networksecuritygroups","microsoft.network/virtualnetworks","microsoft.network/publicipaddresses"]}},{"id":"a6428842-f7fb-11ea-9339-c8348e03e0b8","displayName":"Show logs from AzureMetrics table","description":"Lists the latest logs in AzureMetrics table, sorted by time (latest first).","body":"AzureMetrics\n| top 10 by TimeGenerated","tags":{"Topic":["Preview Data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","network"],"resourceTypes":["microsoft.network/networksecuritygroups","microsoft.network/virtualnetworks","microsoft.network/publicipaddresses"]}},{"id":"c04f8b4c-8f78-8652-28db-d12cb5296bcb","displayName":"IPv4 NSG Flow Log Search","description":"Search through NSG flow logs for IPv4 traffic that is being allowed or denied through associated NSGs. Specify a source/destination IPv4 address as well as port number to quickly find traffic flow direction, traffic allow/deny status, and NSG rule name being executed.","body":"// The limit 100 caps the number of returned rows at 100; change it to get more.\r\n// Uncomment the bottom filter and specify a SourceIP value to filter by source IPv4 address. DestPort_d is a numeric value between 0 and 65535. 
Alternatively, you can specify DestinationIP instead of SourceIP as well as SrcPort_d as a value to flip the direction of the search.\r\nAzureNetworkAnalytics_CL \r\n| where SubType_s == \"FlowLog\"\r\n| extend FlowDirection = iff(FlowDirection_s == 'O', 'Outbound', 'Inbound')\r\n| extend AllowedOrDenied = iff(FlowStatus_s == 'A', 'Allowed', 'Denied')\r\n| extend SourceIP = iff(isempty(SrcIP_s), extract_all(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", SrcPublicIPs_s), SrcIP_s)\r\n| extend DestinationIP = iff(isempty(DestIP_s), extract_all(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", DestPublicIPs_s), DestIP_s)\r\n| extend Protocol = case(L4Protocol_s == 'T', \"TCP\", L4Protocol_s == 'U', \"UDP\", L4Protocol_s)\r\n| project-rename NSGFL_Version = FASchemaVersion_s\r\n| project TimeGenerated, FlowDirection, AllowedOrDenied, SourceIP, DestinationIP, DestPort_d, Protocol, L7Protocol_s, NSGList_s, NSGRule_s, NSGFL_Version\r\n| limit 100\r\n//| where SourceIP contains \"XXX.XXX.XXX.XXX\" and DestPort_d == XXXXX","tags":{"Topic":["Diagnostics","Audit","Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources","network"],"resourceTypes":["microsoft.network/networksecuritygroups"]}},{"id":"a6428843-f7fb-11ea-8ea5-c8348e03e0b8","displayName":"Show logs from AADDomainServicesAccountLogon table","description":"Lists the latest logs in AADDomainServicesAccountLogon table, sorted by time (latest first).","body":"AADDomainServicesAccountLogon\n| top 10 by TimeGenerated","tags":{"Topic":["Preview Data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.aad/domainservices"]}},{"id":"a6428844-f7fb-11ea-bdfb-c8348e03e0b8","displayName":"Show logs from AADDomainServicesAccountManagement table","description":"Lists the latest logs in AADDomainServicesAccountManagement table, sorted by time (latest 
first).","body":"AADDomainServicesAccountManagement\n| top 10 by TimeGenerated","tags":{"Topic":["Preview Data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.aad/domainservices"]}},{"id":"a6428845-f7fb-11ea-a22d-c8348e03e0b8","displayName":"Show logs from AADDomainServicesDirectoryServiceAccess table","description":"Lists the latest logs in AADDomainServicesDirectoryServiceAccess table, sorted by time (latest first).","body":"AADDomainServicesDirectoryServiceAccess\n| top 10 by TimeGenerated","tags":{"Topic":["Preview Data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.aad/domainservices"]}},{"id":"a6428846-f7fb-11ea-bfa0-c8348e03e0b8","displayName":"Show logs from AADDomainServicesLogonLogoff table","description":"Lists the latest logs in AADDomainServicesLogonLogoff table, sorted by time (latest first).","body":"AADDomainServicesLogonLogoff\n| top 10 by TimeGenerated","tags":{"Topic":["Preview Data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.aad/domainservices"]}},{"id":"a6428847-f7fb-11ea-a877-c8348e03e0b8","displayName":"Show logs from AADDomainServicesPolicyChange table","description":"Lists the latest logs in AADDomainServicesPolicyChange table, sorted by time (latest first).","body":"AADDomainServicesPolicyChange\n| top 10 by TimeGenerated","tags":{"Topic":["Preview Data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.aad/domainservices"]}},{"id":"a6428848-f7fb-11ea-aade-c8348e03e0b8","displayName":"Show logs from AADDomainServicesPrivilegeUse table","description":"Lists the latest logs in AADDomainServicesPrivilegeUse table, sorted by time (latest 
first).","body":"AADDomainServicesPrivilegeUse\n| top 10 by TimeGenerated","tags":{"Topic":["Preview Data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.aad/domainservices"]}},{"id":"a6428849-f7fb-11ea-a623-c8348e03e0b8","displayName":"Show logs from AADDomainServicesSystemSecurity table","description":"Lists the latest logs in AADDomainServicesSystemSecurity table, sorted by time (latest first).","body":"AADDomainServicesSystemSecurity\n| top 10 by TimeGenerated","tags":{"Topic":["Preview Data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.aad/domainservices"]}},{"id":"a642884a-f7fb-11ea-9ffc-c8348e03e0b8","displayName":"Show logs from AzureActivity table","description":"Lists the latest logs in AzureActivity table, sorted by time (latest first).","body":"AzureActivity\n| top 10 by TimeGenerated","tags":{"Topic":["Preview Data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.aad/domainservices"]}},{"id":"a642884b-f7fb-11ea-8961-c8348e03e0b8","displayName":"Show logs from AzureMetrics table","description":"Lists the latest logs in AzureMetrics table, sorted by time (latest first).","body":"AzureMetrics\n| top 10 by TimeGenerated","tags":{"Topic":["Preview Data"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.aad/domainservices"]}},{"id":"bb5ff65d-0c7f-11eb-be85-c8348e03e0b8","displayName":"DigitalTwin API Latency","description":"Time to complete DigitalTwin operations by type over time.","body":"let grain = 5m;\nADTDigitalTwinsOperation\n| summarize avg(toint(DurationMs)) by OperationName, bin(TimeGenerated, grain)\n| render 
timechart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"]}},{"id":"bb60447f-0c7f-11eb-9344-c8348e03e0b8","displayName":"Model API Latency","description":"Time to complete Model operations by type over time.","body":"let grain = 5m;\nADTModelsOperation\n| summarize avg(toint(DurationMs)) by OperationName, bin(TimeGenerated, grain)\n| render timechart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"]}},{"id":"bb604480-0c7f-11eb-828b-c8348e03e0b8","displayName":"Query API Latency","description":"Time to complete Query operations by type over time.","body":"let grain = 5m;\nADTQueryOperation\n| summarize avg(toint(DurationMs)) by OperationName, bin(TimeGenerated, grain)\n| render timechart","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"]}},{"id":"bb604481-0c7f-11eb-a61d-c8348e03e0b8","displayName":"DigitalTwin Error Summary","description":"List of all DigitalTwin call errors.","body":"ADTDigitalTwinsOperation\n| where ResultType != 'Success'","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"]}},{"id":"bb604482-0c7f-11eb-9834-c8348e03e0b8","displayName":"Model Error Summary","description":"List of all Model call errors.","body":"ADTModelsOperation\n| where ResultType != 
'Success'","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"]}},{"id":"bb604483-0c7f-11eb-b808-c8348e03e0b8","displayName":"Query Error Summary","description":"List of all Query call errors.","body":"ADTQueryOperation\n| where ResultType != 'Success'","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"]}},{"id":"bb604484-0c7f-11eb-bef2-c8348e03e0b8","displayName":"DigitalTwin API Usage","description":"Count of DigitalTwin APIs by type (read, write and delete).","body":"ADTDigitalTwinsOperation\n| summarize count() by OperationName\n| render piechart","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"]}},{"id":"bb604485-0c7f-11eb-b2cf-c8348e03e0b8","displayName":"Model API Usage","description":"Count of Model APIs by type (read, write and delete).","body":"ADTModelsOperation\n| summarize count() by OperationName\n| render piechart","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"]}},{"id":"bb604486-0c7f-11eb-ab5c-c8348e03e0b8","displayName":"EventRoutes API Usage","description":"Count of EventRoute APIs by type (read, write and delete).","body":"ADTEventRoutesOperation\n| summarize count() by OperationName\n| render 
piechart","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"]}},{"id":"bb604487-0c7f-11eb-b9f5-c8348e03e0b8","displayName":"Display top 50 Activity log events","description":"Display top 50 Activity log events.","body":"AzureActivity\n| project TimeGenerated, SubscriptionId, ResourceGroup,ResourceProviderValue,OperationNameValue,CategoryValue,CorrelationId,ActivityStatusValue, ActivitySubstatusValue, Properties_d, Caller\n| top 50 by TimeGenerated","tags":{"Topic":["Activity log"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"solutions":["LogManagement"]}},{"id":"bb604488-0c7f-11eb-8dbc-c8348e03e0b8","displayName":"Display Activity log Administrative events","description":"Displays Activity log for Administrative category.","body":"AzureActivity \n| where CategoryValue == \"Administrative\"\n| order by TimeGenerated desc","tags":{"Topic":["Activity log"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"solutions":["LogManagement"]}},{"id":"bb604489-0c7f-11eb-9f1a-c8348e03e0b8","displayName":"VM creation","description":"This query displays results of when a VM is created.","body":"AzureActivity\n| where TimeGenerated >= ago(1d)\n| where OperationNameValue == \"MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE\" and ActivityStatusValue == \"Start\"\n| where Authorization_d.action == \"Microsoft.Compute/virtualMachines/write\"\n| project OperationNameValue, ActivityStatusValue, VM_Name=Properties_d.resource, ResourceGroup, SubscriptionId, Created_By=Caller","tags":{"Topic":["Activity log"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"solutions":["LogManagement"]}},{"id":"bb60448a-0c7f-11eb-8595-c8348e03e0b8","displayName":"Display Activity log events generated from 
Policy","description":"Display top 100 records of all effect action operations performed by Azure Policy.","body":"AzureActivity\n| project TimeGenerated, SubscriptionId, ResourceProviderValue, OperationNameValue, Caller, CategoryValue, CorrelationId, ActivityStatusValue, Properties_d\n| where OperationNameValue has \"audit\"\n| top 100 by TimeGenerated desc","tags":{"Topic":["Activity log"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"solutions":["LogManagement"]}},{"id":"bb60448b-0c7f-11eb-ba0d-c8348e03e0b8","displayName":"List callers and their associated action in last 48 hours","description":"List callers and their associated action in last 48 hours.","body":"AzureActivity\n| where TimeGenerated > ago(2d)\n| project Caller, OperationNameValue, ActivityStatusValue, CategoryValue\n| where Caller has \"@\"","tags":{"Topic":["Activity log"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"solutions":["LogManagement"]}},{"id":"bb60448c-0c7f-11eb-965c-c8348e03e0b8","displayName":"All work items","description":"Retrieves all work items generated in this solution.","body":"ServiceDesk_CL\n| summarize arg_max(TimeGenerated, *) by ServiceDeskId_s \n| sort by TimeGenerated desc ","tags":{"Topic":["Usage","ITSM Connector"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"]}},{"id":"bb60448d-0c7f-11eb-93a5-c8348e03e0b8","displayName":"All work items created today","description":"Retrieves all work items generated in this solution during the last day.","body":"ServiceDesk_CL\n| where CreatedDate_t > bin(now(), 1d) \n| summarize arg_max(TimeGenerated, *) by ServiceDeskId_s \n| sort by TimeGenerated desc ","tags":{"Topic":["Usage","ITSM 
Connector"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"]}},{"id":"bb60448e-0c7f-11eb-8095-c8348e03e0b8","displayName":"All incidents","description":"Retrieves all Incident work items generated in this solution.","body":"ServiceDesk_CL\n| where ServiceDeskWorkItemType_s == \"Incident\" \n| summarize arg_max(TimeGenerated, *) by ServiceDeskId_s \n| sort by TimeGenerated desc ","tags":{"Topic":["Usage","ITSM Connector"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"]}},{"id":"bb60448f-0c7f-11eb-ab22-c8348e03e0b8","displayName":"All incidents created today","description":"Retrieves all Incident work items generated in this solution during the last day.","body":"ServiceDesk_CL\n|where ServiceDeskWorkItemType_s == \"Incident\" and CreatedDate_t > bin(now(), 1d) \n| summarize arg_max(TimeGenerated, *) by ServiceDeskId_s \n| sort by TimeGenerated desc","tags":{"Topic":["Usage","ITSM Connector"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"]}},{"id":"bb604490-0c7f-11eb-a548-c8348e03e0b8","displayName":"All security incidents","description":"Retrieves all Security Incident work items generated in this solution.","body":"ServiceDesk_CL\n| where ServiceDeskWorkItemType_s == \"SecurityIncident\" \n| summarize arg_max(TimeGenerated, *) by ServiceDeskId_s \n| sort by TimeGenerated desc ","tags":{"Topic":["Usage","ITSM Connector"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["management"]}},{"id":"a4288de6-1d24-11eb-9472-c8348e03e0b8","displayName":"Alerts on critical issues workspace","description":"This query will list all the 'Error' level issues in the operation table, these issues are usually related to potential data loss, and needs immediate attention. 
","body":"// To create an alert for this query, click '+ New alert rule'\n// It is recommended to create and alert with frequency of 5 minutes.\n// Read more - https://docs.microsoft.com/en-us/azure/azure-monitor/platform/monitor-workspace\n_LogOperation \n| where Level == \"Error\"","tags":{"Topic":["Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"solutions":["LogManagement"]}},{"id":"a42903d6-1d24-11eb-8648-c8348e03e0b8","displayName":"Alerts on noncritical issues workspace","description":"This query will list all the 'Warning' level issues in the operation table. ","body":"// These noncritical issues are noncritical, but needs attention. \n// To create an alert for this query, click '+ New alert rule'.\n// It is recommended to create and alert with frequency of 24 hours.\n// Read more https://docs.microsoft.com/en-us/azure/azure-monitor/platform/monitor-workspace\n_LogOperation \n| where Level == \"Warning\"","tags":{"Topic":["Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"solutions":["LogManagement"]}},{"id":"a42903d7-1d24-11eb-afed-c8348e03e0b8","displayName":"Alert on workspace ingestion limit reached","description":"This query will show 'Warning' if the workspace is reaching 80% of ingestion limit, And 'Error' if the ingestion limit was reached. ","body":"// In the later case, data collection is stopped and data loss is possible.\n// To create an alert for this query, click '+ New alert rule'.\n// It is recommended to create and alert with frequency of 5 minutes. 
\n// Read more https://docs.microsoft.com/en-us/azure/azure-monitor/platform/monitor-workspace\n_LogOperation \n| where Category == \"Ingestion\" \n| where Operation == \"Ingestion rate\" \n| where Level == \"Warning\" or Level == \"Error\"","tags":{"Topic":["Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"solutions":["LogManagement"]}},{"id":"a42903d8-1d24-11eb-aa16-c8348e03e0b8","displayName":"Alert on daliy ingestion quata reached ","description":"This query will show 'Warning' if the daily workspace quota limit is reached. ","body":"// This might be due to Free tier limit or user defined limit. \n// In the later case, data collection is stopped and data loss is possible.\n// To create an alert for this query, click '+ New alert rule'\n// It is recommended to create and alert with frequency of 5 minutes. \n// Read more https://docs.microsoft.com/en-us/azure/azure-monitor/platform/monitor-workspace\n_LogOperation\n| where Category == \"Ingestion\" \n| where Operation == \"Data Collection\" \n| where Level == \"Warning\"","tags":{"Topic":["Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["audit","monitor"],"solutions":["LogManagement"]}},{"id":"a42903db-1d24-11eb-88c1-c8348e03e0b8","displayName":"Commands and queries top users","description":"Most active users (by command/query count).","body":"let system_databases = dynamic(['KustoMonitoringPersistentDatabase', '$systemdb']); // Internal Kusto system databases\nlet system_users = dynamic(['AAD app id=b753584e-c468-4503-852a-374280ce7a62', 'KustoServiceBuiltInPrincipal']); // Internal Kusto system users (b753584e-c468-4503-852a-374280ce7a62 is Kusto Query Runner)\nlet system_cluster_management_applications = dynamic(['Kusto.WinSvc.CM.Svc', 'Kusto.WinSvc.DM.Svc']); // Internal kusto management applications (Cluster and Data Management)\nlet CommandTable = ADXCommand\n| 
where DatabaseName !in (system_databases) and User !in (system_users) and ApplicationName !in (system_cluster_management_applications)\n| parse _ResourceId with * \"providers/microsoft.kusto/clusters/\" cluster_name;\nlet QueryTable = ADXQuery\n| where DatabaseName !in (system_databases) and User !in (system_users) and ApplicationName !in (system_cluster_management_applications)\n| parse _ResourceId with * \"providers/microsoft.kusto/clusters/\" cluster_name\n| extend CommandType = 'Query';\nlet dataset_commands_queries = CommandTable\n| union (QueryTable);\ndataset_commands_queries\n// | where cluster_name == '' // Uncomment to filter by specific cluster name\n| project User, StartedOn , ApplicationName, CommandType , cluster_name\n| summarize Count=count() by User, ApplicationName, cluster_name\n| top 50 by Count desc","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"a42903d9-1d24-11eb-afcb-c8348e03e0b8","displayName":"Commands and queries failures","description":"Top users who ran failed commands/queries (by count).","body":"let system_databases = dynamic(['KustoMonitoringPersistentDatabase', '$systemdb']); // Internal Kusto system databases\nlet system_users = dynamic(['AAD app id=b753584e-c468-4503-852a-374280ce7a62', 'KustoServiceBuiltInPrincipal']); // Internal Kusto system users (b753584e-c468-4503-852a-374280ce7a62 is Kusto Query Runner)\nlet system_cluster_management_applications = dynamic(['Kusto.WinSvc.CM.Svc', 'Kusto.WinSvc.DM.Svc']); // Internal kusto management applications (Cluster and Data Management)\nlet CommandTable = ADXCommand\n| where DatabaseName !in (system_databases) and User !in (system_users) and ApplicationName !in (system_cluster_management_applications)\n| parse _ResourceId with * \"providers/microsoft.kusto/clusters/\" cluster_name;\nlet QueryTable = ADXQuery\n| where DatabaseName !in 
(system_databases) and User !in (system_users) and ApplicationName !in (system_cluster_management_applications)\n| parse _ResourceId with * \"providers/microsoft.kusto/clusters/\" cluster_name\n| extend CommandType = 'Query';\nlet dataset_commands_queries = CommandTable\n| union (QueryTable);\ndataset_commands_queries\n//| where cluster_name == '' // Uncomment to filter by specific cluster name\n| where State == 'Failed'\n| summarize Count=count() by User, ApplicationName, cluster_name\n| top 10 by Count desc\n| order by Count desc","tags":{"Topic":["Errors","Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"a42903da-1d24-11eb-9b58-c8348e03e0b8","displayName":"Commands and queries failures timechart","description":"Top users who ran failed commands/queries (timechart).","body":"let system_databases = dynamic(['KustoMonitoringPersistentDatabase', '$systemdb']); // Internal Kusto system databases\nlet system_users = dynamic(['AAD app id=b753584e-c468-4503-852a-374280ce7a62', 'KustoServiceBuiltInPrincipal']); // Internal Kusto system users (b753584e-c468-4503-852a-374280ce7a62 is Kusto Query Runner)\nlet system_cluster_management_applications = dynamic(['Kusto.WinSvc.CM.Svc', 'Kusto.WinSvc.DM.Svc']); // Internal kusto management applications (Cluster and Data Management)\nlet CommandTable = ADXCommand\n| where DatabaseName !in (system_databases) and User !in (system_users) and ApplicationName !in (system_cluster_management_applications)\n| parse _ResourceId with * \"providers/microsoft.kusto/clusters/\" cluster_name;\nlet QueryTable = ADXQuery\n| where DatabaseName !in (system_databases) and User !in (system_users) and ApplicationName !in (system_cluster_management_applications)\n| parse _ResourceId with * \"providers/microsoft.kusto/clusters/\" cluster_name\n| extend CommandType = 'Query';\nlet dataset_commands_queries = CommandTable\n| 
union (QueryTable);\ndataset_commands_queries\n//| where cluster_name == '' // Uncomment to filter by specific cluster name\n| where State == 'Failed'\n| summarize count() by bin(TimeGenerated, 1h), User\n| render timechart ","tags":{"Topic":["Errors","Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"a42903df-1d24-11eb-99e3-c8348e03e0b8","displayName":"Succeeded ingestions","description":"How many succeeded ingestions accrued (per database, table).","body":"SucceededIngestion\n| parse _ResourceId with * \"providers/microsoft.kusto/clusters/\" cluster_name // Get the cluster name from the ResourceId string\n| summarize count() by bin(TimeGenerated, 1h), cluster_name, Database, Table","tags":{"Topic":["Ingestion"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"a42903e0-1d24-11eb-9739-c8348e03e0b8","displayName":"Succeeded ingestions timechart","description":"How many succeeded ingestions accrued (timechart).","body":"SucceededIngestion \n| summarize count() by bin(TimeGenerated, 1h) \n| render timechart ","tags":{"Topic":["Ingestion"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"a42903de-1d24-11eb-ae49-c8348e03e0b8","displayName":"Failed ingestions by errors","description":"How many ingestion failures accrued (by ErrorCode).","body":"FailedIngestion \n| summarize count() by ErrorCode","tags":{"Topic":["Ingestion"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"a42903dd-1d24-11eb-9fdf-c8348e03e0b8","displayName":"Failed ingestions timechart","description":"How many 
ingestion failures accrued (timechart).","body":"FailedIngestion \n| summarize count() by bin(TimeGenerated, 5m) \n| render timechart ","tags":{"Topic":["Ingestion"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"a42903dc-1d24-11eb-a6ff-c8348e03e0b8","displayName":"Failed Ingestions","description":"How many ingestion failures accrued (by cluster, database, table, ErrorCode, status).","body":"FailedIngestion \n| parse _ResourceId with * \"providers/microsoft.kusto/clusters/\" cluster_name // Get the cluster name from the ResourceId string\n| summarize count() by bin(TimeGenerated, 1h), cluster_name, Database, Table, ErrorCode, FailureStatus","tags":{"Topic":["Ingestion"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"a42903e3-1d24-11eb-a60d-c8348e03e0b8","displayName":"Ingestion batching size","description":"Track ingestion batch size timechart","body":"ADXIngestionBatching\n| where TimeGenerated > ago(1d)\n| summarize sum(BatchSizeBytes) by Database, Table, bin(TimeGenerated, 10m)\n| render timechart","tags":{"Topic":["Ingestion"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"a42903e2-1d24-11eb-a6da-c8348e03e0b8","displayName":"Ingestion batching summary","description":"Ingestion batching summary (by database, table and type).","body":"ADXIngestionBatching\n| where TimeGenerated > ago(1d)\n| summarize count() by Database, Table, BatchingType, bin(TimeGenerated, 
10m)\n","tags":{"Topic":["Ingestion"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"a42903e4-1d24-11eb-83c0-c8348e03e0b8","displayName":"Ingestion batching duration timechart","description":"Track ingestion batching duration timechart.","body":"ADXIngestionBatching\n| where TimeGenerated > ago(1d)\n| summarize sum(BatchTimeSeconds) by Database, Table, bin(TimeGenerated, 10m)\n| render timechart","tags":{"Topic":["Ingestion"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"a42903e5-1d24-11eb-bf99-c8348e03e0b8","displayName":"Table usage by number of queries","description":"Top 10 used tables by number of queries.","body":"ADXTableUsageStatistics\n//| parse _ResourceId with * \"providers/microsoft.kusto/clusters/\" cluster_name // Uncomment to get the cluster name from the ResourceId string\n//| where cluster_name == ''\n//| where DatabaseName == ''\n| summarize Count=count() by TableName, DatabaseName\n| top 10 by Count desc\n| order by Count desc","tags":{"Topic":["Tables"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"a42903e6-1d24-11eb-9ef5-c8348e03e0b8","displayName":"Table usage by application","description":"Top 10 used tables (highest number of queries) by application.","body":"ADXTableUsageStatistics \n//| parse _ResourceId with * \"providers/microsoft.kusto/clusters/\" cluster_name // Uncomment to get the cluster name from the ResourceId string\n//| where cluster_name == ''\n//| where DatabaseName == ''\n| summarize Count=count() by TableName, DatabaseName, ApplicationName\n| top 10 by Count desc\n| order by Count 
desc","tags":{"Topic":["Tables"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"a42903e7-1d24-11eb-944e-c8348e03e0b8","displayName":"Table data scanned - top time windows","description":"Top 10 data scanned lookback time windows.","body":"ADXTableUsageStatistics \n//| parse _ResourceId with * \"\"providers/microsoft.kusto/clusters/\"\" cluster_name // Uncomment to get the cluster name from the ResourceId string\n//| where cluster_name == ''\n//| where DatabaseName == ''\n//| where TableName == ''\n| extend TotalTime = (MaxCreatedOn - MinCreatedOn)\n| top 10 by TotalTime desc\n| order by TotalTime desc\n| project TimeGenerated, TotalTime, TableName, DatabaseName, MinCreatedOn, MaxCreatedOn, ApplicationName","tags":{"Topic":["Tables"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"a42903e8-1d24-11eb-bc91-c8348e03e0b8","displayName":"Table data scanned - top tables","description":"Top 10 data scanned lookback time windows by table.","body":"ADXTableUsageStatistics \n//| parse _ResourceId with * \"\"providers/microsoft.kusto/clusters/\"\" cluster_name // Uncomment to get the cluster name from the ResourceId string\n//| where cluster_name == ''\n//| where DatabaseName == ''\n//| where TableName == ''\n| extend TotalTime = (MaxCreatedOn - MinCreatedOn)\n| summarize arg_max(TotalTime, *) by TableName\n| order by TotalTime desc\n| project TimeGenerated, TotalTime, TableName, DatabaseName, MinCreatedOn, MaxCreatedOn, ApplicationName","tags":{"Topic":["Tables"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"a42903e1-1d24-11eb-ab6e-c8348e03e0b8","displayName":"Cluster availability 
(KeepAlive)","description":"Display the cluster's availability during the last hour.","body":"// To create an alert for this query, click '+ New alert rule'\nAzureMetrics \n| where ResourceProvider == \"MICROSOFT.KUSTO\"\n| where TimeGenerated > ago(1d)\n| where MetricName == \"KeepAlive\"\n| parse _ResourceId with * \"providers/microsoft.kusto/clusters/\" cluster_name // Get the cluster name from the ResourceId string\n| summarize heartbeat_count = count() by bin(TimeGenerated, 30m), cluster_name // bin is used to set the time grain to 30 minutes\n| extend alive=iff(heartbeat_count > 0, true, false)\n| sort by TimeGenerated asc // sort the results by time (ascending order)","tags":{"Topic":["Availability","Alerts"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["resources"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"b839c4b8-2e6c-11eb-978b-c8348e03e0b8","displayName":"All Office Activity","description":"All the events provided by Office Activity.","body":"OfficeActivity\n| project TimeGenerated, UserId, Operation, OfficeWorkload, RecordType, _ResourceId\n| sort by TimeGenerated desc nulls last","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4b9-2e6c-11eb-b951-c8348e03e0b8","displayName":"Users accessing files","description":"Users sorted by number of OneDrive and SharePoint files they accessed.","body":"OfficeActivity\n| where OfficeWorkload in (\"OneDrive\", \"SharePoint\") and Operation in (\"FileDownloaded\", \"FileAccessed\")\n| summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId\n| sort by AccessedFilesCount desc nulls 
last","tags":{"Topic":["Usage","Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4ba-2e6c-11eb-aac2-c8348e03e0b8","displayName":"File upload operation","description":"Lists users sorted by the number of distinct files they uploaded to OneDrive and SharePoint.","body":"OfficeActivity\n| where OfficeWorkload in (\"OneDrive\", \"SharePoint\") and Operation in (\"FileUploaded\")\n| summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId\n| sort by AccessedFilesCount desc nulls last","tags":{"Topic":["Usage","Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4bb-2e6c-11eb-85b9-c8348e03e0b8","displayName":"Office activity for user","description":"Presents a specific user's Office activity (replace the UPN placeholder in the query).","body":"// Replace the UPN in the query with the UPN of the user of interest\nlet v_Users_UPN= \"osotnoc@contoso.com\";\nOfficeActivity\n| where UserId==v_Users_UPN\n| project TimeGenerated, OfficeWorkload, Operation, ResultStatus, OfficeObjectId, _ResourceId","tags":{"Topic":["Activity logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4bc-2e6c-11eb-9bb0-c8348e03e0b8","displayName":"Creation of Forward rule","description":"Lists creation and modification of Exchange transport rules (New-TransportRule / Set-TransportRule), which are one way mail can be forwarded or redirected. Caveats: the query does not filter on forwarding-specific parameters, so every transport rule creation or change is listed and the Parameters of each result must be reviewed; for New-TransportRule the rule name is taken positionally from Parameters[1], so verify that this index is the Name parameter in your tenant's records.","body":"OfficeActivity\n| where OfficeWorkload == \"Exchange\"\n| where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\n| extend RuleName = case(Operation =~ \"Set-TransportRule\", tostring(OfficeObjectId), Operation =~ \"New-TransportRule\", tostring(parse_json(Parameters)[1].Value), \"Unknown\")\n| project TimeGenerated, ClientIP, UserId, Operation, RuleName, 
_ResourceId","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4bd-2e6c-11eb-92a1-c8348e03e0b8","displayName":"Suspicious file name","description":"SharePoint file operations where the object name contains '.exe.' followed by a short trailing extension (for example file.exe.txt), a pattern that may indicate an executable disguised with a second extension.","body":"OfficeActivity\n| where RecordType =~ \"SharePointFileOperation\" and isnotempty(SourceFileName)\n| where OfficeObjectId has \".exe.\" and OfficeObjectId matches regex @\"\\.exe\\.\\w{0,4}$\"","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4be-2e6c-11eb-bfbd-c8348e03e0b8","displayName":"All Azure Activity","description":"The query presents all AzureActivity events.","body":"AzureActivity\n| project TimeGenerated, Caller, OperationName, ActivityStatus, _ResourceId","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4bf-2e6c-11eb-9169-c8348e03e0b8","displayName":"Azure Activity for user","description":"Shows a specific user's Azure Activity events (replace the UPN placeholder in the query).","body":"// Replace the UPN in the query with the UPN of the user of interest\nlet v_Users_UPN= \"osotnoc@contoso.com\";\nAzureActivity\n| where Caller == v_Users_UPN\n| project TimeGenerated, Caller, OperationName, ActivityStatus","tags":{"Topic":["Activity logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4c0-2e6c-11eb-83ef-c8348e03e0b8","displayName":"Successful key enumeration","description":"Lists callers who successfully listed storage account keys (operation 'List Storage Account Keys' with status Succeeded), together with the caller IP address.","body":"AzureActivity\n| where OperationName == \"List Storage Account Keys\"\n| where 
ActivityStatus == \"Succeeded\"\n| project TimeGenerated, Caller, CallerIpAddress, OperationName","tags":{"Topic":["Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4c1-2e6c-11eb-a5d6-c8348e03e0b8","displayName":"Network Access JIT initiation","description":"Lists started requests to initiate a JIT network access policy (operation 'Initiate JIT Network Access Policy').","body":"AzureActivity\n| where OperationName == \"Initiate JIT Network Access Policy\"\n| where ActivityStatus == \"Started\"","tags":{"Topic":["Security","Access"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4c2-2e6c-11eb-98df-c8348e03e0b8","displayName":"Azure Activity operation statistics","description":"Counts Azure Activity events by operation name and resource.","body":"AzureActivity\n| summarize Count=count() by OperationName, _ResourceId\n| sort by Count desc nulls last","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4c3-2e6c-11eb-b9b3-c8348e03e0b8","displayName":"All SigninLogs events","description":"All sign-in events from the SigninLogs table.","body":"SigninLogs\n| project UserDisplayName, Identity,UserPrincipalName, AppDisplayName, AppId, ResourceDisplayName","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4c4-2e6c-11eb-b7e8-c8348e03e0b8","displayName":"Resources accessed by user","description":"Lists the resources and applications a specific user signed in to, with a sign-in count per resource and application (replace the UPN placeholder in the query).","body":"// Set v_Users_UPN with the UPN of the user of interest\nlet v_Users_UPN = \"osotnoc@contoso.com\";\nSigninLogs\n| where UserPrincipalName == v_Users_UPN\n| summarize Count=count() by ResourceDisplayName, 
AppDisplayName","tags":{"Topic":["Activity logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4c5-2e6c-11eb-b8dd-c8348e03e0b8","displayName":"User count per Resource","description":"Distinct count of users by resource.","body":"SigninLogs\n| project UserDisplayName, Identity,UserPrincipalName, AppDisplayName, AppId, ResourceDisplayName\n| summarize UserCount=dcount(UserPrincipalName) by ResourceDisplayName","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4c6-2e6c-11eb-abf4-c8348e03e0b8","displayName":"User count per Application","description":"Distinct count of users by application.","body":"SigninLogs\n| project UserDisplayName, Identity,UserPrincipalName, AppDisplayName, AppId, ResourceDisplayName\n| summarize UserCount=dcount(UserPrincipalName) by AppDisplayName","tags":{"Topic":["Security","Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4c7-2e6c-11eb-b0d8-c8348e03e0b8","displayName":"Failed Signin reasons","description":"Lists the main reasons for sign-in failures (ResultType != 0), with a count per result description and result type.","body":"SigninLogs\n| where ResultType != 0\n| summarize Count=count() by ResultDescription, ResultType\n| sort by Count desc nulls last","tags":{"Topic":["Access","Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4c8-2e6c-11eb-8554-c8348e03e0b8","displayName":"Failed MFA challenge","description":"Highlights sign-in failures caused by a failed MFA challenge (ResultType 50074), with failure and failed-resource counts per user.","body":"SigninLogs\n| where ResultType == 50074\n| project UserDisplayName, Identity,UserPrincipalName, ResultDescription, 
AppDisplayName, AppId, ResourceDisplayName\n| summarize FailureCount=count(), FailedResources=dcount(ResourceDisplayName), ResultDescription=any(ResultDescription) by UserDisplayName","tags":{"Topic":["Access","Security"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4c9-2e6c-11eb-b557-c8348e03e0b8","displayName":"Failed App tried silent signin","description":"Failed silent application sign-in attempts (ResultType 50058), with failure and failed-resource counts per user.","body":"SigninLogs\n| where ResultType == 50058\n| project UserDisplayName, Identity,UserPrincipalName, ResultDescription, AppDisplayName, AppId, ResourceDisplayName\n| summarize FailureCount=count(), FailedResources=dcount(ResourceDisplayName), ResultDescription=any(ResultDescription) by UserDisplayName","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4ca-2e6c-11eb-bdea-c8348e03e0b8","displayName":"Failed login Count","description":"Resources with the most failed sign-in attempts.","body":"SigninLogs\n| where ResultType !=0\n| summarize FailedLoginCount=count() by ResourceDisplayName\n| sort by FailedLoginCount desc nulls last","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4cb-2e6c-11eb-a8f4-c8348e03e0b8","displayName":"Signin Locations","description":"Failed and successful sign-ins by source location.","body":"SigninLogs\n| summarize Successful=countif(ResultType==0), Failed=countif(ResultType!=0) by Location","tags":{"Topic":["Access","Geolocation"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4cc-2e6c-11eb-9fee-c8348e03e0b8","displayName":"Logins To 
Resource","description":"Lists sign-ins to the Windows Azure Service Management API resource (the Azure management API), with a Success/Fail outcome derived from ResultType.","body":"SigninLogs\n| where ResourceDisplayName == \"Windows Azure Service Management API\"\n| project TimeGenerated, UserDisplayName, Identity,UserPrincipalName, AppDisplayName, Success=iff(ResultType==0, \"Success\", \"Fail\")","tags":{"Topic":["Access","API"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4cd-2e6c-11eb-9089-c8348e03e0b8","displayName":"All AWS CloudTrail events","description":"Lists all AWS CloudTrail events.","body":"AWSCloudTrail\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements, SessionIssuerUserName","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4ce-2e6c-11eb-9426-c8348e03e0b8","displayName":"AWSCT for user","description":"AWS CloudTrail activity for a user, matched by session issuer user name or by principal ID (replace both placeholders in the query).","body":"// Set v_sessionissuerusername and v_userpid with the details of the user of interest\nlet v_sessionissuerusername =\"abc\";let v_userpid =\"AIDxXxXxXxXxXxX\";\nAWSCloudTrail\n| where SessionIssuerUserName == v_sessionissuerusername or UserIdentityPrincipalid ==v_userpid\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements, SessionIssuerUserName","tags":{"Topic":["Activity logs"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4cf-2e6c-11eb-bfed-c8348e03e0b8","displayName":"AWS routing configuration 
events","description":"Lists AWS network routing configuration events (network ACL entry, route, route table, internet gateway and NAT gateway creation), with the first and last time each identity/event combination was seen.","body":"let EventNameList = dynamic([\"CreateNetworkAclEntry\",\"CreateRoute\",\"CreateRouteTable\",\"CreateInternetGateway\",\"CreateNatGateway\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SessionIssuerUserName, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements, SessionIssuerArn","tags":{"Topic":["Network"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4d0-2e6c-11eb-89cf-c8348e03e0b8","displayName":"AWS console sign in","description":"Lists AWS console sign-in events (ConsoleLogin), counted by account, user, whether MFA was used and the login result.","body":"AWSCloudTrail\n| where EventName =~ \"ConsoleLogin\"\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\n| summarize Count=count() by UserIdentityAccountId, UserIdentityUserName, MFAUsed, LoginResult","tags":{"Topic":["Access","MFA"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4d1-2e6c-11eb-a467-c8348e03e0b8","displayName":"Group Policy Events","description":"Lists AWS IAM policy change events: attaching, detaching, putting and deleting group, role and user policies, plus managed policy creation, deletion and versioning. Coverage caveat: the event list does not include DetachUserPolicy or PutRolePolicy, so add them if those changes must be visible.","body":"let PolicyChangeEvents = dynamic([\"AttachGroupPolicy\", \"AttachRolePolicy\", \"AttachUserPolicy\", \"CreatePolicy\", \"DeleteGroupPolicy\", \"DeletePolicy\", \"DeleteRolePolicy\", \"DeleteUserPolicy\", \"DetachGroupPolicy\", \"PutUserPolicy\", \"PutGroupPolicy\", \"CreatePolicyVersion\", \"DeletePolicyVersion\", \"DetachRolePolicy\", \"CreatePolicy\"]);\nAWSCloudTrail\n| where EventName in~ (PolicyChangeEvents)\n| project TimeGenerated, EventName, 
EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements","tags":{"Topic":["Diagnostics","Configuration"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4d2-2e6c-11eb-b717-c8348e03e0b8","displayName":"Device events volume statistics","description":"Top device vendors, products and versions by CommonSecurityLog event count (top 15 vendors, top 5 products per vendor, top 5 versions per product).","body":"CommonSecurityLog\n| top-nested 15 of DeviceVendor by Vendor=count(),\n top-nested 5 of DeviceProduct by Product=count(),\n top-nested 5 of DeviceVersion by Version=count()","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"b839c4d3-2e6c-11eb-9b72-c8348e03e0b8","displayName":"Activity From IP","description":"Lists CommonSecurityLog events where a given IP address is the source or the destination (replace the IP placeholder in the query).","body":"let IP=\"1.2.3.255\";\nCommonSecurityLog\n| where SourceIP == IP or DestinationIP==IP","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"35aa1317-608e-11eb-9456-b831b58816f3","displayName":"Show event source connection errors","description":"Retrieves the most recent 100 logs pertaining to event source connection failures and summarizes them to display the time when the log was generated (TimeGenerated), a high level description (ResultDescription), a message containing details on what went wrong and how to fix it (Message), and your event source's current configuration (EventSourceProperties).","body":"//Retrieves the most recent 100 logs pertaining to event source connection failures and summarizes them to display the time when the log was generated (TimeGenerated), a high level description 
(ResultDescription), a message continaing details on what went wrong and how to fix it (Message), and your event source's current configuration (EventSourceProperties). \nTSIIngress\n| where OperationName == 'Microsoft.TimeSeriesInsights/environments/eventsources/ingress/connect'\n| project TimeGenerated, ResultDescription, Message, tostring(EventSourceProperties)\n| top 100 by TimeGenerated desc","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"resourceTypes":["microsoft.timeseriesinsights/environments"]}},{"id":"35aa1318-608e-11eb-a734-b831b58816f3","displayName":"10 latest Ingress logs","description":"Shows the most recent ten error logs in the Ingress category. This is helpful when getting familiar with the TSIIngress schema.","body":"//Retrieves the most recent ten error logs in the Ingress category. This is helpful when getting familiar with the TSIIngress schema.\nTSIIngress\n| top 10 by TimeGenerated","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"resourceTypes":["microsoft.timeseriesinsights/environments"]}},{"id":"35aa1319-608e-11eb-8fa0-b831b58816f3","displayName":"Show deserialization errors","description":"Retrieves the most recent 100 error logs from failures to deserialize telemetry message(s) and summarizes them to display the time when the log was generated (TimeGenerated), a high level description (ResultDescription), and a message with the deserialization error (Message).","body":"//Retrieves the most recent 100 error logs from failures to deserialize telemetry message(s) and summarizes them to display the time when the log was generated (TimeGenerated), a high level description (ResultDescription), and a message with the deserialization error (Message).\nTSIIngress\n| where OperationName == 'Microsoft.TimeSeriesInsights/environments/eventsources/ingress/deserialize'\n| project TimeGenerated, 
ResultDescription, Message, tostring(EventSourceProperties)\n| top 100 by TimeGenerated desc","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"resourceTypes":["microsoft.timeseriesinsights/environments"]}},{"id":"3fe8395a-8be3-46ac-9e04-f134ad813588","displayName":"Get failed jobs","description":"Get top 100 failed jobs.","body":"AmlComputeJobEvent\n| where EventType == \"JobFailed\"\n| project TimeGenerated, ClusterId, EventType, ExecutionState, ToolType, JobErrorMessage, ErrorDetails\n| limit 100","tags":{"Topic":["Errors"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"bb1d1cd0-b41e-428a-956b-15090b9e836e","displayName":"Get records for a job","description":"Get top 100 records for a specific job name.","body":"AmlComputeJobEvent\n| where JobName == \"automl_a9940991-dedb-4262-9763-2fd08b79d8fb_setup\"\n| project TimeGenerated, ClusterId, EventType, ExecutionState, ToolType\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"f8741bb2-5e77-4b74-b2e0-726b1853a495","displayName":"Get cluster events for clusters for specific VM size","description":"Get top 100 cluster events for clusters where the VM size is Standard_D1_V2.","body":"AmlComputeClusterEvent\n| where VmSize == \"STANDARD_D1_V2\"\n| project ClusterName, InitialNodeCount, MaximumNodeCount, QuotaAllocated, QuotaUtilized\n| limit 100","tags":{"Topic":["Diagnostics"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"8d0b6135-2074-4e4f-8ad1-dd4c589562f8","displayName":"Get number of running nodes","description":"Get number of running nodes across workspaces 
and clusters.","body":"AmlComputeClusterEvent\n| summarize avgRunningNodes=avg(TargetNodeCount), maxRunningNodes=max(TargetNodeCount) by Workspace=tostring(split(_ResourceId, \"/\")[8]), ClusterName, ClusterType, VmSize, VmPriority\n| limit 100","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"8ba385dd-d37a-4240-b8d6-a39d4fbea568","displayName":"Graph of Running and Idle Node instances","description":"Graph of Running and Idle Node instances.","body":"AmlComputeClusterEvent\n| project TimeGenerated, WorkspaceName=split(_ResourceId, \"/\")[-1], ClusterName, ClusterType, VmSize, VmPriority, \n InitialNodeCount , IdleNodeCount, RunningNodeCount, PreparingNodeCount, MinimumNodeCount, MaximumNodeCount , CurrentNodeCount, TargetNodeCount \n|summarize round(sum(RunningNodeCount),1), round(sum(IdleNodeCount),1) by Hourly=bin(TimeGenerated, 60m) \n| render timechart","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"ca209759-fcc0-40b3-afc3-fc0194b022ac","displayName":"Display top 5 longest job runs","description":"Display top 5 longest job runs.","body":"AmlComputeJobEvent\n| where OperationName == \"JobSubmitted\"\n| join kind = inner (AmlComputeJobEvent\n | where OperationName == \"JobSucceeded\"\n | project StopTime=TimeGenerated, JobId)\n on JobId \n|project Duration=(StopTime-TimeGenerated), ExperimentName, WorkspaceName, ClusterName, JobName\n|top 5 by Duration desc nulls last","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"3b3a2331-4f85-43fe-956e-916ffa4af31d","displayName":"Plot compute cluster utilization","description":"Plot recent compute 
cluster CPU utilization over time for specific cluster.","body":"AmlComputeCpuGpuUtilization\n| join kind = inner (AmlComputeJobEvent\n | where NodeId!=\"\" and EventType ==\"JobSucceeded\"\n | project NodeId, ClusterName)\n on NodeId \n| project TimeGenerated, todecimal(Utilization), ClusterName, DeviceType\n| where ClusterName==\"Cpu-cluster\" and DeviceType==\"CPU\"\n| limit 100\n| render timechart ","tags":{"Topic":["Performance"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"7c64371a-7305-4213-8b63-d60407569f86","displayName":"Count datasets reads","description":"Count datasets reads grouped by users and datasets.","body":"AmlDataSetEvent\n| where split(OperationName, \"/\")[-1]==\"READ\" and AmlDatasetId !=\"\"\n| extend Identity=(parse_json(Identity))\n| project AmlDatasetId, UserName=Identity.UserName\n| summarize Count=count() by AmlDatasetId, UserName=tostring(UserName)","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"93b4628f-0bc4-40dc-84f9-927ecee32ff4","displayName":"Found users who accessed models","description":"Found top 100 users who accessed models.","body":"AmlModelsEvent\n| where AmlModelName !=\"\"\n| extend Identity=(parse_json(Identity))\n| where Identity.UserName!=\"\"\n| project AmlModelName, OperationName=split(OperationName, \"/\")[-1], UserName=Identity.UserName\n| limit 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"1e7c9aa6-8c97-4d20-b5ba-fca641339521","displayName":"Request the history of accessing environment","description":"Request the history of accessing specific environment in the specific AML 
workspace.","body":"AmlEnvironmentEvent \n| where AmlEnvironmentName ==\"experiment_env\" and split(_ResourceId, \"/\")[-1]==\"amlws\"\n| extend Identity=(parse_json(Identity))\n| where Identity.UserName!=\"\"\n| project TimeGenerated, OperationName=split(OperationName, \"/\")[-1], WorkspaceName=split(_ResourceId, \"/\")[-1], AmlEnvironmentName,AmlEnvironmentVersion, UserName=Identity.UserName\n| limit 100","tags":{"Topic":["Audit"]},"properties":{"ExampleQuery":true,"QueryAttributes":{"IsMultiResource":true}},"related":{"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"d4e5f6a7-b8c9-11eb-a1b2-c8348e03e0b8","displayName":"Ingestion volume by table","description":"An exploration query that helps analyze data ingestion patterns by showing volume (in GB) per table in the workspace.","body":"Usage\n| summarize VolumeGB = round(sum(Quantity)/1.E3, 3) by Table = DataType\n| sort by VolumeGB desc","tags":{"Topic":["Usage"]},"properties":{"ExampleQuery":true},"related":{"categories":["_general"]}}],"functions":[{"id":"b65a317e-7513-4379-b5fc-a467d3daa1d9","name":"_AzureSiteRecovery_GetJobs","body":"let _RangeStart = iff((isnull(RangeStart)), startofday(ago(1d)), startofday(RangeStart));\r\nlet _RangeEnd = iff((isnull(RangeEnd)), now(), RangeEnd + 1d);\r\nlet _VaultSubscriptionList = split(VaultSubscriptionList, ',');\r\nlet _VaultLocationList = split(VaultLocationList, ',');\r\nlet _VaultList = split(VaultList, ',');\r\nlet _VaultTypeList = split(VaultTypeList, ',');\r\nlet _DatasourceTypeList = split(DatasourceTypeList,',');\r\nlet _ReplicatedItemName = ReplicatedItemName;\r\nlet _JobStatusList = split(JobStatusList,',');\r\nlet _JobOperationList = split(JobOperationList,',');\r\nlet AsonDay = _RangeEnd-1d;\r\nlet ASRJobsUnderResourceSpecificHistory = ()\r\n{\r\nASRJobs\r\n// Take records until previous day\r\n| where TimeGenerated >= _RangeStart and TimeGenerated = _RangeStart and TimeGenerated 1d))\r\n};\r\nlet FinalTable_Reporting = 
()\r\n{\r\nFinalTable_ASRJobs | where \"Microsoft.RecoveryServices/vaults\" in~ (_VaultTypeList) or '*' in (_VaultTypeList)\r\n};\r\nFinalTable_Reporting","parameters":"RangeStart:datetime = datetime(null), RangeEnd:datetime = datetime(null), VaultSubscriptionList:string=\"*\", VaultLocationList:string=\"*\", VaultList:string=\"*\", VaultTypeList:string=\"*\", DatasourceTypeList:string=\"*\",ReplicatedItemName:string=\"*\",JobStatusList:string=\"*\",JobOperationList:string=\"*\"","displayName":"_AzureSiteRecovery_GetJobs","description":"Returns a list of all site recovery and failover related jobs that were triggered in a specified time range, along with detailed information about each job, such as job status, job duration etc.","related":{"categories":["management"],"resourceTypes":["microsoft.recoveryservices/vaults"],"solutions":["LogManagement"],"tables":["ASRJobs"]}},{"id":"29112523-50d8-4bb9-931f-47b8b3da558f","name":"_AzureSiteRecovery_GetReplicatedItems","body":"let _RangeStart = iff((isnull(RangeStart)), startofday(ago(1d)), startofday(RangeStart));\r\nlet _RangeEnd = iff((isnull(RangeEnd)), now(), RangeEnd + 1d);\r\nlet _VaultSubscriptionList = split(VaultSubscriptionList, ',');\r\nlet _VaultLocationList = split(VaultLocationList, ',');\r\nlet _VaultList = split(VaultList, ',');\r\nlet _VaultTypeList = split(VaultTypeList, ',');\r\nlet _DatasourceTypeList = split(DatasourceTypeList,',');\r\nlet _ReplicatedItemName = ReplicatedItemName;\r\nlet AsonDay = _RangeEnd - 1d;\r\nlet ASRReplicatedItemsUnderResourceSpecificHistory = ()\r\n{\r\nASRReplicatedItems\r\n// Take records until previous day\r\n| where TimeGenerated >= _RangeStart and TimeGenerated = _RangeStart and TimeGenerated 1d))\r\n};\r\nlet FinalTable_Reporting = () {\r\n FinalTable_ASRReplicatedItems\r\n | where \"Microsoft.RecoveryServices/vaults\" in~ (_VaultTypeList) or '*' in (_VaultTypeList)\r\n};\r\nFinalTable_Reporting","parameters":"RangeStart:datetime = datetime(null), RangeEnd:datetime = 
datetime(null), VaultSubscriptionList:string=\"*\", VaultLocationList:string=\"*\", VaultList:string=\"*\", VaultTypeList:string=\"*\", DatasourceTypeList:string=\"*\",ReplicatedItemName:string=\"*\"","displayName":"_AzureSiteRecovery_GetReplicatedItems","description":"Returns the list of replicated items that are associated with your Recovery Services vaults, along with detailed information about each replicated item, such as replication status, failover readiness etc.","related":{"categories":["management"],"resourceTypes":["microsoft.recoveryservices/vaults"],"solutions":["LogManagement"],"tables":["ASRReplicatedItems"]}},{"id":"bd5b5b75-dad2-40f2-b2f1-a58a0b41106d","name":"_PGSQL_GetPostgresServerLogs","body":"let ParamTimeStart = iff((isnull(TimeStart)), ago(1d), TimeStart);\r\nlet ParamTimeEnd = iff((isnull(TimeEnd)), now(), TimeEnd);\r\nlet ParamResourceId = iff(isnull(ResourceId) or trim(\" \", ResourceId) == \"\", \"\", ResourceId);\r\nlet existsResource=iff( ParamResourceId == \"\" , false, true);\r\nlet existsGenericTableData = toscalar(\r\n AzureDiagnostics\r\n | where TimeGenerated >= ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = 
ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated = ParamTimeStart and TimeGenerated ago(maxTimeToLookback)\r\n| summarize max(TimeGenerated);\r\nDeviceTvmSecureConfigurationAssessmentKB_CL\r\n| where TimeGenerated > ago(maxTimeToLookback)\r\n| where TimeGenerated in (lastestSnapshot)\r\n| distinct ConfigurationId_s, \r\n ConfigurationImpact_d, \r\n ConfigurationName_s, \r\n ConfigurationDescription_s,\r\n RiskDescription_s,\r\n ConfigurationCategory_s,\r\n ConfigurationSubcategory_s,\r\n ConfigurationBenchmarks_s,\r\n Tags_s,\r\n RemediationOptions_s,\r\n RelatedMitreTechniques_s,\r\n RelatedMitreTactics_s\r\n| project ConfigurationId = ConfigurationId_s, \r\n ConfigurationImpact = ConfigurationImpact_d, \r\n ConfigurationName = ConfigurationName_s, \r\n ConfigurationDescription = ConfigurationDescription_s, \r\n RiskDescription = RiskDescription_s, \r\n ConfigurationCategory = ConfigurationCategory_s, \r\n ConfigurationSubcategory = ConfigurationSubcategory_s, \r\n ConfigurationBenchmarks = parse_json(ConfigurationBenchmarks_s), \r\n Tags = parse_json(Tags_s), \r\n RemediationOptions = RemediationOptions_s,\r\n RelatedMitreTechniques = RelatedMitreTactics_s, \r\n RelatedMitreTactics = parse_json(RelatedMitreTactics_s)","description":"Microsoft 365 Defender DeviceTvmSecureConfigurationAssessmentKB equivalent table, built from the latest snapshot of DeviceTvmSecureConfigurationAssessmentKB_CL within the lookback window. Known defect: the final projection assigns RelatedMitreTechniques from RelatedMitreTactics_s instead of RelatedMitreTechniques_s, so the techniques column currently carries tactic data; correct that mapping before building reports or detections on it.","related":{"resourceTypes":["microsoft.securityinsights/tvm"],"solutions":["SecurityInsights"]}},{"id":"7eabe0ef-f8fb-46c4-86cb-9b0fd77057bc","name":"_DeviceTvmSoftwareVulnerabilitiesKB","body":"let lastestSnapshot = DeviceTvmSoftwareVulnerabilitiesKB_CL\r\n| where TimeGenerated > ago(4d)\r\n| summarize max(TimeGenerated);\r\nDeviceTvmSoftwareVulnerabilitiesKB_CL\r\n| where TimeGenerated > ago(4d)\r\n| where TimeGenerated in (lastestSnapshot)\r\n| distinct CveId_s, CvssScore_d, IsExploitAvailable_b, VulnerabilitySeverityLevel_s, LastModifiedTime_t, PublishedDate_t, VulnerabilityDescription_s, AffectedSoftware_s \r\n| project \r\n CveId 
= CveId_s,\r\n CvssScore = CvssScore_d,\r\n IsExploitAvailable = IsExploitAvailable_b,\r\n VulnerabilitySeverityLevel = VulnerabilitySeverityLevel_s,\r\n LastModifiedTime = LastModifiedTime_t,\r\n PublishedDate = PublishedDate_t,\r\n VulnerabilityDescription = VulnerabilityDescription_s,\r\n AffectedSoftware = parse_json(AffectedSoftware_s) \r\n","description":"Microsoft 365 Defender DeviceTvmSoftwareVulnerabilitiesKB equivalent table, built from the latest snapshot of DeviceTvmSoftwareVulnerabilitiesKB_CL within a fixed 4-day lookback; if no snapshot newer than 4 days exists the function returns no rows.","related":{"resourceTypes":["microsoft.securityinsights/tvm"],"solutions":["SecurityInsights"]}},{"id":"f2f715dd-4437-5581-9e3a-9849f31b7b2e","name":"_ASim_AlertEvent","body":"union isfuzzy=true\r\n_ASim_AlertEventBuiltIn(pack= pack),\r\nASim_AlertEventSolutions(pack= pack),\r\nASim_AlertEventCustom(pack= pack)\r\n","parameters":"pack:bool = false","description":"Alert Event ASIM parser: a fuzzy union of the built-in, solution-provided and custom Alert Event parsers.","related":{"resourceTypes":["microsoft.securityinsights/alerteventnormalized"],"solutions":["SecurityInsights"]}},{"id":"20975018-f4a1-55fd-a19e-8ace398c873b","name":"_ASim_AlertEventBuiltIn","body":"let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') \r\n| where SearchKey in ('Any', 'Exclude_ASim_AlertEvent') \r\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') \r\n| where isnotempty(SourceSpecificParser) \r\n| summarize list = make_set(SourceSpecificParser));\r\nlet builtInDisabled = 0 != array_length(set_intersect(toscalar(DisabledParsers),dynamic(['Exclude_ASim_AlertEventBuiltIn', 'Exclude_ASim_AlertEvent', 'Any'])));\r\nunion isfuzzy=true\r\n_ASim_AlertEvent_MicrosoftDefenderXDRV02(disabled= (builtInDisabled or('Exclude_ASim_AlertEvent_MicrosoftDefenderXDR' in (DisabledParsers)))),\r\n_ASim_AlertEvent_SentinelOneSingularityV01(disabled= (builtInDisabled or('Exclude_ASim_AlertEvent_SentinelOneSingularity' in (DisabledParsers)))),\r\n_Im_AlertEvent_EmptyV02\r\n","parameters":"pack:bool = false","description":"Alert Event ASIM built-in union 
parser.","related":{"resourceTypes":["microsoft.securityinsights/alerteventnormalized"],"solutions":["SecurityInsights"]}},{"id":"aaafb27a-fbee-5e52-b2da-c8f2add85b53","name":"_ASim_AlertEvent_MicrosoftDefenderXDRV02","body":"let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)\r\n[\r\n\"User\", \"User\",\r\n\"Machine\", \"Host\",\r\n\"Process\", \"Process\",\r\n\"File\", \"File\",\r\n\"Ip\", \"Ip\",\r\n\"Url\", \"Url\",\r\n\"RegistryValue\", \"Registry\",\r\n\"CloudLogonSession\", \"LogonSession\",\r\n\"CloudApplication\", \"Application\",\r\n\"Mailbox\", \"Mailbox\",\r\n\"MailMessage\", \"Email\",\r\n\"CloudResource\", \"Cloud Resource\"\r\n];\r\nlet IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)\r\n [\r\n \"Related\", \"Associated\",\r\n \"Impacted\", \"Targeted\"\r\n];\r\nlet RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)\r\n [\r\n \"ExpandString\", \"Reg_Expand_Sz\"\r\n];\r\nlet AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string)\r\n [\r\n \"Malicious\", \"True Positive\",\r\n \"Suspicious\", \"True Positive\",\r\n \"NoThreatsFound\", \"Benign Positive\"\r\n];\r\nlet AttackTacticSet = dynamic([\"Exfiltration\", \"PrivilegeEscalation\", \"Persistence\", \"LateralMovement\", \"Execution\", \"Discovery\", \"InitialAccess\", \"CredentialAccess\", \"DefenseEvasion\", \"CommandAndControl\", \"Impact\"]);\r\nlet ThreatCategorySet = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\r\nlet parser = (\r\ndisabled: bool=false) {\r\nAlertEvidence\r\n| where not(disabled)\r\n// Mapping Inspection Fields\r\n| project-rename\r\n AlertName = Title,\r\n DetectionMethod = DetectionSource\r\n| extend \r\n EventUid = AlertId,\r\n 
AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),\r\n AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),\r\n AttackTactics = iff(Categories has_any (AttackTacticSet), replace_regex(Categories, @\"[\\[\\]\\\"\"]\", \"\"), \"\"),\r\n AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState)\r\n| extend\r\n AlertStatus = case(\r\n AlertOriginalStatus == \"Active\", \"Active\",\r\n isempty(AlertOriginalStatus), \"\",\r\n \"Closed\"\r\n )\r\n| lookup AlertVerdictLookup on AlertVerdict_Custom\r\n| lookup IndicatorTypeLookup on EntityType\r\n| lookup IndicatorAssociationLookup on EvidenceRole\r\n// Mapping Threat Fields\r\n| extend\r\n ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace_regex(Categories, @\"[\\[\\]\\\"\"]\", \"\"), \"\")\r\n// Mapping User Entity\r\n| extend \r\n UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)),\r\n UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)),\r\n Username = coalesce(AccountName, tostring(AdditionalFields.Account.UserPrincipalName)),\r\n UserSessionId = tostring(AdditionalFields.SessionId),\r\n UserScopeId = tostring(AdditionalFields.AadTenantId),\r\n HttpUserAgent_s = tostring(AdditionalFields.UserAgent)\r\n| extend\r\n UserIdType = iif(isnotempty(UserId), \"EntraUserID\", iif(isnotempty(UserSid), \"SID\", \"\")),\r\n UserId = coalesce(UserId, UserSid),\r\n UserType = _ASIM_GetUserType(Username, UserSid),\r\n UsernameType = _ASIM_GetUsernameType(Username)\r\n// Mapping Device Entity\r\n| extend \r\n DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)),\r\n DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP),\r\n DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)),\r\n DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)),\r\n DeviceName = 
coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)),\r\n DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, \"/\")[2]), (tostring(split(AdditionalFields.ResourceId, \"/\")[2])))\r\n| extend DvcIdType = iif(isnotempty(DvcId), \"FQDN\", \"\")\r\n| invoke _ASIM_ResolveDvcFQDN(\"DeviceName\")\r\n// Mapping Additional Fields\r\n| extend\r\n GeoCity_s = AdditionalFields.Location.City,\r\n GeoCountry_s = AdditionalFields.Location.CountryCode,\r\n GeoLatitude_s = AdditionalFields.Location.Latitude,\r\n GeoLongitude_s = AdditionalFields.Location.Longitude,\r\n GeoRegion_s = AdditionalFields.Location.State\r\n// Mapping Process Entity\r\n| extend \r\n ProcessId = tostring(AdditionalFields.ProcessId),\r\n ProcessCommandLine,\r\n ProcessName = iif(IndicatorType == \"Process\", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName), \"\"),\r\n ProcessFileCompany = tostring(AdditionalFields.Publisher),\r\n // Parent Process Fields\r\n ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId,\r\n ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine,\r\n ParentProcessName_s = iif(IndicatorType == \"Process\", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, \"\\\\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), \"\"),\r\n ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1,\r\n ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256,\r\n ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5\r\n// Mapping File Entity\r\n| extend \r\n FileName,\r\n FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName),\r\n FileMD5 = 
tostring(AdditionalFields.FileHashes[1].Value),\r\n FileSize\r\n| project-rename\r\n FileDirectory = FolderPath,\r\n FileSHA1 = SHA1,\r\n FileSHA256 = SHA256,\r\n Url = RemoteUrl\r\n// Mapping Registry Entity\r\n| extend \r\n RegistryKey,\r\n RegistryValueData,\r\n ValueType = tostring(AdditionalFields.ValueType)\r\n| lookup RegistryValueTypeLookup on ValueType\r\n// Mapping Application Entity\r\n| extend \r\n AppId_s = ApplicationId,\r\n AppName_s = Application\r\n// Mapping Email Entity\r\n| extend\r\n EmailSubject\r\n// Creating IpAddress list in AdditionalFields\r\n | extend IpAddresses = pack_array(RemoteIP, LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address))\r\n | mv-apply IpAddress = IpAddresses on (where isnotempty(IpAddress) | summarize IpAddresses = make_list(IpAddress))\r\n| extend AdditionalFields = bag_pack(\r\n \"AlertVerdictDate\",\r\n AlertVerdictDate_s,\r\n \"HttpUserAgent\",\r\n HttpUserAgent_s,\r\n \"GeoCity\",\r\n GeoCity_s,\r\n \"GeoCountry\",\r\n GeoCountry_s,\r\n \"GeoLatitude\",\r\n GeoLatitude_s,\r\n \"GeoLongitude\",\r\n GeoLongitude_s,\r\n \"GeoRegion\",\r\n GeoRegion_s,\r\n \"ParentProcessId\",\r\n ParentProcessId_s,\r\n \"ParentProcessCommandLine\",\r\n ParentProcessCommandLine_s,\r\n \"ParentProcessName\",\r\n ParentProcessName_s,\r\n \"ParentProcessSHA256\",\r\n ParentProcessSHA256_s,\r\n \"ParentProcessMD5\",\r\n ParentProcessMD5_s,\r\n \"AppId\",\r\n AppId_s,\r\n \"AppName\",\r\n AppName_s,\r\n \"FileDirectory\",\r\n FileDirectory,\r\n \"IpAddresses\",\r\n IpAddresses\r\n )\r\n| project-rename\r\n RegistryValue = RegistryValueName,\r\n EmailMessageId = NetworkMessageId\r\n// Mapping common event fields\r\n| extend\r\n Type = \"AlertEvidence\",\r\n EventSubType = \"Threat\", // All events in AlertEvidence contains threat info\r\n TimeGenerated = Timestamp,\r\n EventEndTime = Timestamp,\r\n EventStartTime = Timestamp,\r\n EventProduct = ServiceSource,\r\n EventVendor = 'Microsoft',\r\n EventSchema = 'AlertEvent',\r\n 
EventSchemaVersion = '0.1',\r\n EventType = 'Alert',\r\n EventCount = int(1)\r\n// Mapping Alias\r\n| extend \r\n IpAddr = DvcIpAddr,\r\n Hostname = DvcHostname,\r\n User = Username,\r\n AlertId = EventUid\r\n| project\r\n TimeGenerated,\r\n Type,\r\n AlertId,\r\n EventUid,\r\n AlertName,\r\n AttackTactics,\r\n AlertOriginalStatus,\r\n AlertStatus,\r\n DetectionMethod,\r\n AlertVerdict,\r\n IndicatorType,\r\n IndicatorAssociation,\r\n ThreatCategory,\r\n UserId,\r\n Username,\r\n UserSessionId,\r\n UserIdType,\r\n UserType,\r\n UsernameType,\r\n DvcId,\r\n DvcIpAddr,\r\n DvcOs,\r\n DvcOsVersion,\r\n DvcScopeId,\r\n DvcIdType,\r\n DvcHostname,\r\n DvcDomain,\r\n DvcFQDN,\r\n DvcDomainType,\r\n ProcessId,\r\n ProcessCommandLine,\r\n ProcessName,\r\n ProcessFileCompany,\r\n FileName,\r\n FilePath,\r\n FileSHA1,\r\n FileSHA256,\r\n FileMD5,\r\n FileSize,\r\n Url,\r\n RegistryKey,\r\n RegistryValue,\r\n RegistryValueData,\r\n RegistryValueType,\r\n EmailMessageId,\r\n EmailSubject,\r\n AdditionalFields,\r\n EventSubType,\r\n EventEndTime,\r\n EventStartTime,\r\n EventProduct,\r\n EventVendor,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventType,\r\n EventCount,\r\n IpAddr,\r\n Hostname,\r\n User\r\n};\r\nparser(\r\n disabled = disabled\r\n)","parameters":"disabled:bool = false","description":"Alert Event ASIM parser for Microsoft Defender XDR.","related":{"resourceTypes":["microsoft.securityinsights/alerteventnormalized"],"solutions":["SecurityInsights"]}},{"id":"878a4bf8-ab5a-5910-8d27-3c4ce0d268fb","name":"_ASim_AlertEvent_SentinelOneSingularityV01","body":"let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\r\n [\r\n \"Undefined\", \"Unknown\",\r\n \"true_positive\", \"True Positive\",\r\n \"suspicious\", \"True Positive\",\r\n \"false_positive\", \"False Positive\"\r\n];\r\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", 
\"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\r\nlet DetectionMethodLookup = datatable (\r\n threatInfo_engines_s: string,\r\n DetectionMethod: string\r\n)\r\n [\r\n \"Intrusion Detection\", \"Intrusion Detection\",\r\n \"User-Defined Blocklist\", \"User Defined Blocked List\",\r\n \"Reputation\", \"Reputation\"\r\n];\r\nlet parser = (\r\n disabled: bool=false) {\r\n SentinelOne_CL\r\n | where not(disabled)\r\n | where event_name_s in (\"Threats.\")\r\n // Mapping Inspection Fields\r\n | extend \r\n AlertId = threatInfo_threatId_s,\r\n AlertName = threatInfo_threatName_s,\r\n AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\r\n AlertOriginalStatus = threatInfo_incidentStatus_s,\r\n Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\r\n ThreatId = threatInfo_threatId_s,\r\n ThreatName = threatInfo_threatName_s,\r\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\r\n ThreatLastReportedTime = threatInfo_updatedAt_t,\r\n ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\r\n ThreatOriginalCategory = threatInfo_classification_s\r\n | extend\r\n AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\r\n AttackTactics = tostring(extract_all('\"([^T][^0-9\",]+)\"', dynamic([1]), tostring(Names)))\r\n | project-away Names\r\n | lookup DetectionMethodLookup on threatInfo_engines_s\r\n | extend analystVerdict_s = threatInfo_analystVerdict_s\r\n | lookup AlertVerdictLookup on analystVerdict_s\r\n // Mapping Dvc Fields\r\n | extend \r\n DvcHostname = agentRealtimeInfo_agentComputerName_s,\r\n DvcOs = agentRealtimeInfo_agentOsName_s,\r\n DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,\r\n DvcId = agentRealtimeInfo_agentId_s,\r\n DvcIdType = \"Other\",\r\n DvcDomain = agentRealtimeInfo_agentDomain_s,\r\n DvcDomainType = 
\"Windows\",\r\n DvcIpAddr = agentDetectionInfo_agentIpV4_s\r\n // Mapping Process Entity\r\n | extend\r\n ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\r\n ProcessName = threatInfo_originatorProcess_s\r\n // Mapping File Fields\r\n | extend \r\n FileMD5 = threatInfo_md5_g,\r\n FileSHA1 = threatInfo_sha1_s,\r\n FileSHA256 = threatInfo_sha256_s,\r\n FilePath=threatInfo_filePath_s,\r\n FileSize = tolong(threatInfo_fileSize_d)\r\n // Mapping User Fields\r\n | extend \r\n Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\r\n | extend UsernameType = _ASIM_GetUsernameType(Username)\r\n // Event Fields\r\n | extend\r\n EventType = 'Alert',\r\n EventOriginalType = event_name_s,\r\n EventUid = threatInfo_threatId_s,\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventStartTime = TimeGenerated,\r\n EventProduct = 'Singularity',\r\n EventVendor = 'SentinelOne',\r\n EventSchemaVersion = '0.1',\r\n EventSchema = \"AlertEvent\"\r\n | extend EventSubType = \"Threat\"\r\n // Aliases\r\n | extend\r\n IpAddr = DvcIpAddr,\r\n User = Username,\r\n Hostname = DvcHostname\r\n | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\r\n};\r\nparser (\r\n disabled = disabled\r\n)\r\n","parameters":"disabled:bool = false","description":"Alert Event ASIM parser for SentinelOne Singularity platform.","related":{"resourceTypes":["microsoft.securityinsights/alerteventnormalized"],"solutions":["SecurityInsights"]}},{"id":"9dd6654b-6c4e-5f69-9d97-426d62969a41","name":"_Im_AlertEvent","body":"union isfuzzy=true\r\n_Im_AlertEventBuiltIn(starttime= starttime, endtime= endtime, ipaddr_has_any_prefix= ipaddr_has_any_prefix, hostname_has_any= hostname_has_any, username_has_any= username_has_any, attacktactics_has_any= attacktactics_has_any, attacktechniques_has_any= attacktechniques_has_any, threatcategory_has_any= threatcategory_has_any, alertverdict_has_any= alertverdict_has_any, 
eventseverity_has_any= eventseverity_has_any, pack= pack),\r\nIm_AlertEventSolutions(starttime= starttime, endtime= endtime, ipaddr_has_any_prefix= ipaddr_has_any_prefix, hostname_has_any= hostname_has_any, username_has_any= username_has_any, attacktactics_has_any= attacktactics_has_any, attacktechniques_has_any= attacktechniques_has_any, threatcategory_has_any= threatcategory_has_any, alertverdict_has_any= alertverdict_has_any, eventseverity_has_any= eventseverity_has_any, pack= pack),\r\nIm_AlertEventCustom(starttime= starttime, endtime= endtime, ipaddr_has_any_prefix= ipaddr_has_any_prefix, hostname_has_any= hostname_has_any, username_has_any= username_has_any, attacktactics_has_any= attacktactics_has_any, attacktechniques_has_any= attacktechniques_has_any, threatcategory_has_any= threatcategory_has_any, alertverdict_has_any= alertverdict_has_any, eventseverity_has_any= eventseverity_has_any, pack= pack)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), ipaddr_has_any_prefix:dynamic = dynamic([]), hostname_has_any:dynamic = dynamic([]), username_has_any:dynamic = dynamic([]), attacktactics_has_any:dynamic = dynamic([]), attacktechniques_has_any:dynamic = dynamic([]), threatcategory_has_any:dynamic = dynamic([]), alertverdict_has_any:dynamic = dynamic([]), eventseverity_has_any:dynamic = dynamic([]), pack:bool = false","description":"Alert Event ASIM filtering parser.","related":{"resourceTypes":["microsoft.securityinsights/alerteventnormalized"],"solutions":["SecurityInsights"]}},{"id":"615e1a81-ff4f-551a-adce-d0bfaa46ac4e","name":"_Im_AlertEventBuiltIn","body":"let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') \r\n| where SearchKey in ('Any', 'Exclude_Im_AlertEvent') \r\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') \r\n| where isnotempty(SourceSpecificParser) \r\n| summarize list = make_set(SourceSpecificParser));\r\nlet builtInDisabled = 0 != 
array_length(set_intersect(toscalar(DisabledParsers),dynamic(['Exclude_Im_AlertEventBuiltIn', 'Exclude_Im_AlertEvent', 'Any'])));\r\nunion isfuzzy=true\r\n_Im_AlertEvent_EmptyV02,\r\n_Im_AlertEvent_MicrosoftDefenderXDRV02(starttime= starttime, endtime= endtime, ipaddr_has_any_prefix= ipaddr_has_any_prefix, hostname_has_any= hostname_has_any, username_has_any= username_has_any, attacktactics_has_any= attacktactics_has_any, attacktechniques_has_any= attacktechniques_has_any, threatcategory_has_any= threatcategory_has_any, alertverdict_has_any= alertverdict_has_any, eventseverity_has_any= eventseverity_has_any, disabled= (builtInDisabled or('Exclude_Im_AlertEvent_MicrosoftDefenderXDR' in (DisabledParsers)))),\r\n_Im_AlertEvent_SentinelOneSingularityV01(starttime= starttime, endtime= endtime, ipaddr_has_any_prefix= ipaddr_has_any_prefix, hostname_has_any= hostname_has_any, username_has_any= username_has_any, attacktactics_has_any= attacktactics_has_any, attacktechniques_has_any= attacktechniques_has_any, threatcategory_has_any= threatcategory_has_any, alertverdict_has_any= alertverdict_has_any, eventseverity_has_any= eventseverity_has_any, disabled= (builtInDisabled or('Exclude_Im_AlertEvent_SentinelOneSingularity' in (DisabledParsers))))\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), ipaddr_has_any_prefix:dynamic = dynamic([]), hostname_has_any:dynamic = dynamic([]), username_has_any:dynamic = dynamic([]), attacktactics_has_any:dynamic = dynamic([]), attacktechniques_has_any:dynamic = dynamic([]), threatcategory_has_any:dynamic = dynamic([]), alertverdict_has_any:dynamic = dynamic([]), eventseverity_has_any:dynamic = dynamic([]), pack:bool = false","description":"Alert Event ASIM built-in union parser.","related":{"resourceTypes":["microsoft.securityinsights/alerteventnormalized"],"solutions":["SecurityInsights"]}},{"id":"10fc7e1a-23ed-5034-a89f-d3485b7667ef","name":"_Im_AlertEvent_EmptyV01","body":"let EmptyAlertEvents 
=datatable (\r\n TimeGenerated:datetime\r\n, _ResourceId:string\r\n, Type:string\r\n// ****** Event fields ******\r\n, AdditionalFields:dynamic\r\n, EventCount:int\r\n, EventType:string\r\n, EventProduct:string\r\n, EventProductVersion:string\r\n, EvenMessage:string\r\n, EventVendor:string\r\n, EventSchema:string\r\n, EventSchemaVersion:string\r\n, EventSeverity:string\r\n, EventOriginalSeverity:string\r\n, EventSubType:string\r\n, EventOriginalUid:string\r\n, EventOwner:string\r\n, EventOriginalType:string\r\n, EventOriginalSubType:string\r\n, EventEndTime:datetime\r\n, EventReportUrl:string\r\n, EventResult:string\r\n, EventStartTime:datetime\r\n, EventUid:string\r\n//****** Device fields ******\r\n, DvcAction:string\r\n, DvcDescription:string\r\n, DvcId:string\r\n, DvcIdType:string\r\n, DvcInterface:string\r\n, DvcHostname:string\r\n, DvcDomain:string\r\n, DvcDomainType:string\r\n, DvcIpAddr:string\r\n, DvcOs:string\r\n, DvcOsVersion:string\r\n, DvcMacAddr:string\r\n, DvcOriginalAction:string\r\n, DvcScope:string\r\n, DvcScopeId:string\r\n, DvcFQDN:string\r\n, DvcZone:string\r\n//****** Inspection fields ******\r\n, AlertId:string\r\n, AlertName:string\r\n, AlertDescription:string\r\n, AlertStatus:string\r\n, AlertOriginalStatus:string\r\n, AlertVerdict:string\r\n, AttackTactics:string\r\n, AttackTechniques:string\r\n, AttackRemediationSteps:string\r\n, IndicatorType:string\r\n, IndicatorAssociation:string\r\n, DetectionMethod:string\r\n, Rule: string\r\n, RuleNumber:int\r\n, RuleName:string\r\n, RuleDescription:string\r\n, ThreatId:string\r\n, ThreatName:string\r\n, ThreatFirstReportedTime:datetime\r\n, ThreatLastReportedTime:datetime\r\n, ThreatCategory:string\r\n, ThreatOriginalCategory:string\r\n, ThreatIsActive:bool\r\n, ThreatRiskLevel:int\r\n, ThreatOriginalRiskLevel:string\r\n, ThreatConfidence:int\r\n, ThreatOriginalConfidence:string\r\n//****** Source User fields ******\r\n, UserId:string\r\n, UserTdType:string\r\n, Username:string\r\n, 
UsernameType:string\r\n, UserType:string\r\n, OriginalUserType:string\r\n, SessionId:string\r\n, UserScopeId:string\r\n, UserScope:string\r\n//****** Process fields ******\r\n, ProcessId:string\r\n, ProcessName:string\r\n, ProcessCommandLine:string\r\n, ProcessFileCompany:string\r\n//****** File fields ******\r\n, FileName:string\r\n, FilePath:string\r\n, FileSHA1:string\r\n, FileMD5:string\r\n, FileSHA256:string\r\n, FileSize:int\r\n//****** Registry fields ******\r\n, RegistryKey:string\r\n, RegistryValue:string\r\n, RegistryValueType:string\r\n, RegistryValueData:string\r\n//****** Email fields ******\r\n, EmailSubject:string\r\n, EmailMessageId:string\r\n//****** Url fields ******\r\n, Url:string\r\n//****** Aliases ******\r\n, IpAddr:string\r\n, Hostname:string\r\n, User:string\r\n)[];\r\nEmptyAlertEvents","description":"Alert Event ASIM schema function.","related":{"resourceTypes":["microsoft.securityinsights/alerteventnormalized"],"solutions":["SecurityInsights"]}},{"id":"d1813ef1-05a5-5e65-a5d7-e8f399c64e3b","name":"_Im_AlertEvent_EmptyV02","body":"let EmptyAlertEvents =datatable (\r\n TimeGenerated:datetime,\r\n _ResourceId:string,\r\n Type:string,\r\n AdditionalFields:dynamic,\r\n AlertDescription:string,\r\n AlertId:string,\r\n AlertName:string,\r\n AlertOriginalStatus:string,\r\n AlertStatus:string,\r\n AlertVerdict:string,\r\n AttackRemediationSteps:string,\r\n AttackTactics:string,\r\n AttackTechniques:string,\r\n DetectionMethod:string,\r\n DvcAction:string,\r\n DvcDescription:string,\r\n DvcDomain:string,\r\n DvcDomainType:string,\r\n DvcFQDN:string,\r\n DvcHostname:string,\r\n DvcId:string,\r\n DvcIdType:string,\r\n DvcInterface:string,\r\n DvcIpAddr:string,\r\n DvcMacAddr:string,\r\n DvcOriginalAction:string,\r\n DvcOs:string,\r\n DvcOsVersion:string,\r\n DvcScope:string,\r\n DvcScopeId:string,\r\n DvcZone:string,\r\n EmailMessageId:string,\r\n EmailSubject:string,\r\n EventCount:int,\r\n EventEndTime:datetime,\r\n EventMessage:string,\r\n 
EventOriginalSeverity:string,\r\n EventOriginalSubType:string,\r\n EventOriginalType:string,\r\n EventOriginalUid:string,\r\n EventOwner:string,\r\n EventProduct:string,\r\n EventProductVersion:string,\r\n EventReportUrl:string,\r\n EventResult:string,\r\n EventSchema:string,\r\n EventSchemaVersion:string,\r\n EventSeverity:string,\r\n EventStartTime:datetime,\r\n EventSubType:string,\r\n EventType:string,\r\n EventUid:string,\r\n EventVendor:string,\r\n FileMD5:string,\r\n FileName:string,\r\n FilePath:string,\r\n FileSHA1:string,\r\n FileSHA256:string,\r\n FileSize:long,\r\n Hostname:string,\r\n IndicatorAssociation:string,\r\n IndicatorType:string,\r\n IpAddr:string,\r\n OriginalUserType:string,\r\n ProcessCommandLine:string,\r\n ProcessFileCompany:string,\r\n ProcessId:string,\r\n ProcessName:string,\r\n RegistryKey:string,\r\n RegistryValue:string,\r\n RegistryValueData:string,\r\n RegistryValueType:string,\r\n Rule:string,\r\n RuleDescription:string,\r\n RuleName:string,\r\n RuleNumber:int,\r\n ThreatCategory:string,\r\n ThreatConfidence:int,\r\n ThreatFirstReportedTime:datetime,\r\n ThreatId:string,\r\n ThreatIsActive:bool,\r\n ThreatLastReportedTime:datetime,\r\n ThreatName:string,\r\n ThreatOriginalCategory:string,\r\n ThreatOriginalConfidence:string,\r\n ThreatOriginalRiskLevel:string,\r\n ThreatRiskLevel:int,\r\n Url:string,\r\n User:string,\r\n UserId:string,\r\n UserIdType:string,\r\n Username:string,\r\n UsernameType:string,\r\n UserScope:string,\r\n UserScopeId:string,\r\n UserSessionId:string,\r\n UserType:string\r\n)[];\r\nEmptyAlertEvents","description":"Alert Event ASIM schema function.","related":{"resourceTypes":["microsoft.securityinsights/alerteventnormalized"],"solutions":["SecurityInsights"]}},{"id":"17446833-46a4-5ac6-9739-17ec9ce6c6e7","name":"_Im_AlertEvent_MicrosoftDefenderXDRV02","body":"let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)\r\n [\r\n \"User\", \"User\",\r\n \"Machine\", \"Host\",\r\n 
\"Process\", \"Process\",\r\n \"File\", \"File\",\r\n \"Ip\", \"Ip\",\r\n \"Url\", \"Url\",\r\n \"RegistryValue\", \"Registry\",\r\n \"CloudLogonSession\", \"LogonSession\",\r\n \"CloudApplication\", \"Application\",\r\n \"Mailbox\", \"Mailbox\",\r\n \"MailMessage\", \"Email\",\r\n \"CloudResource\", \"Cloud Resource\"\r\n ];\r\nlet IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)\r\n [\r\n \"Related\", \"Associated\",\r\n \"Impacted\", \"Targeted\"\r\n];\r\nlet RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)\r\n [\r\n \"ExpandString\", \"Reg_Expand_Sz\"\r\n];\r\nlet AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string)\r\n [\r\n \"Malicious\", \"True Positive\",\r\n \"Suspicious\", \"True Positive\",\r\n \"NoThreatsFound\", \"Benign Positive\"\r\n];\r\nlet AttackTacticSet = dynamic([\"Exfiltration\", \"PrivilegeEscalation\", \"Persistence\", \"LateralMovement\", \"Execution\", \"Discovery\", \"InitialAccess\", \"CredentialAccess\", \"DefenseEvasion\", \"CommandAndControl\", \"Impact\"]);\r\nlet ThreatCategorySet = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\r\nlet parser = (starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n ipaddr_has_any_prefix: dynamic=dynamic([]),\r\n hostname_has_any: dynamic=dynamic([]),\r\n username_has_any: dynamic=dynamic([]),\r\n attacktactics_has_any: dynamic=dynamic([]),\r\n attacktechniques_has_any: dynamic=dynamic([]),\r\n threatcategory_has_any: dynamic=dynamic([]),\r\n alertverdict_has_any: dynamic=dynamic([]),\r\n eventseverity_has_any: dynamic=dynamic([]),\r\n disabled: bool=false) {\r\n AlertEvidence\r\n | where not(disabled)\r\n // Mapping Inspection Fields\r\n | where (isnull(starttime) or 
Timestamp >= starttime)\r\n and (isnull(endtime) or Timestamp = starttime)\r\n and (isnull(endtime) or TimeGenerated ago(14d)\r\n | where AccountObjectId != \"\"\r\n | project-away AccountName, AccountDomain, GivenName, Surname, Type, TenantId, OnPremisesExtensionAttributes, UserState, UserStateChangedOn, SourceSystem\r\n | project-away InvestigationPriority, InvestigationPriorityPercentile, ExtensionProperty, AccountCloudSID, Applications, ServicePrincipals\r\n | summarize arg_max(TimeGenerated, *) by UserScopeId = AccountTenantId, UserId = AccountObjectId\r\n | project-away TimeGenerated\r\n | project-rename\r\n Username = AccountUPN,\r\n UserDisplayName = AccountDisplayName,\r\n UserSid = AccountSID,\r\n UserDN = OnPremisesDistinguishedName,\r\n UserTags = Tags,\r\n UserRiskLevel = RiskLevel,\r\n UserRiskLevelDetails = RiskLevelDetails,\r\n UserRiskState = RiskState, \r\n UserBlastRadius = BlastRadius,\r\n UserGroupMembership = GroupMembership,\r\n UserAssignedRoles = AssignedRoles,\r\n UserDepartment = Department,\r\n UserEmployeeId = EmployeeId,\r\n UserJobTitle = JobTitle,\r\n UserMailAddress = MailAddress,\r\n UserAdditionalMailAddresses = AdditionalMailAddresses,\r\n UserManager = Manager,\r\n UserStreetAddress = StreetAddress,\r\n UserCity = City,\r\n UserCountry = Country,\r\n UserRegion = State,\r\n UserPhone = Phone,\r\n UserAccountEnabled = IsAccountEnabled,\r\n UserAccountCreationTime = AccountCreationTime,\r\n RelatedUsers = RelatedAccounts,\r\n UserDeleted = DeletedDateTime,\r\n UserLastSeen = LastSeenDate,\r\n UserUACFlags = UACFlags,\r\n UserIsMFARegistered = IsMFARegistered,\r\n UserRiskScore = EntityRiskScore\r\n | extend \r\n UsernameType = \"UPN\",\r\n UserIdType = \"AadId\",\r\n UserType = iff(UserType == \"Guest\", UserType, \"\"),\r\n UserUpn = Username\r\n;\r\nT \r\n| extend\r\n jkUserId = column_ifexists(AadIdField,''),\r\n jkUserScopeId = column_ifexists(TenantIdField,''), \r\n jkUserSid = column_ifexists(SidField,''), \r\n jkUsername = 
column_ifexists(UpnField,''), \r\n jkUserMailAddress = column_ifexists(EmailField,'')\r\n| extend \r\n jkUserAadFullId = iff (isnotempty(jkUserScopeId), strcat(jkUserScopeId, '/', jkUserId), jkUserId)\r\n| extend\r\n join_key = coalesce (jkUserAadFullId, jkUserSid, jkUsername, jkUserMailAddress)\r\n| lookup ( \r\n AADinfo \r\n | extend join_key = case ( \r\n isnotempty(TenantIdField), strcat(UserScopeId, '/', UserId), \r\n isnotempty(AadIdField), UserId,\r\n isnotempty(SidField), UserSid,\r\n isnotempty(UpnField), UserUpn, \r\n isnotempty(EmailField), UserMailAddress,\r\n ''\r\n )\r\n) on join_key\r\n| project-away jkUserId, jkUserAadFullId, jkUserMailAddress, jkUsername, jkUserScopeId, jkUserSid, join_key\r\n","parameters":"T:(*), AadIdField:string = '', TenantIdField:string = '', SidField:string = '', UpnField:string = '', EmailField:string = ''","description":"Enrich events with data from the IdentityInfo UEBA table.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"6004200a-ea4c-5963-8ea7-7411196da9b8","name":"_ASIM_GetDisabledParsers","body":"let function = (CallerContext:string) {\r\n _ASIM_GetWatchlistRaw ('ASimDisabledParsers', pack_array('Any',CallerContext))\r\n | extend SourceSpecificParser = tostring(WatchlistItem.SourceSpecificParser)\r\n | where isnotempty(SourceSpecificParser)\r\n | distinct SourceSpecificParser \r\n};\r\nfunction (CallerContext)\r\n","parameters":"CallerContext:string","description":"An ASIM function to check if a parser is disabled.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"36a1bf66-3208-5df0-9964-04ec9bb2ea98","name":"_ASIM_GetSourceBySourceType","body":"let function = (SourceType:string) {\r\n let Sources_by_SourceType=(SourceType:string) {\r\n _ASIM_GetWatchlistsRaw (dynamic(['ASimSourceType','Sources_by_SourceType']), SourceType)\r\n | extend Source = tostring(WatchlistItem.Source) \r\n 
| where isnotempty(Source)\r\n | summarize make_set(Source)\r\n };\r\n toscalar (Sources_by_SourceType(SourceType))\r\n};\r\nfunction (SourceType)\r\n","parameters":"SourceType:string","description":"An ASIM function to get the the list of sources for an ASIM source type.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"3d93296d-00b9-5e04-8126-edd84e9ff112","name":"_ASIM_GetUserType","body":"let _ASIM_GetUserType = (username:string, sid:string) { \r\n case ( \r\n sid startswith \"S-1-5-80\", \"Service\",\r\n sid startswith \"S-1-5-21\", case (\r\n sid endswith \"-500\", \"Admin\",\r\n sid endswith \"-501\", \"Guest\",\r\n sid endswith \"-502\", \"Service\", // A user account that's used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.\r\n username contains \"admin\", \"Admin\",\r\n username endswith \"$\", \"Machine\",\r\n \"Regular\"),\r\n username endswith \"$\", \"Machine\",\r\n sid == \"S-1-5-113\", \"Other\", // Local account\r\n sid == \"S-1-5-7\", \"Anonymous\", \r\n sid == \"S-1-5-17\", \"Service\", // An account that's used by the default Internet Information Services (IIS) user\r\n sid == \"S-1-5-18\", \"System\", \r\n sid == \"S-1-5-19\", \"Service\", \r\n sid == \"S-1-5-20\", \"Service\" ,\r\n isempty(username), \"\",\r\n \"Other\"\r\n )\r\n};\r\n_ASIM_GetUserType(username,sid)\r\n","parameters":"username:string, sid:string","description":"An ASIM function sets the UserType for Windows systems based on the username and sid.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"8db4427b-54d0-5f94-87f9-5e7a8d2b8370","name":"_ASIM_GetUsernameType","body":"let _ASIM_GetUsernameType = (username:string) { \r\n case ( \r\n username contains \"@\" , \"UPN\"\r\n , username contains \"\\\\\", \"Windows\"\r\n , (username has \"CN=\" or username has \"OU=\" or username has \"DC=\"), 
\"DN\"\r\n , isempty(username), \"\"\r\n , \"Simple\"\r\n )\r\n};\r\n_ASIM_GetUsernameType (username)\r\n","parameters":"username:string","description":"An ASIM function sets the UsernameType based on the username.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"89909bc5-63b2-590b-b3b3-e8f5bea2fcfd","name":"_ASIM_GetWindowsUserType","body":"let _ASIM_GetWindowsUserType = (username:string, sid:string) { \r\n case ( \r\n sid startswith \"S-1-5-80\", \"Service\",\r\n sid startswith \"S-1-5-21\", case (\r\n sid endswith \"-500\", \"Admin\",\r\n sid endswith \"-501\", \"Guest\",\r\n sid endswith \"-502\", \"Service\", // A user account that's used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.\r\n username contains \"admin\", \"Admin\",\r\n username endswith \"$\", \"Machine\",\r\n \"Regular\"),\r\n username endswith \"$\", \"Machine\",\r\n sid == \"S-1-5-113\", \"Other\", // Local account\r\n sid == \"S-1-5-7\", \"Anonymous\", \r\n sid == \"S-1-5-17\", \"Service\", // An account that's used by the default Internet Information Services (IIS) user\r\n sid == \"S-1-5-18\", \"System\", \r\n sid == \"S-1-5-19\", \"Service\", \r\n sid == \"S-1-5-20\", \"Service\" ,\r\n isempty(username), \"\",\r\n \"Other\"\r\n )\r\n};\r\n_ASIM_GetWindowsUserType(username,sid)\r\n","parameters":"username:string, sid:string","description":"An ASIM function sets the UserType for Windows systems based on the username and sid.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"1fb5bab9-8bf8-5745-bb46-1858f0bdca77","name":"_ASIM_IdentityInfo","body":"IdentityInfo\r\n | where TimeGenerated > ago(14d)\r\n | where AccountObjectId != \"\"\r\n | project-away AccountName, AccountDomain, GivenName, Surname, Type, TenantId, OnPremisesExtensionAttributes, UserState, UserStateChangedOn, SourceSystem\r\n | project-away 
InvestigationPriority, InvestigationPriorityPercentile, ExtensionProperty, AccountCloudSID, Applications, ServicePrincipals\r\n | summarize arg_max(TimeGenerated, *) by UserScopeId = AccountTenantId, UserId = AccountObjectId\r\n | project-away TimeGenerated\r\n | project-rename\r\n Username = AccountUPN,\r\n UserDisplayName = AccountDisplayName,\r\n UserSid = AccountSID,\r\n UserDN = OnPremisesDistinguishedName,\r\n UserTags = Tags,\r\n UserRiskLevel = RiskLevel,\r\n UserRiskLevelDetails = RiskLevelDetails,\r\n UserRiskState = RiskState, \r\n UserBlastRadius = BlastRadius,\r\n UserGroupMembership = GroupMembership,\r\n UserAssignedRoles = AssignedRoles,\r\n UserDepartment = Department,\r\n UserEmployeeId = EmployeeId,\r\n UserJobTitle = JobTitle,\r\n UserMailAddress = MailAddress,\r\n UserAdditionalMailAddresses = AdditionalMailAddresses,\r\n UserManager = Manager,\r\n UserStreetAddress = StreetAddress,\r\n UserCity = City,\r\n UserCountry = Country,\r\n UserRegion = State,\r\n UserPhone = Phone,\r\n UserAccountEnabled = IsAccountEnabled,\r\n UserAccountCreationTime = AccountCreationTime,\r\n RelatedUsers = RelatedAccounts,\r\n UserDeleted = DeletedDateTime,\r\n UserLastSeen = LastSeenDate,\r\n UserUACFlags = UACFlags,\r\n UserIsMFARegistered = IsMFARegistered,\r\n UserRiskScore = EntityRiskScore\r\n | extend \r\n UsernameType = \"UPN\",\r\n UserIdType = \"AadId\",\r\n UserType = iff(UserType == \"Guest\", UserType, \"\"),\r\n UserUpn = Username\r\n","description":"An ASIM normalized view of the IdentityInfo table.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"af841918-ea4a-515c-bb21-0a7a5bc741fc","name":"_ASIM_LookupAADcodes","body":"let function = (ResultType:string) {\r\n let AADResultTypes=dynamic \r\n ({\r\n '53003':'Logon violates policy',\r\n '50034':'No such user or password',\r\n '50059':'No such user or password',\r\n '50053':'User locked',\r\n '50055':'Password expired',\r\n 
'50056':'Incorrect password',\r\n '50057':'User disabled',\r\n '50058':'Logon violates policy',\r\n '50011':'Logon violates policy', \r\n '50064':'No such user or password',\r\n '50076':'Logon violates policy',\r\n '50079':'Logon violates policy',\r\n '50105':'Logon violates policy',\r\n '50126':'No such user or password',\r\n '50132':'Password expired',\r\n '50133':'Password expired',\r\n '50144':'Password expired',\r\n '50173':'Password expired',\r\n '80012':'Logon violates policy',\r\n '51004':'No such user or password',\r\n '50072':'Logon violates policy',\r\n '50005':'Logon violates policy',\r\n '50020':'Logon violates policy',\r\n '50074':'Logon violates policy', \r\n '70008':'Password expired',\r\n '700016':'No such user or password', \r\n '500011':'No such user or password' \r\n });\r\n let AADResultTypeLookup = AADResultTypes[tostring(ResultType)];\r\n case (\r\n AADResultTypeLookup != \"\", AADResultTypeLookup,\r\n 'Unassigned'\r\n )\r\n};\r\nfunction(ResultType)\r\n","parameters":"ResultType:string","description":"AAD STS error codes.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"a3969e5c-574a-526d-937a-f347c8c77929","name":"_ASIM_LookupDnsQueryType","body":"let function = (QueryType:int) {\r\n let QueryTypeTable=dynamic\r\n ({\r\n \"0\":\"Reserved\",\r\n \"1\":\"A\",\r\n \"2\":\"NS\",\r\n \"3\":\"MD\",\r\n \"4\":\"MF\",\r\n \"5\":\"CNAME\",\r\n \"6\":\"SOA\",\r\n \"7\":\"MB\",\r\n \"8\":\"MG\",\r\n \"9\":\"MR\",\r\n \"10\":\"NULL\",\r\n \"11\":\"WKS\",\r\n \"12\":\"PTR\",\r\n \"13\":\"HINFO\",\r\n \"14\":\"MINFO\",\r\n \"15\":\"MX\",\r\n \"16\":\"TXT\",\r\n \"17\":\"RP\",\r\n \"18\":\"AFSDB\",\r\n \"19\":\"X25\",\r\n \"20\":\"ISDN\",\r\n \"21\":\"RT\",\r\n \"22\":\"NSAP\",\r\n \"23\":\"NSAP-PTR\",\r\n \"24\":\"SIG\",\r\n \"25\":\"KEY\",\r\n \"26\":\"PX\",\r\n \"27\":\"GPOS\",\r\n \"28\":\"AAAA\",\r\n \"29\":\"LOC\",\r\n \"30\":\"NXT\",\r\n \"31\":\"EID\",\r\n \"32\":\"NIMLOC\",\r\n 
\"33\":\"SRV\",\r\n \"34\":\"ATMA\",\r\n \"35\":\"NAPTR\",\r\n \"36\":\"KX\",\r\n \"37\":\"CERT\",\r\n \"38\":\"A6\",\r\n \"39\":\"DNAME\",\r\n \"40\":\"SINK\",\r\n \"41\":\"OPT\",\r\n \"42\":\"APL\",\r\n \"43\":\"DS\",\r\n \"44\":\"SSHFP\",\r\n \"45\":\"IPSECKEY\",\r\n \"46\":\"RRSIG\",\r\n \"47\":\"NSEC\",\r\n \"48\":\"DNSKEY\",\r\n \"49\":\"DHCID\",\r\n \"50\":\"NSEC3\",\r\n \"51\":\"NSEC3PARAM\",\r\n \"52\":\"TLSA\",\r\n \"53\":\"SMIMEA\",\r\n \"54\":\"Unassigned\",\r\n \"55\":\"HIP\",\r\n \"56\":\"NINFO\",\r\n \"57\":\"RKEY\",\r\n \"58\":\"TALINK\",\r\n \"59\":\"CDS\",\r\n \"60\":\"CDNSKEY\",\r\n \"61\":\"OPENPGPKEY\",\r\n \"62\":\"CSYNC\",\r\n \"99\":\"SPF\",\r\n \"100\":\"UINFO\",\r\n \"101\":\"UID\",\r\n \"102\":\"GID\",\r\n \"103\":\"UNSPEC\",\r\n \"104\":\"NID\",\r\n \"105\":\"L32\",\r\n \"106\":\"L64\",\r\n \"107\":\"LP\",\r\n \"108\":\"EUI48\",\r\n \"109\":\"EUI64\",\r\n \"249\":\"TKEY\",\r\n \"250\":\"TSIG\",\r\n \"251\":\"IXFR\",\r\n \"252\":\"AXFR\",\r\n \"253\":\"MAILB\",\r\n \"254\":\"MAILA\",\r\n \"255\":\"All\",\r\n \"256\":\"URI\",\r\n \"257\":\"CAA\",\r\n \"258\":\"AVC\",\r\n \"259\":\"DOA\",\r\n \"32768\":\"TA\",\r\n \"32769\":\"DLV\",\r\n \"65535\": \"Reserved\"\r\n });\r\n let QueryTypeLookup = QueryTypeTable[tostring(QueryType)];\r\n case (\r\n QueryTypeLookup != \"\", QueryTypeLookup,\r\n QueryType between (65280 .. 
65534), 'Reserved for Private Use',\r\n 'Unassigned'\r\n )\r\n};\r\nfunction(QueryType)","parameters":"QueryType:int","description":"An ASIM function to return the DNS query type name (resource record type) based on a numerical query type. Codes 65280-65534 return 'Reserved for Private Use'; any code not in the table returns 'Unassigned'.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"cf296479-dace-5fb4-906c-a270dcee23d8","name":"_ASIM_LookupDnsResponseCode","body":"let function = (ResponseCode:int) {\r\n let ResponseCodesTable=dynamic\r\n ({\r\n '0':'NOERROR',\r\n '1':'FORMERR',\r\n '2':'SERVFAIL',\r\n '3':'NXDOMAIN',\r\n '4':'NOTIMP',\r\n '5':'REFUSED',\r\n '6':'YXDOMAIN',\r\n '7':'YXRRSET',\r\n '8':'NXRRSET',\r\n '9':'NOTAUTH',\r\n '10':'NOTZONE',\r\n '11':'DSOTYPENI',\r\n '16':'BADVERS',\r\n //'16':'BADSIG',\r\n '17':'BADKEY',\r\n '18':'BADTIME',\r\n '19':'BADMODE',\r\n '20':'BADNAME',\r\n '21':'BADALG',\r\n '22':'BADTRUNC',\r\n '23':'BADCOOKIE'\r\n });\r\n let ResponseCodeNameLookup = ResponseCodesTable[tostring(ResponseCode)];\r\n case (\r\n ResponseCodeNameLookup != \"\", ResponseCodeNameLookup,\r\n ResponseCode between (3841 .. 
4095), 'Reserved for Private Use',\r\n 'Unassigned'\r\n )\r\n};\r\nfunction(ResponseCode)","parameters":"ResponseCode:int","description":"An ASIM function to returns the DNS response code name based on a numerical response code.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"9acfdefa-84a4-531b-a67c-296df42d9e4f","name":"_ASIM_LookupHTTPStatusCode","body":"let function = (StatusCode:string) {\r\n let HTTPStatusCodesTable=dynamic\r\n ({\r\n \"100\":\"Continue\",\r\n \"101\":\"Switching Protocols\",\r\n \"102\":\"Processing\",\r\n \"103\":\"Early Hints\",\r\n \"200\":\"OK\",\r\n \"201\":\"Created\",\r\n \"202\":\"Accepted\",\r\n \"203\":\"Non-Authoritative Information\",\r\n \"204\":\"No Content\",\r\n \"205\":\"Reset Content\",\r\n \"206\":\"Partial Content\",\r\n \"207\":\"Multi-Status\",\r\n \"208\":\"Already Reported\",\r\n \"226\":\"IM Used\",\r\n \"300\":\"Multiple Choices\",\r\n \"301\":\"Moved Permanently\",\r\n \"302\":\"Found\",\r\n \"303\":\"See Other\",\r\n \"304\":\"Not Modified\",\r\n \"305\":\"Use Proxy\",\r\n \"306\":\"Switch Proxy\",\r\n \"307\":\"Temporary Redirect\",\r\n \"308\":\"Permanent Redirect\",\r\n \"400\":\"Bad Request\",\r\n \"400.1\":\"Invalid Destination Header\",\r\n \"400.2\":\"Invalid Depth Header\",\r\n \"400.3\":\"Invalid If Header\",\r\n \"400.4\":\"Invalid Overwrite Header\",\r\n \"400.5\":\"Invalid Translate Header\",\r\n \"400.6\":\"Invalid Request Body\",\r\n \"400.7\":\"Invalid Content Length\",\r\n \"400.8\":\"Invalid Timeout\",\r\n \"400.9\":\"Invalid Lock Token\",\r\n \"400.10\":\"Invalid X-Forwarded-For (XFF) header\",\r\n \"400.11\":\"Invalid WebSocket request\",\r\n \"400.601\":\"Bad client request (ARR)\",\r\n \"400.602\":\"Invalid time format (ARR)\",\r\n \"400.603\":\"Parse range error (ARR)\",\r\n \"400.604\":\"Client gone (ARR)\",\r\n \"400.605\":\"Maximum number of forwards (ARR)\",\r\n \"400.606\":\"Asynchronous competition error (ARR)\",\r\n 
\"401\":\"Unauthorized\",\r\n \"401.1\":\"Logon failed\",\r\n \"401.2\":\"Logon failed due to server configuration\",\r\n \"401.3\":\"Unauthorized due to ACL on resource\",\r\n \"401.4\":\"Authorization failed by filter\",\r\n \"401.5\":\"Authorization failed by ISAPI/CGI application\",\r\n \"401.501\":\"Access Denied: Too many requests from the same client IP; Dynamic IP Restriction Concurrent request rate limit reached.\",\r\n \"401.502\":\"Forbidden: Too many requests from the same client IP; Dynamic IP Restriction Maximum request rate limit reached.\",\r\n \"401.503\":\"Access Denied: the IP address is included in the Deny list of IP Restriction\",\r\n \"401.504\":\"Access Denied: the host name is included in the Deny list of IP Restriction\",\r\n \"402\":\"Payment Required\",\r\n \"403\":\"Forbidden\",\r\n \"403.1\":\"Execute access forbidden\",\r\n \"403.2\":\"Read access forbidden\",\r\n \"403.3\":\"Write access forbidden\",\r\n \"403.4\":\"SSL required\",\r\n \"403.5\":\"SSL 128 required\",\r\n \"403.6\":\"IP address rejected\",\r\n \"403.7\":\"Client certificate required\",\r\n \"403.8\":\"Site access denied\",\r\n \"403.9\":\"Forbidden: Too many clients are trying to connect to the web server\",\r\n \"403.10\":\"Forbidden: web server is configured to deny Execute access\",\r\n \"403.11\":\"Forbidden: Password has been changed\",\r\n \"403.12\":\"Mapper denied access\",\r\n \"403.13\":\"Client certificate revoked\",\r\n \"403.14\":\"Directory listing denied\",\r\n \"403.15\":\"Forbidden: Client access licenses have exceeded limits on the web server\",\r\n \"403.16\":\"Client certificate is untrusted or invalid\",\r\n \"403.17\":\"Client certificate has expired or is not yet valid\",\r\n \"403.18\":\"Cannot execute requested URL in the current application pool\",\r\n \"403.19\":\"Cannot execute CGI applications for the client in this application pool\",\r\n \"403.20\":\"Forbidden: Passport logon failed\",\r\n \"403.21\":\"Forbidden: Source access 
denied\",\r\n \"403.22\":\"Forbidden: Infinite depth is denied\",\r\n \"403.501\":\"Forbidden: Too many requests from the same client IP; Dynamic IP Restriction Concurrent request rate limit reached\",\r\n \"403.502\":\"Forbidden: Too many requests from the same client IP; Dynamic IP Restriction Maximum request rate limit reached\",\r\n \"403.503\":\"Forbidden: the IP address is included in the Deny list of IP Restriction\",\r\n \"403.504\":\"Forbidden: the host name is included in the Deny list of IP Restriction\",\r\n \"404\":\"Not Found\",\r\n \"404.0\":\"Not found\",\r\n \"404.1\":\"Site Not Found\",\r\n \"404.2\":\"ISAPI or CGI restriction\",\r\n \"404.3\":\"Multipurpose Internet Mail Extensions (MIME) type restriction\",\r\n \"404.4\":\"No handler configured\",\r\n \"404.5\":\"Denied by request filtering configuration\",\r\n \"404.6\":\"Verb denied\",\r\n \"404.7\":\"File extension denied\",\r\n \"404.8\":\"Hidden namespace\",\r\n \"404.9\":\"File attribute hidden\",\r\n \"404.10\":\"Request header too long\",\r\n \"404.11\":\"Request contains double escape sequence\",\r\n \"404.12\":\"Request contains high-bit characters\",\r\n \"404.13\":\"Content length too large\",\r\n \"404.14\":\"Request URL too long\",\r\n \"404.15\":\"Query string too long\",\r\n \"404.16\":\"DAV request sent to the static file handler\",\r\n \"404.17\":\"Dynamic content mapped to the static file handler via a wildcard MIME mapping\",\r\n \"404.18\":\"Querystring sequence denied\",\r\n \"404.19\":\"Denied by filtering rule\",\r\n \"404.20\":\"Too Many URL Segments\",\r\n \"404.501\":\"Not Found: Too many requests from the same client IP; Dynamic IP Restriction Concurrent request rate limit reached\",\r\n \"404.502\":\"Not Found: Too many requests from the same client IP; Dynamic IP Restriction Maximum request rate limit reached\",\r\n \"404.503\":\"Not Found: the IP address is included in the Deny list of IP Restriction\",\r\n \"404.504\":\"Not Found: the host name is included in the 
Deny list of IP Restriction\", \r\n \"405\":\"Method Not Allowed\",\r\n \"406\":\"Not Acceptable\",\r\n \"407\":\"Proxy Authentication Required\",\r\n \"408\":\"Request Timeout\",\r\n \"409\":\"Conflict\",\r\n \"410\":\"Gone\",\r\n \"411\":\"Length Required\",\r\n \"412\":\"Precondition Failed\",\r\n \"413\":\"Payload Too Large\",\r\n \"414\":\"URI Too Long\",\r\n \"415\":\"Unsupported Media Type\",\r\n \"416\":\"Range Not Satisfiable\",\r\n \"417\":\"Expectation Failed\",\r\n \"418\":\"I'm a teapot\", // probably the most common one ;^)\r\n \"421\":\"Misdirect Request\",\r\n \"422\":\"Unprocessable Entity\",\r\n \"423\":\"Locked\",\r\n \"424\":\"Failed Dependency\",\r\n \"425\":\"Too Early\",\r\n \"426\":\"Upgrade Required\",\r\n \"428\":\"Precondition Required\",\r\n \"429\":\"Too Many Requests\",\r\n \"431\":\"Request Header Fields Too Large\",\r\n \"451\":\"Unavailable For Legal Reasons/Redirect\",\r\n \"500\":\"Internal Server Error\",\r\n \"500.0\":\"Module or ISAPI error occurred\",\r\n \"500.11\":\"Application is shutting down on the web server\",\r\n \"500.12\":\"Application is busy restarting on the web server\",\r\n \"500.13\":\"Web server is too busy\",\r\n \"500.15\":\"Direct requests for Global.asax are not allowed\",\r\n \"500.19\":\"Configuration data is invalid\",\r\n \"500.21\":\"Module not recognized\",\r\n \"500.22\":\"An ASP.NET httpModules configuration does not apply in Managed Pipeline mode\",\r\n \"500.23\":\"An ASP.NET httpHandlers configuration does not apply in Managed Pipeline mode\",\r\n \"500.24\":\"An ASP.NET impersonation configuration does not apply in Managed Pipeline mode\",\r\n \"500.50\":\"A rewrite error occurred during RQ_BEGIN_REQUEST notification handling. A configuration or inbound rule execution error occurred.\",\r\n \"500.51\":\"A rewrite error occurred during GL_PRE_BEGIN_REQUEST notification handling. 
A global configuration or global rule execution error occurred\",\r\n \"500.52\":\"A rewrite error occurred during RQ_SEND_RESPONSE notification handling. An outbound rule execution occurred\",\r\n \"500.53\":\"A rewrite error occurred during RQ_RELEASE_REQUEST_STATE notification handling. An outbound rule execution error occurred. The rule is configured to be executed before the output user cache gets updated\",\r\n \"500.100\":\"Internal ASP error\",\r\n \"501\":\"Not Implemented\",\r\n \"502\":\"Bad Gateway\",\r\n \"502.1\":\"CGI application timeout\",\r\n \"502.2\":\"Bad gateway: Premature Exit/Map request failure (ARR)\",\r\n \"502.3\":\"Bad Gateway: Forwarder Connection Error (ARR)/WinHTTP asynchronous completion failure (ARR)\",\r\n \"502.4\":\"Bad Gateway: No Server (ARR)\",\r\n \"502.5\":\"WebSocket failure (ARR)\",\r\n \"502.6\":\"Forwarded request failure (ARR)\",\r\n \"502.7\":\"Execute request failure (ARR)\",\r\n \"503\":\"Service Unavailable\",\r\n \"503.0\":\"Application pool unavailable\",\r\n \"503.2\":\"Concurrent request limit exceeded\",\r\n \"503.3\":\"ASP.NET queue full\",\r\n \"503.4\":\"FastCGI queue full\",\r\n \"504\":\"Gateway Timeout\",\r\n \"505\":\"HTTP Version Not Supported\",\r\n \"506\":\"Variant Also Negotiates\",\r\n \"507\":\"Insufficient Storage\",\r\n \"508\":\"Loop Detected\",\r\n \"510\":\"Not Extended\",\r\n \"511\":\"Network Authentication Required\",\r\n \"419\":\"Page Expired\",\r\n \"420\":\"Method Failure\",\r\n \"430\":\"Request Header Field Too Large\",\r\n \"450\":\"Blocked by Windows Parental Controls\",\r\n \"498\":\"Invalid Token\",\r\n \"499\":\"Token Required(Esri)/Client Closed Request(nginx)\",\r\n \"509\":\"Bandwith Limit Exceeded\",\r\n \"529\":\"Site is overloaded\",\r\n \"530\":\"Site is frozen/Cloudflare HTTP error 530 is returned with an accompanying 1XXX error displayed\",\r\n \"598\":\"Network read timeout error\",\r\n \"599\":\"Network Connect Timeout Error\",\r\n \"440\":\"Login Time-out\",\r\n 
\"449\":\"Retry With\",\r\n \"444\":\"No Response\",\r\n \"494\":\"Request header too large\",\r\n \"495\":\"SSL Certificate Error\",\r\n \"496\":\"SSL Certificate Required\",\r\n \"497\":\"HTTP Request Sent to HTTPS Port\",\r\n \"520\":\"Web Server Returned an Unknown Error\",\r\n \"521\":\"Web Server Is Down\",\r\n \"523\":\"Origin Is Unreachable\",\r\n \"524\":\"A Timeout Occurred\",\r\n \"525\":\"SSL Handshake Failed\",\r\n \"526\":\"Invalid SSL Certificate\",\r\n \"527\":\"Railgun Error\",\r\n \"561\":\"Unauthorized\",\r\n \"110\":\"Response is Stale\",\r\n \"111\":\"Revalidation Failed\",\r\n \"112\":\"Disconnected Operation\",\r\n \"113\":\"Heuristic Expiration\",\r\n \"199\":\"Miscellaneous Warning\",\r\n \"214\":\"Transformation Applied\",\r\n \"299\":\"Miscellaneous Persistent Warning\",\r\n \"460\":\"AWS ELB Client closed the connection with the load balancer before the idle timeout period elapsed\",\r\n \"463\":\"AWS ELB The load balancer received an X-Forwarded-For request header with more than 30 IP addresses\"\r\n });\r\n let HTTPStatusCodeLookup = HTTPStatusCodesTable[tostring(StatusCode)];\r\n iff (isnotempty(HTTPStatusCodeLookup), HTTPStatusCodeLookup, 'Unassigned')\r\n};\r\nfunction (StatusCode)","parameters":"StatusCode:string","description":"An ASIM function to returns the HTTP Status code name based on a numerical response code.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"a22d978f-3944-5ad8-9452-757225af75b0","name":"_ASIM_LookupICMPType","body":"let function = (NetworkIcmpCode:int) {\r\n let ICMPTypeTable=dynamic\r\n ({\r\n \"0\":\"Echo Reply\",\r\n \"1\":\"Unassigned\",\r\n \"2\":\"Unassigned\",\r\n \"3\":\"Destination Unreachable\",\r\n \"4\":\"Source Quench (Deprecated)\",\r\n \"5\":\"Redirect\",\r\n \"6\":\"Alternate Host Address (Deprecated)\",\r\n \"7\":\"Unassigned\",\r\n \"8\":\"Echo\",\r\n \"9\":\"Router Advertisement\",\r\n \"10\":\"Router Solicitation\",\r\n 
\"11\":\"Time Exceeded\",\r\n \"12\":\"Parameter Problem\",\r\n \"13\":\"Timestamp\",\r\n \"14\":\"Timestamp Reply\",\r\n \"15\":\"Information Request (Deprecated)\",\r\n \"16\":\"Information Reply (Deprecated)\",\r\n \"17\":\"Address Mask Request (Deprecated)\",\r\n \"18\":\"Address Mask Reply (Deprecated)\",\r\n \"19\":\"Reserved (for Security)\",\r\n \"20\":\"Reserved (for Robustness Experiment)\", \r\n \"21\":\"Reserved (for Robustness Experiment)\",\r\n \"22\":\"Reserved (for Robustness Experiment)\",\r\n \"23\":\"Reserved (for Robustness Experiment)\",\r\n \"24\":\"Reserved (for Robustness Experiment)\",\r\n \"25\":\"Reserved (for Robustness Experiment)\",\r\n \"26\":\"Reserved (for Robustness Experiment)\",\r\n \"27\":\"Reserved (for Robustness Experiment)\",\r\n \"28\":\"Reserved (for Robustness Experiment)\",\r\n \"29\":\"Reserved (for Robustness Experiment)\",\r\n \"30\":\"Traceroute (Deprecated)\",\r\n \"31\":\"Datagram Conversion Error (Deprecated)\",\r\n \"32\":\"Mobile Host Redirect (Deprecated)\",\r\n \"33\":\"IPv6 Where-Are-You (Deprecated)\",\r\n \"34\":\"IPv6 I-Am-Here (Deprecated)\",\r\n \"35\":\"Mobile Registration Request (Deprecated)\",\r\n \"36\":\"Mobile Registration Reply (Deprecated)\",\r\n \"37\":\"Domain Name Request (Deprecated)\",\r\n \"38\":\"Domain Name Reply (Deprecated)\",\r\n \"39\":\"SKIP (Deprecated)\",\r\n \"40\":\"Photuris\",\r\n \"41\":\"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\r\n \"42\":\"Extended Echo Request\",\r\n \"43\":\"Extended Echo Reply\",\r\n \"253\":\"RFC3692-style Experiment 1\",\r\n \"254\":\"RFC3692-style Experiment 2\",\r\n \"255\":\"Reserved\" \r\n });\r\n let NetworkIcmpTypeLookup = ICMPTypeTable[tostring(NetworkIcmpCode)];\r\n case (\r\n NetworkIcmpTypeLookup != \"\", NetworkIcmpTypeLookup,\r\n 'Unassigned'\r\n )\r\n};\r\nfunction(NetworkIcmpCode)","parameters":"NetworkIcmpCode:int","description":"An ASIM function to return the ICMP type 
name.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"5fe2edb1-cf39-5039-bf18-5abc1bae5f4c","name":"_ASIM_LookupNetworkProtocol","body":"let function = (NetworkProtocol:int) {\r\n let NetworkProtocolTable=dynamic\r\n ({\r\n \"0\":\"HOPOPT\",\r\n \"1\":\"ICMP\",\r\n \"2\":\"IGMP\",\r\n \"3\":\"GGP\",\r\n \"4\":\"IPv4\",\r\n \"5\":\"ST\",\r\n \"6\":\"TCP\",\r\n \"7\":\"CBT\",\r\n \"8\":\"EGP\",\r\n \"9\":\"IGP\",\r\n \"10\":\"BBN-RCC-MON\",\r\n \"11\":\"NVP-II\",\r\n \"12\":\"PUP\",\r\n \"13\":\"ARGUS (deprecated)\",\r\n \"14\":\"EMCON\",\r\n \"15\":\"XNET\",\r\n \"16\":\"CHAOS\",\r\n \"17\":\"UDP\",\r\n \"18\":\"MUX\",\r\n \"19\":\"DCN-MEAS\",\r\n \"20\":\"HMP\",\r\n \"21\":\"PRM\",\r\n \"22\":\"XNS-IDP\",\r\n \"23\":\"TRUNK-1\",\r\n \"24\":\"TRUNK-2\",\r\n \"25\":\"LEAF-1\",\r\n \"26\":\"LEAF-2\",\r\n \"27\":\"RDP\",\r\n \"28\":\"IRTP\",\r\n \"29\":\"ISO-TP4\",\r\n \"30\":\"NETBLT\",\r\n \"31\":\"MFE-NSP\",\r\n \"32\":\"MERIT-INP\",\r\n \"33\":\"DCCP\",\r\n \"34\":\"3PC\",\r\n \"35\":\"IDPR\",\r\n \"36\":\"XTP\",\r\n \"37\":\"DDP\",\r\n \"38\":\"IDPR-CMTP\",\r\n \"39\":\"TP++\",\r\n \"40\":\"IL\",\r\n \"41\":\"IPv6\",\r\n \"42\":\"SDRP\",\r\n \"43\":\"IPv6-Route\",\r\n \"44\":\"IPv6-Frag\",\r\n \"45\":\"IDRP\",\r\n \"46\":\"RSVP\",\r\n \"47\":\"GRE\",\r\n \"48\":\"DSR\",\r\n \"49\":\"BNA\",\r\n \"50\":\"ESP\",\r\n \"51\":\"AH\",\r\n \"52\":\"I-NLSP\",\r\n \"53\":\"SWIPE (deprecated)\",\r\n \"54\":\"NARP\",\r\n \"55\":\"MOBILE\",\r\n \"56\":\"TLSP\",\r\n \"57\":\"SKIP\",\r\n \"58\":\"IPv6-ICMP\",\r\n \"59\":\"IPv6-NoNxt\",\r\n \"60\":\"IPv6-Opts\",\r\n \"61\":\"\",\r\n \"62\":\"CFTP\",\r\n \"63\":\"\",\r\n \"64\":\"SAT-EXPAK\",\r\n \"65\":\"KRYPTOLAN\",\r\n \"66\":\"RVD\",\r\n \"67\":\"IPPC\",\r\n \"68\":\"\",\r\n \"69\":\"SAT-MON\",\r\n \"70\":\"VISA\",\r\n \"71\":\"IPCV\",\r\n \"72\":\"CPNX\",\r\n \"73\":\"CPHB\",\r\n \"74\":\"WSN\",\r\n \"75\":\"PVP\",\r\n \"76\":\"BR-SAT-MON\",\r\n 
\"77\":\"SUN-ND\",\r\n \"78\":\"WB-MON\",\r\n \"79\":\"WB-EXPAK\",\r\n \"80\":\"ISO-IP\",\r\n \"81\":\"VMTP\",\r\n \"82\":\"SECURE-VMTP\",\r\n \"83\":\"VINES\",\r\n \"84\":\"TTP\",\r\n // \"84\":\"IPTM\",\r\n \"85\":\"NSFNET-IGP\",\r\n \"86\":\"DGP\",\r\n \"87\":\"TCF\",\r\n \"88\":\"EIGRP\",\r\n \"89\":\"OSPFIGP\",\r\n \"90\":\"Sprite-RPC\",\r\n \"91\":\"LARP\",\r\n \"92\":\"MTP\",\r\n \"93\":\"AX.25\",\r\n \"94\":\"IPIP\",\r\n \"95\":\"MICP (deprecated)\",\r\n \"96\":\"SCC-SP\",\r\n \"97\":\"ETHERIP\",\r\n \"98\":\"ENCAP\",\r\n \"99\":\"\",\r\n \"100\":\"GMTP\",\r\n \"101\":\"IFMP\",\r\n \"102\":\"PNNI\",\r\n \"103\":\"PIM\",\r\n \"104\":\"ARIS\",\r\n \"105\":\"SCPS\",\r\n \"106\":\"QNX\",\r\n \"107\":\"A/N\",\r\n \"108\":\"IPComp\",\r\n \"109\":\"SNP\",\r\n \"110\":\"Compaq-Peer\",\r\n \"111\":\"IPX-in-IP\",\r\n \"112\":\"VRRP\",\r\n \"113\":\"PGM\",\r\n \"114\":\"\",\r\n \"115\":\"L2TP\",\r\n \"116\":\"DDX\",\r\n \"117\":\"IATP\",\r\n \"118\":\"STP\",\r\n \"119\":\"SRP\",\r\n \"120\":\"UTI\",\r\n \"121\":\"SMP\",\r\n \"122\":\"SM (deprecated)\",\r\n \"123\":\"PTP\",\r\n \"124\":\"ISIS over IPv4\",\r\n \"125\":\"FIRE\",\r\n \"126\":\"CRTP\",\r\n \"127\":\"CRUDP\",\r\n \"128\":\"SSCOPMCE\",\r\n \"129\":\"IPLT\",\r\n \"130\":\"SPS\",\r\n \"131\":\"PIPE\",\r\n \"132\":\"SCTP\",\r\n \"133\":\"FC\",\r\n \"134\":\"RSVP-E2E-IGNORE\",\r\n \"135\":\"Mobility Header\",\r\n \"136\":\"UDPLite\",\r\n \"137\":\"MPLS-in-IP\",\r\n \"138\":\"manet\",\r\n \"139\":\"HIP\",\r\n \"140\":\"Shim6\",\r\n \"141\":\"WESP\",\r\n \"142\":\"ROHC\",\r\n \"143\":\"Ethernet\",\r\n \"253\":\"\",\r\n \"254\":\"\",\r\n \"255\":\"Reserved\"\r\n });\r\n let NetworkProtocolLookup = NetworkProtocolTable[tostring(NetworkProtocol)];\r\n case (\r\n NetworkProtocolLookup != \"\", NetworkProtocolLookup,\r\n 'Unassigned'\r\n )\r\n};\r\nfunction(NetworkProtocol)","parameters":"NetworkProtocol:int","description":"An ASIM function to return the IP network protocol 
name.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"9c002e33-2ecf-409e-b665-645ebff50636","name":"_ASIM_LookupSyslogSeverityLevel","body":"let LookupFunction = (SeverityLevelInput: string) {\r\n let SeverityLevelTypes = dynamic({\r\n \"alert\": \"Low\",\r\n \"crit\": \"High\",\r\n \"critical\": \"High\",\r\n \"debug\": \"Informational\",\r\n \"emerg\": \"High\",\r\n \"emergency\": \"High\",\r\n \"err\": \"Medium\",\r\n \"error\": \"Medium\",\r\n \"info\": \"Informational\",\r\n \"notice\": \"Informational\",\r\n \"warn\": \"Low\",\r\n \"warning\": \"Low\"\r\n });\r\n let SeverityLevelLookup = SeverityLevelTypes[tostring(SeverityLevelInput)];\r\n case(\r\n isnotempty(SeverityLevelLookup), SeverityLevelLookup,\r\n \"\"\r\n )\r\n};\r\nLookupFunction(SeverityLevelInput);","parameters":"SeverityLevelInput:string","description":"An ASIM function to return the normalized Severity Level from Syslog tables.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"e316c508-8b3f-5198-88b0-8fd97672a930","name":"_ASIM_ResolveDnsQueryType","body":"let DnsQueryTypeLookup=datatable(DnsQueryType:int,DnsQueryTypeName:string)[\r\n 0,\"Reserved\",\r\n 1,\"A\",\r\n 2,\"NS\",\r\n 3,\"MD\",\r\n 4,\"MF\",\r\n 5,\"CNAME\",\r\n 6,\"SOA\",\r\n 7,\"MB\",\r\n 8,\"MG\",\r\n 9,\"MR\",\r\n 10,\"NULL\",\r\n 11,\"WKS\",\r\n 12,\"PTR\",\r\n 13,\"HINFO\",\r\n 14,\"MINFO\",\r\n 15,\"MX\",\r\n 16,\"TXT\",\r\n 17,\"RP\",\r\n 18,\"AFSDB\",\r\n 19,\"X25\",\r\n 20,\"ISDN\",\r\n 21,\"RT\",\r\n 22,\"NSAP\",\r\n 23,\"NSAP-PTR\",\r\n 24,\"SIG\",\r\n 25,\"KEY\",\r\n 26,\"PX\",\r\n 27,\"GPOS\",\r\n 28,\"AAAA\",\r\n 29,\"LOC\",\r\n 30,\"NXT\",\r\n 31,\"EID\",\r\n 32,\"NIMLOC\",\r\n 33,\"SRV\",\r\n 34,\"ATMA\",\r\n 35,\"NAPTR\",\r\n 36,\"KX\",\r\n 37,\"CERT\",\r\n 38,\"A6\",\r\n 39,\"DNAME\",\r\n 40,\"SINK\",\r\n 41,\"OPT\",\r\n 42,\"APL\",\r\n 43,\"DS\",\r\n 44,\"SSHFP\",\r\n 
45,\"IPSECKEY\",\r\n 46,\"RRSIG\",\r\n 47,\"NSEC\",\r\n 48,\"DNSKEY\",\r\n 49,\"DHCID\",\r\n 50,\"NSEC3\",\r\n 51,\"NSEC3PARAM\",\r\n 52,\"TLSA\",\r\n 53,\"SMIMEA\",\r\n 54,\"Unassigned\",\r\n 55,\"HIP\",\r\n 56,\"NINFO\",\r\n 57,\"RKEY\",\r\n 58,\"TALINK\",\r\n 59,\"CDS\",\r\n 60,\"CDNSKEY\",\r\n 61,\"OPENPGPKEY\",\r\n 62,\"CSYNC\",\r\n 99,\"SPF\",\r\n 100,\"UINFO\",\r\n 101,\"UID\",\r\n 102,\"GID\",\r\n 103,\"UNSPEC\",\r\n 104,\"NID\",\r\n 105,\"L32\",\r\n 106,\"L64\",\r\n 107,\"LP\",\r\n 108,\"EUI48\",\r\n 109,\"EUI64\",\r\n 249,\"TKEY\",\r\n 250,\"TSIG\",\r\n 251,\"IXFR\",\r\n 252,\"AXFR\",\r\n 253,\"MAILB\",\r\n 254,\"MAILA\",\r\n 255,\"All\",\r\n 256,\"URI\",\r\n 257,\"CAA\",\r\n 258,\"AVC\",\r\n 259,\"DOA\",\r\n 32768,\"TA\",\r\n 32769,\"DLV\",\r\n 65535, \"Reserved\"\r\n];\r\nT\r\n| extend DnsQueryType = toint(column_ifexists(field,0))\r\n| lookup DnsQueryTypeLookup on DnsQueryType\r\n| extend DnsQueryTypeName = \r\n case (\r\n DnsQueryTypeName != \"\", DnsQueryTypeName,\r\n DnsQueryType between (65280 .. 
65534), 'Reserved for Private Use',\r\n 'Unassigned'\r\n )\r\n","parameters":"T:(*), field:string","description":"An ASIM function that sets DnsQueryType and DnsQueryTypeName based on a resource record code provided as a parameter. Codes 65280-65534 map to 'Reserved for Private Use'; codes not in the table map to 'Unassigned'.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"c6259971-9108-5987-9e17-56cf8fc1ae52","name":"_ASIM_ResolveDnsResponseCode","body":"let DnsResponseCodeLookup=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\r\n 0,'NOERROR',\r\n 1,'FORMERR',\r\n 2,'SERVFAIL',\r\n 3,'NXDOMAIN',\r\n 4,'NOTIMP',\r\n 5,'REFUSED',\r\n 6,'YXDOMAIN',\r\n 7,'YXRRSET',\r\n 8,'NXRRSET',\r\n 9,'NOTAUTH',\r\n 10,'NOTZONE',\r\n 11,'DSOTYPENI',\r\n 16,'BADVERS',\r\n 16,'BADSIG',\r\n 17,'BADKEY',\r\n 18,'BADTIME',\r\n 19,'BADMODE',\r\n 20,'BADNAME',\r\n 21,'BADALG',\r\n 22,'BADTRUNC',\r\n 23,'BADCOOKIE'\r\n];\r\nT\r\n| extend DnsResponseCode = toint(column_ifexists(field,0))\r\n| lookup DnsResponseCodeLookup on DnsResponseCode\r\n| extend DnsResponseCodeName = \r\n case (\r\n DnsResponseCodeName != \"\", DnsResponseCodeName,\r\n DnsResponseCode between (3841 .. 
4095), 'Reserved for Private Use',\r\n 'Unassigned'\r\n )","parameters":"T:(*), field:string","description":"An ASIM function that sets DnsResponseCode and DnsResponseCodeName based on an RCode provided as a parameter. Note: the lookup datatable lists RCode 16 twice (BADVERS and BADSIG); because the body joins on that key with lookup, events whose RCode is 16 may be emitted twice, which inflates counts and can double downstream alerts. Remove one of the two rows (the dynamic-table variant _ASIM_LookupDnsResponseCode keeps only BADVERS) before relying on row counts from this function. Codes 3841-4095 map to 'Reserved for Private Use'; codes not in the table map to 'Unassigned'.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"d2f30bd8-b742-50ac-b597-8e87631d5ab5","name":"_ASIM_ResolveDstFQDN","body":"T\r\n| invoke _ASIM_ResolveFQDN (field)\r\n| project-rename \r\n DstHostname = ExtractedHostname,\r\n DstDomain = Domain,\r\n DstFQDN = FQDN,\r\n DstDomainType = DomainType\r\n","parameters":"T:(*), field:string","description":"An ASIM function that sets DstHostname, DstDomain, DstDomainType and DstFQDN based on an FQDN or hostname provided as a parameter (a thin wrapper over _ASIM_ResolveFQDN that renames its output columns).","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"7deeb113-dcc0-59d7-87cb-c24333c61527","name":"_ASIM_ResolveDvcFQDN","body":"T\r\n| invoke _ASIM_ResolveFQDN (field)\r\n| project-rename \r\n DvcHostname = ExtractedHostname,\r\n DvcDomain = Domain,\r\n DvcFQDN = FQDN,\r\n DvcDomainType = DomainType\r\n","parameters":"T:(*), field:string","description":"An ASIM function that sets DvcHostname, DvcDomain, DvcDomainType and DvcFQDN based on an FQDN or hostname provided as a parameter (a thin wrapper over _ASIM_ResolveFQDN that renames its output columns).","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"73f523ef-c4c8-5d6d-8344-e4426d763242","name":"_ASIM_ResolveFQDN","body":"T\r\n| extend ExtractedHostname = column_ifexists (field,'')\r\n| extend DotSplitHostname = split(ExtractedHostname,\".\")\r\n| extend SlashSplitHostname = split(ExtractedHostname,\"\\\\\")\r\n| extend DomainType = case(\r\n array_length(SlashSplitHostname) > 1, \"Windows\",\r\n array_length(DotSplitHostname) > 1, \"FQDN\",\r\n \"\"\r\n)\r\n| extend \r\n FQDN = iif (DomainType == '', '', ExtractedHostname),\r\n Domain = case (\r\n DomainType == \"Windows\", SlashSplitHostname[0],\r\n 
DomainType == \"FQDN\", tostring(strcat_array(array_slice(DotSplitHostname, 1, -1), '.')),\r\n \"\"),\r\n ExtractedHostname = case (\r\n DomainType == \"Windows\", SlashSplitHostname[1],\r\n DomainType == \"FQDN\", DotSplitHostname[0],\r\n ExtractedHostname) \r\n| project-away DotSplitHostname, SlashSplitHostname\r\n","parameters":"T:(*), field:string","description":"An ASIM function sets Hostname, Domain, DomainType and FQDN based for an FQDN or hostname provided as a parameter.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"020f486b-2b61-5a05-ac2e-fea3e90e4611","name":"_ASIM_ResolveICMPType","body":"let NetworkIcmpTypeLookup = datatable(NetworkIcmpCode:int, NetworkIcmpType:string) [\r\n 0,\"Echo Reply\",\r\n 1,\"Unassigned\",\r\n 2,\"Unassigned\",\r\n 3,\"Destination Unreachable\",\r\n 4,\"Source Quench (Deprecated)\",\r\n 5,\"Redirect\",\r\n 6,\"Alternate Host Address (Deprecated)\",\r\n 7,\"Unassigned\",\r\n 8,\"Echo\",\r\n 9,\"Router Advertisement\",\r\n 10,\"Router Solicitation\",\r\n 11,\"Time Exceeded\",\r\n 12,\"Parameter Problem\",\r\n 13,\"Timestamp\",\r\n 14,\"Timestamp Reply\",\r\n 15,\"Information Request (Deprecated)\",\r\n 16,\"Information Reply (Deprecated)\",\r\n 17,\"Address Mask Request (Deprecated)\",\r\n 18,\"Address Mask Reply (Deprecated)\",\r\n 19,\"Reserved (for Security)\",\r\n 20,\"Reserved (for Robustness Experiment)\", \r\n 21,\"Reserved (for Robustness Experiment)\",\r\n 22,\"Reserved (for Robustness Experiment)\",\r\n 23,\"Reserved (for Robustness Experiment)\",\r\n 24,\"Reserved (for Robustness Experiment)\",\r\n 25,\"Reserved (for Robustness Experiment)\",\r\n 26,\"Reserved (for Robustness Experiment)\",\r\n 27,\"Reserved (for Robustness Experiment)\",\r\n 28,\"Reserved (for Robustness Experiment)\",\r\n 29,\"Reserved (for Robustness Experiment)\",\r\n 30,\"Traceroute (Deprecated)\",\r\n 31,\"Datagram Conversion Error (Deprecated)\",\r\n 32,\"Mobile Host 
Redirect (Deprecated)\",\r\n 33,\"IPv6 Where-Are-You (Deprecated)\",\r\n 34,\"IPv6 I-Am-Here (Deprecated)\",\r\n 35,\"Mobile Registration Request (Deprecated)\",\r\n 36,\"Mobile Registration Reply (Deprecated)\",\r\n 37,\"Domain Name Request (Deprecated)\",\r\n 38,\"Domain Name Reply (Deprecated)\",\r\n 39,\"SKIP (Deprecated)\",\r\n 40,\"Photuris\",\r\n 41,\"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\r\n 42,\"Extended Echo Request\",\r\n 43,\"Extended Echo Reply\",\r\n 253,\"RFC3692-style Experiment 1\",\r\n 254,\"RFC3692-style Experiment 2\",\r\n 255,\"Reserved\" \r\n];\r\nT\r\n| extend NetworkIcmpCode = toint(column_ifexists(field,0))\r\n| lookup NetworkIcmpTypeLookup on NetworkIcmpCode\r\n| extend NetworkIcmpType = \r\n case (\r\n NetworkIcmpType != \"\", NetworkIcmpType,\r\n 'Unassigned'\r\n )\r\n","parameters":"T:(*), field:string","description":"An ASIM function to set the NetworkIcmpType field.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"3609ce33-4573-50d6-b32b-501da4bbd9b8","name":"_ASIM_ResolveNetworkProtocol","body":"let NetworkProtocolLookup = datatable(NetworkProtocolNumber:int, NetworkProtocol:string) [\r\n 0,\"HOPOPT\",\r\n 1,\"ICMP\",\r\n 2,\"IGMP\",\r\n 3,\"GGP\",\r\n 4,\"IPv4\",\r\n 5,\"ST\",\r\n 6,\"TCP\",\r\n 7,\"CBT\",\r\n 8,\"EGP\",\r\n 9,\"IGP\",\r\n 10,\"BBN-RCC-MON\",\r\n 11,\"NVP-II\",\r\n 12,\"PUP\",\r\n 13,\"ARGUS (deprecated)\",\r\n 14,\"EMCON\",\r\n 15,\"XNET\",\r\n 16,\"CHAOS\",\r\n 17,\"UDP\",\r\n 18,\"MUX\",\r\n 19,\"DCN-MEAS\",\r\n 20,\"HMP\",\r\n 21,\"PRM\",\r\n 22,\"XNS-IDP\",\r\n 23,\"TRUNK-1\",\r\n 24,\"TRUNK-2\",\r\n 25,\"LEAF-1\",\r\n 26,\"LEAF-2\",\r\n 27,\"RDP\",\r\n 28,\"IRTP\",\r\n 29,\"ISO-TP4\",\r\n 30,\"NETBLT\",\r\n 31,\"MFE-NSP\",\r\n 32,\"MERIT-INP\",\r\n 33,\"DCCP\",\r\n 34,\"3PC\",\r\n 35,\"IDPR\",\r\n 36,\"XTP\",\r\n 37,\"DDP\",\r\n 38,\"IDPR-CMTP\",\r\n 39,\"TP++\",\r\n 40,\"IL\",\r\n 41,\"IPv6\",\r\n 
42,\"SDRP\",\r\n 43,\"IPv6-Route\",\r\n 44,\"IPv6-Frag\",\r\n 45,\"IDRP\",\r\n 46,\"RSVP\",\r\n 47,\"GRE\",\r\n 48,\"DSR\",\r\n 49,\"BNA\",\r\n 50,\"ESP\",\r\n 51,\"AH\",\r\n 52,\"I-NLSP\",\r\n 53,\"SWIPE (deprecated)\",\r\n 54,\"NARP\",\r\n 55,\"MOBILE\",\r\n 56,\"TLSP\",\r\n 57,\"SKIP\",\r\n 58,\"IPv6-ICMP\",\r\n 59,\"IPv6-NoNxt\",\r\n 60,\"IPv6-Opts\",\r\n 61,\"\",\r\n 62,\"CFTP\",\r\n 63,\"\",\r\n 64,\"SAT-EXPAK\",\r\n 65,\"KRYPTOLAN\",\r\n 66,\"RVD\",\r\n 67,\"IPPC\",\r\n 68,\"\",\r\n 69,\"SAT-MON\",\r\n 70,\"VISA\",\r\n 71,\"IPCV\",\r\n 72,\"CPNX\",\r\n 73,\"CPHB\",\r\n 74,\"WSN\",\r\n 75,\"PVP\",\r\n 76,\"BR-SAT-MON\",\r\n 77,\"SUN-ND\",\r\n 78,\"WB-MON\",\r\n 79,\"WB-EXPAK\",\r\n 80,\"ISO-IP\",\r\n 81,\"VMTP\",\r\n 82,\"SECURE-VMTP\",\r\n 83,\"VINES\",\r\n 84,\"TTP\",\r\n 84,\"IPTM\",\r\n 85,\"NSFNET-IGP\",\r\n 86,\"DGP\",\r\n 87,\"TCF\",\r\n 88,\"EIGRP\",\r\n 89,\"OSPFIGP\",\r\n 90,\"Sprite-RPC\",\r\n 91,\"LARP\",\r\n 92,\"MTP\",\r\n 93,\"AX.25\",\r\n 94,\"IPIP\",\r\n 95,\"MICP (deprecated)\",\r\n 96,\"SCC-SP\",\r\n 97,\"ETHERIP\",\r\n 98,\"ENCAP\",\r\n 99,\"\",\r\n 100,\"GMTP\",\r\n 101,\"IFMP\",\r\n 102,\"PNNI\",\r\n 103,\"PIM\",\r\n 104,\"ARIS\",\r\n 105,\"SCPS\",\r\n 106,\"QNX\",\r\n 107,\"A/N\",\r\n 108,\"IPComp\",\r\n 109,\"SNP\",\r\n 110,\"Compaq-Peer\",\r\n 111,\"IPX-in-IP\",\r\n 112,\"VRRP\",\r\n 113,\"PGM\",\r\n 114,\"\",\r\n 115,\"L2TP\",\r\n 116,\"DDX\",\r\n 117,\"IATP\",\r\n 118,\"STP\",\r\n 119,\"SRP\",\r\n 120,\"UTI\",\r\n 121,\"SMP\",\r\n 122,\"SM (deprecated)\",\r\n 123,\"PTP\",\r\n 124,\"ISIS over IPv4\",\r\n 125,\"FIRE\",\r\n 126,\"CRTP\",\r\n 127,\"CRUDP\",\r\n 128,\"SSCOPMCE\",\r\n 129,\"IPLT\",\r\n 130,\"SPS\",\r\n 131,\"PIPE\",\r\n 132,\"SCTP\",\r\n 133,\"FC\",\r\n 134,\"RSVP-E2E-IGNORE\",\r\n 135,\"Mobility Header\",\r\n 136,\"UDPLite\",\r\n 137,\"MPLS-in-IP\",\r\n 138,\"manet\",\r\n 139,\"HIP\",\r\n 140,\"Shim6\",\r\n 141,\"WESP\",\r\n 142,\"ROHC\",\r\n 143,\"Ethernet\",\r\n 253,\"\",\r\n 254,\"\",\r\n 
255,\"Reserved\"\r\n];\r\nT\r\n| extend NetworkProtocolNumber = toint(column_ifexists(field,0))\r\n| lookup NetworkProtocolLookup on NetworkProtocolNumber\r\n| extend NetworkProtocol = \r\n case (\r\n NetworkProtocol != \"\", NetworkProtocol,\r\n 'Unassigned'\r\n )\r\n","parameters":"T:(*), field:string","description":"An ASIM function to set the NetworkProtocol field.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"93c664d8-6aca-5fba-84dc-93e372845c58","name":"_ASIM_ResolveSrcFQDN","body":"T\r\n| invoke _ASIM_ResolveFQDN (field)\r\n| project-rename \r\n SrcHostname = ExtractedHostname,\r\n SrcDomain = Domain,\r\n SrcFQDN = FQDN,\r\n SrcDomainType = DomainType\r\n","parameters":"T:(*), field:string","description":"An ASIM function sets SrcHostname, SrcDomain, SrcDomainType and SrcFQDN based for an FQDN or hostname provided as a parameter.","related":{"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"0b52622c-efc0-598a-9f5b-bbb3eaa1a1b2","name":"_ASim_DhcpEvent","body":"union isfuzzy=true\r\n_ASim_DhcpEventBuiltIn(pack= pack),\r\nASim_DhcpEventSolutions(pack= pack),\r\nASim_DhcpEventCustom(pack= pack)\r\n","parameters":"pack:bool = false","description":"Dhcp event ASIM parser.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"2ba8a52f-8c63-506e-b52d-2fb281e363be","name":"_ASim_DhcpEventBuiltIn","body":"let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') \r\n| where SearchKey in ('Any', 'Exclude_ASim_DhcpEvent') \r\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') \r\n| where isnotempty(SourceSpecificParser) \r\n| summarize list = make_set(SourceSpecificParser));\r\nlet builtInDisabled = 0 != array_length(set_intersect(toscalar(DisabledParsers),dynamic(['Exclude_ASim_DhcpEventBuiltIn', 'Exclude_ASim_DhcpEvent', 'Any'])));\r\nunion 
isfuzzy=true\r\n_ASim_DhcpEvent_InfobloxBloxOneV01(disabled= (builtInDisabled or('Exclude_ASim_DhcpEvent_InfobloxBloxOne' in (DisabledParsers)))),\r\n_ASim_DhcpEvent_NativeV01(disabled= (builtInDisabled or('Exclude_ASim_DhcpEvent_Native' in (DisabledParsers)))),\r\n_Im_DhcpEvent_EmptyV02\r\n","parameters":"pack:bool = false","description":"Dhcp event ASIM built-in union parser.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"b2728627-cc75-5d63-ac2e-7948afe330a7","name":"_ASim_DhcpEvent_InfobloxBloxOneV01","body":"let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string) [ \"0\", \"Low\", \"1\", \"Low\", \"2\", \"Low\", \"3\", \"Low\", \"4\", \"Medium\", \"5\", \"Medium\", \"6\", \"Medium\", \"7\", \"High\", \"8\", \"High\", \"9\", \"High\", \"10\", \"High\" ]; let parser = (disabled:bool=false) { CommonSecurityLog | where not(disabled) and DeviceVendor == \"Infoblox\" and DeviceEventClassID has \"DHCP\" and ApplicationProtocol == \"DHCP\" | parse-kv AdditionalExtensions as (InfoBloxLifeTime:int, InfoBloxClientId:string, InfobloxHost:string, InfobloxIPSpace:string, InfobloxSubnet:string, InfobloxRangeStart:string, InfobloxRangeEnd:string, InfobloxLeaseOp:string, InfobloxClientID:string, InfobloxDUID:string, InfobloxLeaseUUID:string, InfobloxFingerprintPr:string, InfobloxFingerprint:string, InfobloxDHCPOptions:string) with (pair_delimiter=\";\", kv_delimiter=\"=\") | lookup EventSeverityLookup on LogSeverity | invoke _ASIM_ResolveSrcFQDN('SourceHostName') | invoke _ASIM_ResolveDvcFQDN('InfobloxHost') | project-rename SrcIpAddr = SourceIP, SrcMacAddr = SourceMACAddress, DhcpLeaseDuration = InfoBloxLifeTime, DhcpSrcDHCId = InfoBloxClientId, EventOriginalSeverity = LogSeverity, EventOriginalType = DeviceEventClassID, EventUid = _ItemId | extend EventEndTime = TimeGenerated, EventStartTime = TimeGenerated, EventType = iff(Activity has_any (\"Abandon\", \"Delete\"), \"Release\", 
\"Assign\"), AdditionalFields = bag_pack( \"InfobloxIPSpace\", InfobloxIPSpace, \"InfobloxSubnet\", InfobloxSubnet, \"InfobloxRangeStart\", InfobloxRangeStart, \"InfobloxRangeEnd\", InfobloxRangeEnd, \"InfobloxLeaseOp\", InfobloxLeaseOp, \"InfobloxClientID\", InfobloxClientID, \"InfobloxDUID\", InfobloxDUID, \"InfobloxLeaseUUID\", InfobloxLeaseUUID, \"InfobloxFingerprintPr\", InfobloxFingerprintPr, \"InfobloxFingerprint\", InfobloxFingerprint, \"InfobloxDHCPOptions\", InfobloxDHCPOptions ), Duration = DhcpLeaseDuration, IpAddr = SrcIpAddr | extend EventCount = toint(1), EventProduct = \"BloxOne\", EventVendor = \"Infoblox\", EventResult = \"Success\", EventSchema = \"DhcpEvent\", EventSchemaVersion = \"0.1\" | project-away Source*, Destination*, Device*, AdditionalExtensions, CommunicationDirection, EventOutcome, Protocol, SimplifiedDeviceAction, ExternalID, EndTime, FieldDevice*, Flex*, File*, Old*, MaliciousIP*, OriginalLogSeverity, Process*, ReceivedBytes, SentBytes, Remote*, Request*, StartTime, TenantId, ReportReferenceLink, ReceiptTime, Indicator*, _ResourceId, ThreatConfidence, ThreatDescription, ThreatSeverity, Computer, ApplicationProtocol, CollectorHostName, ExtID, Reason, Message, Activity, Infoblox* }; parser(disabled=disabled)","parameters":"disabled:bool = false","description":"DhcpEvent ASIM parser for Infoblox BloxOne.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"006342ba-acb0-54f9-abac-9e8d77e5cca1","name":"_ASim_DhcpEvent_NativeV01","body":"let parser = (\r\n disabled:bool = false\r\n)\r\n{\r\n ASimDhcpEventLogs\r\n | where not(disabled)\r\n | project-rename\r\n EventUid = _ItemId\r\n | extend \r\n EventSchema = \"DhcpEvent\",\r\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\r\n // -- Aliases\r\n | extend\r\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\r\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, 
EventStartTime),\r\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\r\n Rule = coalesce(RuleName, tostring(RuleNumber)),\r\n SessionId = DhcpSessionId,\r\n Duration = DhcpSessionDuration,\r\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\r\n User = SrcUsername,\r\n IpAddr = SrcIpAddr,\r\n Hostname = SrcHostname\r\n};\r\nparser (disabled = disabled)\r\n","parameters":"disabled:bool = false","description":"Dhcp Event ASIM parser for Microsoft Sentinel native Dhcp Event table.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"3912cecf-a0fd-554f-a102-a4490a0c379b","name":"_ASim_FileEvent","body":"union isfuzzy=true\r\n_ASim_FileEventBuiltIn(pack= pack),\r\nASim_FileEventSolutions(pack= pack),\r\nASim_FileEventCustom(pack= pack)\r\n","parameters":"pack:bool = false","description":"File event ASIM parser.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"dc6b50a3-d19d-519f-9ddf-71ee933244bc","name":"_ASim_FileEventBuiltIn","body":"let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') \r\n| where SearchKey in ('Any', 'Exclude_ASim_FileEvent') \r\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') \r\n| where isnotempty(SourceSpecificParser) \r\n| summarize list = make_set(SourceSpecificParser));\r\nlet builtInDisabled = 0 != array_length(set_intersect(toscalar(DisabledParsers),dynamic(['Exclude_ASim_FileEventBuiltIn', 'Exclude_ASim_FileEvent', 'Any'])));\r\nunion isfuzzy=true\r\n_ASim_FileEvent_AWSCloudTrailV01(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_AWSCloudTrail' in (DisabledParsers))), pack= pack),\r\n_ASim_FileEvent_AzureBlobStorageV01(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_AzureBlobStorage' in (DisabledParsers)))),\r\n_ASim_FileEvent_AzureFileStorageV01(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_AzureFileStorage' in 
(DisabledParsers)))),\r\n_ASim_FileEvent_AzureQueueStorageV01(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_AzureQueueStorage' in (DisabledParsers)))),\r\n_ASim_FileEvent_AzureTableStorageV01(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_AzureTableStorage' in (DisabledParsers)))),\r\n_ASim_FileEvent_GoogleWorkspaceV01(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_GoogleWorkspace' in (DisabledParsers)))),\r\n_ASim_FileEvent_LinuxSysmonFileCreatedV02(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_LinuxSysmonFileCreated' in (DisabledParsers)))),\r\n_ASim_FileEvent_LinuxSysmonFileDeletedV02(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_LinuxSysmonFileDeleted' in (DisabledParsers)))),\r\n_ASim_FileEvent_Microsoft365DV02(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_Microsoft365D' in (DisabledParsers)))),\r\n_ASim_FileEvent_MicrosoftSecurityEventsV02(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_MicrosoftSecurityEvents' in (DisabledParsers)))),\r\n_ASim_FileEvent_MicrosoftSharePointV03(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_MicrosoftSharePoint' in (DisabledParsers)))),\r\n_ASim_FileEvent_MicrosoftSysmonV05(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_MicrosoftSysmon' in (DisabledParsers)))),\r\n_ASim_FileEvent_MicrosoftSysmonWindowsEventV04(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_MicrosoftSysmonWindowsEvent' in (DisabledParsers)))),\r\n_ASim_FileEvent_MicrosoftWindowsEventsV02(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_MicrosoftWindowsEvents' in (DisabledParsers)))),\r\n_ASim_FileEvent_NativeV01(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_Native' in (DisabledParsers)))),\r\n_ASim_FileEvent_SentinelOneV01(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_SentinelOne' in (DisabledParsers)))),\r\n_ASim_FileEvent_VMwareCarbonBlackCloudV01(disabled= (builtInDisabled or('Exclude_ASim_FileEvent_VMwareCarbonBlackCloud' in 
(DisabledParsers)))),\r\n_Im_FileEvent_EmptyV02\r\n","parameters":"pack:bool = false","description":"File event ASIM built-in union parser.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"0078aa34-7c78-5df5-aae9-34584eec0e62","name":"_ASim_FileEvent_AWSCloudTrailV01","body":"let ParseS3Events = (T: (EventSource: string, EventName: string, RequestParameters: dynamic, ResponseElements: dynamic, Resources: dynamic)) {\r\n let S3EventNameLookup = datatable(EventName: string, EventType: string, EventSubType: string)\r\n [ \r\n \"CompleteMultipartUpload\", \"FileCreated\", \"Checkin\",\r\n \"CopyObject\", \"FileCopied\", \"\",\r\n \"CreateBucket\", \"FolderCreated\", \"\",\r\n \"CreateBucketMetadataConfiguration\", \"FolderModified\", \"\",\r\n \"CreateBucketMetadataTableConfiguration\", \"FolderModified\", \"\",\r\n \"CreateMultipartUpload\", \"FileCreated\", \"Checkin\",\r\n \"DeleteBucket\", \"FolderDeleted\", \"\",\r\n \"DeleteBucketAnalyticsConfiguration\", \"FolderModified\", \"\",\r\n \"DeleteBucketCors\", \"FolderModified\", \"\",\r\n \"DeleteBucketEncryption\", \"FolderModified\", \"\",\r\n \"DeleteBucketIntelligentTieringConfiguration\", \"FolderModified\", \"\",\r\n \"DeleteBucketInventoryConfiguration\", \"FolderModified\", \"\",\r\n \"DeleteBucketLifecycle\", \"FolderModified\", \"\",\r\n \"DeleteBucketMetadataConfiguration\", \"FolderModified\", \"\",\r\n \"DeleteBucketMetadataTableConfiguration\", \"FolderModified\", \"\",\r\n \"DeleteBucketMetricsConfiguration\", \"FolderModified\", \"\",\r\n \"DeleteBucketOwnershipControls\", \"FolderModified\", \"\",\r\n \"DeleteBucketPolicy\", \"FolderModified\", \"\",\r\n \"DeleteBucketReplication\", \"FolderModified\", \"\",\r\n \"DeleteBucketTagging\", \"FolderModified\", \"\",\r\n \"DeleteBucketWebsite\", \"FolderModified\", \"\",\r\n \"DeleteObject\", \"FileDeleted\", \"\",\r\n \"DeleteObjects\", \"FileDeleted\", \"\",\r\n \"DeleteObjectTagging\", 
\"FileAttributesUpdated\", \"\",\r\n \"DeletePublicAccessBlock\", \"FileAttributesUpdated\", \"\",\r\n \"GetBucketAbac\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketAccelerateConfiguration\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketAcl\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketAnalyticsConfiguration\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketCors\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketEncryption\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketIntelligentTieringConfiguration\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketInventoryConfiguration\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketLifecycle\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketLifecycleConfiguration\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketLocation\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketLogging\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketMetadataConfiguration\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketMetadataTableConfiguration\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketMetricsConfiguration\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketNotification\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketNotificationConfiguration\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketOwnershipControls\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketPolicy\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketPolicyStatus\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketReplication\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketRequestPayment\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketTagging\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketVersioning\", \"FolderAttributesAccessed\", \"\",\r\n \"GetBucketWebsite\", \"FolderAttributesAccessed\", \"\",\r\n \"GetObject\", \"FileAccessed\", \"Download\",\r\n \"GetObjectAcl\", \"FileAccessed\", \"\",\r\n \"GetObjectAttributes\", \"FileAccessed\", \"\",\r\n 
\"GetObjectLegalHold\", \"FileAccessed\", \"\",\r\n \"GetObjectLockConfiguration\", \"FileAccessed\", \"\",\r\n \"GetObjectRetention\", \"FileAccessed\", \"\",\r\n \"GetObjectTagging\", \"FileAccessed\", \"\",\r\n \"GetObjectTorrent\", \"FileAccessed\", \"\",\r\n \"GetPublicAccessBlock\", \"FolderAttributesAccessed\", \"\",\r\n \"HeadBucket\", \"FolderAttributesAccessed\", \"\",\r\n \"HeadObject\", \"FileAccessed\", \"\",\r\n \"ListBucketAnalyticsConfigurations\", \"FolderAttributesAccessed\", \"\",\r\n \"ListBucketIntelligentTieringConfigurations\", \"FolderAttributesAccessed\", \"\",\r\n \"ListBucketMetricsConfigurations\", \"FolderAttributesAccessed\", \"\",\r\n \"ListBuckets\", \"FolderAttributesAccessed\", \"\",\r\n \"ListDirectoryBuckets\", \"FolderAttributesAccessed\", \"\",\r\n \"ListObjects\", \"FileAccessed\", \"\",\r\n \"ListObjectsV2\", \"FileAccessed\", \"\",\r\n \"ListObjectVersions\", \"FileAccessed\", \"\",\r\n \"ListParts\", \"FileAccessed\", \"\",\r\n \"PutBucketAbac\", \"FolderModified\", \"\",\r\n \"PutBucketAccelerateConfiguration\", \"FolderModified\", \"\",\r\n \"PutBucketAcl\", \"FolderModified\", \"\",\r\n \"PutBucketAnalyticsConfiguration\", \"FolderModified\", \"\",\r\n \"PutBucketCors\", \"FolderModified\", \"\",\r\n \"PutBucketEncryption\", \"FolderModified\", \"\",\r\n \"PutBucketIntelligentTieringConfiguration\", \"FolderModified\", \"\",\r\n \"PutBucketInventoryConfiguration\", \"FolderModified\", \"\",\r\n \"PutBucketLifecycle\", \"FolderModified\", \"\",\r\n \"PutBucketLifecycleConfiguration\", \"FolderModified\", \"\",\r\n \"PutBucketLogging\", \"FolderModified\", \"\",\r\n \"PutBucketMetricsConfiguration\", \"FolderModified\", \"\",\r\n \"PutBucketNotification\", \"FolderModified\", \"\",\r\n \"PutBucketNotificationConfiguration\", \"FolderModified\", \"\",\r\n \"PutBucketOwnershipControls\", \"FolderModified\", \"\",\r\n \"PutBucketPolicy\", \"FolderModified\", \"\",\r\n \"PutBucketReplication\", \"FolderModified\", \"\",\r\n 
\"PutBucketRequestPayment\", \"FolderModified\", \"\",\r\n \"PutBucketTagging\", \"FolderModified\", \"\",\r\n \"PutBucketVersioning\", \"FolderModified\", \"\",\r\n \"PutBucketWebsite\", \"FolderModified\", \"\",\r\n \"PutObject\", \"FileCreated\", \"Upload\",\r\n \"PutObjectAcl\", \"FileAttributesUpdated\", \"\",\r\n \"PutObjectLegalHold\", \"FileAttributesUpdated\", \"\",\r\n \"PutObjectLockConfiguration\", \"FileAttributesUpdated\", \"\",\r\n \"PutObjectRetention\", \"FileAttributesUpdated\", \"\",\r\n \"PutObjectTagging\", \"FileAttributesUpdated\", \"\",\r\n \"PutPublicAccessBlock\", \"FolderModified\", \"\",\r\n \"RenameObject\", \"FileRenamed\", \"\",\r\n \"RestoreObject\", \"FileCreated\", \"\",\r\n \"SelectObjectContent\", \"FileAccessed\", \"\",\r\n \"UpdateBucketMetadataInventoryTableConfiguration\", \"FolderModified\", \"\",\r\n \"UpdateBucketMetadataJournalTableConfiguration\", \"FolderModified\", \"\",\r\n \"UpdateObjectEncryption\", \"FileAttributesUpdated\", \"\",\r\n \"UploadPart\", \"FileCreated\", \"Upload\",\r\n \"UploadPartCopy\", \"FileCreated\", \"Upload\"\r\n // Omitted Actions\r\n // AbortMultipartUpload\r\n // CreateSession\r\n // ListMultipartUploads\r\n // WriteGetObjectResponse\r\n ];\r\n T\r\n | where EventSource == \"s3.amazonaws.com\"\r\n | lookup S3EventNameLookup on EventName\r\n | where isnotempty(EventType)\r\n | extend EventSubType = case(\r\n EventType == \"FileDeleted\" and ResponseElements[\"x-amz-delete-marker\"] == true, \"Versions\",\r\n EventSubType\r\n )\r\n | extend\r\n TargetFileDirectory = tostring(RequestParameters.bucketName),\r\n TargetFileName = coalesce(tostring(RequestParameters.key), tostring(RequestParameters.prefix))\r\n | extend\r\n TargetFilePathType = \"Unix\",\r\n TargetFilePath = strcat(TargetFileDirectory, \"/\", TargetFileName),\r\n TargetAppType = \"Service\"\r\n | extend\r\n SrcFilePath = tostring(RequestParameters[\"x-amz-copy-source\"])\r\n // Avoids using mv-apply as it filters insteads of 
assigning null\r\n // At most, the Resources array contains two objects: Bucket and Object\r\n // Resources may contain no objects, or just one of Bucket or Object\r\n | extend AdditionalData = iff(pack, bag_pack(\r\n \"BucketARN\", coalesce(\r\n iff(Resources[0].type == \"AWS::S3::Bucket\", tostring(Resources[0].ARN), \"\"),\r\n iff(Resources[1].type == \"AWS::S3::Bucket\", tostring(Resources[1].ARN), \"\")),\r\n \"ObjectARN\", coalesce(\r\n iff(Resources[0].type == \"AWS::S3::Object\", tostring(Resources[0].ARN), \"\"),\r\n iff(Resources[1].type == \"AWS::S3::Object\", tostring(Resources[1].ARN), \"\"))\r\n ), dynamic([]))\r\n};\r\nlet parser = (disabled: bool, pack: bool) {\r\nlet SupportedEventSources = dynamic([\r\n \"s3.amazonaws.com\"\r\n]);\r\nlet EventSourceNameLookup = datatable(EventSource: string, TargetAppName: string)\r\n[\r\n \"s3.amazonaws.com\", \"Amazon S3\"\r\n];\r\nlet SupportedEvents = AWSCloudTrail\r\n | where not(disabled)\r\n | where EventSource in (SupportedEventSources)\r\n | extend RequestParameters = todynamic(RequestParameters), ResponseElements = todynamic(ResponseElements), Resources = todynamic(Resources);\r\nParseS3Events(SupportedEvents)\r\n| extend\r\n Type = \"AWSCloudTrail\",\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventSeverity = \"Informational\",\r\n EventSchema = \"FileEvent\",\r\n EventSchemaVersion = \"0.1.2\",\r\n EventVendor = \"AWS\",\r\n EventProduct = \"CloudTrail\",\r\n Dvc = \"CloudTrail\",\r\n EventResult = iff(isempty(ErrorCode) and isempty(ErrorMessage), \"Success\", \"Failure\"),\r\n EventMessage = ErrorMessage\r\n| lookup EventSourceNameLookup on EventSource\r\n| project-rename\r\n EventOriginalSubType = EventTypeName,\r\n EventOriginalType = EventName,\r\n EventUid = AwsEventId,\r\n EventOriginalResultDetails = ErrorMessage,\r\n EventProductVersion = EventVersion\r\n| project-rename\r\n ActorUserId = UserIdentityAccountId,\r\n ActorUsername = 
UserIdentityUserName,\r\n ActorOriginalUserType = UserIdentityType,\r\n HttpUserAgent = UserAgent\r\n| extend\r\n ActorUserIdType = iff(isempty(ActorUserId), \"\", \"AWSId\"),\r\n ActorUsernameType = iff(isempty(ActorUsername), \"\", \"Simple\"),\r\n SrcIpAddr = iff(ipv4_is_in_range(SourceIpAddress, \"0.0.0.0/0\"), SourceIpAddress, \"\")\r\n| extend AdditionalFields = iff(pack, bag_pack(\r\n \"ActorAccessKeyId\", UserIdentityAccessKeyId,\r\n \"AWSRegion\", AWSRegion,\r\n \"APIVersion\", APIVersion,\r\n \"ManagementEvent\", ManagementEvent,\r\n \"ReadOnly\", ReadOnly,\r\n \"RequestParameters\", RequestParameters,\r\n \"ResponseElements\", ResponseElements\r\n), dynamic([]))\r\n| extend AdditionalFields = iff(pack, bag_merge(AdditionalFields, AdditionalData), dynamic([]))\r\n// Alias\r\n| extend\r\n User = ActorUsername,\r\n IpAddr = SrcIpAddr,\r\n FileName = TargetFileName,\r\n FilePath = TargetFilePath,\r\n Application = TargetAppName\r\n| project\r\n TimeGenerated,\r\n Type,\r\n EventCount,\r\n EventStartTime,\r\n EventEndTime,\r\n EventSeverity,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventVendor,\r\n EventProduct,\r\n Dvc,\r\n EventResult,\r\n EventMessage,\r\n TargetAppName,\r\n EventOriginalSubType,\r\n EventOriginalType,\r\n EventUid,\r\n EventOriginalResultDetails,\r\n EventProductVersion,\r\n ActorUserId,\r\n ActorUsername,\r\n ActorOriginalUserType,\r\n HttpUserAgent,\r\n ActorUserIdType,\r\n ActorUsernameType,\r\n SrcIpAddr,\r\n AdditionalFields,\r\n User,\r\n IpAddr,\r\n FileName,\r\n FilePath,\r\n Application,\r\n TargetAppType,\r\n EventType,\r\n EventSubType,\r\n TargetFileDirectory,\r\n TargetFileName,\r\n TargetFilePathType,\r\n TargetFilePath,\r\n SrcFilePath\r\n};\r\nparser(disabled=disabled, pack=pack)","parameters":"disabled:bool = false, pack:bool = false","description":"FileEvent ASIM parser for AWS Cloud 
Trail.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"6891f070-90fe-572f-81cd-82858392278a","name":"_ASim_FileEvent_AzureBlobStorageV01","body":"// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\r\nlet parser=(disabled: bool=false)\r\n{\r\n let bloboperations=datatable(OperationName: string, EventType: string)\r\n[\r\n \"PutBlock\", \"FileCreated\",\r\n \"PutBlob\", \"FileCreated\",\r\n \"PutPage\", \"FileCreated\",\r\n \"CreateContainer\", \"FolderCreated\",\r\n \"CopyBlob\", \"FileCopied\",\r\n \"QueryBlobContents\", \"FileAccessed\",\r\n \"GetBlob\", \"FileAccessed\",\r\n \"AppendBlock\", \"FileModified\",\r\n \"ClearPage\", \"FileModified\",\r\n \"PutBlockFromURL\", \"FileModified\",\r\n \"DeleteBlob\", \"FileDeleted\",\r\n \"DeleteContainer\", \"FolderDeleted\"\r\n];\r\n StorageBlobLogs\r\n | where not(disabled)\r\n // **** relevant data filtering;\r\n | where OperationName in (bloboperations)\r\n //\r\n | lookup bloboperations on OperationName\r\n | project-rename \r\n EventOriginalUid = CorrelationId\r\n ,\r\n EventOriginalType=OperationName\r\n ,\r\n HttpUserAgent=UserAgentHeader\r\n ,\r\n TargetUrl=Uri\r\n | extend \r\n EventCount=int(1)\r\n ,\r\n EventStartTime=TimeGenerated\r\n ,\r\n EventEndTime=TimeGenerated\r\n //\t, EventType :string ---> see lookup below\r\n ,\r\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \r\n ,\r\n EventProduct='Azure File Storage' \r\n ,\r\n EventVendor='Microsoft'\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n TargetFilePath=tostring(split(TargetUrl, '?')[0]) \r\n ,\r\n TargetFilePathType='URL'\r\n ,\r\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\r\n ,\r\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[1])\r\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\r\n // Aliases\r\n | extend \r\n FilePath=TargetFilePath\r\n};\r\nparser (disabled = 
disabled)\r\n","parameters":"disabled:bool = false","description":"File Activity ASIM parser for Azure Blob Storage.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"d8d50a40-7f2f-546a-b7e0-5e1b645e4326","name":"_ASim_FileEvent_AzureFileStorageV01","body":"// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\r\nlet parser=(disabled:bool=false){\r\nlet fileoperations=datatable(OperationName:string, EventType:string)[\r\n\"DeleteFile\", \"FileDeleted\"\r\n, \"DeleteDirectory\", \"FolderDeleted\"\r\n, \"GetFile\", \"FileAccessed\"\r\n, \"CopyFile\", \"FileCopied\"\r\n, \"CreateFileSnapshot\", \"FileCreated\"\r\n, \"CreateDirectory\", \"FolderCreated\"\r\n, \"CreateFile\", \"FileCreated\"\r\n, \"CreateShare\", \"FolderCreated\"\r\n, \"DeleteShare\", \"FileDeleted\"\r\n, \"PutRange\", \"FileModified\"\r\n, \"CopyFileDestination\", \"FileCopied\"\r\n, \"CopyFileSource\", \"FileCopied\"\r\n];\r\nStorageFileLogs\r\n| where not(disabled)\r\n// **** relevant data filtering;\r\n| where OperationName in (fileoperations)\r\n//\r\n| extend \r\n EventCount=int(1)\r\n , EventStartTime=TimeGenerated\r\n , EventEndTime=TimeGenerated\r\n//\t, EventType :string ---> see lookup below\r\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \r\n \t, EventOriginalUid = CorrelationId\r\n , EventOriginalType=OperationName\r\n , EventProduct='Azure File Storage' \r\n , EventVendor='Microsoft'\r\n , EventSchemaVersion='0.1.0'\r\n\t, TargetFilePath=tostring(split(Uri,'?')[0]) \r\n\t, TargetFilePathType='URL'\r\n \t, TargetUrl=Uri\r\n , SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\r\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\r\n \t, HttpUserAgent=UserAgentHeader\r\n| extend TargetFileName=tostring(split(TargetFilePath,'/')[-1])\r\n| lookup fileoperations on OperationName\r\n// Aliases\r\n| extend \r\n FilePath=TargetFilePath\r\n };\r\nparser 
(disabled = disabled)\r\n","parameters":"disabled:bool = false","description":"File Activity ASIM parser for Azure File Storage.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"ed507fbd-5ed6-5691-a314-83a588b86c30","name":"_ASim_FileEvent_AzureQueueStorageV01","body":"// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\r\nlet parser=(disabled: bool=false)\r\n{\r\n let queueoperations=datatable(OperationName: string, EventType: string)\r\n[\r\n \"ClearMessages\", \"FileDeleted\"\r\n ,\r\n \"CreateQueue\", \"FileCreated\"\r\n ,\r\n \"DeleteQueue\", \"FileDeleted\"\r\n ,\r\n \"DeleteMessage\", \"FileDeleted\"\r\n ,\r\n \"GetQueue\", \"FileAccessed\"\r\n ,\r\n \"GetMessage\", \"FileAccessed\"\r\n ,\r\n \"GetMessages\", \"FileAccessed\"\r\n ,\r\n \"PeekMessage\", \"FileAccessed\"\r\n ,\r\n \"PeekMessages\", \"FileAccessed\"\r\n ,\r\n \"PutMessage\", \"FileCreated\"\r\n ,\r\n \"UpdateMessage\", \"FileModified\" \r\n];\r\n StorageQueueLogs\r\n | where not(disabled)\r\n // **** relevant data filtering;\r\n | where OperationName in (queueoperations)\r\n //\r\n | extend \r\n EventCount=int(1)\r\n ,\r\n EventStartTime=TimeGenerated\r\n ,\r\n EventEndTime=TimeGenerated\r\n //\t, EventType :string ---> see lookup below\r\n ,\r\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \r\n ,\r\n EventOriginalUid = CorrelationId\r\n ,\r\n EventOriginalType=OperationName\r\n ,\r\n EventProduct='Azure File Storage' \r\n ,\r\n EventVendor='Microsoft'\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n TargetFilePath=tostring(split(Uri, '?')[0]) \r\n ,\r\n TargetFilePathType='URL'\r\n ,\r\n TargetUrl=Uri\r\n ,\r\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\r\n ,\r\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\r\n ,\r\n HttpUserAgent=UserAgentHeader\r\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\r\n | lookup 
queueoperations on OperationName\r\n // Aliases\r\n | extend \r\n FilePath=TargetFilePath\r\n};\r\nparser (disabled = disabled)","parameters":"disabled:bool = false","description":"File Activity ASIM parser for Azure Queue Storage.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"772cfc0a-fa4a-57e9-81fa-2aea1c62c16e","name":"_ASim_FileEvent_AzureTableStorageV01","body":"// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\r\nlet parser=(disabled:bool=false){\r\nlet tableoperations=datatable(OperationName:string, EventType:string)[\r\n, \"CreateTable\", \"FileCreated\"\r\n, \"DeleteTable\", \"FileDeleted\"\r\n, \"DeleteEntity\", \"FileModified\"\r\n, \"InsertEntity\", \"FileModified\"\r\n, \"InsertOrMergeEntity\", \"FileModified\"\r\n, \"InsertOrReplaceEntity\", \"FileModified\"\r\n, \"QueryEntity\", \"FileAccessed\"\r\n, \"QueryEntities\", \"FileAccessed\"\r\n, \"QueryTable\", \"FileAccessed\"\r\n, \"QueryTables\", \"FileAccessed\"\r\n, \"UpdateEntity\", \"FileModified\"\r\n, \"MergeEntity\", \"FileModified\"\r\n ];\r\n StorageTableLogs\r\n | where not(disabled)\r\n // **** relevant data filtering;\r\n | where OperationName in (tableoperations)\r\n //\r\n | extend \r\n EventCount=int(1)\r\n , EventStartTime=TimeGenerated\r\n , EventEndTime=TimeGenerated\r\n //\t, EventType :string ---> see lookup below\r\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \r\n , EventOriginalUid = CorrelationId\r\n , EventOriginalType=OperationName\r\n , EventProduct='Azure File Storage' \r\n , EventVendor='Microsoft'\r\n , EventSchemaVersion='0.1.0'\r\n , TargetFilePath=tostring(split(Uri,'?')[0]) \r\n , TargetFilePathType='URL'\r\n , TargetUrl=Uri\r\n , SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\r\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\r\n , HttpUserAgent=UserAgentHeader\r\n | extend 
TargetFileName=tostring(split(TargetFilePath,'/')['-1'])\r\n | lookup tableoperations on OperationName\r\n // Aliases\r\n | extend \r\n FilePath=TargetFilePath\r\n };\r\n parser (disabled = disabled)","parameters":"disabled:bool = false","description":"File Activity ASIM parser for Azure Table Storage.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"c3eac87f-f4e3-5e2c-b77d-fe9811c31c72","name":"_ASim_FileEvent_GoogleWorkspaceV01","body":"let parser = (\r\n disabled: bool = false\r\n ) {\r\n let GoogleWorkspaceSchema = datatable (\r\n event_name_s: string,\r\n event_type_s: string,\r\n id_uniqueQualifier_s: string,\r\n actor_email_s: string,\r\n actor_profileId_s: string,\r\n IPAddress: string,\r\n doc_type_s: string,\r\n doc_title_s: string,\r\n originating_app_id_s: string,\r\n id_applicationName_s: string,\r\n old_value_s: string,\r\n new_value_s: string,\r\n destination_folder_title_s: string,\r\n source_folder_title_s: string,\r\n copy_type_s: string,\r\n target_user_s: string,\r\n doc_id_s: string,\r\n primary_event_b: bool,\r\n billable_b: bool,\r\n owner_s: string,\r\n owner_is_shared_drive_b: bool,\r\n is_encrypted_b: bool,\r\n visibility_s: string,\r\n shared_drive_id_s: string,\r\n destination_folder_id_s: string,\r\n source_folder_id_s: string,\r\n TimeGenerated: datetime,\r\n _ResourceId: string,\r\n Computer: string,\r\n MG: string,\r\n ManagementGroupName: string,\r\n RawData: string,\r\n SourceSystem: string,\r\n TenantId: string,\r\n _ItemId: string\r\n)[];\r\n let EventFieldsLookup = datatable (\r\n EventOriginalSubType: string,\r\n EventType: string,\r\n EventSubType: string\r\n)\r\n [\r\n \"download\", \"FileAccessed\", \"Download\",\r\n \"edit\", \"FileModified\", \"Checkin\",\r\n \"upload\", \"FileCreated\", \"Upload\",\r\n \"create\", \"FileCreated\", \"Checkin\",\r\n \"rename\", \"FileRenamed\", \"\",\r\n \"view\", \"FileAccessed\", \"Preview\",\r\n \"preview\", \"FileAccessed\", 
\"Preview\",\r\n \"copy\", \"FileCopied\", \"\",\r\n \"source_copy\", \"FileCopied\", \"\",\r\n \"delete\", \"FileDeleted\", \"\",\r\n \"trash\", \"FileDeleted\", \"Recycle\",\r\n \"move\", \"FileMoved\", \"\",\r\n \"untrash\", \"FileCreatedOrModified\", \"Checkin\",\r\n \"deny_access_request\", \"FileAccessed\", \"Preview\",\r\n \"expire_access_request\", \"FileAccessed\", \"Preview\",\r\n \"request_access\", \"FileAccessed\", \"Preview\",\r\n \"add_to_folder\", \"FileCreated\", \"Checkin\",\r\n \"approval_canceled\", \"FileAccessed\", \"\",\r\n \"approval_comment_added\", \"FileAccessed\", \"\",\r\n \"approval_completed\", \"FileAccessed\", \"Preview\",\r\n \"approval_decisions_reset\", \"FileAccessed\", \"\",\r\n \"approval_due_time_change\", \"FileAccessed\", \"\",\r\n \"approval_requested\", \"FileAccessed\", \"Preview\",\r\n \"approval_reviewer_change\", \"FileAccessed\", \"\",\r\n \"approval_reviewer_responded\", \"FileAccessed\", \"\",\r\n \"create_comment\", \"FileModified\", \"Checkin\",\r\n \"delete_comment\", \"FileModified\", \"Checkin\",\r\n \"edit_comment\", \"FileModified\", \"Checkin\",\r\n \"reassign_comment\", \"FileModified\", \"Checkin\",\r\n \"reopen_comment\", \"FileModified\", \"Checkin\",\r\n \"resolve_comment\", \"FileModified\", \"Checkin\",\r\n \"add_lock\", \"FileModified\", \"\",\r\n \"print\", \"FileAccessed\", \"Print\",\r\n \"remove_from_folder\", \"FileDeleted\", \"\",\r\n \"remove_lock\", \"FileModified\", \"\",\r\n];\r\n let SupportedEventNames = EventFieldsLookup\r\n | project EventOriginalSubType;\r\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_drive_CL\r\n | where not(disabled)\r\n | where event_name_s in (SupportedEventNames)\r\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\r\n | project-rename \r\n EventOriginalUid = id_uniqueQualifier_s,\r\n ActorUsername = actor_email_s,\r\n ActorUserId = actor_profileId_s,\r\n SrcIpAddr = IPAddress,\r\n TargetFileMimeType = 
doc_type_s,\r\n TargetFilePath = doc_title_s,\r\n ActingAppId = originating_app_id_s,\r\n EventOriginalType=event_type_s\r\n | extend\r\n TargetAppName = iif(id_applicationName_s == 'drive', \"Google Workspace - Drive\", \"\"),\r\n TargetAppType = iif(id_applicationName_s == 'drive', \"SaaS application\", \"\"),\r\n ActorUserIdType = iif(isnotempty(ActorUserId), \"GWorkspaceProfileID\", \"\"),\r\n SrcFilePath = iif(event_name_s has_any ('rename', 'copy', 'source_copy'), old_value_s, \"\"),\r\n TargetFilePath = iif(event_name_s has ('source_copy'), new_value_s, TargetFilePath),\r\n TargetFileDirectory = iif(event_name_s has_any ('move'), destination_folder_title_s, \"\"),\r\n SrcFileDirectory = iif(event_name_s has_any ('move'), source_folder_title_s, \"\"),\r\n EventType = case(\r\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\r\n \"FolderCreated\",\r\n TargetFileMimeType == \"folder\" and event_name_s == \"rename\",\r\n \"FolderModified\",\r\n TargetFileMimeType == \"folder\" and event_name_s == \"delete\",\r\n \"FolderDeleted\",\r\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\r\n \"FolderDeleted\",\r\n TargetFileMimeType == \"folder\" and event_name_s == \"move\",\r\n \"FolderMoved\",\r\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\r\n \"FolderCreated\",\r\n EventType\r\n ),\r\n EventSubType = case(\r\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\r\n \"\",\r\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\r\n \"\",\r\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\r\n \"\",\r\n EventSubType\r\n ),\r\n EventMessage = case(\r\n event_name_s == 'download',\r\n strcat(ActorUsername, \" deleted an item\"),\r\n event_name_s == 'edit',\r\n strcat(ActorUsername, \" edited an item\"),\r\n event_name_s == 'upload',\r\n strcat(ActorUsername, \" uploaded an item\"),\r\n event_name_s == 'create',\r\n strcat(ActorUsername, \" created an item\"),\r\n 
event_name_s == 'rename',\r\n strcat(ActorUsername, \" renamed \", old_value_s, \" to \", TargetFilePath),\r\n event_name_s == 'view',\r\n strcat(ActorUsername, \" viewed an item\"),\r\n event_name_s == 'preview',\r\n strcat(ActorUsername, \" previewed an item\"),\r\n event_name_s == 'copy',\r\n strcat(ActorUsername, \" created a copy of original document \", old_value_s),\r\n event_name_s == 'delete',\r\n strcat(ActorUsername, \" deleted an item\"),\r\n event_name_s == 'trash',\r\n strcat(ActorUsername, \" trashed an item\"),\r\n event_name_s == 'move',\r\n strcat(ActorUsername, \" moved an item from \", source_folder_title_s, \" to \", destination_folder_title_s),\r\n event_name_s == 'untrash',\r\n strcat(ActorUsername, \" restored an item\"),\r\n event_name_s == 'source_copy',\r\n strcat(ActorUsername, \" copied this item, creating a new item \", copy_type_s, \" your organication \", new_value_s),\r\n event_name_s == 'deny_access_request',\r\n strcat(ActorUsername, \" denied an access request for \", target_user_s),\r\n event_name_s == 'expire_access_request',\r\n strcat(\"An access request for \", target_user_s, \" expired \"),\r\n event_name_s == 'request_access',\r\n strcat(ActorUsername, \" requested access to an item for \", target_user_s),\r\n event_name_s == 'add_to_folder',\r\n strcat(ActorUsername, \" added an item to \", destination_folder_title_s),\r\n event_name_s == 'approval_canceled',\r\n strcat(ActorUsername, \" canceled an approval on an item\"),\r\n event_name_s == 'approval_comment_added',\r\n strcat(ActorUsername, \" added a comment on an approval on an item\"),\r\n event_name_s == 'approval_completed',\r\n \"An approval was completed\",\r\n event_name_s == 'approval_decisions_reset',\r\n \"Approval decisions were reset\",\r\n event_name_s == 'approval_due_time_change',\r\n strcat(ActorUsername, \" requested a due time change on an approval\"),\r\n event_name_s == 'approval_requested',\r\n strcat(ActorUsername, \" requested approval on an 
item\"),\r\n event_name_s == 'approval_reviewer_change',\r\n strcat(ActorUsername, \" requested a reviewer change on an approval\"),\r\n event_name_s == 'approval_reviewer_responded',\r\n strcat(ActorUsername, \" reviewed an approval on an item\"),\r\n event_name_s == 'create_comment',\r\n strcat(ActorUsername, \" created a comment\"),\r\n event_name_s == 'delete_comment',\r\n strcat(ActorUsername, \" deleted a comment\"),\r\n event_name_s == 'edit_comment',\r\n strcat(ActorUsername, \" edited a comment\"),\r\n event_name_s == 'reassign_comment',\r\n strcat(ActorUsername, \" reassigned a comment\"),\r\n event_name_s == 'reopen_comment',\r\n strcat(ActorUsername, \" reopened a comment\"),\r\n event_name_s == 'resolve_comment',\r\n strcat(ActorUsername, \" resolved a comment\"),\r\n event_name_s == 'add_lock',\r\n strcat(ActorUsername, \" locked an item\"),\r\n event_name_s == 'print',\r\n strcat(ActorUsername, \" printed an item\"),\r\n event_name_s == 'remove_from_folder',\r\n strcat(ActorUsername, \" removed an item from from \", source_folder_title_s),\r\n event_name_s == 'remove_lock',\r\n strcat(ActorUsername, \" unlocked an item\"),\r\n \"\"\r\n ),\r\n AdditionalFields = bag_pack(\r\n \"Doc_Id\",\r\n doc_id_s,\r\n \"Primary_Event\",\r\n primary_event_b,\r\n \"Billable\",\r\n billable_b,\r\n \"Owner\",\r\n owner_s,\r\n \"Owner_Is_Shared_Drive\",\r\n owner_is_shared_drive_b,\r\n \"Is_Encrypted\",\r\n is_encrypted_b,\r\n \"Visibility\",\r\n visibility_s,\r\n \"Copy_Type\",\r\n copy_type_s,\r\n \"Shared_Drive_Id\",\r\n shared_drive_id_s,\r\n \"Destination_Folder_Id\",\r\n destination_folder_id_s,\r\n \"Source_Folder_Id\",\r\n source_folder_id_s\r\n )\r\n | extend\r\n EventOriginalSubType = event_name_s,\r\n Application = TargetAppName,\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n TargetFileName=TargetFilePath,\r\n FilePath = TargetFilePath,\r\n TargetFilePathType = iif(isnotempty(TargetFilePath), 
\"FileNameOnly\", \"\"),\r\n SrcFilePathType = iif(isnotempty(SrcFilePath), \"FileNameOnly\", \"\"),\r\n FileName = TargetFilePath,\r\n SrcFileName = SrcFilePath,\r\n User = ActorUsername,\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventProduct = \"Workspace\",\r\n EventVendor = \"Google\",\r\n EventResult = \"Success\",\r\n EventSchemaVersion = \"0.2.1\",\r\n EventSchema = \"FileEvent\",\r\n EventUid = _ItemId,\r\n Dvc = \"Workspace\"\r\n | project-away \r\n *_s,\r\n *_b,\r\n _ResourceId,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId\r\n};\r\nparser (disabled = disabled)\r\n","parameters":"disabled:bool = false","description":"File events ASIM parser for Google Workspace.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"6698263a-5e7c-5d52-8b59-2b2100e45954","name":"_ASim_FileEvent_LinuxSysmonFileCreatedV02","body":"let parser = (\r\n disabled: bool=false\r\n)\r\n{\r\nSyslog\r\n| where not(disabled)\r\n| where SyslogMessage has_all ('11')\r\n| parse SyslogMessage with *\r\n ''msgEventRecordID:string''\r\n *\r\n //''msgComputer:string''\r\n ''\r\n * \r\n ''msgProcessGuid:string''\r\n ''msgProcessId:string''\r\n ''msgImage:string''\r\n ''msgTargetFileName:string''\r\n ''msgCreationUtcTime:datetime''*\r\n| parse SyslogMessage with *''ActorUsername ''*\r\n| extend\r\n EventCount=int(1)\r\n , EventStartTime =TimeGenerated \r\n , EventEndTime=TimeGenerated\r\n , EventType = 'FileCreated'\r\n , EventResult ='Success'\r\n , EventOriginalType ='11' \r\n , EventProduct='Sysmon for Linux'\r\n , EventProductVersion='v13.22'\r\n , EventVendor ='Microsoft'\r\n , EventSchemaVersion ='0.1.0'\r\n , DvcOs = 'Linux'\r\n , TargetFilePathType='Unix'\r\n , ActorUserType = iff(isnotempty(ActorUsername),'Simple', '') // make sure user type is okay\r\n| project-rename\r\n DvcHostname=Computer\r\n , EventOriginalUid=msgEventRecordID\r\n , 
ActingProcessName =msgImage\r\n , ActingProcessId=msgProcessId\r\n , ActingProcessGuid=msgProcessGuid\r\n , TargetFilePath =msgTargetFileName\r\n , TargetFileCreationTime =msgCreationUtcTime\r\n // ------ Alias\r\n| extend\r\n Process=ActingProcessName\r\n , FilePath=TargetFilePath\r\n , Dvc = DvcHostname\r\n , User = ActorUsername\r\n| project-away SyslogMessage\r\n};\r\nparser (disabled = disabled)\r\n","parameters":"disabled:bool = false","description":"File create Activity ASIM parser for Sysmon for Linux.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"16c6a3b1-24d5-509c-a568-3dda0deda604","name":"_ASim_FileEvent_LinuxSysmonFileDeletedV02","body":"let parser = (\r\n disabled: bool=false\r\n ) {\r\n Syslog\r\n | where not(disabled)\r\n | where SyslogMessage has ('23', '26')\t\r\n | parse SyslogMessage with \r\n ''msgEventId: string''\r\n *\r\n ''msgEventRecordID: string''\r\n *\r\n ''msgComputer: string''\r\n ''\r\n *\r\n '{'msgProcessGuid: string'}'\r\n ''msgProcessId: string''\r\n ''msgUser: string''\r\n ''msgImage: string''\r\n ''msgTargetFilename: string''\r\n ''msgHashes: string'' *\t\r\n | extend\r\n EventCount=int(1)\r\n ,\r\n EventStartTime =TimeGenerated\r\n ,\r\n EventEndTime=TimeGenerated\r\n ,\r\n EventType = 'FileDeleted'\r\n ,\r\n EventResult ='Success' \r\n ,\r\n EventProduct='Sysmon for Linux'\r\n ,\r\n EventProductVersion='v13.22' \r\n ,\r\n EventVendor ='Microsoft'\r\n ,\r\n EventSchemaVersion ='0.1.0'\r\n ,\r\n DvcOs = 'Linux'\r\n ,\r\n TargetFilePathType='Unix'\r\n ,\r\n ActorUsernameType='Simple'\r\n | project-rename\r\n DvcHostname=Computer\r\n ,\r\n EventOriginalUid=msgEventRecordID\r\n ,\r\n EventOriginalType =msgEventId \r\n ,\r\n ActorUsername=msgUser\r\n ,\r\n ActingProcessName =msgImage\r\n ,\r\n ActingProcessId=msgProcessId\r\n ,\r\n ActingProcessGuid=msgProcessGuid\r\n ,\r\n TargetFilePath =msgTargetFilename\r\n // ------ Alias\r\n | extend\r\n 
Process=ActingProcessName\r\n ,\r\n FilePath=TargetFilePath\r\n ,\r\n Dvc =DvcHostname\r\n ,\r\n User=ActorUsername\r\n | project-away SyslogMessage\r\n};\r\nparser (disabled = disabled)\r\n","parameters":"disabled:bool = false","description":"File delete activity ASIM parser for Sysmon for Linux.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"5ed013bc-6070-5d6a-ace5-30b451f75b8b","name":"_ASim_FileEvent_Microsoft365DV02","body":"let protocols = dynamic(['smb']);\r\nlet parser=(disabled:bool=false){\r\n let remote_events = \r\n DeviceFileEvents\r\n | where not(disabled)\r\n | where isnotempty(RequestAccountName)\r\n | project-rename \r\n SrcIpAddr = RequestSourceIP,\r\n ActorUserSid = RequestAccountSid,\r\n TargetUserSid = InitiatingProcessAccountSid,\r\n TargetUserAadId = InitiatingProcessAccountObjectId,\r\n TargetUserUpn = InitiatingProcessAccountUpn\r\n | extend\r\n ActorWindowsUsername = strcat(RequestAccountDomain,'\\\\', RequestAccountName),\r\n TargetWindowsUsername = strcat(InitiatingProcessAccountDomain,'\\\\', InitiatingProcessAccountName),\r\n ActorUserUpn = \"\",\r\n ActorUserAadId = \"\"\r\n | extend\r\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid),\r\n TargetUserType = _ASIM_GetWindowsUserType(TargetWindowsUsername, TargetUserSid)\r\n | extend\r\n SrcPortNumber = toint(RequestSourcePort),\r\n TargetUsername = coalesce(TargetUserUpn, TargetWindowsUsername),\r\n TargetUsernameType = iff(isempty(TargetUserUpn), 'Windows', 'UPN'),\r\n TargetUserId = coalesce(TargetUserAadId, TargetUserSid), \r\n TargetUserIdType = iff(isempty(TargetUserSid),'AADID','SID'),\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr\r\n ;\r\n let local_events = \r\n DeviceFileEvents\r\n | where not(disabled)\r\n | where isempty(RequestAccountName) \r\n | project-rename\r\n ActorUserSid = InitiatingProcessAccountSid,\r\n ActorUserAadId = InitiatingProcessAccountObjectId,\r\n ActorUserUpn = 
InitiatingProcessAccountUpn\r\n | extend \r\n ActorWindowsUsername = strcat(InitiatingProcessAccountDomain,'\\\\', InitiatingProcessAccountName) \r\n | extend\r\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid)\r\n | project-away RequestAccountSid, RequestSourceIP\r\n ;\r\n union \r\n remote_events\r\n , \r\n local_events\r\n | project-rename\r\n EventType = ActionType,\r\n DvcId = DeviceId,\r\n TargetFileMD5 = MD5,\r\n TargetFileSHA1 = SHA1,\r\n TargetFileSHA256 = SHA256,\r\n ActingProcessCommandLine = InitiatingProcessCommandLine,\r\n ActingProcessName =InitiatingProcessFolderPath,\r\n ActingProcessMD5 = InitiatingProcessMD5,\r\n ActingProcessSHA1 = InitiatingProcessSHA1,\r\n ActingProcessSHA256 = InitiatingProcessSHA256,\r\n ActingProcessParentFileName = InitiatingProcessParentFileName,\r\n ActingProcessCreationTime = InitiatingProcessCreationTime,\r\n ActingProcessParentCreationTime = InitiatingProcessParentCreationTime,\r\n TargetFileName = FileName,\r\n SrcFileName = PreviousFileName\r\n | extend\r\n DvcOs = iff(FolderPath startswith \"/\", \"Linux\", \"Windows\"),\r\n TargetFileSize = tolong(FileSize)\r\n | extend\r\n EventCount = int(1),\r\n EventOriginalUid = tostring(ReportId),\r\n ActingProcessId = tostring(InitiatingProcessId),\r\n EventStartTime = Timestamp, \r\n EventEndTime= Timestamp,\r\n EventResult = 'Success',\r\n EventProduct = 'M365 Defender for Endpoint',\r\n EventSchema = 'FileEvent',\r\n EventVendor = 'Microsoft',\r\n EventSeverity = 'Informational',\r\n EventSchemaVersion = '0.2.1',\r\n DvcIdType = \"MDEid\",\r\n ActorUsername = coalesce(ActorUserUpn, ActorWindowsUsername),\r\n ActorUsernameType = iff(isempty(ActorUserUpn), 'Windows', 'UPN'),\r\n ActorUserId = coalesce(ActorUserAadId, ActorUserSid), \r\n ActorUserIdType = iff(isempty(ActorUserSid),'AADID','SID'),\r\n TargetFilePath = strcat(FolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), TargetFileName),\r\n TargetFilePathType = iff(DvcOs == \"Linux\", 
\"Unix\", \"Windows Local\"),\r\n SrcFilePath = strcat(PreviousFolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), SrcFileName),\r\n SrcFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows Local\"),\r\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5),\r\n NetworkApplicationProtocol = iff (RequestProtocol in (protocols), toupper(RequestProtocol), \"\")\r\n | invoke _ASIM_ResolveDvcFQDN ('DeviceName')\r\n | project-away DeviceName\r\n | extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5),Hash)]) \r\n // ****** Aliases\r\n | extend \r\n User = ActorUsername,\r\n Dvc = coalesce(DvcFQDN, DvcHostname),\r\n FilePath = TargetFilePath,\r\n Process = ActingProcessName,\r\n CommandLine = ActingProcessCommandLine,\r\n DvcMDEid = DvcId,\r\n FileName = TargetFileName\r\n | project-away MachineGroup, ReportId, SourceSystem, Initiating*, Timestamp, TenantId, Request*, PreviousFolderPath, FolderPath, AppGuardContainerId\r\n | project-away ShareName, IsAzureInfoProtectionApplied, FileOrigin*, Sensitivity*\r\n };\r\n parser (disabled = disabled)","parameters":"disabled:bool = false","description":"File Event ASIM parser for Microsoft 365 Defender for Endpoint.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"62ef56d4-509c-5f92-a5e4-264b93c6fff2","name":"_ASim_FileEvent_MicrosoftSecurityEventsV02","body":"let Parser=(disabled:bool=false)\r\n{\r\nlet EventTypeLookup = datatable (AccessMask:string,EventType:string)\r\n[\r\n \"0x1\", \"ObjectAccessed\"\r\n , \"0x10\", \"MetadataModified\"\r\n , \"0x100\", \"MetadataModified\"\r\n , \"0x10000\", \"ObjectDeleted\"\r\n , \"0x2\", \"ObjectModified\"\r\n , \"0x20000\", \"MetadataAccessed\"\r\n , \"0x4\", \"ObjectModified\"\r\n , \"0x40\", \"ObjectDeleted\"\r\n , \"0x40000\", \"MetadataModified\"\r\n , \"0x6\", \"ObjectModified\"\r\n , \"0x8\", 
\"MetadataAccessed\"\r\n , \"0x80\", \"MetadataAccessed\"\r\n , \"0x80000\", \"MetadataModified\"\r\n];\r\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\r\n[\r\n 'User', 'Regular',\r\n 'Machine', 'Machine'\r\n]; \r\nlet KnownSIDs = datatable (sid:string, username:string, type:string)\r\n[\r\n 'S-1-5-18', 'Local System', 'Simple',\r\n 'S-1-0-0', 'Nobody', 'Simple'\r\n];\r\nSecurityEvent\r\n| where not(disabled)\r\n| where EventID == 4663 \r\n and ObjectType == \"File\"\r\n and ObjectName !startswith @\"\\Device\\\"\r\n| project TimeGenerated, EventID, AccessMask, ProcessName, SubjectUserSid, AccountType, Computer, ObjectName, ProcessId, SubjectUserName, SubjectAccount, SubjectLogonId, HandleId,Type\r\n| lookup EventTypeLookup on AccessMask\r\n| lookup UserTypeLookup on AccountType\r\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\r\n| extend ActingProcessName = ProcessName\r\n , ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\r\n , ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\r\n , EventStartTime = TimeGenerated\r\n , EventEndTime = TimeGenerated\r\n , TargetFilePath = ObjectName\r\n , TargetFilePathFormat = \"Windows Local\"\r\n , ActingProcessId = tostring(toint(ProcessId))\r\n , EventOriginalType = tostring(EventID)\r\n , ActorUserIdType=\"SID\"\r\n , TargetFilePathType=\"Windows Local\"\r\n| project-away EventID, ProcessId, AccountType, username\r\n| project-rename ActorUserId = SubjectUserSid\r\n , DvcHostname = Computer\r\n , Process = ProcessName\r\n , FilePath = ObjectName\r\n , ActorSessionId = SubjectLogonId\r\n , FileSessionId = HandleId\r\n| extend EventSchema = \"FileEvent\"\r\n , EventSchemaVersion = \"0.1.1\"\r\n , EventResult = \"Success\"\r\n , EventCount = int(1)\r\n , EventVendor = 'Microsoft'\r\n , EventProduct = 'Security Events'\r\n , Dvc = DvcHostname\r\n , ActorWindowsUsername = ActorUsername\r\n , User = ActorUsername\r\n , ActorUserSid = ActorUserId\r\n | 
project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\r\n};\r\nParser (disabled = disabled)","parameters":"disabled:bool = false","description":"File Event ASIM parser for Microsoft Windows Events.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"6bb41b84-2964-571b-a653-0f5039c50af8","name":"_ASim_FileEvent_MicrosoftSharePointV03","body":"let _ASIM_ResolveActorUsername = (T:(*), UsernameField: string) { \r\n T\r\n | extend ActorUsername = column_ifexists(UsernameField,\"\")\r\n | extend windows = ActorUsername has '\\\\'\r\n | extend \r\n ActorUsernameType = iff (windows, \"Windows\", \"UPN\"),\r\n ActorUserUpn = iff (windows, \"\", ActorUsername),\r\n ActorWindowsUsername = iff (windows, ActorUsername, \"\")\r\n};\r\n let operations = datatable (Operation:string, EventType:string, EventSubType:string) [\r\n \"FileUploaded\", \"FileCreated\", \"Upload\",\r\n \"FileAccessedExtended\", \"FileAccessed\", \"Extended\",\r\n \"FileRecycled\", \"FileDeleted\", \"Recycle\",\r\n \"FileDeleted\", \"FileDeleted\", \"\",\r\n \"FileAccessed\", \"FileAccessed\", \"\",\r\n \"FolderCreated\", \"FolderCreated\", \"\",\r\n \"FilePreviewed\", \"FileAccessed\", \"Preview\",\r\n \"FileDownloaded\", \"FileAccessed\", \"Download\",\r\n \"FileSyncDownloadedFull\", \"FileAccessed\", \"Download\",\r\n \"FolderModified\", \"FolderModified\", \"\",\r\n \"FileModifiedExtended\", \"FolderModified\", \"Extended\",\r\n \"FileModified\", \"FolderModified\", \"\",\r\n \"FileVersionsAllDeleted\", \"FolderDeleted\", \"Versions\",\r\n \"FileSyncUploadedFull\", \"FileCreated\", \"Upload\",\r\n \"FileSensitivityLabelApplied\", \"FileAttributesUpdated\", \"\",\r\n \"FileSensitivityLabelChanged\", \"FileAttributesUpdated\", \"\",\r\n \"FileSensitivityLabelRemoved\", \"FileAttributesUpdated\", \"\",\r\n \"SiteDeleted\", \"FolderDeleted\", \"Site\",\r\n \"FileRenamed\", 
\"FileRenamed\", \"\",\r\n \"FileMoved\", \"FileMoved\", \"\",\r\n \"FileCopied\", \"FileCopied\", \"\",\r\n \"FolderCopied\", \"FolderCopied\", \"\",\r\n \"FolderMoved\", \"FolderMoved\", \"\",\r\n \"FolderRenamed\", \"FolderRenamed\", \"\",\r\n \"FolderRecycled\", \"FolderDeleted\", \"Recycle\",\r\n \"FolderDeleted\", \"FolderDeleted\", \"\",\r\n \"FileCheckedIn\", \"FileCreatedOrModified\", \"Checkin\",\r\n \"FileCheckedOut\", \"FileAccessed\", \"Checkout\"\r\n ];\r\n let multiple_file_operations = dynamic([\r\n \"FileRenamed\",\r\n \"FileMoved\",\r\n \"FileCopied\",\r\n \"FolderCopied\",\r\n \"FolderMoved\",\r\n \"FolderRenamed\"\r\n ]);\r\n let parser=(disabled:bool=false){\r\n let OfficeActivityProjected = \r\n OfficeActivity\r\n | where not(disabled)\r\n | where RecordType == \"SharePointFileOperation\" and Operation != \"FileMalwareDetected\"\r\n | project Operation, OrganizationId, OrganizationName, SourceRecordId, OfficeWorkload, UserId, ClientIP, UserAgent, Start_Time, TimeGenerated, Type, OfficeObjectId, SourceFileName, SourceFileExtension, DestinationFileName, DestinationFileExtension, Site_Url, DestinationRelativeUrl, UserKey, MachineDomainInfo, MachineId; // ,_ItemId \r\n let SingleFileOperationEvents = \r\n OfficeActivityProjected\r\n | where Operation !in (multiple_file_operations)\r\n | project-rename \r\n TargetFilePath = OfficeObjectId,\r\n TargetFileName = SourceFileName,\r\n TargetFileExtension = SourceFileExtension\r\n | extend \r\n TargetFilePathType = \"URL\"\r\n | project-away DestinationFileName, DestinationFileExtension, DestinationRelativeUrl\r\n ;\r\n // single in dest: SiteDeleted\r\n let MultipleFileOperationsEvents = \r\n OfficeActivityProjected\r\n | where Operation in (multiple_file_operations)\r\n | project-rename \r\n SrcFilePath = OfficeObjectId,\r\n TargetFileName = DestinationFileName,\r\n TargetFileExtension = DestinationFileExtension,\r\n SrcFileName = SourceFileName,\r\n SrcFileExtension = SourceFileExtension\r\n | extend 
 \r\n TargetFilePath = strcat (Site_Url, DestinationRelativeUrl, \"/\", TargetFileName),\r\n TargetFilePathType = \"URL\",\r\n SrcFilePathType = \"URL\"\r\n | project-away DestinationRelativeUrl\r\n ;\r\n union SingleFileOperationEvents, MultipleFileOperationsEvents\r\n | lookup operations on Operation\r\n | invoke _ASIM_ResolveActorUsername('UserId')\r\n | project-away UserId\r\n | project-rename \r\n EventOriginalType = Operation,\r\n ActorScopeId = OrganizationId,\r\n ActorScope = OrganizationName,\r\n EventOriginalUid = SourceRecordId,\r\n EventProduct = OfficeWorkload,\r\n ActorUserId = UserKey,\r\n HttpUserAgent = UserAgent,\r\n SrcIpAddr = ClientIP,\r\n EventStartTime = Start_Time,\r\n // EventUid = _ItemId,\r\n TargetUrl = Site_Url,\r\n SrcDvcId = MachineId,\r\n SrcDvcScopeId = MachineDomainInfo\r\n | extend\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated, \r\n EventEndTime = TimeGenerated,\r\n EventResult = \"Success\",\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.2.1',\r\n EventSchema = \"FileEvent\",\r\n ActorUserIdType = 'Other',\r\n SrcDvcIdType = 'Other',\r\n TargetAppName = EventProduct,\r\n TargetAppType = 'SaaS application',\r\n Dvc = strcat ('Microsoft ', EventProduct)\r\n // Aliases\r\n | extend \r\n User = ActorUsername,\r\n FilePath = TargetFilePath,\r\n FileName = TargetFileName,\r\n Src = SrcIpAddr,\r\n IpAddr = SrcIpAddr,\r\n Url = TargetUrl,\r\n Dvc = EventProduct,\r\n Application = EventProduct\r\n};\r\nparser (disabled=disabled)","parameters":"disabled:bool = false","description":"File Activity ASIM parser for SharePoint and OneDrive for Business.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"5121531d-7e18-56eb-ab30-77af4fefd829","name":"_ASim_FileEvent_MicrosoftSysmonV04","body":"let parser = (disabled:bool=false) {\r\n // -- Event parser\r\n let EventParser = () {\r\n Event\r\n | where not(disabled)\r\n | project EventID, EventData, Computer, 
TimeGenerated, _ResourceId, _SubscriptionId, Source, Type // , _ItemId \r\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (11,23,26)\r\n | project-away Source\r\n | parse-kv EventData as (\r\n RuleName:string,\r\n UtcTime:datetime, \r\n ProcessGuid:string,\r\n ProcessId:string,\r\n Image:string,\r\n User:string,\r\n TargetFilename:string,\r\n Hashes:string,\r\n CreationUtcTime:datetime\r\n )\r\n with (regex=@'{?([^')\r\n | project-rename \r\n ActingProcessGuid = ProcessGuid,\r\n ActingProcessId = ProcessId,\r\n ActorUsername = User,\r\n ActingProcessName = Image,\r\n TargetFileCreationTime=CreationUtcTime,\r\n TargetFilePath=TargetFilename,\r\n EventStartTime=UtcTime\r\n | project-away EventData\r\n };\r\n //\r\n // -- WindowsEvent parser\r\n let WindowsEventParser=(){\r\n WindowsEvent \r\n | where not(disabled)\r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type // , _ItemId \r\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (11,23,26)\r\n | project-away Provider\r\n | extend \r\n TargetFileCreationTime=todatetime(EventData.CreationUtcTime),\r\n TargetFilePath=tostring(EventData.TargetFilename),\r\n ActingProcessName = tostring(EventData.Image),\r\n ActingProcessId = tostring(EventData.ProcessId),\r\n ActingProcessGuid = tostring(EventData.ProcessGuid),\r\n ActorUsername = tostring(EventData.User),\r\n EventStartTime = todatetime(EventData.UtcTime),\r\n RuleName = tostring(EventData.RuleName),\r\n Hashes = tostring(EventData.Hashes)\r\n | parse ActingProcessGuid with \"{\" ActingProcessGuid \"}\"\r\n | project-away EventData\r\n };\r\n union isfuzzy=true \r\n WindowsEventParser,\r\n EventParser \r\n | project-rename\r\n DvcHostname = Computer,\r\n //EventUid = _ItemId,\r\n DvcScopeId = _SubscriptionId,\r\n DvcId = _ResourceId\r\n | extend\r\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\r\n EventProduct = 'Sysmon',\r\n EventVendor = 'Microsoft',\r\n EventSchema = 
'FileEvent',\r\n EventSchemaVersion = '0.2.1',\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n DvcOs='Windows',\r\n TargetFilePathType = 'Windows',\r\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\r\n EventCount = int(1),\r\n EventEndTime = EventStartTime,\r\n EventOriginalType = tostring(EventID),\r\n TargetFileName = tostring(split(TargetFilePath,'\\\\')[-1]),\r\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\r\n RuleName = iff (RuleName == \"-\", \"\", RuleName)\r\n | parse-kv Hashes as (\r\n MD5:string,\r\n SHA1:string,\r\n IMPHASH:string,\r\n SHA256:string\r\n )\r\n | project-rename\r\n TargetFileMD5 = MD5,\r\n TargetFileSHA1 = SHA1,\r\n TargetFileIMPHASH = IMPHASH,\r\n TargetFileSHA256 = SHA256\r\n | extend\r\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\r\n | extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5,TargetFileIMPHASH),Hash)])\r\n // -- Typed entity identifiers\r\n | extend\r\n ActorWindowsUsername = ActorUsername\r\n // -- Aliases\r\n | extend\r\n Process = ActingProcessName,\r\n Dvc = DvcHostname,\r\n FilePath = TargetFilePath,\r\n FileName = TargetFileName,\r\n User = ActorUsername\r\n | project-away EventID, Hashes\r\n };\r\n parser(disabled=disabled) ","parameters":"disabled:bool = false","description":"File event ASIM parser for Windows Sysmon.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"8814d910-64c1-565b-aa6a-0e6fd05f0e37","name":"_ASim_FileEvent_MicrosoftSysmonV05","body":"let parser = (disabled:bool=false) {\r\n // -- Event parser\r\n let EventParser = () {\r\n Event\r\n | where not(disabled)\r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Source, Type , _ItemId \r\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in 
(11,23,26)\r\n | project-away Source\r\n | parse-kv EventData as (\r\n RuleName:string,\r\n UtcTime:datetime, \r\n ProcessGuid:string,\r\n ProcessId:string,\r\n Image:string,\r\n User:string,\r\n TargetFilename:string,\r\n Hashes:string,\r\n CreationUtcTime:datetime\r\n )\r\n with (regex=@'{?([^')\r\n | project-rename \r\n ActingProcessGuid = ProcessGuid,\r\n ActingProcessId = ProcessId,\r\n ActorUsername = User,\r\n ActingProcessName = Image,\r\n TargetFileCreationTime=CreationUtcTime,\r\n TargetFilePath=TargetFilename,\r\n EventStartTime=UtcTime\r\n | project-away EventData\r\n };\r\n EventParser \r\n | project-rename\r\n DvcHostname = Computer,\r\n DvcScopeId = _SubscriptionId,\r\n DvcId = _ResourceId\r\n | extend\r\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\r\n EventProduct = 'Sysmon',\r\n EventVendor = 'Microsoft',\r\n EventSchema = 'FileEvent',\r\n EventSchemaVersion = '0.2.1',\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n DvcOs='Windows',\r\n TargetFilePathType = 'Windows',\r\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\r\n EventCount = int(1),\r\n EventEndTime = EventStartTime,\r\n EventOriginalType = tostring(EventID),\r\n TargetFileName = tostring(split(TargetFilePath,'\\\\')[-1]),\r\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\r\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\r\n EventUid = _ItemId\r\n | parse-kv Hashes as (\r\n MD5:string,\r\n SHA1:string,\r\n IMPHASH:string,\r\n SHA256:string\r\n )\r\n | project-rename\r\n TargetFileMD5 = MD5,\r\n TargetFileSHA1 = SHA1,\r\n TargetFileIMPHASH = IMPHASH,\r\n TargetFileSHA256 = SHA256\r\n | extend\r\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\r\n | extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5,TargetFileIMPHASH),Hash)])\r\n // -- Typed entity identifiers\r\n | 
extend\r\n ActorWindowsUsername = ActorUsername\r\n // -- Aliases\r\n | extend\r\n Process = ActingProcessName,\r\n Dvc = DvcHostname,\r\n FilePath = TargetFilePath,\r\n FileName = TargetFileName,\r\n User = ActorUsername\r\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\r\n };\r\n parser(disabled=disabled) ","parameters":"disabled:bool = false","description":"File event ASIM parser for Windows Sysmon.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"f76bd818-694c-58bc-99ff-a552b43db6b6","name":"_ASim_FileEvent_MicrosoftSysmonWindowsEventV04","body":"let parser = (disabled:bool=false) {\r\n //\r\n // -- WindowsEvent parser\r\n let WindowsEventParser=(){\r\n WindowsEvent \r\n | where not(disabled)\r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type , _ItemId \r\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (11,23,26)\r\n | project-away Provider\r\n | extend \r\n TargetFileCreationTime=todatetime(EventData.CreationUtcTime),\r\n TargetFilePath=tostring(EventData.TargetFilename),\r\n ActingProcessName = tostring(EventData.Image),\r\n ActingProcessId = tostring(EventData.ProcessId),\r\n ActingProcessGuid = tostring(EventData.ProcessGuid),\r\n ActorUsername = tostring(EventData.User),\r\n EventStartTime = todatetime(EventData.UtcTime),\r\n RuleName = tostring(EventData.RuleName),\r\n Hashes = tostring(EventData.Hashes)\r\n | parse ActingProcessGuid with \"{\" ActingProcessGuid \"}\"\r\n | project-away EventData\r\n };\r\n WindowsEventParser\r\n | project-rename\r\n DvcHostname = Computer,\r\n DvcScopeId = _SubscriptionId,\r\n DvcId = _ResourceId\r\n | extend\r\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\r\n EventProduct = 'Sysmon',\r\n EventVendor = 'Microsoft',\r\n EventSchema = 'FileEvent',\r\n EventSchemaVersion = '0.2.1',\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n 
DvcOs='Windows',\r\n TargetFilePathType = 'Windows',\r\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\r\n EventCount = int(1),\r\n EventEndTime = EventStartTime,\r\n EventOriginalType = tostring(EventID),\r\n TargetFileName = tostring(split(TargetFilePath,'\\\\')[-1]),\r\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\r\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\r\n EventUid = _ItemId\r\n | parse-kv Hashes as (\r\n MD5:string,\r\n SHA1:string,\r\n IMPHASH:string,\r\n SHA256:string\r\n )\r\n | project-rename\r\n TargetFileMD5 = MD5,\r\n TargetFileSHA1 = SHA1,\r\n TargetFileIMPHASH = IMPHASH,\r\n TargetFileSHA256 = SHA256\r\n | extend\r\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\r\n | extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5,TargetFileIMPHASH),Hash)])\r\n // -- Typed entity identifiers\r\n | extend\r\n ActorWindowsUsername = ActorUsername\r\n // -- Aliases\r\n | extend\r\n Process = ActingProcessName,\r\n Dvc = DvcHostname,\r\n FilePath = TargetFilePath,\r\n FileName = TargetFileName,\r\n User = ActorUsername\r\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\r\n }; \r\n parser(disabled=disabled)","parameters":"disabled:bool = false","description":"File event ASIM parser for Windows Sysmon.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"f0586352-639f-538d-a91e-ce9701d3c92a","name":"_ASim_FileEvent_MicrosoftWindowsEventsV01","body":"let Parser=(disabled:bool=false)\r\n{\r\nlet EventTypeLookup = datatable (AccessMask:string,EventType:string)\r\n[\r\n \"0x1\", \"ObjectAccessed\"\r\n , \"0x10\", \"MetadataModified\"\r\n , \"0x100\", \"MetadataModified\"\r\n , \"0x10000\", \"ObjectDeleted\"\r\n , \"0x2\", \"ObjectModified\"\r\n , \"0x20000\", \"MetadataAccessed\"\r\n , \"0x4\", 
\"ObjectModified\"\r\n , \"0x40\", \"ObjectDeleted\"\r\n , \"0x40000\", \"MetadataModified\"\r\n , \"0x6\", \"ObjectModified\"\r\n , \"0x8\", \"MetadataAccessed\"\r\n , \"0x80\", \"MetadataAccessed\"\r\n , \"0x80000\", \"MetadataModified\"\r\n];\r\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\r\n[\r\n 'User', 'Regular',\r\n 'Machine', 'Machine'\r\n]; \r\nlet KnownSIDs = datatable (sid:string, username:string, type:string)\r\n[\r\n 'S-1-5-18', 'Local System', 'Simple',\r\n 'S-1-0-0', 'Nobody', 'Simple'\r\n];\r\nunion isfuzzy=false (WindowsEvent\r\n| where EventID == 4663 \r\n and EventData.ObjectType == \"File\"\r\n and EventData.ObjectName !startswith @\"\\Device\\\"\r\n| project TimeGenerated\r\n , EventID, AccessMask = tostring(EventData.AccessMask)\r\n , ProcessName = tostring(EventData.ProcessName)\r\n , SubjectUserSid = tostring(EventData.SubjectUserSid)\r\n , AccountType = tostring(EventData.AccountType)\r\n , Computer = tostring(EventData.Computer)\r\n , ObjectName = tostring(EventData.ObjectName)\r\n , ProcessId = tostring(EventData.ProcessId)\r\n , SubjectUserName = tostring(EventData.SubjectUserName)\r\n , SubjectAccount = tostring(EventData.SubjectAccount)\r\n , SubjectLogonId = tostring(EventData.SubjectLogonId)\r\n , HandleId = tostring(EventData.HandleId)\r\n)\r\n, (SecurityEvent\r\n| where not(disabled)\r\n| where EventID == 4663 \r\n and ObjectType == \"File\"\r\n and ObjectName !startswith @\"\\Device\\\"\r\n| project TimeGenerated, EventID, AccessMask, ProcessName, SubjectUserSid, AccountType, Computer, ObjectName, ProcessId, SubjectUserName, SubjectAccount, SubjectLogonId, HandleId)\r\n| lookup EventTypeLookup on AccessMask\r\n| lookup UserTypeLookup on AccountType\r\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\r\n| extend ActingProcessName = ProcessName\r\n , ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\r\n , ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\r\n 
, EventStartTime = TimeGenerated\r\n , EventEndTime = TimeGenerated\r\n , TargetFilePath = ObjectName\r\n , TargetFilePathFormat = \"Windows Local\"\r\n , ActingProcessId = tostring(toint(ProcessId))\r\n , EventOriginalType = tostring(EventID)\r\n| project-away EventID, ProcessId, AccountType, type, username\r\n| project-rename ActorUserId = SubjectUserSid\r\n , DvcHostname = Computer\r\n , Process = ProcessName\r\n , FilePath = ObjectName\r\n , ActorSessionId = SubjectLogonId\r\n , FileSessionId = HandleId\r\n| extend EventSchema = \"FileEvent\"\r\n , EventSchemaVersion = \"0.1.1\"\r\n , EventResult = \"Success\"\r\n , EventCount = int(1)\r\n , EventVendor = 'Microsoft'\r\n , EventProduct = 'Security Events'\r\n , Dvc = DvcHostname\r\n , ActorWindowsUsername = ActorUsername\r\n , User = ActorUsername\r\n , ActorUserSid = ActorUserId\r\n};\r\nParser (disabled = disabled)","parameters":"disabled:bool = false","description":"File Event ASIM parser for Microsoft Windows Events.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"ed15fe6c-29f1-5bdf-a190-f24bb012b6a2","name":"_ASim_FileEvent_MicrosoftWindowsEventsV02","body":"let Parser=(disabled:bool=false)\r\n{\r\nlet EventTypeLookup = datatable (AccessMask:string,EventType:string)\r\n[\r\n \"0x1\", \"ObjectAccessed\"\r\n , \"0x10\", \"MetadataModified\"\r\n , \"0x100\", \"MetadataModified\"\r\n , \"0x10000\", \"ObjectDeleted\"\r\n , \"0x2\", \"ObjectModified\"\r\n , \"0x20000\", \"MetadataAccessed\"\r\n , \"0x4\", \"ObjectModified\"\r\n , \"0x40\", \"ObjectDeleted\"\r\n , \"0x40000\", \"MetadataModified\"\r\n , \"0x6\", \"ObjectModified\"\r\n , \"0x8\", \"MetadataAccessed\"\r\n , \"0x80\", \"MetadataAccessed\"\r\n , \"0x80000\", \"MetadataModified\"\r\n];\r\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\r\n[\r\n 'User', 'Regular',\r\n 'Machine', 'Machine'\r\n]; \r\nlet KnownSIDs = datatable (sid:string, username:string, 
type:string)\r\n[\r\n 'S-1-5-18', 'Local System', 'Simple',\r\n 'S-1-0-0', 'Nobody', 'Simple'\r\n];\r\nWindowsEvent\r\n| where EventID == 4663 \r\n and EventData.ObjectType == \"File\"\r\n and EventData.ObjectName !startswith @\"\\Device\\\"\r\n| project TimeGenerated\r\n , EventID, AccessMask = tostring(EventData.AccessMask)\r\n , ProcessName = tostring(EventData.ProcessName)\r\n , SubjectUserSid = tostring(EventData.SubjectUserSid)\r\n , AccountType = tostring(EventData.AccountType)\r\n , Computer = tostring(EventData.Computer)\r\n , ObjectName = tostring(EventData.ObjectName)\r\n , ProcessId = tostring(EventData.ProcessId)\r\n , SubjectUserName = tostring(EventData.SubjectUserName)\r\n , SubjectAccount = tostring(EventData.SubjectAccount)\r\n , SubjectLogonId = tostring(EventData.SubjectLogonId)\r\n , HandleId = tostring(EventData.HandleId)\r\n , Type\r\n| extend ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\r\n| lookup EventTypeLookup on AccessMask\r\n| lookup UserTypeLookup on AccountType\r\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\r\n| extend ActingProcessName = ProcessName\r\n , ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\r\n , ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\r\n , EventStartTime = TimeGenerated\r\n , EventEndTime = TimeGenerated\r\n , TargetFilePath = ObjectName\r\n , TargetFilePathFormat = \"Windows Local\"\r\n , ActingProcessId = tostring(toint(ProcessId))\r\n , EventOriginalType = tostring(EventID)\r\n| project-away EventID, ProcessId, AccountType, type, username\r\n| project-rename ActorUserId = SubjectUserSid\r\n , DvcHostname = Computer\r\n , Process = ProcessName\r\n , FilePath = ObjectName\r\n , ActorSessionId = SubjectLogonId\r\n , FileSessionId = HandleId\r\n| extend EventSchema = \"FileEvent\"\r\n , EventSchemaVersion = \"0.1.1\"\r\n , EventResult = \"Success\"\r\n , EventCount = int(1)\r\n , EventVendor = 'Microsoft'\r\n , EventProduct = 'Security 
Events'\r\n , Dvc = DvcHostname\r\n , ActorWindowsUsername = ActorUsername\r\n , User = ActorUsername\r\n , ActorUserSid = ActorUserId\r\n| project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat\r\n};\r\nParser (disabled = disabled)","parameters":"disabled:bool = false","description":"File Event ASIM parser for Microsoft Windows Events.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"f2b38451-801c-5a14-93b4-659c6f07b516","name":"_ASim_FileEvent_NativeV01","body":"let parser=(disabled: bool=false) {\r\n ASimFileEventLogs\r\n | where not(disabled)\r\n | project-rename\r\n EventUid = _ItemId\r\n | extend \r\n EventSchema = \"FileEvent\",\r\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\r\n // -- Aliases\r\n | extend\r\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\r\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\r\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\r\n Src = SrcIpAddr,\r\n IpAddr = SrcIpAddr,\r\n Rule = coalesce(RuleName, tostring(RuleNumber)),\r\n User = ActorUsername,\r\n FileName = TargetFileName,\r\n FilePath = TargetFilePath,\r\n Process = ActingProcessName,\r\n Url = TargetUrl,\r\n Application = TargetAppName\r\n | project-away\r\n TenantId,\r\n SourceSystem,\r\n _SubscriptionId,\r\n _ResourceId\r\n};\r\nparser (disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"File Event ASIM parser for Microsoft Sentinel native File Event table.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"d2f23ee9-87c4-5a3b-9c20-8f602f24c005","name":"_ASim_FileEvent_SentinelOneV01","body":"let GetWindowsFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\r\nlet GetLinuxFilenamePart = (path: string) { tostring(split(path, @'/')[-1]) };\r\nlet 
EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\r\n [\r\n \"FILECREATION\", \"FileCreated\",\r\n \"FILEMODIFICATION\", \"FileModified\",\r\n \"FILEDELETION\", \"FileDeleted\",\r\n \"FILERENAME\", \"FileRenamed\"\r\n];\r\nlet ThreatConfidenceLookup_undefined = datatable(\r\n alertInfo_analystVerdict_s: string,\r\n ThreatConfidence_undefined: int\r\n)\r\n [\r\n \"FALSE_POSITIVE\", 5,\r\n \"Undefined\", 15,\r\n \"SUSPICIOUS\", 25,\r\n \"TRUE_POSITIVE\", 33 \r\n];\r\nlet ThreatConfidenceLookup_suspicious = datatable(\r\n alertInfo_analystVerdict_s: string,\r\n ThreatConfidence_suspicious: int\r\n)\r\n [\r\n \"FALSE_POSITIVE\", 40,\r\n \"Undefined\", 50,\r\n \"SUSPICIOUS\", 60,\r\n \"TRUE_POSITIVE\", 67 \r\n];\r\nlet ThreatConfidenceLookup_malicious = datatable(\r\n alertInfo_analystVerdict_s: string,\r\n ThreatConfidence_malicious: int\r\n)\r\n [\r\n \"FALSE_POSITIVE\", 75,\r\n \"Undefined\", 80,\r\n \"SUSPICIOUS\", 90,\r\n \"TRUE_POSITIVE\", 100 \r\n];\r\nlet parser = (disabled: bool=false) {\r\n let allFileData = SentinelOne_CL\r\n | where not(disabled)\r\n and event_name_s == \"Alerts.\"\r\n and alertInfo_eventType_s in ('FILECREATION', 'FILEMODIFICATION', 'FILEDELETION', 'FILERENAME');\r\n let windowsFileData = allFileData\r\n | where agentDetectionInfo_osFamily_s == \"windows\"\r\n | extend\r\n TargetFilePathType = \"Windows Local\",\r\n TargetFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFilePath_s),\r\n SrcFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFileOldPath_s);\r\n let otherFileData = allFileData\r\n | where agentDetectionInfo_osFamily_s != \"windows\"\r\n | extend\r\n TargetFilePathType = \"Unix\",\r\n TargetFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFilePath_s),\r\n SrcFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFileOldPath_s);\r\n let parseddata = union windowsFileData, otherFileData\r\n | lookup EventTypeLookup on alertInfo_eventType_s;\r\n let undefineddata = parseddata\r\n | where 
ruleInfo_treatAsThreat_s == \"UNDEFINED\"\r\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\r\n let suspiciousdata = parseddata\r\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\r\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\r\n let maaliciousdata = parseddata\r\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\r\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\r\n union undefineddata, suspiciousdata, maaliciousdata\r\n | extend\r\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\r\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\r\n EventVendor = \"SentinelOne\",\r\n EventProduct = \"SentinelOne\",\r\n EventResult = \"Success\",\r\n EventSchema = \"FileEvent\",\r\n EventSchemaVersion = \"0.2.1\",\r\n EventCount = toint(1),\r\n DvcAction = \"Allowed\",\r\n ActorUsername = sourceProcessInfo_user_s\r\n | project-rename\r\n EventStartTime = sourceProcessInfo_pidStarttime_t,\r\n EventOriginalSeverity = ruleInfo_severity_s,\r\n EventUid = _ItemId,\r\n ActingProcessCommandLine = sourceProcessInfo_commandline_s,\r\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\r\n ActingProcessId = sourceProcessInfo_pid_s,\r\n ActingProcessName = sourceProcessInfo_name_s,\r\n DvcId = agentDetectionInfo_uuid_g,\r\n DvcOs = agentDetectionInfo_osName_s,\r\n DvcOsVersion = agentDetectionInfo_osRevision_s,\r\n EventOriginalType = alertInfo_eventType_s,\r\n EventOriginalUid = alertInfo_dvEventId_s,\r\n RuleName = ruleInfo_name_s,\r\n TargetFileCreationTime = targetProcessInfo_tgtFileCreatedAt_t,\r\n SrcFilePath = targetProcessInfo_tgtFileOldPath_s,\r\n TargetFilePath = targetProcessInfo_tgtFilePath_s,\r\n TargetFileSHA1 = targetProcessInfo_tgtFileHashSha1_s,\r\n TargetFileSHA256 = targetProcessInfo_tgtFileHashSha256_s,\r\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\r\n | invoke 
_ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\r\n | extend\r\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\r\n EventEndTime = EventStartTime,\r\n Rule = RuleName,\r\n FileName = TargetFileName,\r\n FilePath = TargetFilePath,\r\n Process = ActingProcessName,\r\n User = ActorUsername,\r\n Hash = coalesce(TargetFileSHA256, TargetFileSHA1)\r\n | extend\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n HashType = case(\r\n isnotempty(Hash) and isnotempty(TargetFileSHA256),\r\n \"TargetFileSHA256\",\r\n isnotempty(Hash) and isnotempty(TargetFileSHA1),\r\n \"TargetFileSHA1\",\r\n \"\"\r\n ) \r\n | project-away \r\n *_d,\r\n *_s,\r\n *_g,\r\n *_t,\r\n *_b,\r\n _ResourceId,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId,\r\n ThreatConfidence_*\r\n};\r\nparser(disabled = disabled)","parameters":"disabled:bool = false","description":"File Event ASIM Parser for SentinelOne.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"e0e6bed3-9153-5831-b09e-05325637a8ef","name":"_ASim_FileEvent_VMwareCarbonBlackCloudV01","body":"let EventFieldsLookup = datatable(\r\n sensor_action_s: string,\r\n DvcAction: string,\r\n EventResult: string\r\n)[\r\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\r\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\r\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\r\n \"ACTION_BREAK\", \"Break\", \"Failure\",\r\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\r\n \"\", \"\", \"Success\"\r\n];\r\nlet EventTypeLookup = datatable(action_s: string, EventType: string)[\r\n \"ACTION_FILE_CREATE\", \"FileCreated\",\r\n \"ACTION_FILE_DELETE\", \"FileDeleted\",\r\n \"ACTION_FILE_LAST_WRITE\", \"FileModified\",\r\n \"ACTION_FILE_LINK\", \"FileModified\",\r\n \"ACTION_FILE_READ\", \"FileAccessed\",\r\n \"ACTION_FILE_RENAME\", 
\"FileRenamed\",\r\n \"ACTION_FILE_WRITE\", \"FileModified\",\r\n \"ACTION_FILE_OPEN_DELETE\", \"FileDeleted\",\r\n \"ACTION_FILE_OPEN_EXECUTE\", \"FileAccessed\",\r\n \"ACTION_FILE_OPEN_SET_ATTRIBUTES\", \"FileAttributesUpdated\",\r\n \"ACTION_FILE_OPEN_SET_SECURITY\", \"FileAttributesUpdated\",\r\n \"ACTION_FILE_SET_SECURITY\", \"FileAttributesUpdated\",\r\n \"ACTION_FILE_TRUNCATE\", \"FileModified\",\r\n \"ACTION_FILE_OPEN_WRITE\", \"FileModified\",\r\n \"ACTION_FILE_MOD_OPEN\", \"FileAccessed\",\r\n \"ACTION_FILE_OPEN_READ\", \"FileAccessed\"\r\n];\r\nlet parser = (disabled: bool=false) {\r\n CarbonBlackEvents_CL\r\n | where not(disabled)\r\n | where eventType_s == \"endpoint.event.filemod\" and isnotempty(filemod_name_s)\r\n | where action_s !in (\"ACTION_INVALID\", \"ACTION_FILE_UNDELETE\")\r\n | parse filemod_hash_s with * '[\"' TargetFileMD5: string '\",\"' TargetFileSHA256: string '\"]'\r\n | lookup EventFieldsLookup on sensor_action_s\r\n | extend temp_action = iff(action_s has \"|\", action_s, \"\")\r\n | lookup EventTypeLookup on action_s\r\n | extend EventType = case(\r\n isnotempty(EventType), EventType,\r\n temp_action has \"delete\", \"FileDeleted\",\r\n temp_action has \"link\", \"FileModified\",\r\n temp_action has \"rename\", \"FileRenamed\",\r\n temp_action has \"execute\", \"FileAccessed\",\r\n temp_action has_any (\"attributes\", \"security\"), \"FileAttributesUpdated\",\r\n temp_action has \"truncate\", \"FileModified\",\r\n temp_action has \"write\", \"FileModified\",\r\n temp_action has_any (\"read\", \"open\"), \"FileAccessed\",\r\n temp_action has \"create\", \"FileCreated\",\r\n \"\"\r\n )\r\n | extend\r\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\r\n TargetFilePathType = case(\r\n device_os_s == \"WINDOWS\" and filemod_name_s startswith \"\\\\\", \"Windows Share\",\r\n device_os_s == \"WINDOWS\", \"Windows Local\",\r\n device_os_s in (\"MAC\", \"LINUX\"), \"Unix\",\r\n \"\"\r\n ),\r\n ActingProcessId = 
tostring(toint(process_pid_d)),\r\n TargetFileName = tostring(split(filemod_name_s, '\\\\')[-1]),\r\n AdditionalFields = bag_pack(\r\n \"org_key\", org_key_s,\r\n \"process_publisher\", process_publisher_s,\r\n \"process_reputation\", process_reputation_s,\r\n \"process_guid\", process_guid_s\r\n )\r\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\r\n | project-rename\r\n ActorUsername = process_username_s,\r\n DvcIpAddr = device_external_ip_s,\r\n EventUid = _ItemId,\r\n DvcScope = device_group_s,\r\n ActingProcessCommandLine = process_cmdline_s,\r\n ActingProcessName = process_path_s,\r\n DvcId = device_id_s,\r\n DvcOriginalAction = sensor_action_s,\r\n DvcOs = device_os_s,\r\n EventMessage = event_description_s,\r\n EventOriginalType = action_s,\r\n EventOriginalUid = event_id_g,\r\n EventOwner = event_origin_s,\r\n TargetFilePath = filemod_name_s\r\n | extend \r\n EventProduct = \"Carbon Black Cloud\",\r\n EventSchema = \"FileEvent\",\r\n EventSchemaVersion = \"0.2.1\",\r\n EventVendor = \"VMware\",\r\n EventCount = int(1),\r\n SrcIpAddr = DvcIpAddr\r\n | extend\r\n EventEndTime = EventStartTime,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\r\n FileName = TargetFileName,\r\n FilePath = TargetFilePath,\r\n Process = ActingProcessName,\r\n User = ActorUsername,\r\n Hash = coalesce(TargetFileSHA256, TargetFileMD5)\r\n | extend\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n HashType = case(\r\n isnotempty(TargetFileSHA256),\r\n \"TargetFileSHA256\",\r\n isnotempty(TargetFileMD5),\r\n \"TargetFileMD5\",\r\n \"\"\r\n )\r\n | project-away\r\n *_s,\r\n *_d,\r\n *_g,\r\n *_b,\r\n _ResourceId,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId,\r\n temp_action\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = 
false","description":"File Event Parser for VMware Carbon Black Cloud.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"a18af53e-f058-5b49-bcd6-73f2ec59da4f","name":"_ASim_RegistryEvent","body":"union isfuzzy=true\r\n_ASim_RegistryEventBuiltIn(pack= pack),\r\nASim_RegistryEventSolutions(pack= pack),\r\nASim_RegistryEventCustom(pack= pack)\r\n","parameters":"pack:bool = false","description":"Registry Event ASIM Parser.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"bc2c82fe-fafd-5ffc-8665-bd7b1bb6ab0b","name":"_ASim_RegistryEventBuiltIn","body":"let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') \r\n| where SearchKey in ('Any', 'Exclude_ASim_RegistryEvent') \r\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') \r\n| where isnotempty(SourceSpecificParser) \r\n| summarize list = make_set(SourceSpecificParser));\r\nlet builtInDisabled = 0 != array_length(set_intersect(toscalar(DisabledParsers),dynamic(['Exclude_ASim_RegistryEventBuiltIn', 'Exclude_ASim_RegistryEvent', 'Any'])));\r\nunion isfuzzy=true\r\n_ASim_RegistryEvent_Microsoft365DV01(disabled= (builtInDisabled or('Exclude_ASim_RegistryEvent_Microsoft365D' in (DisabledParsers)))),\r\n_ASim_RegistryEvent_MicrosoftSecurityEventV03(disabled= (builtInDisabled or('Exclude_ASim_RegistryEvent_MicrosoftSecurityEvent' in (DisabledParsers)))),\r\n_ASim_RegistryEvent_MicrosoftSysmonV03(disabled= (builtInDisabled or('Exclude_ASim_RegistryEvent_MicrosoftSysmon' in (DisabledParsers)))),\r\n_ASim_RegistryEvent_MicrosoftSysmonWindowsEventV03(disabled= (builtInDisabled or('Exclude_ASim_RegistryEvent_MicrosoftSysmonWindowsEvent' in (DisabledParsers)))),\r\n_ASim_RegistryEvent_MicrosoftWindowsEventV02(disabled= (builtInDisabled or('Exclude_ASim_RegistryEvent_MicrosoftWindowsEvent' in (DisabledParsers)))),\r\n_ASim_RegistryEvent_NativeV01(disabled= (builtInDisabled 
or('Exclude_ASim_RegistryEvent_Native' in (DisabledParsers)))),\r\n_ASim_RegistryEvent_SentinelOneV01(disabled= (builtInDisabled or('Exclude_ASim_RegistryEvent_SentinelOne' in (DisabledParsers)))),\r\n_ASim_RegistryEvent_TrendMicroVisionOneV01(disabled= (builtInDisabled or('Exclude_ASim_RegistryEvent_TrendMicroVisionOne' in (DisabledParsers)))),\r\n_ASim_RegistryEvent_VMwareCarbonBlackCloudV01(disabled= (builtInDisabled or('Exclude_ASim_RegistryEvent_VMwareCarbonBlackCloud' in (DisabledParsers)))),\r\n_Im_RegistryEvent_EmptyV02\r\n","parameters":"pack:bool = false","description":"Registry Event ASIM Parser.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"f2098813-1799-53cc-a8ad-8047b4f2d80e","name":"_ASim_RegistryEvent_Microsoft365DV01","body":"let RegistryType = datatable (TypeCode: string, TypeName: string)\r\n [\r\n \"None\", \"Reg_None\",\r\n \"String\", \"Reg_Sz\",\r\n \"ExpandString\", \"Reg_Expand_Sz\",\r\n \"Binary\", \"Reg_Binary\",\r\n \"Dword\", \"Reg_DWord\",\r\n \"MultiString\", \"Reg_Multi_Sz\",\r\n \"QWord\", \"Reg_QWord\"\r\n];\r\nlet parser = (\r\n disabled: bool=false\r\n ) {\r\n DeviceRegistryEvents\r\n | where not(disabled)\r\n | extend\r\n // Event\r\n EventOriginalUid = tostring(ReportId), \r\n EventCount = int(1), \r\n EventProduct = 'M365 Defender for Endpoint', \r\n EventVendor = 'Microsoft', \r\n EventSchemaVersion = '0.1.0', \r\n EventSchema = \"RegistryEvent\",\r\n EventResult = \"Success\",\r\n EventStartTime = TimeGenerated, \r\n EventEndTime = TimeGenerated, \r\n EventType = ActionType,\r\n // Registry\r\n RegistryKey = iff (ActionType in (\"RegistryKeyDeleted\", \"RegistryValueDeleted\"), PreviousRegistryKey, RegistryKey),\r\n RegistryValue = iff (ActionType == \"RegistryValueDeleted\", PreviousRegistryValueName, RegistryValueName),\r\n // RegistryValueType -- original name is fine \r\n // RegistryValueData -- original name is fine \r\n RegistryKeyModified = iff 
(ActionType == \"RegistryKeyRenamed\", PreviousRegistryKey, \"\"),\r\n RegistryValueModified = iff (ActionType == \"RegistryValueSet\", PreviousRegistryValueName, \"\"),\r\n // RegistryValueTypeModified -- Not provided by Defender\r\n RegistryValueDataModified = PreviousRegistryValueData\r\n | lookup RegistryType on $left.RegistryValueType == $right.TypeCode\r\n | extend RegistryValueType = TypeName\r\n | project-away\r\n TypeName,\r\n PreviousRegistryKey,\r\n PreviousRegistryValueName,\r\n PreviousRegistryValueData\r\n // Device\r\n | extend\r\n DvcHostname = DeviceName, \r\n DvcId = DeviceId, \r\n Dvc = DeviceName \r\n // Users\r\n | extend\r\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)), \r\n ActorUsernameType = iff(InitiatingProcessAccountDomain == '', 'Simple', 'Windows'), \r\n ActorUserIdType = 'SID'\r\n //| project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName\r\n | project-rename\r\n ActorUserId = InitiatingProcessAccountSid, \r\n ActorUserAadId = InitiatingProcessAccountObjectId, \r\n ActorUserUpn = InitiatingProcessAccountUpn\r\n // Processes\r\n | extend\r\n ActingProcessId = tostring(InitiatingProcessId), \r\n ParentProcessId = tostring(InitiatingProcessParentId) \r\n | project-away InitiatingProcessId, InitiatingProcessParentId\r\n | project-rename\r\n ParentProcessName = InitiatingProcessParentFileName, \r\n ParentProcessCreationTime = InitiatingProcessParentCreationTime, \r\n ActingProcessName = InitiatingProcessFolderPath, \r\n ActingProcessFileName = InitiatingProcessFileName,\r\n ActingProcessCommandLine = InitiatingProcessCommandLine, \r\n ActingProcessMD5 = InitiatingProcessMD5, \r\n ActingProcessSHA1 = InitiatingProcessSHA1, //OK\r\n ActingProcessSHA256 = InitiatingProcessSHA256, \r\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel, \r\n ActingProcessTokenElevation = 
InitiatingProcessTokenElevation, \r\n ActingProcessCreationTime = InitiatingProcessCreationTime \r\n // -- aliases\r\n | extend \r\n Username = ActorUsername,\r\n UserId = ActorUserId,\r\n UserIdType = ActorUserIdType,\r\n User = ActorUsername,\r\n CommandLine = ActingProcessCommandLine,\r\n Process = ActingProcessName\r\n};\r\nparser (\r\n disabled = disabled\r\n)","parameters":"disabled:bool = false","description":"Registry Event ASIM parser for Microsoft 365 Defender for Endpoint.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"528bfedf-922a-5b1c-b2c2-bd6470ee94e9","name":"_ASim_RegistryEvent_MicrosoftSecurityEventV03","body":"let parser = (\r\ndisabled: bool=false\r\n) {\r\nlet ASIM_GetAccountType = (sid: string) { \r\niif ( \r\nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\r\n\"Simple\"\r\n ,\r\n\"Windows\"\r\n)\r\n};\r\n let ASIM_ParseSecurityEvents = (SecurityEvent: (SubjectDomainName: string, SubjectUserName: string, ProcessId: string, ObjectName: string, SubjectUserSid: string, SubjectLogonId: string, ProcessName: string)) {\r\n SecurityEvent\r\n | project-rename\r\n ActorUsername = SubjectUserName\r\n ,\r\n ActorUserId = SubjectUserSid\r\n ,\r\n ActorSessionId = SubjectLogonId\r\n ,\r\n ActingProcessName = ProcessName\r\n ,\r\n ActorDomainName = SubjectDomainName\r\n | extend\r\n ActorUsername = iif(isnotempty(ActorDomainName), strcat(ActorDomainName, @'\\', ActorUsername), ActorUsername)\r\n ,\r\n ActingProcessId = tostring(toint(tolong(ProcessId)))\r\n ,\r\n RegistryKey = iif(\r\n ObjectName startswith @\"\\REGISTRY\\MACHINE\",\r\n replace_string(ObjectName, @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\r\n ,\r\n replace_string(ObjectName, @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\r\n )\r\n};\r\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\r\n [\r\n \"0x1\", \"RegistryValueRead\"\r\n ,\r\n \"0x10\", \"RegistryKeyNotify\"\r\n ,\r\n 
\"0x10000\", \"RegistryKeyDeleted\"\r\n ,\r\n \"0x2\", \"RegistryValueSet\"\r\n ,\r\n \"0x20000\", \"MetadataAccessed\"\r\n ,\r\n \"0x20006\", \"RegistryValueSet\"\r\n ,\r\n \"0x40000\", \"MetadataModified\"\r\n ,\r\n \"0x8\", \"RegistrySubkeyEnumerated\"\r\n];\r\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\r\n [\r\n \"%%1904\", \"RegistryValueSet\"\r\n ,\r\n \"%%1905\", \"RegistryValueSet\"\r\n ,\r\n \"%%1906\", \"RegistryValueDeleted\"\r\n];\r\n let RegistryType = datatable (TypeCode: string, TypeName: string)\r\n [\r\n \"%%1872\", \"REG_NONE\"\r\n ,\r\n \"%%1873\", \"REG_SZ\"\r\n ,\r\n \"%%1874\", \"REG_EXPAND_SZ\"\r\n ,\r\n \"%%1875\", \"REG_BINARY\"\r\n ,\r\n \"%%1876\", \"REG_DWORD\"\r\n ,\r\n \"%%1879\", \"REG_MULTI_SZ\"\r\n ,\r\n \"%%1883\", \"REG_QWORD\"\r\n];\r\n union isfuzzy=false\r\n (\r\n SecurityEvent\r\n | where not(disabled)\r\n | where EventID == 4663 and ObjectType == \"Key\"\r\n | lookup Event4663TypeLookup on AccessMask\r\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\r\n | invoke ASIM_ParseSecurityEvents()\r\n | project\r\n TimeGenerated,\r\n Computer,\r\n EventID,\r\n EventType,\r\n ActorUsername,\r\n ActorDomainName,\r\n ActorUserId,\r\n ActorSessionId,\r\n ActingProcessName,\r\n ActingProcessId,\r\n RegistryKey,\r\n _ResourceId,\r\n Type\r\n ),\r\n (\r\n SecurityEvent\r\n | where not(disabled)\r\n | where EventID == 4657\r\n | invoke ASIM_ParseSecurityEvents()\r\n | extend\r\n EventOriginalSubType = OperationType\r\n ,\r\n RegistryValue = ObjectValueName\r\n | lookup Event4567TypeLookup on EventOriginalSubType\r\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\r\n | project\r\n TimeGenerated,\r\n Computer,\r\n EventID,\r\n EventType,\r\n ActorUsername,\r\n ActorDomainName,\r\n ActorUserId,\r\n ActorSessionId,\r\n ActingProcessName,\r\n ActingProcessId,\r\n RegistryKey,\r\n _ResourceId,\r\n Type,\r\n NewValueType,\r\n OldValueType,\r\n 
EventOriginalSubType,\r\n OldValue,\r\n NewValue,\r\n RegistryValue\r\n )\r\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\r\n | project-rename RegistryValueType = TypeName\r\n | lookup RegistryType on $left.OldValueType == $right.TypeCode\r\n | project-rename RegistryPreviousValueType = TypeName\r\n | extend\r\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\r\n ,\r\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\r\n ,\r\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\r\n ,\r\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\r\n | project-away\r\n NewValueType,\r\n OldValueType,\r\n EventOriginalSubType,\r\n OldValue,\r\n NewValue\r\n | invoke _ASIM_ResolveFQDN (\"Computer\")\r\n | extend\r\n ActorUserIdType = iff (ActorUserId \"S-1-0-0\", \"SID\", \"\"),\r\n ActorUserId = iff (ActorUserId \"S-1-0-0\", ActorUserId, \"\")\r\n | project-rename\r\n DvcDomainType = DomainType\r\n ,\r\n DvcHostname = ExtractedHostname\r\n | extend\r\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\r\n ,\r\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\r\n ,\r\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\r\n | extend\r\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\r\n ,\r\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\r\n | extend\r\n User = ActorUsername\r\n ,\r\n UserId = ActorUserId\r\n ,\r\n ActorUserSid = ActorUserId\r\n ,\r\n Process = ActingProcessName\r\n ,\r\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\r\n ,\r\n EventStartTime = TimeGenerated\r\n ,\r\n EventEndTime = TimeGenerated\r\n ,\r\n EventOriginalType = tostring(EventID)\r\n | extend\r\n EventSchemaVersion = \"0.1\" \r\n ,\r\n EventSchema = \"RegistryEvent\"\r\n ,\r\n EventCount = toint(1)\r\n ,\r\n EventResult = \"Success\"\r\n ,\r\n EventVendor = \"Microsoft\"\r\n ,\r\n EventProduct = 
\"Security Events\" \r\n ,\r\n DvcOs = \"Windows\"\r\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId\r\n};\r\nparser (\r\n disabled = disabled\r\n)","parameters":"disabled:bool = false","description":"Registry Event ASIM parser for Microsoft Windows Events (registry creation event).","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"8691e151-39ce-582a-b524-7f54b65eea26","name":"_ASim_RegistryEvent_MicrosoftSysmonV02","body":"let parser = (\r\n disabled: bool=false\r\n ) {\r\n let RegistryAction = datatable (EventType: string, NewEventType: string)\r\n [\r\n \"CreateKey\", \"RegistryKeyCreated\",\r\n \"DeleteKey\", \"RegistryKeyDeleted\",\r\n \"DeleteValue\", \"RegistryValueDeleted\", \r\n \"SetValue\", \"RegistryValueSet\",\r\n \"RenameKey\", \"RegistryKeyRenamed\"\r\n ]; \r\n let Hives = datatable (KeyPrefix: string, Hive: string)\r\n [\r\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\r\n \"HKU\", \"HKEY_USERS\", \r\n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \r\n ];\r\n // this is the parser for sysmon from Event table\r\n // Create the raw table from the raw XML file structure\r\n let ParsedRegistryEvent_Event=() {\r\n Event\r\n | where not(disabled)\r\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\r\n | parse EventData with \r\n * ''RuleName // parsing the XML using the original fields name - for readibliy \r\n ''EventType\r\n ''UtcTime\r\n '{'ProcessGuid\r\n '}'ProcessId\r\n ''Image\r\n ''TargetObject\r\n '' EventDataRemainder \r\n | parse EventDataRemainder with '' Parameter '' ActorUsername '' *\r\n | project-away EventDataRemainder\r\n // End of XML parse\r\n | extend \r\n EventStartTime = todatetime(TimeGenerated), \r\n EventEndTime = todatetime(TimeGenerated), \r\n EventCount = int(1), \r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\", \r\n EventProduct = 
\"Sysmon\",\r\n EventOriginalType = tostring(EventID), \r\n DvcOs = \"Windows\",\r\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\r\n | project-rename \r\n EventMessage = RenderedDescription, \r\n DvcHostName = Computer, \r\n ActingProcessId = ProcessId,\r\n ActingProcessGuid = ProcessGuid, \r\n ActingProcessName = Image \r\n // Lookup Event Type\r\n | lookup RegistryAction on EventType \r\n | project-rename EventOriginalSubType = EventType\r\n | project-rename EventType = NewEventType\r\n // Normalize Key Hive\r\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\r\n | lookup Hives on KeyPrefix\r\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\r\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\r\n | lookup Hives on KeyPrefix\r\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\r\n | project-away KeyPrefix, KeyMain, Hive\r\n // Split Key and Value for relevant events \r\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\r\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\r\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\r\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\r\n | extend NewKey = ParsedKey[0][0]\r\n | extend NewValue = ParsedKey[0][1]\r\n | project-away ParsedKey, TargetObject, NewName\r\n // Set normalized registry fields\r\n | extend\r\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\r\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\r\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\r\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\r\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\")\r\n | extend // aliases\r\n User = ActorUsername,\r\n Process = ActingProcessName,\r\n Dvc = DvcHostName\r\n 
| project-away\r\n Parameter,\r\n Value,\r\n Key,\r\n NewKey,\r\n NewValue,\r\n EventData,\r\n ParameterXml\r\n };\r\n // this is the parser for sysmon from WindowsEvent table\r\n let ParsedRegistryEvent_WindowsEvent=() {\r\n WindowsEvent\r\n | where not(disabled)\r\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\r\n | extend \r\n EventStartTime = todatetime(TimeGenerated), \r\n EventEndTime = todatetime(TimeGenerated), \r\n EventCount = int(1), \r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\", \r\n EventProduct = \"Sysmon\",\r\n EventOriginalType = tostring(EventID),\r\n EventType = tostring(EventData.EventType),\r\n DvcOs = \"Windows\",\r\n EventMessage = tostring(EventData.RenderedDescription), \r\n ActorUsername = tostring(EventData.User),\r\n ActingProcessId = tostring(EventData.ProcessId),\r\n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\r\n ActingProcessName = tostring(EventData.Image),\r\n TargetObject = tostring(EventData.TargetObject),\r\n Parameter = tostring(EventData.Parameter)\r\n | project-rename\r\n DvcHostName = Computer \r\n | lookup RegistryAction on EventType\r\n | project-rename EventOriginalSubType = EventType\r\n | project-rename EventType = NewEventType\r\n // Normalize Key Hive\r\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\r\n | lookup Hives on KeyPrefix\r\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\r\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\r\n | lookup Hives on KeyPrefix\r\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\r\n | project-away KeyPrefix, KeyMain, Hive\r\n // Split Key and Value for relevant events \r\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\r\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\r\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\r\n | extend 
ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\r\n | extend NewKey = ParsedKey[0][0]\r\n | extend NewValue = ParsedKey[0][1]\r\n | project-away ParsedKey, TargetObject, NewName\r\n // Set normalized registry fields\r\n | extend\r\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\r\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\r\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\r\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\r\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\"),\r\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\r\n | extend // aliases\r\n User = ActorUsername,\r\n Process = ActingProcessName,\r\n Dvc = DvcHostName\r\n | project-away\r\n Parameter,\r\n Value,\r\n Key,\r\n NewKey,\r\n NewValue,\r\n EventData\r\n };\r\n union isfuzzy=true\r\n ParsedRegistryEvent_Event,\r\n ParsedRegistryEvent_WindowsEvent\r\n };\r\n parser (\r\n disabled = disabled\r\n )\r\n","parameters":"disabled:bool = false","description":"Registry Event ASIM parser for Microsoft Sysmon (registry creation event).","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"c1fbbe4b-04c8-5e0e-a89e-9217180f089c","name":"_ASim_RegistryEvent_MicrosoftSysmonV03","body":"let parser = (\r\n disabled: bool=false\r\n ) {\r\n let RegistryAction = datatable (EventType: string, NewEventType: string)\r\n [\r\n \"CreateKey\", \"RegistryKeyCreated\",\r\n \"DeleteKey\", \"RegistryKeyDeleted\",\r\n \"DeleteValue\", \"RegistryValueDeleted\", \r\n \"SetValue\", \"RegistryValueSet\",\r\n \"RenameKey\", \"RegistryKeyRenamed\"\r\n ]; \r\n let Hives = datatable (KeyPrefix: string, Hive: string)\r\n [\r\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\r\n \"HKU\", \"HKEY_USERS\", \r\n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \r\n ];\r\n // this is the 
parser for sysmon from Event table\r\n // Create the raw table from the raw XML file structure\r\n let ParsedRegistryEvent_Event=() {\r\n Event\r\n | where not(disabled)\r\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\r\n | parse EventData with \r\n * ''RuleName // parsing the XML using the original fields name - for readibliy \r\n ''EventType\r\n ''UtcTime\r\n '{'ProcessGuid\r\n '}'ProcessId\r\n ''Image\r\n ''TargetObject\r\n '' EventDataRemainder \r\n | parse EventDataRemainder with '' Parameter '' ActorUsername '' *\r\n | project-away EventDataRemainder\r\n // End of XML parse\r\n | extend \r\n EventStartTime = todatetime(TimeGenerated), \r\n EventEndTime = todatetime(TimeGenerated), \r\n EventCount = int(1), \r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\", \r\n EventProduct = \"Sysmon\",\r\n EventOriginalType = tostring(EventID), \r\n DvcOs = \"Windows\",\r\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\r\n | project-rename \r\n EventMessage = RenderedDescription, \r\n DvcHostName = Computer, \r\n ActingProcessId = ProcessId,\r\n ActingProcessGuid = ProcessGuid, \r\n ActingProcessName = Image \r\n // Lookup Event Type\r\n | lookup RegistryAction on EventType \r\n | project-rename EventOriginalSubType = EventType\r\n | project-rename EventType = NewEventType\r\n // Normalize Key Hive\r\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\r\n | lookup Hives on KeyPrefix\r\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\r\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\r\n | lookup Hives on KeyPrefix\r\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\r\n | project-away KeyPrefix, KeyMain, Hive\r\n // Split Key and Value for relevant events \r\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\r\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\r\n | extend Value = iff (EventType in (\"RegistryValueSet\", 
\"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\r\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\r\n | extend NewKey = ParsedKey[0][0]\r\n | extend NewValue = ParsedKey[0][1]\r\n | project-away ParsedKey, TargetObject, NewName\r\n // Set normalized registry fields\r\n | extend\r\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\r\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\r\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\r\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\r\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\"),\r\n EventResult = \"Success\",\r\n EventSchema = \"RegistryEvent\",\r\n Rule=RuleName\r\n | extend // aliases\r\n User = ActorUsername,\r\n Process = ActingProcessName,\r\n Dvc = DvcHostName\r\n | project-away\r\n Parameter,\r\n Value,\r\n Key,\r\n NewKey,\r\n NewValue,\r\n EventData,\r\n ParameterXml,\r\n DvcHostName,\r\n EventCategory,\r\n EventID,\r\n EventLevelName,\r\n EventLevel,\r\n EventLog,\r\n Hive1,\r\n MG,\r\n AzureDeploymentID,\r\n RegistryKeyModified,\r\n RegistryValueModified,\r\n Role,\r\n SourceSystem,\r\n Source,\r\n TenantId,\r\n UserName,\r\n UtcTime,\r\n ManagementGroupName,\r\n Message,_ResourceId\r\n };\r\n ParsedRegistryEvent_Event\r\n };\r\n parser (\r\n disabled = disabled\r\n )","parameters":"disabled:bool = false","description":"Registry Event ASIM parser for Microsoft Sysmon (registry creation event).","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"100f0e91-b95c-5beb-80cf-17e776ee7393","name":"_ASim_RegistryEvent_MicrosoftSysmonWindowsEventV03","body":"let parser = (\r\n disabled: bool=false\r\n ) {\r\n let RegistryAction = datatable (EventType: string, NewEventType: string)\r\n [\r\n \"CreateKey\", \"RegistryKeyCreated\",\r\n \"DeleteKey\", 
\"RegistryKeyDeleted\",\r\n \"DeleteValue\", \"RegistryValueDeleted\", \r\n \"SetValue\", \"RegistryValueSet\",\r\n \"RenameKey\", \"RegistryKeyRenamed\"\r\n ]; \r\n let Hives = datatable (KeyPrefix: string, Hive: string)\r\n [\r\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\r\n \"HKU\", \"HKEY_USERS\", \r\n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \r\n ];\r\n // this is the parser for sysmon from WindowsEvent table\r\n let ParsedRegistryEvent_WindowsEvent=() {\r\n WindowsEvent\r\n | where not(disabled)\r\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\r\n | extend \r\n EventStartTime = todatetime(TimeGenerated), \r\n EventEndTime = todatetime(TimeGenerated), \r\n EventCount = int(1), \r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\", \r\n EventProduct = \"Sysmon\",\r\n EventOriginalType = tostring(EventID),\r\n EventType = tostring(EventData.EventType),\r\n DvcOs = \"Windows\",\r\n EventMessage = tostring(EventData.RenderedDescription), \r\n ActorUsername = tostring(EventData.User),\r\n ActingProcessId = tostring(EventData.ProcessId),\r\n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\r\n ActingProcessName = tostring(EventData.Image),\r\n TargetObject = tostring(EventData.TargetObject),\r\n Parameter = tostring(EventData.Parameter)\r\n | project-rename\r\n DvcHostName = Computer \r\n | lookup RegistryAction on EventType\r\n | project-rename EventOriginalSubType = EventType\r\n | project-rename EventType = NewEventType\r\n // Normalize Key Hive\r\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\r\n | lookup Hives on KeyPrefix\r\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\r\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\r\n | lookup Hives on KeyPrefix\r\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\r\n | project-away KeyPrefix, KeyMain, Hive\r\n // Split Key and Value for relevant events \r\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", 
Key)\r\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\r\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\r\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\r\n | extend NewKey = ParsedKey[0][0]\r\n | extend NewValue = ParsedKey[0][1]\r\n | project-away ParsedKey, TargetObject, NewName\r\n // Set normalized registry fields\r\n | extend\r\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\r\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\r\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\r\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\r\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\"),\r\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\r\n | extend // aliases\r\n User = ActorUsername,\r\n Process = ActingProcessName,\r\n Dvc = DvcHostName,\r\n EventResult = \"Success\",\r\n EventSchema = \"RegistryEvent\"\r\n | project-away\r\n Parameter,\r\n Value,\r\n Key,\r\n NewKey,\r\n NewValue,\r\n EventData,\r\n Channel,Correlation,Data,DvcHostName,EventID,EventLevelName,EventLevel,EventOriginId,EventRecordId,Hive1,Keywords,ManagementGroupName,_ResourceId,Opcode,Provider,RawEventData,RegistryKeyModified,RegistryValueModified,SourceSystem,SystemProcessId,SystemThreadId,SystemUserId,Task,TenantId,TimeCreated,Version,_ResourceId\r\n };\r\n ParsedRegistryEvent_WindowsEvent\r\n };\r\n parser (\r\n disabled = disabled\r\n )","parameters":"disabled:bool = false","description":"Registry Event ASIM parser for Microsoft Sysmon (registry creation 
event).","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"ab79e25b-194f-593a-86c1-b0f0398e0749","name":"_ASim_RegistryEvent_MicrosoftWindowsEventV02","body":"let parser = (\r\ndisabled: bool=false\r\n) {\r\nlet ASIM_GetAccountType = (sid: string) { \r\niif ( \r\nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\r\n\"Simple\"\r\n ,\r\n\"Windows\"\r\n)\r\n};\r\n let ASIM_ParseWindowsEvents = (WindowsEvent: (EventData: dynamic)) {\r\n WindowsEvent\r\n | extend\r\n ActorUsername = iif(isnotempty(EventData.SubjectDomainName), strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), EventData.SubjectUserName)\r\n ,\r\n ActorDomainName = tostring(EventData.SubjectDomainName)\r\n ,\r\n ActorUserId = tostring(EventData.SubjectUserSid)\r\n ,\r\n ActorSessionId = tostring(EventData.SubjectLogonId)\r\n ,\r\n ActingProcessName = tostring(EventData.ProcessName)\r\n ,\r\n ActingProcessId = tostring(toint(tolong(EventData.ProcessId)))\r\n ,\r\n RegistryKey = iif(\r\n EventData.ObjectName startswith @\"\\REGISTRY\\MACHINE\",\r\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\r\n ,\r\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\r\n )\r\n};\r\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\r\n [\r\n \"0x1\", \"RegistryValueRead\"\r\n ,\r\n \"0x10\", \"RegistryKeyNotify\"\r\n ,\r\n \"0x10000\", \"RegistryKeyDeleted\"\r\n ,\r\n \"0x2\", \"RegistryValueSet\"\r\n ,\r\n \"0x20000\", \"MetadataAccessed\"\r\n ,\r\n \"0x20006\", \"RegistryValueSet\"\r\n ,\r\n \"0x40000\", \"MetadataModified\"\r\n ,\r\n \"0x8\", \"RegistrySubkeyEnumerated\"\r\n];\r\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\r\n [\r\n \"%%1904\", \"RegistryValueSet\"\r\n ,\r\n \"%%1905\", \"RegistryValueSet\"\r\n ,\r\n \"%%1906\", \"RegistryValueDeleted\"\r\n];\r\n let 
RegistryType = datatable (TypeCode: string, TypeName: string)\r\n [\r\n \"%%1872\", \"REG_NONE\"\r\n ,\r\n \"%%1873\", \"REG_SZ\"\r\n ,\r\n \"%%1874\", \"REG_EXPAND_SZ\"\r\n ,\r\n \"%%1875\", \"REG_BINARY\"\r\n ,\r\n \"%%1876\", \"REG_DWORD\"\r\n ,\r\n \"%%1879\", \"REG_MULTI_SZ\"\r\n ,\r\n \"%%1883\", \"REG_QWORD\"\r\n];\r\n union isfuzzy=false\r\n (\r\n WindowsEvent\r\n | where not(disabled)\r\n | where EventID == 4663 and EventData.ObjectType == \"Key\"\r\n | extend\r\n AccessMask = tostring(EventData.AccessMask)\r\n ,\r\n Type = \"WindowsEvent\"\r\n | lookup Event4663TypeLookup on AccessMask\r\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\r\n | invoke ASIM_ParseWindowsEvents()\r\n | project\r\n TimeGenerated,\r\n Computer,\r\n EventID,\r\n EventType,\r\n ActorUsername,\r\n ActorDomainName,\r\n ActorUserId,\r\n ActorSessionId,\r\n ActingProcessName,\r\n ActingProcessId,\r\n RegistryKey,\r\n _ResourceId,\r\n Type\r\n ),\r\n (\r\n WindowsEvent\r\n | where not(disabled)\r\n | where EventID == 4657\r\n | invoke ASIM_ParseWindowsEvents()\r\n | extend\r\n EventOriginalSubType = tostring(EventData.OperationType)\r\n ,\r\n OldValue = tostring(EventData.OldValue)\r\n ,\r\n NewValue = tostring(EventData.NewValue)\r\n ,\r\n RegistryValue = tostring(EventData.ObjectValueName)\r\n ,\r\n NewValueType = tostring(EventData.NewValueType)\r\n ,\r\n OldValueType = tostring(EventData.OldValueType)\r\n | lookup Event4567TypeLookup on EventOriginalSubType\r\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\r\n | project\r\n TimeGenerated,\r\n Computer,\r\n EventID,\r\n EventType,\r\n ActorUsername,\r\n ActorDomainName,\r\n ActorUserId,\r\n ActorSessionId,\r\n ActingProcessName,\r\n ActingProcessId,\r\n RegistryKey,\r\n _ResourceId,\r\n RegistryValue,\r\n Type,\r\n NewValueType,\r\n OldValueType,\r\n EventOriginalSubType,\r\n OldValue,\r\n NewValue\r\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\r\n | project-rename 
RegistryValueType = TypeName\r\n | lookup RegistryType on $left.OldValueType == $right.TypeCode\r\n | project-rename RegistryPreviousValueType = TypeName\r\n | extend\r\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\r\n ,\r\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\r\n ,\r\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\r\n ,\r\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\r\n | project-away\r\n NewValueType,\r\n OldValueType,\r\n EventOriginalSubType,\r\n OldValue,\r\n NewValue\r\n )\r\n | invoke _ASIM_ResolveFQDN (\"Computer\")\r\n | extend\r\n ActorUserIdType = iff (ActorUserId \"S-1-0-0\", \"SID\", \"\"),\r\n ActorUserId = iff (ActorUserId \"S-1-0-0\", ActorUserId, \"\")\r\n | project-rename\r\n DvcDomainType = DomainType\r\n ,\r\n DvcHostname = ExtractedHostname\r\n | extend\r\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\r\n ,\r\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\r\n ,\r\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\r\n | extend\r\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\r\n ,\r\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\r\n | extend\r\n User = ActorUsername\r\n ,\r\n UserId = ActorUserId\r\n ,\r\n ActorUserSid = ActorUserId\r\n ,\r\n Process = ActingProcessName\r\n ,\r\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\r\n ,\r\n EventStartTime = TimeGenerated\r\n ,\r\n EventEndTime = TimeGenerated\r\n ,\r\n EventOriginalType = tostring(EventID)\r\n | extend\r\n EventSchemaVersion = \"0.1\" \r\n ,\r\n EventSchema = \"RegistryEvent\"\r\n ,\r\n EventCount = toint(1)\r\n ,\r\n EventResult = \"Success\"\r\n ,\r\n EventVendor = \"Microsoft\"\r\n ,\r\n EventProduct = \"Security Events\" \r\n ,\r\n DvcOs = \"Windows\"\r\n | project-away 
ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId };\r\nparser (\r\n disabled = disabled\r\n)\r\n","parameters":"disabled:bool = false","description":"Registry Event ASIM parser for Microsoft Windows Events (registry creation event).","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"21ac799a-7fab-51e2-b708-5a3a0966c572","name":"_ASim_RegistryEvent_NativeV01","body":"let parser=(disabled: bool=false) {\r\n ASimRegistryEventLogs\r\n | where not(disabled)\r\n | project-rename\r\n EventUid = _ItemId\r\n | extend \r\n EventSchema = \"RegistryEvent\",\r\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\r\n // -- Aliases\r\n | extend\r\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\r\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\r\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\r\n User = ActorUsername,\r\n Rule = coalesce(RuleName, tostring(RuleNumber)),\r\n Process = ActingProcessName\r\n | project-away\r\n TenantId,\r\n SourceSystem,\r\n _SubscriptionId,\r\n _ResourceId\r\n};\r\nparser (disabled=disabled)","parameters":"disabled:bool = false","description":"Registry Event ASIM parser for Microsoft Sentinel native Registry Event table.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"963f96dc-fb52-5e0e-9801-20afc546066b","name":"_ASim_RegistryEvent_SentinelOneV01","body":"let EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\r\n[\r\n \"REGVALUEMODIFIED\", \"RegistryValueSet\",\r\n \"REGVALUECREATE\", \"RegistryValueSet\",\r\n \"REGKEYCREATE\", \"RegistryKeyCreated\",\r\n \"REGKEYDELETE\", \"RegistryKeyDeleted\",\r\n \"REGVALUEDELETE\", \"RegistryValueDeleted\",\r\n \"REGKEYRENAME\", \"RegistryKeyRenamed\"\r\n];\r\nlet RegistryKeyPrefixLookup = 
datatable (\r\n RegistryKeyPrefix: string,\r\n RegistryKeyNormalizedPrefix: string\r\n)\r\n [\r\n \"MACHINE\", \"HKEY_LOCAL_MACHINE\",\r\n \"USER\", \"HKEY_USERS\",\r\n \"CONFIG\", \"HKEY_CURRENT_CONFIG\",\r\n \"ROOT\", \"HKEY_CLASSES_ROOT\"\r\n];\r\nlet RegistryPreviousValueTypeLookup = datatable (\r\n alertInfo_registryOldValueType_s: string,\r\n RegistryPreviousValueType_lookup: string\r\n)\r\n [\r\n \"BINARY\", \"Reg_Binary\",\r\n \"DWORD\", \"Reg_DWord\",\r\n \"QWORD\", \"Reg_QWord\",\r\n \"SZ\", \"Reg_Sz\",\r\n \"EXPAND_SZ\", \"Reg_Expand_Sz\",\r\n \"MULTI_SZ\", \"Reg_Multi_Sz\",\r\n \"DWORD_BIG_ENDIAN\", \"Reg_DWord\"\r\n];\r\nlet ThreatConfidenceLookup_undefined = datatable(\r\n alertInfo_analystVerdict_s: string,\r\n ThreatConfidence_undefined: int\r\n)\r\n [\r\n \"FALSE_POSITIVE\", 5,\r\n \"Undefined\", 15,\r\n \"SUSPICIOUS\", 25,\r\n \"TRUE_POSITIVE\", 33 \r\n];\r\nlet ThreatConfidenceLookup_suspicious = datatable(\r\n alertInfo_analystVerdict_s: string,\r\n ThreatConfidence_suspicious: int\r\n)\r\n [\r\n \"FALSE_POSITIVE\", 40,\r\n \"Undefined\", 50,\r\n \"SUSPICIOUS\", 60,\r\n \"TRUE_POSITIVE\", 67 \r\n];\r\nlet ThreatConfidenceLookup_malicious = datatable(\r\n alertInfo_analystVerdict_s: string,\r\n ThreatConfidence_malicious: int\r\n)\r\n [\r\n \"FALSE_POSITIVE\", 75,\r\n \"Undefined\", 80,\r\n \"SUSPICIOUS\", 90,\r\n \"TRUE_POSITIVE\", 100 \r\n];\r\nlet parser = (disabled: bool=false) { \r\n let alldata = SentinelOne_CL \r\n | where not(disabled)\r\n and event_name_s == \"Alerts.\"\r\n and alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGKEYCREATE\", \"REGKEYDELETE\", \"REGVALUEDELETE\", \"REGKEYRENAME\")\r\n | lookup EventTypeLookup on alertInfo_eventType_s\r\n | lookup RegistryPreviousValueTypeLookup on alertInfo_registryOldValueType_s;\r\n let undefineddata = alldata\r\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\r\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\r\n let suspiciousdata = 
alldata\r\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\r\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\r\n let maliciousdata = alldata\r\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\r\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\r\n union undefineddata, suspiciousdata, maliciousdata\r\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\r\n | extend RegistryKeyPrefix = tostring(split(alertInfo_registryKeyPath_s, @'\\')[0])\r\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\r\n | extend RegistryKey = replace_string(alertInfo_registryKeyPath_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\r\n | extend RegistryValue = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGVALUEDELETE\"), tostring(split(alertInfo_registryKeyPath_s, @'\\')[-1]), \"\")\r\n | extend RegistryValueType = case(\r\n alertInfo_registryValue_s matches regex '^[0-9]+$',\r\n \"Reg_Dword\",\r\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) 10,\r\n \"Reg_QWord\",\r\n alertInfo_registryValue_s matches regex '^[A-Fa-f0-9]+$',\r\n \"Reg_Binary\",\r\n \"\"\r\n )\r\n | extend RegistryValueType = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\") and isempty(RegistryValueType), \"Reg_Sz\", RegistryValueType),\r\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\r\n | project-rename\r\n ActingProcessId = sourceProcessInfo_pid_s,\r\n ActorUsername = sourceProcessInfo_user_s,\r\n EventStartTime= sourceProcessInfo_pidStarttime_t,\r\n EventOriginalSeverity = ruleInfo_severity_s,\r\n EventUid = _ItemId,\r\n ParentProcessId = sourceParentProcessInfo_pid_s,\r\n ActingProcessName = sourceProcessInfo_name_s,\r\n DvcId = agentDetectionInfo_uuid_g,\r\n DvcOs = agentDetectionInfo_osName_s,\r\n DvcOsVersion = agentDetectionInfo_osRevision_s,\r\n EventOriginalType = 
alertInfo_eventType_s,\r\n ParentProcessName = sourceParentProcessInfo_name_s,\r\n RegistryValueData = alertInfo_registryValue_s,\r\n EventOriginalUid = alertInfo_dvEventId_s,\r\n RuleName = ruleInfo_name_s,\r\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\r\n | extend\r\n EventCount = int(1),\r\n EventProduct = \"SentinelOne\",\r\n EventVendor = \"SentinelOne\",\r\n EventResult = \"Success\",\r\n DvcAction = \"Allowed\",\r\n EventSchema = \"RegistryEvent\",\r\n EventSchemaVersion = \"0.1.2\"\r\n | extend\r\n Dvc = coalesce(DvcHostname, EventProduct), \r\n EventEndTime = EventStartTime,\r\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\r\n RegistryPreviousKey = RegistryKey,\r\n RegistryPreviousValueData = coalesce(alertInfo_registryOldValue_s, RegistryValueData),\r\n RegistryPreviousValueType = coalesce(RegistryPreviousValueType_lookup, RegistryValueType),\r\n RegistryPreviousValue = RegistryValue,\r\n Process = ActingProcessName,\r\n User = ActorUsername,\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\r\n Rule = RuleName\r\n | project-away \r\n *_d,\r\n *_s,\r\n *_g,\r\n *_t,\r\n *_b,\r\n _ResourceId,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId,\r\n RegistryKeyPrefix,\r\n RegistryKeyNormalizedPrefix,\r\n RegistryPreviousValueType_lookup,\r\n ThreatConfidence_*\r\n};\r\nparser(disabled = disabled)","parameters":"disabled:bool = false","description":"Registry Event ASIM Parser for SentinelOne.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"373bc56b-9e24-5106-9592-644341642719","name":"_ASim_RegistryEvent_TrendMicroVisionOneV01","body":"let EventTypeLookup = datatable(detail_eventSubId_s: string, EventType: string)[\r\n \"TELEMETRY_REGISTRY_CREATE\", 
\"RegistryKeyCreated\",\r\n \"TELEMETRY_REGISTRY_SET\", \"RegistryValueSet\",\r\n \"TELEMETRY_REGISTRY_DELETE\", \"RegistryKeyDeleted\",\r\n \"TELEMETRY_REGISTRY_RENAME\", \"RegistryKeyRenamed\"\r\n];\r\nlet RegistryKeyPrefixLookup = datatable(\r\n RegistryKeyPrefix: string,\r\n RegistryKeyNormalizedPrefix: string\r\n)[\r\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\r\n \"HKU\", \"HKEY_USERS\",\r\n \"HKCU\", \"HKEY_CURRENT_USER\",\r\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\r\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\r\n];\r\nlet RegistryValueTypeLookup = datatable (detail_objectRegType_d: real, RegistryValueType: string)[\r\n 0, \"Reg_None\",\r\n 1, \"Reg_Sz\",\r\n 2, \"Reg_Expand_Sz\",\r\n 3, \"Reg_Binary\",\r\n 4, \"Reg_DWord\",\r\n 5, \"Reg_DWord\",\r\n 7, \"Reg_Multi_Sz\",\r\n 11, \"Reg_QWord\"\r\n];\r\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\r\n \"low\", \"Low\",\r\n \"medium\", \"Medium\",\r\n \"high\", \"High\",\r\n \"info\", \"Informational\",\r\n \"critical\", \"High\"\r\n];\r\nlet parser = (disabled: bool=false) {\r\n TrendMicro_XDR_OAT_CL\r\n | where not(disabled)\r\n | where detail_eventId_s == \"TELEMETRY_REGISTRY\"\r\n | parse filters_s with * \"[\" filters: string \"]\"\r\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\r\n | lookup EventTypeLookup on detail_eventSubId_s\r\n | lookup RegistryValueTypeLookup on detail_objectRegType_d\r\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\r\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\r\n | extend RegistryKeyPrefix = tostring(split(detail_objectRegistryKeyHandle_s, @'\\')[0])\r\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\r\n | extend \r\n RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix),\r\n ActingProcessId = tostring(toint(detail_processPid_d)),\r\n ParentProcessId = 
tostring(toint(detail_parentPid_d)),\r\n ActorSessionId = tostring(toint(detail_authId_d)),\r\n AdditionalFields = bag_pack(\r\n \"name\", name,\r\n \"tags\", detail_tags_s,\r\n \"objectRegType\", detail_objectRegType_d\r\n )\r\n | extend\r\n EventCount = int(1),\r\n EventProduct = \"Vision One\",\r\n EventVendor = \"Trend Micro\",\r\n EventSchema = \"RegistryEvent\",\r\n EventSchemaVersion = \"0.1.2\",\r\n EventResult = \"Success\",\r\n DvcAction = \"Allowed\"\r\n | project-rename\r\n ActorUsername = detail_processUser_s,\r\n EventStartTime = detail_eventTimeDT_t,\r\n RegistryValue = detail_objectRegistryValue_s,\r\n RegistryValueData = detail_objectRegistryData_s,\r\n ActingProcessName = detail_processName_s,\r\n DvcId = detail_endpointGuid_g,\r\n DvcOs = detail_osName_s,\r\n DvcOsVersion = detail_osVer_s,\r\n EventUid = _ItemId,\r\n EventOriginalSubType = detail_eventSubId_s,\r\n EventOriginalType = detail_eventId_s,\r\n EventOriginalUid = detail_uuid_g,\r\n EventOriginalSeverity = detail_filterRiskLevel_s,\r\n EventProductVersion = detail_pver_s,\r\n EventMessage = description\r\n | extend\r\n User = ActorUsername,\r\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername,\"\"),\r\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname),\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n Process = ActingProcessName,\r\n EventEndTime = EventStartTime,\r\n RegistryPreviousKey = RegistryKey,\r\n RegistryPreviousValue = RegistryValue,\r\n RegistryPreviousValueData = RegistryValueData,\r\n RegistryPreviousValueType = RegistryValueType\r\n | project-away\r\n *_d,\r\n *_s,\r\n *_g,\r\n *_t,\r\n *_b,\r\n _ResourceId,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId,\r\n name,\r\n filters,\r\n *Prefix\r\n};\r\nparser(disabled = disabled)","parameters":"disabled:bool = false","description":"Registry Event ASIM Parser for Trend Micro Vision 
One.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"83325eec-c8cc-5790-ba09-a45873ca3498","name":"_ASim_RegistryEvent_VMwareCarbonBlackCloudV01","body":"let EventTypeLookup = datatable (temp_action: string, EventType: string)\r\n[\r\n \"ACTION_WRITE_VALUE\", \"RegistryValueSet\",\r\n \"ACTION_CREATE_KEY\", \"RegistryKeyCreated\",\r\n \"ACTION_DELETE_KEY\", \"RegistryKeyDeleted\",\r\n \"ACTION_DELETE_VALUE\", \"RegistryValueDeleted\",\r\n \"ACTION_RENAME_KEY\", \"RegistryKeyRenamed\"\r\n];\r\nlet RegistryKeyPrefixLookup = datatable(\r\n RegistryKeyPrefix: string,\r\n RegistryKeyNormalizedPrefix: string\r\n)[\r\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\r\n \"HKU\", \"HKEY_USERS\",\r\n \"HKCU\", \"HKEY_CURRENT_USER\",\r\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\r\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\r\n];\r\nlet actionvalues = dynamic([\"ACTION_WRITE_VALUE\", \"ACTION_CREATE_KEY\", \"ACTION_DELETE_KEY\", \"ACTION_DELETE_VALUE\", \"ACTION_RENAME_KEY\"]);\r\nlet parser=(disabled: bool=false) {\r\n CarbonBlackEvents_CL\r\n | where not(disabled)\r\n | where eventType_s == \"endpoint.event.regmod\"\r\n and isnotempty(regmod_name_s)\r\n | extend\r\n temp_action = case(\r\n action_s has \"|\" and action_s has \"delete\",\r\n \"ACTION_DELETE_KEY\",\r\n action_s has \"|\" and action_s !has \"delete\",\r\n \"ACTION_CREATE_KEY\",\r\n action_s\r\n ),\r\n RegistryKeyPrefix = tostring(split(regmod_name_s, @'\\')[0])\r\n | where temp_action in (actionvalues)\r\n | lookup EventTypeLookup on temp_action\r\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\r\n | extend\r\n RegistryKey = replace_string(regmod_name_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix),\r\n ActingProcessId = tostring(toint(process_pid_d)),\r\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\r\n ParentProcessId = tostring(toint(parent_pid_d)),\r\n AdditionalFields = bag_pack(\r\n \"process_guid\", process_guid_s,\r\n \"parent_guid\", 
parent_guid_s \r\n )\r\n | project-rename\r\n ActorUsername = process_username_s,\r\n DvcIpAddr = device_external_ip_s,\r\n DvcScope = device_group_s,\r\n EventUid = _ItemId,\r\n ActingProcessName = process_path_s,\r\n DvcId = device_id_s,\r\n DvcOs = device_os_s,\r\n EventMessage = event_description_s,\r\n EventOriginalType = action_s,\r\n EventOriginalUid = event_id_g,\r\n EventOwner = event_origin_s,\r\n ParentProcessName = processDetails_parentName_s,\r\n ActorScopeId = org_key_s\r\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\r\n | extend\r\n EventCount = toint(1),\r\n EventProduct = \"Carbon Black Cloud\",\r\n EventVendor = \"VMware\",\r\n EventResult = \"Success\",\r\n DvcAction = \"Allowed\",\r\n EventSchema = \"RegistryEvent\",\r\n EventSchemaVersion = \"0.1.2\"\r\n | extend\r\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n EventEndTime = EventStartTime,\r\n Process = ActingProcessName,\r\n User = ActorUsername,\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\r\n | project-away\r\n *_d,\r\n *_s,\r\n *_g,\r\n *_b,\r\n temp_action,\r\n _ResourceId,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId,\r\n RegistryKeyPrefix,\r\n RegistryKeyNormalizedPrefix\r\n};\r\nparser(disabled = disabled)","parameters":"disabled:bool = false","description":"Registry Event ASIM Parser for VMware Carbon Black Cloud.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"77ed9d57-1e22-5298-bb95-f857e2c06b2f","name":"_ASim_UserManagement","body":"union isfuzzy=true\r\n_ASim_UserManagementBuiltIn(pack= pack),\r\nASim_UserManagementSolutions(pack= pack),\r\nASim_UserManagementCustom(pack= pack)\r\n","parameters":"pack:bool = false","description":"User Management ASIM 
parser.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"ae8924bb-3358-5474-856c-32915255733e","name":"_ASim_UserManagementBuiltIn","body":"let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') \r\n| where SearchKey in ('Any', 'Exclude_ASim_UserManagement') \r\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') \r\n| where isnotempty(SourceSpecificParser) \r\n| summarize list = make_set(SourceSpecificParser));\r\nlet builtInDisabled = 0 != array_length(set_intersect(toscalar(DisabledParsers),dynamic(['Exclude_ASim_UserManagementBuiltIn', 'Exclude_ASim_UserManagement', 'Any'])));\r\nunion isfuzzy=true\r\n_ASim_UserManagement_AWSCloudTrailV01(disabled= (builtInDisabled or('Exclude_ASim_UserManagement_AWSCloudTrail' in (DisabledParsers))), pack= pack),\r\n_ASim_UserManagement_CiscoISEV01(disabled= (builtInDisabled or('Exclude_ASim_UserManagement_CiscoISE' in (DisabledParsers)))),\r\n_ASim_UserManagement_LinuxAuthprivV01(disabled= (builtInDisabled or('Exclude_ASim_UserManagement_LinuxAuthpriv' in (DisabledParsers)))),\r\n_ASim_UserManagement_MicrosoftSecurityEventV02(disabled= (builtInDisabled or('Exclude_ASim_UserManagement_MicrosoftSecurityEvent' in (DisabledParsers)))),\r\n_ASim_UserManagement_MicrosoftWindowsEventV02(disabled= (builtInDisabled or('Exclude_ASim_UserManagement_MicrosoftWindowsEvent' in (DisabledParsers)))),\r\n_ASim_UserManagement_NativeV01(disabled= (builtInDisabled or('Exclude_ASim_UserManagement_Native' in (DisabledParsers)))),\r\n_ASim_UserManagement_SentinelOneV01(disabled= (builtInDisabled or('Exclude_ASim_UserManagement_SentinelOne' in (DisabledParsers)))),\r\n_Im_UserManagement_EmptyV02\r\n","parameters":"pack:bool = false","description":"User Management ASIM built-in union 
parser.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"701de73a-ce34-51a4-b7e0-7d4f1eae80a4","name":"_ASim_UserManagement_AWSCloudTrailV01","body":"let ParseIAMEvents = (T: (EventSource: string, EventName: string, RequestParameters: dynamic, ResponseElements: dynamic)) {\r\n let IAMEventNameLookup = datatable(EventName: string, EventType: string)\r\n [\r\n \"AddUserToGroup\", \"UserAddedToGroup\",\r\n \"AttachGroupPolicy\", \"GroupModified\",\r\n \"AttachUserPolicy\", \"UserModified\",\r\n \"ChangePassword\", \"PasswordChanged\",\r\n \"CreateGroup\", \"GroupCreated\",\r\n \"CreateLoginProfile\", \"UserModified\",\r\n \"CreateUser\", \"UserCreated\",\r\n \"DeleteGroup\", \"GroupDeleted\",\r\n \"DeleteGroupPolicy\", \"GroupModified\",\r\n \"DeleteLoginProfile\", \"UserModified\",\r\n \"DeleteRole\", \"UserDeleted\",\r\n \"DeleteUser\", \"UserDeleted\",\r\n \"DeleteUserPolicy\", \"UserModified\",\r\n \"DetachGroupPolicy\", \"GroupModified\",\r\n \"DetachRolePolicy\", \"UserModified\",\r\n \"DetachUserPolicy\", \"UserModified\",\r\n \"EnableMFADevice\", \"UserModified\",\r\n \"GetGroup\", \"GroupRead\",\r\n \"GetGroupPolicy\", \"GroupRead\",\r\n \"GetLoginProfile\", \"UserRead\",\r\n \"GetMFADevice\", \"UserRead\",\r\n \"GetRole\", \"UserRead\",\r\n \"GetUser\", \"UserRead\",\r\n \"ListAttachedGroupPolicies\", \"GroupRead\",\r\n \"ListAttachedRolePolicies\", \"UserRead\",\r\n \"ListAttachedUserPolicies\", \"UserRead\",\r\n \"ListGroups\", \"GroupEnumerated\",\r\n \"ListGroupsForUser\", \"UserRead\",\r\n \"ListMFADevices\", \"UserRead\",\r\n \"ListRoles\", \"UserRead\",\r\n \"ListUsers\", \"UserRead\",\r\n \"PutGroupPolicy\", \"GroupModified\",\r\n \"PutRolePolicy\", \"UserModified\",\r\n \"PutUserPolicy\", \"UserModified\",\r\n \"RemoveUserFromGroup\", \"UserRemovedFromGroup\",\r\n \"TagRole\", \"UserModified\",\r\n \"TagUser\", \"UserModified\",\r\n \"UntagUser\", \"UserModified\",\r\n \"UntagUser\", 
\"UserModified\",\r\n \"UpdateGroup\", \"GroupModified\",\r\n \"UpdateLoginProfile\", \"PasswordChanged\",\r\n \"UpdateRole\", \"UserModified\",\r\n \"UpdateRoleDescription\", \"UserModified\",\r\n \"UpdateSigningCertificate\", \"PasswordChanged\",\r\n \"UpdateSSHPublicKey\", \"PasswordChanged\",\r\n \"UpdateUser\", \"UserModified\",\r\n \"UploadSigningCertificate\", \"UserModified\",\r\n \"UploadSSHPublicKey\", \"UserModified\"\r\n ];\r\n T\r\n | where EventSource == \"iam.amazonaws.com\"\r\n | lookup IAMEventNameLookup on EventName\r\n | where isnotempty(EventType)\r\n | extend\r\n TargetUserId = coalesce(tostring(ResponseElements.user.userId), tostring(ResponseElements.role.roleId)),\r\n TargetUsername = coalesce(tostring(RequestParameters.userName), tostring(RequestParameters.roleName)),\r\n GroupId = tostring(ResponseElements.group.groupName),\r\n GroupName = tostring(RequestParameters.groupName)\r\n | extend \r\n TargetUserIdType = case(\r\n TargetUserId startswith \"AROA\", \"AWSIAMRoleId\",\r\n TargetUserId startswith \"AIDA\", \"AWSIAMUserId\",\r\n \"\"\r\n ),\r\n GroupOriginalType = iff(isempty(GroupName), \"\", \"IAM Group\")\r\n | extend AdditionalData = bag_pack(\r\n \"TargetUserARN\", coalesce(tostring(ResponseElements.user.arn), tostring(ResponseElements.role.arn)),\r\n \"GroupARN\", tostring(ResponseElements.group.arn)\r\n )\r\n };\r\n let ParseCognitoEvents = (T: (EventSource: string, EventName: string, RequestParameters: dynamic)) {\r\n let CognitoIDPEventNameLookup = datatable(EventName: string, EventType: string)\r\n [\r\n \"AddCustomAttributes\", \"GroupModified\",\r\n \"AdminAddUserToGroup\", \"UserAddedToGroup\",\r\n \"AdminConfirmSignUp\", \"UserEnabled\",\r\n \"AdminCreateUser\", \"UserCreated\",\r\n \"AdminDeleteUser\", \"UserDeleted\",\r\n \"AdminDeleteUserAttributes\", \"UserModified\",\r\n \"AdminDisableProviderForUser\", \"UserDisabled\",\r\n \"AdminDisableUser\", \"UserDisabled\",\r\n \"AdminEnableUser\", \"UserEnabled\",\r\n 
\"AdminForgetDevice\", \"UserModified\",\r\n \"AdminGetDevice\", \"UserRead\",\r\n \"AdminGetUser\", \"UserRead\",\r\n \"AdminLinkUserAuthEvents\", \"UserModified\",\r\n \"AdminListDevices\", \"UserRead\",\r\n \"AdminListGroupsForUser\", \"UserRead\",\r\n \"AdminListUserAuthEvents\", \"UserRead\",\r\n \"AdminRemoveUserFromGroup\", \"UserRemovedFromGroup\",\r\n \"AdminResetUserPassword\", \"PasswordReset\",\r\n \"AdminSetUserMFAPreference\", \"UserModified\",\r\n \"AdminSetUserPassword\", \"PasswordChanged\",\r\n \"AdminSetUserSettings\", \"UserModified\",\r\n \"AdminUpdateDeviceStatus\", \"UserModified\",\r\n \"AdminUpdateUserAttributes\", \"UserModified\",\r\n \"ChangePassword\", \"PasswordChanged\",\r\n \"CompleteWebAuthnRegistration\", \"UserModified\",\r\n \"ConfirmSignUp\", \"UserCreated\",\r\n \"CreateGroup\", \"GroupCreated\",\r\n \"CreateUserPool\", \"GroupCreated\",\r\n \"DeleteGroup\", \"GroupDeleted\",\r\n \"DeleteUser\", \"UserDeleted\",\r\n \"DeleteUserAttributes\", \"UserModified\",\r\n \"DeleteUserPool\", \"GroupDeleted\",\r\n \"DeleteWebAuthnCredential\", \"UserModified\",\r\n \"DescribeUserPool\", \"GroupRead\",\r\n \"GetGroup\", \"GroupRead\",\r\n \"GetUser\", \"UserRead\",\r\n \"GetUserPoolMfaConfig\", \"GroupRead\",\r\n \"ListGroups\", \"GroupRead\",\r\n \"ListIdentityProviders\", \"GroupRead\",\r\n \"ListResourceServers\", \"GroupRead\",\r\n \"ListTerms\", \"GroupRead\",\r\n \"ListUserPools\", \"GroupEnumerated\",\r\n \"ListUsers\", \"GroupEnumerated\",\r\n \"ListUsersInGroup\", \"GroupEnumerated\",\r\n \"SetUserPoolMfaConfig\", \"GroupModified\",\r\n \"SignUp\", \"UserCreated\",\r\n \"UpdateGroup\", \"GroupModified\",\r\n \"UpdateUserAttributes\", \"UserModified\",\r\n \"UpdateUserPool\", \"GroupModified\"\r\n ];\r\n T\r\n | where EventSource == \"cognito-idp.amazonaws.com\"\r\n | lookup CognitoIDPEventNameLookup on EventName\r\n | where isnotempty(EventType)\r\n | extend\r\n TargetUsername = tostring(RequestParameters.username),\r\n GroupName 
= coalesce(tostring(RequestParameters.poolName), tostring(RequestParameters.groupName)),\r\n GroupId = tostring(RequestParameters.userPoolId)\r\n | extend GroupOriginalType = case(\r\n isnotempty(tostring(RequestParameters.groupName)), \"UserPool Group\",\r\n isnotempty(GroupId), \"UserPool\",\r\n \"\")\r\n | extend AdditionalData = bag_pack(\r\n \"UserPoolId\", tostring(RequestParameters.UserPoolId)\r\n )\r\n };\r\n let parser = (disabled: bool, pack: bool) {\r\n let SupportedEventSources = dynamic([\r\n \"cognito-idp.amazonaws.com\",\r\n \"iam.amazonaws.com\"\r\n ]);\r\n let EventSourceNameLookup = datatable(EventSource: string, TargetUserScope: string)\r\n [\r\n \"cognito-idp.amazonaws.com\", \"Cognito User Pools\",\r\n \"iam.amazonaws.com\", \"IAM\"\r\n ];\r\n let SupportedEvents = AWSCloudTrail\r\n | where EventSource in (SupportedEventSources)\r\n | extend RequestParameters = todynamic(RequestParameters), ResponseElements = todynamic(ResponseElements);\r\n union isfuzzy=false\r\n ParseIAMEvents(SupportedEvents),\r\n ParseCognitoEvents(SupportedEvents)\r\n | extend\r\n Type = \"AWSCloudTrail\",\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventSeverity = \"Informational\",\r\n EventSchema = \"UserManagement\",\r\n EventSchemaVersion = \"0.1.2\",\r\n EventVendor = \"AWS\",\r\n EventProduct = \"CloudTrail\",\r\n Dvc = \"CloudTrail\",\r\n EventResult = iff(isempty(ErrorCode) and isempty(ErrorMessage), \"Success\", \"Failure\"),\r\n EventMessage = ErrorMessage\r\n | lookup EventSourceNameLookup on EventSource\r\n | project-rename\r\n EventOriginalSubType = EventTypeName,\r\n EventOriginalType = EventName,\r\n EventUid = AwsEventId,\r\n EventOriginalResultDetails = ErrorMessage,\r\n EventProductVersion = EventVersion\r\n | project-rename\r\n ActorUserId = UserIdentityAccountId,\r\n ActorUsername = UserIdentityUserName,\r\n ActorOriginalUserType = UserIdentityType,\r\n HttpUserAgent = UserAgent\r\n | extend\r\n 
ActorUserIdType = iff(isempty(ActorUserId), \"\", \"AWSId\"),\r\n ActorUsernameType = iff(isempty(ActorUsername), \"\", \"Simple\"),\r\n SrcIpAddr = iff(ipv4_is_in_range(SourceIpAddress, \"0.0.0.0/0\"), SourceIpAddress, \"\")\r\n | extend\r\n TargetUsernameType = iff(isempty(TargetUsername), \"\", \"Simple\"),\r\n GroupIdType = iff(isempty(GroupId), \"\", \"Simple\"),\r\n GroupNameType = iff(isempty(GroupName), \"\", \"Simple\")\r\n | extend AdditionalFields = iff(pack, bag_pack(\r\n \"ActorAccessKeyId\", UserIdentityAccessKeyId,\r\n \"AWSRegion\", AWSRegion,\r\n \"APIVersion\", APIVersion,\r\n \"ManagementEvent\", ManagementEvent,\r\n \"ReadOnly\", ReadOnly,\r\n \"RequestParameters\", RequestParameters,\r\n \"ResponseElements\", ResponseElements\r\n ), dynamic([]))\r\n | extend AdditionalFields = iff(pack, bag_merge(AdditionalFields, AdditionalData), dynamic([]))\r\n // Alias\r\n | extend\r\n User = ActorUsername,\r\n IpAddr = SrcIpAddr\r\n | project\r\n TimeGenerated,\r\n Type,\r\n EventCount,\r\n EventStartTime,\r\n EventEndTime,\r\n EventSeverity,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventVendor,\r\n EventProduct,\r\n TargetUserScope,\r\n Dvc,\r\n EventResult,\r\n EventMessage,\r\n EventType,\r\n EventOriginalSubType,\r\n EventOriginalType,\r\n EventUid,\r\n EventOriginalResultDetails,\r\n EventProductVersion,\r\n ActorUserId,\r\n ActorUsername,\r\n ActorOriginalUserType,\r\n HttpUserAgent,\r\n ActorUserIdType,\r\n ActorUsernameType,\r\n SrcIpAddr,\r\n TargetUserId,\r\n TargetUsername,\r\n TargetUserIdType,\r\n GroupId,\r\n GroupName,\r\n TargetUsernameType,\r\n GroupIdType,\r\n GroupNameType,\r\n GroupOriginalType,\r\n User,\r\n IpAddr,\r\n AdditionalFields\r\n};\r\nparser(disabled = disabled, pack = pack);","parameters":"disabled:bool = false, pack:bool = false","description":"User Management ASIM parser for AWS Cloud 
Trail.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"f48e9583-3107-5b75-bcb4-8fa6b344cc72","name":"_ASim_UserManagement_CiscoISEV01","body":"let EventFieldsLookup=datatable(\r\nEventOriginalType: int,\r\nEventResult: string,\r\nEventType: string,\r\nEventResultDetails: string,\r\nEventSubType: string,\r\nEventSeverity: string,\r\nEventOriginalSeverity: string,\r\nEventMessage: string\r\n)[\r\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\r\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\r\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\r\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\r\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\r\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains username\",\r\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\r\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\r\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\r\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Password must not contain dictionary words or their characters in reverse order\",\r\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\r\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\r\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\r\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\r\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\r\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\r\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\r\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\r\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\r\n\"86003\", \"Success\", \"UserEnabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\r\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\r\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\r\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\r\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", 
\"Informational\", \"INFO\", \"Guest user account is deleted\",\r\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\r\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\r\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\r\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\r\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\r\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\r\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\r\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\r\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\r\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\r\n\"24425\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\r\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\r\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\r\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", 
\"Informational\", \"INFO\", \"Reset admin password to its default value\",\r\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\r\n];\r\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \r\n | summarize make_set(EventOriginalType));\r\nlet CiscoISEUsrMgmtParser=(disabled: bool=false) {\r\n Syslog\r\n | where Computer in (_ASIM_GetSourceBySourceType(\"CiscoISE\"))\r\n | where not(disabled)\r\n | where ProcessName has_any (\"CISE\", \"CSCO\")\r\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\r\n | where EventOriginalType in (EventOriginalTypeList)\r\n | lookup EventFieldsLookup on EventOriginalType\r\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\r\n | project-rename\r\n SrcIpAddr=['Remote-Address']\r\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\r\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\r\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \r\n | extend\r\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\r\n , EventStartTime = coalesce(EventTime, TimeGenerated)\r\n , EventEndTime = coalesce(EventTime, TimeGenerated)\r\n , EventVendor = \"Cisco\"\r\n , EventProduct = \"ISE\"\r\n , EventProductVersion = \"3.2\"\r\n , EventCount = int(1)\r\n , EventSchema = \"UserManagement\"\r\n , EventSchemaVersion = \"0.1.1\"\r\n // ***************** ********************\r\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\r\n | extend \r\n Hostname = DvcHostname\r\n , IpAddr = SrcIpAddr\r\n , Src = SrcIpAddr\r\n , UpdatedPropertyName = EventSubType\r\n , User = ActorUsername\r\n // ***************** *******************\r\n | project-away\r\n TenantId,\r\n 
SourceSystem,\r\n MG,\r\n Computer,\r\n EventTime,\r\n Facility,\r\n HostName,\r\n SeverityLevel,\r\n SyslogMessage,\r\n HostIP,\r\n ProcessName,\r\n ProcessID,\r\n _ResourceId,\r\n NetworkDeviceName,\r\n dvcHostname,\r\n ['User-Name'],\r\n UserName\r\n};\r\nCiscoISEUsrMgmtParser(disabled=disabled)","parameters":"disabled:bool = false","description":"User Management ASIM parser for Cisco ISE.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"68815256-8748-5527-987c-0eaf06283fa5","name":"_ASim_UserManagement_LinuxAuthprivV01","body":"let parser = (\r\n disabled:bool = false\r\n) {\r\nlet ActionLookup = datatable (Action:string, EventType:string)\r\n[\r\n \"added\", \"UserAddedToGroup\",\r\n \"removed\",\"UserRemovedFromGroup\"\r\n];\r\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\r\n[\r\n \"info\", \"Informational\",\r\n \"warn\", \"Low\",\r\n \"err\", \"Medium\",\r\n \"crit\", \"High\"\r\n]; \r\nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\r\n T\r\n | lookup SeverityLookup on SeverityLevel\r\n | extend ActingAppId = tostring(ProcessID)\r\n | project-away SyslogMessage,SeverityLevel, ProcessID\r\n};\r\nlet SyslogParsed = (\r\n Syslog\r\n | where not(disabled)\r\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\r\n | where Facility == \"authpriv\"\r\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\r\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\r\n);\r\nunion (\r\n SyslogParsed\r\n | where ProcessName == \"useradd\"\r\n and SyslogMessage startswith \"new user: name=\"\r\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", \" *\r\n | extend \r\n EventType = \"UserCreated\", \r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where 
ProcessName == \"useradd\"\r\n and SyslogMessage startswith \"failed adding user '\"\r\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\r\n | extend \r\n EventType = \"UserCreated\", \r\n EventResult = \"Failure\",\r\n EventResultDetails = \"Other\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"useradd\"\r\n and SyslogMessage startswith \"new group: name=\"\r\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\r\n | extend \r\n EventType = \"UserCreated\", \r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"useradd\"\r\n and SyslogMessage startswith \"cannot open login definitions\"\r\n | extend EventType = \"UserCreated\", \r\n EventResult = \"Failure\",\r\n EventResultDetails = \"NotAuthorized\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName ==\"useradd\" \r\n and SyslogMessage startswith \"add '\"\r\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \r\n | extend \r\n EventType = \"UserCreated\",\r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"usermod\"\r\n and SyslogMessage startswith \"change user name '\"\r\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\r\n | extend \r\n EventType = \"UserModified\",\r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName ==\"usermod\" \r\n and SyslogMessage startswith \"add '\"\r\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \r\n | extend \r\n EventType = \"UserAddedToGroup\",\r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"usermod\"\r\n and SyslogMessage startswith \"change user '\"\r\n and not (SyslogMessage endswith \"' password\")\r\n | 
parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\r\n | extend \r\n EventType = case (\r\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\r\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\r\n \"UserModified\"\r\n ),\r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"usermod\"\r\n and SyslogMessage startswith \"cannot open login definitions\"\r\n | extend \r\n EventType = \"UserCreated\", \r\n EventResult = \"Failure\",\r\n EventResultDetails = \"NotAuthorized\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"usermod\"\r\n and SyslogMessage startswith \"change user '\"\r\n and SyslogMessage endswith \"password\"\r\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\r\n | extend \r\n EventType = \"PasswordChanged\",\r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"usermod\"\r\n and SyslogMessage startswith \"lock user '\"\r\n and SyslogMessage endswith \"' password\"\r\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\r\n | extend \r\n EventType = \"UserLocked\",\r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"userdel\"\r\n and SyslogMessage startswith \"delete '\"\r\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\r\n | extend \r\n EventType = \"UserDeleted\",\r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"userdel\"\r\n and SyslogMessage startswith \"delete user '\"\r\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\r\n | extend \r\n EventType = \"UserDeleted\",\r\n EventResult = \"Success\"\r\n | invoke 
ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"userdel\"\r\n and (SyslogMessage startswith \"removed group '\" \r\n or SyslogMessage startswith \"removed shadow group '\")\r\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\r\n | extend \r\n EventType = \"UserDeleted\",\r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"groupadd\"\r\n and SyslogMessage startswith \"group added to \"\r\n and SyslogMessage has \"GID=\"\r\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\r\n | extend \r\n EventType = \"GroupCreated\",\r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"groupadd\"\r\n and SyslogMessage startswith \"group added to \"\r\n and not(SyslogMessage has \"GID=\")\r\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName\r\n | extend \r\n EventType = \"GroupCreated\",\r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"groupadd\"\r\n and SyslogMessage startswith \"new group: name=\"\r\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\r\n | extend \r\n EventType = \"GroupCreated\",\r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"groupadd\"\r\n and SyslogMessage startswith \"cannot open login definitions\"\r\n | extend \r\n EventType = \"GroupCreated\", \r\n EventResult = \"Failure\",\r\n EventResultDetails = \"NotAuthorized\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"groupmod\"\r\n and SyslogMessage startswith \"group changed in \"\r\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\r\n | extend \r\n split(Temp_GroupName, \"/\")\r\n | extend \r\n GroupName = tostring(Temp_GroupName[0]),\r\n 
GroupId = tostring(Temp_GroupName[1])\r\n | project-away Temp_GroupName\r\n | extend \r\n EventType = \"GroupModified\",\r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"groupmod\"\r\n and SyslogMessage startswith \"failed to change \"\r\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\r\n | extend split(Temp_GroupName, \"/\")\r\n | extend \r\n GroupName = tostring(Temp_GroupName[0]),\r\n GroupId = tostring(Temp_GroupName[1])\r\n | project-away Temp_GroupName\r\n | extend \r\n EventType = \"GroupModified\",\r\n EventResult = \"Failure\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"groupdel\"\r\n | parse SyslogMessage with \"group '\" GroupName \"' removed\" *\r\n | extend \r\n EventType = \"GroupDeleted\",\r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n),(\r\n SyslogParsed\r\n | where ProcessName == \"gpasswd\"\r\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" group \" GroupName\r\n | lookup ActionLookup on Action\r\n | project-away Action\r\n | extend \r\n EventResult = \"Success\"\r\n | invoke ItemParser()\r\n)\r\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\r\n| project-rename \r\n ActingAppName = ProcessName,\r\n DvcId = _ResourceId,\r\n EventUid = _ItemId\r\n| extend\r\n ActingAppType = \"Process\",\r\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\r\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\r\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\r\n DvcOs = \"Linux\",\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventProduct = \"Authpriv\",\r\n EventSchema = \"UserManagement\",\r\n EventSchemaVersion = \"0.1.1\",\r\n EventStartTime = TimeGenerated,\r\n EventVendor = \"Linux\",\r\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\r\n GroupNameType = iif(isnotempty(GroupName), 
\"Simple\", \"\"),\r\n Hostname = DvcHostname,\r\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\r\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\r\n UpdatedPropertyName = EventSubType,\r\n User = ActorUsername\r\n | extend SrcIpAddr = DvcIpAddr\r\n| project-away Computer, HostIP, HostName\r\n};\r\nparser (\r\n disabled = disabled\r\n)","parameters":"disabled:bool = false","description":"User Management ASIM parser for Linux Authpriv logs.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"93448a67-dbab-5c6e-b14d-89ab7db2b316","name":"_ASim_UserManagement_MicrosoftSecurityEventV01","body":"let parser = (\r\n disabled:bool = false\r\n) {\r\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\r\n [ \r\n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \r\n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \r\n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \r\n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \r\n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \r\n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \r\n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \r\n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \r\n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \r\n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \r\n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \r\n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \r\n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \r\n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \r\n \"4738\", \"UserModified\", \"UserModified\", \"\", \r\n \"4740\", \"UserLocked\", \"UserModified\", \"\", \r\n \"4744\", 
\"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \r\n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \r\n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \r\n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \r\n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \r\n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \r\n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \r\n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \r\n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \r\n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \r\n \"4767\", \"UserLocked\", \"UserModified\", \"\", \r\n \"4781\", \"UserModified\", \"UserModified\", \"\" \r\n ];\r\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\r\n [\r\n 'Machine', 'Machine',\r\n 'User', 'Regular'\r\n ]; \r\n let UserEventID = toscalar(\r\n EventIDLookup\r\n | where not(disabled)\r\n | where EventSubType in(\"UserCreated\",\"UserModified\") \r\n | summarize make_set(EventID)\r\n );\r\n let GroupEventID = toscalar(\r\n EventIDLookup\r\n | where not(disabled)\r\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \r\n | summarize make_set(EventID)\r\n );\r\n union (\r\n WindowsEvent\r\n | where not(disabled)\r\n | where EventID in(UserEventID)\r\n | extend\r\n ActorOriginalUserType = tostring(EventData.AccountType),\r\n ActorSessionId = tostring(EventData.SubjectLogonId),\r\n ActorUserId = tostring(EventData.SubjectUserSid),\r\n NewTargetUserName = tostring(EventData.NewTargetUserName),\r\n OldTargetUserName = tostring(EventData.OldTargetUserName),\r\n SubjectDomainName = tostring(EventData.SubjectDomainName),\r\n SubjectUserName = tostring(EventData.SubjectUserName),\r\n TargetDomain = 
tostring(EventData.TargetDomainName),\r\n TargetUserId = tostring(EventData.TargetSid),\r\n TargetUsername = tostring(EventData.TargetUserName),\r\n EventMessage = tostring(EventData.Activity)\r\n | project-rename\r\n NewPropertyValue = NewTargetUserName,\r\n PreviousPropertyValue = OldTargetUserName\r\n | extend \r\n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\r\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage\r\n | extend\r\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\r\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\r\n | project-away TargetDomain\r\n ),(\r\n SecurityEvent\r\n | where not(disabled)\r\n | where EventID in(UserEventID)\r\n | project-rename \r\n ActorOriginalUserType = AccountType,\r\n ActorSessionId = SubjectLogonId,\r\n ActorUserId = SubjectUserSid,\r\n TargetDomain = TargetDomainName,\r\n TargetUserId = TargetSid,\r\n TargetUsername = TargetUserName,\r\n EventMessage = Activity\r\n | parse-kv EventData as \r\n (\r\n OldTargetUserName:string,\r\n NewTargetUserName:string\r\n ) \r\n with (regex=@'{?([^')\r\n | project-rename\r\n NewPropertyValue = NewTargetUserName,\r\n PreviousPropertyValue = OldTargetUserName\r\n | extend \r\n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\r\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\r\n | extend\r\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\r\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', 
TargetUsername))\r\n | project-away TargetDomain\r\n ),(\r\n WindowsEvent\r\n | where not(disabled)\r\n | where EventID in(GroupEventID)\r\n | extend \r\n ActorOriginalUserType = tostring(EventData.AccountType),\r\n ActorSessionId = tostring(EventData.SubjectLogonId),\r\n ActorUserId = tostring(EventData.SubjectUserSid),\r\n GroupDomain = tostring(EventData.TargetDomainName),\r\n GroupId = tostring(EventData.TargetSid),\r\n GroupName = tostring(EventData.TargetUserName),\r\n MemberName = tostring(EventData.MemberName),\r\n MemberSid = tostring(EventData.MemberSid),\r\n NewTargetUserName = tostring(EventData.NewTargetUserName),\r\n OldTargetUserName = tostring(EventData.OldTargetUserName),\r\n SubjectDomainName = tostring(EventData.SubjectDomainName),\r\n SubjectUserName = tostring(EventData.SubjectUserName),\r\n EventMessage = tostring(EventData.Activity)\r\n | extend \r\n GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName)),\r\n TargetUserId = MemberSid,\r\n TargetUsername = MemberName\r\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, EventMessage\r\n | extend \r\n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\r\n ),(\r\n SecurityEvent\r\n | where not(disabled)\r\n | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))\r\n | where EventID in(GroupEventID)\r\n | project-rename \r\n ActorOriginalUserType = AccountType,\r\n ActorSessionId = SubjectLogonId,\r\n ActorUserId = SubjectUserSid,\r\n GroupDomain = TargetDomainName,\r\n GroupId = TargetSid,\r\n GroupName = TargetUserName,\r\n EventMessage = Activity\r\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\r\n | parse-kv EventData as \r\n (\r\n MemberName:string,\r\n MemberSid:string\r\n ) \r\n with (regex=@'{?([^')\r\n | project-rename \r\n TargetUserId 
= MemberSid,\r\n TargetUsername = MemberName\r\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\r\n | extend \r\n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\r\n ),(\r\n SecurityEvent\r\n | where not(disabled)\r\n | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)\r\n | parse-kv EventData as \r\n (\r\n TargetUserName:string,\r\n TargetDomainName:string,\r\n TargetSid:string,\r\n SubjectUserSid:string,\r\n AccountType:string,\r\n SubjectLogonId:string,\r\n SubjectDomainName:string,\r\n SubjectUserName:string\r\n ) \r\n with (regex=@'{?([^')\r\n | project-rename \r\n ActorOriginalUserType = AccountType,\r\n ActorSessionId = SubjectLogonId,\r\n ActorUserId = SubjectUserSid,\r\n GroupDomain = TargetDomainName,\r\n GroupId = TargetSid,\r\n GroupName = TargetUserName,\r\n EventMessage = Activity\r\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\r\n | parse-kv EventData as \r\n (\r\n MemberName:string,\r\n MemberSid:string\r\n ) \r\n with (regex=@'{?([^')\r\n | project-rename \r\n TargetUserId = MemberSid,\r\n TargetUsername = MemberName\r\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\r\n | extend \r\n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\r\n )\r\n| lookup EventIDLookup on EventID\r\n| extend UpdatedPropertyName = EventSubType\r\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\r\n| lookup UserTypeLookup on ActorOriginalUserType\r\n| extend \r\n DvcId = coalesce(_ResourceId, SourceComputerId),\r\n EventOriginalType = tostring(EventID)\r\n| project-rename \r\n EventUid = _ItemId\r\n| extend \r\n ActorUsername = iff 
(SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\r\n Dvc = DvcHostname,\r\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\r\n DvcOs = \"Windows\",\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventProduct = 'Security Events',\r\n EventResult = \"Success\",\r\n EventSchema = \"UserManagement\",\r\n EventSchemaVersion = \"0.1.1\",\r\n EventSeverity = \"Informational\",\r\n EventStartTime = TimeGenerated,\r\n EventVendor = 'Microsoft',\r\n Hostname = DvcHostname\r\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\r\n| extend\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\r\n GroupNameType = _ASIM_GetUsernameType(GroupName),\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\r\n User = ActorUsername\r\n};\r\n parser (\r\n disabled = disabled\r\n )","parameters":"disabled:bool = false","description":"User Management ASIM parser for Microsoft Security Event logs.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"b86d87fd-aeb5-5a46-9f74-e4b50a0205f9","name":"_ASim_UserManagement_MicrosoftSecurityEventV02","body":"let parser = (\r\n disabled:bool = false\r\n) {\r\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\r\n [ \r\n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \r\n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \r\n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \r\n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \r\n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \r\n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \r\n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \r\n \"4728\", \"UserAddedToGroup\", \"GroupModified\", 
\"Global Security Enabled\", \r\n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \r\n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \r\n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \r\n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \r\n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \r\n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \r\n \"4738\", \"UserModified\", \"UserModified\", \"\", \r\n \"4740\", \"UserLocked\", \"UserModified\", \"\", \r\n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \r\n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \r\n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \r\n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \r\n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \r\n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \r\n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \r\n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \r\n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \r\n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \r\n \"4767\", \"UserLocked\", \"UserModified\", \"\", \r\n \"4781\", \"UserModified\", \"UserModified\", \"\" \r\n ];\r\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\r\n [\r\n 'Machine', 'Machine',\r\n 'User', 'Regular'\r\n ]; \r\n let UserEventID = toscalar(\r\n EventIDLookup\r\n | where not(disabled)\r\n | where EventSubType in(\"UserCreated\",\"UserModified\") \r\n | summarize make_set(EventID)\r\n );\r\n let GroupEventID = toscalar(\r\n EventIDLookup\r\n | where not(disabled)\r\n | where 
EventSubType in(\"GroupCreated\",\"GroupModified\") \r\n | summarize make_set(EventID)\r\n );\r\n union (\r\n SecurityEvent\r\n | where not(disabled)\r\n | where EventID in(UserEventID)\r\n | project-rename \r\n ActorOriginalUserType = AccountType,\r\n ActorSessionId = SubjectLogonId,\r\n ActorUserId = SubjectUserSid,\r\n TargetDomain = TargetDomainName,\r\n TargetUserId = TargetSid,\r\n TargetUsername = TargetUserName,\r\n EventMessage = Activity\r\n | parse-kv EventData as \r\n (\r\n OldTargetUserName:string,\r\n NewTargetUserName:string\r\n ) \r\n with (regex=@'{?([^')\r\n | project-rename\r\n NewPropertyValue = NewTargetUserName,\r\n PreviousPropertyValue = OldTargetUserName\r\n | extend \r\n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\r\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\r\n | extend\r\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\r\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\r\n | project-away TargetDomain\r\n ),(\r\n SecurityEvent\r\n | where not(disabled)\r\n | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))\r\n | where EventID in(GroupEventID)\r\n | project-rename \r\n ActorOriginalUserType = AccountType,\r\n ActorSessionId = SubjectLogonId,\r\n ActorUserId = SubjectUserSid,\r\n GroupDomain = TargetDomainName,\r\n GroupId = TargetSid,\r\n GroupName = TargetUserName,\r\n EventMessage = Activity\r\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\r\n | parse-kv EventData as \r\n (\r\n MemberName:string,\r\n MemberSid:string\r\n ) \r\n with (regex=@'{?([^')\r\n | project-rename \r\n TargetUserId = MemberSid,\r\n TargetUsername = MemberName\r\n | project 
TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\r\n | extend \r\n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\r\n ),(\r\n SecurityEvent\r\n | where not(disabled)\r\n | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)\r\n | parse-kv EventData as \r\n (\r\n TargetUserName:string,\r\n TargetDomainName:string,\r\n TargetSid:string,\r\n SubjectUserSid:string,\r\n AccountType:string,\r\n SubjectLogonId:string,\r\n SubjectDomainName:string,\r\n SubjectUserName:string\r\n ) \r\n with (regex=@'{?([^')\r\n | project-rename \r\n ActorOriginalUserType = AccountType,\r\n ActorSessionId = SubjectLogonId,\r\n ActorUserId = SubjectUserSid,\r\n GroupDomain = TargetDomainName,\r\n GroupId = TargetSid,\r\n GroupName = TargetUserName,\r\n EventMessage = Activity\r\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\r\n | parse-kv EventData as \r\n (\r\n MemberName:string,\r\n MemberSid:string\r\n ) \r\n with (regex=@'{?([^')\r\n | project-rename \r\n TargetUserId = MemberSid,\r\n TargetUsername = MemberName\r\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\r\n | extend \r\n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\r\n )\r\n| lookup EventIDLookup on EventID\r\n| extend UpdatedPropertyName = EventSubType\r\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\r\n| lookup UserTypeLookup on ActorOriginalUserType\r\n| extend \r\n DvcId = coalesce(_ResourceId, SourceComputerId),\r\n EventOriginalType = tostring(EventID)\r\n| project-rename \r\n EventUid = _ItemId\r\n| extend \r\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat 
(SubjectDomainName, '\\\\', SubjectUserName)),\r\n Dvc = DvcHostname,\r\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\r\n DvcOs = \"Windows\",\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventProduct = 'Security Events',\r\n EventResult = \"Success\",\r\n EventSchema = \"UserManagement\",\r\n EventSchemaVersion = \"0.1.1\",\r\n EventSeverity = \"Informational\",\r\n EventStartTime = TimeGenerated,\r\n EventVendor = 'Microsoft',\r\n Hostname = DvcHostname, \r\n ActorUserIdType=\"SID\"\r\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\r\n| extend\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\r\n GroupNameType = _ASIM_GetUsernameType(GroupName),\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\r\n User = ActorUsername\r\n};\r\n parser (\r\n disabled = disabled\r\n )","parameters":"disabled:bool = false","description":"User Management ASIM parser for Microsoft Security Event logs.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"76d067a3-4cb1-5032-8baa-8168393e91c4","name":"_ASim_UserManagement_MicrosoftWindowsEventV02","body":"let parser = (\r\n disabled:bool = false\r\n) {\r\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\r\n [ \r\n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \r\n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \r\n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \r\n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \r\n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \r\n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \r\n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \r\n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security 
Enabled\", \r\n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \r\n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \r\n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \r\n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \r\n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \r\n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \r\n \"4738\", \"UserModified\", \"UserModified\", \"\", \r\n \"4740\", \"UserLocked\", \"UserModified\", \"\", \r\n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \r\n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \r\n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \r\n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \r\n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \r\n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \r\n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \r\n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \r\n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \r\n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \r\n \"4767\", \"UserLocked\", \"UserModified\", \"\", \r\n \"4781\", \"UserModified\", \"UserModified\", \"\" \r\n ];\r\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\r\n [\r\n 'Machine', 'Machine',\r\n 'User', 'Regular'\r\n ]; \r\n let UserEventID = toscalar(\r\n EventIDLookup\r\n | where not(disabled)\r\n | where EventSubType in(\"UserCreated\",\"UserModified\") \r\n | summarize make_set(EventID)\r\n );\r\n let GroupEventID = toscalar(\r\n EventIDLookup\r\n | where not(disabled)\r\n | where EventSubType 
in(\"GroupCreated\",\"GroupModified\") \r\n | summarize make_set(EventID)\r\n );\r\n union (\r\n WindowsEvent\r\n | where not(disabled)\r\n | where EventID in(UserEventID)\r\n | extend\r\n ActorOriginalUserType = tostring(EventData.AccountType),\r\n ActorSessionId = tostring(EventData.SubjectLogonId),\r\n ActorUserId = tostring(EventData.SubjectUserSid),\r\n NewTargetUserName = tostring(EventData.NewTargetUserName),\r\n OldTargetUserName = tostring(EventData.OldTargetUserName),\r\n SubjectDomainName = tostring(EventData.SubjectDomainName),\r\n SubjectUserName = tostring(EventData.SubjectUserName),\r\n TargetDomain = tostring(EventData.TargetDomainName),\r\n TargetUserId = tostring(EventData.TargetSid),\r\n TargetUsername = tostring(EventData.TargetUserName),\r\n EventMessage = tostring(EventData.Activity)\r\n | project-rename\r\n NewPropertyValue = NewTargetUserName,\r\n PreviousPropertyValue = OldTargetUserName\r\n | extend \r\n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\r\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage\r\n | extend\r\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\r\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\r\n | project-away TargetDomain\r\n ),(\r\n WindowsEvent\r\n | where not(disabled)\r\n | where EventID in(GroupEventID)\r\n | extend \r\n ActorOriginalUserType = tostring(EventData.AccountType),\r\n ActorSessionId = tostring(EventData.SubjectLogonId),\r\n ActorUserId = tostring(EventData.SubjectUserSid),\r\n GroupDomain = tostring(EventData.TargetDomainName),\r\n GroupId = tostring(EventData.TargetSid),\r\n GroupName = tostring(EventData.TargetUserName),\r\n MemberName = tostring(EventData.MemberName),\r\n MemberSid = 
tostring(EventData.MemberSid),\r\n NewTargetUserName = tostring(EventData.NewTargetUserName),\r\n OldTargetUserName = tostring(EventData.OldTargetUserName),\r\n SubjectDomainName = tostring(EventData.SubjectDomainName),\r\n SubjectUserName = tostring(EventData.SubjectUserName),\r\n EventMessage = tostring(EventData.Activity)\r\n | extend \r\n GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName)),\r\n TargetUserId = MemberSid,\r\n TargetUsername = MemberName\r\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, EventMessage\r\n | extend \r\n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\r\n )\r\n| lookup EventIDLookup on EventID\r\n| extend UpdatedPropertyName = EventSubType\r\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\r\n| lookup UserTypeLookup on ActorOriginalUserType\r\n| extend EventOriginalType = tostring(EventID)\r\n| project-rename \r\n EventUid = _ItemId\r\n| extend \r\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\r\n Dvc = DvcHostname,\r\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\r\n DvcOs = \"Windows\",\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventProduct = 'Security Events',\r\n EventResult = \"Success\",\r\n EventSchema = \"UserManagement\",\r\n EventSchemaVersion = \"0.1.1\",\r\n EventSeverity = \"Informational\",\r\n EventStartTime = TimeGenerated,\r\n EventVendor = 'Microsoft',\r\n Hostname = DvcHostname,\r\n ActorUserIdType=\"SID\"\r\n| project-away Subject*, Computer, _ResourceId,EventID\r\n| extend\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\r\n GroupNameType = _ASIM_GetUsernameType(GroupName),\r\n TargetUsernameType = 
_ASIM_GetUsernameType(TargetUsername),\r\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\r\n User = ActorUsername\r\n};\r\n parser (disabled = disabled)","parameters":"disabled:bool = false","description":"User Management ASIM parser for Microsoft Windows Event logs.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"4765afde-a6fc-5a38-863f-72ec306ed465","name":"_ASim_UserManagement_NativeV01","body":"let parser = (\r\n disabled:bool = false\r\n)\r\n{\r\n ASimUserManagementActivityLogs\r\n | where not(disabled)\r\n | project-rename\r\n EventUid = _ItemId\r\n | extend \r\n EventSchema = \"UserManagement\",\r\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\r\n // -- Aliases\r\n | extend\r\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\r\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\r\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\r\n Rule = coalesce(RuleName, tostring(RuleNumber)),\r\n User = ActorUsername,\r\n Hostname = DvcHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),\r\n UpdatedPropertyName = EventSubType\r\n | project-away\r\n TenantId,\r\n SourceSystem,\r\n _SubscriptionId,\r\n _ResourceId\r\n};\r\nparser (disabled = disabled)\r\n","parameters":"disabled:bool = false","description":"User Management activity ASIM parser for Microsoft Sentinel native User Management activity table.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"2e8e7c1a-5104-5885-b659-d26e17f9af4c","name":"_ASim_UserManagement_SentinelOneV01","body":"let EventTypeLookup = datatable (\r\n activityType_d: real,\r\n EventType: string,\r\n EventOriginalType: string,\r\n EventSubType: string\r\n)[\r\n 23, \"UserCreated\", \"User Added\", \"\",\r\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\r\n 
25, \"UserDeleted\", \"User Deleted\", \"\",\r\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\r\n 102, \"UserDeleted\", \"User Deleted\", \"\",\r\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\r\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\r\n 140, \"UserCreated\", \"Service User creation\", \"\",\r\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\r\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\r\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\r\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\r\n 3524, \"GroupDeleted\", \"Ranger Deploy - Credential Group Deleted\", \"\",\r\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\r\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\r\n 3715, \"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\r\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\r\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\r\n 5011, \"GroupModified\", \"Group Policy Reverted\", \"Newpolicy\",\r\n 67, \"\", \"User 2FA Modified\", \"\",\r\n 145, \"UserModified\", \"Enroll 2FA\", \"\",\r\n 146, \"UserModified\", \"Reset 2FA\", \"\",\r\n 42, \"\", \"Global 2FA modified\", \"\",\r\n 147, \"UserModified\", \"User Configured 2FA\", \"\"\r\n];\r\nlet UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]);\r\nlet parser = (disabled: bool=false) {\r\n SentinelOne_CL\r\n | where not(disabled)\r\n | where event_name_s == \"Activities.\"\r\n and activityType_d in (UsermanagementactivityIds)\r\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: 
string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\r\n | parse modifiedFields with 'Modified fields: ' ModifiedFields: string\r\n | parse description_s with * \"with id=\" id: string \",\" restOfMessage\r\n | lookup EventTypeLookup on activityType_d\r\n | extend\r\n EventType = case (\r\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\r\n \"UserEnabled\",\r\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\r\n \"UserDisabled\",\r\n EventType\r\n ),\r\n PreviousPropertyValue = case(\r\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\r\n \"disabled\",\r\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\r\n \"enabled\",\r\n activityType_d == 141 and descriptionChanged == \"true\",\r\n oldDescription, \r\n activityType_d == 141 and descriptionChanged == \"false\",\r\n oldRole,\r\n \"\"\r\n ),\r\n NewPropertyValue = case(\r\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\r\n \"enabled\", \r\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\r\n \"disabled\",\r\n activityType_d == 141 and descriptionChanged == \"true\",\r\n description, \r\n activityType_d == 141 and descriptionChanged == \"false\",\r\n role,\r\n \"\"\r\n ),\r\n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \r\n GroupName = coalesce(group, groupName, name),\r\n TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, \"\")\r\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\r\n | project-rename\r\n EventStartTime = createdAt_t,\r\n SrcIpAddr = ipAddress,\r\n EventUid = _ItemId,\r\n ActorUserId = id,\r\n GroupId = 
groupId_s,\r\n EventMessage = primaryDescription_s,\r\n EventOriginalUid = activityUuid_g\r\n | extend\r\n EventCount = int(1),\r\n EventResult = \"Success\",\r\n DvcAction = \"Allowed\",\r\n EventSeverity = \"Informational\",\r\n EventSchema = \"UserManagement\",\r\n EventSchemaVersion = \"0.1.1\",\r\n EventProduct = \"SentinelOne\",\r\n EventVendor = \"SentinelOne\",\r\n EventResultDetails = \"Other\"\r\n | extend\r\n Dvc = EventProduct,\r\n EventEndTime = EventStartTime,\r\n IpAddr = SrcIpAddr,\r\n User = ActorUsername,\r\n UpdatedPropertyName = EventSubType,\r\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\r\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\r\n GroupType = iff(isnotempty(groupType), \"Other\", \"\"),\r\n GroupOriginalType = groupType,\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\r\n AdditionalFields = bag_pack(\r\n \"userScope\", userScope,\r\n \"scopeLevelName\", scopeLevelName,\r\n \"scopeName\", scopeName,\r\n \"modifiedFields\", modifiedFields,\r\n \"roleName\", roleName,\r\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\r\n \"descriptionChanged\", descriptionChanged\r\n )\r\n | project-away \r\n *_b,\r\n *_d,\r\n *_g,\r\n *_s,\r\n *_t,\r\n byUser,\r\n username,\r\n email,\r\n group,\r\n groupName,\r\n groupType,\r\n name,\r\n oldDescription,\r\n oldRole,\r\n description,\r\n role,\r\n userScope,\r\n scopeLevelName,\r\n scopeName,\r\n roleName,\r\n modifiedFields,\r\n ModifiedFields,\r\n deactivationPeriodInDays,\r\n descriptionChanged,\r\n restOfMessage,\r\n _ResourceId,\r\n TenantId,\r\n RawData,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n SourceSystem,\r\n 
newValue\r\n};\r\nparser(disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"User Management ASIM parser for SentinelOne.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"cce83520-0fd8-5bff-88a1-14a21dbd431c","name":"_Im_DhcpEvent","body":"union isfuzzy=true\r\n_Im_DhcpEventBuiltIn(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, srcusername_has_any= srcusername_has_any, eventresult= eventresult, disabled= disabled, pack= pack),\r\nIm_DhcpEventSolutions(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, srcusername_has_any= srcusername_has_any, eventresult= eventresult, disabled= disabled, pack= pack),\r\nIm_DhcpEventCustom(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, srcusername_has_any= srcusername_has_any, eventresult= eventresult, disabled= disabled, pack= pack)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), srcusername_has_any:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false, pack:bool = false","description":"Dhcp event ASIM filtering parser.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"d3e75b28-3354-5d5b-813a-1f82deb43217","name":"_Im_DhcpEventBuiltIn","body":"let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') \r\n| where SearchKey in ('Any', 'Exclude_Im_DhcpEvent') \r\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') \r\n| where isnotempty(SourceSpecificParser) \r\n| summarize list = make_set(SourceSpecificParser));\r\nlet builtInDisabled = 0 != 
array_length(set_intersect(toscalar(DisabledParsers),dynamic(['Exclude_Im_DhcpEventBuiltIn', 'Exclude_Im_DhcpEvent', 'Any'])));\r\nunion isfuzzy=true\r\n_Im_DhcpEvent_EmptyV02,\r\n_Im_DhcpEvent_InfobloxBloxOneV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, srcusername_has_any= srcusername_has_any, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_DhcpEvent_InfobloxBloxOne' in (DisabledParsers)))),\r\n_Im_DhcpEvent_NativeV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, srcusername_has_any= srcusername_has_any, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_DhcpEvent_Native' in (DisabledParsers))))\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), srcusername_has_any:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false, pack:bool = false","description":"Dhcp event ASIM built-in union parser.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"002f8919-da28-5edc-9480-9c679de0e646","name":"_Im_DhcpEvent_EmptyV01","body":"let EmptyDhcpEvents =datatable (\r\n TimeGenerated:datetime\r\n, _ResourceId:string\r\n, Type:string\r\n// ****** Event fields ******\r\n, EventType:string\r\n, EventProduct:string\r\n, EventProductVersion:string\r\n, EventCount:int\r\n, EventMessage:string\r\n, EventVendor:string\r\n, EventSchema:string\r\n, EventSchemaVersion:string\r\n, EventSeverity:string\r\n, EventSubType:string\r\n, EventOriginalUid:string\r\n, EventOriginalType:string\r\n, EventOriginalResultDetails:string\r\n, EventOriginalSeverity:string\r\n, EventOriginalSubType:string\r\n, EventStartTime:datetime\r\n, EventEndTime:datetime\r\n, EventReportUrl:string\r\n, 
EventResult: string\r\n, EventResultDetails: string\r\n, AdditionalFields:dynamic\r\n, EventOwner:string\r\n// ****** Device fields ******\r\n, DvcId:string\r\n, DvcHostname:string\r\n, DvcDomain:string\r\n, DvcDomainType:string\r\n, DvcFQDN:string\r\n, DvcIpAddr:string\r\n, DvcOs:string\r\n, DvcOsVersion:string\r\n, DvcMacAddr:string\r\n, DvcAction:string\r\n, DvcOriginalAction:string\r\n, DvcDescription: string\r\n, DvcIdType: string\r\n, DvcInterface: string\r\n, DvcZone: string\r\n, DvcScopeId:string\r\n, DvcScope:string\r\n// ****** Source User fields ******\r\n, SrcUserId:string\r\n, SrcUserUid:string\r\n, SrcUserIdType:string\r\n, SrcUserScopeId:string\r\n, SrcUserScope:string\r\n, SrcUsername:string\r\n, SrcUsernameType:string\r\n, SrcUserType:string\r\n, SrcOriginalUserType:string\r\n, SrcUserSessionId:string\r\n// ****** Source System fields ******\r\n, SrcIpAddr: string\r\n, SrcPortNumber:int\r\n, SrcHostname:string\r\n, SrcMacAddr:string\r\n, SrcDomain:string\r\n, SrcDomainType:string\r\n, SrcFQDN:string\r\n, SrcDescription:string\r\n, SrcDvcId:string\r\n, SrcDvcIdType:string\r\n, SrcDvcScopeId:string\r\n, SrcDvcScope:string\r\n, SrcDeviceType:string\r\n, SrcGeoCountry:string\r\n, SrcGeoLatitude:real\r\n, SrcGeoLongitude:real\r\n, SrcGeoRegion:string\r\n, SrcGeoCity:string\r\n, SrcRiskLevel:int\r\n, SrcOriginalRiskLevel:string\r\n// ****** Dhcp Event Fields ******\r\n, RequestedIpAddr:string //Optional\r\n, DhcpLeaseDuration:int\r\n, DhcpSessionId:string\r\n, DhcpSessionDuration:int\r\n, DhcpSrcDHCId:string\r\n, DhcpCircuitId:string\r\n, DhcpSubscriberId:string\r\n, DhcpVendorClassId:string\r\n, DhcpVendorClass:string\r\n, DhcpUserClassId:string\r\n, DhcpUserClass:string\r\n// ****** aliases ******\r\n, SessionId:string\r\n, Duration:int\r\n, Src: string\r\n, Dst: string\r\n, User: string\r\n, IpAddr:string\r\n, Hostname:string\r\n//****** Inspection fields ******\r\n, RuleName:string\r\n, RuleNumber:int\r\n, ThreatId:string\r\n, ThreatName:string\r\n, 
ThreatCategory:string\r\n, ThreatRiskLevel:int\r\n, ThreatOriginalRiskLevel:string\r\n, ThreatConfidence:int\r\n, ThreatOriginalConfidence:string\r\n, ThreatIsActive:bool\r\n, ThreatFirstReportedTime:datetime\r\n, ThreatLastReportedTime:datetime\r\n, ThreatField:string\r\n)[];\r\nEmptyDhcpEvents","description":"Dhcp event ASIM schema function.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"5c3e07b7-f5e1-5829-bea5-9760a8433fbe","name":"_Im_DhcpEvent_EmptyV02","body":"let EmptyDhcpEvents =datatable (\r\n TimeGenerated:datetime,\r\n _ResourceId:string,\r\n Type:string,\r\n AdditionalFields:dynamic,\r\n DhcpCircuitId:string,\r\n DhcpLeaseDuration:int,\r\n DhcpSessionDuration:int,\r\n DhcpSessionId:string,\r\n DhcpSrcDHCId:string,\r\n DhcpSubscriberId:string,\r\n DhcpUserClass:string,\r\n DhcpUserClassId:string,\r\n DhcpVendorClass:string,\r\n DhcpVendorClassId:string,\r\n Duration:int,\r\n Dvc:string,\r\n DvcAction:string,\r\n DvcDescription:string,\r\n DvcDomain:string,\r\n DvcDomainType:string,\r\n DvcFQDN:string,\r\n DvcHostname:string,\r\n DvcId:string,\r\n DvcIdType:string,\r\n DvcInterface:string,\r\n DvcIpAddr:string,\r\n DvcMacAddr:string,\r\n DvcOriginalAction:string,\r\n DvcOs:string,\r\n DvcOsVersion:string,\r\n DvcScope:string,\r\n DvcScopeId:string,\r\n DvcZone:string,\r\n EventCount:int,\r\n EventEndTime:datetime,\r\n EventMessage:string,\r\n EventOriginalResultDetails:string,\r\n EventOriginalSeverity:string,\r\n EventOriginalSubType:string,\r\n EventOriginalType:string,\r\n EventOriginalUid:string,\r\n EventOwner:string,\r\n EventProduct:string,\r\n EventProductVersion:string,\r\n EventReportUrl:string,\r\n EventResult:string,\r\n EventResultDetails:string,\r\n EventSchema:string,\r\n EventSchemaVersion:string,\r\n EventSeverity:string,\r\n EventStartTime:datetime,\r\n EventSubType:string,\r\n EventType:string,\r\n EventUid:string,\r\n EventVendor:string,\r\n Hostname:string,\r\n 
IpAddr:string,\r\n RequestedIpAddr:string,\r\n Rule:string,\r\n RuleName:string,\r\n RuleNumber:int,\r\n SessionId:string,\r\n Src:string,\r\n SrcDescription:string,\r\n SrcDeviceType:string,\r\n SrcDomain:string,\r\n SrcDomainType:string,\r\n SrcDvcId:string,\r\n SrcDvcIdType:string,\r\n SrcDvcScope:string,\r\n SrcDvcScopeId:string,\r\n SrcFQDN:string,\r\n SrcGeoCity:string,\r\n SrcGeoCountry:string,\r\n SrcGeoLatitude:real,\r\n SrcGeoLongitude:real,\r\n SrcGeoRegion:string,\r\n SrcHostname:string,\r\n SrcIpAddr:string,\r\n SrcMacAddr:string,\r\n SrcOriginalRiskLevel:string,\r\n SrcOriginalUserType:string,\r\n SrcPortNumber:int,\r\n SrcRiskLevel:int,\r\n SrcUserId:string,\r\n SrcUserIdType:string,\r\n SrcUsername:string,\r\n SrcUsernameType:string,\r\n SrcUserScope:string,\r\n SrcUserScopeId:string,\r\n SrcUserSessionId:string,\r\n SrcUserType:string,\r\n SrcUserUid:string,\r\n ThreatCategory:string,\r\n ThreatConfidence:int,\r\n ThreatField:string,\r\n ThreatFirstReportedTime:datetime,\r\n ThreatId:string,\r\n ThreatIsActive:bool,\r\n ThreatLastReportedTime:datetime,\r\n ThreatName:string,\r\n ThreatOriginalConfidence:string,\r\n ThreatOriginalRiskLevel:string,\r\n ThreatRiskLevel:int,\r\n User:string\r\n)[];\r\nEmptyDhcpEvents","description":"Dhcp event ASIM schema function.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"137e5ce5-8fc3-5083-b9b3-b7a476008b0a","name":"_Im_DhcpEvent_InfobloxBloxOneV01","body":"let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string)\r\n [\r\n \"0\", \"Low\",\r\n \"1\", \"Low\",\r\n \"2\", \"Low\",\r\n \"3\", \"Low\",\r\n \"4\", \"Medium\",\r\n \"5\", \"Medium\",\r\n \"6\", \"Medium\",\r\n \"7\", \"High\",\r\n \"8\", \"High\",\r\n \"9\", \"High\",\r\n \"10\", \"High\"\r\n];\r\nlet parser = (\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null),\r\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\r\n 
srchostname_has_any:dynamic=dynamic([]),\r\n srcusername_has_any:dynamic=dynamic([]),\r\n eventresult:string='*',\r\n disabled:bool=false\r\n ) {\r\n CommonSecurityLog\r\n | where not(disabled)\r\n and (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated see lookup below\r\n ,\r\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \r\n ,\r\n EventProduct='Azure File Storage' \r\n ,\r\n EventVendor='Microsoft'\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n TargetFilePath=tostring(split(TargetUrl, '?')[0]) \r\n ,\r\n TargetFilePathType='URL'\r\n ,\r\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\r\n ,\r\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[1])\r\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\r\n // Aliases\r\n | extend \r\n FilePath=TargetFilePath\r\n};\r\nparser\r\n(\r\n starttime=starttime, \r\n endtime=endtime, \r\n eventtype_in=eventtype_in,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n actorusername_has_any=actorusername_has_any,\r\n targetfilepath_has_any=targetfilepath_has_any,\r\n srcfilepath_has_any=srcfilepath_has_any,\r\n hashes_has_any=hashes_has_any,\r\n dvchostname_has_any=dvchostname_has_any,\r\n disabled=disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), eventtype_in:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), targetfilepath_has_any:dynamic = dynamic([]), srcfilepath_has_any:dynamic = dynamic([]), hashes_has_any:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), disabled:bool = false","description":"File Activity ASIM filtering parser for Azure Blob 
Storage.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"61b00b6e-dda8-5932-a906-948f9bb7365e","name":"_Im_FileEvent_AzureFileStorageV01","body":"// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\r\nlet parser=(\r\n starttime: datetime=datetime(null),\r\n endtime: datetime=datetime(null),\r\n eventtype_in: dynamic=dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\r\n actorusername_has_any: dynamic=dynamic([]),\r\n targetfilepath_has_any: dynamic=dynamic([]),\r\n srcfilepath_has_any: dynamic=dynamic([]),\r\n hashes_has_any: dynamic=dynamic([]),\r\n dvchostname_has_any: dynamic=dynamic([]),\r\n disabled: bool=false\r\n ) {\r\n let fileoperations=datatable(OperationName: string, EventType: string)[\r\n \"DeleteFile\", \"FileDeleted\"\r\n ,\r\n \"DeleteDirectory\", \"FolderDeleted\"\r\n ,\r\n \"GetFile\", \"FileAccessed\"\r\n ,\r\n \"CopyFile\", \"FileCopied\"\r\n ,\r\n \"CreateFileSnapshot\", \"FileCreated\"\r\n ,\r\n \"CreateDirectory\", \"FolderCreated\"\r\n ,\r\n \"CreateFile\", \"FileCreated\"\r\n ,\r\n \"CreateShare\", \"FolderCreated\"\r\n ,\r\n \"DeleteShare\", \"FileDeleted\"\r\n ,\r\n \"PutRange\", \"FileModified\"\r\n ,\r\n \"CopyFileDestination\", \"FileCopied\"\r\n ,\r\n \"CopyFileSource\", \"FileCopied\"\r\n];\r\n StorageFileLogs\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated see lookup below\r\n ,\r\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \r\n ,\r\n EventOriginalUid = CorrelationId\r\n ,\r\n EventOriginalType=OperationName\r\n ,\r\n EventProduct='Azure File Storage' \r\n ,\r\n EventVendor='Microsoft'\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n TargetFilePath=tostring(split(Uri, '?')[0]) \r\n ,\r\n TargetFilePathType='URL'\r\n ,\r\n TargetUrl=Uri\r\n ,\r\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\r\n 
,\r\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\r\n ,\r\n HttpUserAgent=UserAgentHeader\r\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\r\n | lookup fileoperations on OperationName\r\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) \r\n // Aliases\r\n | extend \r\n FilePath=TargetFilePath\r\n};\r\nparser (\r\n starttime=starttime, \r\n endtime=endtime, \r\n eventtype_in=eventtype_in,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n actorusername_has_any=actorusername_has_any,\r\n targetfilepath_has_any=targetfilepath_has_any,\r\n srcfilepath_has_any=srcfilepath_has_any,\r\n hashes_has_any=hashes_has_any,\r\n dvchostname_has_any=dvchostname_has_any,\r\n disabled=disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), eventtype_in:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), targetfilepath_has_any:dynamic = dynamic([]), srcfilepath_has_any:dynamic = dynamic([]), hashes_has_any:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), disabled:bool = false","description":"File Activity ASIM filtering parser for Azure File Storage.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"a43850a6-f2f3-53cc-babe-cfb0767e7f70","name":"_Im_FileEvent_AzureQueueStorageV01","body":"// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\r\nlet parser=(\r\n starttime: datetime=datetime(null),\r\n endtime: datetime=datetime(null),\r\n eventtype_in: dynamic=dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\r\n actorusername_has_any: dynamic=dynamic([]),\r\n targetfilepath_has_any: dynamic=dynamic([]),\r\n srcfilepath_has_any: dynamic=dynamic([]),\r\n hashes_has_any: dynamic=dynamic([]),\r\n dvchostname_has_any: dynamic=dynamic([]),\r\n disabled: bool=false\r\n 
)\r\n{\r\n let queueoperations=datatable(OperationName: string, EventType: string)\r\n[\r\n \"ClearMessages\", \"FileDeleted\"\r\n ,\r\n \"CreateQueue\", \"FileCreated\"\r\n ,\r\n \"DeleteQueue\", \"FileDeleted\"\r\n ,\r\n \"DeleteMessage\", \"FileDeleted\"\r\n ,\r\n \"GetQueue\", \"FileAccessed\"\r\n ,\r\n \"GetMessage\", \"FileAccessed\"\r\n ,\r\n \"GetMessages\", \"FileAccessed\"\r\n ,\r\n \"PeekMessage\", \"FileAccessed\"\r\n ,\r\n \"PeekMessages\", \"FileAccessed\"\r\n ,\r\n \"PutMessage\", \"FileCreated\"\r\n ,\r\n \"UpdateMessage\", \"FileModified\" \r\n];\r\n StorageQueueLogs\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated see lookup below\r\n ,\r\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \r\n ,\r\n EventOriginalUid = CorrelationId\r\n ,\r\n EventOriginalType=OperationName\r\n ,\r\n EventProduct='Azure File Storage' \r\n ,\r\n EventVendor='Microsoft'\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n TargetFilePath=tostring(split(Uri, '?')[0]) \r\n ,\r\n TargetFilePathType='URL'\r\n ,\r\n TargetUrl=Uri\r\n ,\r\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\r\n ,\r\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\r\n ,\r\n HttpUserAgent=UserAgentHeader\r\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\r\n | lookup queueoperations on OperationName\r\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\r\n // Aliases\r\n | extend \r\n FilePath=TargetFilePath\r\n};\r\nparser\r\n(\r\n starttime=datetime(null), \r\n endtime=datetime(null), \r\n eventtype_in=dynamic([]),\r\n srcipaddr_has_any_prefix=dynamic([]),\r\n actorusername_has_any=dynamic([]),\r\n targetfilepath_has_any=dynamic([]),\r\n srcfilepath_has_any=dynamic([]),\r\n hashes_has_any=dynamic([]),\r\n dvchostname_has_any=dynamic([]),\r\n disabled=false\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), 
eventtype_in:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), targetfilepath_has_any:dynamic = dynamic([]), srcfilepath_has_any:dynamic = dynamic([]), hashes_has_any:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), disabled:bool = false","description":"File Activity ASIM filtering parser for Azure Queue Storage.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"4307fca3-d9f8-5aa4-b086-c4aa15308cdb","name":"_Im_FileEvent_AzureTableStorageV01","body":"// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\r\nlet parser=(\r\n starttime: datetime=datetime(null),\r\n endtime: datetime=datetime(null),\r\n eventtype_in: dynamic=dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\r\n actorusername_has_any: dynamic=dynamic([]),\r\n targetfilepath_has_any: dynamic=dynamic([]),\r\n srcfilepath_has_any: dynamic=dynamic([]),\r\n hashes_has_any: dynamic=dynamic([]),\r\n dvchostname_has_any: dynamic=dynamic([]),\r\n disabled: bool=false\r\n )\r\n{\r\n let tableoperations=datatable(OperationName: string, EventType: string)\r\n[\r\n ,\r\n \"CreateTable\", \"FileCreated\"\r\n ,\r\n \"DeleteTable\", \"FileDeleted\"\r\n ,\r\n \"DeleteEntity\", \"FileModified\"\r\n ,\r\n \"InsertEntity\", \"FileModified\"\r\n ,\r\n \"InsertOrMergeEntity\", \"FileModified\"\r\n ,\r\n \"InsertOrReplaceEntity\", \"FileModified\"\r\n ,\r\n \"QueryEntity\", \"FileAccessed\"\r\n ,\r\n \"QueryEntities\", \"FileAccessed\"\r\n ,\r\n \"QueryTable\", \"FileAccessed\"\r\n ,\r\n \"QueryTables\", \"FileAccessed\"\r\n ,\r\n \"UpdateEntity\", \"FileModified\"\r\n ,\r\n \"MergeEntity\", \"FileModified\"\r\n];\r\n StorageTableLogs\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated see lookup below\r\n ,\r\n 
EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \r\n ,\r\n EventOriginalUid = CorrelationId\r\n ,\r\n EventOriginalType=OperationName\r\n ,\r\n EventProduct='Azure File Storage' \r\n ,\r\n EventVendor='Microsoft'\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n TargetFilePath=tostring(split(Uri, '?')[0]) \r\n ,\r\n TargetFilePathType='URL'\r\n ,\r\n TargetUrl=Uri\r\n ,\r\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\r\n ,\r\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\r\n ,\r\n HttpUserAgent=UserAgentHeader\r\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\r\n | lookup tableoperations on OperationName\r\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\r\n // Aliases\r\n | extend \r\n FilePath=TargetFilePath\r\n};\r\nparser\r\n(\r\n starttime=starttime, \r\n endtime=endtime, \r\n eventtype_in=eventtype_in,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n actorusername_has_any=actorusername_has_any,\r\n targetfilepath_has_any=targetfilepath_has_any,\r\n srcfilepath_has_any=srcfilepath_has_any,\r\n hashes_has_any=hashes_has_any,\r\n dvchostname_has_any=dvchostname_has_any,\r\n disabled=disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), eventtype_in:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), targetfilepath_has_any:dynamic = dynamic([]), srcfilepath_has_any:dynamic = dynamic([]), hashes_has_any:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), disabled:bool = false","description":"File Activity ASIM filtering parser for Azure Table Storage.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"224cf01f-0221-5923-abf8-1cc94412bff9","name":"_Im_FileEvent_EmptyV01","body":"let FileEvent=datatable(\r\n _ResourceId:string,\r\n ActingProcessCommandLine:string,\r\n ActingProcessGuid:string,\r\n 
ActingProcessId:string,\r\n ActingProcessName:string,\r\n ActorOriginalUserType:string,\r\n ActorScope:string,\r\n ActorScopeId:string,\r\n ActorSessionId:string,\r\n ActorUserAadId:string,\r\n ActorUserId:string,\r\n ActorUserIdType:string,\r\n ActorUsername:string,\r\n ActorUsernameType:string,\r\n ActorUserSid:string,\r\n ActorUserType:string,\r\n AdditionalFields:dynamic,\r\n Application:string,\r\n Dvc:string,\r\n DvcAction:string,\r\n DvcDescription:string,\r\n DvcDomain:string,\r\n DvcDomainType:string,\r\n DvcFQDN:string,\r\n DvcHostname:string,\r\n DvcId:string,\r\n DvcIdType:string,\r\n DvcInterface:string,\r\n DvcIpAddr:string,\r\n DvcMacAddr:string,\r\n DvcOriginalAction:string,\r\n DvcOs:string,\r\n DvcOsVersion:string,\r\n DvcScopeId:string,\r\n DvcScope:string,\r\n DvcZone:string,\r\n EventCount:int,\r\n EventEndTime:datetime,\r\n EventMessage:string,\r\n EventOriginalResultDetails:string,\r\n EventOriginalSeverity:string,\r\n EventOriginalSubType:string,\r\n EventOriginalType:string,\r\n EventOriginalUid:string,\r\n EventOwner:string,\r\n EventProduct:string,\r\n EventProductVersion:string,\r\n EventReportUrl:string,\r\n EventResult:string,\r\n EventSchema:string,\r\n EventSchemaVersion:string,\r\n EventSeverity:string,\r\n EventStartTime:datetime,\r\n EventType:string,\r\n EventUid:string,\r\n EventVendor:string,\r\n EventSubType:string,\r\n EventResultDetails:string,\r\n FileName:string,\r\n FilePath:string,\r\n Hash:string,\r\n HashType:string,\r\n HttpUserAgent:string,\r\n IpAddr:string,\r\n NetworkApplicationProtocol:string,\r\n Process:string,\r\n Rule:string,\r\n RuleName:string,\r\n RuleNumber:int,\r\n Src:string,\r\n SrcDescription:string,\r\n SrcDeviceType:string,\r\n SrcDomain:string,\r\n SrcDomainType:string,\r\n SrcDvcId:string,\r\n SrcDvcIdType:string,\r\n SrcDvcScope:string,\r\n SrcDvcScopeId:string,\r\n SrcFileCreationTime:datetime,\r\n SrcFileDirectory:string,\r\n SrcFileExtension:string,\r\n SrcFileMD5:string,\r\n 
SrcFileMimeType:string,\r\n SrcFileName:string,\r\n SrcFilePath:string,\r\n SrcFilePathType:string,\r\n SrcFileSHA1:string,\r\n SrcFileSHA256:string,\r\n SrcFileSHA512:string,\r\n SrcFileSize:long,\r\n SrcFQDN:string,\r\n SrcGeoCity:string,\r\n SrcGeoCountry:string,\r\n SrcGeoLatitude:real,\r\n SrcGeoLongitude:real,\r\n SrcGeoRegion:string,\r\n SrcHostname:string,\r\n SrcIpAddr:string,\r\n SrcPortNumber:int,\r\n SrcMacAddr:string,\r\n SrcRiskLevel:int,\r\n SrcOriginalRiskLevel:string,\r\n TargetAppId:string,\r\n TargetAppName:string,\r\n TargetAppType:string,\r\n TargetOriginalAppType:string,\r\n TargetFileCreationTime:datetime,\r\n TargetFileDirectory:string,\r\n TargetFileExtension:string,\r\n TargetFileMD5:string,\r\n TargetFileMimeType:string,\r\n TargetFileName:string,\r\n TargetFilePath:string,\r\n TargetFilePathType:string,\r\n TargetFileSHA1:string,\r\n TargetFileSHA256:string,\r\n TargetFileSHA512:string,\r\n TargetFileSize:long,\r\n TargetUrl:string,\r\n ThreatCategory:string,\r\n ThreatConfidence:int,\r\n ThreatField:string,\r\n ThreatFilePath:string,\r\n ThreatFirstReportedTime:datetime,\r\n ThreatId:string,\r\n ThreatIpAddr:string,\r\n ThreatIsActive:bool,\r\n ThreatLastReportedTime:datetime,\r\n ThreatName:string,\r\n ThreatOriginalConfidence:string,\r\n ThreatOriginalRiskLevel:string,\r\n ThreatRiskLevel:int,\r\n TimeGenerated:datetime,\r\n Type:string,\r\n Url:string,\r\n User:string,\r\n ActorUserPuid:string,\r\n ActorUpn:string,\r\n Dst:string\r\n)[];\r\nFileEvent","description":"File Event ASIM schema function.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"1255cda1-6244-5213-9ac0-e9c70be77046","name":"_Im_FileEvent_EmptyV02","body":"let FileEvent=datatable(\r\n TimeGenerated:datetime,\r\n _ResourceId:string,\r\n Type:string,\r\n ActingAppId:string,\r\n ActingAppName:string,\r\n ActingAppType:string,\r\n ActingProcessCommandLine:string,\r\n ActingProcessGuid:string,\r\n 
ActingProcessId:string,\r\n ActingProcessName:string,\r\n ActorDNUsername:string,\r\n ActorOriginalUserType:string,\r\n ActorScope:string,\r\n ActorScopeId:string,\r\n ActorSessionId:string,\r\n ActorSimpleUsername:string,\r\n ActorUpn:string,\r\n ActorUserAadId:string,\r\n ActorUserAWSId:string,\r\n ActorUserId:string,\r\n ActorUserIdType:string,\r\n ActorUsername:string,\r\n ActorUsernameType:string,\r\n ActorUserOktaId:string,\r\n ActorUserPuid:string,\r\n ActorUserSid:string,\r\n ActorUserType:string,\r\n ActorUserUid:string,\r\n ActorUserUpn:string,\r\n ActorWindowsUsername:string,\r\n AdditionalFields:dynamic,\r\n Application:string,\r\n Dst:string,\r\n Dvc:string,\r\n DvcAction:string,\r\n DvcDescription:string,\r\n DvcDomain:string,\r\n DvcDomainType:string,\r\n DvcFQDN:string,\r\n DvcHostname:string,\r\n DvcId:string,\r\n DvcIdType:string,\r\n DvcInterface:string,\r\n DvcIpAddr:string,\r\n DvcMacAddr:string,\r\n DvcOriginalAction:string,\r\n DvcOs:string,\r\n DvcOsVersion:string,\r\n DvcScope:string,\r\n DvcScopeId:string,\r\n DvcZone:string,\r\n EventCount:int,\r\n EventEndTime:datetime,\r\n EventMessage:string,\r\n EventOriginalResultDetails:string,\r\n EventOriginalSeverity:string,\r\n EventOriginalSubType:string,\r\n EventOriginalType:string,\r\n EventOriginalUid:string,\r\n EventOwner:string,\r\n EventProduct:string,\r\n EventProductVersion:string,\r\n EventReportUrl:string,\r\n EventResult:string,\r\n EventResultDetails:string,\r\n EventSchema:string,\r\n EventSchemaVersion:string,\r\n EventSeverity:string,\r\n EventStartTime:datetime,\r\n EventSubType:string,\r\n EventType:string,\r\n EventUid:string,\r\n EventVendor:string,\r\n FileName:string,\r\n FilePath:string,\r\n Hash:string,\r\n HashType:string,\r\n HttpUserAgent:string,\r\n IpAddr:string,\r\n NetworkApplicationProtocol:string,\r\n Process:string,\r\n Rule:string,\r\n RuleName:string,\r\n RuleNumber:int,\r\n Src:string,\r\n SrcDescription:string,\r\n SrcDeviceType:string,\r\n 
SrcDomain:string,\r\n SrcDomainType:string,\r\n SrcDvcId:string,\r\n SrcDvcIdType:string,\r\n SrcDvcScope:string,\r\n SrcDvcScopeId:string,\r\n SrcFileCreationTime:datetime,\r\n SrcFileDirectory:string,\r\n SrcFileExtension:string,\r\n SrcFileMD5:string,\r\n SrcFileMimeType:string,\r\n SrcFileName:string,\r\n SrcFilePath:string,\r\n SrcFilePathType:string,\r\n SrcFileSHA1:string,\r\n SrcFileSHA256:string,\r\n SrcFileSHA512:string,\r\n SrcFileSize:long,\r\n SrcFQDN:string,\r\n SrcGeoCity:string,\r\n SrcGeoCountry:string,\r\n SrcGeoLatitude:real,\r\n SrcGeoLongitude:real,\r\n SrcGeoRegion:string,\r\n SrcHostname:string,\r\n SrcIpAddr:string,\r\n SrcPortNumber:int,\r\n TargetAppId:string,\r\n TargetAppName:string,\r\n TargetAppType:string,\r\n TargetFileCreationTime:datetime,\r\n TargetFileDirectory:string,\r\n TargetFileExtension:string,\r\n TargetFileMD5:string,\r\n TargetFileMimeType:string,\r\n TargetFileName:string,\r\n TargetFilePath:string,\r\n TargetFilePathType:string,\r\n TargetFileSHA1:string,\r\n TargetFileSHA256:string,\r\n TargetFileSHA512:string,\r\n TargetFileSize:long,\r\n TargetOriginalAppType:string,\r\n TargetUrl:string,\r\n ThreatCategory:string,\r\n ThreatConfidence:int,\r\n ThreatField:string,\r\n ThreatFilePath:string,\r\n ThreatFirstReportedTime:datetime,\r\n ThreatId:string,\r\n ThreatIpAddr:string,\r\n ThreatIsActive:bool,\r\n ThreatLastReportedTime:datetime,\r\n ThreatName:string,\r\n ThreatOriginalConfidence:string,\r\n ThreatOriginalRiskLevel:string,\r\n ThreatRiskLevel:int,\r\n Url:string,\r\n User:string\r\n)[];\r\nFileEvent","description":"File Event ASIM schema function.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"421a3eaf-8242-501c-a0e1-71f1d4352bae","name":"_Im_FileEvent_GoogleWorkspaceV01","body":"let parser = (\r\n starttime: datetime = datetime(null)\r\n , endtime: datetime = datetime(null)\r\n , eventtype_in: dynamic = dynamic([])\r\n , srcipaddr_has_any_prefix: 
dynamic = dynamic([])\r\n , actorusername_has_any: dynamic = dynamic([])\r\n , targetfilepath_has_any: dynamic = dynamic([])\r\n , srcfilepath_has_any: dynamic = dynamic([])\r\n , hashes_has_any: dynamic = dynamic([])\r\n , dvchostname_has_any: dynamic = dynamic([])\r\n , disabled: bool = false\r\n ) {\r\n let GoogleWorkspaceSchema = datatable (\r\n event_name_s: string,\r\n event_type_s: string,\r\n id_uniqueQualifier_s: string,\r\n actor_email_s: string,\r\n actor_profileId_s: string,\r\n IPAddress: string,\r\n doc_type_s: string,\r\n doc_title_s: string,\r\n originating_app_id_s: string,\r\n id_applicationName_s: string,\r\n old_value_s: string,\r\n new_value_s: string,\r\n destination_folder_title_s: string,\r\n source_folder_title_s: string,\r\n copy_type_s: string,\r\n target_user_s: string,\r\n doc_id_s: string,\r\n primary_event_b: bool,\r\n billable_b: bool,\r\n owner_s: string,\r\n owner_is_shared_drive_b: bool,\r\n is_encrypted_b: bool,\r\n visibility_s: string,\r\n shared_drive_id_s: string,\r\n destination_folder_id_s: string,\r\n source_folder_id_s: string,\r\n TimeGenerated: datetime,\r\n _ResourceId: string,\r\n Computer: string,\r\n MG: string,\r\n ManagementGroupName: string,\r\n RawData: string,\r\n SourceSystem: string,\r\n TenantId: string,\r\n _ItemId: string\r\n)[];\r\n let EventFieldsLookup = datatable (\r\n EventOriginalSubType: string,\r\n EventType: string,\r\n EventSubType: string\r\n)\r\n [\r\n \"download\", \"FileAccessed\", \"Download\",\r\n \"edit\", \"FileModified\", \"Checkin\",\r\n \"upload\", \"FileCreated\", \"Upload\",\r\n \"create\", \"FileCreated\", \"Checkin\",\r\n \"rename\", \"FileRenamed\", \"\",\r\n \"view\", \"FileAccessed\", \"Preview\",\r\n \"preview\", \"FileAccessed\", \"Preview\",\r\n \"copy\", \"FileCopied\", \"\",\r\n \"source_copy\", \"FileCopied\", \"\",\r\n \"delete\", \"FileDeleted\", \"\",\r\n \"trash\", \"FileDeleted\", \"Recycle\",\r\n \"move\", \"FileMoved\", \"\",\r\n \"untrash\", 
\"FileCreatedOrModified\", \"Checkin\",\r\n \"deny_access_request\", \"FileAccessed\", \"Preview\",\r\n \"expire_access_request\", \"FileAccessed\", \"Preview\",\r\n \"request_access\", \"FileAccessed\", \"Preview\",\r\n \"add_to_folder\", \"FileCreated\", \"Checkin\",\r\n \"approval_canceled\", \"FileAccessed\", \"\",\r\n \"approval_comment_added\", \"FileAccessed\", \"\",\r\n \"approval_completed\", \"FileAccessed\", \"Preview\",\r\n \"approval_decisions_reset\", \"FileAccessed\", \"\",\r\n \"approval_due_time_change\", \"FileAccessed\", \"\",\r\n \"approval_requested\", \"FileAccessed\", \"Preview\",\r\n \"approval_reviewer_change\", \"FileAccessed\", \"\",\r\n \"approval_reviewer_responded\", \"FileAccessed\", \"\",\r\n \"create_comment\", \"FileModified\", \"Checkin\",\r\n \"delete_comment\", \"FileModified\", \"Checkin\",\r\n \"edit_comment\", \"FileModified\", \"Checkin\",\r\n \"reassign_comment\", \"FileModified\", \"Checkin\",\r\n \"reopen_comment\", \"FileModified\", \"Checkin\",\r\n \"resolve_comment\", \"FileModified\", \"Checkin\",\r\n \"add_lock\", \"FileModified\", \"\",\r\n \"print\", \"FileAccessed\", \"Print\",\r\n \"remove_from_folder\", \"FileDeleted\", \"\",\r\n \"remove_lock\", \"FileModified\", \"\",\r\n];\r\n let SupportedEventNames = EventFieldsLookup\r\n | project EventOriginalSubType;\r\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_drive_CL\r\n | where not(disabled)\r\n // -- Pre filtering\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated 11')\r\n // pre-filtering\r\n | where ((array_length(eventtype_in) == 0) or ('FileCreated' in~ (eventtype_in))) and\r\n (array_length(srcipaddr_has_any_prefix) == 0) and\r\n ((array_length(actorusername_has_any) == 0) or (SyslogMessage has_any (actorusername_has_any))) and\r\n ((array_length(targetfilepath_has_any) == 0) or (SyslogMessage has_any 
(targetfilepath_has_any))) and\r\n ((array_length(srcfilepath_has_any) == 0)) and\r\n (array_length(hashes_has_any) == 0) and \r\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) \r\n | parse SyslogMessage with *\r\n ''msgEventRecordID: string''\r\n *\r\n //''msgComputer:string''\r\n ''\r\n * \r\n ''msgProcessGuid: string''\r\n ''msgProcessId: string''\r\n ''msgImage: string''\r\n ''msgTargetFileName: string''\r\n ''msgCreationUtcTime: datetime''*\r\n | where ((array_length(targetfilepath_has_any) == 0) or (msgTargetFileName has_any (targetfilepath_has_any)))\r\n | parse SyslogMessage with *''ActorUsername ''*\r\n | where ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any)))\r\n | extend\r\n EventCount=int(1)\r\n ,\r\n EventStartTime =TimeGenerated \r\n ,\r\n EventEndTime=TimeGenerated\r\n ,\r\n EventType = 'FileCreated'\r\n ,\r\n EventResult ='Success'\r\n ,\r\n EventOriginalType ='11' \r\n ,\r\n EventProduct='Sysmon for Linux'\r\n ,\r\n EventProductVersion='v13.22'\r\n ,\r\n EventVendor ='Microsoft'\r\n ,\r\n EventSchemaVersion ='0.1.0'\r\n ,\r\n DvcOs = 'Linux'\r\n ,\r\n TargetFilePathType='Unix'\r\n ,\r\n ActorUserType = iff(isnotempty(ActorUsername), 'Simple', '') // make sure user type is okay\r\n | project-rename\r\n DvcHostname=Computer\r\n ,\r\n EventOriginalUid=msgEventRecordID\r\n ,\r\n ActingProcessName =msgImage\r\n ,\r\n ActingProcessId=msgProcessId\r\n ,\r\n ActingProcessGuid=msgProcessGuid\r\n ,\r\n TargetFilePath =msgTargetFileName\r\n ,\r\n TargetFileCreationTime =msgCreationUtcTime\r\n // ------ Alias\r\n | extend\r\n Process=ActingProcessName\r\n ,\r\n FilePath=TargetFilePath\r\n ,\r\n Dvc = DvcHostname\r\n ,\r\n User = ActorUsername\r\n | project-away SyslogMessage\r\n};\r\nparser (\r\n starttime=starttime, \r\n endtime=endtime, \r\n eventtype_in=eventtype_in,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n actorusername_has_any=actorusername_has_any,\r\n 
targetfilepath_has_any=targetfilepath_has_any,\r\n srcfilepath_has_any=srcfilepath_has_any,\r\n hashes_has_any=hashes_has_any,\r\n dvchostname_has_any=dvchostname_has_any,\r\n disabled=disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), eventtype_in:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), targetfilepath_has_any:dynamic = dynamic([]), srcfilepath_has_any:dynamic = dynamic([]), hashes_has_any:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), disabled:bool = false","description":"File create Activity ASIM filtering parser for Sysmon for Linux.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"8b81bec8-5153-5410-99d9-c3540fb3da49","name":"_Im_FileEvent_LinuxSysmonFileDeletedV02","body":"let parser=(\r\n starttime: datetime=datetime(null),\r\n endtime: datetime=datetime(null),\r\n eventtype_in: dynamic=dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\r\n actorusername_has_any: dynamic=dynamic([]),\r\n targetfilepath_has_any: dynamic=dynamic([]),\r\n srcfilepath_has_any: dynamic=dynamic([]),\r\n hashes_has_any: dynamic=dynamic([]),\r\n dvchostname_has_any: dynamic=dynamic([]),\r\n disabled: bool=false\r\n ) {\r\n Syslog\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated 23', '26')\r\n // pre-filtering\r\n | where ((array_length(eventtype_in) == 0) or ('FileDeleted' in~ (eventtype_in))) and\r\n (array_length(srcipaddr_has_any_prefix) == 0) and\r\n ((array_length(actorusername_has_any) == 0) or (SyslogMessage has_any (actorusername_has_any))) and\r\n ((array_length(targetfilepath_has_any) == 0) or (SyslogMessage has_any (targetfilepath_has_any))) and\r\n (array_length(srcfilepath_has_any) == 0) and\r\n (array_length(hashes_has_any) == 0) and\r\n (array_length(dvchostname_has_any) 
== 0 or Computer has_any (dvchostname_has_any))\r\n | parse SyslogMessage with \r\n ''msgEventId: string''\r\n *\r\n ''msgEventRecordID: string''\r\n *\r\n ''msgComputer: string''\r\n ''\r\n *\r\n '{'msgProcessGuid: string'}'\r\n ''msgProcessId: string''\r\n ''msgUser: string''\r\n ''msgImage: string''\r\n ''msgTargetFilename: string''\r\n ''msgHashes: string'' *\r\n // post-filtering\r\n | where ((array_length(actorusername_has_any) == 0) or (msgUser has_any (actorusername_has_any))) and\r\n ((array_length(targetfilepath_has_any) == 0) or (msgTargetFilename has_any (targetfilepath_has_any)))\r\n | extend\r\n EventCount=int(1)\r\n ,\r\n EventStartTime =TimeGenerated\r\n ,\r\n EventEndTime=TimeGenerated\r\n ,\r\n EventType = 'FileDeleted'\r\n ,\r\n EventResult ='Success' \r\n ,\r\n EventProduct='Sysmon for Linux'\r\n ,\r\n EventProductVersion='v13.22' \r\n ,\r\n EventVendor ='Microsoft'\r\n ,\r\n EventSchemaVersion ='0.1.0'\r\n ,\r\n DvcOs = 'Linux'\r\n ,\r\n TargetFilePathType='Unix'\r\n ,\r\n ActorUsernameType='Simple'\r\n | project-rename\r\n DvcHostname=Computer\r\n ,\r\n EventOriginalUid=msgEventRecordID\r\n ,\r\n EventOriginalType =msgEventId \r\n ,\r\n ActorUsername=msgUser\r\n ,\r\n ActingProcessName =msgImage\r\n ,\r\n ActingProcessId=msgProcessId\r\n ,\r\n ActingProcessGuid=msgProcessGuid\r\n ,\r\n TargetFilePath =msgTargetFilename\r\n // ------ Alias\r\n | extend\r\n Process=ActingProcessName\r\n ,\r\n FilePath=TargetFilePath\r\n ,\r\n Dvc =DvcHostname\r\n ,\r\n User=ActorUsername\r\n | project-away SyslogMessage\r\n};\r\nparser (\r\n starttime=starttime, \r\n endtime=endtime, \r\n eventtype_in=eventtype_in,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n actorusername_has_any=actorusername_has_any,\r\n targetfilepath_has_any=targetfilepath_has_any,\r\n srcfilepath_has_any=srcfilepath_has_any,\r\n hashes_has_any=hashes_has_any,\r\n dvchostname_has_any=dvchostname_has_any,\r\n disabled=disabled\r\n)\r\n","parameters":"starttime:datetime = 
datetime(null), endtime:datetime = datetime(null), eventtype_in:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), targetfilepath_has_any:dynamic = dynamic([]), srcfilepath_has_any:dynamic = dynamic([]), hashes_has_any:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), disabled:bool = false","description":"File delete activity ASIM filtering parser for Sysmon for Linux.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"d6059a71-ae14-5e4e-8cfb-1ff54c3eb450","name":"_Im_FileEvent_Microsoft365DV02","body":"let protocols = dynamic(['smb']);\r\nlet parser=(\r\n starttime: datetime=datetime(null),\r\n endtime: datetime=datetime(null),\r\n eventtype_in: dynamic=dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\r\n actorusername_has_any: dynamic=dynamic([]),\r\n targetfilepath_has_any: dynamic=dynamic([]),\r\n srcfilepath_has_any: dynamic=dynamic([]),\r\n hashes_has_any: dynamic=dynamic([]),\r\n dvchostname_has_any: dynamic=dynamic([]),\r\n disabled: bool=false\r\n ) {\r\n let remote_events = \r\n DeviceFileEvents\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n | project-rename \r\n ActingProcessGuid = ProcessGuid,\r\n ActingProcessId = ProcessId,\r\n ActorUsername = User,\r\n ActingProcessName = Image,\r\n TargetFileCreationTime=CreationUtcTime,\r\n TargetFilePath=TargetFilename,\r\n EventStartTime=UtcTime\r\n // Filter for ActorUsername and TargetFilePath\r\n | where ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))) and \r\n 
((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)))\r\n | project-away EventData\r\n};\r\n //\r\n // -- WindowsEvent parser\r\n let WindowsEventParser=() {\r\n WindowsEvent \r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n | project-rename \r\n ActingProcessGuid = ProcessGuid,\r\n ActingProcessId = ProcessId,\r\n ActorUsername = User,\r\n ActingProcessName = Image,\r\n TargetFileCreationTime=CreationUtcTime,\r\n TargetFilePath=TargetFilename,\r\n EventStartTime=UtcTime\r\n // Filter for ActorUsername and TargetFilePath\r\n | where ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))) and \r\n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)))\r\n | project-away EventData\r\n};\r\n EventParser \r\n | project-rename\r\n DvcHostname = Computer,\r\n DvcScopeId = _SubscriptionId,\r\n DvcId = _ResourceId\r\n | extend\r\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\r\n EventProduct = 'Sysmon',\r\n EventVendor = 'Microsoft',\r\n EventSchema = 'FileEvent',\r\n EventSchemaVersion = '0.2.1',\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n DvcOs='Windows',\r\n TargetFilePathType = 'Windows',\r\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\r\n EventCount = int(1),\r\n EventEndTime = EventStartTime,\r\n EventOriginalType = tostring(EventID),\r\n TargetFileName = tostring(split(TargetFilePath, '\\\\')[-1]),\r\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\r\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\r\n EventUid = _ItemId\r\n | parse-kv Hashes as (\r\n MD5: string,\r\n SHA1: string,\r\n IMPHASH: string,\r\n SHA256: string\r\n )\r\n | project-rename\r\n TargetFileMD5 = MD5,\r\n TargetFileSHA1 = SHA1,\r\n 
TargetFileIMPHASH = IMPHASH,\r\n TargetFileSHA256 = SHA256\r\n // Filter for hash\r\n | where (array_length(hashes_has_any) == 0)\r\n or (TargetFileMD5 has_any (hashes_has_any))\r\n or (TargetFileSHA1 has_any (hashes_has_any))\r\n or (TargetFileIMPHASH has_any (hashes_has_any))\r\n or (TargetFileSHA256 has_any (hashes_has_any))\r\n | extend\r\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\r\n | extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH), Hash)])\r\n // -- Typed entity identifiers\r\n | extend\r\n ActorWindowsUsername = ActorUsername\r\n // -- Aliases\r\n | extend\r\n Process = ActingProcessName,\r\n Dvc = DvcHostname,\r\n FilePath = TargetFilePath,\r\n FileName = TargetFileName,\r\n User = ActorUsername\r\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\r\n};\r\nparser (\r\n starttime=starttime, \r\n endtime=endtime, \r\n eventtype_in=eventtype_in,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n actorusername_has_any=actorusername_has_any,\r\n targetfilepath_has_any=targetfilepath_has_any,\r\n srcfilepath_has_any=srcfilepath_has_any,\r\n hashes_has_any=hashes_has_any,\r\n dvchostname_has_any=dvchostname_has_any,\r\n disabled=disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), eventtype_in:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), targetfilepath_has_any:dynamic = dynamic([]), srcfilepath_has_any:dynamic = dynamic([]), hashes_has_any:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), disabled:bool = false","description":"File event ASIM filtering parser for Windows 
Sysmon.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"1af05a29-0c94-5018-b197-e7d99ce83356","name":"_Im_FileEvent_MicrosoftSysmonWindowsEventV05","body":"let parser = (\r\n starttime: datetime=datetime(null),\r\n endtime: datetime=datetime(null),\r\n eventtype_in: dynamic=dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\r\n actorusername_has_any: dynamic=dynamic([]),\r\n targetfilepath_has_any: dynamic=dynamic([]),\r\n srcfilepath_has_any: dynamic=dynamic([]),\r\n hashes_has_any: dynamic=dynamic([]),\r\n dvchostname_has_any: dynamic=dynamic([]),\r\n disabled: bool=false\r\n ) {\r\n //\r\n // -- WindowsEvent parser\r\n let WindowsEventParser=() {\r\n WindowsEvent \r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) and (isnull(endtime) or TimeGenerated EventEndTime\r\n _ResourceId:string,\r\n Type:string,\r\n// ****** Event fields ******\r\n EventType:string,\r\n EventSubType:string,\r\n EventProduct:string,\r\n EventResult:string,\r\n EventResultDetails:string,\r\n EventOriginalSubType:string,\r\n EventOriginalResultDetails:string,\r\n EventSeverity:string,\r\n EventOriginalSeverity:string,\r\n EventSchema:string,\r\n EventOwner:string,\r\n EventProductVersion:string, \r\n EventCount:int, \r\n EventMessage:string, \r\n EventVendor:string, \r\n EventSchemaVersion:string, \r\n EventOriginalUid:string, \r\n EventOriginalType:string,\r\n EventStartTime:datetime, \r\n EventEndTime:datetime, \r\n EventReportUrl:string, \r\n AdditionalFields:dynamic, \r\n //****** RegistryFields ****** \r\n RegistryKey:string,\r\n RegistryValue:string,\r\n RegistryValueType:string,\r\n RegistryValueData:string,\r\n RegistryPreviousKey:string,\r\n 
RegistryPreviousValue:string,\r\n RegistryPreviousValueType:string,\r\n RegistryPreviousValueData:string,\r\n //****** Device fields ******\r\n DvcId:string, \r\n DvcHostname:string, \r\n DvcIpAddr:string, \r\n DvcOs:string, \r\n DvcOsVersion:string, \r\n DvcMacAddr:string,\r\n DvcFQDN:string,\r\n DvcDomain:string,\r\n DvcDomainType:string,\r\n DvcDescription:string,\r\n DvcZone:string,\r\n DvcAction:string,\r\n DvcOriginalAction:string,\r\n DvcInterface:string,\r\n DvcScopeId:string,\r\n DvcScope:string,\r\n DvcIdType:string,\r\n // -- User fields\r\n ActorUsername:string, \r\n ActorUsernameType:string, \r\n ActorUserId:string, \r\n ActorUserIdType:string, \r\n ActorSessionId:string,\r\n ActorUserAadId:string,\r\n ActorUserSid:string,\r\n ActorScopeId:string,\r\n ActorScope:string,\r\n ActorUserType:string,\r\n ActorOriginalUserType:string,\r\n ActingProcessCommandLine:string,\r\n //****** Process fields ******\r\n ActingProcessName:string,\r\n ActingProcessId:string,\r\n ActingProcessGuid:string,\r\n ParentProcessName:string,\r\n ParentProcessId:string,\r\n ParentProcessGuid:string,\r\n ParentProcessCommandLine:string,\r\n //****** Inspection fields ******\r\n RuleName:string,\r\n RuleNumber:int,\r\n ThreatId:string,\r\n ThreatName:string,\r\n ThreatCategory:string,\r\n ThreatRiskLevel:int,\r\n ThreatOriginalRiskLevel:string,\r\n ThreatConfidence:int,\r\n ThreatOriginalConfidence:string,\r\n ThreatIsActive:bool,\r\n ThreatFirstReportedTime:datetime,\r\n ThreatLastReportedTime:datetime,\r\n ThreatField:string,\r\n //****** aliases ****** \r\n Dvc:string,\r\n User:string,\r\n Process:string,\r\n Src:string,\r\n Dst:string\r\n )[];\r\n EmptyNewRegistryEvents","description":"Registry Event ASIM schema function.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"92893c93-bc5c-5379-a55c-6606ef842d92","name":"_Im_RegistryEvent_EmptyV02","body":"let EmptyNewRegistryEvents = datatable(\r\n 
TimeGenerated:datetime,\r\n _ResourceId:string,\r\n Type:string,\r\n ActingProcessCommandLine:string,\r\n ActingProcessGuid:string,\r\n ActingProcessId:string,\r\n ActingProcessName:string,\r\n ActorDNUsername:string,\r\n ActorOriginalUserType:string,\r\n ActorScope:string,\r\n ActorScopeId:string,\r\n ActorSessionId:string,\r\n ActorSimpleUsername:string,\r\n ActorUserAadId:string,\r\n ActorUserAWSId:string,\r\n ActorUserId:string,\r\n ActorUserIdType:string,\r\n ActorUsername:string,\r\n ActorUsernameType:string,\r\n ActorUserOktaId:string,\r\n ActorUserPuid:string,\r\n ActorUserSid:string,\r\n ActorUserType:string,\r\n ActorUserUid:string,\r\n ActorUserUpn:string,\r\n ActorWindowsUsername:string,\r\n AdditionalFields:dynamic,\r\n Dst:string,\r\n Dvc:string,\r\n DvcAction:string,\r\n DvcDescription:string,\r\n DvcDomain:string,\r\n DvcDomainType:string,\r\n DvcFQDN:string,\r\n DvcHostname:string,\r\n DvcId:string,\r\n DvcIdType:string,\r\n DvcInterface:string,\r\n DvcIpAddr:string,\r\n DvcMacAddr:string,\r\n DvcOriginalAction:string,\r\n DvcOs:string,\r\n DvcOsVersion:string,\r\n DvcScope:string,\r\n DvcScopeId:string,\r\n DvcZone:string,\r\n EventCount:int,\r\n EventEndTime:datetime,\r\n EventMessage:string,\r\n EventOriginalResultDetails:string,\r\n EventOriginalSeverity:string,\r\n EventOriginalSubType:string,\r\n EventOriginalType:string,\r\n EventOriginalUid:string,\r\n EventOwner:string,\r\n EventProduct:string,\r\n EventProductVersion:string,\r\n EventReportUrl:string,\r\n EventResult:string,\r\n EventResultDetails:string,\r\n EventSchema:string,\r\n EventSchemaVersion:string,\r\n EventSeverity:string,\r\n EventStartTime:datetime,\r\n EventSubType:string,\r\n EventType:string,\r\n EventUid:string,\r\n EventVendor:string,\r\n ParentProcessGuid:string,\r\n ParentProcessId:string,\r\n ParentProcessName:string,\r\n Process:string,\r\n RegistryKey:string,\r\n RegistryPreviousKey:string,\r\n RegistryPreviousValue:string,\r\n RegistryPreviousValueData:string,\r\n 
RegistryPreviousValueType:string,\r\n RegistryValue:string,\r\n RegistryValueData:string,\r\n RegistryValueType:string,\r\n Rule:string,\r\n RuleName:string,\r\n RuleNumber:int,\r\n Src:string,\r\n ThreatCategory:string,\r\n ThreatConfidence:int,\r\n ThreatField:string,\r\n ThreatFirstReportedTime:datetime,\r\n ThreatId:string,\r\n ThreatIsActive:bool,\r\n ThreatLastReportedTime:datetime,\r\n ThreatName:string,\r\n ThreatOriginalConfidence:string,\r\n ThreatOriginalRiskLevel:string,\r\n ThreatRiskLevel:int,\r\n User:string\r\n )[];\r\n EmptyNewRegistryEvents","description":"Registry Event ASIM schema function.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"3589c230-1df7-54c2-b179-7780bafa7229","name":"_Im_RegistryEvent_Microsoft365DV01","body":"let RegistryType = datatable (TypeCode: string, TypeName: string)\r\n [\r\n \"None\", \"Reg_None\",\r\n \"String\", \"Reg_Sz\",\r\n \"ExpandString\", \"Reg_Expand_Sz\",\r\n \"Binary\", \"Reg_Binary\",\r\n \"Dword\", \"Reg_DWord\",\r\n \"MultiString\", \"Reg_Multi_Sz\",\r\n \"QWord\", \"Reg_QWord\"\r\n];\r\nlet parser = (\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null),\r\n eventtype_in: dynamic=dynamic([]),\r\n actorusername_has_any: dynamic=dynamic([]),\r\n registrykey_has_any: dynamic =dynamic([]),\r\n registryvalue_has_any: dynamic =dynamic([]),\r\n registrydata_has_any: dynamic =dynamic([]),\r\n dvchostname_has_any: dynamic=dynamic([]),\r\n disabled: bool=false\r\n ) {\r\n DeviceRegistryEvents\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated \"S-1-0-0\", \"SID\", \"\"),\r\n ActorUserId = iff (ActorUserId \"S-1-0-0\", ActorUserId, \"\")\r\n | project-rename\r\n DvcDomainType = DomainType\r\n ,\r\n DvcHostname = ExtractedHostname\r\n | 
extend\r\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\r\n ,\r\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\r\n ,\r\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\r\n | extend\r\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\r\n ,\r\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\r\n | extend\r\n User = ActorUsername\r\n ,\r\n UserId = ActorUserId\r\n ,\r\n ActorUserSid = ActorUserId\r\n ,\r\n Process = ActingProcessName\r\n ,\r\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\r\n ,\r\n EventStartTime = TimeGenerated\r\n ,\r\n EventEndTime = TimeGenerated\r\n ,\r\n EventOriginalType = tostring(EventID)\r\n | extend\r\n EventSchemaVersion = \"0.1\"\r\n ,\r\n EventSchema = \"RegistryEvent\"\r\n ,\r\n EventCount = toint(1)\r\n ,\r\n EventResult = \"Success\"\r\n ,\r\n EventVendor = \"Microsoft\"\r\n ,\r\n EventProduct = \"Security Events\"\r\n ,\r\n DvcOs = \"Windows\"\r\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId\r\n};\r\nparser (\r\n starttime = starttime,\r\n endtime = endtime,\r\n eventtype_in = eventtype_in,\r\n actorusername_has_any = actorusername_has_any,\r\n registrykey_has_any = registrykey_has_any,\r\n registryvalue_has_any = registryvalue_has_any,\r\n registrydata_has_any = registrydata_has_any,\r\n dvchostname_has_any= dvchostname_has_any,\r\n disabled = disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), eventtype_in:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), registrykey_has_any:dynamic = dynamic([]), registryvalue_has_any:dynamic = dynamic([]), registrydata_has_any:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), disabled:bool = false","description":"Registry Event ASIM filtering parser for Microsoft Windows Events and Security Events (registry creation 
event).","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"12d89e36-3e8e-5e54-8fd5-ba969eb266e6","name":"_Im_RegistryEvent_MicrosoftSysmonV02","body":"let parser = (\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null),\r\n eventtype_in: dynamic=dynamic([]),\r\n actorusername_has_any: dynamic=dynamic([]),\r\n registrykey_has_any: dynamic =dynamic([]),\r\n registryvalue_has_any: dynamic =dynamic([]),\r\n registrydata_has_any: dynamic =dynamic([]),\r\n dvchostname_has_any: dynamic=dynamic([]),\r\n disabled: bool=false\r\n ) {\r\n let RegistryAction = datatable (EventType: string, NewEventType: string)\r\n [\r\n \"CreateKey\", \"RegistryKeyCreated\",\r\n \"DeleteKey\", \"RegistryKeyDeleted\",\r\n \"DeleteValue\", \"RegistryValueDeleted\", \r\n \"SetValue\", \"RegistryValueSet\",\r\n \"RenameKey\", \"RegistryKeyRenamed\"\r\n ]; \r\n let Hives = datatable (KeyPrefix: string, Hive: string)\r\n [\r\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\r\n \"HKU\", \"HKEY_USERS\", \r\n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \r\n ];\r\n // this is the parser for sysmon from Event table\r\n // Create the raw table from the raw XML file structure\r\n let ParsedRegistryEvent_Event=() {\r\n Event\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated 'RuleName // parsing the XML using the original fields name - for readibliy \r\n ''EventType\r\n ''UtcTime\r\n '{'ProcessGuid\r\n '}'ProcessId\r\n ''Image\r\n ''TargetObject\r\n '' EventDataRemainder \r\n | parse EventDataRemainder with '' Parameter '' ActorUsername '' *\r\n | where (array_length(actorusername_has_any) == 0 or (ActorUsername has_any (actorusername_has_any)))\r\n | project-away EventDataRemainder\r\n // End of XML parse\r\n | extend \r\n EventStartTime = todatetime(TimeGenerated), \r\n EventEndTime = todatetime(TimeGenerated), \r\n EventCount = int(1), \r\n EventVendor 
= \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\", \r\n EventProduct = \"Sysmon\",\r\n EventOriginalType = tostring(EventID), \r\n DvcOs = \"Windows\",\r\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\r\n | project-rename \r\n EventMessage = RenderedDescription, \r\n DvcHostName = Computer, \r\n ActingProcessId = ProcessId,\r\n ActingProcessGuid = ProcessGuid, \r\n ActingProcessName = Image \r\n // Lookup Event Type\r\n | lookup RegistryAction on EventType \r\n | project-rename EventOriginalSubType = EventType\r\n | project-rename EventType = NewEventType\r\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\r\n // Normalize Key Hive\r\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\r\n | lookup Hives on KeyPrefix\r\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\r\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\r\n | lookup Hives on KeyPrefix\r\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\r\n | project-away KeyPrefix, KeyMain, Hive\r\n // Split Key and Value for relevant events \r\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\r\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\r\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\r\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\r\n | extend NewKey = ParsedKey[0][0]\r\n | extend NewValue = ParsedKey[0][1]\r\n | project-away ParsedKey, TargetObject, NewName\r\n // Set normalized registry fields\r\n | extend\r\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\r\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\r\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\r\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\r\n RegistryValueData = iff (EventType 
== \"RegistryValueSet\", Parameter, \"\")\r\n | where (array_length(registrykey_has_any) == 0 or (RegistryKey has_any (registrykey_has_any))) and \r\n (array_length(registryvalue_has_any) == 0 or (RegistryValue has_any (registryvalue_has_any))) and \r\n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any))\r\n | extend // aliases\r\n User = ActorUsername,\r\n Process = ActingProcessName,\r\n Dvc = DvcHostName\r\n | project-away\r\n Parameter,\r\n Value,\r\n Key,\r\n NewKey,\r\n NewValue,\r\n EventData,\r\n ParameterXml\r\n };\r\n // this is the parser for sysmon from WindowsEvent table\r\n let ParsedRegistryEvent_WindowsEvent=() {\r\n WindowsEvent\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated 'RuleName // parsing the XML using the original fields name - for readibliy \r\n ''EventType\r\n ''UtcTime\r\n '{'ProcessGuid\r\n '}'ProcessId\r\n ''Image\r\n ''TargetObject\r\n '' EventDataRemainder \r\n | parse EventDataRemainder with '' Parameter '' ActorUsername '' *\r\n | where (array_length(actorusername_has_any) == 0 or (ActorUsername has_any (actorusername_has_any)))\r\n | project-away EventDataRemainder\r\n // End of XML parse\r\n | extend \r\n EventStartTime = todatetime(TimeGenerated), \r\n EventEndTime = todatetime(TimeGenerated), \r\n EventCount = int(1), \r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\", \r\n EventProduct = \"Sysmon\",\r\n EventOriginalType = tostring(EventID), \r\n DvcOs = \"Windows\",\r\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\r\n | project-rename \r\n EventMessage = RenderedDescription, \r\n DvcHostName = Computer, \r\n ActingProcessId = ProcessId,\r\n ActingProcessGuid = ProcessGuid, \r\n ActingProcessName = Image \r\n // Lookup Event Type\r\n | lookup RegistryAction on EventType \r\n | project-rename 
EventOriginalSubType = EventType\r\n | project-rename EventType = NewEventType\r\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\r\n // Normalize Key Hive\r\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\r\n | lookup Hives on KeyPrefix\r\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\r\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\r\n | lookup Hives on KeyPrefix\r\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\r\n | project-away KeyPrefix, KeyMain, Hive\r\n // Split Key and Value for relevant events \r\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\r\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\r\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\r\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\r\n | extend NewKey = ParsedKey[0][0]\r\n | extend NewValue = ParsedKey[0][1]\r\n | project-away ParsedKey, TargetObject, NewName\r\n // Set normalized registry fields\r\n | extend\r\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\r\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\r\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\r\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\r\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\")\r\n | where (array_length(registrykey_has_any) == 0 or (RegistryKey has_any (registrykey_has_any))) and \r\n (array_length(registryvalue_has_any) == 0 or (RegistryValue has_any (registryvalue_has_any))) and \r\n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any))\r\n | extend // aliases\r\n User = ActorUsername,\r\n Process = ActingProcessName,\r\n Dvc = DvcHostName,\r\n EventResult = \"Success\",\r\n EventSchema = 
\"RegistryEvent\",\r\n Rule = RuleName\r\n | project-away\r\n Parameter,\r\n Value,\r\n Key,\r\n NewKey,\r\n NewValue,\r\n EventData,\r\n ParameterXml,\r\n AzureDeploymentID,DvcHostName,EventCategory,EventID,EventLevelName,EventLevel,EventLog,Hive1,MG,ManagementGroupName,Message,RegistryKeyModified,_ResourceId,RegistryValueModified,Role,SourceSystem,Source,TenantId,UserName,UtcTime\r\n };\r\n ParsedRegistryEvent_Event \r\n };\r\n parser (\r\n starttime = starttime,\r\n endtime = endtime,\r\n eventtype_in = eventtype_in,\r\n actorusername_has_any = actorusername_has_any,\r\n registrykey_has_any = registrykey_has_any,\r\n registryvalue_has_any = registryvalue_has_any,\r\n registrydata_has_any = registrydata_has_any,\r\n dvchostname_has_any= dvchostname_has_any,\r\n disabled = disabled\r\n )","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), eventtype_in:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), registrykey_has_any:dynamic = dynamic([]), registryvalue_has_any:dynamic = dynamic([]), registrydata_has_any:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), disabled:bool = false","description":"Registry Event ASIM filtering parser for Microsoft Sysmon (registry creation event).","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"0cf3c1bf-2658-565e-9154-c468d4e14ddd","name":"_Im_RegistryEvent_MicrosoftSysmonWindowsEventV03","body":"let parser = (\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null),\r\n eventtype_in: dynamic=dynamic([]),\r\n actorusername_has_any: dynamic=dynamic([]),\r\n registrykey_has_any: dynamic =dynamic([]),\r\n registryvalue_has_any: dynamic =dynamic([]),\r\n registrydata_has_any: dynamic =dynamic([]),\r\n dvchostname_has_any: dynamic=dynamic([]),\r\n disabled: bool=false\r\n ) {\r\n let RegistryAction = datatable (EventType: string, NewEventType: string)\r\n [\r\n \"CreateKey\", 
\"RegistryKeyCreated\",\r\n \"DeleteKey\", \"RegistryKeyDeleted\",\r\n \"DeleteValue\", \"RegistryValueDeleted\", \r\n \"SetValue\", \"RegistryValueSet\",\r\n \"RenameKey\", \"RegistryKeyRenamed\"\r\n ]; \r\n let Hives = datatable (KeyPrefix: string, Hive: string)\r\n [\r\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\r\n \"HKU\", \"HKEY_USERS\", \r\n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \r\n ];\r\n // this is the parser for sysmon from WindowsEvent table\r\n let ParsedRegistryEvent_WindowsEvent=() {\r\n WindowsEvent\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated \"S-1-0-0\", \"SID\", \"\"),\r\n ActorUserId = iff (ActorUserId \"S-1-0-0\", ActorUserId, \"\")\r\n | project-rename\r\n DvcDomainType = DomainType\r\n ,\r\n DvcHostname = ExtractedHostname\r\n | extend\r\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\r\n ,\r\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\r\n ,\r\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\r\n | extend\r\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\r\n ,\r\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\r\n | extend\r\n User = ActorUsername\r\n ,\r\n UserId = ActorUserId\r\n ,\r\n ActorUserSid = ActorUserId\r\n ,\r\n Process = ActingProcessName\r\n ,\r\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\r\n ,\r\n EventStartTime = TimeGenerated\r\n ,\r\n EventEndTime = TimeGenerated\r\n ,\r\n EventOriginalType = tostring(EventID)\r\n | extend\r\n EventSchemaVersion = \"0.1\" \r\n ,\r\n EventSchema = \"RegistryEvent\"\r\n ,\r\n EventCount = toint(1)\r\n ,\r\n EventResult = \"Success\"\r\n ,\r\n EventVendor = \"Microsoft\"\r\n ,\r\n EventProduct = \"Security Events\" \r\n ,\r\n 
DvcOs = \"Windows\"\r\n};\r\nparser (\r\n starttime = starttime,\r\n endtime = endtime,\r\n eventtype_in = eventtype_in,\r\n actorusername_has_any = actorusername_has_any,\r\n registrykey_has_any = registrykey_has_any,\r\n registryvalue_has_any = registryvalue_has_any,\r\n registrydata_has_any = registrydata_has_any,\r\n dvchostname_has_any= dvchostname_has_any,\r\n disabled = disabled\r\n)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), eventtype_in:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), registrykey_has_any:dynamic = dynamic([]), registryvalue_has_any:dynamic = dynamic([]), registrydata_has_any:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), disabled:bool = false","description":"Registry Event ASIM filtering parser for Microsoft Windows Events and Security Events (registry key and value create, set, delete and rename events; Sysmon events are read from the WindowsEvent table). Note: in the Security Events branch the final extend sets Dvc to an empty string for hosts whose DvcDomainType is not FQDN, so pivot on DvcHostname rather than Dvc.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"cd7d5892-fe13-5d47-9c11-8ad77413e1d1","name":"_Im_RegistryEvent_MicrosoftWindowsEventV03","body":"let parser = (\r\nstarttime: datetime=datetime(null), \r\nendtime: datetime=datetime(null),\r\neventtype_in: dynamic=dynamic([]),\r\nactorusername_has_any: dynamic=dynamic([]),\r\nregistrykey_has_any: dynamic =dynamic([]),\r\nregistryvalue_has_any: dynamic =dynamic([]),\r\nregistrydata_has_any: dynamic =dynamic([]),\r\ndvchostname_has_any: dynamic=dynamic([]),\r\ndisabled: bool=false\r\n) {\r\nlet ASIM_GetAccountType = (sid: string) { \r\niif ( \r\nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\r\n\"Simple\"\r\n ,\r\n\"Windows\"\r\n)\r\n};\r\n let ASIM_ParseWindowsEvents = (WindowsEvent: (EventData: dynamic)) {\r\n WindowsEvent\r\n | extend\r\n ActorUsername = iif(isnotempty(EventData.SubjectDomainName), strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), EventData.SubjectUserName)\r\n ,\r\n ActorDomainName = 
tostring(EventData.SubjectDomainName)\r\n ,\r\n ActorUserId = tostring(EventData.SubjectUserSid)\r\n ,\r\n ActorSessionId = tostring(EventData.SubjectLogonId)\r\n ,\r\n ActingProcessName = tostring(EventData.ProcessName)\r\n ,\r\n ActingProcessId = tostring(toint(tolong(EventData.ProcessId)))\r\n ,\r\n RegistryKey = iif(\r\n EventData.ObjectName startswith @\"\\REGISTRY\\MACHINE\",\r\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\r\n ,\r\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\r\n )\r\n};\r\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\r\n [\r\n \"0x1\", \"RegistryValueRead\"\r\n ,\r\n \"0x10\", \"RegistryKeyNotify\"\r\n ,\r\n \"0x10000\", \"RegistryKeyDeleted\"\r\n ,\r\n \"0x2\", \"RegistryValueSet\"\r\n ,\r\n \"0x20000\", \"MetadataAccessed\"\r\n ,\r\n \"0x20006\", \"RegistryValueSet\"\r\n ,\r\n \"0x40000\", \"MetadataModified\"\r\n ,\r\n \"0x8\", \"RegistrySubkeyEnumerated\"\r\n];\r\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\r\n [\r\n \"%%1904\", \"RegistryValueSet\"\r\n ,\r\n \"%%1905\", \"RegistryValueSet\"\r\n ,\r\n \"%%1906\", \"RegistryValueDeleted\"\r\n];\r\n let RegistryType = datatable (TypeCode: string, TypeName: string)\r\n [\r\n \"%%1872\", \"REG_NONE\"\r\n ,\r\n \"%%1873\", \"REG_SZ\"\r\n ,\r\n \"%%1874\", \"REG_EXPAND_SZ\"\r\n ,\r\n \"%%1875\", \"REG_BINARY\"\r\n ,\r\n \"%%1876\", \"REG_DWORD\"\r\n ,\r\n \"%%1879\", \"REG_MULTI_SZ\"\r\n ,\r\n \"%%1883\", \"REG_QWORD\"\r\n];\r\n union isfuzzy=false\r\n (\r\n WindowsEvent\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated \"S-1-0-0\", \"SID\", \"\"),\r\n ActorUserId = iff (ActorUserId \"S-1-0-0\", ActorUserId, \"\")\r\n | project-rename\r\n DvcDomainType = DomainType\r\n ,\r\n DvcHostname = 
ExtractedHostname\r\n | extend\r\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\r\n ,\r\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\r\n ,\r\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\r\n | extend\r\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\r\n ,\r\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\r\n | extend\r\n User = ActorUsername\r\n ,\r\n UserId = ActorUserId\r\n ,\r\n ActorUserSid = ActorUserId\r\n ,\r\n Process = ActingProcessName\r\n ,\r\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\r\n ,\r\n EventStartTime = TimeGenerated\r\n ,\r\n EventEndTime = TimeGenerated\r\n ,\r\n EventOriginalType = tostring(EventID)\r\n | extend\r\n EventSchemaVersion = \"0.1\" \r\n ,\r\n EventSchema = \"RegistryEvent\"\r\n ,\r\n EventCount = toint(1)\r\n ,\r\n EventResult = \"Success\"\r\n ,\r\n EventVendor = \"Microsoft\"\r\n ,\r\n EventProduct = \"Security Events\" \r\n ,\r\n DvcOs = \"Windows\"\r\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId\r\n};\r\nparser (\r\n starttime = starttime,\r\n endtime = endtime,\r\n eventtype_in = eventtype_in,\r\n actorusername_has_any = actorusername_has_any,\r\n registrykey_has_any = registrykey_has_any,\r\n registryvalue_has_any = registryvalue_has_any,\r\n registrydata_has_any = registrydata_has_any,\r\n dvchostname_has_any= dvchostname_has_any,\r\n disabled = disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), eventtype_in:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), registrykey_has_any:dynamic = dynamic([]), registryvalue_has_any:dynamic = dynamic([]), registrydata_has_any:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), disabled:bool = false","description":"Registry Event ASIM filtering parser for Microsoft Windows Events and Security Events (registry creation 
event).","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"5d59511a-8bd8-59ba-b49a-c7fc5e7011c3","name":"_Im_RegistryEvent_NativeV01","body":"let parser = (\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null),\r\n eventtype_in: dynamic=dynamic([]),\r\n actorusername_has_any: dynamic=dynamic([]),\r\n registrykey_has_any: dynamic =dynamic([]),\r\n registryvalue_has_any: dynamic =dynamic([]),\r\n registrydata_has_any: dynamic =dynamic([]),\r\n dvchostname_has_any: dynamic=dynamic([]),\r\n disabled: bool=false\r\n ) {\r\n ASimRegistryEventLogs\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated 10,\r\n \"Reg_QWord\",\r\n alertInfo_registryValue_s matches regex '^[A-Fa-f0-9]+$',\r\n \"Reg_Binary\",\r\n \"\"\r\n )\r\n | extend\r\n RegistryValueType = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\") and isempty(RegistryValueType), \"Reg_Sz\", RegistryValueType),\r\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\r\n | project-rename\r\n ActingProcessId = sourceProcessInfo_pid_s,\r\n ActorUsername = sourceProcessInfo_user_s,\r\n EventStartTime= sourceProcessInfo_pidStarttime_t,\r\n EventOriginalSeverity = ruleInfo_severity_s,\r\n EventUid = _ItemId,\r\n ParentProcessId = sourceParentProcessInfo_pid_s,\r\n ActingProcessName = sourceProcessInfo_name_s,\r\n DvcId = agentDetectionInfo_uuid_g,\r\n DvcOs = agentDetectionInfo_osName_s,\r\n DvcOsVersion = agentDetectionInfo_osRevision_s,\r\n EventOriginalType = alertInfo_eventType_s,\r\n ParentProcessName = sourceParentProcessInfo_name_s,\r\n RegistryValueData = alertInfo_registryValue_s,\r\n EventOriginalUid = alertInfo_dvEventId_s,\r\n RuleName = ruleInfo_name_s,\r\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\r\n | 
extend\r\n EventCount = int(1),\r\n EventProduct = \"SentinelOne\",\r\n EventVendor = \"SentinelOne\",\r\n EventResult = \"Success\",\r\n DvcAction = \"Allowed\",\r\n EventSchema = \"RegistryEvent\",\r\n EventSchemaVersion = \"0.1.2\"\r\n | extend\r\n Dvc = coalesce(DvcHostname, EventProduct), \r\n EventEndTime = EventStartTime,\r\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\r\n RegistryPreviousKey = RegistryKey,\r\n RegistryPreviousValueData = coalesce(alertInfo_registryOldValue_s, RegistryValueData),\r\n RegistryPreviousValueType = coalesce(RegistryPreviousValueType_lookup, RegistryValueType),\r\n RegistryPreviousValue = RegistryValue,\r\n Process = ActingProcessName,\r\n User = ActorUsername,\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\r\n Rule = RuleName\r\n | project-away \r\n *_d,\r\n *_s,\r\n *_g,\r\n *_t,\r\n *_b,\r\n _ResourceId,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId,\r\n RegistryKeyPrefix,\r\n RegistryKeyNormalizedPrefix,\r\n RegistryPreviousValueType_lookup,\r\n ThreatConfidence_*\r\n};\r\nparser (\r\n starttime = starttime,\r\n endtime = endtime,\r\n eventtype_in = eventtype_in,\r\n actorusername_has_any = actorusername_has_any,\r\n registrykey_has_any = registrykey_has_any,\r\n registryvalue_has_any = registryvalue_has_any,\r\n registrydata_has_any = registrydata_has_any,\r\n dvchostname_has_any= dvchostname_has_any,\r\n disabled = disabled\r\n)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), eventtype_in:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), registrykey_has_any:dynamic = dynamic([]), registryvalue_has_any:dynamic = dynamic([]), registrydata_has_any:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), disabled:bool = 
false","description":"Registry Event ASIM Parser for SentinelOne.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"ee2df6e1-b687-580c-8a94-e9e1e7eefcfc","name":"_Im_RegistryEvent_TrendMicroVisionOneV01","body":"let EventTypeLookup = datatable(detail_eventSubId_s: string, EventType: string)[\r\n \"TELEMETRY_REGISTRY_CREATE\", \"RegistryKeyCreated\",\r\n \"TELEMETRY_REGISTRY_SET\", \"RegistryValueSet\",\r\n \"TELEMETRY_REGISTRY_DELETE\", \"RegistryKeyDeleted\",\r\n \"TELEMETRY_REGISTRY_RENAME\", \"RegistryKeyRenamed\"\r\n];\r\nlet RegistryKeyPrefixLookup = datatable(\r\n RegistryKeyPrefix: string,\r\n RegistryKeyNormalizedPrefix: string\r\n)[\r\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\r\n \"HKU\", \"HKEY_USERS\",\r\n \"HKCU\", \"HKEY_CURRENT_USER\",\r\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\r\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\r\n];\r\nlet RegistryValueTypeLookup = datatable (detail_objectRegType_d: real, RegistryValueType: string)[\r\n 0, \"Reg_None\",\r\n 1, \"Reg_Sz\",\r\n 2, \"Reg_Expand_Sz\",\r\n 3, \"Reg_Binary\",\r\n 4, \"Reg_DWord\",\r\n 5, \"Reg_DWord\",\r\n 7, \"Reg_Multi_Sz\",\r\n 11, \"Reg_QWord\"\r\n];\r\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\r\n \"low\", \"Low\",\r\n \"medium\", \"Medium\",\r\n \"high\", \"High\",\r\n \"info\", \"Informational\",\r\n \"critical\", \"High\"\r\n];\r\nlet parser = (starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), registrykey_has_any: dynamic=dynamic([]), registryvalue_has_any: dynamic=dynamic([]), registryvaluedata_has_any: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false) {\r\n TrendMicro_XDR_OAT_CL\r\n | where not(disabled)\r\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated = starttime) and (isnull(endtime) or TimeGenerated = 
starttime)\r\n and (isnull(endtime) or TimeGenerated **************************\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated *************************\r\n | where ProcessName has_any (\"CISE\", \"CSCO\")\r\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\r\n | where EventOriginalType in (EventOriginalTypeList)\r\n | project\r\n TimeGenerated,\r\n EventTime,\r\n EventOriginalType,\r\n Computer,\r\n SyslogMessage,\r\n HostName,\r\n HostIP\r\n | lookup EventFieldsLookup on EventOriginalType\r\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\r\n | project-rename\r\n SrcIpAddr=['Remote-Address']\r\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\r\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\r\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\r\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\r\n | where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any)) \r\n | extend\r\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\r\n , EventStartTime = coalesce(EventTime, TimeGenerated)\r\n , EventEndTime = coalesce(EventTime, TimeGenerated)\r\n , EventVendor = \"Cisco\"\r\n , EventProduct = \"ISE\"\r\n , EventProductVersion = \"3.2\"\r\n , EventCount = int(1)\r\n , EventSchema = \"UserManagement\"\r\n , EventSchemaVersion = \"0.1.1\"\r\n // ***************** ********************\r\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\r\n | extend \r\n Hostname = DvcHostname\r\n , IpAddr = SrcIpAddr\r\n , Src = SrcIpAddr\r\n , UpdatedPropertyName = EventSubType\r\n , User = ActorUsername\r\n 
// ***************** *******************\r\n | project-away\r\n Computer,\r\n SyslogMessage,\r\n HostIP,\r\n NetworkDeviceName,\r\n HostName,\r\n dvcHostname,\r\n ['User-Name'],\r\n UserName\r\n}; \r\nCiscoISEUsrMgmtParser(\r\n starttime = starttime,\r\n endtime = endtime,\r\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\r\n eventtype_in = eventtype_in,\r\n actorusername_has_any = actorusername_has_any,\r\n targetusername_has_any = targetusername_has_any,\r\n disabled=disabled\r\n)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), targetusername_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), disabled:bool = false","description":"User Management ASIM filtering parser for Cisco ISE.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"9cbf2c15-f05c-5385-8f28-6ae28a427608","name":"_Im_UserManagement_EmptyV01","body":"let parser=datatable(\r\n TimeGenerated:datetime,\r\n _ResourceId:string,\r\n Type:string,\r\n //****** Event fields ******\r\n EventCount:int,\r\n EventEndTime:datetime,\r\n EventProduct:string,\r\n EventResult:string,\r\n EventSchema:string,\r\n EventSchemaVersion:string,\r\n EventSeverity:string,\r\n EventStartTime:datetime,\r\n EventType:string,\r\n EventVendor:string,\r\n EventResultDetails:string,\r\n EventUid:string,\r\n EventMessage:string,\r\n EventOriginalResultDetails:string,\r\n EventOriginalSeverity:string,\r\n EventOriginalSubType:string,\r\n EventOriginalType:string,\r\n EventOriginalUid:string,\r\n EventOwner:string,\r\n EventProductVersion:string,\r\n EventReportUrl:string,\r\n EventSubType:string,\r\n AdditionalFields:dynamic,\r\n // ****** Device fields ******\r\n Dvc:string,\r\n DvcAction:string,\r\n DvcDomain:string,\r\n DvcDomainType:string,\r\n DvcFQDN:string,\r\n DvcHostname:string,\r\n DvcId:string,\r\n 
DvcIdType:string,\r\n DvcIpAddr:string,\r\n DvcDescription:string,\r\n DvcInterface:string,\r\n DvcMacAddr:string,\r\n DvcOriginalAction:string,\r\n DvcOs:string,\r\n DvcOsVersion:string,\r\n DvcScope:string,\r\n DvcScopeId:string,\r\n DvcZone:string,\r\n Src:string,\r\n SrcDomain:string,\r\n SrcDomainType:string,\r\n SrcHostname:string,\r\n SrcIpAddr:string,\r\n //****** Actor fields ******\r\n ActorUsername:string,\r\n ActorUsernameType:string,\r\n ActorOriginalUserType:string,\r\n ActorSessionId:string,\r\n ActorUserId:string,\r\n ActorUserIdType:string,\r\n ActorUserType:string,\r\n ActingAppId:string,\r\n ActingAppType:string,\r\n ActingOriginalAppType:string,\r\n ActingAppName:string,\r\n ActorUserAadId:string,\r\n ActorUserSid:string,\r\n ActorScopeId:string,\r\n ActorScope:string,\r\n //****** Group fields ******\r\n GroupId:string,\r\n GroupIdType:string,\r\n GroupName:string,\r\n GroupNameType:string,\r\n GroupOriginalType:string,\r\n GroupType:string,\r\n HttpUserAgent:string,\r\n NewPropertyValue:string,\r\n PreviousPropertyValue:string,\r\n SrcDeviceType:string,\r\n SrcDvcId:string,\r\n SrcDvcIdType:string,\r\n SrcDvcScope:string,\r\n SrcDvcScopeId:string,\r\n SrcFQDN:string,\r\n SrcGeoCity:string,\r\n SrcGeoCountry:string,\r\n SrcGeoLatitude:real,\r\n SrcGeoLongitude:real,\r\n SrcGeoRegion:string,\r\n SrcMacAddr:string,\r\n SrcPortNumber :int,\r\n SrcDescription:string,\r\n SrcRiskLevel:int,\r\n SrcOriginalRiskLevel:string,\r\n //****** Target fields ******\r\n TargetOriginalUserType:string,\r\n TargetUserId:string,\r\n TargetUserIdType:string,\r\n TargetUsername:string,\r\n TargetUsernameType:string,\r\n TargetUserType:string,\r\n TargetUserUid:string,\r\n TargetUserScopeId:string,\r\n TargetUserScope:string,\r\n TargetUserSessionId:string,\r\n // ****** Inspection fields ******\r\n RuleName:string,\r\n RuleNumber:int,\r\n ThreatId:string,\r\n ThreatName:string,\r\n ThreatCategory:string,\r\n ThreatRiskLevel:int,\r\n 
ThreatOriginalRiskLevel:string,\r\n ThreatConfidence:int,\r\n ThreatOriginalConfidence:string,\r\n ThreatIsActive:bool,\r\n ThreatFirstReportedTime:datetime,\r\n ThreatLastReportedTime:datetime,\r\n ThreatField:string,\r\n //****** aliases ******\r\n Hostname:string,\r\n IpAddr:string,\r\n UpdatedPropertyName:string,\r\n User:string,\r\n Dst:string\r\n )[];\r\n parser","description":"User Management ASIM schema function.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"ab36b294-4cfa-5980-9aa9-902a4e25448f","name":"_Im_UserManagement_EmptyV02","body":"let parser=datatable(\r\n TimeGenerated:datetime,\r\n _ResourceId:string,\r\n Type:string,\r\n ActingAppId:string,\r\n ActingAppName:string,\r\n ActingAppType:string,\r\n ActingOriginalAppType:string,\r\n ActorDNUsername:string,\r\n ActorOriginalUserType:string,\r\n ActorScope:string,\r\n ActorScopeId:string,\r\n ActorSessionId:string,\r\n ActorSimpleUsername:string,\r\n ActorUserAadId:string,\r\n ActorUserAWSId:string,\r\n ActorUserId:string,\r\n ActorUserIdType:string,\r\n ActorUsername:string,\r\n ActorUsernameType:string,\r\n ActorUserOktaId:string,\r\n ActorUserPuid:string,\r\n ActorUserSid:string,\r\n ActorUserType:string,\r\n ActorUserUid:string,\r\n ActorUserUpn:string,\r\n ActorWindowsUsername:string,\r\n AdditionalFields:dynamic,\r\n Dst:string,\r\n Dvc:string,\r\n DvcAction:string,\r\n DvcDescription:string,\r\n DvcDomain:string,\r\n DvcDomainType:string,\r\n DvcFQDN:string,\r\n DvcHostname:string,\r\n DvcId:string,\r\n DvcIdType:string,\r\n DvcInterface:string,\r\n DvcIpAddr:string,\r\n DvcMacAddr:string,\r\n DvcOriginalAction:string,\r\n DvcOs:string,\r\n DvcOsVersion:string,\r\n DvcScope:string,\r\n DvcScopeId:string,\r\n DvcZone:string,\r\n EventCount:int,\r\n EventEndTime:datetime,\r\n EventMessage:string,\r\n EventOriginalResultDetails:string,\r\n EventOriginalSeverity:string,\r\n EventOriginalSubType:string,\r\n 
EventOriginalType:string,\r\n EventOriginalUid:string,\r\n EventOwner:string,\r\n EventProduct:string,\r\n EventProductVersion:string,\r\n EventReportUrl:string,\r\n EventResult:string,\r\n EventResultDetails:string,\r\n EventSchema:string,\r\n EventSchemaVersion:string,\r\n EventSeverity:string,\r\n EventStartTime:datetime,\r\n EventSubType:string,\r\n EventType:string,\r\n EventUid:string,\r\n EventVendor:string,\r\n GroupId:string,\r\n GroupIdType:string,\r\n GroupName:string,\r\n GroupNameType:string,\r\n GroupOriginalType:string,\r\n GroupType:string,\r\n Hostname:string,\r\n HttpUserAgent:string,\r\n IpAddr:string,\r\n NewPropertyValue:string,\r\n PreviousPropertyValue:string,\r\n Rule:string,\r\n RuleName:string,\r\n RuleNumber:int,\r\n Src:string,\r\n SrcDescription:string,\r\n SrcDeviceType:string,\r\n SrcDomain:string,\r\n SrcDomainType:string,\r\n SrcDvcId:string,\r\n SrcDvcIdType:string,\r\n SrcDvcScope:string,\r\n SrcDvcScopeId:string,\r\n SrcFQDN:string,\r\n SrcGeoCity:string,\r\n SrcGeoCountry:string,\r\n SrcGeoLatitude:real,\r\n SrcGeoLongitude:real,\r\n SrcGeoRegion:string,\r\n SrcHostname:string,\r\n SrcIpAddr:string,\r\n SrcMacAddr:string,\r\n SrcOriginalRiskLevel:string,\r\n SrcPortNumber:int,\r\n SrcRiskLevel:int,\r\n TargetDNUsername:string,\r\n TargetOriginalUserType:string,\r\n TargetSimpleUsername:string,\r\n TargetUserAadId:string,\r\n TargetUserAWSId:string,\r\n TargetUserId:string,\r\n TargetUserIdType:string,\r\n TargetUsername:string,\r\n TargetUsernameType:string,\r\n TargetUserOktaId:string,\r\n TargetUserPuid:string,\r\n TargetUserScope:string,\r\n TargetUserScopeId:string,\r\n TargetUserSessionId:string,\r\n TargetUserSid:string,\r\n TargetUserType:string,\r\n TargetUserUid:string,\r\n TargetUserUpn:string,\r\n TargetWindowsUsername:string,\r\n ThreatCategory:string,\r\n ThreatConfidence:int,\r\n ThreatField:string,\r\n ThreatFirstReportedTime:datetime,\r\n ThreatId:string,\r\n ThreatIsActive:bool,\r\n 
ThreatLastReportedTime:datetime,\r\n ThreatName:string,\r\n ThreatOriginalConfidence:string,\r\n ThreatOriginalRiskLevel:string,\r\n ThreatRiskLevel:int,\r\n UpdatedPropertyName:string,\r\n User:string\r\n )[];\r\n parser","description":"User Management ASIM schema function.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"be182916-38f9-564c-b476-fe81169d7e84","name":"_Im_UserManagement_LinuxAuthprivV01","body":"let parser = (\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null),\r\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \r\n targetusername_has_any: dynamic=dynamic([]),\r\n actorusername_has_any: dynamic=dynamic([]),\r\n eventtype_in: dynamic=dynamic([]),\r\n disabled:bool=false\r\n ) {\r\nlet ActionLookup = datatable (Action:string, EventType:string)\r\n[\r\n \"added\", \"UserAddedToGroup\",\r\n \"removed\",\"UserRemovedFromGroup\"\r\n];\r\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\r\n[\r\n \"info\", \"Informational\",\r\n \"warn\", \"Low\",\r\n \"err\", \"Medium\",\r\n \"crit\", \"High\"\r\n]; \r\nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\r\n T\r\n | lookup SeverityLookup on SeverityLevel\r\n | extend ActingAppId = tostring(ProcessID)\r\n | project-away SyslogMessage,SeverityLevel, ProcessID\r\n};\r\nlet SyslogParsed = (\r\n Syslog\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n | project-rename\r\n NewPropertyValue = NewTargetUserName,\r\n PreviousPropertyValue = OldTargetUserName\r\n | extend \r\n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\r\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, 
SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\r\n | extend\r\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\r\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\r\n | project-away TargetDomain\r\n ),(\r\n WindowsEvent\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\r\n | project-rename \r\n TargetUserId = MemberSid,\r\n TargetUsername = MemberName\r\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\r\n | extend \r\n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\r\n ),(\r\n SecurityEvent\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,\"\\\\\",TargetUserName) has_any (targetusername_has_any))) and\r\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\r\n (array_length(srcipaddr_has_any_prefix) == 0)\r\n | project-rename \r\n ActorOriginalUserType = AccountType,\r\n ActorSessionId = SubjectLogonId,\r\n ActorUserId = SubjectUserSid,\r\n GroupDomain = TargetDomainName,\r\n GroupId = 
TargetSid,\r\n GroupName = TargetUserName,\r\n EventMessage = Activity\r\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\r\n | parse-kv EventData as \r\n (\r\n MemberName:string,\r\n MemberSid:string\r\n ) \r\n with (regex=@'{?([^')\r\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\r\n | project-rename \r\n TargetUserId = MemberSid,\r\n TargetUsername = MemberName\r\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\r\n | extend \r\n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\r\n )\r\n| lookup EventIDLookup on EventID\r\n| extend UpdatedPropertyName = EventSubType\r\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\r\n| lookup UserTypeLookup on ActorOriginalUserType\r\n| extend \r\n DvcId = coalesce(_ResourceId, SourceComputerId),\r\n EventOriginalType = tostring(EventID)\r\n| project-rename \r\n EventUid = _ItemId\r\n| extend \r\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\r\n Dvc = DvcHostname,\r\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\r\n DvcOs = \"Windows\",\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventProduct = 'Security Events',\r\n EventResult = \"Success\",\r\n EventSchema = \"UserManagement\",\r\n EventSchemaVersion = \"0.1.1\",\r\n EventSeverity = \"Informational\",\r\n EventStartTime = TimeGenerated,\r\n EventVendor = 'Microsoft',\r\n Hostname = DvcHostname\r\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\r\n| extend\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\r\n GroupNameType = _ASIM_GetUsernameType(GroupName),\r\n 
TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\r\n User = ActorUsername\r\n};\r\n parser (\r\n starttime = starttime,\r\n endtime = endtime,\r\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\r\n targetusername_has_any = targetusername_has_any,\r\n actorusername_has_any = actorusername_has_any,\r\n eventtype_in = eventtype_in,\r\n disabled = disabled\r\n )","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), targetusername_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), disabled:bool = false","description":"User Management ASIM parser for Microsoft Security Event logs.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"18fdeceb-99ab-5194-9098-7cbb5980f991","name":"_Im_UserManagement_MicrosoftSecurityEventV02","body":"let parser = (\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null),\r\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \r\n targetusername_has_any: dynamic=dynamic([]),\r\n actorusername_has_any: dynamic=dynamic([]),\r\n eventtype_in: dynamic=dynamic([]),\r\n disabled:bool=false\r\n ) {\r\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\r\n [ \r\n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \r\n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \r\n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \r\n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \r\n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \r\n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \r\n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \r\n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \r\n \"4729\", \"UserRemovedFromGroup\", 
\"GroupModified\", \"Global Security Enabled\", \r\n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \r\n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \r\n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \r\n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \r\n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \r\n \"4738\", \"UserModified\", \"UserModified\", \"\", \r\n \"4740\", \"UserLocked\", \"UserModified\", \"\", \r\n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \r\n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \r\n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \r\n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \r\n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \r\n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \r\n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \r\n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \r\n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \r\n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \r\n \"4767\", \"UserLocked\", \"UserModified\", \"\", \r\n \"4781\", \"UserModified\", \"UserModified\", \"\" \r\n ];\r\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\r\n [\r\n 'Machine', 'Machine',\r\n 'User', 'Regular'\r\n ]; \r\n let UserEventID = toscalar(\r\n EventIDLookup\r\n | where not(disabled)\r\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\r\n | where EventSubType in(\"UserCreated\",\"UserModified\") \r\n | summarize make_set(EventID)\r\n );\r\n let GroupEventID = toscalar(\r\n EventIDLookup\r\n | where not(disabled)\r\n | where 
(array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\r\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \r\n | summarize make_set(EventID)\r\n );\r\n union (\r\n SecurityEvent\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n | project-rename\r\n NewPropertyValue = NewTargetUserName,\r\n PreviousPropertyValue = OldTargetUserName\r\n | extend \r\n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\r\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\r\n | extend\r\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\r\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\r\n | project-away TargetDomain\r\n ),(\r\n SecurityEvent\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\r\n | project-rename \r\n TargetUserId = MemberSid,\r\n TargetUsername = MemberName\r\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\r\n | extend \r\n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\r\n ),(\r\n SecurityEvent\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any 
(targetusername_has_any)) or (strcat(TargetDomainName,\"\\\\\",TargetUserName) has_any (targetusername_has_any))) and\r\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\r\n (array_length(srcipaddr_has_any_prefix) == 0)\r\n | project-rename \r\n ActorOriginalUserType = AccountType,\r\n ActorSessionId = SubjectLogonId,\r\n ActorUserId = SubjectUserSid,\r\n GroupDomain = TargetDomainName,\r\n GroupId = TargetSid,\r\n GroupName = TargetUserName,\r\n EventMessage = Activity\r\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\r\n | parse-kv EventData as \r\n (\r\n MemberName:string,\r\n MemberSid:string\r\n ) \r\n with (regex=@'{?([^')\r\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\r\n | project-rename \r\n TargetUserId = MemberSid,\r\n TargetUsername = MemberName\r\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\r\n | extend \r\n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\r\n )\r\n| lookup EventIDLookup on EventID\r\n| where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in))) // Post filtering based on event type\r\n| extend UpdatedPropertyName = EventSubType\r\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\r\n| lookup UserTypeLookup on ActorOriginalUserType\r\n| extend \r\n DvcId = coalesce(_ResourceId, SourceComputerId),\r\n EventOriginalType = tostring(EventID)\r\n| project-rename \r\n EventUid = _ItemId\r\n| extend \r\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\r\n Dvc = 
DvcHostname,\r\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\r\n DvcOs = \"Windows\",\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventProduct = 'Security Events',\r\n EventResult = \"Success\",\r\n EventSchema = \"UserManagement\",\r\n EventSchemaVersion = \"0.1.1\",\r\n EventSeverity = \"Informational\",\r\n EventStartTime = TimeGenerated,\r\n EventVendor = 'Microsoft',\r\n Hostname = DvcHostname, \r\n ActorUserIdType=\"SID\"\r\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\r\n| extend\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\r\n GroupNameType = _ASIM_GetUsernameType(GroupName),\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\r\n User = ActorUsername\r\n};\r\n parser (\r\n starttime = starttime,\r\n endtime = endtime,\r\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\r\n targetusername_has_any = targetusername_has_any,\r\n actorusername_has_any = actorusername_has_any,\r\n eventtype_in = eventtype_in,\r\n disabled = disabled\r\n )","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), targetusername_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), disabled:bool = false","description":"User Management ASIM parser for Microsoft Security Event logs.","related":{"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"4661400d-2647-54cf-bd02-6e02e56054f3","name":"_Im_UserManagement_MicrosoftWindowsEventV02","body":"let parser = (\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null),\r\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \r\n targetusername_has_any: dynamic=dynamic([]),\r\n actorusername_has_any: 
dynamic=dynamic([]),\r\n eventtype_in: dynamic=dynamic([]),\r\n disabled: bool=false\r\n ) {\r\n let EventIDLookup = datatable(\r\n EventID: int,\r\n EventType: string,\r\n EventSubType: string,\r\n GroupType: string\r\n )\r\n [ \r\n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \r\n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \r\n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \r\n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \r\n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \r\n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \r\n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \r\n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \r\n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \r\n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \r\n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \r\n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \r\n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \r\n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \r\n \"4738\", \"UserModified\", \"UserModified\", \"\", \r\n \"4740\", \"UserLocked\", \"UserModified\", \"\", \r\n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \r\n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \r\n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \r\n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \r\n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \r\n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \r\n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \r\n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", 
\r\n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \r\n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \r\n \"4767\", \"UserLocked\", \"UserModified\", \"\", \r\n \"4781\", \"UserModified\", \"UserModified\", \"\" \r\n ];\r\n let UserTypeLookup = datatable (ActorOriginalUserType: string, ActorUserType: string)\r\n [\r\n 'Machine', 'Machine',\r\n 'User', 'Regular'\r\n ]; \r\n let UserEventID = toscalar(\r\n EventIDLookup\r\n | where not(disabled)\r\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\r\n | where EventSubType in(\"UserCreated\", \"UserModified\") \r\n | summarize make_set(EventID)\r\n );\r\n let GroupEventID = toscalar(\r\n EventIDLookup\r\n | where not(disabled)\r\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\r\n | where EventSubType in(\"GroupCreated\", \"GroupModified\") \r\n | summarize make_set(EventID)\r\n );\r\n union\r\n (\r\n WindowsEvent\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime) and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = 400, \"Failure\",\r\n \"NA\"\r\n ),\r\n EventResultDetails = case(\r\n HttpStatusCode == 200, \"\",\r\n HttpStatusCode == 201, \"Created\",\r\n HttpStatusCode == 202, \"Accepted\",\r\n HttpStatusCode == 204, \"No content\",\r\n HttpStatusCode == 400, \"Bad request\",\r\n HttpStatusCode == 401, \"Unauthorized\",\r\n HttpStatusCode == 403, \"Unauthorized\",\r\n HttpStatusCode == 404, \"Not found\",\r\n HttpStatusCode == 409, \"Conflict\",\r\n HttpStatusCode == 429, \"Throttled\",\r\n HttpStatusCode >= 500, \"Internal error\",\r\n \"\"\r\n ),\r\n EventOriginalResultDetails = strcat(\"HTTP status code: \", tostring(HttpStatusCode), iff(ResultDescription != 
\"\", strcat(\", \", ResultDescription), \"\")) \r\n | extend EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\r\n | project\r\n TimeGenerated,\r\n Type,\r\n EventCount,\r\n EventStartTime,\r\n EventEndTime,\r\n EventType,\r\n EventResult,\r\n EventResultDetails,\r\n EventOriginalResultDetails,\r\n EventSeverity,\r\n EventProduct,\r\n EventVendor,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventOriginalUid,\r\n Operation,\r\n Object,\r\n ObjectType,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActorUserIdType,\r\n ActorUserId,\r\n TargetAppName,\r\n TargetAppType,\r\n SrcIpAddr,\r\n DvcId,\r\n DvcIdType,\r\n IpAddr,\r\n User,\r\n Application,\r\n EventUid,\r\n Dst,\r\n Src,\r\n Dvc\r\n};\r\nCombined (disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Azure Key Vault.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"b5ec674b-3a68-5feb-8fb1-f769fbb085f3","name":"_ASim_AuditEvent_BarracudaCEFV02","body":"let EventTypeLookup = datatable (\r\n ChangeType_s: string,\r\n EventType_lookup: string\r\n)\r\n [\r\n \"SET\", \"Set\",\r\n \"ADD\", \"Create\",\r\n \"DEL\", \"Delete\",\r\n \"NONE\", \"Other\",\r\n \"\", \"Other\"\r\n];\r\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\r\n [\r\n 0, \"High\", \r\n 1, \"High\", \r\n 2, \"High\", \r\n 3, \"Medium\",\r\n 4, \"Low\",\r\n 5, \"Low\", \r\n 6, \"Informational\",\r\n 7, \"Informational\" \r\n];\r\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\r\n \"global\", \"Other\",\r\n \"Services\", \"Service\",\r\n \"web_firewall_policy\", \"Policy Rule\",\r\n \"service\", \"Service\",\r\n \"json_url_profile\", \"Other\",\r\n \"server\", \"Service\",\r\n \"header_acl\", \"Directory Service Object\",\r\n \"virtual_ip_config_address\", \"Configuration Atom\",\r\n \"aps_req_rewrite_policy\", \"Policy Rule\",\r\n \"aps_url_acl\", \"Directory 
Service Object\",\r\n \"websocket_security_policy\", \"Policy Rule\",\r\n \"aps_ftp_acl\", \"Directory Service Object\",\r\n \"user_system_ip\", \"Configuration Atom\",\r\n \"syslog_server\", \"Service\",\r\n \"attack_action\", \"Configuration Atom\",\r\n \"global_adr\", \"Configuration Atom\",\r\n \"aps_content_protection\", \"Other\"\r\n];\r\nlet parser = (disabled: bool=false) {\r\n let BarracudaCEF = \r\n CommonSecurityLog\r\n | where not(disabled)\r\n and DeviceVendor startswith \"Barracuda\"\r\n and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\r\n | where DeviceEventCategory == \"AUDIT\" \r\n and (toupper(ProcessName) !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\r\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason: string \r\n | extend Reason = trim('\"', Reason)\r\n | extend \r\n EventResultDetails = Reason,\r\n severity = toint(LogSeverity)\r\n | lookup SeverityLookup on severity\r\n | lookup EventTypeLookup on $left.EventOutcome == $right.ChangeType_s\r\n | lookup ObjectTypeLookup on $left.FileType == $right.ObjectType_s\r\n | extend\r\n EventResult = \"Success\", \r\n EventSchema = \"AuditEvent\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventVendor = \"Barracuda\",\r\n EventProduct = \"WAF\",\r\n EventCount = toint(1)\r\n | extend\r\n EventType = EventType_lookup,\r\n Dvc = DeviceName, \r\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime) - tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\r\n Operation = ProcessName,\r\n DvcIpAddr = DeviceAddress,\r\n NewValue = DeviceCustomString1,\r\n SrcIpAddr = SourceIP,\r\n EventMessage = Message,\r\n OldValue = DeviceCustomString2,\r\n DvcHostname = DeviceName,\r\n ActorUsername = DestinationUserName,\r\n Object = FileName,\r\n ThreatConfidence = toint(ThreatConfidence) ,\r\n EventUid = _ItemId \r\n | extend\r\n Src = SrcIpAddr,\r\n EventEndTime = EventStartTime,\r\n ActorUsernameType = 
iff(isnotempty(ActorUsername), \"Simple\", \"\"),\r\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\r\n User = ActorUsername,\r\n Value = NewValue \r\n | extend\r\n IpAddr = SrcIpAddr,\r\n ValueType = iff(isnotempty(Value), \"Other\", \"\")\r\n | project-away\r\n EventType_lookup,\r\n ThreatConfidence,\r\n CommunicationDirection,\r\n AdditionalExtensions,\r\n Device*,\r\n Source*,\r\n Reason,\r\n Destination*,\r\n Activity,\r\n LogSeverity,\r\n ApplicationProtocol,\r\n ProcessID,\r\n ExtID,\r\n Protocol,\r\n ReceiptTime,\r\n SimplifiedDeviceAction,\r\n OriginalLogSeverity,\r\n ProcessName,\r\n EndTime,\r\n ExternalID,\r\n File*,\r\n ReceivedBytes,\r\n Message,\r\n Old*,\r\n EventOutcome,\r\n Request*,\r\n StartTime,\r\n Field*,\r\n Flex*,\r\n Remote*,\r\n Malicious*,\r\n severity,\r\n ThreatSeverity,\r\n IndicatorThreatType,\r\n ThreatDescription,\r\n _ResourceId,\r\n SentBytes,\r\n ReportReferenceLink,\r\n Computer,\r\n TenantId,\r\n CollectorHostName,\r\n _ItemId;\r\n BarracudaCEF\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Barracuda WAF.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"02b4eeed-157c-5172-b75c-151fcfd068ac","name":"_ASim_AuditEvent_BarracudaWAFV01","body":"let barracudaSchema = datatable(\r\n LogType_s: string,\r\n UnitName_s: string,\r\n EventName_s: string,\r\n DeviceReceiptTime_s: string,\r\n ChangeType_s: string,\r\n CommandName_s: string,\r\n Severity_s: string,\r\n LoginIP_s: string,\r\n NewValue_s: string,\r\n HostIP_s: string,\r\n host_s: string,\r\n OldValue_s: string,\r\n EventMessage_s: string,\r\n AdminName_s: string,\r\n ObjectType_s: string,\r\n ObjectName_s: string,\r\n TimeTaken_d: real,\r\n _ResourceId: string,\r\n RawData: string,\r\n SourceIP: string,\r\n Message: string,\r\n Computer: string,\r\n MG: string,\r\n ManagementGroupName: string,\r\n TenantId: string,\r\n 
SourceSystem: string\r\n)[];\r\nlet EventTypeLookup = datatable (\r\n ChangeType_s: string,\r\n EventType_lookup: string\r\n)\r\n [\r\n \"SET\", \"Set\",\r\n \"ADD\", \"Create\",\r\n \"DEL\", \"Delete\",\r\n \"NONE\", \"Other\",\r\n \"\", \"Other\"\r\n];\r\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\r\n [\r\n 0, \"High\", \r\n 1, \"High\", \r\n 2, \"High\", \r\n 3, \"Medium\",\r\n 4, \"Low\",\r\n 5, \"Low\", \r\n 6, \"Informational\",\r\n 7, \"Informational\" \r\n];\r\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\r\n \"global\", \"Other\",\r\n \"Services\", \"Service\",\r\n \"web_firewall_policy\", \"Policy Rule\",\r\n \"service\", \"Service\",\r\n \"json_url_profile\", \"Other\",\r\n \"server\", \"Service\",\r\n \"header_acl\", \"Directory Service Object\",\r\n \"virtual_ip_config_address\", \"Configuration Atom\",\r\n \"aps_req_rewrite_policy\", \"Policy Rule\",\r\n \"aps_url_acl\", \"Directory Service Object\",\r\n \"websocket_security_policy\", \"Policy Rule\",\r\n \"aps_ftp_acl\", \"Directory Service Object\",\r\n \"user_system_ip\", \"Configuration Atom\",\r\n \"syslog_server\", \"Service\",\r\n \"attack_action\", \"Configuration Atom\",\r\n \"global_adr\", \"Configuration Atom\",\r\n \"aps_content_protection\", \"Other\"\r\n];\r\nlet parser = (disabled: bool=false) {\r\n let BarracudaCustom = \r\n (union isfuzzy=true\r\n barracudaSchema,\r\n barracuda_CL\r\n | where not(disabled) \r\n and LogType_s == \"AUDIT\" \r\n and EventName_s !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\")\r\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason: string\r\n | extend Reason = trim('\"', Reason)\r\n | extend\r\n EventResultDetails = Reason,\r\n severity = toint(Severity_s)\r\n | lookup SeverityLookup on severity\r\n | lookup EventTypeLookup on ChangeType_s\r\n | lookup ObjectTypeLookup on ObjectType_s\r\n | extend\r\n EventType = EventType_lookup,\r\n EventResult = \"Success\", \r\n 
EventSchema = \"AuditEvent\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventVendor = \"Barracuda\",\r\n EventProduct = \"WAF\",\r\n EventCount = toint(1)\r\n | extend\r\n Dvc = UnitName_s, \r\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s) - tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\r\n Operation = CommandName_s,\r\n DvcIpAddr = HostIP_s,\r\n NewValue = NewValue_s,\r\n SrcIpAddr = LoginIP_s,\r\n EventMessage = EventMessage_s,\r\n OldValue = OldValue_s,\r\n DvcHostname = host_s,\r\n ActorUsername = AdminName_s,\r\n Object = ObjectName_s \r\n | extend\r\n Src = SrcIpAddr,\r\n EventEndTime = EventStartTime,\r\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\r\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\r\n User = ActorUsername,\r\n Value = NewValue \r\n | extend\r\n IpAddr = SrcIpAddr,\r\n ValueType = iff(isnotempty(Value), \"Other\", \"\")\r\n | project-away\r\n *_d,\r\n *_s,\r\n EventType_lookup,\r\n _ResourceId,\r\n Reason,\r\n severity,\r\n RawData,\r\n SourceIP,\r\n Message,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n TenantId,\r\n SourceSystem\r\n );\r\n let BarracudaCEF = \r\n CommonSecurityLog\r\n | where not(disabled)\r\n and DeviceVendor startswith \"Barracuda\"\r\n and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\r\n | where DeviceEventCategory == \"AUDIT\" \r\n and (toupper(ProcessName) !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\r\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason: string \r\n | extend Reason = trim('\"', Reason)\r\n | extend \r\n EventResultDetails = Reason,\r\n severity = toint(LogSeverity)\r\n | lookup SeverityLookup on severity\r\n | lookup EventTypeLookup on $left.EventOutcome == $right.ChangeType_s\r\n | lookup ObjectTypeLookup on $left.FileType == $right.ObjectType_s\r\n | extend\r\n EventResult = \"Success\", \r\n EventSchema = 
\"AuditEvent\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventVendor = \"Barracuda\",\r\n EventProduct = \"WAF\",\r\n EventCount = toint(1)\r\n | extend\r\n EventType = EventType_lookup,\r\n Dvc = DeviceName, \r\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime) - tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\r\n Operation = ProcessName,\r\n DvcIpAddr = DeviceAddress,\r\n NewValue = DeviceCustomString1,\r\n SrcIpAddr = SourceIP,\r\n EventMessage = Message,\r\n OldValue = DeviceCustomString2,\r\n DvcHostname = DeviceName,\r\n ActorUsername = DestinationUserName,\r\n Object = FileName,\r\n ThreatConfidence = toint(ThreatConfidence) \r\n | extend\r\n Src = SrcIpAddr,\r\n EventEndTime = EventStartTime,\r\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\r\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\r\n User = ActorUsername,\r\n Value = NewValue \r\n | extend\r\n IpAddr = SrcIpAddr,\r\n ValueType = iff(isnotempty(Value), \"Other\", \"\")\r\n | project-away\r\n EventType_lookup,\r\n ThreatConfidence,\r\n CommunicationDirection,\r\n AdditionalExtensions,\r\n Device*,\r\n Source*,\r\n Reason,\r\n Destination*,\r\n Activity,\r\n LogSeverity,\r\n ApplicationProtocol,\r\n ProcessID,\r\n ExtID,\r\n Protocol,\r\n ReceiptTime,\r\n SimplifiedDeviceAction,\r\n OriginalLogSeverity,\r\n ProcessName,\r\n EndTime,\r\n ExternalID,\r\n File*,\r\n ReceivedBytes,\r\n Message,\r\n Old*,\r\n EventOutcome,\r\n Request*,\r\n StartTime,\r\n Field*,\r\n Flex*,\r\n Remote*,\r\n Malicious*,\r\n severity,\r\n ThreatSeverity,\r\n IndicatorThreatType,\r\n ThreatDescription,\r\n _ResourceId,\r\n SentBytes,\r\n ReportReferenceLink,\r\n Computer,\r\n TenantId;\r\n union isfuzzy = true \r\n BarracudaCustom,\r\n BarracudaCEF\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Barracuda 
WAF.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"f16f12cd-dd7b-51e3-8c99-2ed4d857bb31","name":"_ASim_AuditEvent_BarracudaWAFV02","body":"let barracudaSchema = datatable(\r\n LogType_s: string,\r\n UnitName_s: string,\r\n EventName_s: string,\r\n DeviceReceiptTime_s: string,\r\n ChangeType_s: string,\r\n CommandName_s: string,\r\n Severity_s: string,\r\n LoginIP_s: string,\r\n NewValue_s: string,\r\n HostIP_s: string,\r\n host_s: string,\r\n OldValue_s: string,\r\n EventMessage_s: string,\r\n AdminName_s: string,\r\n ObjectType_s: string,\r\n ObjectName_s: string,\r\n TimeTaken_d: real,\r\n _ResourceId: string,\r\n RawData: string,\r\n SourceIP: string,\r\n Message: string,\r\n Computer: string,\r\n MG: string,\r\n ManagementGroupName: string,\r\n TenantId: string,\r\n SourceSystem: string\r\n)[];\r\nlet EventTypeLookup = datatable (\r\n ChangeType_s: string,\r\n EventType_lookup: string\r\n)\r\n [\r\n \"SET\", \"Set\",\r\n \"ADD\", \"Create\",\r\n \"DEL\", \"Delete\",\r\n \"NONE\", \"Other\",\r\n \"\", \"Other\"\r\n];\r\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\r\n [\r\n 0, \"High\", \r\n 1, \"High\", \r\n 2, \"High\", \r\n 3, \"Medium\",\r\n 4, \"Low\",\r\n 5, \"Low\", \r\n 6, \"Informational\",\r\n 7, \"Informational\" \r\n];\r\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\r\n \"global\", \"Other\",\r\n \"Services\", \"Service\",\r\n \"web_firewall_policy\", \"Policy Rule\",\r\n \"service\", \"Service\",\r\n \"json_url_profile\", \"Other\",\r\n \"server\", \"Service\",\r\n \"header_acl\", \"Directory Service Object\",\r\n \"virtual_ip_config_address\", \"Configuration Atom\",\r\n \"aps_req_rewrite_policy\", \"Policy Rule\",\r\n \"aps_url_acl\", \"Directory Service Object\",\r\n \"websocket_security_policy\", \"Policy Rule\",\r\n \"aps_ftp_acl\", \"Directory Service Object\",\r\n \"user_system_ip\", \"Configuration Atom\",\r\n 
\"syslog_server\", \"Service\",\r\n \"attack_action\", \"Configuration Atom\",\r\n \"global_adr\", \"Configuration Atom\",\r\n \"aps_content_protection\", \"Other\"\r\n];\r\nlet parser = (disabled: bool=false) {\r\n let BarracudaCustom = \r\n (union isfuzzy=true\r\n barracudaSchema,\r\n barracuda_CL\r\n | where not(disabled) \r\n and LogType_s == \"AUDIT\" \r\n and EventName_s !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\")\r\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason: string\r\n | extend Reason = trim('\"', Reason)\r\n | extend\r\n EventResultDetails = Reason,\r\n severity = toint(Severity_s)\r\n | lookup SeverityLookup on severity\r\n | lookup EventTypeLookup on ChangeType_s\r\n | lookup ObjectTypeLookup on ObjectType_s\r\n | extend\r\n EventType = EventType_lookup,\r\n EventResult = \"Success\", \r\n EventSchema = \"AuditEvent\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventVendor = \"Barracuda\",\r\n EventProduct = \"WAF\",\r\n EventCount = toint(1)\r\n | extend\r\n Dvc = UnitName_s, \r\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s) - tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\r\n Operation = CommandName_s,\r\n DvcIpAddr = HostIP_s,\r\n NewValue = NewValue_s,\r\n SrcIpAddr = LoginIP_s,\r\n EventMessage = EventMessage_s,\r\n OldValue = OldValue_s,\r\n DvcHostname = host_s,\r\n ActorUsername = AdminName_s,\r\n Object = ObjectName_s \r\n | extend\r\n Src = SrcIpAddr,\r\n EventEndTime = EventStartTime,\r\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\r\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\r\n User = ActorUsername,\r\n Value = NewValue \r\n | extend\r\n IpAddr = SrcIpAddr,\r\n ValueType = iff(isnotempty(Value), \"Other\", \"\")\r\n | project-away\r\n *_d,\r\n *_s,\r\n EventType_lookup,\r\n _ResourceId,\r\n Reason,\r\n severity,\r\n RawData,\r\n SourceIP,\r\n Message,\r\n 
Computer,\r\n MG,\r\n ManagementGroupName,\r\n TenantId,\r\n SourceSystem\r\n );\r\n BarracudaCustom\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Barracuda WAF.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"cb8ce4aa-25e2-5141-a5b4-337c24285e3d","name":"_ASim_AuditEvent_CiscoISEV01","body":"let EventFieldsLookup=datatable(\r\nEventOriginalType: int,\r\nEventType: string,\r\nEventResult: string,\r\nEventOriginalSeverity: string,\r\nEventSeverity: string,\r\nObject: string,\r\nOperation: string,\r\nEventMessage: string\r\n)[\r\n\"52000\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Added configuration\", \"Added configuration\",\r\n\"52001\", \"Set\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Changed configuration\", \"Changed configuration\",\r\n\"52002\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deleted configuration\", \"Deleted configuration\",\r\n\"52003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deregister Node\", \"One of the ISE instances in the deployment has been de-registered.\",\r\n\"52004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Register Node\", \"A new ISE instance has been registered and has joined the deployment.\",\r\n\"52005\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Activate Node\", \"An ISE instance has been activated to receive updates from the Primary node.\",\r\n\"52006\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deactivate ISE Node\", \"An ISE instance has been deactivated and will no longer receive updates from the Primary node.\",\r\n\"52007\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Force Full replication\", \"A Force Full replication has been issued for an ISE 
instance.\",\r\n\"52008\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Replacement Register Handler\", \"A new ISE instance has joined the deployment through hardware replacement.\",\r\n\"52009\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Promote Node\", \"A Secondary node has been promoted to be the Primary node of the deployment.\",\r\n\"52013\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Hardware Replacement\", \"A new ISE instance has joined the deployment through hardware replacement.\",\r\n\"52015\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Target\", \"Enable LogCollector Target\", \"Enable the deployment Log Collector target.\",\r\n\"52016\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Node\", \"Select LogCollector Node\", \"The Log Collector node for the deployment has been selected.\",\r\n\"52017\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Apply software update\", \"Apply a software update to the selected ISE instances.\",\r\n\"52030\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Full replication succeeded\", \"Full replication was completed successfully\",\r\n\"52031\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Full replication failed\", \"Failed to complete full replication\",\r\n\"52033\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"Registration with the primary node was completed successfully\",\r\n\"52035\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"Failed to perform the full replication requested by the primary instance\",\r\n\"52038\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"The ISE instance was successfully joined to a distributed ISE 
deployment\",\r\n\"52039\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"The ISE instance was unable to join a distributed deployment\",\r\n\"52042\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Primary instance\", \"Demotion succeeded\", \"Demotion of the existing primary instance was completed successfully\",\r\n\"52043\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Primary instance\", \"Demotion failed\", \"Demotion of the existing primary instance failed\",\r\n\"52045\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Secondary instance\", \"Promotion succeeded\", \"Promotion of the secondary instance was completed successfully\",\r\n\"52046\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Secondary instance\", \"Promotion failed\", \"Promotion of a secondary instance failed\",\r\n\"52072\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deregister succeeded\", \"Deregistration was completed successfully\",\r\n\"52073\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Deregister failed\", \"Deregistration failed\",\r\n\"52078\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the deployment\",\r\n\"52079\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary instance\", \"Delete node succeeded\", \"The ISE primary instance successfully deleted the secondary instance in inactive mode\",\r\n\"52080\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the primary instance\",\r\n\"52082\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Backup failed\", \"An immediate backup for the secondary instance failed\",\r\n\"52084\", \"Other\", \"Success\", \"NOTICE\", 
\"Informational\", \"ISE primary instance\", \"Backup succeeded\", \"An immediate backup for the primary instance was completed successfully\",\r\n\"52085\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE primary instance\", \"Backup failed\", \"An immediate backup for the primary failed\",\r\n\"52091\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Update bundle\", \"Software update failed\", \"Software update download of update bundle failed\",\r\n\"52092\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Software update succeeded\", \"The software update was completed successfully\",\r\n\"52093\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Software update failed\", \"The software update failed\",\r\n\"57000\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Log file(s)\", \"Deleted rolled-over local log file(s)\", \"Deleted rolled-over local log file(s)\",\r\n\"58001\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process started\", \"An ISE process has started\",\r\n\"58002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process stopped\", \"An ISE process has stopped\",\r\n\"58003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes started\", \"All ISE processes have started\",\r\n\"58004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes stopped\", \"All ISE processes have stopped\",\r\n\"58005\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process was restarted by watchdog service\", \"The watchdog service has restarted an ISE process\",\r\n\"60000\", \"Install\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch installation completed successfully on the node\", \"Patch installation completed successfully on the node\",\r\n\"60001\", \"Install\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch 
installation failed on the node\", \"Patch installation failed on the node\",\r\n\"60002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch rollback completed successfully on the node\", \"Patch rollback completed successfully on the node\",\r\n\"60003\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch rollback failed on the node\", \"Patch rollback failed on the node\",\r\n\"60050\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node added to deployment successfully\", \"Node added to deployment successfully\",\r\n\"60051\", \"Create\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to add node to deployment\", \"Failed to add node to deployment\",\r\n\"60052\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node removed from deployment\", \"Node removed from deployment\",\r\n\"60053\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to remove node from deployment\", \"Failed to remove node from deployment\",\r\n\"60054\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node updated successfully\", \"Node updated successfully\",\r\n\"60055\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to update node\", \"Failed to update node\",\r\n\"60056\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Cluster\", \"The runtime status of the node group has changed\", \"There is a change in the cluster state\",\r\n\"60057\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"PSN node\", \"A PSN node went down\", \"One of the PSN nodes in the node group has gone down\",\r\n\"60058\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Heartbeat System\", \"The initial status of the heartbeat system\", \"The initial status of the heartbeat system\",\r\n\"60059\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node has successfully registered with MnT\", \"Node has successfully registered with 
MnT\",\r\n\"60060\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\", \"The ISE Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\",\r\n\"60061\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"OCSP Clear Cache operation completed successfully\", \"OCSP Clear Cache operation completed successfully on all Policy Service nodes\",\r\n\"60062\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Policy Service nodes\", \"OCSP Clear Cache operation terminated with error\", \"OCSP Clear Cache clear operation terminated with error on one or more Policy Service nodes\",\r\n\"60063\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary node\", \"Replication to node completed successfully\", \"Replication of data to secondary node completed successfully\",\r\n\"60064\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary node\", \"Replication to node failed\", \"Replication of data to secondary node failed\",\r\n\"60068\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - manual download initiated\", \"The Profiler Feed Service has begun the check and download of new and/or updated Profiles in response to Administrator's request\",\r\n\"60069\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - Profiles Downloaded\", \"The Profiler Feed Service has downloaded new and/or updated Profiles\",\r\n\"60070\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - No Profiles Downloaded\", \"The Profiler Feed Service found no new and/or updated Profiles to download\",\r\n\"60083\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"Syslog Server\", \"Syslog Server configuration change\", \"Syslog Server configuration 
change has occurred\",\r\n\"60084\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI user\", \"ADEOS CLI user configuration change\", \"Configuration change occurred for ADEOS CLI user\",\r\n\"60085\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Repository\", \"ADEOS Repository configuration change\", \"Configuration change occurred for ADEOS repository\",\r\n\"60086\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SSH Service\", \"ADEOS SSH Service configuration change\", \"Configuration change occurred for ADEOS SSH Service\",\r\n\"60087\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Maximum SSH CLI sessions\", \"ADEOS Maximum SSH CLI sessions configuration change\", \"Configuration change occurred for ADEOS Maximum CLI sessions\",\r\n\"60088\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SNMP agent\", \"ADEOS SNMP agent configuration change\", \"Configuration change occurred for ADEOS SNMP agent\",\r\n\"60089\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler policy configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler policy\",\r\n\"60090\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler occurrence configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler occurrence\",\r\n\"60091\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI pre-login banner\", \"ADEOS CLI pre-login banner configuration change\", \"Configuration change occurred for ADEOS CLI pre-login banner\",\r\n\"60092\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI post-login banner\", \"ADEOS CLI post-login banner configuration change\", \"Configuration change occurred for ADEOS CLI post-login banner\",\r\n\"60094\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Backup has completed 
successfully\", \"ISE Backup has completed successfully\",\r\n\"60095\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Backup has failed\", \"ISE Backup has failed\",\r\n\"60097\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Log Backup has completed successfully\", \"ISE Log Backup has completed successfully\",\r\n\"60098\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Log Backup has failed\", \"ISE Log Backup has failed\",\r\n\"60100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Restore has completed successfully\", \"ISE Restore has completed successfully\",\r\n\"60101\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Restore has failed\", \"ISE Restore has failed\",\r\n\"60102\", \"Install\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application installation completed successfully\", \"Application installation completed successfully\",\r\n\"60103\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application installation failed\", \"Application installation failed\",\r\n\"60105\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application remove completed successfully\", \"Application remove completed successfully\",\r\n\"60106\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application remove failed\", \"Application remove failed\",\r\n\"60107\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application upgrade failed\", \"Application upgrade failed\",\r\n\"60111\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application patch remove has completed successfully\", \"Application patch remove has completed successfully\",\r\n\"60112\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch remove has failed\", \"Application patch remove has failed\",\r\n\"60113\", \"Other\", 
\"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server reload has been initiated\", \"ISE server reload has been initiated\",\r\n\"60114\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server shutdown has been initiated\", \"ISE server shutdown has been initiated\",\r\n\"60118\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used delete CLI to delete file\", \"ADEOS CLI user has used delete CLI to delete file\",\r\n\"60119\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used copy CLI to copy file\", \"ADEOS CLI user has used copy CLI to copy file\",\r\n\"60120\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"Directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\",\r\n\"60121\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied out running system configuration\", \"ADEOS CLI user has copied out running system configuration\",\r\n\"60122\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied in system configuration\", \"ADEOS CLI user has copied in system configuration\",\r\n\"60123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has saved running system configuration\", \"ADEOS CLI user has saved running system configuration\",\r\n\"60126\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch installation failed\", \"Application patch installation failed\",\r\n\"60128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file in from ADEOS CLI\", \"Failure occurred trying to copy file in from ADEOS CLI\",\r\n\"60129\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file out from ADEOS CLI\", \"Failure 
occurred trying to copy file out from ADEOS CLI\",\r\n\"60130\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE Backup\", \"ISE Scheduled Backup has been configured\", \"ISE Scheduled Backup has been configured\",\r\n\"60131\", \"Create\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been created from web UI\", \"ISE Support bundle has been created from web UI\",\r\n\"60132\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been deleted from web UI\", \"ISE Support bundle has been deleted from web UI\",\r\n\"60133\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE Support bundle\", \"ISE Support bundle generation from web UI has failed\", \"ISE Support bundle generation from web UI has failed\",\r\n\"60153\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Certificate\", \"Certificate has been exported\", \"Certificate has been exported\",\r\n\"60166\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate will expire soon\", \"Certificate Expiration warning\",\r\n\"60167\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate has expired\", \"Certificate has expired\",\r\n\"60172\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Alarm(s) has/have been acknowledged\", \"These alarms are acknowledged and will not be displayed on the Dashboard\",\r\n\"60173\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Outdated alarms are purged\", \"Only latest 15000 alarms would be retained and rest of them are purged\",\r\n\"60187\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application upgrade succeeded\", \"Application upgrade succeeded\",\r\n\"60189\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Terminal Session timeout has been modified\", \"Configuration change occurred for ADEOS CLI Terminal Session 
timeout\",\r\n\"60193\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"RSA key configuration has been modified\", \"Configuration change occurred for ADEOS CLI RSA key\",\r\n\"60194\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Host key configuration has been modified\", \"Configuration change occurred for ADEOS CLI host key\",\r\n\"60197\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Certificate\", \"Revoked ISE CA issued Certificate.\", \"Certificate issued to Endpoint by ISE CA is revoked by Administrator\",\r\n\"60198\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"MnT\", \"MnT purge event occurred\", \"MnT purge event occurred\",\r\n\"60199\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"An IP-SGT mapping was deployed successfully\", \"An IP-SGT mapping was deployed successfully to a TrustSec device\",\r\n\"60200\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"An IP-SGT mapping has failed deploying\", \"An IP-SGT mapping has failed deploying to a TrustSec device\",\r\n\"60201\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"IP-SGT deployment to TrustSec device was successful\", \"IP-SGT deployment to TrustSec device was successful\",\r\n\"60202\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"IP-SGT deployment to TrustSec device failed\", \"IP-SGT deployment to TrustSec device failed\",\r\n\"60207\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Logging loglevel configuration has been modified\", \"Configuration change occurred for ADEOS CLI logging loglevel\",\r\n\"60208\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Root CA certificate has been replaced\", \"Root CA certificate has been replaced\",\r\n\"60209\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service enabled\", \"CA service 
enabled\",\r\n\"60210\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service disabled\", \"CA service disabled\",\r\n\"60213\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were replaced by import operation\", \"CA keys were replaced by import operation\",\r\n\"60214\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were exported\", \"CA keys were exported\",\r\n\"60215\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were marked expired\", \"Endpoint certs were marked expired by daily scheduled job\",\r\n\"60216\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were purged\", \"Endpoint certs were purged by daily scheduled job\",\r\n\"60451\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is enabled on this deployment\", \"Telemetry is enabled on this deployment\",\r\n\"60452\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is disabled on this deployment\", \"Telemetry is disabled on this deployment\",\r\n\"61002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SGT from IEPG\", \"ISE has learned a new SGT from IEPG\",\r\n\"61003\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new EEPG to APIC\", \"ISE has propagated a new EEPG to APIC.\",\r\n\"61004\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SXP mapping from APIC endpoint\", \"ISE has learned a new SXP mapping from APIC endpoint\",\r\n\"61005\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\",\r\n\"61006\", \"Delete\", \"Success\", \"INFO\", \"Informational\", 
\"SGT\", \"ISE has removed an SGT due to deleted IEPG\", \"ISE has removed an SGT due to deleted IEPG\",\r\n\"61007\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed EEPG from APIC due to SGT deletion\", \"ISE has removed EEPG from APIC due to SGT deletion\",\r\n\"61008\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\",\r\n\"61009\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\",\r\n\"61016\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EPG subscriber against APIC\", \"ISE failed to refresh EPG subscriber against APIC\",\r\n\"61017\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh endpoint subscriber against APIC\", \"ISE failed to refresh endpoint subscriber against APIC\",\r\n\"61018\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EEPG subscriber against APIC\", \"ISE failed to refresh EEPG subscriber against APIC\",\r\n\"61020\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\",\r\n\"61022\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to propagate SGT to EEPG\", \"ISE has failed to propagate SGT to EEPG\",\r\n\"61023\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to learn IEPG from APIC\", \"ISE has failed to learn IEPG from APIC\",\r\n\"61024\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to parse VRF for EPG\", \"ISE has failed to parse 
VRF for EPG\",\r\n\"61030\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"TrustSec deploy verification was canceled.\", \"TrustSec deployment verification process was canceled as a new TrustSec deploy started.\",\r\n\"61033\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"TrustSec deployment verification process succeeded.\", \"ISE trustsec configuration was successfully deployed to all network access devices.\",\r\n\"61034\", \"Other\", \"\", \"INFO\", \"Low\", \"ISE instance\", \"Maximum resource limit reached.\", \"Maximum resource limit reached.\",\r\n\"61051\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Synflood-limit configured\", \"Synflood-limit configured\",\r\n\"61052\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Rate-limit configured\", \"Rate-limit configured\",\r\n\"61100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from ACI\", \"ISE has learned a new tenant from ACI\",\r\n\"61101\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"ISE has removed ACI tenant\", \"ISE has removed ACI tenant\",\r\n\"61102\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn new tenant from ACI in ISE\", \"Failed to learn new tenant from ACI in ISE\",\r\n\"61103\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to remove ACI tenant in ISE\", \"Failed to remove ACI tenant in ISE\",\r\n\"61104\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from SDA\", \"ISE has learned a new tenant from SDA\",\r\n\"61105\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new VN info\", \"ISE has learned a new VN info\",\r\n\"61106\", \"Create\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to create VN info in ISE\", \"Failed to create VN 
info in ISE\",\r\n\"61107\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"VN info is updated in ISE\", \"VN info is updated in ISE\",\r\n\"61108\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to update VN info in ISE\", \"Failed to update VN info in ISE\",\r\n\"61109\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"VN info is deleted in ISE\", \"VN info is deleted in ISE\",\r\n\"61110\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to delete VN info in ISE\", \"Failed to delete VN info in ISE\",\r\n\"61111\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration process failed\", \"Domain registration process failed\",\r\n\"61114\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Domain registration completed successfully\", \"Domain registration completed successfully\",\r\n\"61115\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration failed\", \"Domain registration failed\",\r\n\"61116\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Unable to store ACI certificate\", \"Unable to store ACI certificate\",\r\n\"61117\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI connector\", \"ACI connector started successfully\", \"ACI connector started successfully\",\r\n\"61118\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI connector\", \"Failed to start ACI connector\", \"Failed to start ACI connector\",\r\n\"61120\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI certificate\", \"Successfully deleted ACI certificate from ISE\", \"Successfully deleted ACI certificate from ISE\",\r\n\"61121\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Failed to delete ACI certificate from ISE\", \"Failed to delete ACI certificate from ISE\",\r\n\"61122\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI keystore\", 
\"Failed to delete ACI keystore\", \"Failed to delete ACI keystore\",\r\n\"61123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new ACI domain\", \"ISE has learned a new ACI domain\",\r\n\"61124\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new ACI domain\", \"Failed to learn a new ACI domain\",\r\n\"61125\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI domain\", \"ISE has removed ACI domain\", \"ISE has removed ACI domain\",\r\n\"61126\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI domain\", \"Failed to remove ACI domain\", \"Failed to remove ACI domain\",\r\n\"61127\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SDA domain\", \"ISE has learned a new SDA domain\",\r\n\"61128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new SDA domain\", \"Failed to learn a new SDA domain\",\r\n\"61129\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SDA domain\", \"ISE has removed SDA domain\", \"ISE has removed SDA domain\",\r\n\"61130\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"SDA domain\", \"Failed to remove SDA domain\", \"Failed to remove SDA domain\",\r\n\"61158\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed in receiving SDA SXP configuration\", \"ISE failed in receiving SDA SXP configuration\",\r\n\"61160\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed to publish Gateway advertisement message to ACI\", \"ISE failed to publish Gateway advertisement message to ACI\",\r\n\"61161\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE learned new SXP Listener\", \"ISE learned new SXP Listener\",\r\n\"61162\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates VN defined for SXP Listener\", \"ISE updates VN defined for SXP Listener\",\r\n\"61163\", 
\"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE learned new VN defined for SXP Listener\", \"ISE learned new VN defined for SXP Listener\",\r\n\"61164\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates SXP Listener\", \"ISE updates SXP Listener\",\r\n\"61165\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\",\r\n\"61166\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI\", \"ACI published Gateway advertisement message to SDA\", \"ACI published Gateway advertisement message to SDA\",\r\n\"61167\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Send ACI Gateway advertisement message to ISE\", \"Send ACI Gateway advertisement message to ISE\",\r\n\"61168\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to send ACI Gateway advertisement message to ISE\", \"Failed to send ACI Gateway advertisement message to ISE/SDA\",\r\n\"61169\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Successfully Send ACI Gateway advertisement message\", \"Successfully Send ACI Gateway advertisement message\",\r\n\"61234\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE instance\", \"Got event with unknown properties\", \"Got event with unknown properties\",\r\n\"62000\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script execute completed\", \"Agentless script execute completed\",\r\n\"62001\", \"Execute\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script execute failed\", \"Agentless script execute failed\",\r\n\"62002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script upload completed\", \"Agentless script upload completed\",\r\n\"62003\", \"Other\", \"Failure\", \"WARN\", \"Low\", 
\"ISE instance\", \"Agentless script upload failed\", \"Agentless script upload failed\",\r\n\"61300\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Network Access policy request\", \"Network Access policy request\",\r\n\"61301\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Device Admin policy request\", \"Device Admin policy request\",\r\n\"61302\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Policy component request\", \"Policy component request\",\r\n\"60467\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"OCSP Certificate renewal failed\", \"OCSP Certificate renewal failed.\",\r\n\"60468\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Root CA Regeneration failed\", \"Regeneration of Root CA failed.\",\r\n\"62008\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service starts\", \"Meraki connector sync service starts\",\r\n\"62009\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service stops\", \"Meraki connector sync service stops\",\r\n\"62010\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync service failure\", \"Meraki connector sync service failure\",\r\n\"62011\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle starts\", \"Meraki connector sync cycle starts\",\r\n\"62012\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle stops\", \"Meraki connector sync cycle stops\",\r\n\"62013\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync cycle failure\", \"Meraki connector sync cycle failure\",\r\n\"62014\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync operation success\", \"Meraki connector 
sync operation success\",\r\n\"62015\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync operation failure\", \"Meraki connector sync operation failure\",\r\n\"62016\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Port 2484 opened for Data Connect\", \"Port 2484 opened for Data Connect\",\r\n\"62017\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Data Connect port 2484 closed\", \"Data Connect port 2484 closed\"];\r\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \r\n| summarize make_set(EventOriginalType));\r\nlet CiscoISEAuditParser=(disabled: bool=false) {\r\nSyslog\r\n| where not(disabled)\r\n| where ProcessName has_any (\"CISE\", \"CSCO\")\r\n| parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\r\n| where EventOriginalType in (EventOriginalTypeList)\r\n| lookup EventFieldsLookup on EventOriginalType \r\n| parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string) with (pair_delimiter=',', kv_delimiter='=')\r\n| project-rename SrcIpAddr=['Remote-Address'], TargetIpAddr =['Device IP Address']\r\n| extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\r\n| extend ActorUsername = coalesce(['User-Name'], UserName, User)\r\n| extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \r\n| extend \r\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\r\n , EventStartTime = coalesce(EventTime, TimeGenerated)\r\n , EventEndTime = coalesce(EventTime, TimeGenerated)\r\n , EventVendor = \"Cisco\"\r\n , EventProduct = \"ISE\"\r\n , EventProductVersion = \"3.2\"\r\n , EventCount = int(1)\r\n , EventSchema = \"AuditEvent\"\r\n , EventSchemaVersion = \"0.1.0\"\r\n , ObjectType = \"Configuration Atom\"\r\n , TargetAppName 
= \"ISE\"\r\n , TargetAppType = \"Service\"\r\n// ***************** ********************\r\n| extend \r\n Dvc = coalesce(DvcIpAddr, DvcHostname)\r\n , Application = TargetAppName\r\n , IpAddr = coalesce(SrcIpAddr, TargetIpAddr)\r\n , Dst = TargetIpAddr\r\n , Src = SrcIpAddr\r\n , User = ActorUsername\r\n// ***************** *******************\r\n| project-away\r\n TenantId,\r\n SourceSystem,\r\n MG,\r\n Computer,\r\n EventTime,\r\n Facility,\r\n HostName,\r\n SeverityLevel,\r\n SyslogMessage,\r\n HostIP,\r\n ProcessName,\r\n ProcessID,\r\n _ResourceId,\r\n NetworkDeviceName,\r\n ['User-Name'],\r\n UserName\r\n};\r\nCiscoISEAuditParser(disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM filtering parser for Cisco ISE.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"55a6be07-1def-5523-92b4-f63c80049713","name":"_ASim_AuditEvent_CiscoMerakiSyslogV02","body":"let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\r\n[\r\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\r\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\r\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\r\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\r\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\r\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\r\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\r\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\r\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\r\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\r\n \"initiate new phase 2 negotiation\", \"Initiate new 
phase 2 negotiation\",\"Partial\", \"Initialize\",\r\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\r\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\r\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\r\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\r\n \"port status change\", \"Port status change\", \"\", \"\"\r\n];\r\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\r\n \"Success\", \"Informational\",\r\n \"Partial\", \"Informational\",\r\n \"Failure\", \"Low\"\r\n];\r\nlet parser=(disabled: bool=false) {\r\nlet allData = union isfuzzy=true\r\n (\r\n Syslog\r\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\r\n | project-rename LogMessage = SyslogMessage\r\n );\r\nlet PreFilteredData = allData\r\n | where not(disabled)\r\n and LogMessage has \"events\"\r\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\r\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\r\n | extend\r\n LogType = tostring(Parser[2]),\r\n Substring = tostring(Parser[3])\r\n | where LogType == \"events\";\r\nlet SiteToSiteData = PreFilteredData\r\n | where Substring has_cs \"Site-to-site\";\r\nlet SiteToSite_deleted = SiteToSiteData\r\n | where Substring has \"ISAKMP-SA deleted\"\r\n | extend TempOperation = \"ISAKMP-SA deleted\"\r\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\r\n | extend temp_srcipport = temp_deletedSrcIp,\r\n temp_targetipport = temp_deletedTargetIp;\r\nlet SiteToSite_negotiation = SiteToSiteData\r\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\r\n | parse Substring with * 
\"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"\" temp_negotiationTargetIp:string\r\n | extend temp_srcipport = temp_negotiationSrcIp,\r\n temp_targetipport = temp_negotiationTargetIp;\r\nlet SiteToSite_ESP = SiteToSiteData\r\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\r\n | extend temp_srcipport = temp_espSrcIp,\r\n temp_targetipport = temp_espTargetIp;\r\nlet SiteToSite_tunnel = SiteToSiteData\r\n | where Substring has \"IPsec-SA established\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\r\n | extend temp_srcipport = temp_tunnelSrcIp,\r\n temp_targetipport = temp_tunnelTargetIp;\r\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\r\n | where Substring has \"ISAKMP-SA established\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\r\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\r\n temp_srcipport = temp_estSrcIp,\r\n temp_targetipport = temp_estTargetIp;\r\nlet SiteToSite_IPsecSArequest = SiteToSiteData\r\n | where Substring has \"IPsec-SA request\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\r\n | extend temp_targetipport = temp_forTaregtSrcIp;\r\nlet SiteToSite_purging = SiteToSiteData\r\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\r\nlet SiteToSite_failed = SiteToSiteData\r\n | where Substring 
has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\r\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\r\nlet VPNConnectivityChangeData = PreFilteredData\r\n | where Substring has \"vpn_connectivity_change\"\r\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\r\n | extend type = trim('\"', type),\r\n connectivity = trim('\"', connectivity)\r\n | extend TempOperation = type,\r\n temp_srcipport = peer_contact;\r\nlet StatusChangedData = PreFilteredData\r\n | where Substring has \"status changed\"\r\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\r\n | extend TempOperation = \"port status change\";\r\nlet PortData = PreFilteredData\r\n | where Substring has_cs \"Port\"\r\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\r\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\r\n | extend Port = coalesce(Port1,Port2)\r\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\r\nlet VRRPData = PreFilteredData\r\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\r\n | extend TempOperation = \"VRRP transition\";\r\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\r\n | extend Epoch = tostring(Parser[0]),\r\n Device = tostring(Parser[1])\r\n | extend EpochTimestamp = split(Epoch, \".\")\r\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\r\n | lookup EventFieldsLookup on TempOperation\r\n | extend \r\n temp_srcipport = iff(temp_srcipport 
has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\r\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\r\n | extend \r\n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\r\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\r\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\r\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\r\n | extend\r\n temp_srcipport = trim(\"'\", temp_srcipport),\r\n temp_targetipport = trim(\"'\", temp_targetipport)\r\n | extend \r\n temp_srcipport = trim('\"', temp_srcipport),\r\n temp_targetipport = trim('\"', temp_targetipport)\r\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\r\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\r\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\r\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\r\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\r\n | extend SrcPortNumber = case(\r\n isnotempty(temp_srcipport),\r\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\r\n Substring has_cs \"Port\",\r\n toint(Port),\r\n Operation == \"Port status change\",\r\n 
toint(port),\r\n int(null)\r\n )\r\n | extend EventResult = case(\r\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\r\n \"Success\",\r\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\r\n \"Failure\",\r\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\r\n \"Partial\",\r\n EventResult\r\n )\r\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\r\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\r\n EventType\r\n )\r\n | lookup EventSeverityLookup on EventResult\r\n | extend\r\n EventResultDetails = case(\r\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\r\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \r\n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\r\n Substring\r\n ),\r\n EventMessage = Substring,\r\n EventOriginalType = LogType,\r\n EventUid = _ResourceId\r\n | invoke _ASIM_ResolveDvcFQDN('Device')\r\n | extend\r\n Dvc = DvcHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n EventEndTime = EventStartTime, \r\n EventCount = int(1),\r\n EventProduct = \"Meraki\",\r\n EventVendor = \"Cisco\",\r\n EventSchema = \"AuditEvent\",\r\n EventSchemaVersion = \"0.1\"\r\n | project-away\r\n LogMessage,\r\n Parser,\r\n Epoch,\r\n EpochTimestamp,\r\n Device,\r\n Substring,\r\n TempOperation*,\r\n temp*,\r\n STPMac,\r\n 
peer_contact,\r\n connectivity,\r\n Port*,\r\n port,\r\n portnextpart,\r\n LogType,\r\n type,\r\n TenantId,\r\n SourceSystem,\r\n Computer,\r\n _ResourceId,\r\n MG,\r\n EventTime,\r\n Facility,\r\n HostName,\r\n SeverityLevel,\r\n ProcessID,\r\n HostIP,\r\n ProcessName,CollectorHostName\r\n };\r\n parser(disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Cisco Meraki.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"723f7b25-c699-5469-9ac6-1b5704a2b63a","name":"_ASim_AuditEvent_CiscoMerakiV01","body":"let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\r\n[\r\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\r\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\r\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\r\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\r\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\r\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\r\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\r\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\r\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\r\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\r\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\r\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\r\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\r\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\r\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\r\n 
\"port status change\", \"Port status change\", \"\", \"\"\r\n];\r\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\r\n \"Success\", \"Informational\",\r\n \"Partial\", \"Informational\",\r\n \"Failure\", \"Low\"\r\n];\r\nlet parser=(disabled: bool=false) {\r\nlet allData = union isfuzzy=true\r\n (\r\n meraki_CL\r\n | project-rename LogMessage = Message\r\n ),\r\n (\r\n Syslog\r\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\r\n | project-rename LogMessage = SyslogMessage\r\n );\r\nlet PreFilteredData = allData\r\n | where not(disabled)\r\n and LogMessage has \"events\"\r\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\r\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\r\n | extend\r\n LogType = tostring(Parser[2]),\r\n Substring = tostring(Parser[3])\r\n | where LogType == \"events\";\r\nlet SiteToSiteData = PreFilteredData\r\n | where Substring has_cs \"Site-to-site\";\r\nlet SiteToSite_deleted = SiteToSiteData\r\n | where Substring has \"ISAKMP-SA deleted\"\r\n | extend TempOperation = \"ISAKMP-SA deleted\"\r\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\r\n | extend temp_srcipport = temp_deletedSrcIp,\r\n temp_targetipport = temp_deletedTargetIp;\r\nlet SiteToSite_negotiation = SiteToSiteData\r\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"\" temp_negotiationTargetIp:string\r\n | extend temp_srcipport = temp_negotiationSrcIp,\r\n temp_targetipport = temp_negotiationTargetIp;\r\nlet SiteToSite_ESP = SiteToSiteData\r\n | where Substring has \"phase2 
negotiation failed due to time up waiting for phase1\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\r\n | extend temp_srcipport = temp_espSrcIp,\r\n temp_targetipport = temp_espTargetIp;\r\nlet SiteToSite_tunnel = SiteToSiteData\r\n | where Substring has \"IPsec-SA established\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\r\n | extend temp_srcipport = temp_tunnelSrcIp,\r\n temp_targetipport = temp_tunnelTargetIp;\r\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\r\n | where Substring has \"ISAKMP-SA established\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\r\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\r\n temp_srcipport = temp_estSrcIp,\r\n temp_targetipport = temp_estTargetIp;\r\nlet SiteToSite_IPsecSArequest = SiteToSiteData\r\n | where Substring has \"IPsec-SA request\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\r\n | extend temp_targetipport = temp_forTaregtSrcIp;\r\nlet SiteToSite_purging = SiteToSiteData\r\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\r\nlet SiteToSite_failed = SiteToSiteData\r\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\r\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\r\nlet VPNConnectivityChangeData = PreFilteredData\r\n | where Substring has 
\"vpn_connectivity_change\"\r\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\r\n | extend type = trim('\"', type),\r\n connectivity = trim('\"', connectivity)\r\n | extend TempOperation = type,\r\n temp_srcipport = peer_contact;\r\nlet StatusChangedData = PreFilteredData\r\n | where Substring has \"status changed\"\r\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\r\n | extend TempOperation = \"port status change\";\r\nlet PortData = PreFilteredData\r\n | where Substring has_cs \"Port\"\r\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\r\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\r\n | extend Port = coalesce(Port1,Port2)\r\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\r\nlet VRRPData = PreFilteredData\r\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\r\n | extend TempOperation = \"VRRP transition\";\r\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\r\n | extend Epoch = tostring(Parser[0]),\r\n Device = tostring(Parser[1])\r\n | extend EpochTimestamp = split(Epoch, \".\")\r\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\r\n | lookup EventFieldsLookup on TempOperation\r\n | extend \r\n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\r\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\r\n | extend \r\n temp_srcipport = iff(temp_srcipport has \"[\" and 
temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\r\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\r\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\r\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\r\n | extend\r\n temp_srcipport = trim(\"'\", temp_srcipport),\r\n temp_targetipport = trim(\"'\", temp_targetipport)\r\n | extend \r\n temp_srcipport = trim('\"', temp_srcipport),\r\n temp_targetipport = trim('\"', temp_targetipport)\r\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\r\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\r\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\r\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\r\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\r\n | extend SrcPortNumber = case(\r\n isnotempty(temp_srcipport),\r\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\r\n Substring has_cs \"Port\",\r\n toint(Port),\r\n Operation == \"Port status change\",\r\n toint(port),\r\n int(null)\r\n )\r\n | extend EventResult = case(\r\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\r\n \"Success\",\r\n (Operation == \"Port status 
change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\r\n \"Failure\",\r\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\r\n \"Partial\",\r\n EventResult\r\n )\r\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\r\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\r\n EventType\r\n )\r\n | lookup EventSeverityLookup on EventResult\r\n | extend\r\n EventResultDetails = case(\r\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\r\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \r\n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\r\n Substring\r\n ),\r\n EventMessage = Substring,\r\n EventOriginalType = LogType,\r\n EventUid = _ResourceId\r\n | invoke _ASIM_ResolveDvcFQDN('Device')\r\n | extend\r\n Dvc = DvcHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n EventEndTime = EventStartTime, \r\n EventCount = int(1),\r\n EventProduct = \"Meraki\",\r\n EventVendor = \"Cisco\",\r\n EventSchema = \"AuditEvent\",\r\n EventSchemaVersion = \"0.1\"\r\n | project-away\r\n LogMessage,\r\n Parser,\r\n Epoch,\r\n EpochTimestamp,\r\n Device,\r\n Substring,\r\n TempOperation*,\r\n temp*,\r\n STPMac,\r\n peer_contact,\r\n connectivity,\r\n Port*,\r\n port,\r\n portnextpart,\r\n LogType,\r\n type,\r\n TenantId,\r\n SourceSystem,\r\n Computer,\r\n _ResourceId,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n EventTime,\r\n Facility,\r\n HostName,\r\n SeverityLevel,\r\n ProcessID,\r\n HostIP,\r\n 
ProcessName\r\n };\r\n parser(disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Cisco Meraki.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"569d9b71-efa7-52d9-9150-03214bc7e742","name":"_ASim_AuditEvent_CiscoMerakiV02","body":"let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\r\n[\r\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\r\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\r\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\r\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\r\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\r\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\r\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\r\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\r\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\r\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\r\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\r\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\r\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\r\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\r\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\r\n \"port status change\", \"Port status change\", \"\", \"\"\r\n];\r\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\r\n \"Success\", \"Informational\",\r\n \"Partial\", \"Informational\",\r\n \"Failure\", \"Low\"\r\n];\r\nlet parser=(disabled: 
bool=false) {\r\nlet allData = union isfuzzy=true\r\n (\r\n meraki_CL\r\n | project-rename LogMessage = Message\r\n );\r\nlet PreFilteredData = allData\r\n | where not(disabled)\r\n and LogMessage has \"events\"\r\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\r\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\r\n | extend\r\n LogType = tostring(Parser[2]),\r\n Substring = tostring(Parser[3])\r\n | where LogType == \"events\";\r\nlet SiteToSiteData = PreFilteredData\r\n | where Substring has_cs \"Site-to-site\";\r\nlet SiteToSite_deleted = SiteToSiteData\r\n | where Substring has \"ISAKMP-SA deleted\"\r\n | extend TempOperation = \"ISAKMP-SA deleted\"\r\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\r\n | extend temp_srcipport = temp_deletedSrcIp,\r\n temp_targetipport = temp_deletedTargetIp;\r\nlet SiteToSite_negotiation = SiteToSiteData\r\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"\" temp_negotiationTargetIp:string\r\n | extend temp_srcipport = temp_negotiationSrcIp,\r\n temp_targetipport = temp_negotiationTargetIp;\r\nlet SiteToSite_ESP = SiteToSiteData\r\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\r\n | extend temp_srcipport = temp_espSrcIp,\r\n temp_targetipport = temp_espTargetIp;\r\nlet SiteToSite_tunnel = SiteToSiteData\r\n | where Substring has \"IPsec-SA established\"\r\n | parse 
Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\r\n | extend temp_srcipport = temp_tunnelSrcIp,\r\n temp_targetipport = temp_tunnelTargetIp;\r\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\r\n | where Substring has \"ISAKMP-SA established\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\r\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\r\n temp_srcipport = temp_estSrcIp,\r\n temp_targetipport = temp_estTargetIp;\r\nlet SiteToSite_IPsecSArequest = SiteToSiteData\r\n | where Substring has \"IPsec-SA request\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\r\n | extend temp_targetipport = temp_forTaregtSrcIp;\r\nlet SiteToSite_purging = SiteToSiteData\r\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\r\nlet SiteToSite_failed = SiteToSiteData\r\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\r\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\r\nlet VPNConnectivityChangeData = PreFilteredData\r\n | where Substring has \"vpn_connectivity_change\"\r\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\r\n | extend type = trim('\"', type),\r\n connectivity = trim('\"', connectivity)\r\n | extend TempOperation = type,\r\n temp_srcipport = peer_contact;\r\nlet StatusChangedData = PreFilteredData\r\n | where Substring has \"status changed\"\r\n 
| parse Substring with * \"port \" port:string \" \" portnextpart:string\r\n | extend TempOperation = \"port status change\";\r\nlet PortData = PreFilteredData\r\n | where Substring has_cs \"Port\"\r\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\r\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\r\n | extend Port = coalesce(Port1,Port2)\r\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\r\nlet VRRPData = PreFilteredData\r\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\r\n | extend TempOperation = \"VRRP transition\";\r\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\r\n | extend Epoch = tostring(Parser[0]),\r\n Device = tostring(Parser[1])\r\n | extend EpochTimestamp = split(Epoch, \".\")\r\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\r\n | lookup EventFieldsLookup on TempOperation\r\n | extend \r\n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\r\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\r\n | extend \r\n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\r\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\r\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex 
\"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\r\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\r\n | extend\r\n temp_srcipport = trim(\"'\", temp_srcipport),\r\n temp_targetipport = trim(\"'\", temp_targetipport)\r\n | extend \r\n temp_srcipport = trim('\"', temp_srcipport),\r\n temp_targetipport = trim('\"', temp_targetipport)\r\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\r\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\r\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\r\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\r\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\r\n | extend SrcPortNumber = case(\r\n isnotempty(temp_srcipport),\r\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\r\n Substring has_cs \"Port\",\r\n toint(Port),\r\n Operation == \"Port status change\",\r\n toint(port),\r\n int(null)\r\n )\r\n | extend EventResult = case(\r\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\r\n \"Success\",\r\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\r\n \"Failure\",\r\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\r\n \"Partial\",\r\n EventResult\r\n )\r\n | 
extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\r\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\r\n EventType\r\n )\r\n | lookup EventSeverityLookup on EventResult\r\n | extend\r\n EventResultDetails = case(\r\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\r\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \r\n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\r\n Substring\r\n ),\r\n EventMessage = Substring,\r\n EventOriginalType = LogType,\r\n EventUid = _ResourceId\r\n | invoke _ASIM_ResolveDvcFQDN('Device')\r\n | extend\r\n Dvc = DvcHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n EventEndTime = EventStartTime, \r\n EventCount = int(1),\r\n EventProduct = \"Meraki\",\r\n EventVendor = \"Cisco\",\r\n EventSchema = \"AuditEvent\",\r\n EventSchemaVersion = \"0.1\"\r\n | project-away\r\n LogMessage,\r\n Parser,\r\n Epoch,\r\n EpochTimestamp,\r\n Device,\r\n Substring,\r\n TempOperation*,\r\n temp*,\r\n STPMac,\r\n peer_contact,\r\n connectivity,\r\n Port*,\r\n port,\r\n portnextpart,\r\n LogType,\r\n type,\r\n TenantId,\r\n SourceSystem,\r\n Computer,\r\n _ResourceId,\r\n MG,\r\n ManagementGroupName,\r\n RawData\r\n };\r\n parser(disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Cisco Meraki.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"2e444f79-0b97-5b7b-967b-1e3f9605e1e2","name":"_ASim_AuditEvent_CrowdStrikeFalconHostV01","body":"let EventFieldsLookup = datatable(\r\n Activity: string,\r\n Operation: string,\r\n EventType_lookup: string,\r\n 
EventSubType: string,\r\n Object: string,\r\n ObjectType: string\r\n) \r\n [\r\n \"delete_report_execution\", \"Delete Report Execution\", \"Delete\", \"\", \"Report Execution\", \"Scheduled Task\",\r\n \"delete_scheduled_report\", \"Delete Scheduled Report\", \"Delete\", \"\", \"Scheduled Report\", \"Scheduled Task\",\r\n \"update_scheduled_report\", \"Update Scheduled Report\", \"Set\", \"\", \"Scheduled Report\", \"Scheduled Task\",\r\n \"create_scheduled_report\", \"Create Scheduled Report\", \"Create\", \"\", \"Scheduled Report\", \"Scheduled Task\",\r\n \"update_class_action\", \"Update Class Action\", \"Set\", \"\", \"Class Action\", \"Other\",\r\n \"update_policy\", \"Update Policy\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\r\n \"enable_policy\", \"Enable Policy\", \"Enable\", \"\", \"Policy\", \"Policy Rule\",\r\n \"create_policy\", \"Create Policy\", \"Create\", \"\", \"Policy\", \"Policy Rule\",\r\n \"remove_rule_group\", \"Remove Rule Group\", \"Other\", \"Remove\", \"Rule Group\", \"Service\",\r\n \"create_rule_group\", \"Create Rule Group\", \"Create\", \"\", \"Rule Group\", \"Service\",\r\n \"delete_rule_group\", \"Delete Rule Group\", \"Delete\", \"\", \"Rule Group\", \"Service\",\r\n \"add_rule_group\", \"Add Rule Group\", \"Other\", \"Add\", \"Rule Group\", \"Service\",\r\n \"delete_rule\", \"Delete Rule\", \"Delete\", \"\", \"Rule\", \"Policy Rule\",\r\n \"update_rule\", \"Update Rule\", \"Set\", \"\", \"Rule\", \"Policy Rule\",\r\n \"create_rule\", \"Create Rule\", \"Create\", \"\", \"Rule\", \"Policy Rule\",\r\n \"disable_policy\", \"Disable Policy\", \"Disable\", \"\", \"Policy\", \"Policy Rule\",\r\n \"delete_policy\", \"Delete Policy\", \"Delete\", \"\", \"Policy\", \"Policy Rule\",\r\n \"update_priority\", \"Update Priority\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\r\n \"assign_policy\", \"Assign Policy\", \"Other\", \"Assign\", \"Policy\", \"Policy Rule\",\r\n \"remove_policy\", \"Remove Policy\", \"Other\", \"Remove\", 
\"Policy\", \"Policy Rule\",\r\n \"ip_rules_added\", \"IP Rules Added\", \"Create\", \"\", \"Rule\", \"Other\",\r\n \"ip_rules_removed\", \"IP Rules Removed\", \"Delete\", \"\", \"Rule\", \"Other\",\r\n \"hide_host_requested\", \"Hide Host Requested\", \"Delete\", \"\", \"Host\", \"Other\",\r\n \"mobile_hide_host_requested\", \"Mobile Hide Host Requested\", \"Delete\", \"\", \"Mobile Host\", \"Other\",\r\n \"CreateAPIClient\", \"Create API Client\", \"Create\", \"\", \"API Client\", \"Service\",\r\n \"UpdateAPIClient\", \"Update API Client\", \"Set\", \"\", \"API Client\", \"Service\"\r\n];\r\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\r\n [\r\n \"0\", \"Informational\",\r\n \"1\", \"Informational\",\r\n \"2\", \"Low\",\r\n \"3\", \"Medium\",\r\n \"4\", \"High\",\r\n \"5\", \"High\"\r\n];\r\nlet UserAuditActivities = dynamic([\"delete_report_execution\", \"delete_scheduled_report\", \"update_scheduled_report\", \"create_scheduled_report\", \"update_class_action\", \"update_policy\", \"enable_policy\", \"create_policy\", \"remove_rule_group\", \"create_rule_group\", \"delete_rule_group\", \"add_rule_group\", \"delete_rule\", \"update_rule\", \"create_rule\", \"disable_policy\", \"delete_policy\", \"update_priority\", \"assign_policy\", \"remove_policy\", \"ip_rules_added\", \"ip_rules_removed\", \"hide_host_requested\", \"mobile_hide_host_requested\"]);\r\nlet AuthAuditActivities = dynamic([\"CreateAPIClient\", \"UpdateAPIClient\"]);\r\nlet parser = (disabled: bool=false) {\r\n CommonSecurityLog\r\n | where not(disabled)\r\n | where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\r\n | where (DeviceEventClassID == \"UserActivityAuditEvent\" and Activity in (UserAuditActivities)) or (DeviceEventCategory == \"AuthActivityAuditEvent\" and Activity in (AuthAuditActivities))\r\n | lookup EventFieldsLookup on Activity\r\n | lookup EventSeverityLookup on LogSeverity\r\n | extend\r\n EventType = 
EventType_lookup,\r\n EventStartTime = case(\r\n DeviceEventClassID == \"UserActivityAuditEvent\",\r\n unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\r\n DeviceEventCategory == \"AuthActivityAuditEvent\",\r\n todatetime(DeviceCustomDate1),\r\n datetime(null)\r\n ),\r\n EventOriginalType = case(\r\n DeviceEventClassID == \"UserActivityAuditEvent\",\r\n DeviceEventClassID,\r\n DeviceEventCategory == \"AuthActivityAuditEvent\",\r\n DeviceEventCategory,\r\n \"\"\r\n ),\r\n EventResult = iff(EventOutcome == \"false\", \"Failure\", \"Success\"),\r\n EventSchema = \"AuditEvent\",\r\n EventSchemaVersion = \"0.1\",\r\n EventCount = int(1),\r\n DvcAction = \"Allowed\",\r\n EventProduct = \"FalconHost\",\r\n EventVendor = \"CrowdStrike\"\r\n | project-rename\r\n ActorUsername = DestinationUserName,\r\n EventUid = _ItemId,\r\n DvcIpAddr = DestinationTranslatedAddress,\r\n EventOriginalSeverity = LogSeverity,\r\n EventProductVersion = DeviceVersion,\r\n TargetAppName = ProcessName,\r\n EventOriginalResultDetails = EventOutcome,\r\n EventOriginalSubType = Activity\r\n | extend\r\n EventEndTime = EventStartTime,\r\n Application = TargetAppName,\r\n TargetIpAddr = DvcIpAddr,\r\n User = ActorUsername,\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\r\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\")\r\n | extend\r\n Dvc = coalesce(DvcIpAddr, EventProduct),\r\n Dst = TargetIpAddr\r\n | project-away \r\n Source*,\r\n Destination*,\r\n Device*,\r\n AdditionalExtensions,\r\n CommunicationDirection,\r\n Computer,\r\n EndTime,\r\n FieldDevice*,\r\n Flex*,\r\n File*,\r\n Old*,\r\n MaliciousIP*,\r\n OriginalLogSeverity,\r\n Process*,\r\n Protocol,\r\n ReceivedBytes,\r\n SentBytes,\r\n Remote*,\r\n Request*,\r\n SimplifiedDeviceAction,\r\n StartTime,\r\n TenantId,\r\n Threat*,\r\n ExternalID,\r\n ReportReferenceLink,\r\n ReceiptTime,\r\n Reason,\r\n ApplicationProtocol,\r\n _ResourceId,\r\n 
ExtID,\r\n Message,\r\n IndicatorThreatType,\r\n EventType_*\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for CrowdStrike Falcon Endpoint Protection.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"e61fa185-7fbc-5367-a10c-45e05f1c7eee","name":"_ASim_AuditEvent_IllumioSaaSCoreV02","body":"let EventTypeLookup = datatable(\r\n event_type: string, // what Illumio sends\r\n Operation: string,\r\n ObjectType:string, // an enumerated list [ Configuration Atom, Policy Rule, Cloud Resource, Other],\r\n Object:string,\r\n EventType: string, // an enumerated list [ Set, Read, Create, Delete, Execute, Install, Clear, Enable, Disable, Other ] event type\r\n)\r\n[\r\n 'access_restriction.create', 'Access restriction created', 'Cloud Resource', 'Access_restriction', 'Create',\r\n 'access_restriction.delete', 'Access restriction deleted', 'Cloud Resource', 'Access_restriction', 'Delete',\r\n 'access_restriction.update', 'Access restriction updated', 'Cloud Resource', 'Access_restriction', 'Set',\r\n 'agent.activate', 'Agent paired', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent.activate_clone', 'Agent clone activated', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent.clone_detected', 'Agent clone detected', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent.deactivate', 'Agent unpaired', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent.generate_maintenance_token', 'Generate maintenance token for any agent', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent.goodbye', 'Agent disconnected', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent.machine_identifier', 'Agent machine identifiers updated', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent.refresh_token', 'Agent refreshed token', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent.refresh_policy', 'Success or failure to apply policy on VEN', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent.request_upgrade', 'VEN 
upgrade request sent', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent.service_not_available', 'Agent reported a service not running', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent.suspend', 'Agent suspended', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent.tampering', 'Agent firewall tampered', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent.unsuspend', 'Agent unsuspended', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent.update', 'Agent properties updated.', 'Cloud Resource', 'Agent', 'Set',\r\n 'agent.update_interactive_users', 'Agent interactive users updated', 'Cloud Resource', 'Agent', 'Set',\r\n 'agent.update_iptables_href', 'Agent updated existing iptables href', 'Cloud Resource', 'Agent', 'Set',\r\n 'agent.update_running_containers', 'Agent updated existing containers', 'Cloud Resource', 'Agent', 'Set',\r\n 'agent.upload_existing_ip_table_rules', 'Agent existing IP tables uploaded', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent.upload_support_report', 'Agent support report uploaded', 'Cloud Resource', 'Agent', 'Other',\r\n 'agent_support_report_request.create', 'Agent support report request created', 'Cloud Resource', 'Agent_support_report_request', 'Create',\r\n 'agent_support_report_request.delete', 'Agent support report request deleted', 'Cloud Resource', 'Agent_support_report_request', 'Delete',\r\n 'agents.clear_conditions', 'Condition cleared from a list of VENs', 'Cloud Resource', 'Agents', 'Other',\r\n 'agents.unpair', 'Multiple agents unpaired', 'Cloud Resource', 'Agents', 'Other',\r\n 'api_key.create', 'API key created', 'Cloud Resource', 'Api_key', 'Create',\r\n 'api_key.delete', 'API key deleted', 'Cloud Resource', 'Api_key', 'Delete',\r\n 'api_key.update', 'API key updated', 'Cloud Resource', 'Api_key', 'Set',\r\n 'auth_security_principal.create', 'RBAC auth security principal created', 'Cloud Resource', 'Auth_security_principal', 'Create',\r\n 'auth_security_principal.delete', 'RBAC auth security principal deleted', 'Cloud Resource', 
'Auth_security_principal', 'Delete',\r\n 'auth_security_principal.update', 'RBAC auth security principal updated', 'Cloud Resource', 'Auth_security_principal', 'Set',\r\n 'authentication_settings.update', 'Authentication settings updated', 'Other', 'Authentication_settings', 'Set',\r\n 'cluster.create', 'PCE cluster created', 'Cloud Resource', 'Cluster', 'Create',\r\n 'cluster.delete', 'PCE cluster deleted', 'Cloud Resource', 'Cluster', 'Delete',\r\n 'cluster.update', 'PCE cluster updated', 'Cloud Resource', 'Cluster', 'Set',\r\n 'container_workload.update', 'Container workload updated', 'Cloud Resource', 'Container_workload', 'Set',\r\n 'container_cluster.create', 'Container cluster created', 'Cloud Resource', 'Container_cluster', 'Create',\r\n 'container_cluster.delete', 'Container cluster deleted', 'Cloud Resource', 'Container_cluster', 'Delete',\r\n 'container_cluster.update', 'Container cluster updated', 'Cloud Resource', 'Container_cluster', 'Set',\r\n 'container_cluster.update_label_map', 'Container cluster label mappings updated all at once', 'Cloud Resource', 'Container_cluster', 'Set',\r\n 'container_cluster.update_services', 'Container cluster services updated, created, or deleted by Kubelink', 'Cloud Resource', 'Container_cluster', 'Set',\r\n 'container_workload_profile.create', 'Container workload profile created', 'Cloud Resource', 'Container_workload_profile', 'Create',\r\n 'container_workload_profile.delete', 'Container workload profile deleted', 'Cloud Resource', 'Container_workload_profile', 'Delete',\r\n 'container_workload_profile.update', 'Container workload profile updated', 'Cloud Resource', 'Container_workload_profile', 'Set',\r\n 'database.temp_table_autocleanup_started', 'DB temp table cleanup started', 'Other', 'Database', 'Other',\r\n 'database.temp_table_autocleanup_completed', 'DB temp table cleanup completed', 'Other', 'Database', 'Other',\r\n 'domain.create', 'Domain created', 'Other', 'Domain', 'Create',\r\n 'domain.delete', 'Domain 
deleted', 'Other', 'Domain', 'Delete',\r\n 'domain.update', 'Domain updated', 'Other', 'Domain', 'Set',\r\n 'enforcement_boundary.create', 'Enforcement boundary created', 'Cloud Resource', 'Enforcement_boundary', 'Create',\r\n 'enforcement_boundary.delete', 'Enforcement boundary deleted', 'Cloud Resource', 'Enforcement_boundary', 'Delete',\r\n 'enforcement_boundary.update', 'Enforcement boundary updated', 'Cloud Resource', 'Enforcement_boundary', 'Set',\r\n 'event_settings.update', 'Event settings updated', 'Other', 'Event_settings', 'Set',\r\n 'firewall_settings.update', 'Global policy settings updated', 'Other', 'Firewall_settings', 'Set',\r\n 'group.create', 'Group created', 'Other', 'Group', 'Create',\r\n 'group.update', 'Group updated', 'Other', 'Group', 'Set',\r\n 'ip_list.create', 'IP list created', 'Cloud Resource', 'Ip_list', 'Create',\r\n 'ip_list.delete', 'IP list deleted', 'Cloud Resource', 'Ip_list', 'Delete',\r\n 'ip_list.update', 'IP list updated', 'Cloud Resource', 'Ip_list', 'Set',\r\n 'ip_lists.delete', 'IP lists deleted', 'Cloud Resource', 'Ip_lists', 'Delete',\r\n 'ip_tables_rule.create', 'IP tables rules created', 'Cloud Resource', 'Ip_tables_rule', 'Create',\r\n 'ip_tables_rule.delete', 'IP tables rules deleted', 'Cloud Resource', 'Ip_tables_rule', 'Delete',\r\n 'ip_tables_rule.update', 'IP tables rules updated', 'Cloud Resource', 'Ip_tables_rule', 'Set',\r\n 'job.delete', 'Job deleted', 'Other', 'Job', 'Delete',\r\n 'label.create', 'Label created', 'Cloud Resource', 'Label', 'Create',\r\n 'label.delete', 'Label deleted', 'Cloud Resource', 'Label', 'Delete',\r\n 'label.update', 'Label updated', 'Cloud Resource', 'Label', 'Set',\r\n 'label_group.create', 'Label group created', 'Cloud Resource', 'Label_group', 'Create',\r\n 'label_group.delete', 'Label group deleted', 'Cloud Resource', 'Label_group', 'Delete',\r\n 'label_group.update', 'Label group updated', 'Cloud Resource', 'Label_group', 'Set',\r\n 'labels.delete', 'Labels deleted', 'Cloud 
Resource', 'Labels', 'Delete',\r\n 'ldap_config.create', 'LDAP configuration created', 'Other', 'Ldap_config', 'Create',\r\n 'ldap_config.delete', 'LDAP configuration deleted', 'Other', 'Ldap_config', 'Delete',\r\n 'ldap_config.update', 'LDAP configuration updated', 'Other', 'Ldap_config', 'Set',\r\n 'ldap_config.verify_connection', 'LDAP server connection verified', 'Other', 'Ldap_config', 'Other',\r\n 'license.delete', 'License deleted', 'Other', 'License', 'Delete',\r\n 'license.update', 'License updated', 'Other', 'License', 'Set',\r\n 'login_proxy_ldap_config.create', 'Interservice call to login service to create LDAP config', 'Other', 'Login_proxy_ldap_config', 'Create',\r\n 'login_proxy_ldap_config.delete', 'Interservice call to login service to delete LDAP config', 'Other', 'Login_proxy_ldap_config', 'Delete',\r\n 'login_proxy_ldap_config.update', 'Interservice call to login service to update LDAP config', 'Other', 'Login_proxy_ldap_config', 'Set',\r\n 'login_proxy_ldap_config.verify_connection', 'Interservice call to login service to verify connection to the LDAP server', 'Other', 'Login_proxy_ldap_config', 'Other',\r\n 'login_proxy_msp_tenants.create', 'New MSP tenant created', 'Other', 'Login_proxy_msp_tenants', 'Create',\r\n 'login_proxy_msp_tenants.delete', 'MSP tenant deleted', 'Other', 'Login_proxy_msp_tenants', 'Delete',\r\n 'login_proxy_msp_tenants.update', 'MSP tenant updated', 'Other', 'Login_proxy_msp_tenants', 'Set',\r\n 'login_proxy_orgs.create', 'New managed organization created', 'Other', 'Login_proxy_orgs', 'Create',\r\n 'login_proxy_orgs.delete', 'Managed organization deleted', 'Other', 'Login_proxy_orgs', 'Delete',\r\n 'login_proxy_orgs.update', 'Managed organization updated', 'Other', 'Login_proxy_orgs', 'Set',\r\n 'lost_agent.found', 'Lost agent found', 'Cloud Resource', 'Lost_agent', 'Other',\r\n 'network.create', 'Network created', 'Cloud Resource', 'Network', 'Create',\r\n 'network.delete', 'Network deleted', 'Cloud Resource', 
'Network', 'Delete',\r\n 'network.update', 'Network updated', 'Cloud Resource', 'Network', 'Set',\r\n 'network_device.ack_enforcement_instructions_applied', 'Enforcement instruction applied to a network device', 'Cloud Resource', 'Network_device', 'Other',\r\n 'network_device.assign_workload', 'Existing or new unmanaged workload assigned to a network device', 'Cloud Resource', 'Network_device', 'Other',\r\n 'network_device.create', 'Network device created', 'Cloud Resource', 'Network_device', 'Create',\r\n 'network_device.delete', 'Network device deleted', 'Cloud Resource', 'Network_device', 'Delete',\r\n 'network_device.update', 'Network device updated', 'Cloud Resource', 'Network_device', 'Set',\r\n 'network_devices.ack_multi_enforcement_instructions_applied', 'Enforcement instructions applied to multiple network devices', 'Cloud Resource', 'Network_devices', 'Other',\r\n 'network_endpoint.create', 'Network endpoint created', 'Cloud Resource', 'Network_endpoint', 'Create',\r\n 'network_endpoint.delete', 'Network endpoint deleted', 'Cloud Resource', 'Network_endpoint', 'Delete',\r\n 'network_endpoint.update', 'Network endpoint updated', 'Cloud Resource', 'Network_endpoint', 'Set',\r\n 'network_enforcement_node.activate', 'Network enforcement node activated', 'Cloud Resource', 'Network_enforcement_node', 'Other',\r\n 'network_enforcement_node.clear_conditions', 'Network enforcement node conditions cleared', 'Cloud Resource', 'Network_enforcement_node', 'Other',\r\n 'network_enforcement_node.deactivate', 'Network enforcement node deactivated', 'Cloud Resource', 'Network_enforcement_node', 'Other',\r\n 'network_enforcement_node.degraded', 'Network enforcement node failed or primary lost connectivity to secondary', 'Cloud Resource', 'Network_enforcement_node', 'Other',\r\n 'network_enforcement_node.missed_heartbeats', 'Network enforcement node did not heartbeat for more than 15 minutes', 'Cloud Resource', 'Network_enforcement_node', 'Other',\r\n 
'network_enforcement_node.missed_heartbeats_check', 'Network enforcement node missed heartbeats check', 'Cloud Resource', 'Network_enforcement_node', 'Other',\r\n 'network_enforcement_node.network_devices_network_endpoints_workloads', 'Workload added to network endpoint', 'Cloud Resource', 'Network_enforcement_node', 'Other',\r\n 'network_enforcement_node.policy_ack', 'Network enforcement node acknowledgment of policy', 'Cloud Resource', 'Network_enforcement_node', 'Other',\r\n 'network_enforcement_node.request_policy', 'Network enforcement node policy requested', 'Cloud Resource', 'Network_enforcement_node', 'Other',\r\n 'network_enforcement_node.update_status', 'Network enforcement node reports when switches are not reachable', 'Cloud Resource', 'Network_enforcement_node', 'Set',\r\n 'network_enforcement_nodes.clear_conditions', 'A condition was cleared from a list of network enforcement nodes', 'Cloud Resource', 'Network_enforcement_nodes', 'Other',\r\n 'nfc.activate', 'Network function controller created', 'Other', 'Nfc', 'Other',\r\n 'nfc.delete', 'Network function controller deleted', 'Other', 'Nfc', 'Delete',\r\n 'nfc.update_discovered_virtual_servers', 'Network function controller virtual servers discovered', 'Cloud Resource', 'Nfc', 'Set',\r\n 'nfc.update_policy_status', 'Network function controller policy status', 'Other', 'Nfc', 'Set',\r\n 'nfc.update_slb_state', 'Network function controller SLB state updated', 'Other', 'Nfc', 'Set',\r\n 'org.create', 'Organization created', 'Other', 'Org', 'Create',\r\n 'org.recalc_rules', 'Rules for organization recalculated', 'Other', 'Org', 'Other',\r\n 'org.update', 'Organization information updated', 'Other', 'Org', 'Set',\r\n 'pairing_profile.create', 'Pairing profile created', 'Cloud Resource', 'Pairing_profile', 'Create',\r\n 'pairing_profile.create_pairing_key', 'Pairing profile pairing key created', 'Cloud Resource', 'Pairing_profile', 'Create',\r\n 'pairing_profile.delete', 'Pairing profile deleted', 'Cloud 
Resource', 'Pairing_profile', 'Delete',\r\n 'pairing_profile.update', 'Pairing profile updated', 'Cloud Resource', 'Pairing_profile', 'Set',\r\n 'pairing_profile.delete_all_pairing_keys', 'Pairing keys deleted from pairing profile', 'Cloud Resource', 'Pairing_profile', 'Delete',\r\n 'pairing_profiles.delete', 'Pairing profiles deleted', 'Cloud Resource', 'Pairing_profiles', 'Delete',\r\n 'password_policy.create', 'Password policy created', 'Cloud Resource', 'Password_policy', 'Create',\r\n 'password_policy.delete', 'Password policy deleted', 'Cloud Resource', 'Password_policy', 'Delete',\r\n 'password_policy.update', 'Password policy updated', 'Cloud Resource', 'Password_policy', 'Set',\r\n 'permission.create', 'RBAC permission created', 'Cloud Resource', 'Permission', 'Create',\r\n 'permission.delete', 'RBAC permission deleted', 'Cloud Resource', 'Permission', 'Delete',\r\n 'permission.update', 'RBAC permission updated', 'Cloud Resource', 'Permission', 'Set',\r\n 'radius_config.create', 'Create domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Create',\r\n 'radius_config.delete', 'Delete domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Delete',\r\n 'radius_config.update', 'Update domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Set',\r\n 'radius_config.verify_shared_secret', 'Verify RADIUS shared secret', 'Cloud Resource', 'Radius_config', 'Other',\r\n 'request.authentication_failed', 'API request authentication failed', 'Other', 'Request', 'Other',\r\n 'request.authorization_failed', 'API request authorization failed', 'Other', 'Request', 'Other',\r\n 'request.internal_server_error', 'API request failed due to internal server error', 'Other', 'Request', 'Other',\r\n 'request.service_unavailable', 'API request failed due to unavailable service', 'Other', 'Request', 'Other',\r\n 'request.unknown_server_error', 'API request failed due to unknown server error', 'Other', 'Request', 'Other',\r\n 'resource.create', 
'Login resource created', 'Other', 'Resource', 'Create',\r\n 'resource.delete', 'Login resource deleted', 'Other', 'Resource', 'Delete',\r\n 'resource.update', 'Login resource updated', 'Other', 'Resource', 'Set',\r\n 'rule_set.create', 'Rule set created', 'Policy Rule', 'Rule_set', 'Create',\r\n 'rule_set.delete', 'Rule set deleted', 'Policy Rule', 'Rule_set', 'Delete',\r\n 'rule_set.update', 'Rule set updated', 'Policy Rule', 'Rule_set', 'Set',\r\n 'rule_sets.delete', 'Rule sets deleted', 'Policy Rule', 'Rule_sets', 'Delete',\r\n 'saml_acs.update', 'SAML assertion consumer services updated', 'Other', 'Saml_acs', 'Set',\r\n 'saml_config.create', 'SAML configuration created', 'Cloud Resource', 'Saml_config', 'Create',\r\n 'saml_config.delete', 'SAML configuration deleted', 'Cloud Resource', 'Saml_config', 'Delete',\r\n 'saml_config.pce_signing_cert', 'Generate a new cert for signing SAML AuthN requests', 'Cloud Resource', 'Saml_config', 'Other',\r\n 'saml_config.update', 'SAML configuration updated', 'Cloud Resource', 'Saml_config', 'Set',\r\n 'saml_sp_config.create', 'SAML Service Provider created', 'Cloud Resource', 'Saml_sp_config', 'Create',\r\n 'saml_sp_config.delete', 'SAML Service Provider deleted', 'Cloud Resource', 'Saml_sp_config', 'Delete',\r\n 'saml_sp_config.update', 'SAML Service Provider updated', 'Cloud Resource', 'Saml_sp_config', 'Set',\r\n 'sec_policy.create', 'Security policy created', 'Other', 'Sec_policy', 'Create',\r\n 'sec_policy_pending.delete', 'Pending security policy deleted', 'Other', 'Sec_policy_pending', 'Delete',\r\n 'sec_policy.restore', 'Security policy restored', 'Other', 'Sec_policy', 'Other',\r\n 'sec_rule.create', 'Security policy rules created', 'Policy Rule', 'Sec_rule', 'Create',\r\n 'sec_rule.delete', 'Security policy rules deleted', 'Policy Rule', 'Sec_rule', 'Delete',\r\n 'sec_rule.update', 'Security policy rules updated', 'Policy Rule', 'Sec_rule', 'Set',\r\n 'secure_connect_gateway.create', 'SecureConnect gateway 
created', 'Other', 'Secure_connect_gateway', 'Create',\r\n 'secure_connect_gateway.delete', 'SecureConnect gateway deleted', 'Other', 'Secure_connect_gateway', 'Delete',\r\n 'secure_connect_gateway.update', 'SecureConnect gateway updated', 'Other', 'Secure_connect_gateway', 'Set',\r\n 'security_principal.create', 'RBAC security principal created', 'Other', 'Security_principal', 'Create',\r\n 'security_principal.delete', 'RBAC security principal bulk deleted', 'Other', 'Security_principal', 'Delete',\r\n 'security_principal.update', 'RBAC security principal bulk updated', 'Other', 'Security_principal', 'Set',\r\n 'security_principals.bulk_create', 'RBAC security principals bulk created', 'Other', 'Security_principals', 'Other',\r\n 'service.create', 'Service created', 'Other', 'Service', 'Create',\r\n 'service.delete', 'Service deleted', 'Other', 'Service', 'Delete',\r\n 'service.update', 'Service updated', 'Other', 'Service', 'Set',\r\n 'service_account.create', 'Service account created', 'Other', 'Service_account', 'Create',\r\n 'service_account.delete', 'Service account deleted', 'Other', 'Service_account', 'Delete',\r\n 'service_account.update', 'Service account updated', 'Other', 'Service_account', 'Set',\r\n 'service_binding.create', 'Service binding created', 'Other', 'Service_binding', 'Create',\r\n 'service_binding.delete', 'Service binding deleted', 'Other', 'Service_binding', 'Delete',\r\n 'service_bindings.delete', 'Service bindings deleted', 'Other', 'Service_bindings', 'Delete',\r\n 'services.delete', 'Services deleted', 'Other', 'Services', 'Delete',\r\n 'settings.update', 'Explorer settings updated', 'Other', 'Settings', 'Set',\r\n 'slb.create', 'Server load balancer created', 'Other', 'Slb', 'Create',\r\n 'slb.delete', 'Server load balancer deleted', 'Other', 'Slb', 'Delete',\r\n 'slb.update', 'Server load balancer updated', 'Other', 'Slb', 'Set',\r\n 
'support_report.upload', 'Support report uploaded', 'Other', 'Support_report', 'Other',\r\n 'syslog_destination.create', 'syslog remote destination created', 'Other', 'Syslog_destination', 'Create',\r\n 'syslog_destination.delete', 'syslog remote destination deleted', 'Other', 'Syslog_destination', 'Delete',\r\n 'syslog_destination.update', 'syslog remote destination updated', 'Other', 'Syslog_destination', 'Set',\r\n 'system_task.agent_missed_heartbeats_check', 'Agent missed heartbeats', 'Cloud Resource', 'System_task', 'Other',\r\n 'system_task.agent_missing_heartbeats_after_upgrade', 'VEN missing heartbeat after upgrade', 'Cloud Resource', 'System_task', 'Other',\r\n 'system_task.agent_offline_check', 'Agents marked offline', 'Cloud Resource', 'System_task', 'Other',\r\n 'system_task.agent_self_signed_certs_check', 'VEN self signed certificate housekeeping check', 'Cloud Resource', 'System_task', 'Other',\r\n 'system_task.agent_settings_invalidation_error_state_check', 'VEN settings invalidation error state check', 'Cloud Resource', 'System_task', 'Other',\r\n 'system_task.agent_uninstall_timeout', 'VEN uninstall timeout', 'Cloud Resource', 'System_task', 'Other',\r\n 'system_task.clear_auth_recover_condition', 'Clear VEN authentication recovery condition', 'Other', 'System_task', 'Other',\r\n 'system_task.compute_policy_for_unmanaged_workloads', 'Compute policy for unmanaged workloads', 'Cloud Resource', 'System_task', 'Other',\r\n 'system_task.delete_expired_service_account_api_keys', 'An expired service account api_key was successfully deleted', 'Cloud Resource', 'System_task', 'Delete',\r\n 'system_task.delete_old_cached_perspectives', 'Delete old cached perspectives', 'Other', 'System_task', 'Delete',\r\n 'system_task.endpoint_offline_check', 'Endpoint marked offline', 'Other', 'System_task', 'Other',\r\n 'system_task.provision_container_cluster_services', 'Container cluster services provisioned', 'Cloud Resource', 'System_task', 'Other',\r\n 
'system_task.prune_old_log_events', 'Event pruning completed', 'Other', 'System_task', 'Other',\r\n 'system_task.remove_stale_zone_subsets', 'Stale zone subnets removed', 'Other', 'System_task', 'Other',\r\n 'system_task.set_server_sync_check', 'Set server synced', 'Other', 'System_task', 'Other',\r\n 'system_task.vacuum_deactivated_agent_and_deleted_workloads', 'Deactivated and deleted workloads have been vacuumed', 'Cloud Resource', 'System_task', 'Other',\r\n 'traffic_collector_setting.create', 'Traffic collector setting created', 'Other', 'Traffic_collector_setting', 'Create',\r\n 'traffic_collector_setting.delete', 'Traffic collector setting deleted', 'Other', 'Traffic_collector_setting', 'Delete',\r\n 'traffic_collector_setting.update', 'Traffic collector setting updated', 'Other', 'Traffic_collector_setting', 'Set',\r\n 'trusted_proxy_ips.update', 'Trusted proxy IPs created or updated', 'Other', 'Trusted_proxy_ips', 'Set',\r\n 'user.accept_invitation', 'User invitation accepted', 'Cloud Resource', 'User', 'Other',\r\n 'user.authenticate', 'User authenticated', 'Cloud Resource', 'User', 'Other',\r\n 'user.create', 'User created', 'Cloud Resource', 'User', 'Create',\r\n 'user.delete', 'User deleted', 'Cloud Resource', 'User', 'Delete',\r\n 'user.invite', 'User invited', 'Cloud Resource', 'User', 'Other',\r\n 'user.update', 'User information updated', 'Cloud Resource', 'User', 'Set', \r\n 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',\r\n 'user.pce_session_terminated', 'User session terminated', 'Cloud Resource', 'User', 'Other',\r\n 'user.login_session_terminated', 'User login session terminated', 'Cloud Resource', 'User', 'Other',\r\n 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',\r\n 'user.update', 'User information updated', 'Cloud Resource', 'User', 'Set',\r\n 'user.update_password', 'User password updated', 'Cloud Resource', 'User', 'Set',\r\n 'user.use_expired_password', 'User entered 
expired password', 'Cloud Resource', 'User', 'Other',\r\n 'user.verify_mfa', 'User verified MFA', 'Cloud Resource', 'User', 'Other',\r\n 'users.auth_token', 'Auth token returned for user authentication on PCE', 'Other', 'Users', 'Other',\r\n 'user_local_profile.create', 'User local profile created', 'Other', 'User_local_profile', 'Create',\r\n 'user_local_profile.delete', 'User local profile deleted', 'Other', 'User_local_profile', 'Delete',\r\n 'user_local_profile.reinvite', 'User local profile reinvited', 'Other', 'User_local_profile', 'Other',\r\n 'user_local_profile.update_password', 'User local password updated', 'Other', 'User_local_profile', 'Set',\r\n 'ven_settings.update', 'VEN settings updated', 'Other', 'Ven_settings', 'Set',\r\n 'ven_software.upgrade', 'VEN software release upgraded', 'Other', 'Ven_software', 'Set',\r\n 'ven_software_release.create', 'VEN software release created', 'Other', 'Ven_software_release', 'Create',\r\n 'ven_software_release.delete', 'VEN software release deleted', 'Other', 'Ven_software_release', 'Delete',\r\n 'ven_software_release.deploy', 'VEN software release deployed', 'Other', 'Ven_software_release', 'Other',\r\n 'ven_software_release.update', 'VEN software release updated', 'Other', 'Ven_software_release', 'Set',\r\n 'ven_software_releases.set_default_version', 'Default VEN software version set', 'Other', 'Ven_software_releases', 'Other',\r\n 'virtual_server.create', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Create',\r\n 'virtual_server.delete', 'Virtual server deleted', 'Cloud Resource', 'Virtual_server', 'Delete',\r\n 'virtual_server.update', 'Virtual server updated', 'Cloud Resource', 'Virtual_server', 'Set',\r\n 'virtual_service.create', 'Virtual service created', 'Cloud Resource', 'Virtual_service', 'Create',\r\n 'virtual_service.delete', 'Virtual service deleted', 'Cloud Resource', 'Virtual_service', 'Delete',\r\n 'virtual_service.update', 'Virtual service updated', 'Cloud Resource', 
'Virtual_service', 'Set',\r\n 'virtual_services.bulk_create', 'Virtual services created in bulk', 'Cloud Resource', 'Virtual_services', 'Other',\r\n 'virtual_services.bulk_update', 'Virtual services updated in bulk', 'Cloud Resource', 'Virtual_services', 'Other',\r\n 'vulnerability.create', 'Vulnerability record created', 'Other', 'Vulnerability', 'Create',\r\n 'vulnerability.delete', 'Vulnerability record deleted', 'Other', 'Vulnerability', 'Delete',\r\n 'vulnerability.update', 'Vulnerability record updated', 'Other', 'Vulnerability', 'Set',\r\n 'vulnerability_report.delete', 'Vulnerability report deleted', 'Other', 'Vulnerability_report', 'Delete',\r\n 'vulnerability_report.update', 'Vulnerability report updated', 'Other', 'Vulnerability_report', 'Set',\r\n 'workload.create', 'Workload created', 'Cloud Resource', 'Workload', 'Create',\r\n 'workload.delete', 'Workload deleted', 'Cloud Resource', 'Workload', 'Delete',\r\n 'workload.online', 'Workload online', 'Cloud Resource', 'Workload', 'Other',\r\n 'workload.recalc_rules', 'Workload policy recalculated', 'Cloud Resource', 'Workload', 'Other',\r\n 'workload.redetect_network', 'Workload network redetected', 'Cloud Resource', 'Workload', 'Other',\r\n 'workload.undelete', 'Workload undeleted', 'Cloud Resource', 'Workload', 'Other',\r\n 'workload.update', 'Workload settings updated', 'Cloud Resource', 'Workload', 'Set',\r\n 'workload.upgrade', 'Workload upgraded', 'Cloud Resource', 'Workload', 'Set',\r\n 'workload_interface.create', 'Workload interface created', 'Cloud Resource', 'Workload_interface', 'Create',\r\n 'workload_interface.delete', 'Workload interface deleted', 'Cloud Resource', 'Workload_interface', 'Delete',\r\n 'workload_interface.update', 'Workload interface updated', 'Cloud Resource', 'Workload_interface', 'Set',\r\n 'workload_interfaces.update', 'Workload interfaces updated', 'Cloud Resource', 'Workload_interfaces', 'Set',\r\n '', 'For example, IP address changes, new interface added, and interface 
shut down.', 'Other', '', 'Other',\r\n 'workload_service_report.update', 'Workload service report updated', 'Cloud Resource', 'Workload_service_report', 'Set',\r\n 'workload_settings.update', 'Workload settings updated', 'Cloud Resource', 'Workload_settings', 'Set',\r\n 'workloads.apply_policy', 'Workloads policies applied', 'Cloud Resource', 'Workloads', 'Other',\r\n 'workloads.bulk_create', 'Workloads created in bulk', 'Cloud Resource', 'Workloads', 'Other',\r\n 'workloads.bulk_delete', 'Workloads deleted in bulk', 'Cloud Resource', 'Workloads', 'Other',\r\n 'workloads.bulk_update', 'Workloads updated in bulk', 'Cloud Resource', 'Workloads', 'Other',\r\n 'workloads.remove_labels', 'Workloads labels removed', 'Cloud Resource', 'Workloads', 'Other',\r\n 'workloads.set_flow_reporting_frequency', 'Workload flow reporting frequency changed', 'Cloud Resource', 'Workloads', 'Other',\r\n 'workloads.set_labels', 'Workload labels applied', 'Cloud Resource', 'Workloads', 'Other',\r\n 'workloads.unpair', 'Workloads unpaired', 'Cloud Resource', 'Workloads', 'Other',\r\n 'workloads.update', 'Workloads updated', 'Cloud Resource', 'Workloads', 'Set'\r\n];\r\nlet EventSeverityLookup = datatable(\r\n severity: string,\r\n EventSeverity: string\r\n)\r\n [\r\n \"err\", \"High\",\r\n \"info\", \"Informational\",\r\n \"warning\", \"Medium\"\r\n];\r\nlet EventResultLookup = datatable(\r\n status: string,\r\n EventResult: string\r\n)\r\n [\r\n \"success\", \"Success\",\r\n \"failure\", \"Failure\",\r\n \"\", \"NA\"\r\n];\r\nlet parser = (disabled: bool = false) {\r\n Illumio_Auditable_Events_CL\r\n | where not(disabled) and event_type !startswith \"user\" // excludes user authentication events (user.*); note this prefix match also drops users.auth_token and every user_local_profile.* event even though EventTypeLookup above maps them\r\n | lookup EventTypeLookup on event_type // fetch Object, ObjectType,EventType, Operation from lookup\r\n | lookup EventSeverityLookup on severity // fetch EventSeverity from lookup\r\n | lookup EventResultLookup on status // fetch EventResult from lookup\r\n | extend\r\n ActorUsername = case(\r\n 
isnotnull(created_by.system), \"System\",\r\n isnotnull(created_by.user), created_by.user.username,\r\n isnotnull(created_by.agent), created_by.agent.hostname,\r\n \"Unknown\"\r\n )\r\n | extend ActorUsernameType = \"Simple\",\r\n temp_resource_changes = parse_json(resource_changes), \r\n temp_notifications = parse_json(notifications)\r\n | extend\r\n NewValue = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].changes, ''),\r\n EventMessage = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].resource, ''), \r\n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip),\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime= TimeGenerated,\r\n EventProduct = 'Core',\r\n EventVendor = 'Illumio',\r\n EventSchemaVersion = '0.1.0',\r\n EventSchema = 'AuditEvent',\r\n Dvc = pce_fqdn,\r\n EventType = iff(isnull(EventType), event_type, EventType),\r\n EventOriginalUid = href,\r\n EventUid = _ItemId\r\n //aliases\r\n | extend \r\n IpAddr = SrcIpAddr,\r\n User = ActorUsername,\r\n Value = NewValue\r\n | project-away\r\n temp_*,\r\n event_type, // used by EventType\r\n severity, // used by EventSeverity\r\n resource_changes, // used by NewValue and EventMessage\r\n notifications,\r\n version, // simply drop version, no need to translate\r\n action, //used by src_ip\r\n status, // used by EventResult\r\n created_by, // used by ActorUsername and ActorType\r\n pce_fqdn, // used by Dvc\r\n href, // used by EventOriginalUid\r\n TenantId\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Illumio SaaS Core audit events.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"721cf9fc-2ce7-51fc-bf6b-da02a715fedc","name":"_ASim_AuditEvent_InfobloxBloxOneV01","body":"let EventSeverityLookup = datatable (LogSeverity:string, EventSeverity:string) [ \"0\", \"Low\", \"1\", \"Low\", \"2\", \"Low\", \"3\", 
\"Low\", \"4\", \"Medium\", \"5\", \"Medium\", \"6\", \"Medium\", \"7\", \"High\", \"8\", \"High\", \"9\", \"High\", \"10\", \"High\" ]; let OperationLookup = datatable (DeviceAction:string, Object:string, ObjectType:string) [ \"CreateSecurityPolicy\", \"Security Policy\", \"Policy Role\", \"UpdateSecurityPolicy\", \"Security Policy\", \"Policy\", \"Create\", \"Network Resource\", \"Service\", \"Update\", \"Network Resource\", \"Service\", \"Restore\", \"Infoblox Resource\", \"Service\", \"CreateOrGetDoHFQDN\", \"DOHFQDN\", \"Service\", \"CreateOrUpdateDfpService\", \"Dfp Service\", \"Service\", \"MoveToRecyclebin\", \"Recyclebin\", \"Other\", \"CreateCategoryFilter\", \"Category Filter\", \"Other\", \"GetLookalikeThreatCounts\", \"Lookalike Threat Counts\", \"Other\", \"GetLookalikeDomainCounts\", \"Lookalike Domain Counts\", \"Other\", \"CreateRoamingDeviceGroup\", \"Roaming Device Group\", \"Configuration Atom\", \"UpdatePartialRoamingDeviceGroup\", \"Partial Roaming Device Group\", \"Configuration Atom\" ]; let parser = (disabled:bool=false) { CommonSecurityLog | where not(disabled) and DeviceVendor == \"Infoblox\" and DeviceEventClassID has \"AUDIT\" | parse-kv AdditionalExtensions as (InfobloxHTTPReqBody:string, InfobloxHTTPRespBody:string) with (pair_delimiter=\";\", kv_delimiter=\"=\") | lookup EventSeverityLookup on LogSeverity | lookup OperationLookup on DeviceAction | invoke _ASIM_ResolveDvcFQDN('CollectorHostName') | project-rename EventResult = EventOutcome, Operation = DeviceAction, ActorUsername = SourceUserName, SrcIpAddr = SourceIP, EventOriginalSeverity = LogSeverity, EventMessage = Message, EventOriginalType = DeviceEventClassID, EventUid = _ItemId | extend Dvc = DvcHostname, EventEndTime = TimeGenerated, EventStartTime = TimeGenerated, EventType = case( Operation has_any (\"update\", \"upsert\"), \"Set\", Operation has \"create\", \"Create\", Operation has \"delete\", \"Delete\", \"Other\" ), Object = iff(isempty(Object), \"Infoblox Network 
Resource\", Object), ObjectType = iff(isempty(ObjectType), \"Service\", ObjectType), Src = SrcIpAddr, ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"), AdditionalFields = bag_pack( \"InfobloxHTTPReqBody\", InfobloxHTTPReqBody, \"InfobloxHTTPRespBody\", InfobloxHTTPRespBody ), User = ActorUsername, IpAddr = SrcIpAddr, ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) | extend EventCount = toint(1), EventProduct = \"BloxOne\", EventVendor = \"Infoblox\", EventSchema = \"AuditEvent\", EventSchemaVersion = \"0.1\" | project-away Source*, Destination*, Device*, AdditionalExtensions, CommunicationDirection, Protocol, SimplifiedDeviceAction, ExternalID, EndTime, FieldDevice*, Flex*, File*, Old*, MaliciousIP*, OriginalLogSeverity, Process*, ReceivedBytes, SentBytes, Remote*, Request*, StartTime, TenantId, ReportReferenceLink, ReceiptTime, Indicator*, _ResourceId, ThreatConfidence, ThreatDescription, ThreatSeverity, Computer, ApplicationProtocol, ExtID, Reason, Activity, Infoblox* }; parser(disabled=disabled)","parameters":"disabled:bool = false","description":"AuditEvent ASIM parser for Infoblox BloxOne.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"c298eab0-cb86-5053-ad52-404467af7507","name":"_ASim_AuditEvent_MicrosoftEventV02","body":"let parser = (disabled: bool = false) {\r\n // Parsed Events Ids\r\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\r\n // Eventlog Event Ids\r\n let EventlogEventIds = dynamic([1102]);\r\n // Scheduled Task Event Ids\r\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\r\n // Active Directory Replica Source Naming Context Event Ids\r\n let ActiveDirectoryReplicaIds = dynamic([4929]);\r\n // Firewall Event Ids\r\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\r\n // Service Event Ids\r\n let 
ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \r\n // Directory Service Object Ids\r\n let DirectoryServiceIds = dynamic([5136]);\r\n // Clear Audit Log Event\r\n let AuditLogClearedEventID = dynamic([1102]); \r\n // EventID Lookup\r\n let EventIDLookup = datatable(\r\n EventID: int,\r\n Operation: string,\r\n EventType: string,\r\n Object: string,\r\n ObjectType: string,\r\n EventResult: string\r\n )\r\n [ \r\n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\r\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\r\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\r\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\r\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\r\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\r\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\r\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\r\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\r\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\r\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\r\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\r\n 7036, \"Enter Stop 
State\", \"Stop\", \"Service\", \"Service\", \"Success\",\r\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\r\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\r\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\r\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\r\n ];\r\n let ParsedEvents =\r\n Event\r\n | where not(disabled)\r\n | where EventID in(ParsedEventIds)\r\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\r\n | parse-kv EventData as \r\n (\r\n SubjectUserSid: string,\r\n SubjectUserName: string,\r\n SubjectDomainName: string,\r\n SubjectLogonId: string,\r\n TaskName: string,\r\n TaskContent: string,\r\n TaskContentNew: string,\r\n ClientProcessId: string,\r\n DestinationDRA: string,\r\n SourceDRA: string,\r\n SourceAddr: string,\r\n ObjectDN: string,\r\n AttributeValue: string\r\n )\r\n with (regex=@'{?([^')\r\n | project-away EventData\r\n | lookup EventIDLookup on EventID\r\n ;\r\n // Parse EventLog\r\n let EventLog = ParsedEvents\r\n | where EventID in(EventlogEventIds)\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\r\n // Parse Scheduled Task\r\n let ScheduledTask = ParsedEvents\r\n | where EventID in(ScheduledTaskEventIds)\r\n | extend \r\n Object = TaskName,\r\n NewValue = coalesce(\r\n TaskContent,\r\n TaskContentNew\r\n )\r\n | extend \r\n Value = NewValue\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse ADR\r\n let ActiveDirectoryReplica = ParsedEvents\r\n | where EventID in(ActiveDirectoryReplicaIds)\r\n | extend \r\n NewValue = SourceDRA,\r\n OldValue = DestinationDRA,\r\n SrcFQDN = SourceAddr\r\n | extend \r\n Value = NewValue,\r\n Object = OldValue\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse WindowsFirewall\r\n let WindowsFirewall = ParsedEvents\r\n | 
where EventID in(FirewallEventIds)\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse ServiceEvent\r\n let ServiceEvent = ParsedEvents\r\n | where EventID in(ServiceEventIds)\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse DirectoryService\r\n let DirectoryService = ParsedEvents\r\n | where EventID in(DirectoryServiceIds)\r\n | extend \r\n Object = ObjectDN\r\n | project-rename \r\n NewValue = AttributeValue\r\n | extend\r\n Value = NewValue\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN\r\n ;\r\n // Union Events\r\n union\r\n EventLog,\r\n ScheduledTask,\r\n ActiveDirectoryReplica,\r\n WindowsFirewall,\r\n ServiceEvent,\r\n DirectoryService\r\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\r\n | project-rename \r\n ActorUserId = SubjectUserSid,\r\n ActorSessionId = SubjectLogonId,\r\n DvcId = _ResourceId,\r\n ActingAppId = ClientProcessId,\r\n EventUid = _ItemId\r\n | extend\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated, \r\n EventEndTime= TimeGenerated,\r\n EventProduct = 'Security Events',\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.1.0',\r\n EventSchema = 'AuditEvent',\r\n EventOriginalType = tostring(EventID),\r\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\r\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\r\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\r\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\r\n ActingAppType = \"Process\"\r\n | extend\r\n User = ActorUsername,\r\n Dvc = DvcFQDN\r\n | project-away Subject*, EventID, Computer\r\n };\r\n parser (disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Microsoft Windows Events audit 
events.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"f1022015-c977-5720-9d94-b64c4a5d5636","name":"_ASim_AuditEvent_MicrosoftExchangeAdmin365V01","body":"let usertypes=datatable (ActorOriginalUserType:string, ActorUserType:string)\r\n[\r\n // Regular, Regular\r\n \"Admin\", \"Admin\"\r\n , \"DcAdmin\", \"Admin\"\r\n , \"System\", \"System\"\r\n , \"Application\", \"Application\"\r\n , \"ServicePrincipal\", \"Service Principal\"\r\n , \"CustomPolicy\", \"Other\"\r\n , \"SystemPolicy\", \"Other\"\r\n , \"Reserved\", \"Other\"\r\n];\r\nlet eventtypes=datatable (op:string, EventType:string)\r\n[\r\n \"Remove\", \"Delete\",\r\n \"New\", \"Create\",\r\n \"Add\", \"Create\",\r\n \"Enable\", \"Enable\",\r\n \"Install\", \"Install\",\r\n \"Set\", \"Set\",\r\n \"Disable\", \"Disable\",\r\n \"disable\", \"Disable\"\r\n];\r\nlet parser=(disabled:bool=false){\r\n OfficeActivity\r\n | where not(disabled)\r\n | where RecordType in ('ExchangeAdmin')\r\n | project Operation, ResultStatus, Parameters, OrganizationName, OrganizationId, OfficeObjectId, ClientIP, UserId, UserKey, UserAgent, UserType, TimeGenerated, OriginatingServer, SourceRecordId, Type, _ResourceId\r\n | extend \r\n SplitOp = split (Operation,\"-\")\r\n | extend\r\n op=tostring(SplitOp[0])\r\n | lookup eventtypes on op\r\n | project-away op\r\n // --\r\n // Calculate Object\r\n | extend\r\n SplitObject = extract_all(@'^(.*?)[\\\\/](.*)$', OfficeObjectId)[0]\r\n | extend \r\n Object = case (\r\n SplitObject[0] == OrganizationName, SplitObject[1], \r\n OfficeObjectId == \"\", SplitOp[1],\r\n OfficeObjectId\r\n )\r\n | project-away SplitOp, OfficeObjectId\r\n // --\r\n // Calculate source IP address and port\r\n | extend \r\n SplitIpAddr = extract_all(@'^\\[?(.*?)\\]?:(\\d+)$', ClientIP)[0]\r\n | extend \r\n SrcIpAddr = iff (SplitIpAddr[1] == \"\", ClientIP, SplitIpAddr[0]),\r\n SrcPortNumber = toint(iff (SplitIpAddr[1] == \"\", \"\", 
SplitIpAddr[1]))\r\n | parse UserId with ActorUsername \" (\" ActingAppName \")\"\r\n | extend \r\n ActorUsernameType = iff (ActorUsername == \"\", \"UPN\", \"Windows\"),\r\n ActorUsername = iff (ActorUsername == \"\", UserId, ActorUsername),\r\n ActingAppType = iff (ActingAppName == \"\", \"\", \"Process\")\r\n | project-rename\r\n SrcDescription = OriginatingServer,\r\n NewValue = Parameters \r\n | project-away SplitObject, UserKey, SplitIpAddr, ClientIP, UserId\r\n | project-rename\r\n HttpUserAgent = UserAgent, \r\n ActorOriginalUserType = UserType,\r\n ActorScopeId = OrganizationId,\r\n ActorScope = OrganizationName,\r\n EventOriginalUid = SourceRecordId\r\n | lookup usertypes on ActorOriginalUserType\r\n | extend\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated, \r\n EventEndTime= TimeGenerated,\r\n EventProduct = 'Exchange 365',\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.1.0',\r\n EventSchema = 'AuditEvent',\r\n TargetAppName = 'Exchange 365',\r\n TargetAppType = 'SaaS application',\r\n EventResult = iff(ResultStatus == \"True\", \"Success\", \"Failure\")\r\n | project-away \r\n ResultStatus\r\n | extend\r\n EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\r\n // Aliases\r\n | extend \r\n User=ActorUsername,\r\n IpAddr = SrcIpAddr,\r\n Value = NewValue,\r\n Application = TargetAppName,\r\n Dst = TargetAppName,\r\n Src = coalesce (SrcIpAddr, SrcDescription),\r\n Dvc = TargetAppName\r\n };\r\n parser (disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Microsoft Exchange 365 administrative activity.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"d6bacb8f-166f-5712-9bbb-cffd517caf31","name":"_ASim_AuditEvent_MicrosoftExchangeAdmin365V02","body":"let usertypes=datatable (ActorOriginalUserType:string, ActorUserType:string)\r\n[\r\n // Regular, Regular\r\n \"Admin\", \"Admin\"\r\n , 
\"DcAdmin\", \"Admin\"\r\n , \"System\", \"System\"\r\n , \"Application\", \"Application\"\r\n , \"ServicePrincipal\", \"Service Principal\"\r\n , \"CustomPolicy\", \"Other\"\r\n , \"SystemPolicy\", \"Other\"\r\n , \"Reserved\", \"Other\"\r\n];\r\nlet eventtypes=datatable (op:string, EventType:string)\r\n[\r\n \"Remove\", \"Delete\",\r\n \"New\", \"Create\",\r\n \"Add\", \"Create\",\r\n \"Enable\", \"Enable\",\r\n \"Install\", \"Install\",\r\n \"Set\", \"Set\",\r\n \"Disable\", \"Disable\",\r\n \"disable\", \"Disable\"\r\n];\r\nlet parser=(disabled:bool=false){\r\n OfficeActivity\r\n | where not(disabled)\r\n | where RecordType in ('ExchangeAdmin')\r\n | project Operation, ResultStatus, Parameters, OrganizationName, OrganizationId, OfficeObjectId, ClientIP, UserId, UserKey, UserAgent, UserType, TimeGenerated, OriginatingServer, SourceRecordId, Type, _ResourceId\r\n | extend \r\n SplitOp = split (Operation,\"-\")\r\n | extend\r\n op=tostring(SplitOp[0])\r\n | lookup eventtypes on op\r\n | project-away op\r\n // --\r\n // Calculate Object\r\n | extend\r\n SplitObject = extract_all(@'^(.*?)[\\\\/](.*)$', OfficeObjectId)[0]\r\n | extend \r\n Object = case (\r\n SplitObject[0] == OrganizationName, SplitObject[1], \r\n OfficeObjectId == \"\", SplitOp[1],\r\n OfficeObjectId\r\n )\r\n | project-away SplitOp, OfficeObjectId\r\n // --\r\n // Calculate source IP address and port\r\n | extend \r\n SplitIpAddr = extract_all(@'^\\[?(.*?)\\]?:(\\d+)$', ClientIP)[0]\r\n | extend \r\n SrcIpAddr = iff (SplitIpAddr[1] == \"\", ClientIP, SplitIpAddr[0]),\r\n SrcPortNumber = toint(iff (SplitIpAddr[1] == \"\", \"\", SplitIpAddr[1]))\r\n | parse UserId with ActorUsername \" (\" ActingAppName \")\"\r\n | extend \r\n ActorUsernameType = iff (ActorUsername == \"\", \"UPN\", \"Windows\"),\r\n ActorUsername = iff (ActorUsername == \"\", UserId, ActorUsername),\r\n ActingAppType = iff (ActingAppName == \"\", \"\", \"Process\")\r\n | project-rename\r\n SrcDescription = OriginatingServer,\r\n 
NewValue = Parameters \r\n | project-away SplitObject, UserKey, SplitIpAddr, ClientIP, UserId\r\n | project-rename\r\n HttpUserAgent = UserAgent, \r\n ActorOriginalUserType = UserType,\r\n ActorScopeId = OrganizationId,\r\n ActorScope = OrganizationName,\r\n EventOriginalUid = SourceRecordId\r\n | lookup usertypes on ActorOriginalUserType\r\n | extend\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated, \r\n EventEndTime= TimeGenerated,\r\n EventProduct = 'Exchange 365',\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.1.0',\r\n EventSchema = 'AuditEvent',\r\n TargetAppName = 'Exchange 365',\r\n TargetAppType = 'SaaS application',\r\n EventResult = iff(ResultStatus == \"True\", \"Success\", \"Failure\")\r\n | project-away \r\n ResultStatus\r\n | extend\r\n EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\r\n // -- Aliases\r\n | extend \r\n User=ActorUsername,\r\n IpAddr = SrcIpAddr,\r\n Value = NewValue,\r\n Application = TargetAppName,\r\n Dst = TargetAppName,\r\n Src = coalesce (SrcIpAddr, SrcDescription),\r\n Dvc = TargetAppName,\r\n // -- Entity identifier explicit aliases\r\n ActorUserUpn = iif (ActorUsernameType == \"UPN\", ActorUsername, \"\"),\r\n ActorWindowsUsername = iif (ActorUsernameType == \"Windows\", ActorUsername, \"\")\r\n };\r\n parser (disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Microsoft Exchange 365 administrative activity.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"4a54ec8c-be13-5974-bf97-ecbaa51d3a5e","name":"_ASim_AuditEvent_MicrosoftSecurityEventsV02","body":"let parser = (disabled: bool = false) {\r\n // Parsed Events Ids\r\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\r\n // Eventlog Event Ids\r\n let EventlogEventIds = dynamic([1102]);\r\n // Scheduled 
Task Event Ids\r\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\r\n // Active Directory Replica Source Naming Context Event Ids\r\n let ActiveDirectoryReplicaIds = dynamic([4929]);\r\n // Firewall Event Ids\r\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\r\n // Service Event Ids\r\n let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \r\n // Directory Service Object Ids\r\n let DirectoryServiceIds = dynamic([5136]);\r\n // Clear Audit Log Event\r\n let AuditLogClearedEventID = dynamic([1102]); \r\n // EventID Lookup\r\n let EventIDLookup = datatable(\r\n EventID: int,\r\n Operation: string,\r\n EventType: string,\r\n Object: string,\r\n ObjectType: string,\r\n EventResult: string\r\n )\r\n [ \r\n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\r\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\r\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\r\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\r\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\r\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\r\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\r\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\r\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5034, \"Stop Firewall Driver\", \"Stop\", 
\"Firewall Driver\", \"Driver\", \"Failure\",\r\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\r\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\r\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\r\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\r\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\r\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\r\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\r\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\r\n ];\r\n let ParsedEvents =\r\n union\r\n (\r\n // SecurityEvents\r\n SecurityEvent\r\n | where not(disabled)\r\n | where EventID in(ParsedEventIds)\r\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\r\n | parse-kv EventData as \r\n (\r\n SubjectUserSid: string,\r\n SubjectUserName: string,\r\n SubjectDomainName: string,\r\n SubjectLogonId: string,\r\n TaskName: string,\r\n TaskContent: string,\r\n TaskContentNew: string,\r\n ClientProcessId: string,\r\n DestinationDRA: string,\r\n SourceDRA: string,\r\n SourceAddr: string,\r\n ObjectDN: string,\r\n AttributeValue: string\r\n ) \r\n with (regex=@'{?([^')\r\n | project-away EventData\r\n ),\r\n (\r\n SecurityEvent\r\n | where not(disabled)\r\n | where EventID in (AuditLogClearedEventID) and EventSourceName == \"Microsoft-Windows-Eventlog\"\r\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\r\n | extend Parsed_EventData = parse_xml(EventData)\r\n | extend\r\n SubjectUserSid = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserSid),\r\n SubjectUserName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserName),\r\n SubjectDomainName = 
tostring(Parsed_EventData.UserData.LogFileCleared.SubjectDomainName),\r\n SubjectLogonId = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectLogonId)\r\n | project-away EventData, Parsed_EventData\r\n )\r\n | lookup EventIDLookup on EventID\r\n ;\r\n // Parse EventLog\r\n let EventLog = ParsedEvents\r\n | where EventID in(EventlogEventIds)\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\r\n // Parse Scheduled Task\r\n let ScheduledTask = ParsedEvents\r\n | where EventID in(ScheduledTaskEventIds)\r\n | extend \r\n Object = TaskName,\r\n NewValue = coalesce(\r\n TaskContent,\r\n TaskContentNew\r\n )\r\n | extend \r\n Value = NewValue\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse ADR\r\n let ActiveDirectoryReplica = ParsedEvents\r\n | where EventID in(ActiveDirectoryReplicaIds)\r\n | extend \r\n NewValue = SourceDRA,\r\n OldValue = DestinationDRA,\r\n SrcFQDN = SourceAddr\r\n | extend \r\n Value = NewValue,\r\n Object = OldValue\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse WindowsFirewall\r\n let WindowsFirewall = ParsedEvents\r\n | where EventID in(FirewallEventIds)\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse ServiceEvent\r\n let ServiceEvent = ParsedEvents\r\n | where EventID in(ServiceEventIds)\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse DirectoryService\r\n let DirectoryService = ParsedEvents\r\n | where EventID in(DirectoryServiceIds)\r\n | extend \r\n Object = ObjectDN\r\n | project-rename \r\n NewValue = AttributeValue\r\n | extend\r\n Value = NewValue\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN\r\n ;\r\n // Union Events\r\n union\r\n EventLog,\r\n ScheduledTask,\r\n ActiveDirectoryReplica,\r\n WindowsFirewall,\r\n ServiceEvent,\r\n DirectoryService\r\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\r\n | project-rename \r\n ActorUserId = 
SubjectUserSid,\r\n ActorSessionId = SubjectLogonId,\r\n DvcId = _ResourceId,\r\n ActingAppId = ClientProcessId,\r\n EventUid = _ItemId\r\n | extend\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated, \r\n EventEndTime= TimeGenerated,\r\n EventProduct = 'Security Events',\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.1.0',\r\n EventSchema = 'AuditEvent',\r\n EventOriginalType = tostring(EventID),\r\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\r\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\r\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\r\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\r\n ActingAppType = \"Process\"\r\n | extend\r\n User = ActorUsername,\r\n Dvc = DvcFQDN\r\n | project-away Subject*, EventID, Computer\r\n };\r\n parser (disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Microsoft Windows Events audit events.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"719d3b89-0644-5cc5-ba2e-53eac0ee8207","name":"_ASim_AuditEvent_MicrosoftWindowsEventsV01","body":"let parser = (disabled: bool = false) {\r\n // Parsed Events Ids\r\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\r\n // Eventlog Event Ids\r\n let EventlogEventIds = dynamic([1102]);\r\n // Scheduled Task Event Ids\r\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\r\n // Active Directory Replica Source Naming Context Event Ids\r\n let ActiveDirectoryReplicaIds = dynamic([4929]);\r\n // Firewall Event Ids\r\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\r\n // Service Event Ids\r\n let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \r\n // Directory 
Service Object Ids\r\n let DirectoryServiceIds = dynamic([5136]);\r\n // Clear Audit Log Event\r\n let AuditLogClearedEventID = dynamic([1102]); \r\n // EventID Lookup\r\n let EventIDLookup = datatable(\r\n EventID: int,\r\n Operation: string,\r\n EventType: string,\r\n Object: string,\r\n ObjectType: string,\r\n EventResult: string\r\n )\r\n [ \r\n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\r\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\r\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\r\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\r\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\r\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\r\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\r\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\r\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\r\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\r\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\r\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\r\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\r\n 7040, \"Changed 
Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\r\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\r\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\r\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\r\n ];\r\n let ParsedEvents =\r\n union\r\n (\r\n union\r\n (\r\n // SecurityEvents\r\n SecurityEvent\r\n | where not(disabled)\r\n | where EventID in(ParsedEventIds)\r\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\r\n ),\r\n (\r\n // Event\r\n Event\r\n | where not(disabled)\r\n | where EventID in(ParsedEventIds)\r\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\r\n )\r\n | parse-kv EventData as \r\n (\r\n SubjectUserSid: string,\r\n SubjectUserName: string,\r\n SubjectDomainName: string,\r\n SubjectLogonId: string,\r\n TaskName: string,\r\n TaskContent: string,\r\n TaskContentNew: string,\r\n ClientProcessId: string,\r\n DestinationDRA: string,\r\n SourceDRA: string,\r\n SourceAddr: string,\r\n ObjectDN: string,\r\n AttributeValue: string\r\n ) \r\n with (regex=@'{?([^')\r\n | project-away EventData\r\n ),\r\n // WindowsEvents\r\n (\r\n WindowsEvent\r\n | where not(disabled)\r\n | where EventID in(ParsedEventIds)\r\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\r\n | extend\r\n SubjectUserSid = tostring(EventData.SubjectUserSid),\r\n SubjectUserName = tostring(EventData.SubjectUserName),\r\n SubjectDomainName = tostring(EventData.SubjectDomainName),\r\n SubjectLogonId = tostring(EventData.SubjectLogonId),\r\n TaskName = tostring(EventData.TaskName),\r\n TaskContent = tostring(EventData.TaskContent),\r\n TaskContentNew = tostring(EventData.TaskContentNew),\r\n ClientProcessId = tostring(EventData.ClientProcessId),\r\n DestinationDRA = tostring(EventData.DestinationDRA),\r\n SourceDRA = tostring(EventData.SourceDRA),\r\n 
SourceAddr = tostring(EventData.SourceAddr),\r\n ObjectDN = tostring(EventData.ObjectDN),\r\n AttributeValue = tostring(EventData.AttributeValue)\r\n | project-away EventData\r\n ),\r\n //Section for SecurityEvent(1102)\r\n (\r\n SecurityEvent\r\n | where not(disabled)\r\n | where EventID in (AuditLogClearedEventID) and EventSourceName == \"Microsoft-Windows-Eventlog\"\r\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\r\n | extend Parsed_EventData = parse_xml(EventData)\r\n | extend\r\n SubjectUserSid = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserSid),\r\n SubjectUserName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserName),\r\n SubjectDomainName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectDomainName),\r\n SubjectLogonId = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectLogonId)\r\n | project-away EventData, Parsed_EventData\r\n ),\r\n // Section for WindowsEvent(1102)\r\n (\r\n WindowsEvent\r\n | where not(disabled)\r\n | where EventID in (AuditLogClearedEventID) and Provider == \"Microsoft-Windows-Eventlog\"\r\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\r\n | extend\r\n SubjectUserSid = tostring(EventData.SubjectUserSid),\r\n SubjectUserName = tostring(EventData.SubjectUserName),\r\n SubjectDomainName = tostring(EventData.SubjectDomainName),\r\n SubjectLogonId = tostring(EventData.SubjectLogonId)\r\n | project-away EventData\r\n )\r\n | lookup EventIDLookup on EventID\r\n ;\r\n // Parse EventLog\r\n let EventLog = ParsedEvents\r\n | where EventID in(EventlogEventIds)\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\r\n // Parse Scheduled Task\r\n let ScheduledTask = ParsedEvents\r\n | where EventID in(ScheduledTaskEventIds)\r\n | extend \r\n Object = TaskName,\r\n NewValue = coalesce(\r\n TaskContent,\r\n TaskContentNew\r\n )\r\n | extend \r\n Value = NewValue\r\n | project-away Task*, *DRA, SourceAddr, 
ObjectDN, AttributeValue\r\n ;\r\n // Parse ADR\r\n let ActiveDirectoryReplica = ParsedEvents\r\n | where EventID in(ActiveDirectoryReplicaIds)\r\n | extend \r\n NewValue = SourceDRA,\r\n OldValue = DestinationDRA,\r\n SrcFQDN = SourceAddr\r\n | extend \r\n Value = NewValue,\r\n Object = OldValue\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse WindowsFirewall\r\n let WindowsFirewall = ParsedEvents\r\n | where EventID in(FirewallEventIds)\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse ServiceEvent\r\n let ServiceEvent = ParsedEvents\r\n | where EventID in(ServiceEventIds)\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse DirectoryService\r\n let DirectoryService = ParsedEvents\r\n | where EventID in(DirectoryServiceIds)\r\n | extend \r\n Object = ObjectDN\r\n | project-rename \r\n NewValue = AttributeValue\r\n | extend\r\n Value = NewValue\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN\r\n ;\r\n // Union Events\r\n union\r\n EventLog,\r\n ScheduledTask,\r\n ActiveDirectoryReplica,\r\n WindowsFirewall,\r\n ServiceEvent,\r\n DirectoryService\r\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\r\n | project-rename \r\n ActorUserId = SubjectUserSid,\r\n ActorSessionId = SubjectLogonId,\r\n DvcId = _ResourceId,\r\n ActingAppId = ClientProcessId,\r\n EventUid = _ItemId\r\n | extend\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated, \r\n EventEndTime= TimeGenerated,\r\n EventProduct = 'Security Events',\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.1.0',\r\n EventSchema = 'AuditEvent',\r\n EventOriginalType = tostring(EventID),\r\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\r\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\r\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\r\n ActorUserIdType = iff (ActorUserId == 
\"\", \"\", \"SID\"),\r\n ActingAppType = \"Process\"\r\n | extend\r\n User = ActorUsername,\r\n Dvc = DvcFQDN\r\n | project-away Subject*, EventID, Computer\r\n };\r\n parser (disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Microsoft Windows Events audit events.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"46ffe79a-a94f-53e3-88cb-b9a178c9c932","name":"_ASim_AuditEvent_MicrosoftWindowsEventsV02","body":"let parser = (disabled: bool = false) {\r\n // Parsed Events Ids\r\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\r\n // Eventlog Event Ids\r\n let EventlogEventIds = dynamic([1102]);\r\n // Scheduled Task Event Ids\r\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\r\n // Active Directory Replica Source Naming Context Event Ids\r\n let ActiveDirectoryReplicaIds = dynamic([4929]);\r\n // Firewall Event Ids\r\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\r\n // Service Event Ids\r\n let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \r\n // Directory Service Object Ids\r\n let DirectoryServiceIds = dynamic([5136]);\r\n // Clear Audit Log Event\r\n let AuditLogClearedEventID = dynamic([1102]); \r\n // EventID Lookup\r\n let EventIDLookup = datatable(\r\n EventID: int,\r\n Operation: string,\r\n EventType: string,\r\n Object: string,\r\n ObjectType: string,\r\n EventResult: string\r\n )\r\n [ \r\n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\r\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\r\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\r\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\r\n 4701, \"Disable Scheduled 
Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\r\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\r\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\r\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\r\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\r\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\r\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\r\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\r\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\r\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\r\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\r\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\r\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\r\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\r\n ];\r\n let ParsedEvents =\r\n union\r\n (\r\n WindowsEvent\r\n | where not(disabled)\r\n | where EventID in(ParsedEventIds)\r\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\r\n | extend\r\n SubjectUserSid = tostring(EventData.SubjectUserSid),\r\n SubjectUserName = tostring(EventData.SubjectUserName),\r\n SubjectDomainName = 
tostring(EventData.SubjectDomainName),\r\n SubjectLogonId = tostring(EventData.SubjectLogonId),\r\n TaskName = tostring(EventData.TaskName),\r\n TaskContent = tostring(EventData.TaskContent),\r\n TaskContentNew = tostring(EventData.TaskContentNew),\r\n ClientProcessId = tostring(EventData.ClientProcessId),\r\n DestinationDRA = tostring(EventData.DestinationDRA),\r\n SourceDRA = tostring(EventData.SourceDRA),\r\n SourceAddr = tostring(EventData.SourceAddr),\r\n ObjectDN = tostring(EventData.ObjectDN),\r\n AttributeValue = tostring(EventData.AttributeValue)\r\n | project-away EventData\r\n ),\r\n (\r\n WindowsEvent\r\n | where not(disabled)\r\n | where EventID in (AuditLogClearedEventID) and Provider == \"Microsoft-Windows-Eventlog\"\r\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\r\n | extend\r\n SubjectUserSid = tostring(EventData.SubjectUserSid),\r\n SubjectUserName = tostring(EventData.SubjectUserName),\r\n SubjectDomainName = tostring(EventData.SubjectDomainName),\r\n SubjectLogonId = tostring(EventData.SubjectLogonId)\r\n | project-away EventData\r\n )\r\n | lookup EventIDLookup on EventID\r\n ;\r\n // Parse EventLog\r\n let EventLog = ParsedEvents\r\n | where EventID in(EventlogEventIds)\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\r\n // Parse Scheduled Task\r\n let ScheduledTask = ParsedEvents\r\n | where EventID in(ScheduledTaskEventIds)\r\n | extend \r\n Object = TaskName,\r\n NewValue = coalesce(\r\n TaskContent,\r\n TaskContentNew\r\n )\r\n | extend \r\n Value = NewValue\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse ADR\r\n let ActiveDirectoryReplica = ParsedEvents\r\n | where EventID in(ActiveDirectoryReplicaIds)\r\n | extend \r\n NewValue = SourceDRA,\r\n OldValue = DestinationDRA,\r\n SrcFQDN = SourceAddr\r\n | extend \r\n Value = NewValue,\r\n Object = OldValue\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse 
WindowsFirewall\r\n let WindowsFirewall = ParsedEvents\r\n | where EventID in(FirewallEventIds)\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse ServiceEvent\r\n let ServiceEvent = ParsedEvents\r\n | where EventID in(ServiceEventIds)\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse DirectoryService\r\n let DirectoryService = ParsedEvents\r\n | where EventID in(DirectoryServiceIds)\r\n | extend \r\n Object = ObjectDN\r\n | project-rename \r\n NewValue = AttributeValue\r\n | extend\r\n Value = NewValue\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN\r\n ;\r\n // Union Events\r\n union\r\n EventLog,\r\n ScheduledTask,\r\n ActiveDirectoryReplica,\r\n WindowsFirewall,\r\n ServiceEvent,\r\n DirectoryService\r\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\r\n | project-rename \r\n ActorUserId = SubjectUserSid,\r\n ActorSessionId = SubjectLogonId,\r\n DvcId = _ResourceId,\r\n ActingAppId = ClientProcessId,\r\n EventUid = _ItemId\r\n | extend\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated, \r\n EventEndTime= TimeGenerated,\r\n EventProduct = 'Security Events',\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.1.0',\r\n EventSchema = 'AuditEvent',\r\n EventOriginalType = tostring(EventID),\r\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\r\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\r\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\r\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\r\n ActingAppType = \"Process\"\r\n | extend\r\n User = ActorUsername,\r\n Dvc = DvcFQDN\r\n | project-away Subject*, EventID, Computer\r\n };\r\n parser (disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Microsoft Windows Events audit 
events.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"e0efc4c1-efd6-5481-a2b1-0e3fd1cb6684","name":"_ASim_AuditEvent_NativeV01","body":"let parser=(disabled:bool=false) \r\n{\r\n ASimAuditEventLogs | where not(disabled)\r\n | extend EventSchema = \"AuditEvent\"\r\n | project-rename\r\n EventUid = _ItemId\r\n | extend\r\n Value\t= NewValue,\r\n User = ActorUsername,\r\n Application = TargetAppName,\r\n Dst = coalesce (TargetDvcId, TargetHostname, TargetIpAddr, TargetAppId, TargetAppName),\r\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)), \r\n Rule=RuleName,\r\n IpAddr=SrcIpAddr,\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId)\r\n | project-away\r\n _ResourceId, _SubscriptionId\r\n};\r\nparser (disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Microsoft Sentinel native Audit Event table.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"963fd114-e2de-522f-86ef-2e6b7edcfea1","name":"_ASim_AuditEvent_SQLSecurityAuditV01","body":"let parser=(disabled:bool=false, pack:bool=false){\r\n let SqlAuditEventTypeLookup = datatable (ActionType:string, EventType:string)\r\n [\r\n \"SELECT\", \"Read\",\r\n \"EXECUTE\", \"Execute\",\r\n \"INSERT\", \"Create\",\r\n \"UPDATE\", \"Set\",\r\n \"DELETE\", \"Delete\",\r\n \"CREATE\", \"Create\",\r\n \"ALTER\", \"Set\",\r\n \"DROP\", \"Delete\",\r\n \"GRANT\", \"Set\",\r\n \"DENY\", \"Set\",\r\n \"REVOKE\", \"Set\",\r\n \"BATCH\", \"Execute\",\r\n \"LOGIN\", \"Execute\",\r\n \"LOGOUT\", \"Execute\",\r\n \"ENABLE\", \"Enable\",\r\n \"DISABLE\", \"Disable\",\r\n \"BACKUP\", \"Read\",\r\n \"RESTORE\", \"Set\",\r\n \"RENAME\", \"Set\",\r\n \"TRUNCATE\", \"Delete\",\r\n \"OPEN\", \"Execute\",\r\n 
\"CLOSE\", \"Execute\",\r\n \"FETCH\", \"Read\",\r\n \"RECEIVE\", \"Read\"\r\n ];\r\n let SqlSecurityAuditDedicated = \r\n SQLSecurityAuditEvents\r\n | where not(disabled)\r\n | project-rename\r\n EventOriginalType = ActionName\r\n | extend\r\n SrcIpAddr = iff(isnotnull(parse_ipv4(ClientIp)), ClientIp, \"\"),\r\n EventOriginalUid = tostring(EventId),\r\n ActorUsername = ServerPrincipalName,\r\n ActorUserId = tostring(ServerPrincipalSid),\r\n Object = ObjectName,\r\n Operation = EventOriginalType,\r\n ActorSessionId = tostring(SessionId),\r\n EventResult = iff(Succeeded == true, \"Success\", \"Failure\"),\r\n TargetAppName = strcat(LogicalServerName, \"/\", DatabaseName),\r\n AdditionalFields = iff(pack, bag_pack(\r\n \"Statement\", Statement,\r\n \"SchemaName\", SchemaName,\r\n \"DurationMs\", DurationMs,\r\n \"AffectedRows\", AffectedRows,\r\n \"ResponseRows\", ResponseRows,\r\n \"ApplicationName\", ApplicationName,\r\n \"ClassTypeDescription\", ClassTypeDescription,\r\n \"HostName\", HostName\r\n ), dynamic([]))\r\n ;\r\n let SqlSecurityAuditDiag =\r\n AzureDiagnostics\r\n | where not(disabled)\r\n | where Category == \"SQLSecurityAuditEvents\"\r\n | project-rename\r\n EventOriginalType = action_name_s\r\n | extend\r\n SrcIpAddr = iff(isnotnull(parse_ipv4(client_ip_s)), client_ip_s, \"\"),\r\n EventOriginalUid = tostring(event_id_g),\r\n ActorUsername = server_principal_name_s,\r\n ActorUserId = tostring(server_principal_sid_s),\r\n Object = object_name_s,\r\n Operation = EventOriginalType,\r\n ActorSessionId = tostring(session_id_d),\r\n EventResult = iff(succeeded_s == \"true\", \"Success\", \"Failure\"),\r\n TargetAppName = strcat(LogicalServerName_s, \"/\", database_name_s),\r\n AdditionalFields = iff(pack, bag_pack(\r\n \"Statement\", statement_s,\r\n \"SchemaName\", schema_name_s,\r\n \"DurationMs\", duration_milliseconds_d,\r\n \"AffectedRows\", affected_rows_d,\r\n \"ResponseRows\", response_rows_d,\r\n \"ApplicationName\", application_name_s,\r\n 
\"ClassTypeDescription\", class_type_description_s,\r\n \"HostName\", host_name_s\r\n ), dynamic([]))\r\n ;\r\n union isfuzzy=true SqlSecurityAuditDedicated, SqlSecurityAuditDiag\r\n | extend\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventProduct = \"SQL Audit Logs\",\r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.2\",\r\n EventSchema = \"AuditEvent\",\r\n TargetAppType = \"SaaS application\",\r\n ObjectType = \"Cloud Resource\",\r\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\r\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SID\", \"\"),\r\n // Audit events are usually data, configuration or policy changes, not detections.\r\n // Hence most ASIM Audit events are expected to be Information or Low.\r\n EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\r\n // Map EventType from action name\r\n | extend ActionType = toupper(tostring(split(Operation, \" \")[0]))\r\n | lookup SqlAuditEventTypeLookup on ActionType\r\n | extend EventType = iff(isempty(EventType), \"Other\", EventType)\r\n // Recommended fields\r\n | extend\r\n EventUid = EventOriginalUid,\r\n EventResultDetails = iff(EventResult == \"Failure\", \"Other\", \"\")\r\n // Aliases\r\n | extend\r\n IpAddr = SrcIpAddr,\r\n User = ActorUsername,\r\n Application = TargetAppName,\r\n Dst = TargetAppName,\r\n Src = SrcIpAddr,\r\n Dvc = EventProduct\r\n | project\r\n Type,\r\n TimeGenerated,\r\n EventOriginalUid,\r\n EventUid,\r\n EventResult,\r\n EventResultDetails,\r\n EventSeverity,\r\n EventCount,\r\n EventStartTime,\r\n EventEndTime,\r\n EventProduct,\r\n EventVendor,\r\n EventSchemaVersion,\r\n EventSchema,\r\n EventType,\r\n EventOriginalType,\r\n Operation,\r\n Object,\r\n ObjectType,\r\n TargetAppName,\r\n TargetAppType,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActorUserId,\r\n ActorUserIdType,\r\n ActorSessionId,\r\n SrcIpAddr,\r\n AdditionalFields,\r\n IpAddr,\r\n User,\r\n 
Application,\r\n Dst,\r\n Src,\r\n Dvc\r\n};\r\nparser(disabled=disabled, pack=pack)\r\n","parameters":"disabled:bool = false, pack:bool = false","description":"Audit Event ASIM parser for SQLSecurityAudit Logs.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"aa0ba80d-de2a-5ab2-8329-1369094df8b4","name":"_ASim_AuditEvent_SentinelOneV01","body":"let EventFieldsLookup = datatable(\r\n activityType_d: real,\r\n Operation: string,\r\n EventType_activity: string,\r\n EventSubType: string,\r\n EventResult: string,\r\n Object: string,\r\n ObjectType: string\r\n )\r\n [\r\n 39, \"Research Settings Modified\", \"\", \"\", \"Success\", \"Research Settings\", \"Policy Rule\",\r\n 41, \"Learning Mode Settings Modified\", \"Set\", \"\", \"Success\", \"Mitigation policy\", \"Policy Rule\",\r\n 44, \"Auto decommission On\", \"Enable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\r\n 45, \"Auto decommission Off\", \"Disable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\r\n 46, \"Auto Decommission Period Modified\", \"Set\", \"\", \"Success\", \"Auto decommission\", \"Service\",\r\n 56, \"Auto Mitigation Actions Modified\", \"Set\", \"\", \"Success\", \"Mitigation action\", \"Other\",\r\n 57, \"Quarantine Network Settings Modified\", \"\", \"\", \"Success\", \"NetworkSettings\", \"Configuration Atom\",\r\n 68, \"Engine Modified In Policy\", \"Set\", \"\", \"Success\", \"Engine Policy\", \"Policy Rule\",\r\n 69, \"Mitigation Policy Modified\", \"Set\", \"\", \"Success\", \"Threat Mitigation Policy\", \"Policy Rule\",\r\n 70, \"Policy Setting - Agent Notification On Suspicious Modified\", \"\", \"\", \"Success\", \"Agent notification\", \"Service\",\r\n 82, \"Monitor On Execute\", \"\", \"\", \"Success\", \"On execute setting\", \"Configuration Atom\",\r\n 83, \"Monitor On Write\", \"\", \"\", \"Success\", \"On write setting\", \"Configuration Atom\",\r\n 105, \"Deep Visibility Settings 
Modified\", \"\", \"\", \"Success\", \"Deep Visibility Setting\", \"Configuration Atom\",\r\n 116, \"Policy Settings Modified\", \"Disable\", \"\", \"Success\", \"Policy Settings\", \"Policy Rule\",\r\n 150, \"Live Security Updates Policy Modified\", \"\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\r\n 151, \"Live Security Updates Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\r\n 200, \"File Upload Settings Modified\", \"Set\", \"\", \"Success\", \"Binary Vault Settings\", \"Configuration Atom\",\r\n 201, \"File Upload Enabled/Disabled\", \"\", \"\", \"Success\", \"Binary Vault\", \"Policy Rule\",\r\n 4004, \"Policy Setting - Show Suspicious Activities Configuration Enabled\", \"Enable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\r\n 4005, \"Policy Setting - Show Suspicious Activities Configuration Disabled\", \"Disable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\r\n 4104, \"STAR Manual Response Marked Event As Malicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\r\n 4105, \"STAR Manual Response Marked Event As Suspicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\r\n 5012, \"Group Token Regenerated\", \"Create\", \"\", \"Success\", \"Token\", \"Policy Rule\",\r\n 5020, \"Site Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\r\n 5021, \"Site Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 5022, \"Site Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\r\n 5024, \"Site Policy Reverted\", \"\", \"\", \"Success\", \"\", \"Other\",\r\n 5025, \"Site Marked As Expired\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\r\n 5026, \"Site Duplicated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\r\n 5027, \"Site Token Regenerated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\r\n 6000, \"Mobile Policy updated\", \"Set\", \"\", \"Success\", \"Mobile Policy\", \"Policy 
Rule\",\r\n 6001, \"Mobile Policy created\", \"Create\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\r\n 6002, \"Mobile Policy removed\", \"Delete\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\r\n 6010, \"UEM Connection created\", \"Create\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\r\n 6011, \"UEM Connection updated\", \"Set\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\r\n 6012, \"UEM Connection Removed\", \"Delete\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\r\n 73, \"Scan New Agents Changed\", \"\", \"\", \"Success\", \"Scan new agents Setting\", \"Configuration Atom\",\r\n 76, \"Anti Tampering Modified\", \"\", \"\", \"Success\", \"Anti tampering setting\", \"Configuration Atom\",\r\n 77, \"Agent UI Settings Modified\", \"Set \", \"\", \"Success\", \"Agent UI setting\", \"Configuration Atom\",\r\n 78, \"Snapshots Settings Modified\", \"\", \"\", \"Success\", \"Snapshots setting\", \"Configuration Atom\",\r\n 79, \"Agent Logging Modified\", \"\", \"\", \"Success\", \"Agent logging setting\", \"Configuration Atom\",\r\n 84, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility setting\", \"Configuration Atom\",\r\n 87, \"Remote Shell Settings Modified\", \"\", \"\", \"Success\", \"Remote Shell Settings\", \"Configuration Atom\",\r\n 2100, \"Upgrade Policy - Concurrency Limit Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\r\n 2101, \"Upgrade Policy - Concurrency Limit Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\r\n 2111, \"Upgrade Policy - Maintenance Window Time Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\r\n ];\r\n let EventFieldsLookupMachineActivity = datatable(\r\n activityType_d: real,\r\n Operation: string,\r\n EventType_machineactivity: string,\r\n EventSubType_machineactivity: string,\r\n EventResult: string,\r\n Object: 
string,\r\n ObjectType: string\r\n )\r\n [\r\n 52, \"User Approved Agent Uninstall Request\", \"Other\", \"Approve\", \"Success\", \"Agent\", \"Service\",\r\n 53, \"User Rejected Agent Uninstall Request\", \"Other\", \"Reject\", \"Failure\", \"Agent\", \"Service\",\r\n 54, \"User Decommissioned Agent\", \"Disable\", \"\", \"Success\", \"Agent\", \"Service\",\r\n 55, \"User Recommissioned Agent\", \"Enable\", \"\", \"Success\", \"Agent\", \"Service\",\r\n 61, \"User Disconnected Agent From Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\r\n 62, \"User Reconnected Agent to Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\r\n 63, \"User Shutdown Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\r\n 93, \"User Reset Agent's Local Config\", \"Set\", \"\", \"Success\", \"Local config\", \"Configuration Atom\",\r\n 95, \"User Moved Agent to Group\", \"Other\", \"Move\", \"Success\", \"Agent\", \"Service\",\r\n 117, \"User Disabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\r\n 118, \"User Enabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\r\n 4100, \"User Marked Deep Visibility Event As Threat\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\r\n 4101, \"User Marked Deep Visibility Event As Suspicious\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\r\n ];\r\n let EventFieldsLookupAccountActivity = datatable(\r\n activityType_d: real,\r\n Operation: string,\r\n EventType_accountactivity: string,\r\n EventSubType_accountactivity: string,\r\n EventResult: string,\r\n Object: string,\r\n ObjectType: string\r\n )\r\n [\r\n 130, \"Opt-in To EA program\", \"Create\", \"\", \"Success\", \"\", \"Other\",\r\n 131, \"Opt-out From EA Program\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\r\n 5040, \"Account Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\r\n 5041, \"Account Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 
5042, \"Account Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\r\n 5044, \"Account Policy Reverted\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 7200, \"Add cloud account\", \"Create\", \"\", \"Success\", \"\", \"Other\",\r\n 7201, \"Disable cloud Account\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\r\n 7202, \"Enable cloud Account\", \"Enable\", \"\", \"Success\", \"\", \"Other\"\r\n ];\r\n let EventFieldsLookup_useractivity = datatable(\r\n activityType_d: real,\r\n Operation: string,\r\n EventType_useractivity: string,\r\n EventSubType_useractivity: string,\r\n EventResult: string,\r\n Object: string,\r\n ObjectType: string\r\n )\r\n [\r\n 88, \"User Remote Shell Modified\", \"\", \"\", \"Success\", \"Remote Shell\", \"Configuration Atom\",\r\n 114, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\"\r\n ];\r\n let EventFieldsLookup_otheractivity = datatable(\r\n activityType_d: real,\r\n Operation: string,\r\n EventType_otheractivity: string,\r\n EventSubType_otheractivity: string,\r\n EventResult: string,\r\n Object: string,\r\n ObjectType: string\r\n )\r\n [\r\n 2, \"Hash Defined as Malicious By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 40, \"Cloud Intelligence Settings Modified\", \"\", \"\", \"Success\", \"Cloud Intelligence Settings\", \"Policy Rule\",\r\n 58, \"Notification Option Level Modified\", \"Set\", \"\", \"Success\", \"Notification Level\", \"Service\",\r\n 59, \"Event Severity Level Modified\", \"Set\", \"\", \"Success\", \"EventSeverity Level\", \"Other\",\r\n 60, \"Notification - Recipients Configuration Modified\", \"Set\", \"\", \"Success\", \"Recipients configuration\", \"Policy Rule\",\r\n 101, \"User Changed Agent's Customer Identifier\", \"Set\", \"\", \"Success\", \"Customer Identifier string\", \"Configuration Atom\",\r\n 106, \"User Commanded Agents To Move To Another Console\", \"Execute\", \"\", \"Failure\", \"Agents\", \"Service\",\r\n 107, \"User Created RBAC 
Role\", \"Create\", \"\", \"Success\", \"\", \"Other\",\r\n 108, \"User Edited RBAC Role\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 109, \"User Deleted RBAC Role\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\r\n 112, \"API token Generated\", \"Create\", \"\", \"Success\", \"API Token\", \"Service\",\r\n 113, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\",\r\n 129, \"Allowed Domains Settings Changed\", \"Set\", \"\", \"Success\", \"User Domain Setting\", \"Other\",\r\n 1501, \"Location Created\", \"Create\", \"\", \"Success\", \"\", \"Service\",\r\n 1502, \"Location Copied\", \"Set\", \"Copy\", \"Success\", \"\", \"Service\",\r\n 1503, \"Location Modified\", \"Set\", \"\", \"Success\", \"\", \"Service\",\r\n 1504, \"Location Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Service\",\r\n 2011, \"User Issued Kill Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\r\n 2012, \"User Issued Remediate Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\r\n 2013, \"User Issued Rollback Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\r\n 2014, \"User Issued Quarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\r\n 2015, \"User Issued Unquarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\r\n 2016, \"User Marked Application As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 2028, \"Threat Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 2029, \"Ticket Number Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 2030, \"Analyst Verdict Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 2036, \"Threat Confidence Level Changed By Agent\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 2037, \"Threat Confidence Level Changed By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 3001, \"User Added Hash Exclusion\", \"Set\", \"\", \"Success\", \"Hash\", \"Other\",\r\n 3002, \"User Added Blocklist Hash\", 
\"Set\", \"\", \"Success\", \"Hash\", \"Other\",\r\n 3008, \"New Path Exclusion\", \"Create\", \"\", \"Success\", \"Path\", \"Other\",\r\n 3009, \"New Signer Identity Exclusion\", \"Create\", \"\", \"Success\", \"Signer Identity\", \"Other\",\r\n 3010, \"New File Type Exclusion\", \"Create\", \"\", \"Success\", \"File Type\", \"Other\",\r\n 3011, \"New Browser Type Exclusion\", \"Create\", \"\", \"Success\", \"Browser Type\", \"Other\",\r\n 3012, \"Path Exclusion Modified\", \"Set\", \"\", \"Success\", \"Path\", \"Other\",\r\n 3013, \"Signer Identity Exclusion Modified\", \"Set\", \"\", \"Success\", \"Signer Identity\", \"Other\",\r\n 3014, \"File Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"File Type\", \"Other\",\r\n 3015, \"Browser Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"Browser Type\", \"Other\",\r\n 3016, \"Path Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Path\", \"Other\",\r\n 3017, \"Signer Identity Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Signer Identity\", \"Other\",\r\n 3018, \"File Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"File Type\", \"Other\",\r\n 3019, \"Browser Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Browser Type\", \"Other\",\r\n 3020, \"User Deleted Hash From Blocklist\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\r\n 3021, \"User Deleted Hash Exclusion\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\r\n 3100, \"User Added Package\", \"Create\", \"\", \"Success\", \"Package\", \"Other\",\r\n 3101, \"User Modified Package\", \"Set\", \"\", \"Success\", \"Package\", \"Other\",\r\n 3102, \"User Deleted Package\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\r\n 3103, \"Package Deleted By System - Too Many Packages\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\r\n 3500, \"User Toggled Ranger Status\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Other\",\r\n 3501, \"Ranger Settings Modified\", \"Set\", \"\", \"Success\", 
\"Ranger Settings\", \"Configuration Atom\",\r\n 3502, \"Ranger Network Settings Modified\", \"Set\", \"\", \"Success\", \"Ranger Network Setting\", \"Other\",\r\n 3506, \"Ranger - Device Review Modified\", \"Set\", \"\", \"Success\", \"Device Review\", \"Other\",\r\n 3507, \"Ranger - Device Tag Modified On Host\", \"Set\", \"\", \"Success\", \"Device Tag\", \"Other\",\r\n 3521, \"Ranger Deploy Initiated\", \"Initialize\", \"\", \"Success\", \"Ranger Deploy\", \"Other\",\r\n 3525, \"Ranger Deploy - Credential Created\", \"Create\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\r\n 3526, \"Ranger Deploy - Credential Deleted\", \"Delete\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\r\n 3527, \"Ranger Deploy - Credential Overridden\", \"Set\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\r\n 3530, \"Ranger Labels Updated\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\r\n 3531, \"Ranger labels reverted\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\r\n 3600, \"Custom Rules - User Created A Rule\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 3601, \"Custom Rules - User Changed A Rule\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 3602, \"Custom Rules - User Deleted A Rule\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 3603, \"Custom Rules - Rule Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 3604, \"Custom Rules - Rule Status Change Failed\", \"Set\", \"\", \"Failure\", \"\", \"Policy Rule\",\r\n 3626, \"User 2FA Email Verification Changed\", \"Set\", \"\", \"Success\", \"\", \"Service\",\r\n 3628, \"2FA Code Verification\", \"Set\", \"\", \"Success\", \"2FA\", \"Service\",\r\n 3641, \"Ranger self Provisioning Default Features Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 3650, \"Tag Manager - User Created New Tag\", \"Create\", \"\", \"Success\", \"Tag\", \"Other\",\r\n 3651, \"Tag Manager - User Modified Tag\", \"Set\", 
\"\", \"Success\", \"Tag\", \"Other\",\r\n 3652, \"Tag Manager - User Deleted Tag\", \"Delete\", \"\", \"Success\", \"Tag\", \"Other\",\r\n 3653, \"Tag Manager - User Attached Tag\", \"Other\", \"Attach\", \"Success\", \"Tags\", \"Other\",\r\n 3654, \"Tag Manager - User Detached Tag\", \"Detach\", \"\", \"Success\", \"Tags\", \"Other\", \r\n 3750, \"Auto-Upgrade Policy Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 3751, \"Auto-Upgrade Policy Disabled\", \"Disable\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 3752, \"Auto-Upgrade Policy Activated\", \"Enable\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 3753, \"Auto-Upgrade Policy Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 3754, \"Auto-Upgrade Policy Reordered\", \"Other\", \"Reorder\", \"Success\", \"\", \"Policy Rule\",\r\n 3755, \"Upgrade Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Upgrade Policy\", \"Policy Rule\",\r\n 3756, \"Auto-Upgrade Policy Edited\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 3767, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\r\n 3768, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\r\n 3769, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\r\n 3770, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\r\n 3771, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\r\n 3772, \"Local Upgrade Unauthorized\", \"Other\", \"Unauthorize\", \"Failure\", \"Local Upgrade Authorization\", \"Service\",\r\n 3773, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\r\n 3774, \"Local Upgrade 
Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\r\n 4001, \"Suspicious Threat Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 4002, \"Suspicious Threat Was Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 4006, \"Remember Me Length Modified\", \"Set\", \"\", \"Success\", \"Stay Sign in Duration\", \"Policy Rule\",\r\n 4007, \"Suspicious Threat Was Marked As Benign\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 4008, \"Threat Mitigation Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 4009, \"Process Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 4011, \"Suspicious Threat Was Unresolved\", \"Set\", \"\", \"Failure\", \"\", \"Other\",\r\n 4012, \"UI Inactivity Timeout Modified\", \"Set\", \"\", \"Success\", \"Inactivity timeout\", \"Configuration Atom\",\r\n 5242, \"Ranger - Device Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\r\n 5243, \"Ranger - Device Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 5244, \"Ranger - Device Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\r\n 5250, \"Firewall Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\r\n 5251, \"Firewall Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 5252, \"Firewall Control Tag Updated\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\r\n 5253, \"Network Quarantine Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\r\n 5254, \"Network Quarantine Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 5255, \"Network Quarantine Control Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\r\n 5256, \"Firewall Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 5257, \"Firewall Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Firewall Control tags\", \"Other\",\r\n 5258, 
\"Network Quarantine Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 5259, \"Network Quarantine Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Network Quarantine Control Tag\", \"Other\",\r\n 7500, \"Remote Ops Password Configured\", \"Set\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\r\n 7501, \"Remote Ops Password Deleted\", \"Delete\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\r\n 7602, \"User Edited Run Script Guardrails\", \"Set\", \"\", \"Success\", \"Guardrails\", \"Service\",\r\n 7603, \"User Enabled Run Script Guardrails\", \"Enable\", \"\", \"Success\", \"Guardrails\", \"Service\",\r\n 7604, \"User Disabled Run Script Guardrails\", \"Disable\", \"\", \"Success\", \"Guardrails\", \"Service\",\r\n 5120, \"Device Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 5121, \"Device Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 5122, \"Device Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 5123, \"Device Rules Reordered\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 5124, \"Device Rules Settings Modified\", \"Set\", \"\", \"Success\", \"Device Control settings\", \"Policy Rule\",\r\n 5129, \"Device Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 5220, \"Firewall Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 5221, \"Firewall Rule Modified\", \"Set/Other\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 5222, \"Firewall Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 5225, \"Firewall Control Settings Modified\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\r\n 5226, \"Firewall Rules Reordered\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\r\n 5231, \"Firewall Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy 
Rule\",\r\n 5234, \"Network Quarantine Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 5235, \"Network Quarantine Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 5236, \"Network Quarantine Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 5237, \"Network Quarantine Control Settings Modified\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\r\n 5238, \"Network Quarantine Rules Reordered\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\r\n 5241, \"Network Quarantine Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\r\n 6030, \"Mobile Device Updated\", \"Other\", \"\", \"Success\", \"Device\", \"Other\",\r\n 6053, \"Mobile Incident Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 6054, \"Mobile Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\r\n 6055, \"Mobile Incident Analyst Verdict Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\"\r\n ];\r\n let EventTypeLookup_onoff = datatable(\r\n field: string,\r\n EventType_field: string,\r\n NewValue_field: string\r\n )\r\n [\r\n \"true\", \"Enable\", \"on\",\r\n \"false\", \"Disable\", \"off\"\r\n ];\r\n let EventTypeLookup_enableddisabled = datatable(\r\n field: string,\r\n EventType_fieldenableddisabled: string,\r\n NewValue_fieldenableddisabled: string\r\n )\r\n [\r\n \"true\", \"Enable\", \"enabled\",\r\n \"false\", \"Disable\", \"disabled\"\r\n ];\r\n let EventSeverityLookup = datatable (EventResult: string, EventSeverity_lookup: string)\r\n [\r\n \"Success\", \"Informational\",\r\n \"Failure\", \"Low\"\r\n ];\r\n let EventSeverityLookup_activity = datatable (activityType_d: real, EventSeverity_activity: string)\r\n [\r\n 4100, \"Medium\",\r\n 4101, \"High\",\r\n 2016, \"Medium\",\r\n 2028, \"Low\",\r\n 4001, \"Medium\",\r\n 4002, \"Low\",\r\n 4007, \"Low\",\r\n 4008, \"Medium\",\r\n 4009, \"Medium\",\r\n 4011, \"High\",\r\n 2, 
\"Medium\",\r\n 2011, \"Low\",\r\n 2012, \"Low\",\r\n 2013, \"Medium\",\r\n 2014, \"Low\",\r\n 2015, \"Low\",\r\n 4002, \"Low\",\r\n 4104, \"High\",\r\n 4105, \"Medium\"\r\n ];\r\n let ThreatConfidenceLookup_undefined = datatable(\r\n threatInfo_analystVerdict_s: string,\r\n ThreatConfidence_undefined: int\r\n )\r\n [\r\n \"false_positive\", 5,\r\n \"undefined\", 15,\r\n \"suspicious\", 25,\r\n \"true_positive\", 33 \r\n ];\r\n let ThreatConfidenceLookup_suspicious = datatable(\r\n threatInfo_analystVerdict_s: string,\r\n ThreatConfidence_suspicious: int\r\n )\r\n [\r\n \"false_positive\", 40,\r\n \"undefined\", 50,\r\n \"suspicious\", 60,\r\n \"true_positive\", 67 \r\n ];\r\n let ThreatConfidenceLookup_malicious = datatable(\r\n threatInfo_analystVerdict_s: string,\r\n ThreatConfidence_malicious: int\r\n )\r\n [\r\n \"false_positive\", 75,\r\n \"undefined\", 80,\r\n \"suspicious\", 90,\r\n \"true_positive\", 100 \r\n ];\r\n let parser = (disabled: bool=false) {\r\n let RawGroupSiteActivityIds = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111]);\r\n let RawOtherActivityIds = dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 
5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\r\n let activitydata = SentinelOne_CL\r\n | where not(disabled) and event_name_s == \"Activities.\"\r\n | project-away\r\n threatInfo_confidenceLevel_s,\r\n threatInfo_analystVerdict_s,\r\n threatInfo_threatName_s,\r\n threatInfo_incidentStatus_s,\r\n threatInfo_identifiedAt_t,\r\n threatInfo_updatedAt_t,\r\n threatInfo_threatId_s,\r\n mitigationStatus_s;\r\n let rawgroupsiteactivitydata = activitydata\r\n | where activityType_d in (RawGroupSiteActivityIds)\r\n | parse-kv DataFields_s as (username: string, userName: string, userFullName: string, newValue: string, policyEnabled: string, siteName: string, oldValue: string, ipAddress: string, oldSiteName: string, policy: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\r\n | parse-kv policy as (id: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\r\n | project-rename ObjectId = id\r\n | lookup EventFieldsLookup on activityType_d;\r\n let groupsiteactivitydata_onoff = rawgroupsiteactivitydata\r\n | where activityType_d in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150)\r\n | lookup EventTypeLookup_onoff on $left.newValue == $right.field\r\n | lookup EventTypeLookup_onoff on $left.policyEnabled == $right.field\r\n | extend\r\n EventType = coalesce(EventType_field, EventType_field1),\r\n NewValue = coalesce(NewValue_field, NewValue_field1);\r\n let groupsiteactivitydata_enabledisabled = rawgroupsiteactivitydata\r\n | where activityType_d in (70, 82, 83, 201)\r\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\r\n | extend\r\n EventType = EventType_fieldenableddisabled,\r\n NewValue = NewValue_fieldenableddisabled;\r\n let groupsiteactivitydata_other = rawgroupsiteactivitydata\r\n | where activityType_d !in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150, 70, 82, 83, 201)\r\n | extend EventType = EventType_activity;\r\n let groupsiteactivitydata = union\r\n 
groupsiteactivitydata_onoff,\r\n groupsiteactivitydata_enabledisabled,\r\n groupsiteactivitydata_other\r\n | extend\r\n ActorUsername = coalesce(username, userName, userFullName),\r\n Object = coalesce(Object, siteName, oldSiteName),\r\n NewValue = coalesce(NewValue, newValue),\r\n OldValue = oldValue;\r\n let machineactivitydata = activitydata\r\n | where activityType_d in (52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101)\r\n | parse-kv DataFields_s as (username: string, userName: string, computerName: string, threatClassification: string, ipAddress: string, groupName: string, targetGroupName: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\r\n | lookup EventFieldsLookupMachineActivity on activityType_d\r\n | extend\r\n EventType = EventType_machineactivity,\r\n EventSubType = EventSubType_machineactivity,\r\n ThreatCategory_datafields = threatClassification,\r\n OldValue = groupName,\r\n NewValue = targetGroupName,\r\n ObjectId = agentId_s\r\n | extend ActorUsername = coalesce(username, userName)\r\n | invoke _ASIM_ResolveDvcFQDN('computerName');\r\n let accountactivitydata = activitydata\r\n | where activityType_d in (130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203)\r\n | parse-kv DataFields_s as (username: string, accountName: string, cloudProviderAccountName: string, ipAddress: string, accountId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\r\n | lookup EventFieldsLookupAccountActivity on activityType_d\r\n | extend\r\n EventType = EventType_accountactivity,\r\n EventSubType = EventSubType_accountactivity,\r\n Object = coalesce(accountName, cloudProviderAccountName),\r\n ObjectId = accountId;\r\n let useractivitydata = activitydata\r\n | where activityType_d in (88, 114)\r\n | parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\r\n | lookup EventFieldsLookup_useractivity on activityType_d\r\n | 
lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\r\n | extend\r\n ActorUsername = byUser,\r\n EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),\r\n EventSubType = EventSubType_useractivity,\r\n NewValue = NewValue_fieldenableddisabled;\r\n let rawotheractivitydata = activitydata\r\n | where activityType_d in (RawOtherActivityIds)\r\n | parse-kv DataFields_s as (username: string, userName: string, email: string, globalTwoFaEnabled: string, cloudIntelligenceOn: string, fileDisplayName: string, roleName: string, oldIncidentStatusTitle: string, oldTicketId: string, oldAnalystVerdictTitle: string, oldConfidenceLevel: string, previous: string, oldStatus: string, oldTagName: string, oldTagDescription: string, newIncidentStatusTitle: string, newTicketId: string, newAnalystVerdictTitle: string, newConfidenceLevel: string, newStatus: string, current: string, Status: string, newTagName: string, newTagDescription: string, value: string, rulesAdded: string, rulesRemoved: string, tagsAdded: string, tagsRemoved: string, incidentName: string, ruleName: string, deviceId: string, ip: string, externalIp: string, affectedDevices: string, featureValue: string, featureName: string, recoveryEmail: string, policyName: string, tagName: string, gatewayExternalIp: string, gatewayMac: string, threatClassification: string, ipAddress: string, applicationPath: string, externalId: string, consoleUrl: string, ruleId: string, policyId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\r\n | lookup EventFieldsLookup_otheractivity on activityType_d\r\n | lookup EventTypeLookup_onoff on $left.cloudIntelligenceOn == $right.field\r\n | lookup EventTypeLookup_onoff on $left.globalTwoFaEnabled == $right.field\r\n | extend\r\n ActorUsername = coalesce(username, userName),\r\n EventType = coalesce(EventType_otheractivity, EventType_field, EventType_field1),\r\n EventSubType = EventSubType_otheractivity,\r\n Object = coalesce(Object, 
fileDisplayName, applicationPath, roleName, ruleName, incidentName, recoveryEmail, featureName, policyName, tagName),\r\n NewValue = coalesce(newIncidentStatusTitle, newTicketId, newAnalystVerdictTitle, newConfidenceLevel, newStatus, current, Status, newTagName, newTagDescription, featureValue),\r\n OldValue = coalesce(oldIncidentStatusTitle, oldTicketId, oldAnalystVerdictTitle, oldConfidenceLevel, oldStatus, previous, oldTagName, oldTagDescription),\r\n TargetIpAddr = coalesce(externalIp, ip, gatewayExternalIp),\r\n ThreatCategory_datafields = threatClassification,\r\n RuleName = ruleName,\r\n TargetDvcId = deviceId,\r\n ObjectId = coalesce(ruleId, policyId, externalId, deviceId)\r\n | invoke _ASIM_ResolveDstFQDN('affectedDevices')\r\n | project-rename\r\n TargetHostname = DstHostname,\r\n TargetDomain = DstDomain,\r\n TargetDomainType = DstDomainType,\r\n TargetFQDN = DstFQDN,\r\n TargetUrl = consoleUrl;\r\n let parsedotheractivitydata_eventtype = rawotheractivitydata\r\n | where activityType_d in (5256, 5258)\r\n | extend EventType = case(\r\n isnotempty(rulesAdded) or isnotempty(tagsAdded),\r\n \"Create\",\r\n isnotempty(rulesRemoved) or isnotempty(tagsRemoved),\r\n \"Delete\",\r\n \"Set\"\r\n );\r\n let parsedotheractivitydata_objectvalue = rawotheractivitydata\r\n | where activityType_d in (3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3650, 3651, 3652, 3653, 3654)\r\n | extend Object = strcat(Object, ' ', value);\r\n let parsedotheractivitydata_severity = rawotheractivitydata\r\n | where activityType_d in (2036, 2037, 2030)\r\n | extend EventSeverity_specific = case(\r\n primaryDescription_s has_any (\"to malicious\", \"to True positive\"),\r\n \"High\", \r\n primaryDescription_s has_any (\"to suspicious\", \"to Undefined\"),\r\n \"Medium\",\r\n primaryDescription_s has \"to False positive\",\r\n \"Low\",\r\n \"Informational\"\r\n );\r\n let ParsedActivitydata = union\r\n groupsiteactivitydata,\r\n machineactivitydata,\r\n 
accountactivitydata,\r\n useractivitydata,\r\n rawotheractivitydata,\r\n parsedotheractivitydata_eventtype,\r\n parsedotheractivitydata_objectvalue\r\n | where activityType_d !in(2030, 2036, 2037)\r\n | lookup EventSeverityLookup on EventResult\r\n | lookup EventSeverityLookup_activity on activityType_d;\r\n let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity\r\n | where isnotempty(threatId_s)\r\n | join kind=inner (SentinelOne_CL\r\n | where event_name_s == \"Threats.\"\r\n | project\r\n TimeGenerated,\r\n threatInfo_confidenceLevel_s,\r\n threatInfo_analystVerdict_s,\r\n threatInfo_threatName_s,\r\n threatInfo_incidentStatus_s,\r\n threatInfo_identifiedAt_t,\r\n threatInfo_updatedAt_t,\r\n threatInfo_threatId_s,\r\n mitigationStatus_s)\r\n on $left.threatId_s == $right.threatInfo_threatId_s\r\n | where TimeGenerated1 >= TimeGenerated\r\n | summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;\r\n let undefineddata = UnParsedActivitydatawithThreat\r\n | where threatInfo_confidenceLevel_s == \"Undefined\"\r\n | lookup ThreatConfidenceLookup_undefined on threatInfo_analystVerdict_s;\r\n let suspiciousdata = UnParsedActivitydatawithThreat\r\n | where threatInfo_confidenceLevel_s == \"suspicious\"\r\n | lookup ThreatConfidenceLookup_suspicious on threatInfo_analystVerdict_s;\r\n let maliciousdata = UnParsedActivitydatawithThreat\r\n | where threatInfo_confidenceLevel_s == \"malicious\"\r\n | lookup ThreatConfidenceLookup_malicious on threatInfo_analystVerdict_s;\r\n let ParsedActivitydatawithThreat = union undefineddata, suspiciousdata, maliciousdata\r\n | extend\r\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\r\n AdditionalFields = bag_pack(\r\n \"threatUpdatedAt\",\r\n threatInfo_updatedAt_t,\r\n \"threatAnalystVerdict\",\r\n threatInfo_analystVerdict_s,\r\n \"threatIncidentStatus\",\r\n 
threatInfo_incidentStatus_s,\r\n \"mitigationStatus\",\r\n mitigationStatus_s\r\n )\r\n | project-rename\r\n ThreatId = threatId_s,\r\n ThreatName = threatInfo_threatName_s,\r\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\r\n ThreatCategory_threats = threatInfo_classification_s,\r\n ThreatOriginalConfidence = threatInfo_confidenceLevel_s;\r\n let ParsedActivitydatawithoutThreat = ParsedActivitydata\r\n | where isempty(threatId_s);\r\n union ParsedActivitydatawithThreat, ParsedActivitydatawithoutThreat\r\n | extend \r\n EventSeverity = coalesce(EventSeverity_specific, EventSeverity_activity, EventSeverity_lookup),\r\n EventProduct = \"SentinelOne\",\r\n EventVendor = \"SentinelOne\",\r\n EventSchema = \"AuditEvent\",\r\n EventSchemaVersion = \"0.1\",\r\n EventCount = toint(1),\r\n AdditionalFields = bag_merge(AdditionalFields, todynamic(DataFields_s)),\r\n EventOriginalType = tostring(toint(activityType_d)),\r\n SrcIpAddr = iff(ipAddress != \"null\", ipAddress, \"\"),\r\n DvcAction = iff(EventResult == \"Success\", \"Allow\", \"Deny\"),\r\n ThreatCategory = coalesce(ThreatCategory_datafields, ThreatCategory_threats)\r\n | project-rename\r\n EventStartTime = createdAt_t,\r\n EventUid = _ItemId,\r\n EventMessage = primaryDescription_s,\r\n ActorUserId = userId_s,\r\n DvcId = agentId_s,\r\n EventOriginalUid = activityUuid_g\r\n | extend\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\r\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\r\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\r\n | extend\r\n EventEndTime = EventStartTime,\r\n User = ActorUsername,\r\n IpAddr = SrcIpAddr,\r\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\r\n Dst = coalesce(TargetHostname, TargetIpAddr),\r\n Src = SrcIpAddr,\r\n Rule = RuleName,\r\n 
Value = NewValue\r\n | project-away\r\n *_d,\r\n *_s,\r\n *_t,\r\n *_g,\r\n *_b,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId,\r\n username,\r\n userName,\r\n userFullName,\r\n newValue,\r\n policyEnabled,\r\n siteName,\r\n oldValue,\r\n computerName,\r\n accountName,\r\n cloudProviderAccountName,\r\n email,\r\n globalTwoFaEnabled,\r\n cloudIntelligenceOn,\r\n fileDisplayName,\r\n roleName,\r\n oldIncidentStatusTitle,\r\n oldTicketId,\r\n oldAnalystVerdictTitle,\r\n oldConfidenceLevel,\r\n previous,\r\n oldStatus,\r\n oldTagName,\r\n oldTagDescription,\r\n newIncidentStatusTitle,\r\n newTicketId,\r\n newAnalystVerdictTitle,\r\n newConfidenceLevel,\r\n newStatus,\r\n current,\r\n Status,\r\n newTagName,\r\n newTagDescription,\r\n value,\r\n rulesAdded,\r\n rulesRemoved,\r\n tagsAdded,\r\n tagsRemoved,\r\n incidentName,\r\n ruleName,\r\n deviceId,\r\n ip,\r\n externalIp,\r\n affectedDevices,\r\n featureValue,\r\n featureName,\r\n recoveryEmail,\r\n policyName,\r\n policy,\r\n tagName,\r\n gatewayExternalIp,\r\n gatewayMac,\r\n threatClassification,\r\n applicationPath,\r\n externalId,\r\n groupName,\r\n oldSiteName,\r\n targetGroupName,\r\n ipAddress,\r\n EventType_*,\r\n EventSubType_*,\r\n EventSeverity_*,\r\n NewValue_*,\r\n _ResourceId,\r\n TimeGenerated1,\r\n ThreatCategory_*,\r\n ThreatConfidence_*,\r\n accountId,\r\n policyId,\r\n ruleId,\r\n byUser\r\n };\r\n parser(disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for SentinelOne.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"22c176d1-ff14-5e53-8045-c2ffdda4051a","name":"_ASim_AuditEvent_VMwareCarbonBlackCloudV02","body":"let EventTypeLookup = datatable(temp_type: string, EventType: string)[\r\n\"created\", \"Create\",\r\n\"updated\", \"Set\",\r\n\"deleted\", \"Delete\",\r\n\"added\", \"Create\",\r\n\"modified\", \"Set\"\r\n];\r\nlet parser = 
(disabled: bool=false) {\r\n let allData = CarbonBlackAuditLogs_CL\r\n | where not(disabled)\r\n | where not(description_s has_any (\"logged in\", \"login\"));\r\n let Enabled = allData\r\n | where description_s has_cs \"Enabled\"\r\n | parse description_s with \"Enabled \" temp_object1: string \" in policy \" temp_restmessage1: string\r\n | parse description_s with \"Enabled \" temp_object2: string \" with \" temp_restmessage2: string\r\n | parse description_s with temp_object3: string \" Enabled \" temp_restmessage3: string\r\n | extend\r\n EventType = \"Enable\",\r\n Operation = description_s,\r\n Object = coalesce(temp_object1, temp_object2, temp_object3),\r\n ObjectType = iff(description_s has \"policy\", \"Policy Rule\", \"Configuration Atom\"),\r\n EventSeverity1 = iff(description_s has \"Sensor Bypass\", \"Low\", \"Informational\");\r\n let Set = allData\r\n | where description_s startswith \"Set\"\r\n | parse description_s with \"Set \" temp_field_s: string \" to \" NewValue: string \" for device(s): \" temp_deviceid_s: string\r\n | parse temp_deviceid_s with TargetFQDN: string \" (ID: \" TargetDvcId: string \")\" *\r\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\r\n | extend\r\n Object = temp_field_s,\r\n EventType = \"Set\",\r\n Operation = strcat(\"Set \", temp_field_s, \" to \", NewValue),\r\n ObjectType = \"Configuration Atom\",\r\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s);\r\n let AlertNotify = allData\r\n | where description_s has \"alert notification\"\r\n | parse-kv description_s as (name: string) with (pair_delimiter=\" \", kv_delimiter=\":\")\r\n | parse description_s with temp_type: string \" alert notification \" temp_restmessage: string\r\n | extend\r\n Operation = strcat(temp_type, \" alert notification\"),\r\n temp_type = tolower(temp_type),\r\n Object = coalesce(name, \"alert notification\"),\r\n ObjectType = \"Service\"\r\n | lookup EventTypeLookup on temp_type;\r\n let CustomRole = allData\r\n | where description_s has 
\"custom role\"\r\n | parse description_s with temp_type1: string \" custom role \" temp_rolename1: string \" (psc:role:\" temp_roleid1: string \")\" temp_restmessage1: string \r\n | parse description_s with * \" role \" temp_rolename2: string \" (psc:role:\" temp_roleid2: string \") \" temp_type2: string \" with\" temp_restmessage2: string\r\n | extend\r\n temp_type = tolower(coalesce(temp_type1, temp_type2)),\r\n Object = coalesce(temp_rolename1, temp_rolename2),\r\n ObjectType = \"Other\"\r\n | lookup EventTypeLookup on temp_type\r\n | extend\r\n Operation = strcat(temp_type, \" custom role \", Object),\r\n AdditionalFields = bag_pack(\"role id\", coalesce(temp_roleid1, temp_roleid2));\r\n let Policy = allData\r\n | where description_s startswith \"Policy\"\r\n | parse description_s with \"Policy \" temp_policyname1: string \" (ID: \" temp_policyid1 \") \" temp_type1: string \" successfully\"\r\n | parse description_s with \"Policy \" temp_policyname2: string \" (ID: \" temp_policyid2: string \") \" temp_type2: string \" and renamed to \" NewValue: string \" (ID: \" temp_restmessage2: string\r\n | parse description_s with \"Policy \" temp_policyname3: string \" (ID: \" temp_policyid3 \") \" temp_type3: string\r\n | extend\r\n Object = coalesce(temp_policyname1, temp_policyname2, temp_policyname3),\r\n ObjectType = \"Policy Rule\",\r\n temp_type = replace_regex(coalesce(temp_type1, temp_type2, temp_type3), @'[is,was]* (\\S+)', @'\\1'),\r\n OldValue = temp_policyname2,\r\n AdditionalFields = bag_pack(\"policy id\", coalesce(temp_policyid1, temp_policyid2, temp_policyid3))\r\n | lookup EventTypeLookup on temp_type\r\n | extend\r\n Operation = iff(isnotempty(temp_type2), strcat(\"Policy \", Object, \" \", temp_type, \" and renamed to \", NewValue), strcat(\"Policy \", Object, \" \", temp_type));\r\n let Changed = allData\r\n | where description_s startswith \"Changed policy\"\r\n | parse description_s with temp_operation_s: string \" to \" NewValue: string \")\" * 
\"device(s): \" temp_deviceid_s: string \r\n | extend\r\n EventType = \"Set\",\r\n Operation = strcat(temp_operation_s, \" to \", NewValue),\r\n Object = NewValue,\r\n ObjectType = \"Policy Rule\",\r\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\r\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\r\n let ParamsUpdated = allData\r\n | where description_s startswith \"Parameters updated\"\r\n | parse description_s with \"Parameters updated for \" temp_config1: string \" (ID: \" temp_configid1: string \") for policy \" temp_policyname1: string \" (ID: \" temp_policyid1: string \")\" temp_restmessage1: string\r\n | parse description_s with \"Parameters updated for \" temp_config2: string \" (ID: \" temp_configid2: string \") for policy with ID \" temp_policyid2: string\r\n | extend\r\n temp_operation = coalesce(temp_config1, temp_config2),\r\n temp_configid = coalesce(temp_configid1, temp_configid2)\r\n | extend\r\n EventType = \"Set\", \r\n Operation = strcat(\"Parameters updated for \", temp_operation, \" for policy \", temp_policyname1, tostring(split(temp_policyid2, \"{\")[0])),\r\n Object = strcat(\"Policy \", coalesce(temp_policyname1, temp_policyid2)),\r\n ObjectType = \"Policy Rule\",\r\n AdditionalFields = bag_pack(\"config id\", temp_configid);\r\n let Reputation = allData\r\n | where description_s has_cs \"Reputation\"\r\n | parse description_s with \"User \" * \" \" temp_type1: string \" Reputation\" * \" for Organization ID \" temp_orgid1: string \" of type \" temp_reptype1: string \" to \" temp_list1: string \" with content: \" temp_content1: string \" | \" temp_restmessage1: string\r\n | parse description_s with \"User \" * \" \" temp_type2: string \" Reputation\" * \" for Organization ID \" temp_orgid2: string \": \" temp_content2: string \" | \" temp_restmessage2: string\r\n | extend\r\n temp_type = coalesce(temp_type1, temp_type2),\r\n Object = iff(isnotempty(temp_reptype1), 
strcat(\"Reputation Override of type \", temp_reptype1), \"Reputation Override\"),\r\n ObjectType = \"Configuration Atom\"\r\n | lookup EventTypeLookup on temp_type\r\n | extend\r\n Operation = strcat(temp_type, \" \", Object),\r\n ActorScopeId = coalesce(temp_orgid1, temp_orgid2),\r\n AdditionalFields = bag_pack(\"reputation value\", coalesce(temp_content1, temp_content2));\r\n let PolicyUpdateApplied = allData\r\n | where description_s has \"Policy update applied\"\r\n | parse description_s with * \"policy to \" Object: string\r\n | extend\r\n EventType = \"Set\",\r\n Operation = \"Policy update applied\",\r\n ObjectType = \"Policy Rule\",\r\n OriginalObjectType = \"Policy\"\r\n ;\r\n let auto_deletion = allData\r\n | where description_s has_all (\"auto-deletion\", \"devices\")\r\n | parse description_s with TargetFQDN: string \" \" *\r\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\r\n | extend\r\n EventType = \"Delete\",\r\n Operation = \"auto-deletion\",\r\n Object = TargetFQDN,\r\n ObjectType = \"Directory Service Object\",\r\n OriginalObjectType = \"Device\";\r\n let Hash_Deleted = allData\r\n | where description_s startswith \"Hash - \"\r\n | parse description_s with \"Hash - \" HashName_s: string \" \" * \"on device \" TargetFQDN: string\r\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\r\n | extend\r\n EventType = \"Delete\",\r\n Operation = \"Delete Request\",\r\n Object = HashName_s,\r\n ObjectType = \"Configuration Atom\",\r\n OriginalObjectType = \"Hash\";\r\n let Failure_Deleting_Hash = allData\r\n | where description_s startswith \"Failure deleting hash\"\r\n | parse description_s with \"Failure deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\r\n | extend\r\n EventType = \"Delete\",\r\n Operation = \"Deleting hash\",\r\n Object = HashName_s,\r\n ObjectType = \"Configuration Atom\",\r\n OriginalObjectType = \"Hash\",\r\n EventResult = \"Failure\";\r\n let Delete_Hash = 
allData\r\n | where description_s startswith \"Delete Hash\"\r\n | parse description_s with \"Delete Hash \" HashName_s: string \" \" * \"device(s): \" temp_deviceid_s: string\r\n | extend\r\n EventType = \"Delete\",\r\n Operation = \"Delete Hash\",\r\n Object = HashName_s,\r\n ObjectType = \"Configuration Atom\",\r\n OriginalObjectType = \"Hash\",\r\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\r\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\r\n let Success_Deleting_Hash = allData\r\n | where description_s startswith \"Success deleting hash\"\r\n | parse description_s with \"Success deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\r\n | extend\r\n EventType = \"Delete\",\r\n Operation = \"Deleting hash\",\r\n Object = HashName_s,\r\n ObjectType = \"Configuration Atom\",\r\n OriginalObjectType = \"Hash\",\r\n EventResult = \"Success\";\r\n let DeviceUninstalled = allData\r\n | where description_s has_all (\"Device\", \"uninstalled\")\r\n | parse description_s with \"Device \" TargetFQDN: string \" with deviceId \" TargetDvcId: string \" \" *\r\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\r\n | extend\r\n EventType = \"Uninstall\",\r\n Operation = \"Uninstall\",\r\n Object = TargetFQDN,\r\n ObjectType = \"Directory Service Object\",\r\n OriginalObjectType = \"Device\";\r\n let DeviceReset = allData\r\n | where description_s startswith (\"Device reset requested\")\r\n | parse description_s with \"Device reset requested on device \" TargetDvcId: string\r\n | extend \r\n EventType = \"Set\",\r\n Operation = \"Device reset\",\r\n Object = TargetDvcId,\r\n ObjectType = \"Directory Service Object\",\r\n OriginalObjectType = \"Device\";\r\n let CreateOrModifyPolicy = allData\r\n | where description_s startswith \"Request received to\"\r\n | parse description_s with * \"policy \" Object: string\r\n | extend\r\n EventType = 
case(\r\n description_s has \"modify policy\",\r\n \"Set\", \r\n description_s has \"create new policy\",\r\n \"Create\",\r\n \"\"\r\n ),\r\n Operation = case(\r\n description_s has \"modify policy\",\r\n \"modify policy\", \r\n description_s has \"create new policy\",\r\n \"create new policy\",\r\n \"\"\r\n ),\r\n Object = replace_string(Object, \"- \", \"\"),\r\n ObjectType = \"Policy Rule\",\r\n OriginalObjectType = \"Policy\";\r\n let LogsRequested = allData\r\n | where description_s startswith (\"Logs requested\")\r\n | parse description_s with \"Logs requested for device \" TargetDvcId: string\r\n | extend \r\n EventType = \"Read\",\r\n Operation = \"Logs requested\",\r\n Object = TargetDvcId,\r\n ObjectType = \"Directory Service Object\",\r\n OriginalObjectType = \"Device\";\r\n let Re_Registration = allData\r\n | where description_s startswith \"Re-registration of device\"\r\n | parse description_s with \"Re-registration of device\" TargetFQDN: string \" of \" TargetDvcId: string \" device completed\" *\r\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\r\n | extend\r\n EventType = \"Enable\",\r\n Operation = \"Re-registration of device\",\r\n Object = TargetFQDN,\r\n ObjectType = \"Directory Service Object\",\r\n OriginalObjectType = \"Device\";\r\n union\r\n Enabled,\r\n Set,\r\n AlertNotify,\r\n CustomRole,\r\n Policy,\r\n Changed,\r\n ParamsUpdated,\r\n Reputation,\r\n PolicyUpdateApplied,\r\n auto_deletion,\r\n Hash_Deleted,\r\n Failure_Deleting_Hash,\r\n Delete_Hash,\r\n Success_Deleting_Hash,\r\n DeviceUninstalled,\r\n DeviceReset,\r\n CreateOrModifyPolicy,\r\n LogsRequested,\r\n Re_Registration\r\n | extend\r\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\r\n EventSeverity = coalesce(EventSeverity1, \"Informational\"),\r\n AdditionalFields = bag_merge(AdditionalFields, bag_pack(\"flagged\", flagged_b, \"request url\", requestUrl_s))\r\n | extend\r\n EventProduct = \"Carbon Black Cloud\",\r\n EventSchema = \"AuditEvent\",\r\n 
EventSchemaVersion = \"0.1\",\r\n EventVendor = \"VMware\",\r\n EventResult = iif(isnotempty(EventResult), EventResult, \"Success\"),\r\n EventCount = int(1)\r\n | project-rename\r\n ActorUsername = loginName_s,\r\n EventUid = _ItemId,\r\n SrcIpAddr = clientIp_s,\r\n EventMessage = description_s,\r\n EventOriginalUid = eventId_g,\r\n ActorScope = orgName_s\r\n | extend\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\r\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\r\n EventEndTime = EventStartTime,\r\n Src = SrcIpAddr,\r\n IpAddr = SrcIpAddr,\r\n Dvc = EventProduct,\r\n User = ActorUsername,\r\n Value = NewValue,\r\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\r\n | project-away \r\n *_s,\r\n *_d,\r\n *_b,\r\n temp*,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId,\r\n _ResourceId,\r\n name,\r\n EventSeverity1\r\n};\r\nparser(disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for VMware Carbon Black Cloud.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"2ce6a16e-0477-5513-9727-033e4a21887a","name":"_ASim_AuditEvent_VectraXDRAuditV01","body":"let parser = (disabled:bool = false)\r\n{\r\n Audits_Data_CL\r\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\r\n | extend\r\n EventEndTime = event_timestamp_t,\r\n EventProduct = 'XDR',\r\n EventSchema = \"AuditEvent\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventStartTime = event_timestamp_t,\r\n EventType = \"Other\",\r\n EventVendor = 'Vectra',\r\n Type = \"Audit Log\",\r\n EventUid = tostring(toint(id_d)),\r\n ActorUserId = tostring(toint(user_id_d)),\r\n ActorUserIdType = \"UID\",\r\n ActorUsernameType = \"UPN\",\r\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\r\n | 
project-rename\r\n Dvc = source_ip_s,\r\n Operation = event_action_s,\r\n ActorUsername = username_s,\r\n Object = event_object_s,\r\n ActorOriginalUserType = user_type_s,\r\n EventMessage = Message,\r\n EventProductVersion = version_s\r\n | extend User = ActorUsername\r\n | project-away\r\n id_d, user_id_d, user_role_s, result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\r\n};\r\nparser (disabled=disabled)","parameters":"disabled:bool = false","description":"Audit Event ASIM parser for Vectra XDR Audit Logs Event.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"e40a1659-cd0a-5d18-bd5c-c02e366ae3ff","name":"_Im_AuditEvent","body":"union isfuzzy=true\r\n_Im_AuditEventBuiltIn(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any, pack= pack),\r\nIm_AuditEventSolutions(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any, pack= pack),\r\nIm_AuditEventCustom(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any, pack= pack)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), 
actorusername_has_any:dynamic = dynamic([]), operation_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresult:string = '*', object_has_any:dynamic = dynamic([]), newvalue_has_any:dynamic = dynamic([]), pack:bool = false","description":"Audit event ASIM filtering parser.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"dd2fa0d1-84ff-519c-87d9-2dc811b31b69","name":"_Im_AuditEventBuiltIn","body":"let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') \r\n| where SearchKey in ('Any', 'Exclude_Im_AuditEvent') \r\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') \r\n| where isnotempty(SourceSpecificParser) \r\n| summarize list = make_set(SourceSpecificParser));\r\nlet builtInDisabled = 0 != array_length(set_intersect(toscalar(DisabledParsers),dynamic(['Exclude_Im_AuditEventBuiltIn', 'Exclude_Im_AuditEvent', 'Any'])));\r\nunion isfuzzy=true\r\n_Im_AuditEvent_AWSCloudTrailV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any, disabled= (builtInDisabled or('Exclude_Im_AuditEvent_AWSCloudTrail' in (DisabledParsers))), pack= pack),\r\n_Im_AuditEvent_AzureActivityV03(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any, disabled= (builtInDisabled or('Exclude_Im_AuditEvent_AzureActivity' in (DisabledParsers)))),\r\n_Im_AuditEvent_AzureKeyVaultV01(disabled= (builtInDisabled or('Exclude_Im_AuditEvent_AzureKeyVault' in (DisabledParsers))), starttime= starttime, 
endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, actorusername_has_any= actorusername_has_any, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any),\r\n_Im_AuditEvent_BarracudaCEFV02(disabled= (builtInDisabled or('Exclude_Im_AuditEvent_BarracudaCEF' in (DisabledParsers))), starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, eventtype_in= eventtype_in, eventresult= eventresult, newvalue_has_any= newvalue_has_any, operation_has_any= operation_has_any),\r\n_Im_AuditEvent_BarracudaWAFV02(disabled= (builtInDisabled or('Exclude_Im_AuditEvent_BarracudaWAF' in (DisabledParsers))), starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, eventtype_in= eventtype_in, eventresult= eventresult, newvalue_has_any= newvalue_has_any, operation_has_any= operation_has_any),\r\n_Im_AuditEvent_CiscoISEV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any, disabled= (builtInDisabled or('Exclude_Im_AuditEvent_CiscoISE' in (DisabledParsers)))),\r\n_Im_AuditEvent_CiscoMerakiV02(disabled= (builtInDisabled or('Exclude_Im_AuditEvent_CiscoMeraki' in (DisabledParsers))), starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, actorusername_has_any= actorusername_has_any, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any),\r\n_Im_AuditEvent_CiscoMerakiSyslogV02(disabled= (builtInDisabled or('Exclude_Im_AuditEvent_CiscoMerakiSyslog' in (DisabledParsers))), starttime= starttime, endtime= endtime, 
srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, actorusername_has_any= actorusername_has_any, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any),\r\n_Im_AuditEvent_CrowdStrikeFalconHostV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, eventtype_in= eventtype_in, eventresult= eventresult, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any, disabled= (builtInDisabled or('Exclude_Im_AuditEvent_CrowdStrikeFalconHost' in (DisabledParsers)))),\r\n_Im_AuditEvent_EmptyV03,\r\n_Im_AuditEvent_IllumioSaaSCoreV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any, disabled= (builtInDisabled or('Exclude_Im_AuditEvent_IllumioSaaSCore' in (DisabledParsers)))),\r\n_Im_AuditEvent_InfobloxBloxOneV01(disabled= (builtInDisabled or('Exclude_Im_AuditEvent_InfobloxBloxOne' in (DisabledParsers))), starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, actorusername_has_any= actorusername_has_any, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any),\r\n_Im_AuditEvent_MicrosoftEventV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any, disabled= (builtInDisabled or('Exclude_Im_AuditEvent_MicrosoftEvent' in 
(DisabledParsers)))),\r\n_Im_AuditEvent_MicrosoftExchangeAdmin365V02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any, disabled= (builtInDisabled or('Exclude_Im_AuditEvent_MicrosoftExchangeAdmin365' in (DisabledParsers)))),\r\n_Im_AuditEvent_MicrosoftSecurityEventsV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any, disabled= (builtInDisabled or('Exclude_Im_AuditEvent_MicrosoftSecurityEvents' in (DisabledParsers)))),\r\n_Im_AuditEvent_MicrosoftWindowsEventsV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any, disabled= (builtInDisabled or('Exclude_Im_AuditEvent_MicrosoftWindowsEvents' in (DisabledParsers)))),\r\n_Im_AuditEvent_NativeV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any, disabled= (builtInDisabled or('Exclude_Im_AuditEvent_Native' in (DisabledParsers)))),\r\n_Im_AuditEvent_SentinelOneV01(disabled= (builtInDisabled or('Exclude_Im_AuditEvent_SentinelOne' in (DisabledParsers))), starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, 
operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, actorusername_has_any= actorusername_has_any, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any),\r\n_Im_AuditEvent_SQLSecurityAuditV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, eventtype_in= eventtype_in, eventresult= eventresult, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any, disabled= (builtInDisabled or('Exclude_Im_AuditEvent_SQLSecurityAudit' in (DisabledParsers))), pack= pack),\r\n_Im_AuditEvent_VectraXDRAuditV01(disabled= (builtInDisabled or('Exclude_Im_AuditEvent_VectraXDRAudit' in (DisabledParsers))), eventresult= eventresult, starttime= starttime, endtime= endtime, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, object_has_any= object_has_any),\r\n_Im_AuditEvent_VMwareCarbonBlackCloudV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, eventtype_in= eventtype_in, eventresult= eventresult, actorusername_has_any= actorusername_has_any, operation_has_any= operation_has_any, object_has_any= object_has_any, newvalue_has_any= newvalue_has_any, disabled= (builtInDisabled or('Exclude_Im_AuditEvent_VMwareCarbonBlackCloud' in (DisabledParsers))))\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), operation_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresult:string = '*', object_has_any:dynamic = dynamic([]), newvalue_has_any:dynamic = dynamic([]), pack:bool = false","description":"Audit event ASIM built-in union 
parser.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"8cd8a334-35a9-5099-9075-443aa11153eb","name":"_Im_AuditEvent_AWSCloudTrailV01","body":"let DetermineEC2NewValue = (T: (EventResult: string, EventName: string, RequestParameters: dynamic, ResponseElements: dynamic)) {\r\n T\r\n | extend NewValue = iff(EventResult == \"Success\", case(\r\n EventName == \"AcceptTransitGatewayMulticastDomainAssociations\", ResponseElements.associations,\r\n EventName == \"AcceptTransitGatewayPeeringAttachment\", ResponseElements.transitGatewayPeeringAttachment,\r\n EventName == \"AcceptTransitGatewayVpcAttachment\", ResponseElements.transitGatewayVpcAttachment,\r\n EventName == \"AcceptVpcPeeringConnection\", ResponseElements.vpcPeeringConnection,\r\n EventName == \"AllocateAddress\", ResponseElements.allocationId,\r\n EventName == \"AllocateHosts\", ResponseElements.hostIdSet,\r\n EventName == \"AllocateIpamPoolCidr\", RequestParameters.AllowedCidr,\r\n EventName == \"ApplySecurityGroupsToClientVpnTargetNetwork\", ResponseElements.securityGroupIds,\r\n EventName == \"AssignIpv6Addresses\", ResponseElements.assignedIpv6Addresses,\r\n EventName == \"AssignPrivateIpAddresses\", ResponseElements.assignedIpv4PrefixSet,\r\n EventName == \"AssignPrivateNatGatewayAddress\", RequestParameters.PrivateIpAddress,\r\n EventName == \"AssociateAddress\", ResponseElements.associationId,\r\n EventName == \"AssociateCapacityReservationBillingOwner\", RequestParameters.CapacityReservationId,\r\n EventName == \"AssociateClientVpnTargetNetwork\", ResponseElements.associationId,\r\n EventName == \"AssociateDhcpOptions\", RequestParameters.DhcpOptionsId,\r\n EventName == \"AssociateEnclaveCertificateIamRole\", RequestParameters.RoleArn,\r\n EventName == \"AssociateIamInstanceProfile\", ResponseElements.iamInstanceProfileAssociation,\r\n EventName == \"AssociateInstanceEventWindow\", ResponseElements.instanceEventWindow,\r\n 
EventName == \"AssociateIpamByoasn\", ResponseElements.asnAssociation,\r\n EventName == \"AssociateIpamResourceDiscovery\", ResponseElements.ipamResourceDiscoveryAssociation,\r\n EventName == \"AssociateNatGatewayAddress\", ResponseElements.natGatewayAddressSet,\r\n EventName == \"AssociateRouteServer\", ResponseElements.routeServerAssociation,\r\n EventName == \"AssociateRouteTable\", ResponseElements.associationId,\r\n EventName == \"AssociateSecurityGroupVpc\", RequestParameters.GroupId,\r\n EventName == \"AssociateSubnetCidrBlock\", ResponseElements.ipv6CidrBlockAssociation,\r\n EventName == \"AssociateTransitGatewayMulticastDomain\", ResponseElements.associations,\r\n EventName == \"AssociateTransitGatewayPolicyTable\", ResponseElements.association,\r\n EventName == \"AssociateTransitGatewayRouteTable\", ResponseElements.association,\r\n EventName == \"AssociateTrunkInterface\", ResponseElements.interfaceAssociation,\r\n EventName == \"AssociateVpcCidrBlock\", coalesce(ResponseElements.cidrBlockAssociation,ResponseElements.ipv6CidrBlockAssociation),\r\n EventName == \"AttachClassicLinkVpc\", RequestParameters.InstanceId,\r\n EventName == \"AttachInternetGateway\", RequestParameters.InternetGatewayId,\r\n EventName == \"AttachNetworkInterface\", ResponseElements.attachmentId,\r\n EventName == \"AttachVerifiedAccessTrustProvider\", ResponseElements.verifiedAccessInstance,\r\n EventName == \"AttachVolume\", ResponseElements.volumeId,\r\n EventName == \"AttachVpnGateway\", ResponseElements.attachment,\r\n EventName == \"AuthorizeClientVpnIngress\", ResponseElements.status,\r\n EventName == \"AuthorizeSecurityGroupEgress\", ResponseElements.securityGroupRuleSet,\r\n EventName == \"AuthorizeSecurityGroupIngress\", ResponseElements.securityGroupRuleSet,\r\n EventName == \"BundleInstance\", ResponseElements.bundleInstanceTask,\r\n EventName == \"CancelBundleTask\", ResponseElements.bundleInstanceTask,\r\n EventName == \"CancelCapacityReservationFleets\", 
ResponseElements.successfulFleetCancellationSet,\r\n EventName == \"CancelReservedInstancesListing\", ResponseElements.reservedInstancesListingsSet,\r\n EventName == \"CancelSpotFleetRequests\", ResponseElements.successfulFleetRequestSet,\r\n EventName == \"CancelSpotInstanceRequests\", ResponseElements.spotInstanceRequestSet,\r\n EventName == \"ConfirmProductInstance\", ResponseElements.ownerId,\r\n EventName == \"CopyFpgaImage\", ResponseElements.fpgaImageId,\r\n EventName == \"CopyImage\", ResponseElements.imageId,\r\n EventName == \"CopySnapshot\", ResponseElements.snapshotId,\r\n EventName == \"CopyVolumes\", ResponseElements.volumeSet,\r\n EventName == \"CreateCapacityManagerDataExport\", ResponseElements.capacityManagerDataExportId,\r\n EventName == \"CreateCapacityReservation\", ResponseElements.capacityReservation,\r\n EventName == \"CreateCapacityReservationBySplitting\", ResponseElements.destinationCapacityReservation,\r\n EventName == \"CreateCapacityReservationFleet\", ResponseElements.state,\r\n EventName == \"CreateCarrierGateway\", ResponseElements.carrierGateway,\r\n EventName == \"CreateClientVpnEndpoint\", ResponseElements.dnsName,\r\n EventName == \"CreateClientVpnRoute\", ResponseElements.status,\r\n EventName == \"CreateCoipCidr\", ResponseElements.coipCidr,\r\n EventName == \"CreateCoipPool\", ResponseElements.coipPool,\r\n EventName == \"CreateCustomerGateway\", ResponseElements.customerGateway,\r\n EventName == \"CreateDefaultSubnet\", ResponseElements.subnet,\r\n EventName == \"CreateDefaultVpc\", ResponseElements.vpc,\r\n EventName == \"CreateDelegateMacVolumeOwnershipTask\", ResponseElements.macModificationTask,\r\n EventName == \"CreateDhcpOptions\", ResponseElements.dhcpOptions,\r\n EventName == \"CreateEgressOnlyInternetGateway\", ResponseElements.egressOnlyInternetGateway,\r\n EventName == \"CreateFleet\", ResponseElements.fleetInstanceSet,\r\n EventName == \"CreateFlowLogs\", ResponseElements.unsuccessful,\r\n EventName == 
\"CreateFpgaImage\", ResponseElements.fpgaImageGlobalId,\r\n EventName == \"CreateImage\", ResponseElements.imageId,\r\n EventName == \"CreateImageUsageReport\", ResponseElements.reportId,\r\n EventName == \"CreateInstanceConnectEndpoint\", ResponseElements.instanceConnectEndpoint,\r\n EventName == \"CreateInstanceEventWindow\", ResponseElements.instanceEventWindow,\r\n EventName == \"CreateInstanceExportTask\", ResponseElements.exportTask,\r\n EventName == \"CreateInternetGateway\", ResponseElements.internetGateway,\r\n EventName == \"CreateInterruptibleCapacityReservationAllocation\", ResponseElements.interruptionType,\r\n EventName == \"CreateIpam\", ResponseElements.ipam,\r\n EventName == \"CreateIpamExternalResourceVerificationToken\", ResponseElements.ipamExternalResourceVerificationToken,\r\n EventName == \"CreateIpamPolicy\", ResponseElements.ipamPolicy,\r\n EventName == \"CreateIpamPool\", ResponseElements.ipamPool,\r\n EventName == \"CreateIpamPrefixListResolver\", ResponseElements.ipamPrefixListResolver,\r\n EventName == \"CreateIpamPrefixListResolverTarget\", ResponseElements.ipamPrefixListResolverTarget,\r\n EventName == \"CreateIpamResourceDiscovery\", ResponseElements.ipamResourceDiscovery,\r\n EventName == \"CreateIpamScope\", ResponseElements.ipamScope,\r\n EventName == \"CreateLaunchTemplate\", ResponseElements.launchTemplate,\r\n EventName == \"CreateLaunchTemplateVersion\", ResponseElements.launchTemplateVersion,\r\n EventName == \"CreateLocalGatewayRoute\", ResponseElements.route,\r\n EventName == \"CreateLocalGatewayRouteTable\", ResponseElements.localGatewayRouteTable,\r\n EventName == \"CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation\", ResponseElements.localGatewayRouteTableVirtualInterfaceGroupAssociation,\r\n EventName == \"CreateLocalGatewayRouteTableVpcAssociation\", ResponseElements.localGatewayRouteTableVpcAssociation,\r\n EventName == \"CreateLocalGatewayVirtualInterface\", 
ResponseElements.localGatewayVirtualInterface,\r\n EventName == \"CreateLocalGatewayVirtualInterfaceGroup\", ResponseElements.localGatewayVirtualInterfaceGroup,\r\n EventName == \"CreateMacSystemIntegrityProtectionModificationTask\", ResponseElements.macModificationTask,\r\n EventName == \"CreateManagedPrefixList\", ResponseElements.prefixList,\r\n EventName == \"CreateNatGateway\", ResponseElements.natGateway,\r\n EventName == \"CreateNetworkAcl\", ResponseElements.networkAcl,\r\n EventName == \"CreateNetworkAclEntry\", RequestParameters.RuleNumber,\r\n EventName == \"CreateNetworkInsightsAccessScope\", ResponseElements.networkInsightsAccessScopeContent,\r\n EventName == \"CreateNetworkInsightsPath\", ResponseElements.networkInsightsPath,\r\n EventName == \"CreateNetworkInterface\", ResponseElements.networkInterface,\r\n EventName == \"CreateNetworkInterfacePermission\", ResponseElements.interfacePermission,\r\n EventName == \"CreatePlacementGroup\", ResponseElements.placementGroup,\r\n EventName == \"CreateReplaceRootVolumeTask\", ResponseElements.replaceRootVolumeTask,\r\n EventName == \"CreateReservedInstancesListing\", ResponseElements.reservedInstancesListingsSet,\r\n EventName == \"CreateRestoreImageTask\", ResponseElements.imageId,\r\n EventName == \"CreateRouteServer\", ResponseElements.routeServer,\r\n EventName == \"CreateRouteServerEndpoint\", ResponseElements.routeServerEndpoint,\r\n EventName == \"CreateRouteServerPeer\", ResponseElements.routeServerPeer,\r\n EventName == \"CreateRouteTable\", ResponseElements.routeTable,\r\n EventName == \"CreateSecondaryNetwork\", ResponseElements.secondaryNetwork,\r\n EventName == \"CreateSecondarySubnet\", ResponseElements.secondarySubnet,\r\n EventName == \"CreateSecurityGroup\", ResponseElements.groupId,\r\n EventName == \"CreateSnapshot\", ResponseElements,\r\n EventName == \"CreateSnapshots\", ResponseElements.snapshotSet,\r\n EventName == \"CreateSpotDatafeedSubscription\", 
ResponseElements.spotDatafeedSubscription,\r\n EventName == \"CreateSubnet\", ResponseElements.subnet,\r\n EventName == \"CreateSubnetCidrReservation\", ResponseElements.subnetCidrReservation,\r\n EventName == \"CreateTags\", RequestParameters.tagSet.items,\r\n EventName == \"CreateTrafficMirrorFilter\", ResponseElements.trafficMirrorFilter,\r\n EventName == \"CreateTrafficMirrorFilterRule\", ResponseElements.trafficMirrorFilterRule,\r\n EventName == \"CreateTrafficMirrorSession\", ResponseElements.trafficMirrorSession,\r\n EventName == \"CreateTrafficMirrorTarget\", ResponseElements.trafficMirrorTarget,\r\n EventName == \"CreateTransitGateway\", ResponseElements.transitGateway,\r\n EventName == \"CreateTransitGatewayConnect\", ResponseElements.transitGatewayConnect,\r\n EventName == \"CreateTransitGatewayConnectPeer\", ResponseElements.transitGatewayConnectPeer,\r\n EventName == \"CreateTransitGatewayMeteringPolicy\", ResponseElements.transitGatewayMeteringPolicy,\r\n EventName == \"CreateTransitGatewayMeteringPolicyEntry\", ResponseElements.transitGatewayMeteringPolicyEntry,\r\n EventName == \"CreateTransitGatewayMulticastDomain\", ResponseElements.transitGatewayMulticastDomain,\r\n EventName == \"CreateTransitGatewayPeeringAttachment\", ResponseElements.transitGatewayPeeringAttachment,\r\n EventName == \"CreateTransitGatewayPolicyTable\", ResponseElements.transitGatewayPolicyTable,\r\n EventName == \"CreateTransitGatewayPrefixListReference\", ResponseElements.transitGatewayPrefixListReference,\r\n EventName == \"CreateTransitGatewayRoute\", ResponseElements.route,\r\n EventName == \"CreateTransitGatewayRouteTable\", ResponseElements.transitGatewayRouteTable,\r\n EventName == \"CreateTransitGatewayRouteTableAnnouncement\", ResponseElements.transitGatewayRouteTableAnnouncement,\r\n EventName == \"CreateTransitGatewayVpcAttachment\", ResponseElements.transitGatewayVpcAttachment,\r\n EventName == \"CreateVerifiedAccessEndpoint\", 
ResponseElements.verifiedAccessEndpoint,\r\n EventName == \"CreateVerifiedAccessGroup\", ResponseElements.verifiedAccessGroup,\r\n EventName == \"CreateVerifiedAccessInstance\", ResponseElements.verifiedAccessInstance,\r\n EventName == \"CreateVerifiedAccessTrustProvider\", ResponseElements.verifiedAccessTrustProvider,\r\n EventName == \"CreateVolume\", ResponseElements,\r\n EventName == \"CreateVpc\", ResponseElements.vpc,\r\n EventName == \"CreateVpcBlockPublicAccessExclusion\", ResponseElements.vpcBlockPublicAccessExclusion,\r\n EventName == \"CreateVpcEncryptionControl\", ResponseElements.vpcEncryptionControl,\r\n EventName == \"CreateVpcEndpoint\", ResponseElements.vpcEndpoint,\r\n EventName == \"CreateVpcEndpointConnectionNotification\", ResponseElements.connectionNotification,\r\n EventName == \"CreateVpcEndpointServiceConfiguration\", ResponseElements.serviceConfiguration,\r\n EventName == \"CreateVpcPeeringConnection\", ResponseElements.vpcPeeringConnection,\r\n EventName == \"CreateVpnConcentrator\", ResponseElements.vpnConcentrator,\r\n EventName == \"CreateVpnConnection\", ResponseElements.vpnConnection,\r\n EventName == \"CreateVpnConnectionRoute\", RequestParameters.DestinationCidrBlock,\r\n EventName == \"CreateVpnGateway\", ResponseElements.vpnGateway,\r\n EventName == \"DeleteClientVpnRoute\", ResponseElements.status,\r\n EventName == \"DeleteCoipCidr\", ResponseElements.coipCidr,\r\n EventName == \"DeleteLocalGatewayRoute\", ResponseElements.route,\r\n EventName == \"DeleteNetworkAclEntry\", RequestParameters.RuleNumber,\r\n EventName == \"DeleteTransitGatewayMeteringPolicyEntry\", ResponseElements.transitGatewayMeteringPolicyEntry,\r\n EventName == \"DeleteTransitGatewayPrefixListReference\", ResponseElements.transitGatewayPrefixListReference,\r\n EventName == \"DeleteTransitGatewayRoute\", ResponseElements.route,\r\n EventName == \"DeprovisionByoipCidr\", ResponseElements.byoipCidr,\r\n EventName == \"DeprovisionIpamByoasn\", 
ResponseElements.byoasn,\r\n EventName == \"DeprovisionIpamPoolCidr\", ResponseElements.ipamPoolCidr,\r\n EventName == \"DeprovisionPublicIpv4PoolCidr\", ResponseElements.deprovisionedAddressSet,\r\n EventName == \"DeregisterTransitGatewayMulticastGroupMembers\", ResponseElements.deregisteredMulticastGroupMembers,\r\n EventName == \"DeregisterTransitGatewayMulticastGroupSources\", ResponseElements.deregisteredMulticastGroupSources,\r\n EventName == \"EnableAddressTransfer\", ResponseElements.addressTransfer,\r\n EventName == \"EnableAllowedImagesSettings\", RequestParameters.AllowedImagesSettingsState,\r\n EventName == \"EnableAwsNetworkPerformanceMetricSubscription\", RequestParameters.Source,\r\n EventName == \"EnableCapacityManager\", ResponseElements.output,\r\n EventName == \"EnableEbsEncryptionByDefault\", ResponseElements.ebsEncryptionByDefault,\r\n EventName == \"EnableIpamOrganizationAdminAccount\", ResponseElements.success,\r\n EventName == \"EnableRouteServerPropagation\", ResponseElements.routeServerPropagation,\r\n EventName == \"EnableSerialConsoleAccess\", ResponseElements.serialConsoleAccessEnabled,\r\n EventName == \"EnableTransitGatewayRouteTablePropagation\", ResponseElements.propagation,\r\n EventName == \"ExportClientVpnClientCertificateRevocationList\", ResponseElements.status,\r\n EventName == \"ExportClientVpnClientConfiguration\", ResponseElements.clientConfiguration,\r\n EventName == \"ExportImage\", ResponseElements.s3ExportLocation,\r\n EventName == \"ExportTransitGatewayRoutes\", ResponseElements.s3Location,\r\n EventName == \"ExportVerifiedAccessInstanceClientConfiguration\", ResponseElements.openVpnConfigurationSet,\r\n EventName == \"ImportImage\", ResponseElements,\r\n EventName == \"ImportInstance\", ResponseElements.conversionTask,\r\n EventName == \"ImportKeyPair\", ResponseElements,\r\n EventName == \"ImportSnapshot\", ResponseElements.snapshotTaskDetail,\r\n EventName == \"ImportVolume\", ResponseElements.conversionTask,\r\n 
EventName == \"LockSnapshot\", ResponseElements,\r\n EventName == \"ModifyAddressAttribute\", ResponseElements.address,\r\n EventName == \"ModifyClientVpnEndpoint\", RequestParameters.Description,\r\n EventName == \"ModifyDefaultCreditSpecification\", ResponseElements.instanceFamilyCreditSpecification,\r\n EventName == \"ModifyEbsDefaultKmsKeyId\", ResponseElements.kmsKeyId,\r\n EventName == \"ModifyFpgaImageAttribute\", ResponseElements.fpgaImageAttribute,\r\n EventName == \"ModifyInstanceAttribute\", RequestParameters.Attribute,\r\n EventName == \"ModifyInstanceCapacityReservationAttributes\", RequestParameters.CapacityReservationSpecification,\r\n EventName == \"ModifyInstanceConnectEndpoint\", RequestParameters.PreserveClientIp,\r\n EventName == \"ModifyInstanceCpuOptions\", ResponseElements,\r\n EventName == \"ModifyInstanceEventStartTime\", ResponseElements.event,\r\n EventName == \"ModifyIpam\", ResponseElements.ipam,\r\n EventName == \"ModifyIpamPolicyAllocationRules\", ResponseElements.ipamPolicyDocument,\r\n EventName == \"ModifyIpamPool\", ResponseElements.ipamPoolId,\r\n EventName == \"ModifyIpamPrefixListResolver\", ResponseElements.ipamPrefixListResolver,\r\n EventName == \"ModifyIpamPrefixListResolverTarget\", ResponseElements.ipamPrefixListResolverTarget,\r\n EventName == \"ModifyIpamResourceCidr\", ResponseElements.ipamResourceCidr,\r\n EventName == \"ModifyIpamResourceDiscovery\", ResponseElements.ipamResourceDiscovery,\r\n EventName == \"ModifyIpamScope\", ResponseElements.ipamScope,\r\n EventName == \"ModifyLaunchTemplate\", RequestParameters.LaunchTemplateName,\r\n EventName == \"ModifyPublicIpDnsNameOptions\", RequestParameters.HostnameType,\r\n EventName == \"ModifyReservedInstances\", RequestParameters.ReservedInstancesConfigurationSetItemType.N,\r\n EventName == \"ModifyRouteServer\", ResponseElements.routeServer,\r\n EventName == \"ModifySecurityGroupRules\", RequestParameters.SecurityGroupRule.N,\r\n EventName == \"ModifySnapshotTier\", 
RequestParameters.StorageTier,\r\n EventName == \"ModifyTrafficMirrorFilterNetworkServices\", ResponseElements.trafficMirrorFilter,\r\n EventName == \"ModifyTrafficMirrorFilterRule\", ResponseElements.trafficMirrorFilterRule,\r\n EventName == \"ModifyTrafficMirrorSession\", ResponseElements.trafficMirrorSession,\r\n EventName == \"ModifyTransitGateway\", ResponseElements.transitGateway,\r\n EventName == \"ModifyTransitGatewayMeteringPolicy\", ResponseElements.transitGatewayMeteringPolicy,\r\n EventName == \"ModifyTransitGatewayPrefixListReference\", ResponseElements.transitGatewayPrefixListReference,\r\n EventName == \"ModifyTransitGatewayVpcAttachment\", ResponseElements.transitGatewayVpcAttachment,\r\n EventName == \"ModifyVerifiedAccessEndpoint\", ResponseElements.verifiedAccessEndpoint,\r\n EventName == \"ModifyVerifiedAccessEndpointPolicy\", ResponseElements.sseSpecification,\r\n EventName == \"ModifyVerifiedAccessGroup\", ResponseElements.verifiedAccessGroup,\r\n EventName == \"ModifyVerifiedAccessGroupPolicy\", ResponseElements.sseSpecification,\r\n EventName == \"ModifyVerifiedAccessInstance\", ResponseElements.verifiedAccessInstance,\r\n EventName == \"ModifyVerifiedAccessInstanceLoggingConfiguration\", ResponseElements.loggingConfiguration,\r\n EventName == \"ModifyVerifiedAccessTrustProvider\", ResponseElements.verifiedAccessTrustProvider,\r\n EventName == \"ModifyVolume\", ResponseElements.volumeModification,\r\n EventName == \"ModifyVolumeAttribute\", RequestParameters.AutoEnableIO,\r\n EventName == \"ModifyVpcBlockPublicAccessExclusion\", ResponseElements.vpcBlockPublicAccessExclusion,\r\n EventName == \"ModifyVpcBlockPublicAccessOptions\", ResponseElements.vpcBlockPublicAccessOptions,\r\n EventName == \"ModifyVpcEncryptionControl\", ResponseElements.vpcEncryptionControl,\r\n EventName == \"ModifyVpcEndpointServicePayerResponsibility\", RequestParameters.PayerResponsibility,\r\n EventName == \"ModifyVpcEndpointServicePermissions\", 
RequestParameters.AddAllowedPrincipals.N,\r\n EventName == \"ModifyVpcPeeringConnectionOptions\", RequestParameters.RequesterPeeringConnectionOptions,\r\n EventName == \"ModifyVpcTenancy\", RequestParameters.InstanceTenancy,\r\n EventName == \"ModifyVpnConnection\", ResponseElements.vpnConnection,\r\n EventName == \"ModifyVpnConnectionOptions\", ResponseElements.vpnConnection,\r\n EventName == \"ModifyVpnTunnelCertificate\", ResponseElements.vpnConnection,\r\n EventName == \"ModifyVpnTunnelOptions\", ResponseElements.vpnConnection,\r\n EventName == \"MonitorInstances\", ResponseElements.instancesSet,\r\n EventName == \"MoveAddressToVpc\", ResponseElements.status,\r\n EventName == \"MoveByoipCidrToIpam\", ResponseElements.byoipCidr,\r\n EventName == \"MoveCapacityReservationInstances\", ResponseElements.destinationCapacityReservation,\r\n EventName == \"ProvisionByoipCidr\", ResponseElements.byoipCidr,\r\n EventName == \"ProvisionIpamByoasn\", ResponseElements.byoasn,\r\n EventName == \"ProvisionIpamPoolCidr\", ResponseElements.ipamPoolCidr,\r\n EventName == \"ProvisionPublicIpv4PoolCidr\", ResponseElements.poolAddressRange,\r\n EventName == \"PurchaseCapacityBlock\", ResponseElements.capacityBlockSet,\r\n EventName == \"PurchaseCapacityBlockExtension\", ResponseElements.capacityBlockExtensionSet,\r\n EventName == \"PurchaseReservedInstancesOffering\", ResponseElements.reservedInstancesId,\r\n EventName == \"PurchaseScheduledInstances\", ResponseElements.scheduledInstanceSet,\r\n EventName == \"RegisterInstanceEventNotificationAttributes\", ResponseElements.instanceTagAttribute,\r\n EventName == \"RegisterTransitGatewayMulticastGroupMembers\", ResponseElements.registeredMulticastGroupMembers,\r\n EventName == \"RegisterTransitGatewayMulticastGroupSources\", ResponseElements.registeredMulticastGroupSources,\r\n EventName == \"RejectTransitGatewayMulticastDomainAssociations\", ResponseElements.associations,\r\n EventName == \"RejectTransitGatewayPeeringAttachment\", 
ResponseElements.transitGatewayPeeringAttachment,\r\n EventName == \"RejectTransitGatewayVpcAttachment\", ResponseElements.transitGatewayVpcAttachment,\r\n EventName == \"RejectVpcEndpointConnections\", ResponseElements.unsuccessful,\r\n EventName == \"ReplaceIamInstanceProfileAssociation\", ResponseElements.iamInstanceProfileAssociation,\r\n EventName == \"ReplaceNetworkAclAssociation\", ResponseElements.newAssociationId,\r\n EventName == \"ReplaceRouteTableAssociation\", ResponseElements.newAssociationId,\r\n EventName == \"ReplaceVpnTunnel\", RequestParameters.VpnTunnelOutsideIpAddress,\r\n EventName == \"RequestSpotInstances\", ResponseElements.spotInstanceRequestSet,\r\n EventName == \"ResetAddressAttribute\", ResponseElements.address,\r\n EventName == \"RestoreManagedPrefixListVersion\", ResponseElements.prefixList,\r\n EventName == \"RestoreSnapshotFromRecycleBin\", ResponseElements,\r\n EventName == \"RestoreSnapshotTier\", ResponseElements,\r\n EventName == \"RevokeClientVpnIngress\", ResponseElements.status,\r\n EventName == \"RevokeSecurityGroupEgress\", ResponseElements.revokedSecurityGroupRuleSet,\r\n EventName == \"RevokeSecurityGroupIngress\", ResponseElements.revokedSecurityGroupRuleSet,\r\n EventName == \"RunInstances\", ResponseElements.groupSet,\r\n EventName == \"RunScheduledInstances\", ResponseElements.instanceIdSet,\r\n EventName == \"StartInstances\", ResponseElements.instancesSet,\r\n EventName == \"StartNetworkInsightsAccessScopeAnalysis\", ResponseElements.networkInsightsAccessScopeAnalysis,\r\n EventName == \"StartNetworkInsightsAnalysis\", ResponseElements.networkInsightsAnalysis,\r\n EventName == \"StopInstances\", ResponseElements.instancesSet,\r\n EventName == \"UnmonitorInstances\", ResponseElements.instancesSet,\r\n EventName == \"UpdateInterruptibleCapacityReservationAllocation\", RequestParameters.TargetInstanceCount,\r\n EventName == \"UpdateSecurityGroupRuleDescriptionsEgress\", RequestParameters.IpPermissions,\r\n EventName == 
\"UpdateSecurityGroupRuleDescriptionsIngress\", RequestParameters.IpPermissions,\r\n EventName == \"WithdrawByoipCidr\", ResponseElements.byoipCidr,\r\n \"\"\r\n ), \"\")\r\n};\r\nlet DetermineEC2Object = (T: (EventName: string, RequestParameters: dynamic, ResponseElements: dynamic)) {\r\n T\r\n | extend Object = case(\r\n EventName == \"AcceptAddressTransfer\", \"Elastic IP Address\",\r\n EventName == \"AcceptCapacityReservationBillingOwnership\", \"Capacity Reservation\",\r\n EventName == \"AcceptReservedInstancesExchangeQuote\", \"Convertible Reserved Instance\",\r\n EventName == \"AcceptTransitGatewayMulticastDomainAssociations\", \"Transit Gateway Attachment\",\r\n EventName == \"AcceptTransitGatewayPeeringAttachment\", \"Transit Gateway Attachment\",\r\n EventName == \"AcceptTransitGatewayVpcAttachment\", \"Transit Gateway Attachment\",\r\n EventName == \"AcceptVpcEndpointConnections\", \"VPC\",\r\n EventName == \"AcceptVpcPeeringConnection\", \"VPC\",\r\n EventName == \"AdvertiseByoipCidr\", \"BYOIP CIDR\",\r\n EventName == \"AllocateAddress\", \"Elastic IP Address\",\r\n EventName == \"AllocateHosts\", \"Dedicated Host\",\r\n EventName == \"AllocateIpamPoolCidr\", \"IPAM Pool\",\r\n EventName == \"ApplySecurityGroupsToClientVpnTargetNetwork\", \"VPC\",\r\n EventName == \"AssignIpv6Addresses\", \"Network Interface\",\r\n EventName == \"AssignPrivateIpAddresses\", \"Network Interface\",\r\n EventName == \"AssignPrivateNatGatewayAddress\", \"NAT Gateway\",\r\n EventName == \"AssociateAddress\", \"Elastic IP Association\",\r\n EventName == \"AssociateCapacityReservationBillingOwner\", \"Capacity Reservation\",\r\n EventName == \"AssociateClientVpnTargetNetwork\", \"Client VPN Endpoint\",\r\n EventName == \"AssociateDhcpOptions\", \"VPC\",\r\n EventName == \"AssociateEnclaveCertificateIamRole\", \"AWS Certificate Manager Certificate\",\r\n EventName == \"AssociateIamInstanceProfile\", \"EC2 Instance\",\r\n EventName == \"AssociateInstanceEventWindow\", 
\"Instance Event Window\",\r\n EventName == \"AssociateIpamByoasn\", \"BYOIP CIDR\",\r\n EventName == \"AssociateIpamResourceDiscovery\", \"VPC IPAM\",\r\n EventName == \"AssociateNatGatewayAddress\", \"NAT Gateway\",\r\n EventName == \"AssociateRouteServer\", \"VPC\",\r\n EventName == \"AssociateRouteTable\", \"VPC Route Table\",\r\n EventName == \"AssociateSecurityGroupVpc\", \"VPC\",\r\n EventName == \"AssociateSubnetCidrBlock\", \"Subnet\",\r\n EventName == \"AssociateTransitGatewayMulticastDomain\", \"Transit Gateway Multicast Domain\",\r\n EventName == \"AssociateTransitGatewayPolicyTable\", \"Transit Gateway Policy Table\",\r\n EventName == \"AssociateTransitGatewayRouteTable\", \"Transit Gateway Route Table\",\r\n EventName == \"AssociateTrunkInterface\", \"Trunk Network Interface\",\r\n EventName == \"AssociateVpcCidrBlock\", \"VPC\",\r\n EventName == \"AttachClassicLinkVpc\", \"VPC\",\r\n EventName == \"AttachInternetGateway\", \"VPC\",\r\n EventName == \"AttachNetworkInterface\", \"EC2 Instance\",\r\n EventName == \"AttachVerifiedAccessTrustProvider\", \"EC2 Instance\",\r\n EventName == \"AttachVolume\", \"EC2 Instance\",\r\n EventName == \"AttachVpnGateway\", \"VPC\",\r\n EventName == \"AuthorizeClientVpnIngress\", \"Client VPN Endpoint\",\r\n EventName == \"AuthorizeSecurityGroupEgress\", \"Security Group\",\r\n EventName == \"AuthorizeSecurityGroupIngress\", \"Security Group\",\r\n EventName == \"BundleInstance\", \"EC2 Instance\",\r\n EventName == \"CancelBundleTask\", \"Bundle Task\",\r\n EventName == \"CancelCapacityReservation\", \"Capacity Reservation\",\r\n EventName == \"CancelCapacityReservationFleets\", \"Capacity Reservation\",\r\n EventName == \"CancelConversionTask\", \"Conversion Task\",\r\n EventName == \"CancelDeclarativePoliciesReport\", \"Account Status Report\",\r\n EventName == \"CancelExportTask\", \"Export Task\",\r\n EventName == \"CancelImageLaunchPermission\", \"AMI\",\r\n EventName == \"CancelImportTask\", \"Import Task\",\r\n 
EventName == \"CancelReservedInstancesListing\", \"Reserved Instance Listing\",\r\n EventName == \"CancelSpotFleetRequests\", \"Spot Fleet Request\",\r\n EventName == \"CancelSpotInstanceRequests\", \"Spot Instance Request\",\r\n EventName == \"ConfirmProductInstance\", \"EC2 Instance\",\r\n EventName == \"CopyFpgaImage\", \"FPGA Image\",\r\n EventName == \"CopyImage\", \"AMI\",\r\n EventName == \"CopySnapshot\", \"EBS Snapshot\",\r\n EventName == \"CopyVolumes\", \"EBS Volume\",\r\n EventName == \"CreateCapacityManagerDataExport\", \"EC2 Capacity Manager Data Report\",\r\n EventName == \"CreateCapacityReservation\", \"Capacity Reservation\",\r\n EventName == \"CreateCapacityReservationBySplitting\", \"Capacity Reservation\",\r\n EventName == \"CreateCapacityReservationFleet\", \"Capacity Reservation Fleet\",\r\n EventName == \"CreateCarrierGateway\", \"Carrier Gateway\",\r\n EventName == \"CreateClientVpnEndpoint\", \"Client VPN Endpoint\",\r\n EventName == \"CreateClientVpnRoute\", \"Client VPN Endpoint\",\r\n EventName == \"CreateCoipCidr\", \"COIP Pool\",\r\n EventName == \"CreateCoipPool\", \"COIP Pool\",\r\n EventName == \"CreateCustomerGateway\", \"Customer Gateway\",\r\n EventName == \"CreateDefaultSubnet\", \"Subnet\",\r\n EventName == \"CreateDefaultVpc\", \"VPC\",\r\n EventName == \"CreateDelegateMacVolumeOwnershipTask\", \"Mac Modification Task\",\r\n EventName == \"CreateDhcpOptions\", \"Dhcp Options\",\r\n EventName == \"CreateEgressOnlyInternetGateway\", \"Egress-only Internet Gateway\",\r\n EventName == \"CreateFleet\", \"EC2 Fleet\",\r\n EventName == \"CreateFlowLogs\", \"Flow Logs\",\r\n EventName == \"CreateFpgaImage\", \"FPGA Image\",\r\n EventName == \"CreateImage\", \"AMI\",\r\n EventName == \"CreateImageUsageReport\", \"Image Usage Report\",\r\n EventName == \"CreateInstanceConnectEndpoint\", \"EC2 Instance Connect Endpoint\",\r\n EventName == \"CreateInstanceEventWindow\", \"Instance Event Window\",\r\n EventName == 
\"CreateInstanceExportTask\", \"Instance Export Task\",\r\n EventName == \"CreateInternetGateway\", \"Internet Gateway\",\r\n EventName == \"CreateInterruptibleCapacityReservationAllocation\", \"Capacity Reservation\",\r\n EventName == \"CreateIpam\", \"IPAM\",\r\n EventName == \"CreateIpamExternalResourceVerificationToken\", \"IPAM Verification Token\",\r\n EventName == \"CreateIpamPolicy\", \"IPAM Policy\",\r\n EventName == \"CreateIpamPool\", \"IPAM Pool\",\r\n EventName == \"CreateIpamPrefixListResolver\", \"IPAM Prefix List Resolver\",\r\n EventName == \"CreateIpamPrefixListResolverTarget\", \"IPAM Prefix List Resolver Target\",\r\n EventName == \"CreateIpamResourceDiscovery\", \"IPAM Resource Discovery\",\r\n EventName == \"CreateIpamScope\", \"IPAM Scope\",\r\n EventName == \"CreateKeyPair\", \"Key Pair\",\r\n EventName == \"CreateLaunchTemplate\", \"Launch Template\",\r\n EventName == \"CreateLaunchTemplateVersion\", \"Launch Template Version\",\r\n EventName == \"CreateLocalGatewayRoute\", \"Local Gateway Route Table\",\r\n EventName == \"CreateLocalGatewayRouteTable\", \"Local Gateway Route Table\",\r\n EventName == \"CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation\", \"Local Gateway Route Table Virtual Interface Group Association\",\r\n EventName == \"CreateLocalGatewayRouteTableVpcAssociation\", \"Local Gateway Route Table VPC Association\",\r\n EventName == \"CreateLocalGatewayVirtualInterface\", \"Local Gateway Virtual Interface\",\r\n EventName == \"CreateLocalGatewayVirtualInterfaceGroup\", \"Local Gateway Virtual Interface Group\",\r\n EventName == \"CreateMacSystemIntegrityProtectionModificationTask\", \"Mac Modification Task\",\r\n EventName == \"CreateManagedPrefixList\", \"Prefix List\",\r\n EventName == \"CreateNatGateway\", \"NAT Gateway\",\r\n EventName == \"CreateNetworkAcl\", \"Network ACL\",\r\n EventName == \"CreateNetworkAclEntry\", \"Network ACL\",\r\n EventName == \"CreateNetworkInsightsAccessScope\", \"Network Insights 
Access Scope\",\r\n EventName == \"CreateNetworkInsightsPath\", \"Network Insights Path\",\r\n EventName == \"CreateNetworkInterface\", \"Network Interface\",\r\n EventName == \"CreateNetworkInterfacePermission\", \"Network Interface Permission\",\r\n EventName == \"CreatePlacementGroup\", \"Placement Group\",\r\n EventName == \"CreatePublicIpv4Pool\", \"Public Ipv4 Pool\",\r\n EventName == \"CreateReplaceRootVolumeTask\", \"Replace Root Volume Task\",\r\n EventName == \"CreateReservedInstancesListing\", \"Reserved Instance Listing\",\r\n EventName == \"CreateRestoreImageTask\", \"AMI\",\r\n EventName == \"CreateRoute\", \"Route Table\",\r\n EventName == \"CreateRouteServer\", \"Route Server\",\r\n EventName == \"CreateRouteServerEndpoint\", \"Route Server Endpoint\",\r\n EventName == \"CreateRouteServerPeer\", \"Route Server Peer\",\r\n EventName == \"CreateRouteTable\", \"Route Table\",\r\n EventName == \"CreateSecondaryNetwork\", \"Secondary Network\",\r\n EventName == \"CreateSecondarySubnet\", \"Secondary Subnet\",\r\n EventName == \"CreateSecurityGroup\", \"Security Group\",\r\n EventName == \"CreateSnapshot\", \"EBS Volume Snapshot\",\r\n EventName == \"CreateSnapshots\", \"EBS Volume Snapshot\",\r\n EventName == \"CreateSpotDatafeedSubscription\", \"Spot Datafeed Subscription\",\r\n EventName == \"CreateStoreImageTask\", \"AMI\",\r\n EventName == \"CreateSubnet\", \"Subnet\",\r\n EventName == \"CreateSubnetCidrReservation\", \"Subnet CIDR Reservation\",\r\n EventName == \"CreateTags\", \"EC2 Resources\",\r\n EventName == \"CreateTrafficMirrorFilter\", \"Traffic Mirror Filter\",\r\n EventName == \"CreateTrafficMirrorFilterRule\", \"Traffic Mirror Filter Rule\",\r\n EventName == \"CreateTrafficMirrorSession\", \"Traffic Mirror Session\",\r\n EventName == \"CreateTrafficMirrorTarget\", \"Traffic Mirror Target\",\r\n EventName == \"CreateTransitGateway\", \"Transit Gateway\",\r\n EventName == \"CreateTransitGatewayConnect\", \"Transit Gateway Connect\",\r\n 
EventName == \"CreateTransitGatewayConnectPeer\", \"Transit Gateway Connect Peer\",\r\n EventName == \"CreateTransitGatewayMeteringPolicy\", \"Transit Gateway Metering Policy\",\r\n EventName == \"CreateTransitGatewayMeteringPolicyEntry\", \"Transit Gateway Metering Policy Entry\",\r\n EventName == \"CreateTransitGatewayMulticastDomain\", \"Transit Gateway Multicast Domain\",\r\n EventName == \"CreateTransitGatewayPeeringAttachment\", \"Transit Gateway Peering Attachment\",\r\n EventName == \"CreateTransitGatewayPolicyTable\", \"Transit Gateway Policy Table\",\r\n EventName == \"CreateTransitGatewayPrefixListReference\", \"Transit Gateway Prefix List Reference\",\r\n EventName == \"CreateTransitGatewayRoute\", \"Transit Gateway Route Table\",\r\n EventName == \"CreateTransitGatewayRouteTable\", \"Transit Gateway Route Table\",\r\n EventName == \"CreateTransitGatewayRouteTableAnnouncement\", \"Transit Gateway Route Table Announcement\",\r\n EventName == \"CreateTransitGatewayVpcAttachment\", \"Transit Gateway\",\r\n EventName == \"CreateVerifiedAccessEndpoint\", \"Verified Access Endpoint\",\r\n EventName == \"CreateVerifiedAccessGroup\", \"Verified Access Group\",\r\n EventName == \"CreateVerifiedAccessInstance\", \"Verified Access Instance\",\r\n EventName == \"CreateVerifiedAccessTrustProvider\", \"Verified Access Trust Provider\",\r\n EventName == \"CreateVolume\", \"EBS Volume\",\r\n EventName == \"CreateVpc\", \"VPC\",\r\n EventName == \"CreateVpcBlockPublicAccessExclusion\", \"VPC BPA Exclusion\",\r\n EventName == \"CreateVpcEncryptionControl\", \"VPC Encryption Control\",\r\n EventName == \"CreateVpcEndpoint\", \"VPC Endpoint\",\r\n EventName == \"CreateVpcEndpointConnectionNotification\", \"VPC Connection Notification\",\r\n EventName == \"CreateVpcEndpointServiceConfiguration\", \"VPC Endpoint Service\",\r\n EventName == \"CreateVpcPeeringConnection\", \"VPC Peering Connection\",\r\n EventName == \"CreateVpnConcentrator\", \"VPN Concentrator\",\r\n 
EventName == \"CreateVpnConnection\", \"VPN Connection\",\r\n EventName == \"CreateVpnConnectionRoute\", \"VPN Connection\",\r\n EventName == \"CreateVpnGateway\", \"VPC\",\r\n EventName == \"DeleteCapacityManagerDataExport\", \"Capacity Manager Configuration\",\r\n EventName == \"DeleteCarrierGateway\", \"Carrier Gateway\",\r\n EventName == \"DeleteClientVpnEndpoint\", \"Client VPN Endpoint\",\r\n EventName == \"DeleteClientVpnRoute\", \"Client VPN Endpoint\",\r\n EventName == \"DeleteCoipCidr\", \"COIP Pool\",\r\n EventName == \"DeleteCoipPool\", \"COIP Pool\",\r\n EventName == \"DeleteCustomerGateway\", \"Customer Gateway\",\r\n EventName == \"DeleteDhcpOptions\", \"DHCP Options\",\r\n EventName == \"DeleteEgressOnlyInternetGateway\", \"Egress-only Internet Gateway\",\r\n EventName == \"DeleteFleets\", \"EC2 Fleet Request\",\r\n EventName == \"DeleteFlowLogs\", \"Flow Logs\",\r\n EventName == \"DeleteFpgaImage\", \"FPGA Image\",\r\n EventName == \"DeleteImageUsageReport\", \"AMI Usage Report\",\r\n EventName == \"DeleteInstanceConnectEndpoint\", \"EC2 Instance Connect Endpoint\",\r\n EventName == \"DeleteInstanceEventWindow\", \"Instance Event Window\",\r\n EventName == \"DeleteInternetGateway\", \"Internet Gateway\",\r\n EventName == \"DeleteIpam\", \"IPAM\",\r\n EventName == \"DeleteIpamExternalResourceVerificationToken\", \"IPAM Verification Token\",\r\n EventName == \"DeleteIpamPolicy\", \"IPAM Policy\",\r\n EventName == \"DeleteIpamPool\", \"IPAM Pool\",\r\n EventName == \"DeleteIpamPrefixListResolver\", \"IPAM Prefix List Resolver\",\r\n EventName == \"DeleteIpamPrefixListResolverTarget\", \"IPAM Prefix List Resolver Target\",\r\n EventName == \"DeleteIpamResourceDiscovery\", \"IPAM Resource Discovery\",\r\n EventName == \"DeleteIpamScope\", \"IPAM Scope\",\r\n EventName == \"DeleteKeyPair\", \"Key Pair\",\r\n EventName == \"DeleteLaunchTemplate\", \"Launch Template\",\r\n EventName == \"DeleteLaunchTemplateVersions\", \"Launch Template\",\r\n EventName == 
\"DeleteLocalGatewayRoute\", \"Local Gateway Route Table\",\r\n EventName == \"DeleteLocalGatewayRouteTable\", \"Local Gateway Route Table\",\r\n EventName == \"DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociation\", \"Local Gateway Route Table Virtual Interface Group Association\",\r\n EventName == \"DeleteLocalGatewayRouteTableVpcAssociation\", \"Local Gateway Route Table VPC Association\",\r\n EventName == \"DeleteLocalGatewayVirtualInterface\", \"Local Gateway Virtual Interface\",\r\n EventName == \"DeleteLocalGatewayVirtualInterfaceGroup\", \"Local Gateway Virtual Interface\",\r\n EventName == \"DeleteManagedPrefixList\", \"Managed Prefix List\",\r\n EventName == \"DeleteNatGateway\", \"NAT Gateway\",\r\n EventName == \"DeleteNetworkAcl\", \"Network ACL\",\r\n EventName == \"DeleteNetworkAclEntry\", \"Network ACL\",\r\n EventName == \"DeleteNetworkInsightsAccessScope\", \"Network Insights Access Scope\",\r\n EventName == \"DeleteNetworkInsightsAccessScopeAnalysis\", \"Network Insights Access Scope Analysis\",\r\n EventName == \"DeleteNetworkInsightsAnalysis\", \"Network Insights Analysis\",\r\n EventName == \"DeleteNetworkInsightsPath\", \"Network Insights Path\",\r\n EventName == \"DeleteNetworkInterface\", \"Network Interface\",\r\n EventName == \"DeleteNetworkInterfacePermission\", \"Network Interface Permission\",\r\n EventName == \"DeletePlacementGroup\", \"Placement Group\",\r\n EventName == \"DeletePublicIpv4Pool\", \"Public Ipv4 Pool\",\r\n EventName == \"DeleteQueuedReservedInstances\", \"Reserved Instance\",\r\n EventName == \"DeleteRoute\", \"Route Table\",\r\n EventName == \"DeleteRouteServer\", \"Route Server\",\r\n EventName == \"DeleteRouteServerEndpoint\", \"Route Server Endpoint\",\r\n EventName == \"DeleteRouteServerPeer\", \"Route Server Peer\",\r\n EventName == \"DeleteRouteTable\", \"Route Table\",\r\n EventName == \"DeleteSecondaryNetwork\", \"Secondary Network\",\r\n EventName == \"DeleteSecondarySubnet\", \"Secondary 
Subnet\",\r\n EventName == \"DeleteSecurityGroup\", \"Security Group\",\r\n EventName == \"DeleteSnapshot\", \"EBS Snapshot\",\r\n EventName == \"DeleteSpotDatafeedSubscription\", \"Spot Datafeed Subscription\",\r\n EventName == \"DeleteSubnet\", \"Subnet\",\r\n EventName == \"DeleteSubnetCidrReservation\", \"Subnet CIDR Reservation\",\r\n EventName == \"DeleteTags\", \"EC2 Resources\",\r\n EventName == \"DeleteTrafficMirrorFilter\", \"Traffic Mirror Filter\",\r\n EventName == \"DeleteTrafficMirrorFilterRule\", \"Traffic Mirror Filter Rule\",\r\n EventName == \"DeleteTrafficMirrorSession\", \"Traffic Mirror Session\",\r\n EventName == \"DeleteTrafficMirrorTarget\", \"Traffic Mirror Target\",\r\n EventName == \"DeleteTransitGateway\", \"Transit Gateway\",\r\n EventName == \"DeleteTransitGatewayConnect\", \"Transit Gateway Connect\",\r\n EventName == \"DeleteTransitGatewayConnectPeer\", \"Transit Gateway Connect Peer\",\r\n EventName == \"DeleteTransitGatewayMeteringPolicy\", \"Transit Gateway Metering Policy\",\r\n EventName == \"DeleteTransitGatewayMeteringPolicyEntry\", \"Transit Gateway Metering Policy\",\r\n EventName == \"DeleteTransitGatewayMulticastDomain\", \"Transit Gateway Multicast Domain\",\r\n EventName == \"DeleteTransitGatewayPeeringAttachment\", \"Transit Gateway Peering Attachment\",\r\n EventName == \"DeleteTransitGatewayPolicyTable\", \"Transit Gateway Policy Table\",\r\n EventName == \"DeleteTransitGatewayPrefixListReference\", \"Transit Gateway Route Table\",\r\n EventName == \"DeleteTransitGatewayRoute\", \"Transit Gateway Route Table\",\r\n EventName == \"DeleteTransitGatewayRouteTable\", \"Transit Gateway Route Table\",\r\n EventName == \"DeleteTransitGatewayRouteTableAnnouncement\", \"Transit Gateway Route Table Announcement\",\r\n EventName == \"DeleteTransitGatewayVpcAttachment\", \"Transit Gateway VPC Attachment\",\r\n EventName == \"DeleteVerifiedAccessEndpoint\", \"Verified Access Endpoint\",\r\n EventName == 
\"DeleteVerifiedAccessGroup\", \"Verified Access Group\",\r\n EventName == \"DeleteVerifiedAccessInstance\", \"Verified Access Instance\",\r\n EventName == \"DeleteVerifiedAccessTrustProvider\", \"Verified Access Trust Provider\",\r\n EventName == \"DeleteVolume\", \"EBS Volume\",\r\n EventName == \"DeleteVpc\", \"VPC\",\r\n EventName == \"DeleteVpcBlockPublicAccessExclusion\", \"VPC BPA Exclusion\",\r\n EventName == \"DeleteVpcEncryptionControl\", \"VPC Encryption Control\",\r\n EventName == \"DeleteVpcEndpointConnectionNotifications\", \"VPC Endpoint Connection Notification\",\r\n EventName == \"DeleteVpcEndpoints\", \"VPC Endpoint\",\r\n EventName == \"DeleteVpcEndpointServiceConfigurations\", \"VPC Endpoint Service\",\r\n EventName == \"DeleteVpcPeeringConnection\", \"VPC Peering Connection\",\r\n EventName == \"DeleteVpnConcentrator\", \"VPN Concentrator\",\r\n EventName == \"DeleteVpnConnection\", \"VPN Connection\",\r\n EventName == \"DeleteVpnConnectionRoute\", \"VPN Connection\",\r\n EventName == \"DeleteVpnGateway\", \"VPN Gateway\",\r\n EventName == \"DeprovisionByoipCidr\", \"BYOIP CIDR\",\r\n EventName == \"DeprovisionIpamByoasn\", \"IPAM\",\r\n EventName == \"DeprovisionIpamPoolCidr\", \"IPAM Pool\",\r\n EventName == \"DeprovisionPublicIpv4PoolCidr\", \"Public Ipv4 Pool\",\r\n EventName == \"DeregisterImage\", \"AMI\",\r\n EventName == \"DeregisterInstanceEventNotificationAttributes\", \"Tag Key\",\r\n EventName == \"DeregisterTransitGatewayMulticastGroupMembers\", \"Transit Gateway Multicast Domain\",\r\n EventName == \"DeregisterTransitGatewayMulticastGroupSources\", \"Transit Gateway Multicast Domain\",\r\n EventName == \"DescribeAccountAttributes\", \"Account Attributes\",\r\n EventName == \"DescribeAddresses\", \"Elastic Ip Address\",\r\n EventName == \"DescribeAddressesAttribute\", \"Elastic Ip Address\",\r\n EventName == \"DescribeAddressTransfers\", \"Elastic Ip Address Transfer\",\r\n EventName == \"DescribeAggregateIdFormat\", \"EC2 
Resources\",\r\n EventName == \"DescribeAvailabilityZones\", \"Availability Zones\",\r\n EventName == \"DescribeAwsNetworkPerformanceMetricSubscriptions\", \"Infrastructure Performance Metric Subscriptions\",\r\n EventName == \"DescribeBundleTasks\", \"Bundle Task\",\r\n EventName == \"DescribeByoipCidrs\", \"BYOIP CIDR\",\r\n EventName == \"DescribeCapacityBlockExtensionHistory\", \"Capacity Block Extension History\",\r\n EventName == \"DescribeCapacityBlockExtensionOfferings\", \"Capacity Block Extension Offering\",\r\n EventName == \"DescribeCapacityBlockOfferings\", \"Capacity Block\",\r\n EventName == \"DescribeCapacityBlocks\", \"Capacity Block\",\r\n EventName == \"DescribeCapacityBlockStatus\", \"Capacity Block\",\r\n EventName == \"DescribeCapacityManagerDataExports\", \"Capacity Manager Data Exports\",\r\n EventName == \"DescribeCapacityReservationBillingRequests\", \"Capacity Reservation\",\r\n EventName == \"DescribeCapacityReservationFleets\", \"Capacity Reservation Fleet\",\r\n EventName == \"DescribeCapacityReservations\", \"Capacity Reservation\",\r\n EventName == \"DescribeCapacityReservationTopology\", \"Capacity Reservation\",\r\n EventName == \"DescribeCarrierGateways\", \"Carrier Gateway\",\r\n EventName == \"DescribeClassicLinkInstances\", \"EC2 Classic Instances\",\r\n EventName == \"DescribeClientVpnAuthorizationRules\", \"Client VPN Endpoint\",\r\n EventName == \"DescribeClientVpnConnections\", \"Client VPN Endpoint\",\r\n EventName == \"DescribeClientVpnEndpoints\", \"Client VPN Endpoint\",\r\n EventName == \"DescribeClientVpnRoutes\", \"Client VPN Endpoint\",\r\n EventName == \"DescribeClientVpnTargetNetworks\", \"Client VPN Endpoint\",\r\n EventName == \"DescribeCoipPools\", \"COIP Pool\",\r\n EventName == \"DescribeConversionTasks\", \"Conversion Task\",\r\n EventName == \"DescribeCustomerGateways\", \"Customer Gateway\",\r\n EventName == \"DescribeDeclarativePoliciesReports\", \"Account Status Report\",\r\n EventName == 
\"DescribeDhcpOptions\", \"DHCP Options\",\r\n EventName == \"DescribeEgressOnlyInternetGateways\", \"Egress-only Internet Gateway\",\r\n EventName == \"DescribeElasticGpus\", \"Elastic Gpu\",\r\n EventName == \"DescribeExportImageTasks\", \"Export Image Task\",\r\n EventName == \"DescribeExportTasks\", \"Export Task\",\r\n EventName == \"DescribeFastLaunchImages\", \"AMI\",\r\n EventName == \"DescribeFastSnapshotRestores\", \"EBS Snapshot\",\r\n EventName == \"DescribeFleetHistory\", \"EC2 Fleet\",\r\n EventName == \"DescribeFleetInstances\", \"EC2 Fleet\",\r\n EventName == \"DescribeFleets\", \"EC2 Fleet\",\r\n EventName == \"DescribeFlowLogs\", \"Flow Logs\",\r\n EventName == \"DescribeFpgaImageAttribute\", \"FPGA Image\",\r\n EventName == \"DescribeFpgaImages\", \"FPGA Image\",\r\n EventName == \"DescribeHostReservationOfferings\", \"Dedicated Host Reservation\",\r\n EventName == \"DescribeHostReservations\", \"Dedicated Host Reservation\",\r\n EventName == \"DescribeHosts\", \"Dedicated Host\",\r\n EventName == \"DescribeIamInstanceProfileAssociations\", \"IAM Instance Profile Association\",\r\n EventName == \"DescribeIdentityIdFormat\", \"EC2 Resources\",\r\n EventName == \"DescribeIdFormat\", \"EC2 Resources\",\r\n EventName == \"DescribeImageAttribute\", \"AMI\",\r\n EventName == \"DescribeImageReferences\", \"AMI\",\r\n EventName == \"DescribeImages\", \"AMI\",\r\n EventName == \"DescribeImageUsageReportEntries\", \"AMI Usage Report\",\r\n EventName == \"DescribeImageUsageReports\", \"AMI Usage Report\",\r\n EventName == \"DescribeImportImageTasks\", \"Import Image Task\",\r\n EventName == \"DescribeImportSnapshotTasks\", \"Import Snapshot Task\",\r\n EventName == \"DescribeInstanceAttribute\", \"EC2 Instance\",\r\n EventName == \"DescribeInstanceConnectEndpoints\", \"Instance Connect Endpoint\",\r\n EventName == \"DescribeInstanceCreditSpecifications\", \"EC2 Instance\",\r\n EventName == \"DescribeInstanceEventNotificationAttributes\", \"Instance Event 
Notification Attribute\",\r\n EventName == \"DescribeInstanceEventWindows\", \"Instance Event Window\",\r\n EventName == \"DescribeInstanceImageMetadata\", \"EC2 Instance\",\r\n EventName == \"DescribeInstances\", \"EC2 Instance\",\r\n EventName == \"DescribeInstanceSqlHaHistoryStates\", \"EC2 Instance\",\r\n EventName == \"DescribeInstanceSqlHaStates\", \"EC2 Instance\",\r\n EventName == \"DescribeInstanceStatus\", \"EC2 Instance\",\r\n EventName == \"DescribeInstanceTopology\", \"EC2 Instance\",\r\n EventName == \"DescribeInstanceTypeOfferings\", \"EC2 Instance\",\r\n EventName == \"DescribeInstanceTypes\", \"EC2 Instance\",\r\n EventName == \"DescribeInternetGateways\", \"Internet Gateway\",\r\n EventName == \"DescribeIpamByoasn\", \"ASN\",\r\n EventName == \"DescribeIpamExternalResourceVerificationTokens\", \"IPAM Verification Token\",\r\n EventName == \"DescribeIpamPolicies\", \"IPAM Policy\",\r\n EventName == \"DescribeIpamPools\", \"IPAM Pool\",\r\n EventName == \"DescribeIpamPrefixListResolvers\", \"IPAM Prefix List Resolver\",\r\n EventName == \"DescribeIpamPrefixListResolverTargets\", \"IPAM Prefix List Resolver Target\",\r\n EventName == \"DescribeIpamResourceDiscoveries\", \"IPAM Resource Discovery\",\r\n EventName == \"DescribeIpamResourceDiscoveryAssociations\", \"IPAM Resource Discovery Association\",\r\n EventName == \"DescribeIpams\", \"IPAM\",\r\n EventName == \"DescribeIpamScopes\", \"IPAM Scope\",\r\n EventName == \"DescribeIpv6Pools\", \"IPV6 Pool CIDR\",\r\n EventName == \"DescribeKeyPairs\", \"Key Pair\",\r\n EventName == \"DescribeLaunchTemplates\", \"Launch Template\",\r\n EventName == \"DescribeLaunchTemplateVersions\", \"Launch Template\",\r\n EventName == \"DescribeLocalGatewayRouteTables\", \"Local Gateway Route Table\",\r\n EventName == \"DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations\", \"Local Gateway Route Table Virtual Interface Group Association\",\r\n EventName == 
\"DescribeLocalGatewayRouteTableVpcAssociations\", \"Local Gateway Route Table VPC Association\",\r\n EventName == \"DescribeLocalGateways\", \"Local Gateway\",\r\n EventName == \"DescribeLocalGatewayVirtualInterfaceGroups\", \"Local Gateway Virtual Interface Group\",\r\n EventName == \"DescribeLocalGatewayVirtualInterfaces\", \"Local Gateway Virtual Interface Group\",\r\n EventName == \"DescribeLockedSnapshots\", \"EBS Snapshot\",\r\n EventName == \"DescribeMacHosts\", \"Dedicated Host\",\r\n EventName == \"DescribeMacModificationTasks\", \"Mac Modification Task\",\r\n EventName == \"DescribeManagedPrefixLists\", \"Prefix List\",\r\n EventName == \"DescribeMovingAddresses\", \"Elastic IP address\",\r\n EventName == \"DescribeNatGateways\", \"NAT Gateway\",\r\n EventName == \"DescribeNetworkAcls\", \"Network ACL\",\r\n EventName == \"DescribeNetworkInsightsAccessScopeAnalyses\", \"Network Insights Access Scope Analysis\",\r\n EventName == \"DescribeNetworkInsightsAccessScopes\", \"Network Insights Access Scope\",\r\n EventName == \"DescribeNetworkInsightsAnalyses\", \"Network Insights Analysis\",\r\n EventName == \"DescribeNetworkInsightsPaths\", \"Network Insights Path\",\r\n EventName == \"DescribeNetworkInterfaceAttribute\", \"Network Interface\",\r\n EventName == \"DescribeNetworkInterfacePermissions\", \"Network Interface\",\r\n EventName == \"DescribeNetworkInterfaces\", \"Network Interface\",\r\n EventName == \"DescribeOutpostLags\", \"LAGs\",\r\n EventName == \"DescribePlacementGroups\", \"Placement Group\",\r\n EventName == \"DescribePrefixLists\", \"Prefix List\",\r\n EventName == \"DescribePrincipalIdFormat\", \"EC2 Resources\",\r\n EventName == \"DescribePublicIpv4Pools\", \"Public Ipv4 Pool\",\r\n EventName == \"DescribeRegions\", \"EC2 Resources\",\r\n EventName == \"DescribeReplaceRootVolumeTasks\", \"Replace Root Volume Task\",\r\n EventName == \"DescribeReservedInstances\", \"Reserved Instance\",\r\n EventName == 
\"DescribeReservedInstancesListings\", \"Reserved Instance Listing\",\r\n EventName == \"DescribeReservedInstancesModifications\", \"Reserved Instance Modification\",\r\n EventName == \"DescribeReservedInstancesOfferings\", \"Reserved Instance Offering\",\r\n EventName == \"DescribeRouteServerEndpoints\", \"Route Server Endpoint\",\r\n EventName == \"DescribeRouteServerPeers\", \"Route Server Peer\",\r\n EventName == \"DescribeRouteServers\", \"Route Sever\",\r\n EventName == \"DescribeRouteTables\", \"Route Table\",\r\n EventName == \"DescribeScheduledInstanceAvailability\", \"EC2 Instance\",\r\n EventName == \"DescribeScheduledInstances\", \"EC2 Instance\",\r\n EventName == \"DescribeSecondaryInterfaces\", \"Secondary Interface\",\r\n EventName == \"DescribeSecondaryNetworks\", \"Secondary Network\",\r\n EventName == \"DescribeSecondarySubnets\", \"Secondary Subnet\",\r\n EventName == \"DescribeSecurityGroupReferences\", \"Security Group\",\r\n EventName == \"DescribeSecurityGroupRules\", \"Security Group Rule\",\r\n EventName == \"DescribeSecurityGroups\", \"Security Group\",\r\n EventName == \"DescribeSecurityGroupVpcAssociations\", \"Security Group VPC Association\",\r\n EventName == \"DescribeServiceLinkVirtualInterfaces\", \"Service Link Virtual Interface\",\r\n EventName == \"DescribeSnapshotAttribute\", \"Snapshot\",\r\n EventName == \"DescribeSnapshots\", \"Snapshot\",\r\n EventName == \"DescribeSnapshotTierStatus\", \"Snapshot\",\r\n EventName == \"DescribeSpotDatafeedSubscription\", \"Spot Datafeed Subscription\",\r\n EventName == \"DescribeSpotFleetInstances\", \"Spot Fleet\",\r\n EventName == \"DescribeSpotFleetRequestHistory\", \"Spot Fleet\",\r\n EventName == \"DescribeSpotFleetRequests\", \"Spot Fleet\",\r\n EventName == \"DescribeSpotInstanceRequests\", \"Spot Instance\",\r\n EventName == \"DescribeSpotPriceHistory\", \"Spot Price History\",\r\n EventName == \"DescribeStaleSecurityGroups\", \"VPC\",\r\n EventName == \"DescribeStoreImageTasks\", 
\"Store Image Task\",\r\n EventName == \"DescribeSubnets\", \"Subnet\",\r\n EventName == \"DescribeTags\", \"EC2 Tags\",\r\n EventName == \"DescribeTrafficMirrorFilterRules\", \"Traffic Mirror Filter Rule\",\r\n EventName == \"DescribeTrafficMirrorFilters\", \"Traffic Mirror Filter\",\r\n EventName == \"DescribeTrafficMirrorSessions\", \"Traffic Mirror Session\",\r\n EventName == \"DescribeTrafficMirrorTargets\", \"Traffic Mirror Target\",\r\n EventName == \"DescribeTransitGatewayAttachments\", \"Transit Gateway Attachment\",\r\n EventName == \"DescribeTransitGatewayConnectPeers\", \"Transit Gateway Connect Peer\",\r\n EventName == \"DescribeTransitGatewayConnects\", \"Transit Gateway Connect\",\r\n EventName == \"DescribeTransitGatewayMeteringPolicies\", \"Transit Gateway Metering Policy\",\r\n EventName == \"DescribeTransitGatewayMulticastDomains\", \"Transit Gateway Multicast Domain\",\r\n EventName == \"DescribeTransitGatewayPeeringAttachments\", \"Transit Gateway Peering Attachment\",\r\n EventName == \"DescribeTransitGatewayPolicyTables\", \"Transit Gateway Policy Table\",\r\n EventName == \"DescribeTransitGatewayRouteTableAnnouncements\", \"Transit Gateway Route Table Announcement\",\r\n EventName == \"DescribeTransitGatewayRouteTables\", \"Transit Gateway Route Table\",\r\n EventName == \"DescribeTransitGateways\", \"Transit Gateway\",\r\n EventName == \"DescribeTransitGatewayVpcAttachments\", \"Transit Gateway VPC Attachment\",\r\n EventName == \"DescribeTrunkInterfaceAssociations\", \"Trunk Interface Association\",\r\n EventName == \"DescribeVerifiedAccessEndpoints\", \"Verified Access Endpoint\",\r\n EventName == \"DescribeVerifiedAccessGroups\", \"Verified Access Group\",\r\n EventName == \"DescribeVerifiedAccessInstanceLoggingConfigurations\", \"Verified Access Instance Logging Configuration\",\r\n EventName == \"DescribeVerifiedAccessInstances\", \"Verified Access Instance\",\r\n EventName == \"DescribeVerifiedAccessTrustProviders\", \"Verified Access 
Trust Provider\",\r\n EventName == \"DescribeVolumeAttribute\", \"EBS Volume\",\r\n EventName == \"DescribeVolumes\", \"EBS Volume\",\r\n EventName == \"DescribeVolumesModifications\", \"EBS Volume\",\r\n EventName == \"DescribeVolumeStatus\", \"EBS Volume\",\r\n EventName == \"DescribeVpcAttribute\", \"VPC\",\r\n EventName == \"DescribeVpcBlockPublicAccessExclusions\", \"VPC BPA Exclusion\",\r\n EventName == \"DescribeVpcBlockPublicAccessOptions\", \"VPC BPA\",\r\n EventName == \"DescribeVpcClassicLink\", \"VPC Classic Link\",\r\n EventName == \"DescribeVpcClassicLinkDnsSupport\", \"VPC Classic Link\",\r\n EventName == \"DescribeVpcEncryptionControls\", \"VPC\",\r\n EventName == \"DescribeVpcEndpointAssociations\", \"VPC Endpoint\",\r\n EventName == \"DescribeVpcEndpointConnectionNotifications\", \"VPC Endpoint Connection Notification\",\r\n EventName == \"DescribeVpcEndpointConnections\", \"VPC Endpoint Connection\",\r\n EventName == \"DescribeVpcEndpoints\", \"VPC Endpoint\",\r\n EventName == \"DescribeVpcEndpointServiceConfigurations\", \"VPC Endpoint Service\",\r\n EventName == \"DescribeVpcEndpointServicePermissions\", \"Vpc Endpoint Service\",\r\n EventName == \"DescribeVpcEndpointServices\", \"VPC Endpoint Service\",\r\n EventName == \"DescribeVpcPeeringConnections\", \"VPC Peering Connection\",\r\n EventName == \"DescribeVpcs\", \"VPC\",\r\n EventName == \"DescribeVpnConcentrators\", \"VPN Concentrator\",\r\n EventName == \"DescribeVpnConnections\", \"VPN Connection\",\r\n EventName == \"DescribeVpnGateways\", \"VPN Gateway\",\r\n EventName == \"DetachClassicLinkVpc\", \"VPC\",\r\n EventName == \"DetachInternetGateway\", \"VPC\",\r\n EventName == \"DetachNetworkInterface\", \"Network Interface\",\r\n EventName == \"DetachVerifiedAccessTrustProvider\", \"Verified Access Trust Provider\",\r\n EventName == \"DetachVolume\", \"EC2 Instance\",\r\n EventName == \"DetachVpnGateway\", \"VPC\",\r\n EventName == \"DisableAddressTransfer\", \"Elastic IP 
Address\",\r\n EventName == \"DisableAllowedImagesSettings\", \"AMI\",\r\n EventName == \"DisableAwsNetworkPerformanceMetricSubscription\", \"Metric Subscription\",\r\n EventName == \"DisableCapacityManager\", \"Capacity Manager\",\r\n EventName == \"DisableEbsEncryptionByDefault\", \"EBS Encryption\",\r\n EventName == \"DisableFastLaunch\", \"AMI\",\r\n EventName == \"DisableFastSnapshotRestores\", \"Snapshot\",\r\n EventName == \"DisableImage\", \"AMI\",\r\n EventName == \"DisableImageBlockPublicAccess\", \"AMI\",\r\n EventName == \"DisableImageDeprecation\", \"AMI\",\r\n EventName == \"DisableImageDeregistrationProtection\", \"AMI\",\r\n EventName == \"DisableInstanceSqlHaStandbyDetections\", \"EC2 Instance\",\r\n EventName == \"DisableIpamOrganizationAdminAccount\", \"IPAM Account\",\r\n EventName == \"DisableIpamPolicy\", \"IPAM Policy\",\r\n EventName == \"DisableRouteServerPropagation\", \"Route Table\",\r\n EventName == \"DisableSerialConsoleAccess\", \"EC2 Serial Console\",\r\n EventName == \"DisableSnapshotBlockPublicAccess\", \"EBS Snapshot\",\r\n EventName == \"DisableTransitGatewayRouteTablePropagation\", \"Transit Gateway Route Table\",\r\n EventName == \"DisableVgwRoutePropagation\", \"Virtual Private Gateway\",\r\n EventName == \"DisableVpcClassicLink\", \"VPC Classic Link\",\r\n EventName == \"DisableVpcClassicLinkDnsSupport\", \"VPC Classic Link\",\r\n EventName == \"DisassociateAddress\", \"Elastic IP Address\",\r\n EventName == \"DisassociateCapacityReservationBillingOwner\", \"Capacity Reservation\",\r\n EventName == \"DisassociateClientVpnTargetNetwork\", \"Target Network\",\r\n EventName == \"DisassociateEnclaveCertificateIamRole\", \"IAM Role\",\r\n EventName == \"DisassociateIamInstanceProfile\", \"IAM Instance Profile Association\",\r\n EventName == \"DisassociateInstanceEventWindow\", \"Instance Event Window\",\r\n EventName == \"DisassociateIpamByoasn\", \"ASN\",\r\n EventName == \"DisassociateIpamResourceDiscovery\", \"IPAM Resource 
Discovery Association\",\r\n EventName == \"DisassociateNatGatewayAddress\", \"NAT Gateway\",\r\n EventName == \"DisassociateRouteServer\", \"VPC\",\r\n EventName == \"DisassociateRouteTable\", \"Route Table\",\r\n EventName == \"DisassociateSecurityGroupVpc\", \"VPC\",\r\n EventName == \"DisassociateSubnetCidrBlock\", \"Subnet\",\r\n EventName == \"DisassociateTransitGatewayMulticastDomain\", \"Transit Gateway Multicast Domain\",\r\n EventName == \"DisassociateTransitGatewayPolicyTable\", \"Transit Gateway Policy Table\",\r\n EventName == \"DisassociateTransitGatewayRouteTable\", \"Transit Gateway Route Table\",\r\n EventName == \"DisassociateTrunkInterface\", \"Trunk Interface Association\",\r\n EventName == \"DisassociateVpcCidrBlock\", \"VPC\",\r\n EventName == \"EnableAddressTransfer\", \"Elastic IP Address\",\r\n EventName == \"EnableAllowedImagesSettings\", \"AMI\",\r\n EventName == \"EnableAwsNetworkPerformanceMetricSubscription\", \"Metric Subscription\",\r\n EventName == \"EnableCapacityManager\", \"Capacity Manager\",\r\n EventName == \"EnableEbsEncryptionByDefault\", \"EBS Encryption\",\r\n EventName == \"EnableFastLaunch\", \"AMI\",\r\n EventName == \"EnableFastSnapshotRestores\", \"Snapshot\",\r\n EventName == \"EnableImage\", \"EC2 Instance\",\r\n EventName == \"EnableImageBlockPublicAccess\", \"AMI\",\r\n EventName == \"EnableImageDeprecation\", \"AMI\",\r\n EventName == \"EnableImageDeregistrationProtection\", \"AMI\",\r\n EventName == \"EnableInstanceSqlHaStandbyDetections\", \"EC2 Instance\",\r\n EventName == \"EnableIpamOrganizationAdminAccount\", \"VPC\",\r\n EventName == \"EnableIpamPolicy\", \"IPAM Policy\",\r\n EventName == \"EnableRouteServerPropagation\", \"Route Server\",\r\n EventName == \"EnableSerialConsoleAccess\", \"EC2 Serial Console\",\r\n EventName == \"EnableSnapshotBlockPublicAccess\", \"Snapshot\",\r\n EventName == \"EnableTransitGatewayRouteTablePropagation\", \"Transit Gateway Table Propagation\",\r\n EventName == 
\"EnableVgwRoutePropagation\", \"Virtual Private Gateway\",\r\n EventName == \"EnableVolumeIO\", \"EBS Volume\",\r\n EventName == \"EnableVpcClassicLink\", \"VPC Classic Link\",\r\n EventName == \"EnableVpcClassicLinkDnsSupport\", \"VPC Classic Link\",\r\n EventName == \"ExportClientVpnClientCertificateRevocationList\", \"Client VPN Client\",\r\n EventName == \"ExportClientVpnClientConfiguration\", \"Client VPN Client\",\r\n EventName == \"ExportImage\", \"AMI\",\r\n EventName == \"ExportTransitGatewayRoutes\", \"Transit Gateway Route Table\",\r\n EventName == \"ExportVerifiedAccessInstanceClientConfiguration\", \"Verfied Access Instance\",\r\n EventName == \"GetActiveVpnTunnelStatus\", \"VPN Connection\",\r\n EventName == \"GetAllowedImagesSettings\", \"AMI\",\r\n EventName == \"GetAssociatedEnclaveCertificateIamRoles\", \"IAM Role\",\r\n EventName == \"GetAssociatedIpv6PoolCidrs\", \"IPV6 Pool CIDR\",\r\n EventName == \"GetAwsNetworkPerformanceData\", \"Network Performance Data\",\r\n EventName == \"GetCapacityManagerAttributes\", \"Capacity Manager\",\r\n EventName == \"GetCapacityManagerMetricData\", \"Capacity Manager\",\r\n EventName == \"GetCapacityManagerMetricDimensions\", \"Capacity Manager\",\r\n EventName == \"GetCapacityReservationUsage\", \"Capacity Reservation\",\r\n EventName == \"GetCoipPoolUsage\", \"COIP Pool\",\r\n EventName == \"GetConsoleOutput\", \"EC2 Instance\",\r\n EventName == \"GetConsoleScreenshot\", \"EC2 Instance\",\r\n EventName == \"GetDeclarativePoliciesReportSummary\", \"Account Status Report\",\r\n EventName == \"GetDefaultCreditSpecification\", \"EC2 Instance\",\r\n EventName == \"GetEbsDefaultKmsKeyId\", \"AWS KMS Key\",\r\n EventName == \"GetEbsEncryptionByDefault\", \"EBS Encryption\",\r\n EventName == \"GetEnabledIpamPolicy\", \"IPAM Policy\",\r\n EventName == \"GetFlowLogsIntegrationTemplate\", \"Flow Logs\",\r\n EventName == \"GetGroupsForCapacityReservation\", \"Capacity Reservation\",\r\n EventName == 
\"GetHostReservationPurchasePreview\", \"Dedicated Host\",\r\n EventName == \"GetImageAncestry\", \"AMI\",\r\n EventName == \"GetImageBlockPublicAccessState\", \"AMI\",\r\n EventName == \"GetInstanceMetadataDefaults\", \"Instance Metadata Defaults\",\r\n EventName == \"GetInstanceTpmEkPub\", \"EC2 Instance\",\r\n EventName == \"GetInstanceTypesFromInstanceRequirements\", \"EC2 Instance\",\r\n EventName == \"GetInstanceUefiData\", \"EC2 Instance\",\r\n EventName == \"GetIpamAddressHistory\", \"IPAM Scope\",\r\n EventName == \"GetIpamDiscoveredAccounts\", \"IPAM Discovery\",\r\n EventName == \"GetIpamDiscoveredPublicAddresses\", \"IPAM Discovery\",\r\n EventName == \"GetIpamDiscoveredResourceCidrs\", \"IPAM Discovery\",\r\n EventName == \"GetIpamPolicyAllocationRules\", \"IPAM Policy\",\r\n EventName == \"GetIpamPolicyOrganizationTargets\", \"IPAM Policy\",\r\n EventName == \"GetIpamPoolAllocations\", \"IPAM Pool\",\r\n EventName == \"GetIpamPoolCidrs\", \"IPAM Pool\",\r\n EventName == \"GetIpamPrefixListResolverRules\", \"IPAM Prefix List Resolver\",\r\n EventName == \"GetIpamPrefixListResolverVersionEntries\", \"IPAM Prefix List Resolver\",\r\n EventName == \"GetIpamPrefixListResolverVersions\", \"IPAM Prefix List Resolver\",\r\n EventName == \"GetIpamResourceCidrs\", \"IPAM Pool\",\r\n EventName == \"GetLaunchTemplateData\", \"EC2 Instance\",\r\n EventName == \"GetManagedPrefixListAssociations\", \"Managed Prefix List\",\r\n EventName == \"GetManagedPrefixListEntries\", \"Managed Prefix List\",\r\n EventName == \"GetNetworkInsightsAccessScopeAnalysisFindings\", \"Network Insights Access Scope Analysis\",\r\n EventName == \"GetNetworkInsightsAccessScopeContent\", \"Network Insights Access Scope\",\r\n EventName == \"GetPasswordData\", \"EC2 Instance\",\r\n EventName == \"GetReservedInstancesExchangeQuote\", \"Reserved Instance\",\r\n EventName == \"GetRouteServerAssociations\", \"Route Server\",\r\n EventName == \"GetRouteServerPropagations\", \"Route Server\",\r\n 
EventName == \"GetRouteServerRoutingDatabase\", \"Route Server\",\r\n EventName == \"GetSecurityGroupsForVpc\", \"VPC\",\r\n EventName == \"GetSerialConsoleAccessStatus\", \"EC2 Serial Console\",\r\n EventName == \"GetSnapshotBlockPublicAccessState\", \"Snapshot\",\r\n EventName == \"GetSpotPlacementScores\", \"Spot Placement Score\",\r\n EventName == \"GetSubnetCidrReservations\", \"Subnet\",\r\n EventName == \"GetTransitGatewayAttachmentPropagations\", \"Transit Gateway Attachment\",\r\n EventName == \"GetTransitGatewayMeteringPolicyEntries\", \"Transit Gateway Metering Policy\",\r\n EventName == \"GetTransitGatewayMulticastDomainAssociations\", \"Transit Gateway Multicast Domain\",\r\n EventName == \"GetTransitGatewayPolicyTableAssociations\", \"Transit Gateway Policy Table\",\r\n EventName == \"GetTransitGatewayPolicyTableEntries\", \"Transit Gateway Policy Table\",\r\n EventName == \"GetTransitGatewayPrefixListReferences\", \"Transit Gateway Policy Table\",\r\n EventName == \"GetTransitGatewayRouteTableAssociations\", \"Transit Gateway Policy Table\",\r\n EventName == \"GetTransitGatewayRouteTablePropagations\", \"Transit Gateway Policy Table\",\r\n EventName == \"GetVerifiedAccessEndpointPolicy\", \"Verified Access Endpoint\",\r\n EventName == \"GetVerifiedAccessEndpointTargets\", \"Verified Access Endpoint\",\r\n EventName == \"GetVerifiedAccessGroupPolicy\", \"Verified Access Group Policy\",\r\n EventName == \"GetVpcResourcesBlockingEncryptionEnforcement\", \"VPC\",\r\n EventName == \"GetVpnConnectionDeviceSampleConfiguration\", \"VPN Connection\",\r\n EventName == \"GetVpnConnectionDeviceTypes\", \"VPN Connection\",\r\n EventName == \"GetVpnTunnelReplacementStatus\", \"VPN Connection\",\r\n EventName == \"ImportClientVpnClientCertificateRevocationList\", \"VPN Connection\",\r\n EventName == \"ImportImage\", \"AMI\",\r\n EventName == \"ImportInstance\", \"EC2 Instance\",\r\n EventName == \"ImportKeyPair\", \"Key Pair\",\r\n EventName == \"ImportSnapshot\", 
\"EBS Snapshot\",\r\n EventName == \"ImportVolume\", \"EBS Volume\",\r\n EventName == \"ListImagesInRecycleBin\", \"AMI\",\r\n EventName == \"ListSnapshotsInRecycleBin\", \"EBS Snapshot\",\r\n EventName == \"ListVolumesInRecycleBin\", \"EBS Volume\",\r\n EventName == \"LockSnapshot\", \"EBS Snapshot\",\r\n EventName == \"ModifyAddressAttribute\", \"Elastic IP address\",\r\n EventName == \"ModifyAvailabilityZoneGroup\", \"Availability Zone Group\",\r\n EventName == \"ModifyCapacityReservation\", \"Capacity Reservation\",\r\n EventName == \"ModifyCapacityReservationFleet\", \"Capacity Reservation Fleet\",\r\n EventName == \"ModifyClientVpnEndpoint\", \"Client VPN Endpoint\",\r\n EventName == \"ModifyDefaultCreditSpecification\", \"EC2 Instance\",\r\n EventName == \"ModifyEbsDefaultKmsKeyId\", \"EBS KMS Key\",\r\n EventName == \"ModifyFleet\", \"EC2 Fleet\",\r\n EventName == \"ModifyFpgaImageAttribute\", \"FPGA Image\",\r\n EventName == \"ModifyHosts\", \"Dedicated Host\",\r\n EventName == \"ModifyIdentityIdFormat\", \"EC2 Resources\",\r\n EventName == \"ModifyIdFormat\", \"EC2 Resources\",\r\n EventName == \"ModifyImageAttribute\", \"AMI\",\r\n EventName == \"ModifyInstanceAttribute\", \"EC2 Instance\",\r\n EventName == \"ModifyInstanceCapacityReservationAttributes\", \"EC2 Instance\",\r\n EventName == \"ModifyInstanceConnectEndpoint\", \"Instance Connect Endpoint\",\r\n EventName == \"ModifyInstanceCpuOptions\", \"EC2 Instance\",\r\n EventName == \"ModifyInstanceCreditSpecification\", \"EC2 Instance\",\r\n EventName == \"ModifyInstanceEventStartTime\", \"EC2 Instance\",\r\n EventName == \"ModifyInstanceEventWindow\", \"Instance Event Window\",\r\n EventName == \"ModifyInstanceMaintenanceOptions\", \"IMDS\",\r\n EventName == \"ModifyInstanceMetadataDefaults\", \"EC2 Instance\",\r\n EventName == \"ModifyInstanceMetadataOptions\", \"EC2 Instance\",\r\n EventName == \"ModifyInstanceNetworkPerformanceOptions\", \"EC2 Instance\",\r\n EventName == 
\"ModifyInstancePlacement\", \"EC2 Instance\",\r\n EventName == \"ModifyIpam\", \"IPAM\",\r\n EventName == \"ModifyIpamPolicyAllocationRules\", \"IPAM Policy\",\r\n EventName == \"ModifyIpamPool\", \"IPAM Pool\",\r\n EventName == \"ModifyIpamPrefixListResolver\", \"IPAM Prefix List Resolver\",\r\n EventName == \"ModifyIpamPrefixListResolverTarget\", \"IPAM Prefix List Resolver Target\",\r\n EventName == \"ModifyIpamResourceCidr\", \"IPAM Resource\",\r\n EventName == \"ModifyIpamResourceDiscovery\", \"IPAM Resource Discovery\",\r\n EventName == \"ModifyIpamScope\", \"IPAM Scope\",\r\n EventName == \"ModifyLaunchTemplate\", \"Launch Template\",\r\n EventName == \"ModifyLocalGatewayRoute\", \"Local Gateway Route Table\",\r\n EventName == \"ModifyManagedPrefixList\", \"Managed Prefix List\",\r\n EventName == \"ModifyNetworkInterfaceAttribute\", \"Network Interface\",\r\n EventName == \"ModifyPrivateDnsNameOptions\", \"EC2 Instance\",\r\n EventName == \"ModifyPublicIpDnsNameOptions\", \"Network Interface\",\r\n EventName == \"ModifyReservedInstances\", \"Reserved Instance\",\r\n EventName == \"ModifyRouteServer\", \"Route Server\",\r\n EventName == \"ModifySecurityGroupRules\", \"SecurityGroup\",\r\n EventName == \"ModifySnapshotAttribute\", \"EBS Snapshot\",\r\n EventName == \"ModifySnapshotTier\", \"EBS Snapshot\",\r\n EventName == \"ModifySpotFleetRequest\", \"Spot Fleet Request\",\r\n EventName == \"ModifySubnetAttribute\", \"Subnet\",\r\n EventName == \"ModifyTrafficMirrorFilterNetworkServices\", \"Traffic Mirror Filter\",\r\n EventName == \"ModifyTrafficMirrorFilterRule\", \"Traffic Mirror Filter Rule\",\r\n EventName == \"ModifyTrafficMirrorSession\", \"Traffic Mirror Session\",\r\n EventName == \"ModifyTransitGateway\", \"Transit Gateway\",\r\n EventName == \"ModifyTransitGatewayMeteringPolicy\", \"Transit Gateway Metering Policy\",\r\n EventName == \"ModifyTransitGatewayPrefixListReference\", \"Transit Gateway Prefix List Reference\",\r\n EventName == 
\"ModifyTransitGatewayVpcAttachment\", \"Transit Gateway VPC Attachment\",\r\n EventName == \"ModifyVerifiedAccessEndpoint\", \"Verified Access Endpoint\",\r\n EventName == \"ModifyVerifiedAccessEndpointPolicy\", \"Verified Access Endpoint Policy\",\r\n EventName == \"ModifyVerifiedAccessGroup\", \"Verified Access Group\",\r\n EventName == \"ModifyVerifiedAccessGroupPolicy\", \"Verified Access Group Policy\",\r\n EventName == \"ModifyVerifiedAccessInstance\", \"Verified Access Instance\",\r\n EventName == \"ModifyVerifiedAccessInstanceLoggingConfiguration\", \"Verified Access Instance\",\r\n EventName == \"ModifyVerifiedAccessTrustProvider\", \"Verified Access Trust Provider\",\r\n EventName == \"ModifyVolume\", \"EBS Volume\",\r\n EventName == \"ModifyVolumeAttribute\", \"EBS Volume\",\r\n EventName == \"ModifyVpcAttribute\", \"VPC\",\r\n EventName == \"ModifyVpcBlockPublicAccessExclusion\", \"VPC BPA Exclusion\",\r\n EventName == \"ModifyVpcBlockPublicAccessOptions\", \"VPC BPA\",\r\n EventName == \"ModifyVpcEncryptionControl\", \"VPC Encryption\",\r\n EventName == \"ModifyVpcEndpoint\", \"VPC Endpoint\",\r\n EventName == \"ModifyVpcEndpointConnectionNotification\", \"VPC Endpoint Connection Notification\",\r\n EventName == \"ModifyVpcEndpointServiceConfiguration\", \"VPC Endpoint Service\",\r\n EventName == \"ModifyVpcEndpointServicePayerResponsibility\", \"VPC Endpoint Service\",\r\n EventName == \"ModifyVpcEndpointServicePermissions\", \"VPC Endpoint Service\",\r\n EventName == \"ModifyVpcPeeringConnectionOptions\", \"VPC Peering Connection\",\r\n EventName == \"ModifyVpcTenancy\", \"VPC\",\r\n EventName == \"ModifyVpnConnection\", \"VPN Connection\",\r\n EventName == \"ModifyVpnConnectionOptions\", \"VPN Connection\",\r\n EventName == \"ModifyVpnTunnelCertificate\", \"VPN Connection\",\r\n EventName == \"ModifyVpnTunnelOptions\", \"VPN Connection\",\r\n EventName == \"MonitorInstances\", \"EC2 Instance\",\r\n EventName == \"MoveAddressToVpc\", \"Elastic Ip 
Address\",\r\n EventName == \"MoveByoipCidrToIpam\", \"BYOIP CIDR\",\r\n EventName == \"MoveCapacityReservationInstances\", \"Capacity Reservation\",\r\n EventName == \"ProvisionByoipCidr\", \"Elastic IP address\",\r\n EventName == \"ProvisionIpamByoasn\", \"ASN\",\r\n EventName == \"ProvisionIpamPoolCidr\", \"IPAM Pool\",\r\n EventName == \"ProvisionPublicIpv4PoolCidr\", \"Public Ipv4 Pool\",\r\n EventName == \"PurchaseCapacityBlock\", \"Capacity Block\",\r\n EventName == \"PurchaseCapacityBlockExtension\", \"Capacity Block\",\r\n EventName == \"PurchaseHostReservation\", \"Dedicated Host\",\r\n EventName == \"PurchaseReservedInstancesOffering\", \"Reserved Instance\",\r\n EventName == \"PurchaseScheduledInstances\", \"Scheduled Instance\",\r\n EventName == \"RebootInstances\", \"EC2 Instance\",\r\n EventName == \"RegisterImage\", \"AMI\",\r\n EventName == \"RegisterInstanceEventNotificationAttributes\", \"Instance Event Notification Attribute\",\r\n EventName == \"RegisterTransitGatewayMulticastGroupMembers\", \"Transit Gateway Multicast Domain\",\r\n EventName == \"RegisterTransitGatewayMulticastGroupSources\", \"Transit Gateway Multicast Group Source\",\r\n EventName == \"RejectCapacityReservationBillingOwnership\", \"Capacity Reservation\",\r\n EventName == \"RejectTransitGatewayMulticastDomainAssociations\", \"Transit Gateway Multicast Domain\",\r\n EventName == \"RejectTransitGatewayPeeringAttachment\", \"Transit Gateway Attachment\",\r\n EventName == \"RejectTransitGatewayVpcAttachment\", \"Transit Gateway VPC Attachment\",\r\n EventName == \"RejectVpcEndpointConnections\", \"VPC\",\r\n EventName == \"RejectVpcPeeringConnection\", \"VPC\",\r\n EventName == \"ReleaseAddress\", \"Elastic IP address\",\r\n EventName == \"ReleaseHosts\", \"Dedicated Host\",\r\n EventName == \"ReleaseIpamPoolAllocation\", \"IPAM Pool Allocation\",\r\n EventName == \"ReplaceIamInstanceProfileAssociation\", \"IAM Instance Profile Association\",\r\n EventName == 
\"ReplaceImageCriteriaInAllowedImagesSettings\", \"AMI\",\r\n EventName == \"ReplaceNetworkAclAssociation\", \"Network ACL\",\r\n EventName == \"ReplaceNetworkAclEntry\", \"Network ACL\",\r\n EventName == \"ReplaceRoute\", \"VPC Endpoint\",\r\n EventName == \"ReplaceRouteTableAssociation\", \"Subnet\",\r\n EventName == \"ReplaceTransitGatewayRoute\", \"Transit Gateway Route Table\",\r\n EventName == \"ReplaceVpnTunnel\", \"VPN Connection\",\r\n EventName == \"ReportInstanceStatus\", \"EC2 Instance\",\r\n EventName == \"RequestSpotFleet\", \"Spot Fleet Request\",\r\n EventName == \"RequestSpotInstances\", \"Spot Instance\",\r\n EventName == \"ResetAddressAttribute\", \"Elastic IP address\",\r\n EventName == \"ResetEbsDefaultKmsKeyId\", \"EBS KMS Key\",\r\n EventName == \"ResetFpgaImageAttribute\", \"FPGA Image\",\r\n EventName == \"ResetImageAttribute\", \"AMI\",\r\n EventName == \"ResetInstanceAttribute\", \"EC2 Instance\",\r\n EventName == \"ResetNetworkInterfaceAttribute\", \"Network Interface\",\r\n EventName == \"ResetSnapshotAttribute\", \"Snapshot\",\r\n EventName == \"RestoreAddressToClassic\", \"Elastic Ip Address\",\r\n EventName == \"RestoreImageFromRecycleBin\", \"Snapshot\",\r\n EventName == \"RestoreManagedPrefixListVersion\", \"Managed Prefix List\",\r\n EventName == \"RestoreSnapshotFromRecycleBin\", \"EBS Snapshot\",\r\n EventName == \"RestoreSnapshotTier\", \"EBS Snapshot\",\r\n EventName == \"RestoreVolumeFromRecycleBin\", \"EBS Volume\",\r\n EventName == \"RevokeClientVpnIngress\", \"VPN Connection\",\r\n EventName == \"RevokeSecurityGroupEgress\", \"Security Group\",\r\n EventName == \"RevokeSecurityGroupIngress\", \"Security Group\",\r\n EventName == \"RunInstances\", \"EC2 Instance\",\r\n EventName == \"RunScheduledInstances\", \"EC2 Instance\",\r\n EventName == \"SearchLocalGatewayRoutes\", \"Local Gateway Route Table\",\r\n EventName == \"SearchTransitGatewayMulticastGroups\", \"Transit Gateway Multicast Group\",\r\n EventName == 
\"SearchTransitGatewayRoutes\", \"Transit Gateway Route Table\",\r\n EventName == \"SendDiagnosticInterrupt\", \"EC2 Instance\",\r\n EventName == \"StartDeclarativePoliciesReport\", \"Policies Report\",\r\n EventName == \"StartInstances\", \"EC2 Instance\",\r\n EventName == \"StartNetworkInsightsAccessScopeAnalysis\", \"Network Insights Access Scope Analysis\",\r\n EventName == \"StartNetworkInsightsAnalysis\", \"Network Insights Analysis\",\r\n EventName == \"StartVpcEndpointServicePrivateDnsVerification\", \"DNS\",\r\n EventName == \"StopInstances\", \"EC2 Instance\",\r\n EventName == \"TerminateClientVpnConnections\", \"Client VPN Endpoint\",\r\n EventName == \"TerminateInstances\", \"EC2 Instance\",\r\n EventName == \"UnassignIpv6Addresses\", \"Network Interface\",\r\n EventName == \"UnassignPrivateIpAddresses\", \"Network Interface\",\r\n EventName == \"UnassignPrivateNatGatewayAddress\", \"NAT Gateway Address\",\r\n EventName == \"UnlockSnapshot\", \"EBS Snapshot\",\r\n EventName == \"UnmonitorInstances\", \"EC2 Instance\",\r\n EventName == \"UpdateCapacityManagerOrganizationsAccess\", \"Capacity Manager\",\r\n EventName == \"UpdateInterruptibleCapacityReservationAllocation\", \"Capacity Reservation\",\r\n EventName == \"UpdateSecurityGroupRuleDescriptionsEgress\", \"Security Group\",\r\n EventName == \"UpdateSecurityGroupRuleDescriptionsIngress\", \"Security Group\",\r\n EventName == \"WithdrawByoipCidr\", \"BYOIP CIDR\",\r\n \"\"\r\n )\r\n | extend ObjectId = case(\r\n EventName == \"AcceptAddressTransfer\", ResponseElements.addressTransfer,\r\n EventName == \"AcceptCapacityReservationBillingOwnership\", RequestParameters.CapacityReservationId,\r\n EventName == \"AcceptReservedInstancesExchangeQuote\", ResponseElements.exchangeId,\r\n EventName == \"AcceptTransitGatewayMulticastDomainAssociations\", RequestParameters.TransitGatewayAttachmentId,\r\n EventName == \"AcceptTransitGatewayPeeringAttachment\", RequestParameters.TransitGatewayAttachmentId,\r\n 
EventName == \"AcceptTransitGatewayVpcAttachment\", RequestParameters.TransitGatewayAttachmentId,\r\n EventName == \"AcceptVpcEndpointConnections\", RequestParameters.ServiceId,\r\n EventName == \"AcceptVpcPeeringConnection\", ResponseElements.vpcPeeringConnection.vpcPeeringConnectionId,\r\n EventName == \"AdvertiseByoipCidr\", ResponseElements.byoipCidr.cidr,\r\n EventName == \"AllocateAddress\", ResponseElements.allocationId,\r\n EventName == \"AllocateHosts\", ResponseElements.hostIdSet,\r\n EventName == \"AllocateIpamPoolCidr\", ResponseElements.ipamPoolAllocation.ipamPoolAllocationId,\r\n EventName == \"ApplySecurityGroupsToClientVpnTargetNetwork\", RequestParameters.ClientVpnEndpointId,\r\n EventName == \"AssignIpv6Addresses\", RequestParameters.NetworkInterfaceId,\r\n EventName == \"AssignPrivateIpAddresses\", RequestParameters.NetworkInterfaceId,\r\n EventName == \"AssignPrivateNatGatewayAddress\", RequestParameters.NatGatewayId,\r\n EventName == \"AssociateAddress\", RequestParameters.NetworkInterfaceId,\r\n EventName == \"AssociateCapacityReservationBillingOwner\", RequestParameters.CapacityReservationId,\r\n EventName == \"AssociateClientVpnTargetNetwork\", RequestParameters.ClientVpnEndpointId,\r\n EventName == \"AssociateDhcpOptions\", RequestParameters.VpcId,\r\n EventName == \"AssociateEnclaveCertificateIamRole\", RequestParameters.CertificateArn,\r\n EventName == \"AssociateIamInstanceProfile\", RequestParameters.InstanceId,\r\n EventName == \"AssociateInstanceEventWindow\", RequestParameters.InstanceEventWindowId,\r\n EventName == \"AssociateIpamByoasn\", RequestParameters.Asn,\r\n EventName == \"AssociateIpamResourceDiscovery\", ResponseElements.ipamResourceDiscoveryAssociation.ipamResourceDiscoveryAssociationId,\r\n EventName == \"AssociateNatGatewayAddress\", ResponseElements.natGatewayId,\r\n EventName == \"AssociateRouteServer\", RequestParameters.RouteServerId,\r\n EventName == \"AssociateRouteTable\", ResponseElements.associationId,\r\n 
EventName == \"AssociateSecurityGroupVpc\", RequestParameters.VpcId,\r\n EventName == \"AssociateSubnetCidrBlock\", ResponseElements.subnetId,\r\n EventName == \"AssociateTransitGatewayMulticastDomain\", RequestParameters.TransitGatewayMulticastDomainId,\r\n EventName == \"AssociateTransitGatewayPolicyTable\", RequestParameters.TransitGatewayPolicyTableId,\r\n EventName == \"AssociateTransitGatewayRouteTable\", RequestParameters.TransitGatewayRouteTableId,\r\n EventName == \"AssociateTrunkInterface\", RequestParameters.TrunkInterfaceId,\r\n EventName == \"AssociateVpcCidrBlock\", RequestParameters.VpcId,\r\n EventName == \"AttachClassicLinkVpc\", RequestParameters.VpcId,\r\n EventName == \"AttachInternetGateway\", RequestParameters.VpcId,\r\n EventName == \"AttachNetworkInterface\", RequestParameters.InstanceId,\r\n EventName == \"AttachVerifiedAccessTrustProvider\", RequestParameters.VerifiedAccessInstanceId,\r\n EventName == \"AttachVolume\", RequestParameters.InstanceId,\r\n EventName == \"AttachVpnGateway\", RequestParameters.VpcId,\r\n EventName == \"AuthorizeClientVpnIngress\", RequestParameters.ClientVpnEndpointId,\r\n EventName == \"AuthorizeSecurityGroupEgress\", RequestParameters.GroupId,\r\n EventName == \"AuthorizeSecurityGroupIngress\", RequestParameters.GroupId,\r\n EventName == \"BundleInstance\", RequestParameters.InstanceId,\r\n EventName == \"CancelBundleTask\", RequestParameters.BundleId,\r\n EventName == \"CancelCapacityReservation\", RequestParameters.CapacityReservationId,\r\n EventName == \"CancelCapacityReservationFleets\", RequestParameters.CapacityReservationFleetId,\r\n EventName == \"CancelConversionTask\", RequestParameters.ConversionTaskId,\r\n EventName == \"CancelDeclarativePoliciesReport\", RequestParameters.ReportId,\r\n EventName == \"CancelExportTask\", RequestParameters.ExportTaskId,\r\n EventName == \"CancelImageLaunchPermission\", RequestParameters.ImageId,\r\n EventName == \"CancelImportTask\", 
ResponseElements.importTaskId,\r\n EventName == \"CancelReservedInstancesListing\", RequestParameters.ReservedInstancesListingId,\r\n EventName == \"CancelSpotFleetRequests\", RequestParameters.SpotFleetRequestId,\r\n EventName == \"CancelSpotInstanceRequests\", RequestParameters.SpotInstanceRequestId,\r\n EventName == \"ConfirmProductInstance\", RequestParameters.InstanceId,\r\n EventName == \"CopyFpgaImage\", ResponseElements.fpgaImageId,\r\n EventName == \"CopyImage\", ResponseElements.imageId,\r\n EventName == \"CopySnapshot\", ResponseElements.snapshotId,\r\n EventName == \"CopyVolumes\", ResponseElements.volumeSet,\r\n EventName == \"CreateCapacityManagerDataExport\", ResponseElements.capacityManagerDataExportId,\r\n EventName == \"CreateCapacityReservation\", ResponseElements.capacityReservation.capacityReservationId,\r\n EventName == \"CreateCapacityReservationBySplitting\", ResponseElements.destinationCapacityReservation.destinationCapacitySplittingId,\r\n EventName == \"CreateCapacityReservationFleet\", ResponseElements.capacityReservationFleetId,\r\n EventName == \"CreateCarrierGateway\", ResponseElements.carrierGateway.carrierGatewayId,\r\n EventName == \"CreateClientVpnEndpoint\", ResponseElements.clientVpnEndpointId,\r\n EventName == \"CreateClientVpnRoute\", RequestParameters.ClientVpnEndpointId,\r\n EventName == \"CreateCoipCidr\", RequestParameters.CoipPoolId,\r\n EventName == \"CreateCoipPool\", ResponseElements.coipPool.poolId,\r\n EventName == \"CreateCustomerGateway\", ResponseElements.customerGateway.customerGatewayId,\r\n EventName == \"CreateDefaultSubnet\", ResponseElements.subnet.subnetId,\r\n EventName == \"CreateDefaultVpc\", ResponseElements.vpc.vpcId,\r\n EventName == \"CreateDelegateMacVolumeOwnershipTask\", ResponseElements.macModificationTask.macModificationTaskId,\r\n EventName == \"CreateDhcpOptions\", ResponseElements.dhcpOptions.dhcpOptionsId,\r\n EventName == \"CreateEgressOnlyInternetGateway\", 
ResponseElements.egressOnlyInternetGateway.vpcId,\r\n EventName == \"CreateFleet\", ResponseElements.fleetId,\r\n EventName == \"CreateFlowLogs\", ResponseElements.flowLogIdSet,\r\n EventName == \"CreateFpgaImage\", ResponseElements.fpgaImageGlobalId,\r\n EventName == \"CreateImage\", ResponseElements.imageId,\r\n EventName == \"CreateImageUsageReport\", ResponseElements.reportId,\r\n EventName == \"CreateInstanceConnectEndpoint\", ResponseElements.instanceConnectEndpoint.instanceConnectEndpointId,\r\n EventName == \"CreateInstanceEventWindow\", ResponseElements.instanceEventWindow.instanceEventWindowId,\r\n EventName == \"CreateInstanceExportTask\", ResponseElements.exportTask.exportTaskId,\r\n EventName == \"CreateInternetGateway\", ResponseElements.internetGateway.internetGatewayId,\r\n EventName == \"CreateInterruptibleCapacityReservationAllocation\", ResponseElements.sourceCapacityReservationId,\r\n EventName == \"CreateIpam\", ResponseElements.ipam.ipamId,\r\n EventName == \"CreateIpamExternalResourceVerificationToken\", ResponseElements.ipamExternalResourceVerificationToken.ipamExternalResourceVerificationTokenId,\r\n EventName == \"CreateIpamPolicy\", ResponseElements.ipamPolicy.ipamPolicyId,\r\n EventName == \"CreateIpamPool\", ResponseElements.ipamPool.ipamPoolId,\r\n EventName == \"CreateIpamPrefixListResolver\", ResponseElements.ipamPrefixListResolver.ipamPrefixListResolverId,\r\n EventName == \"CreateIpamPrefixListResolverTarget\", ResponseElements.ipamPrefixListResolverTarget.ipamPrefixListResolverTargetId,\r\n EventName == \"CreateIpamResourceDiscovery\", ResponseElements.ipamResourceDiscovery.ipamResourceDiscoveryId,\r\n EventName == \"CreateIpamScope\", ResponseElements.ipamScope.ipamScopeId,\r\n EventName == \"CreateKeyPair\", ResponseElements.keyPairId,\r\n EventName == \"CreateLaunchTemplate\", ResponseElements.launchTemplate.launchTemplateId,\r\n EventName == \"CreateLaunchTemplateVersion\", ResponseElements.launchTemplateVersion.imageId,\r\n 
EventName == \"CreateLocalGatewayRoute\", ResponseElements.route.localGatewayRouteTableId,\r\n EventName == \"CreateLocalGatewayRouteTable\", ResponseElements.localGatewayRouteTable.localGatewayRouteTableId,\r\n EventName == \"CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation\", ResponseElements.localGatewayRouteTableVirtualInterfaceGroupAssociation.localGatewayRouteTableVirtualInterfaceGroupAssociationId,\r\n EventName == \"CreateLocalGatewayRouteTableVpcAssociation\", ResponseElements.localGatewayRouteTableVpcAssociation.localGatewayRouteTableVpcAssociationId,\r\n EventName == \"CreateLocalGatewayVirtualInterface\", ResponseElements.localGatewayVirtualInterface.localGatewayVirtualInterfaceId,\r\n EventName == \"CreateLocalGatewayVirtualInterfaceGroup\", ResponseElements.localGatewayVirtualInterfaceGroup.localGatewayVirtualInterfaceGroupId,\r\n EventName == \"CreateMacSystemIntegrityProtectionModificationTask\", ResponseElements.macModificationTask.macModificationTaskId,\r\n EventName == \"CreateManagedPrefixList\", ResponseElements.prefixList.prefixListId,\r\n EventName == \"CreateNatGateway\", ResponseElements.natGateway.natGatewayId,\r\n EventName == \"CreateNetworkAcl\", ResponseElements.networkAcl.networkAclId,\r\n EventName == \"CreateNetworkAclEntry\", RequestParameters.NetworkAclId,\r\n EventName == \"CreateNetworkInsightsAccessScope\", ResponseElements.networkInsightsAccessScope.networkInsightsAccessScopeId,\r\n EventName == \"CreateNetworkInsightsPath\", ResponseElements.networkInsightsPath.networkInsightsPathId,\r\n EventName == \"CreateNetworkInterface\", ResponseElements.networkInterface.networkInterfaceId,\r\n EventName == \"CreateNetworkInterfacePermission\", ResponseElements.interfacePermission.interfacePermissionId,\r\n EventName == \"CreatePlacementGroup\", ResponseElements.placementGroup.placementGroupId,\r\n EventName == \"CreatePublicIpv4Pool\", ResponseElements.poolId,\r\n EventName == \"CreateReplaceRootVolumeTask\", 
ResponseElements.replaceRootVolumeTask.replaceRootVolumeTaskId,\r\n EventName == \"CreateReservedInstancesListing\", RequestParameters.ReservedInstancesId,\r\n EventName == \"CreateRestoreImageTask\", ResponseElements.imageId,\r\n EventName == \"CreateRoute\", RequestParameters.RouteTableId,\r\n EventName == \"CreateRouteServer\", ResponseElements.routeServer.routeServerId,\r\n EventName == \"CreateRouteServerEndpoint\", ResponseElements.routeServerEndpoint.routeServerEndpointId,\r\n EventName == \"CreateRouteServerPeer\", ResponseElements.routeServerPeer.routeServerPeerId,\r\n EventName == \"CreateRouteTable\", ResponseElements.routeTable.routeTableId,\r\n EventName == \"CreateSecondaryNetwork\", ResponseElements.secondaryNetwork.secondaryNetworkId,\r\n EventName == \"CreateSecondarySubnet\", ResponseElements.secondarySubnet.secondarySubnetId,\r\n EventName == \"CreateSecurityGroup\", ResponseElements.groupId,\r\n EventName == \"CreateSnapshot\", ResponseElements.snapshotId,\r\n EventName == \"CreateSnapshots\", ResponseElements.snapshotSet.snapshotId,\r\n EventName == \"CreateSpotDatafeedSubscription\", ResponseElements.spotDatafeedSubscription.spotDatafeedSubscriptionId,\r\n EventName == \"CreateStoreImageTask\", ResponseElements.objectKey,\r\n EventName == \"CreateSubnet\", ResponseElements.subnet.subnetId,\r\n EventName == \"CreateSubnetCidrReservation\", ResponseElements.subnetCidrReservation.subnetCidrReservationId,\r\n EventName == \"CreateTags\", RequestParameters.resourcesSet.items,\r\n EventName == \"CreateTrafficMirrorFilter\", ResponseElements.trafficMirrorFilter.trafficMirrorFilterId,\r\n EventName == \"CreateTrafficMirrorFilterRule\", ResponseElements.trafficMirrorFilterRule.trafficMirrorFilterRuleId,\r\n EventName == \"CreateTrafficMirrorSession\", ResponseElements.trafficMirrorSession.trafficMirrorSessionId,\r\n EventName == \"CreateTrafficMirrorTarget\", ResponseElements.trafficMirrorTarget.trafficMirrorTargetId,\r\n EventName == 
\"CreateTransitGateway\", ResponseElements.transitGateway.transitGatewayId,\r\n EventName == \"CreateTransitGatewayConnect\", ResponseElements.transitGatewayConnect.transitGatewayGonnectId,\r\n EventName == \"CreateTransitGatewayConnectPeer\", ResponseElements.transitGatewayConnectPeer.transitGatewayConnectPeerId,\r\n EventName == \"CreateTransitGatewayMeteringPolicy\", ResponseElements.transitGatewayMeteringPolicy.transitGatewayMeteringPolicyId,\r\n EventName == \"CreateTransitGatewayMeteringPolicyEntry\", ResponseElements.transitGatewayMeteringPolicyEntry.transitGatewayMeteringPolicyEntryId,\r\n EventName == \"CreateTransitGatewayMulticastDomain\", ResponseElements.transitGatewayMulticastDomain.transitGatewayId,\r\n EventName == \"CreateTransitGatewayPeeringAttachment\", ResponseElements.transitGatewayPeeringAttachment.transitGatewayPeeringAttachmentId,\r\n EventName == \"CreateTransitGatewayPolicyTable\", ResponseElements.transitGatewayPolicyTable.transitGatewayPolicyTableId,\r\n EventName == \"CreateTransitGatewayPrefixListReference\", ResponseElements.transitGatewayPrefixListReference.transitGatewayRouteTableId,\r\n EventName == \"CreateTransitGatewayRoute\", RequestParameters.TransitGatewayRouteTableId,\r\n EventName == \"CreateTransitGatewayRouteTable\", ResponseElements.transitGatewayRouteTable.transitGatewayRouteTableId,\r\n EventName == \"CreateTransitGatewayRouteTableAnnouncement\", ResponseElements.transitGatewayRouteTableAnnouncement.transitGatewayRouteTableAnnouncementId,\r\n EventName == \"CreateTransitGatewayVpcAttachment\", RequestParameters.TransitGatewayId,\r\n EventName == \"CreateVerifiedAccessEndpoint\", ResponseElements.verifiedAccessEndpoint.verifiedAccessEndpointId,\r\n EventName == \"CreateVerifiedAccessGroup\", ResponseElements.verifiedAccessGroup.verifiedAccessGroupId,\r\n EventName == \"CreateVerifiedAccessInstance\", ResponseElements.verifiedAccessInstance.verifiedAccessInstanceId,\r\n EventName == 
\"CreateVerifiedAccessTrustProvider\", ResponseElements.verifiedAccessTrustProvider.verifiedAccessTrustProviderId,\r\n EventName == \"CreateVolume\", ResponseElements.volumeId,\r\n EventName == \"CreateVpc\", ResponseElements.vpc.vpcId,\r\n EventName == \"CreateVpcBlockPublicAccessExclusion\", ResponseElements.vpcBlockPublicAccessExclusion.vpcBlockPublicAccessExclusionId,\r\n EventName == \"CreateVpcEncryptionControl\", ResponseElements.vpcEncryptionControl.vpcEncryptionControlId,\r\n EventName == \"CreateVpcEndpoint\", ResponseElements.vpcEndpoint.vpcEndpointId,\r\n EventName == \"CreateVpcEndpointConnectionNotification\", ResponseElements.connectionNotification.connectionNotificationId,\r\n EventName == \"CreateVpcEndpointServiceConfiguration\", ResponseElements.serviceConfiguration.serviceId,\r\n EventName == \"CreateVpcPeeringConnection\", ResponseElements.vpcPeeringConnection.vpcPeeringConnectionId,\r\n EventName == \"CreateVpnConcentrator\", ResponseElements.vpnConcentrator.vpnConcentratorId,\r\n EventName == \"CreateVpnConnection\", ResponseElements.vpnConnection.vpnConnectionId,\r\n EventName == \"CreateVpnConnectionRoute\", RequestParameters.VpnConnectionId,\r\n EventName == \"CreateVpnGateway\", ResponseElements.vpnGateway.vpnGatewayId,\r\n EventName == \"DeleteCapacityManagerDataExport\", ResponseElements.capacityManagerDataExportId,\r\n EventName == \"DeleteCarrierGateway\", RequestParameters.CarrierGatewayId,\r\n EventName == \"DeleteClientVpnEndpoint\", RequestParameters.ClientVpnEndpointId,\r\n EventName == \"DeleteClientVpnRoute\", RequestParameters.ClientVpnEndpointId,\r\n EventName == \"DeleteCoipCidr\", RequestParameters.CoipPoolId,\r\n EventName == \"DeleteCoipPool\", RequestParameters.CoipPoolId,\r\n EventName == \"DeleteCustomerGateway\", RequestParameters.CustomerGatewayId,\r\n EventName == \"DeleteDhcpOptions\", RequestParameters.DhcpOptionsId,\r\n EventName == \"DeleteEgressOnlyInternetGateway\", 
RequestParameters.EgressOnlyInternetGatewayId,\r\n EventName == \"DeleteFleets\", RequestParameters.FleetId,\r\n EventName == \"DeleteFlowLogs\", RequestParameters.FlowLogId,\r\n EventName == \"DeleteFpgaImage\", RequestParameters.FpgaImageId,\r\n EventName == \"DeleteImageUsageReport\", RequestParameters.ReportId,\r\n EventName == \"DeleteInstanceConnectEndpoint\", RequestParameters.InstanceConnectEndpointId,\r\n EventName == \"DeleteInstanceEventWindow\", RequestParameters.InstanceEventWindowId,\r\n EventName == \"DeleteInternetGateway\", RequestParameters.InternetGatewayId,\r\n EventName == \"DeleteIpam\", RequestParameters.IpamId,\r\n EventName == \"DeleteIpamExternalResourceVerificationToken\", RequestParameters.IpamExternalResourceVerificationTokenId,\r\n EventName == \"DeleteIpamPolicy\", RequestParameters.IpamPolicyId,\r\n EventName == \"DeleteIpamPool\", RequestParameters.IpamPoolId,\r\n EventName == \"DeleteIpamPrefixListResolver\", RequestParameters.IpamPrefixListResolverId,\r\n EventName == \"DeleteIpamPrefixListResolverTarget\", RequestParameters.IpamPrefixListResolverTargetId,\r\n EventName == \"DeleteIpamResourceDiscovery\", RequestParameters.IpamResourceDiscoveryId,\r\n EventName == \"DeleteIpamScope\", RequestParameters.IpamScopeId,\r\n EventName == \"DeleteKeyPair\", ResponseElements.keyPairId,\r\n EventName == \"DeleteLaunchTemplate\", RequestParameters.LaunchTemplateId,\r\n EventName == \"DeleteLaunchTemplateVersions\", RequestParameters.LaunchTemplateId,\r\n EventName == \"DeleteLocalGatewayRoute\", RequestParameters.LocalGatewayRouteTableId,\r\n EventName == \"DeleteLocalGatewayRouteTable\", RequestParameters.LocalGatewayRouteTableId,\r\n EventName == \"DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociation\", RequestParameters.LocalGatewayRouteTableVirtualInterfaceGroupAssociationId,\r\n EventName == \"DeleteLocalGatewayRouteTableVpcAssociation\", RequestParameters.LocalGatewayRouteTableVpcAssociationId,\r\n EventName == 
\"DeleteLocalGatewayVirtualInterface\", RequestParameters.LocalGatewayVirtualInterfaceId,\r\n EventName == \"DeleteLocalGatewayVirtualInterfaceGroup\", RequestParameters.LocalGatewayVirtualInterfaceGroupId,\r\n EventName == \"DeleteManagedPrefixList\", RequestParameters.PrefixListId,\r\n EventName == \"DeleteNatGateway\", RequestParameters.NatGatewayId,\r\n EventName == \"DeleteNetworkAcl\", RequestParameters.NetworkAclId,\r\n EventName == \"DeleteNetworkAclEntry\", RequestParameters.NetworkAclId,\r\n EventName == \"DeleteNetworkInsightsAccessScope\", ResponseElements.networkInsightsAccessScopeId,\r\n EventName == \"DeleteNetworkInsightsAccessScopeAnalysis\", ResponseElements.networkInsightsAccessScopeAnalysisId,\r\n EventName == \"DeleteNetworkInsightsAnalysis\", ResponseElements.networkInsightsAnalysisId,\r\n EventName == \"DeleteNetworkInsightsPath\", ResponseElements.networkInsightsPathId,\r\n EventName == \"DeleteNetworkInterface\", RequestParameters.NetworkInterfaceId,\r\n EventName == \"DeleteNetworkInterfacePermission\", RequestParameters.NetworkInterfacePermissionId,\r\n EventName == \"DeletePlacementGroup\", RequestParameters.GroupName,\r\n EventName == \"DeletePublicIpv4Pool\", RequestParameters.PoolId,\r\n EventName == \"DeleteQueuedReservedInstances\", RequestParameters.ReservedInstancesId,\r\n EventName == \"DeleteRoute\", RequestParameters.RouteTableId,\r\n EventName == \"DeleteRouteServer\", RequestParameters.RouteServerId,\r\n EventName == \"DeleteRouteServerEndpoint\", RequestParameters.RouteServerEndpointId,\r\n EventName == \"DeleteRouteServerPeer\", RequestParameters.RouteServerPeerId,\r\n EventName == \"DeleteRouteTable\", RequestParameters.RouteTableId,\r\n EventName == \"DeleteSecondaryNetwork\", RequestParameters.SecondaryNetworkId,\r\n EventName == \"DeleteSecondarySubnet\", RequestParameters.SecondarySubnetId,\r\n EventName == \"DeleteSecurityGroup\", RequestParameters.GroupId,\r\n EventName == \"DeleteSnapshot\", 
RequestParameters.SnapshotId,\r\n EventName == \"DeleteSubnet\", RequestParameters.SubnetId,\r\n EventName == \"DeleteSubnetCidrReservation\", RequestParameters.SubnetCidrReservationId,\r\n EventName == \"DeleteTags\", RequestParameters.ResourceId,\r\n EventName == \"DeleteTrafficMirrorFilter\", RequestParameters.TrafficMirrorFilterId,\r\n EventName == \"DeleteTrafficMirrorFilterRule\", RequestParameters.TrafficMirrorFilterRuleId,\r\n EventName == \"DeleteTrafficMirrorSession\", RequestParameters.TrafficMirrorSessionId,\r\n EventName == \"DeleteTrafficMirrorTarget\", RequestParameters.TrafficMirrorTargetId,\r\n EventName == \"DeleteTransitGateway\", RequestParameters.TransitGatewayId,\r\n EventName == \"DeleteTransitGatewayConnect\", RequestParameters.TransitGatewayAttachmentId,\r\n EventName == \"DeleteTransitGatewayConnectPeer\", RequestParameters.TransitGatewayConnectPeerId,\r\n EventName == \"DeleteTransitGatewayMeteringPolicy\", RequestParameters.TransitGatewayMeteringPolicyId,\r\n EventName == \"DeleteTransitGatewayMeteringPolicyEntry\", RequestParameters.TransitGatewayMeteringPolicyId,\r\n EventName == \"DeleteTransitGatewayMulticastDomain\", RequestParameters.TransitGatewayMulticastDomainId,\r\n EventName == \"DeleteTransitGatewayPeeringAttachment\", RequestParameters.TransitGatewayAttachmentId,\r\n EventName == \"DeleteTransitGatewayPolicyTable\", RequestParameters.TransitGatewayPolicyTableId,\r\n EventName == \"DeleteTransitGatewayPrefixListReference\", RequestParameters.TransitGatewayPolicyTableId,\r\n EventName == \"DeleteTransitGatewayRoute\", RequestParameters.TransitGatewayRouteTableId,\r\n EventName == \"DeleteTransitGatewayRouteTable\", RequestParameters.TransitGatewayRouteTableId,\r\n EventName == \"DeleteTransitGatewayRouteTableAnnouncement\", RequestParameters.TransitGatewayRouteTableAnnouncementId,\r\n EventName == \"DeleteTransitGatewayVpcAttachment\", RequestParameters.TransitGatewayAttachmentId,\r\n EventName == 
\"DeleteVerifiedAccessEndpoint\", RequestParameters.VerifiedAccessEndpointId,\r\n EventName == \"DeleteVerifiedAccessGroup\", RequestParameters.VerifiedAccessGroupId,\r\n EventName == \"DeleteVerifiedAccessInstance\", RequestParameters.VerifiedAccessInstanceId,\r\n EventName == \"DeleteVerifiedAccessTrustProvider\", RequestParameters.VerifiedAccessTrustProviderId,\r\n EventName == \"DeleteVolume\", RequestParameters.VolumeId,\r\n EventName == \"DeleteVpc\", RequestParameters.VpcId,\r\n EventName == \"DeleteVpcBlockPublicAccessExclusion\", RequestParameters.ExclusionId,\r\n EventName == \"DeleteVpcEncryptionControl\", RequestParameters.VpcEncryptionControlId,\r\n EventName == \"DeleteVpcEndpointConnectionNotifications\", RequestParameters.ConnectionNotificationId,\r\n EventName == \"DeleteVpcEndpoints\", RequestParameters.VpcEndpointId,\r\n EventName == \"DeleteVpcEndpointServiceConfigurations\", RequestParameters.ServiceId,\r\n EventName == \"DeleteVpcPeeringConnection\", RequestParameters.VpcPeeringConnectionId,\r\n EventName == \"DeleteVpnConcentrator\", RequestParameters.VpnConcentratorId,\r\n EventName == \"DeleteVpnConnection\", RequestParameters.VpnConnectionId,\r\n EventName == \"DeleteVpnConnectionRoute\", RequestParameters.VpnConnectionId,\r\n EventName == \"DeleteVpnGateway\", RequestParameters.VpnGatewayId,\r\n EventName == \"DeprovisionByoipCidr\", RequestParameters.Cidr,\r\n EventName == \"DeprovisionIpamByoasn\", RequestParameters.IpamId,\r\n EventName == \"DeprovisionIpamPoolCidr\", RequestParameters.IpamPoolId,\r\n EventName == \"DeprovisionPublicIpv4PoolCidr\", RequestParameters.PoolId,\r\n EventName == \"DeregisterImage\", RequestParameters.ImageId,\r\n EventName == \"DeregisterInstanceEventNotificationAttributes\", ResponseElements.instanceTagAttribute.instanceTagKeySet,\r\n EventName == \"DeregisterTransitGatewayMulticastGroupMembers\", RequestParameters.TransitGatewayMulticastDomainId,\r\n EventName == 
\"DeregisterTransitGatewayMulticastGroupSources\", RequestParameters.TransitGatewayMulticastDomainId,\r\n EventName == \"DescribeAccountAttributes\", RequestParameters.AttributeName,\r\n EventName == \"DescribeAddresses\", ResponseElements.addressesSet,\r\n EventName == \"DescribeAddressesAttribute\", ResponseElements.addressSet,\r\n EventName == \"DescribeAddressTransfers\", ResponseElements.addressTransferSet,\r\n EventName == \"DescribeAggregateIdFormat\", ResponseElements.statusSet,\r\n EventName == \"DescribeAvailabilityZones\", ResponseElements.availabilityZoneInfo,\r\n EventName == \"DescribeAwsNetworkPerformanceMetricSubscriptions\", ResponseElements.subscriptionSet,\r\n EventName == \"DescribeBundleTasks\", ResponseElements.bundleInstanceTasksSet,\r\n EventName == \"DescribeByoipCidrs\", ResponseElements.byoipCidrSet,\r\n EventName == \"DescribeCapacityBlockExtensionHistory\", RequestParameters.CapacityReservationId,\r\n EventName == \"DescribeCapacityBlockExtensionOfferings\", RequestParameters.CapacityReservationId,\r\n EventName == \"DescribeCapacityBlocks\", RequestParameters.CapacityBlockId,\r\n EventName == \"DescribeCapacityBlockStatus\", RequestParameters.CapacityBlockId,\r\n EventName == \"DescribeCapacityManagerDataExports\", RequestParameters.CapacityManagerDataExportId,\r\n EventName == \"DescribeCapacityReservationBillingRequests\", RequestParameters.CapacityReservationId,\r\n EventName == \"DescribeCapacityReservationFleets\", RequestParameters.CapacityReservationFleetId,\r\n EventName == \"DescribeCapacityReservations\", RequestParameters.CapacityReservationId,\r\n EventName == \"DescribeCapacityReservationTopology\", RequestParameters.CapacityReservationId,\r\n EventName == \"DescribeCarrierGateways\", RequestParameters.CarrierGatewayId,\r\n EventName == \"DescribeClassicLinkInstances\", RequestParameters.InstanceId,\r\n EventName == \"DescribeClientVpnAuthorizationRules\", RequestParameters.ClientVpnEndpointId,\r\n EventName == 
\"DescribeClientVpnConnections\", RequestParameters.ClientVpnEndpointId,\r\n EventName == \"DescribeClientVpnEndpoints\", RequestParameters.ClientVpnEndpointId,\r\n EventName == \"DescribeClientVpnRoutes\", RequestParameters.ClientVpnEndpointId,\r\n EventName == \"DescribeClientVpnTargetNetworks\", RequestParameters.ClientVpnEndpointId,\r\n EventName == \"DescribeCoipPools\", RequestParameters.PoolId,\r\n EventName == \"DescribeConversionTasks\", RequestParameters.ConversionTaskId,\r\n EventName == \"DescribeCustomerGateways\", RequestParameters.CustomerGatewayId,\r\n EventName == \"DescribeDeclarativePoliciesReports\", RequestParameters.ReportId,\r\n EventName == \"DescribeDhcpOptions\", RequestParameters.DhcpOptionsId,\r\n EventName == \"DescribeEgressOnlyInternetGateways\", RequestParameters.EgressOnlyInternetGatewayId,\r\n EventName == \"DescribeElasticGpus\", RequestParameters.ElasticGpuId,\r\n EventName == \"DescribeExportImageTasks\", RequestParameters.ExportImageTaskId,\r\n EventName == \"DescribeExportTasks\", RequestParameters.ExportTaskId,\r\n EventName == \"DescribeFastLaunchImages\", RequestParameters.ImageId,\r\n EventName == \"DescribeFleetHistory\", ResponseElements.fleetId,\r\n EventName == \"DescribeFleetInstances\", ResponseElements.fleetId,\r\n EventName == \"DescribeFleets\", RequestParameters.FleetId,\r\n EventName == \"DescribeFlowLogs\", RequestParameters.FlowLogId,\r\n EventName == \"DescribeFpgaImageAttribute\", RequestParameters.FpgaImageId,\r\n EventName == \"DescribeFpgaImages\", RequestParameters.FpgaImageId,\r\n EventName == \"DescribeHostReservationOfferings\", RequestParameters.OfferingId,\r\n EventName == \"DescribeHostReservations\", RequestParameters.HostReservationIdSet,\r\n EventName == \"DescribeHosts\", RequestParameters.HostId,\r\n EventName == \"DescribeIamInstanceProfileAssociations\", RequestParameters.AssociationId,\r\n EventName == \"DescribeImageAttribute\", RequestParameters.ImageId,\r\n EventName == 
\"DescribeImageReferences\", RequestParameters.ImageId.N,\r\n EventName == \"DescribeImages\", RequestParameters.ImageId.N,\r\n EventName == \"DescribeImageUsageReportEntries\", RequestParameters.ImageId.N,\r\n EventName == \"DescribeImageUsageReports\", RequestParameters.ImageId.N,\r\n EventName == \"DescribeImportImageTasks\", RequestParameters.ImportTaskId.N,\r\n EventName == \"DescribeImportSnapshotTasks\", RequestParameters.ImportTaskId.N,\r\n EventName == \"DescribeInstanceAttribute\", RequestParameters.InstanceId,\r\n EventName == \"DescribeInstanceConnectEndpoints\", RequestParameters.InstanceConnectEndpointId.N,\r\n EventName == \"DescribeInstanceCreditSpecifications\", RequestParameters.InstanceId,\r\n EventName == \"DescribeInstanceEventWindows\", RequestParameters.InstanceEventWindowId.N,\r\n EventName == \"DescribeInstanceImageMetadata\", RequestParameters.InstanceId.N,\r\n EventName == \"DescribeInstances\", RequestParameters.InstanceId.N,\r\n EventName == \"DescribeInstanceSqlHaHistoryStates\", RequestParameters.InstanceId.N,\r\n EventName == \"DescribeInstanceSqlHaStates\", RequestParameters.InstanceId.N,\r\n EventName == \"DescribeInstanceStatus\", RequestParameters.InstanceId.N,\r\n EventName == \"DescribeInstanceTopology\", RequestParameters.InstanceId.N,\r\n EventName == \"DescribeInternetGateways\", RequestParameters.InternetGatewayId,\r\n EventName == \"DescribeIpamExternalResourceVerificationTokens\", RequestParameters.IpamExternalResourceVerificationTokenId,\r\n EventName == \"DescribeIpamPolicies\", RequestParameters.IpamPolicyId,\r\n EventName == \"DescribeIpamPools\", RequestParameters.IpamPoolId,\r\n EventName == \"DescribeIpamPrefixListResolvers\", RequestParameters.IpamPrefixListResolverId,\r\n EventName == \"DescribeIpamPrefixListResolverTargets\", RequestParameters.IpamPrefixListResolverTargetId,\r\n EventName == \"DescribeIpamResourceDiscoveries\", RequestParameters.IpamResourceDiscoveryId,\r\n EventName == 
\"DescribeIpamResourceDiscoveryAssociations\", RequestParameters.IpamResourceDiscoveryAssociationId,\r\n EventName == \"DescribeIpams\", RequestParameters.IpamId,\r\n EventName == \"DescribeIpamScopes\", RequestParameters.IpamScopeId,\r\n EventName == \"DescribeIpv6Pools\", RequestParameters.PoolId,\r\n EventName == \"DescribeKeyPairs\", RequestParameters.KeyPairId,\r\n EventName == \"DescribeLaunchTemplates\", RequestParameters.LaunchTemplateId,\r\n EventName == \"DescribeLaunchTemplateVersions\", RequestParameters.LaunchTemplateId,\r\n EventName == \"DescribeLocalGatewayRouteTables\", RequestParameters.LocalGatewayRouteTableId,\r\n EventName == \"DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations\", RequestParameters.LocalGatewayRouteTableVirtualInterfaceGroupAssociationId,\r\n EventName == \"DescribeLocalGatewayRouteTableVpcAssociations\", RequestParameters.LocalGatewayRouteTableVpcAssociationId,\r\n EventName == \"DescribeLocalGateways\", RequestParameters.LocalGatewayId,\r\n EventName == \"DescribeLocalGatewayVirtualInterfaceGroups\", RequestParameters.LocalGatewayVirtualInterfaceGroupId,\r\n EventName == \"DescribeLocalGatewayVirtualInterfaces\", RequestParameters.LocalGatewayVirtualInterfaceId,\r\n EventName == \"DescribeLockedSnapshots\", RequestParameters.SnapshotId,\r\n EventName == \"DescribeMacHosts\", RequestParameters.HostId,\r\n EventName == \"DescribeMacModificationTasks\", RequestParameters.MacModificationTaskId,\r\n EventName == \"DescribeManagedPrefixLists\", RequestParameters.PrefixListId,\r\n EventName == \"DescribeNatGateways\", RequestParameters.NatGatewayId,\r\n EventName == \"DescribeNetworkAcls\", RequestParameters.NetworkAclId,\r\n EventName == \"DescribeNetworkInsightsAccessScopeAnalyses\", RequestParameters.NetworkInsightsAccessScopeAnalysisId,\r\n EventName == \"DescribeNetworkInsightsAccessScopes\", RequestParameters.NetworkInsightsAccessScopeId,\r\n EventName == \"DescribeNetworkInsightsAnalyses\", 
RequestParameters.NetworkInsightsAnalysisId,\r\n EventName == \"DescribeNetworkInsightsPaths\", RequestParameters.NetworkInsightsPathId,\r\n EventName == \"DescribeNetworkInterfaceAttribute\", RequestParameters.NetworkInterfaceId,\r\n EventName == \"DescribeNetworkInterfacePermissions\", RequestParameters.NetworkInterfacePermissionId,\r\n EventName == \"DescribeNetworkInterfaces\", RequestParameters.NetworkInterfaceId,\r\n EventName == \"DescribeOutpostLags\", RequestParameters.OutpostLagId,\r\n EventName == \"DescribePlacementGroups\", RequestParameters.GroupId,\r\n EventName == \"DescribePrefixLists\", RequestParameters.PrefixListId,\r\n EventName == \"DescribePublicIpv4Pools\", RequestParameters.PoolId,\r\n EventName == \"DescribeReplaceRootVolumeTasks\", RequestParameters.ReplaceRootVolumeTaskId,\r\n EventName == \"DescribeReservedInstances\", RequestParameters.ReservedInstancesId,\r\n EventName == \"DescribeReservedInstancesListings\", RequestParameters.ReservedInstancesId,\r\n EventName == \"DescribeReservedInstancesModifications\", RequestParameters.ReservedInstancesModificationId,\r\n EventName == \"DescribeReservedInstancesOfferings\", RequestParameters.ReservedInstancesOfferingId,\r\n EventName == \"DescribeRouteServerEndpoints\", RequestParameters.RouteServerEndpointId,\r\n EventName == \"DescribeRouteServerPeers\", RequestParameters.RouteServerPeerId,\r\n EventName == \"DescribeRouteServers\", RequestParameters.RouteServerId,\r\n EventName == \"DescribeRouteTables\", RequestParameters.RouteTableId,\r\n EventName == \"DescribeScheduledInstances\", RequestParameters.ScheduledInstanceId,\r\n EventName == \"DescribeSecondaryInterfaces\", RequestParameters.SecondaryInterfaceId,\r\n EventName == \"DescribeSecondaryNetworks\", RequestParameters.SecondaryNetworkId,\r\n EventName == \"DescribeSecurityGroupReferences\", RequestParameters.GroupId,\r\n EventName == \"DescribeSecurityGroupRules\", RequestParameters.SecurityGroupRuleId,\r\n EventName == 
\"DescribeSecurityGroups\", RequestParameters.GroupId,\r\n EventName == \"DescribeServiceLinkVirtualInterfaces\", RequestParameters.ServiceLinkVirtualInterfaceId,\r\n EventName == \"DescribeSnapshotAttribute\", RequestParameters.SnapshotId,\r\n EventName == \"DescribeSnapshots\", RequestParameters.SnapshotId,\r\n EventName == \"DescribeSpotDatafeedSubscription\", ResponseElements.spotDatafeedSubscription.ownerId,\r\n EventName == \"DescribeSpotFleetInstances\", RequestParameters.SpotFleetRequestId,\r\n EventName == \"DescribeSpotFleetRequestHistory\", RequestParameters.SpotFleetRequestId,\r\n EventName == \"DescribeSpotFleetRequests\", RequestParameters.SpotFleetRequestId,\r\n EventName == \"DescribeSpotInstanceRequests\", RequestParameters.SpotInstanceRequestId,\r\n EventName == \"DescribeStaleSecurityGroups\", RequestParameters.VpcId,\r\n EventName == \"DescribeStoreImageTasks\", RequestParameters.ImageId,\r\n EventName == \"DescribeSubnets\", RequestParameters.SubnetId,\r\n EventName == \"DescribeTrafficMirrorFilterRules\", RequestParameters.TrafficMirrorFilterRuleId,\r\n EventName == \"DescribeTrafficMirrorFilters\", RequestParameters.TrafficMirrorFilterId,\r\n EventName == \"DescribeTrafficMirrorSessions\", RequestParameters.TrafficMirrorSessionId,\r\n EventName == \"DescribeTrafficMirrorTargets\", RequestParameters.TrafficMirrorTargetId,\r\n EventName == \"DescribeTransitGatewayAttachments\", RequestParameters.TransitGatewayAttachmentIds,\r\n EventName == \"DescribeTransitGatewayConnectPeers\", RequestParameters.TransitGatewayConnectPeerIds,\r\n EventName == \"DescribeTransitGatewayConnects\", RequestParameters.TransitGatewayMeteringPolicyIds,\r\n EventName == \"DescribeTransitGatewayMeteringPolicies\", RequestParameters.TransitGatewayMulticastDomainIds,\r\n EventName == \"DescribeTransitGatewayMulticastDomains\", RequestParameters.TransitGatewayAttachmentIds,\r\n EventName == \"DescribeTransitGatewayPeeringAttachments\", 
RequestParameters.TransitGatewayAttachmentIds,\r\n EventName == \"DescribeTransitGatewayPolicyTables\", RequestParameters.TransitGatewayPolicyTableIds,\r\n EventName == \"DescribeTransitGatewayRouteTableAnnouncements\", RequestParameters.TransitGatewayRouteTableAnnouncementIds,\r\n EventName == \"DescribeTransitGatewayRouteTables\", RequestParameters.TransitGatewayRouteTableIds,\r\n EventName == \"DescribeTransitGateways\", RequestParameters.TransitGatewayIds,\r\n EventName == \"DescribeTransitGatewayVpcAttachments\", RequestParameters.TransitGatewayAttachmentIds,\r\n EventName == \"DescribeTrunkInterfaceAssociations\", RequestParameters.AssociationId,\r\n EventName == \"DescribeVerifiedAccessEndpoints\", RequestParameters.VerifiedAccessGroupId,\r\n EventName == \"DescribeVerifiedAccessGroups\", RequestParameters.VerifiedAccessGroupId,\r\n EventName == \"DescribeVerifiedAccessInstanceLoggingConfigurations\", RequestParameters.VerifiedAccessInstanceId,\r\n EventName == \"DescribeVerifiedAccessInstances\", RequestParameters.VerifiedAccessInstanceId,\r\n EventName == \"DescribeVerifiedAccessTrustProviders\", RequestParameters.VerifiedAccessTrustProviderId,\r\n EventName == \"DescribeVolumeAttribute\", RequestParameters.VolumeId,\r\n EventName == \"DescribeVolumes\", RequestParameters.VolumeId,\r\n EventName == \"DescribeVolumesModifications\", RequestParameters.VolumeId,\r\n EventName == \"DescribeVolumeStatus\", RequestParameters.VolumeId,\r\n EventName == \"DescribeVpcAttribute\", ResponseElements.vpcId,\r\n EventName == \"DescribeVpcBlockPublicAccessExclusions\", RequestParameters.ExclusionId,\r\n EventName == \"DescribeVpcBlockPublicAccessOptions\", RequestParameters.VpcIds,\r\n EventName == \"DescribeVpcClassicLink\", RequestParameters.VpcId,\r\n EventName == \"DescribeVpcClassicLinkDnsSupport\", RequestParameters.VpcIds,\r\n EventName == \"DescribeVpcEncryptionControls\", RequestParameters.VpcId,\r\n EventName == \"DescribeVpcEndpointAssociations\", 
RequestParameters.VpcEndpointId,\r\n EventName == \"DescribeVpcEndpointConnectionNotifications\", RequestParameters.ConnectionNotificationId,\r\n EventName == \"DescribeVpcEndpoints\", RequestParameters.VpcEndpointId,\r\n EventName == \"DescribeVpcEndpointServiceConfigurations\", RequestParameters.ServiceId,\r\n EventName == \"DescribeVpcEndpointServicePermissions\", RequestParameters.ServiceId,\r\n EventName == \"DescribeVpcPeeringConnections\", RequestParameters.VpcPeeringConnectionId,\r\n EventName == \"DescribeVpcs\", RequestParameters.VpcId,\r\n EventName == \"DescribeVpnConcentrators\", RequestParameters.VpnConcentratorId,\r\n EventName == \"DescribeVpnConnections\", RequestParameters.VpnConnectionId,\r\n EventName == \"DescribeVpnGateways\", RequestParameters.VpnGatewayId,\r\n EventName == \"DetachClassicLinkVpc\", RequestParameters.VpcId,\r\n EventName == \"DetachInternetGateway\", RequestParameters.VpcId,\r\n EventName == \"DetachNetworkInterface\", RequestParameters.AttachmentId,\r\n EventName == \"DetachVerifiedAccessTrustProvider\", RequestParameters.VerifiedAccessTrustProviderId,\r\n EventName == \"DetachVolume\", RequestParameters.InstanceId,\r\n EventName == \"DetachVpnGateway\", RequestParameters.VpcId,\r\n EventName == \"DisableAddressTransfer\", RequestParameters.AllocationId,\r\n EventName == \"DisableFastLaunch\", RequestParameters.ImageId,\r\n EventName == \"DisableFastSnapshotRestores\", RequestParameters.SourceSnapshotId,\r\n EventName == \"DisableImage\", RequestParameters.ImageId,\r\n EventName == \"DisableImageDeprecation\", RequestParameters.ImageId,\r\n EventName == \"DisableImageDeregistrationProtection\", RequestParameters.ImageId,\r\n EventName == \"DisableInstanceSqlHaStandbyDetections\", RequestParameters.InstanceId,\r\n EventName == \"DisableIpamOrganizationAdminAccount\", RequestParameters.DelegatedAdminAccountId,\r\n EventName == \"DisableIpamPolicy\", RequestParameters.IpamPolicyId,\r\n EventName == 
\"DisableRouteServerPropagation\", RequestParameters.RouteTableId,\r\n EventName == \"DisableTransitGatewayRouteTablePropagation\", RequestParameters.TransitGatewayRouteTableId,\r\n EventName == \"DisableVgwRoutePropagation\", RequestParameters.GatewayId,\r\n EventName == \"DisableVpcClassicLink\", RequestParameters.VpcId,\r\n EventName == \"DisableVpcClassicLinkDnsSupport\", RequestParameters.VpcId,\r\n EventName == \"DisassociateAddress\", RequestParameters.AssociationId,\r\n EventName == \"DisassociateCapacityReservationBillingOwner\", RequestParameters.CapacityReservationId,\r\n EventName == \"DisassociateClientVpnTargetNetwork\", ResponseElements.associationId,\r\n EventName == \"DisassociateEnclaveCertificateIamRole\", RequestParameters.RoleArn,\r\n EventName == \"DisassociateIamInstanceProfile\", RequestParameters.AssociationId,\r\n EventName == \"DisassociateInstanceEventWindow\", RequestParameters.InstanceEventWindowId,\r\n EventName == \"DisassociateIpamByoasn\", RequestParameters.Asn,\r\n EventName == \"DisassociateIpamResourceDiscovery\", RequestParameters.IpamResourceDiscoveryAssociationId,\r\n EventName == \"DisassociateNatGatewayAddress\", ResponseElements.natGatewayId,\r\n EventName == \"DisassociateRouteServer\", RequestParameters.VpcId,\r\n EventName == \"DisassociateRouteTable\", RequestParameters.AssociationId,\r\n EventName == \"DisassociateSecurityGroupVpc\", RequestParameters.VpcId,\r\n EventName == \"DisassociateSubnetCidrBlock\", ResponseElements.subnetId,\r\n EventName == \"DisassociateTransitGatewayMulticastDomain\", RequestParameters.TransitGatewayMulticastDomainId,\r\n EventName == \"DisassociateTransitGatewayPolicyTable\", RequestParameters.TransitGatewayPolicyTableId,\r\n EventName == \"DisassociateTransitGatewayRouteTable\", RequestParameters.TransitGatewayRouteTableId,\r\n EventName == \"DisassociateTrunkInterface\", RequestParameters.AssociationId,\r\n EventName == \"DisassociateVpcCidrBlock\", ResponseElements.vpcId,\r\n EventName 
== \"EnableAddressTransfer\", RequestParameters.AllocationId,\r\n EventName == \"EnableFastLaunch\", RequestParameters.ImageId,\r\n EventName == \"EnableImage\", RequestParameters.ImageId,\r\n EventName == \"EnableImageDeprecation\", RequestParameters.ImageId,\r\n EventName == \"EnableImageDeregistrationProtection\", RequestParameters.ImageId,\r\n EventName == \"EnableInstanceSqlHaStandbyDetections\", RequestParameters.InstanceId,\r\n EventName == \"EnableIpamOrganizationAdminAccount\", RequestParameters.DelegatedAdminAccountId,\r\n EventName == \"EnableIpamPolicy\", RequestParameters.IpamPolicyId,\r\n EventName == \"EnableRouteServerPropagation\", RequestParameters.RouteServerId,\r\n EventName == \"EnableTransitGatewayRouteTablePropagation\", RequestParameters.TransitGatewayAttachmentId,\r\n EventName == \"EnableVgwRoutePropagation\", RequestParameters.GatewayId,\r\n EventName == \"EnableVolumeIO\", RequestParameters.VolumeId,\r\n EventName == \"EnableVpcClassicLink\", RequestParameters.VpcId,\r\n EventName == \"EnableVpcClassicLinkDnsSupport\", RequestParameters.VpcId,\r\n EventName == \"ExportClientVpnClientCertificateRevocationList\", RequestParameters.ClientVpnEndpointId,\r\n EventName == \"ExportClientVpnClientConfiguration\", RequestParameters.ClientVpnEndpointId,\r\n EventName == \"ExportImage\", RequestParameters.ImageId,\r\n EventName == \"ExportTransitGatewayRoutes\", RequestParameters.TransitGatewayRouteTableId,\r\n EventName == \"ExportVerifiedAccessInstanceClientConfiguration\", RequestParameters.VerifiedAccessInstanceId,\r\n EventName == \"GetActiveVpnTunnelStatus\", RequestParameters.VpnConnectionId,\r\n EventName == \"GetAssociatedIpv6PoolCidrs\", RequestParameters.PoolId,\r\n EventName == \"GetCapacityReservationUsage\", ResponseElements.capacityReservationId,\r\n EventName == \"GetCoipPoolUsage\", RequestParameters.PoolId,\r\n EventName == \"GetConsoleOutput\", ResponseElements.instanceId,\r\n EventName == \"GetConsoleScreenshot\", 
ResponseElements.instanceId,\r\n EventName == \"GetDeclarativePoliciesReportSummary\", ResponseElements.reportId,\r\n EventName == \"GetEbsDefaultKmsKeyId\", ResponseElements.kmsKeyId,\r\n EventName == \"GetEnabledIpamPolicy\", ResponseElements.ipamPolicyId,\r\n EventName == \"GetFlowLogsIntegrationTemplate\", RequestParameters.FlowLogId,\r\n EventName == \"GetGroupsForCapacityReservation\", RequestParameters.CapacityReservationId,\r\n EventName == \"GetHostReservationPurchasePreview\", RequestParameters.OfferingId,\r\n EventName == \"GetImageAncestry\", RequestParameters.ImageId,\r\n EventName == \"GetInstanceTpmEkPub\", RequestParameters.InstanceId,\r\n EventName == \"GetInstanceUefiData\", ResponseElements.instanceId,\r\n EventName == \"GetIpamAddressHistory\", RequestParameters.IpamScopeId,\r\n EventName == \"GetIpamDiscoveredAccounts\", RequestParameters.IpamResourceDiscoveryId,\r\n EventName == \"GetIpamDiscoveredPublicAddresses\", RequestParameters.IpamResourceDiscoveryId,\r\n EventName == \"GetIpamDiscoveredResourceCidrs\", RequestParameters.IpamResourceDiscoveryId,\r\n EventName == \"GetIpamPolicyAllocationRules\", RequestParameters.IpamPolicyId,\r\n EventName == \"GetIpamPolicyOrganizationTargets\", RequestParameters.IpamPolicyId,\r\n EventName == \"GetIpamPoolAllocations\", RequestParameters.IpamPoolId,\r\n EventName == \"GetIpamPoolCidrs\", RequestParameters.IpamPoolId,\r\n EventName == \"GetIpamPrefixListResolverRules\", RequestParameters.IpamPrefixListResolverId,\r\n EventName == \"GetIpamPrefixListResolverVersionEntries\", RequestParameters.IpamPrefixListResolverId,\r\n EventName == \"GetIpamPrefixListResolverVersions\", RequestParameters.IpamPrefixListResolverId,\r\n EventName == \"GetIpamResourceCidrs\", RequestParameters.IpamPoolId,\r\n EventName == \"GetLaunchTemplateData\", RequestParameters.InstanceId,\r\n EventName == \"GetManagedPrefixListAssociations\", RequestParameters.PrefixListId,\r\n EventName == \"GetManagedPrefixListEntries\", 
RequestParameters.PrefixListId,\r\n EventName == \"GetNetworkInsightsAccessScopeAnalysisFindings\", ResponseElements.networkInsightsAccessScopeAnalysisId,\r\n EventName == \"GetNetworkInsightsAccessScopeContent\", RequestParameters.NetworkInsightsAccessScopeId,\r\n EventName == \"GetPasswordData\", ResponseElements.instanceId,\r\n EventName == \"GetReservedInstancesExchangeQuote\", RequestParameters.ReservedInstanceId,\r\n EventName == \"GetRouteServerAssociations\", RequestParameters.RouteServerId,\r\n EventName == \"GetRouteServerPropagations\", RequestParameters.RouteServerId,\r\n EventName == \"GetRouteServerRoutingDatabase\", RequestParameters.RouteServerId,\r\n EventName == \"GetSecurityGroupsForVpc\", RequestParameters.VpcId,\r\n EventName == \"GetSubnetCidrReservations\", RequestParameters.SubnetId,\r\n EventName == \"GetTransitGatewayAttachmentPropagations\", RequestParameters.TransitGatewayAttachmentId,\r\n EventName == \"GetTransitGatewayMeteringPolicyEntries\", RequestParameters.TransitGatewayMeteringPolicyId,\r\n EventName == \"GetTransitGatewayMulticastDomainAssociations\", RequestParameters.TransitGatewayMulticastDomainId,\r\n EventName == \"GetTransitGatewayPolicyTableAssociations\", RequestParameters.TransitGatewayPolicyTableId,\r\n EventName == \"GetTransitGatewayPolicyTableEntries\", RequestParameters.TransitGatewayPolicyTableId,\r\n EventName == \"GetTransitGatewayPrefixListReferences\", RequestParameters.TransitGatewayRouteTableId,\r\n EventName == \"GetTransitGatewayRouteTableAssociations\", RequestParameters.TransitGatewayRouteTableId,\r\n EventName == \"GetTransitGatewayRouteTablePropagations\", RequestParameters.TransitGatewayRouteTableId,\r\n EventName == \"GetVerifiedAccessEndpointPolicy\", RequestParameters.VerifiedAccessEndpointId,\r\n EventName == \"GetVerifiedAccessEndpointTargets\", RequestParameters.VerifiedAccessEndpointId,\r\n EventName == \"GetVerifiedAccessGroupPolicy\", RequestParameters.VerifiedAccessGroupId,\r\n EventName == 
\"GetVpcResourcesBlockingEncryptionEnforcement\", RequestParameters.VpcId,\r\n EventName == \"GetVpnConnectionDeviceSampleConfiguration\", RequestParameters.VpnConnectionId,\r\n EventName == \"GetVpnTunnelReplacementStatus\", RequestParameters.VpnConnectionId,\r\n EventName == \"ImportImage\", ResponseElements.imageId,\r\n EventName == \"ImportInstance\", ResponseElements.conversionTask.conversionTaskId,\r\n EventName == \"ImportKeyPair\", ResponseElements.keyPairId,\r\n EventName == \"ImportSnapshot\", ResponseElements.snapshotTaskDetail.snapshotTaskDetailId,\r\n EventName == \"ImportVolume\", ResponseElements.conversionTask.conversionTaskId,\r\n EventName == \"ListImagesInRecycleBin\", RequestParameters.ImageId,\r\n EventName == \"ListSnapshotsInRecycleBin\", RequestParameters.SnapshotId,\r\n EventName == \"ListVolumesInRecycleBin\", RequestParameters.VolumeId,\r\n EventName == \"LockSnapshot\", ResponseElements.snapshotId,\r\n EventName == \"ModifyAddressAttribute\", RequestParameters.AllocationId,\r\n EventName == \"ModifyAvailabilityZoneGroup\", RequestParameters.GroupName,\r\n EventName == \"ModifyCapacityReservation\", RequestParameters.CapacityReservationId,\r\n EventName == \"ModifyCapacityReservationFleet\", RequestParameters.CapacityReservationFleetId,\r\n EventName == \"ModifyClientVpnEndpoint\", RequestParameters.ClientVpnEndpointId,\r\n EventName == \"ModifyDefaultCreditSpecification\", ResponseElements.instanceFamilyCreditSpecification.instanceFamilyCreditSpecificationId,\r\n EventName == \"ModifyEbsDefaultKmsKeyId\", ResponseElements.kmsKeyId,\r\n EventName == \"ModifyFleet\", RequestParameters.FleetId,\r\n EventName == \"ModifyFpgaImageAttribute\", ResponseElements.fpgaImageAttribute.fpgaImageId,\r\n EventName == \"ModifyHosts\", RequestParameters.HostId,\r\n EventName == \"ModifyImageAttribute\", RequestParameters.ImageId,\r\n EventName == \"ModifyInstanceAttribute\", RequestParameters.InstanceId,\r\n EventName == 
\"ModifyInstanceCapacityReservationAttributes\", RequestParameters.InstanceId,\r\n EventName == \"ModifyInstanceConnectEndpoint\", RequestParameters.InstanceConnectEndpointId,\r\n EventName == \"ModifyInstanceCpuOptions\", ResponseElements.instanceId,\r\n EventName == \"ModifyInstanceCreditSpecification\", RequestParameters.InstanceCreditSpecification,\r\n EventName == \"ModifyInstanceEventStartTime\", RequestParameters.InstanceEventId,\r\n EventName == \"ModifyInstanceEventWindow\", RequestParameters.InstanceEventWindowId,\r\n EventName == \"ModifyInstanceMaintenanceOptions\", ResponseElements.instanceId,\r\n EventName == \"ModifyInstanceMetadataOptions\", ResponseElements.instanceId,\r\n EventName == \"ModifyInstanceNetworkPerformanceOptions\", ResponseElements.instanceId,\r\n EventName == \"ModifyInstancePlacement\", ResponseElements.instanceId,\r\n EventName == \"ModifyIpam\", RequestParameters.IpamId,\r\n EventName == \"ModifyIpamPolicyAllocationRules\", RequestParameters.IpamPolicyId,\r\n EventName == \"ModifyIpamPool\", RequestParameters.IpamPoolId,\r\n EventName == \"ModifyIpamPrefixListResolver\", RequestParameters.IpamPrefixListResolverId,\r\n EventName == \"ModifyIpamPrefixListResolverTarget\", RequestParameters.IpamPrefixListResolverTargetId,\r\n EventName == \"ModifyIpamResourceCidr\", RequestParameters.ResourceId,\r\n EventName == \"ModifyIpamResourceDiscovery\", RequestParameters.IpamResourceDiscoveryId,\r\n EventName == \"ModifyIpamScope\", RequestParameters.IpamScopeId,\r\n EventName == \"ModifyLaunchTemplate\", RequestParameters.LaunchTemplateId,\r\n EventName == \"ModifyLocalGatewayRoute\", RequestParameters.LocalGatewayRouteTableId,\r\n EventName == \"ModifyManagedPrefixList\", RequestParameters.PrefixListId,\r\n EventName == \"ModifyNetworkInterfaceAttribute\", RequestParameters.NetworkInterfaceId,\r\n EventName == \"ModifyPrivateDnsNameOptions\", RequestParameters.InstanceId,\r\n EventName == \"ModifyPublicIpDnsNameOptions\", 
RequestParameters.NetworkInterfaceId,\r\n EventName == \"ModifyReservedInstances\", RequestParameters.ReservedInstancesId,\r\n EventName == \"ModifyRouteServer\", RequestParameters.RouteServerId,\r\n EventName == \"ModifySecurityGroupRules\", RequestParameters.GroupId,\r\n EventName == \"ModifySnapshotAttribute\", RequestParameters.SnapshotId,\r\n EventName == \"ModifySnapshotTier\", RequestParameters.SnapshotId,\r\n EventName == \"ModifySpotFleetRequest\", RequestParameters.SpotFleetRequestId,\r\n EventName == \"ModifySubnetAttribute\", RequestParameters.SubnetId,\r\n EventName == \"ModifyTrafficMirrorFilterNetworkServices\", RequestParameters.TrafficMirrorFilterId,\r\n EventName == \"ModifyTrafficMirrorFilterRule\", RequestParameters.TrafficMirrorFilterRuleId,\r\n EventName == \"ModifyTrafficMirrorSession\", RequestParameters.TrafficMirrorSessionId,\r\n EventName == \"ModifyTransitGateway\", RequestParameters.TransitGatewayId,\r\n EventName == \"ModifyTransitGatewayMeteringPolicy\", RequestParameters.TransitGatewayMeteringPolicyId,\r\n EventName == \"ModifyTransitGatewayPrefixListReference\", ResponseElements.transitGatewayPrefixListReference.prefixListId,\r\n EventName == \"ModifyTransitGatewayVpcAttachment\", RequestParameters.TransitGatewayAttachmentId,\r\n EventName == \"ModifyVerifiedAccessEndpoint\", RequestParameters.VerifiedAccessGroupId,\r\n EventName == \"ModifyVerifiedAccessEndpointPolicy\", RequestParameters.VerifiedAccessEndpointId,\r\n EventName == \"ModifyVerifiedAccessGroup\", RequestParameters.VerifiedAccessInstanceId,\r\n EventName == \"ModifyVerifiedAccessGroupPolicy\", RequestParameters.VerifiedAccessGroupId,\r\n EventName == \"ModifyVerifiedAccessInstance\", RequestParameters.VerifiedAccessInstanceId,\r\n EventName == \"ModifyVerifiedAccessInstanceLoggingConfiguration\", RequestParameters.VerifiedAccessInstanceId,\r\n EventName == \"ModifyVerifiedAccessTrustProvider\", RequestParameters.VerifiedAccessTrustProviderId,\r\n EventName == 
\"ModifyVolume\", ResponseElements.volumeModification.volumeId,\r\n EventName == \"ModifyVolumeAttribute\", RequestParameters.VolumeId,\r\n EventName == \"ModifyVpcAttribute\", RequestParameters.VpcId,\r\n EventName == \"ModifyVpcBlockPublicAccessExclusion\", RequestParameters.ExclusionId,\r\n EventName == \"ModifyVpcEncryptionControl\", RequestParameters.VpcEncryptionControlId,\r\n EventName == \"ModifyVpcEndpoint\", RequestParameters.RemoveRouteTableId.N,\r\n EventName == \"ModifyVpcEndpointConnectionNotification\", RequestParameters.ConnectionNotificationId,\r\n EventName == \"ModifyVpcEndpointServiceConfiguration\", RequestParameters.ServiceId,\r\n EventName == \"ModifyVpcEndpointServicePayerResponsibility\", RequestParameters.ServiceId,\r\n EventName == \"ModifyVpcEndpointServicePermissions\", RequestParameters.ServiceId,\r\n EventName == \"ModifyVpcPeeringConnectionOptions\", RequestParameters.VpcPeeringConnectionId,\r\n EventName == \"ModifyVpcTenancy\", RequestParameters.VpcId,\r\n EventName == \"ModifyVpnConnection\", RequestParameters.VpnConnectionId,\r\n EventName == \"ModifyVpnConnectionOptions\", RequestParameters.VpnConnectionId,\r\n EventName == \"ModifyVpnTunnelCertificate\", RequestParameters.VpnConnectionId,\r\n EventName == \"ModifyVpnTunnelOptions\", RequestParameters.VpnConnectionId,\r\n EventName == \"MonitorInstances\", RequestParameters.InstanceId,\r\n EventName == \"MoveAddressToVpc\", RequestParameters.PublicIp,\r\n EventName == \"MoveByoipCidrToIpam\", RequestParameters.Cidr,\r\n EventName == \"MoveCapacityReservationInstances\", RequestParameters.SourceCapacityReservationId,\r\n EventName == \"ProvisionByoipCidr\", RequestParameters.Cidr,\r\n EventName == \"ProvisionIpamByoasn\", RequestParameters.Asn,\r\n EventName == \"ProvisionIpamPoolCidr\", RequestParameters.IpamPoolId,\r\n EventName == \"ProvisionPublicIpv4PoolCidr\", ResponseElements.poolId,\r\n EventName == \"PurchaseCapacityBlock\", RequestParameters.CapacityBlockOfferingId,\r\n 
EventName == \"PurchaseCapacityBlockExtension\", RequestParameters.CapacityBlockOfferingId,\r\n EventName == \"PurchaseHostReservation\", RequestParameters.HostIdSet,\r\n EventName == \"PurchaseReservedInstancesOffering\", RequestParameters.ReservedInstancesOfferingId,\r\n EventName == \"PurchaseScheduledInstances\", RequestParameters.PurchaseRequest,\r\n EventName == \"RebootInstances\", RequestParameters.InstanceId,\r\n EventName == \"RegisterImage\", ResponseElements.imageId,\r\n EventName == \"RegisterTransitGatewayMulticastGroupMembers\", RequestParameters.TransitGatewayMulticastDomainId,\r\n EventName == \"RegisterTransitGatewayMulticastGroupSources\", RequestParameters.TransitGatewayMulticastDomainId,\r\n EventName == \"RejectCapacityReservationBillingOwnership\", RequestParameters.CapacityReservationId,\r\n EventName == \"RejectTransitGatewayMulticastDomainAssociations\", RequestParameters.TransitGatewayMulticastDomainId,\r\n EventName == \"RejectTransitGatewayPeeringAttachment\", RequestParameters.TransitGatewayAttachmentId,\r\n EventName == \"RejectTransitGatewayVpcAttachment\", RequestParameters.TransitGatewayAttachmentId,\r\n EventName == \"RejectVpcEndpointConnections\", RequestParameters.VpcEndpointId,\r\n EventName == \"RejectVpcPeeringConnection\", RequestParameters.VpcPeeringConnectionId,\r\n EventName == \"ReleaseAddress\", RequestParameters.AllocationId,\r\n EventName == \"ReleaseHosts\", RequestParameters.HostId,\r\n EventName == \"ReleaseIpamPoolAllocation\", RequestParameters.IpamPoolAllocationId,\r\n EventName == \"ReplaceIamInstanceProfileAssociation\", ResponseElements.iamInstanceProfileAssociation.associationId,\r\n EventName == \"ReplaceNetworkAclAssociation\", RequestParameters.NetworkAclId,\r\n EventName == \"ReplaceNetworkAclEntry\", RequestParameters.NetworkAclId,\r\n EventName == \"ReplaceRoute\", RequestParameters.VpcEndpointId,\r\n EventName == \"ReplaceRouteTableAssociation\", RequestParameters.RouteTableId,\r\n EventName == 
\"ReplaceTransitGatewayRoute\", RequestParameters.TransitGatewayRouteTableId,\r\n EventName == \"ReplaceVpnTunnel\", RequestParameters.VpnConnectionId,\r\n EventName == \"ReportInstanceStatus\", RequestParameters.InstanceId,\r\n EventName == \"RequestSpotFleet\", ResponseElements.spotFleetRequestId,\r\n EventName == \"ResetAddressAttribute\", RequestParameters.AllocationId,\r\n EventName == \"ResetEbsDefaultKmsKeyId\", ResponseElements.kmsKeyId,\r\n EventName == \"ResetFpgaImageAttribute\", RequestParameters.FpgaImageId,\r\n EventName == \"ResetImageAttribute\", RequestParameters.ImageId,\r\n EventName == \"ResetInstanceAttribute\", RequestParameters.InstanceId,\r\n EventName == \"ResetNetworkInterfaceAttribute\", RequestParameters.NetworkInterfaceId,\r\n EventName == \"ResetSnapshotAttribute\", RequestParameters.SnapshotId,\r\n EventName == \"RestoreAddressToClassic\", RequestParameters.PublicIp,\r\n EventName == \"RestoreImageFromRecycleBin\", RequestParameters.ImageId,\r\n EventName == \"RestoreManagedPrefixListVersion\", RequestParameters.PrefixListId,\r\n EventName == \"RestoreSnapshotFromRecycleBin\", RequestParameters.SnapshotId,\r\n EventName == \"RestoreSnapshotTier\", RequestParameters.SnapshotId,\r\n EventName == \"RestoreVolumeFromRecycleBin\", RequestParameters.VolumeId,\r\n EventName == \"RevokeClientVpnIngress\", RequestParameters.ClientVpnEndpointId,\r\n EventName == \"RevokeSecurityGroupEgress\", RequestParameters.GroupId,\r\n EventName == \"RevokeSecurityGroupIngress\", RequestParameters.GroupId,\r\n EventName == \"RunInstances\", ResponseElements.requesterId,\r\n EventName == \"RunScheduledInstances\", RequestParameters.ScheduledInstanceId,\r\n EventName == \"SearchLocalGatewayRoutes\", RequestParameters.LocalGatewayRouteTableId,\r\n EventName == \"SearchTransitGatewayMulticastGroups\", RequestParameters.TransitGatewayMulticastDomainId,\r\n EventName == \"SearchTransitGatewayRoutes\", RequestParameters.TransitGatewayRouteTableId,\r\n EventName == 
\"SendDiagnosticInterrupt\", RequestParameters.InstanceId,\r\n EventName == \"StartDeclarativePoliciesReport\", ResponseElements.reportId,\r\n EventName == \"StartInstances\", RequestParameters.InstanceId,\r\n EventName == \"StartNetworkInsightsAccessScopeAnalysis\", RequestParameters.NetworkInsightsAccessScopeId,\r\n EventName == \"StartNetworkInsightsAnalysis\", RequestParameters.NetworkInsightsPathId,\r\n EventName == \"StartVpcEndpointServicePrivateDnsVerification\", RequestParameters.ServiceId,\r\n EventName == \"StopInstances\", RequestParameters.InstanceId,\r\n EventName == \"TerminateClientVpnConnections\", RequestParameters.ClientVpnEndpointId,\r\n EventName == \"TerminateInstances\", RequestParameters.InstanceId,\r\n EventName == \"UnassignIpv6Addresses\", RequestParameters.NetworkInterfaceId,\r\n EventName == \"UnassignPrivateIpAddresses\", RequestParameters.NetworkInterfaceId,\r\n EventName == \"UnassignPrivateNatGatewayAddress\", RequestParameters.NatGatewayId,\r\n EventName == \"UnlockSnapshot\", RequestParameters.SnapshotId,\r\n EventName == \"UnmonitorInstances\", RequestParameters.InstanceId,\r\n EventName == \"UpdateInterruptibleCapacityReservationAllocation\", ResponseElements.sourceCapacityReservationId,\r\n EventName == \"UpdateSecurityGroupRuleDescriptionsEgress\", RequestParameters.GroupId,\r\n EventName == \"UpdateSecurityGroupRuleDescriptionsIngress\", RequestParameters.GroupId,\r\n EventName == \"WithdrawByoipCidr\", RequestParameters.Cidr,\r\n \"\"\r\n )\r\n};\r\nlet ParseEC2Events = (T: (EventSource: string, EventName: string, RequestParameters: dynamic, ResponseElements: dynamic, Resources: dynamic, ErrorCode: int, ErrorMessage: string)) {\r\n let EC2EventNameLookup = datatable(EventName: string, EventType: string)\r\n [ \r\n \"AcceptAddressTransfer\", \"Execute\",\r\n \"AcceptCapacityReservationBillingOwnership\", \"Execute\",\r\n \"AcceptReservedInstancesExchangeQuote\", \"Execute\",\r\n 
\"AcceptTransitGatewayMulticastDomainAssociations\", \"Execute\",\r\n \"AcceptTransitGatewayPeeringAttachment\", \"Execute\",\r\n \"AcceptTransitGatewayVpcAttachment\", \"Execute\",\r\n \"AcceptVpcEndpointConnections\", \"Execute\",\r\n \"AcceptVpcPeeringConnection\", \"Execute\",\r\n \"AdvertiseByoipCidr\", \"Execute\",\r\n \"AllocateAddress\", \"Create\",\r\n \"AllocateHosts\", \"Create\",\r\n \"AllocateIpamPoolCidr\", \"Create\",\r\n \"ApplySecurityGroupsToClientVpnTargetNetwork\", \"Set\",\r\n \"AssignIpv6Addresses\", \"Set\",\r\n \"AssignPrivateIpAddresses\", \"Set\",\r\n \"AssignPrivateNatGatewayAddress\", \"Set\",\r\n \"AssociateAddress\", \"Set\",\r\n \"AssociateCapacityReservationBillingOwner\", \"Set\",\r\n \"AssociateClientVpnTargetNetwork\", \"Set\",\r\n \"AssociateDhcpOptions\", \"Set\",\r\n \"AssociateEnclaveCertificateIamRole\", \"Set\",\r\n \"AssociateIamInstanceProfile\", \"Set\",\r\n \"AssociateInstanceEventWindow\", \"Set\",\r\n \"AssociateIpamByoasn\", \"Set\",\r\n \"AssociateIpamResourceDiscovery\", \"Set\",\r\n \"AssociateNatGatewayAddress\", \"Set\",\r\n \"AssociateRouteServer\", \"Set\",\r\n \"AssociateRouteTable\", \"Set\",\r\n \"AssociateSecurityGroupVpc\", \"Set\",\r\n \"AssociateSubnetCidrBlock\", \"Set\",\r\n \"AssociateTransitGatewayMulticastDomain\", \"Set\",\r\n \"AssociateTransitGatewayPolicyTable\", \"Set\",\r\n \"AssociateTransitGatewayRouteTable\", \"Set\",\r\n \"AssociateTrunkInterface\", \"Set\",\r\n \"AssociateVpcCidrBlock\", \"Set\",\r\n \"AttachClassicLinkVpc\", \"Set\",\r\n \"AttachInternetGateway\", \"Set\",\r\n \"AttachNetworkInterface\", \"Set\",\r\n \"AttachVerifiedAccessTrustProvider\", \"Set\",\r\n \"AttachVolume\", \"Set\",\r\n \"AttachVpnGateway\", \"Set\",\r\n \"AuthorizeClientVpnIngress\", \"Execute\",\r\n \"AuthorizeSecurityGroupEgress\", \"Execute\",\r\n \"AuthorizeSecurityGroupIngress\", \"Execute\",\r\n \"BundleInstance\", \"Execute\",\r\n \"CancelBundleTask\", \"Delete\",\r\n \"CancelCapacityReservation\", 
\"Delete\",\r\n \"CancelCapacityReservationFleets\", \"Delete\",\r\n \"CancelConversionTask\", \"Delete\",\r\n \"CancelDeclarativePoliciesReport\", \"Delete\",\r\n \"CancelExportTask\", \"Delete\",\r\n \"CancelImageLaunchPermission\", \"Delete\",\r\n \"CancelImportTask\", \"Delete\",\r\n \"CancelReservedInstancesListing\", \"Delete\",\r\n \"CancelSpotFleetRequests\", \"Delete\",\r\n \"CancelSpotInstanceRequests\", \"Delete\",\r\n \"ConfirmProductInstance\", \"Execute\",\r\n \"CopyFpgaImage\", \"Execute\",\r\n \"CopyImage\", \"Execute\",\r\n \"CopySnapshot\", \"Execute\",\r\n \"CopyVolumes\", \"Execute\",\r\n \"CreateCapacityManagerDataExport\", \"Create\",\r\n \"CreateCapacityReservation\", \"Create\",\r\n \"CreateCapacityReservationBySplitting\", \"Create\",\r\n \"CreateCapacityReservationFleet\", \"Create\",\r\n \"CreateCarrierGateway\", \"Create\",\r\n \"CreateClientVpnEndpoint\", \"Create\",\r\n \"CreateClientVpnRoute\", \"Create\",\r\n \"CreateCoipCidr\", \"Create\",\r\n \"CreateCoipPool\", \"Create\",\r\n \"CreateCustomerGateway\", \"Create\",\r\n \"CreateDefaultSubnet\", \"Create\",\r\n \"CreateDefaultVpc\", \"Create\",\r\n \"CreateDelegateMacVolumeOwnershipTask\", \"Create\",\r\n \"CreateDhcpOptions\", \"Create\",\r\n \"CreateEgressOnlyInternetGateway\", \"Create\",\r\n \"CreateFleet\", \"Create\",\r\n \"CreateFlowLogs\", \"Create\",\r\n \"CreateFpgaImage\", \"Create\",\r\n \"CreateImage\", \"Create\",\r\n \"CreateImageUsageReport\", \"Create\",\r\n \"CreateInstanceConnectEndpoint\", \"Create\",\r\n \"CreateInstanceEventWindow\", \"Create\",\r\n \"CreateInstanceExportTask\", \"Create\",\r\n \"CreateInternetGateway\", \"Create\",\r\n \"CreateInterruptibleCapacityReservationAllocation\", \"Create\",\r\n \"CreateIpam\", \"Create\",\r\n \"CreateIpamExternalResourceVerificationToken\", \"Create\",\r\n \"CreateIpamPolicy\", \"Create\",\r\n \"CreateIpamPool\", \"Create\",\r\n \"CreateIpamPrefixListResolver\", \"Create\",\r\n \"CreateIpamPrefixListResolverTarget\", 
\"Create\",\r\n \"CreateIpamResourceDiscovery\", \"Create\",\r\n \"CreateIpamScope\", \"Create\",\r\n \"CreateKeyPair\", \"Create\",\r\n \"CreateLaunchTemplate\", \"Create\",\r\n \"CreateLaunchTemplateVersion\", \"Create\",\r\n \"CreateLocalGatewayRoute\", \"Create\",\r\n \"CreateLocalGatewayRouteTable\", \"Create\",\r\n \"CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation\", \"Create\",\r\n \"CreateLocalGatewayRouteTableVpcAssociation\", \"Create\",\r\n \"CreateLocalGatewayVirtualInterface\", \"Create\",\r\n \"CreateLocalGatewayVirtualInterfaceGroup\", \"Create\",\r\n \"CreateMacSystemIntegrityProtectionModificationTask\", \"Create\",\r\n \"CreateManagedPrefixList\", \"Create\",\r\n \"CreateNatGateway\", \"Create\",\r\n \"CreateNetworkAcl\", \"Create\",\r\n \"CreateNetworkAclEntry\", \"Create\",\r\n \"CreateNetworkInsightsAccessScope\", \"Create\",\r\n \"CreateNetworkInsightsPath\", \"Create\",\r\n \"CreateNetworkInterface\", \"Create\",\r\n \"CreateNetworkInterfacePermission\", \"Create\",\r\n \"CreatePlacementGroup\", \"Create\",\r\n \"CreatePublicIpv4Pool\", \"Create\",\r\n \"CreateReplaceRootVolumeTask\", \"Create\",\r\n \"CreateReservedInstancesListing\", \"Create\",\r\n \"CreateRestoreImageTask\", \"Create\",\r\n \"CreateRoute\", \"Create\",\r\n \"CreateRouteServer\", \"Create\",\r\n \"CreateRouteServerEndpoint\", \"Create\",\r\n \"CreateRouteServerPeer\", \"Create\",\r\n \"CreateRouteTable\", \"Create\",\r\n \"CreateSecondaryNetwork\", \"Create\",\r\n \"CreateSecondarySubnet\", \"Create\",\r\n \"CreateSecurityGroup\", \"Create\",\r\n \"CreateSnapshot\", \"Create\",\r\n \"CreateSnapshots\", \"Create\",\r\n \"CreateSpotDatafeedSubscription\", \"Create\",\r\n \"CreateStoreImageTask\", \"Create\",\r\n \"CreateSubnet\", \"Create\",\r\n \"CreateSubnetCidrReservation\", \"Create\",\r\n \"CreateTags\", \"Create\",\r\n \"CreateTrafficMirrorFilter\", \"Create\",\r\n \"CreateTrafficMirrorFilterRule\", \"Create\",\r\n \"CreateTrafficMirrorSession\", 
\"Create\",\r\n \"CreateTrafficMirrorTarget\", \"Create\",\r\n \"CreateTransitGateway\", \"Create\",\r\n \"CreateTransitGatewayConnect\", \"Create\",\r\n \"CreateTransitGatewayConnectPeer\", \"Create\",\r\n \"CreateTransitGatewayMeteringPolicy\", \"Create\",\r\n \"CreateTransitGatewayMeteringPolicyEntry\", \"Create\",\r\n \"CreateTransitGatewayMulticastDomain\", \"Create\",\r\n \"CreateTransitGatewayPeeringAttachment\", \"Create\",\r\n \"CreateTransitGatewayPolicyTable\", \"Create\",\r\n \"CreateTransitGatewayPrefixListReference\", \"Create\",\r\n \"CreateTransitGatewayRoute\", \"Create\",\r\n \"CreateTransitGatewayRouteTable\", \"Create\",\r\n \"CreateTransitGatewayRouteTableAnnouncement\", \"Create\",\r\n \"CreateTransitGatewayVpcAttachment\", \"Create\",\r\n \"CreateVerifiedAccessEndpoint\", \"Create\",\r\n \"CreateVerifiedAccessGroup\", \"Create\",\r\n \"CreateVerifiedAccessInstance\", \"Create\",\r\n \"CreateVerifiedAccessTrustProvider\", \"Create\",\r\n \"CreateVolume\", \"Create\",\r\n \"CreateVpc\", \"Create\",\r\n \"CreateVpcBlockPublicAccessExclusion\", \"Create\",\r\n \"CreateVpcEncryptionControl\", \"Create\",\r\n \"CreateVpcEndpoint\", \"Create\",\r\n \"CreateVpcEndpointConnectionNotification\", \"Create\",\r\n \"CreateVpcEndpointServiceConfiguration\", \"Create\",\r\n \"CreateVpcPeeringConnection\", \"Create\",\r\n \"CreateVpnConcentrator\", \"Create\",\r\n \"CreateVpnConnection\", \"Create\",\r\n \"CreateVpnConnectionRoute\", \"Set\",\r\n \"CreateVpnGateway\", \"Create\",\r\n \"DeleteCapacityManagerDataExport\", \"Delete\",\r\n \"DeleteCarrierGateway\", \"Delete\",\r\n \"DeleteClientVpnEndpoint\", \"Delete\",\r\n \"DeleteClientVpnRoute\", \"Set\",\r\n \"DeleteCoipCidr\", \"Set\",\r\n \"DeleteCoipPool\", \"Delete\",\r\n \"DeleteCustomerGateway\", \"Delete\",\r\n \"DeleteDhcpOptions\", \"Delete\",\r\n \"DeleteEgressOnlyInternetGateway\", \"Delete\",\r\n \"DeleteFleets\", \"Delete\",\r\n \"DeleteFlowLogs\", \"Delete\",\r\n \"DeleteFpgaImage\", 
\"Delete\",\r\n \"DeleteImageUsageReport\", \"Delete\",\r\n \"DeleteInstanceConnectEndpoint\", \"Delete\",\r\n \"DeleteInstanceEventWindow\", \"Delete\",\r\n \"DeleteInternetGateway\", \"Delete\",\r\n \"DeleteIpam\", \"Delete\",\r\n \"DeleteIpamExternalResourceVerificationToken\", \"Delete\",\r\n \"DeleteIpamPolicy\", \"Delete\",\r\n \"DeleteIpamPool\", \"Delete\",\r\n \"DeleteIpamPrefixListResolver\", \"Delete\",\r\n \"DeleteIpamPrefixListResolverTarget\", \"Delete\",\r\n \"DeleteIpamResourceDiscovery\", \"Delete\",\r\n \"DeleteIpamScope\", \"Delete\",\r\n \"DeleteKeyPair\", \"Delete\",\r\n \"DeleteLaunchTemplate\", \"Delete\",\r\n \"DeleteLaunchTemplateVersions\", \"Delete\",\r\n \"DeleteLocalGatewayRoute\", \"Set\",\r\n \"DeleteLocalGatewayRouteTable\", \"Delete\",\r\n \"DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociation\", \"Delete\",\r\n \"DeleteLocalGatewayRouteTableVpcAssociation\", \"Delete\",\r\n \"DeleteLocalGatewayVirtualInterface\", \"Delete\",\r\n \"DeleteLocalGatewayVirtualInterfaceGroup\", \"Delete\",\r\n \"DeleteManagedPrefixList\", \"Delete\",\r\n \"DeleteNatGateway\", \"Delete\",\r\n \"DeleteNetworkAcl\", \"Delete\",\r\n \"DeleteNetworkAclEntry\", \"Set\",\r\n \"DeleteNetworkInsightsAccessScope\", \"Delete\",\r\n \"DeleteNetworkInsightsAccessScopeAnalysis\", \"Delete\",\r\n \"DeleteNetworkInsightsAnalysis\", \"Delete\",\r\n \"DeleteNetworkInsightsPath\", \"Delete\",\r\n \"DeleteNetworkInterface\", \"Delete\",\r\n \"DeleteNetworkInterfacePermission\", \"Delete\",\r\n \"DeletePlacementGroup\", \"Delete\",\r\n \"DeletePublicIpv4Pool\", \"Delete\",\r\n \"DeleteQueuedReservedInstances\", \"Delete\",\r\n \"DeleteRoute\", \"Delete\",\r\n \"DeleteRouteServer\", \"Delete\",\r\n \"DeleteRouteServerEndpoint\", \"Delete\",\r\n \"DeleteRouteServerPeer\", \"Delete\",\r\n \"DeleteRouteTable\", \"Delete\",\r\n \"DeleteSecondaryNetwork\", \"Delete\",\r\n \"DeleteSecondarySubnet\", \"Delete\",\r\n \"DeleteSecurityGroup\", \"Delete\",\r\n 
\"DeleteSnapshot\", \"Delete\",\r\n \"DeleteSpotDatafeedSubscription\", \"Delete\",\r\n \"DeleteSubnet\", \"Delete\",\r\n \"DeleteSubnetCidrReservation\", \"Delete\",\r\n \"DeleteTags\", \"Delete\",\r\n \"DeleteTrafficMirrorFilter\", \"Delete\",\r\n \"DeleteTrafficMirrorFilterRule\", \"Delete\",\r\n \"DeleteTrafficMirrorSession\", \"Delete\",\r\n \"DeleteTrafficMirrorTarget\", \"Delete\",\r\n \"DeleteTransitGateway\", \"Delete\",\r\n \"DeleteTransitGatewayConnect\", \"Delete\",\r\n \"DeleteTransitGatewayConnectPeer\", \"Delete\",\r\n \"DeleteTransitGatewayMeteringPolicy\", \"Delete\",\r\n \"DeleteTransitGatewayMeteringPolicyEntry\", \"Set\",\r\n \"DeleteTransitGatewayMulticastDomain\", \"Delete\",\r\n \"DeleteTransitGatewayPeeringAttachment\", \"Delete\",\r\n \"DeleteTransitGatewayPolicyTable\", \"Delete\",\r\n \"DeleteTransitGatewayPrefixListReference\", \"Set\",\r\n \"DeleteTransitGatewayRoute\", \"Set\",\r\n \"DeleteTransitGatewayRouteTable\", \"Delete\",\r\n \"DeleteTransitGatewayRouteTableAnnouncement\", \"Execute\",\r\n \"DeleteTransitGatewayVpcAttachment\", \"Delete\",\r\n \"DeleteVerifiedAccessEndpoint\", \"Delete\",\r\n \"DeleteVerifiedAccessGroup\", \"Delete\",\r\n \"DeleteVerifiedAccessInstance\", \"Delete\",\r\n \"DeleteVerifiedAccessTrustProvider\", \"Delete\",\r\n \"DeleteVolume\", \"Delete\",\r\n \"DeleteVpc\", \"Delete\",\r\n \"DeleteVpcBlockPublicAccessExclusion\", \"Delete\",\r\n \"DeleteVpcEncryptionControl\", \"Delete\",\r\n \"DeleteVpcEndpointConnectionNotifications\", \"Delete\",\r\n \"DeleteVpcEndpoints\", \"Delete\",\r\n \"DeleteVpcEndpointServiceConfigurations\", \"Delete\",\r\n \"DeleteVpcPeeringConnection\", \"Delete\",\r\n \"DeleteVpnConcentrator\", \"Delete\",\r\n \"DeleteVpnConnection\", \"Delete\",\r\n \"DeleteVpnConnectionRoute\", \"Set\",\r\n \"DeleteVpnGateway\", \"Delete\",\r\n \"DeprovisionByoipCidr\", \"Execute\",\r\n \"DeprovisionIpamByoasn\", \"Execute\",\r\n \"DeprovisionIpamPoolCidr\", \"Execute\",\r\n 
\"DeprovisionPublicIpv4PoolCidr\", \"Execute\",\r\n \"DeregisterImage\", \"Delete\",\r\n \"DeregisterInstanceEventNotificationAttributes\", \"Delete\",\r\n \"DeregisterTransitGatewayMulticastGroupMembers\", \"Delete\",\r\n \"DeregisterTransitGatewayMulticastGroupSources\", \"Delete\",\r\n \"DescribeAccountAttributes\", \"Read\",\r\n \"DescribeAddresses\", \"Read\",\r\n \"DescribeAddressesAttribute\", \"Read\",\r\n \"DescribeAddressTransfers\", \"Read\",\r\n \"DescribeAggregateIdFormat\", \"Read\",\r\n \"DescribeAvailabilityZones\", \"Read\",\r\n \"DescribeAwsNetworkPerformanceMetricSubscriptions\", \"Read\",\r\n \"DescribeBundleTasks\", \"Read\",\r\n \"DescribeByoipCidrs\", \"Read\",\r\n \"DescribeCapacityBlockExtensionHistory\", \"Read\",\r\n \"DescribeCapacityBlockExtensionOfferings\", \"Read\",\r\n \"DescribeCapacityBlockOfferings\", \"Read\",\r\n \"DescribeCapacityBlocks\", \"Read\",\r\n \"DescribeCapacityBlockStatus\", \"Read\",\r\n \"DescribeCapacityManagerDataExports\", \"Read\",\r\n \"DescribeCapacityReservationBillingRequests\", \"Read\",\r\n \"DescribeCapacityReservationFleets\", \"Read\",\r\n \"DescribeCapacityReservations\", \"Read\",\r\n \"DescribeCapacityReservationTopology\", \"Read\",\r\n \"DescribeCarrierGateways\", \"Read\",\r\n \"DescribeClassicLinkInstances\", \"Read\",\r\n \"DescribeClientVpnAuthorizationRules\", \"Read\",\r\n \"DescribeClientVpnConnections\", \"Read\",\r\n \"DescribeClientVpnEndpoints\", \"Read\",\r\n \"DescribeClientVpnRoutes\", \"Read\",\r\n \"DescribeClientVpnTargetNetworks\", \"Read\",\r\n \"DescribeCoipPools\", \"Read\",\r\n \"DescribeConversionTasks\", \"Read\",\r\n \"DescribeCustomerGateways\", \"Read\",\r\n \"DescribeDeclarativePoliciesReports\", \"Read\",\r\n \"DescribeDhcpOptions\", \"Read\",\r\n \"DescribeEgressOnlyInternetGateways\", \"Read\",\r\n \"DescribeElasticGpus\", \"Read\",\r\n \"DescribeExportImageTasks\", \"Read\",\r\n \"DescribeExportTasks\", \"Read\",\r\n \"DescribeFastLaunchImages\", \"Read\",\r\n 
\"DescribeFastSnapshotRestores\", \"Read\",\r\n \"DescribeFleetHistory\", \"Read\",\r\n \"DescribeFleetInstances\", \"Read\",\r\n \"DescribeFleets\", \"Read\",\r\n \"DescribeFlowLogs\", \"Read\",\r\n \"DescribeFpgaImageAttribute\", \"Read\",\r\n \"DescribeFpgaImages\", \"Read\",\r\n \"DescribeHostReservationOfferings\", \"Read\",\r\n \"DescribeHostReservations\", \"Read\",\r\n \"DescribeHosts\", \"Read\",\r\n \"DescribeIamInstanceProfileAssociations\", \"Read\",\r\n \"DescribeIdentityIdFormat\", \"Read\",\r\n \"DescribeIdFormat\", \"Read\",\r\n \"DescribeImageAttribute\", \"Read\",\r\n \"DescribeImageReferences\", \"Read\",\r\n \"DescribeImages\", \"Read\",\r\n \"DescribeImageUsageReportEntries\", \"Read\",\r\n \"DescribeImageUsageReports\", \"Read\",\r\n \"DescribeImportImageTasks\", \"Read\",\r\n \"DescribeImportSnapshotTasks\", \"Read\",\r\n \"DescribeInstanceAttribute\", \"Read\",\r\n \"DescribeInstanceConnectEndpoints\", \"Read\",\r\n \"DescribeInstanceCreditSpecifications\", \"Read\",\r\n \"DescribeInstanceEventNotificationAttributes\", \"Read\",\r\n \"DescribeInstanceEventWindows\", \"Read\",\r\n \"DescribeInstanceImageMetadata\", \"Read\",\r\n \"DescribeInstances\", \"Read\",\r\n \"DescribeInstanceSqlHaHistoryStates\", \"Read\",\r\n \"DescribeInstanceSqlHaStates\", \"Read\",\r\n \"DescribeInstanceStatus\", \"Read\",\r\n \"DescribeInstanceTopology\", \"Read\",\r\n \"DescribeInstanceTypeOfferings\", \"Read\",\r\n \"DescribeInstanceTypes\", \"Read\",\r\n \"DescribeInternetGateways\", \"Read\",\r\n \"DescribeIpamByoasn\", \"Read\",\r\n \"DescribeIpamExternalResourceVerificationTokens\", \"Read\",\r\n \"DescribeIpamPolicies\", \"Read\",\r\n \"DescribeIpamPools\", \"Read\",\r\n \"DescribeIpamPrefixListResolvers\", \"Read\",\r\n \"DescribeIpamPrefixListResolverTargets\", \"Read\",\r\n \"DescribeIpamResourceDiscoveries\", \"Read\",\r\n \"DescribeIpamResourceDiscoveryAssociations\", \"Read\",\r\n \"DescribeIpams\", \"Read\",\r\n \"DescribeIpamScopes\", \"Read\",\r\n 
\"DescribeIpv6Pools\", \"Read\",\r\n \"DescribeKeyPairs\", \"Read\",\r\n \"DescribeLaunchTemplates\", \"Read\",\r\n \"DescribeLaunchTemplateVersions\", \"Read\",\r\n \"DescribeLocalGatewayRouteTables\", \"Read\",\r\n \"DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations\", \"Read\",\r\n \"DescribeLocalGatewayRouteTableVpcAssociations\", \"Read\",\r\n \"DescribeLocalGateways\", \"Read\",\r\n \"DescribeLocalGatewayVirtualInterfaceGroups\", \"Read\",\r\n \"DescribeLocalGatewayVirtualInterfaces\", \"Read\",\r\n \"DescribeLockedSnapshots\", \"Read\",\r\n \"DescribeMacHosts\", \"Read\",\r\n \"DescribeMacModificationTasks\", \"Read\",\r\n \"DescribeManagedPrefixLists\", \"Read\",\r\n \"DescribeMovingAddresses\", \"Read\",\r\n \"DescribeNatGateways\", \"Read\",\r\n \"DescribeNetworkAcls\", \"Read\",\r\n \"DescribeNetworkInsightsAccessScopeAnalyses\", \"Read\",\r\n \"DescribeNetworkInsightsAccessScopes\", \"Read\",\r\n \"DescribeNetworkInsightsAnalyses\", \"Read\",\r\n \"DescribeNetworkInsightsPaths\", \"Read\",\r\n \"DescribeNetworkInterfaceAttribute\", \"Read\",\r\n \"DescribeNetworkInterfacePermissions\", \"Read\",\r\n \"DescribeNetworkInterfaces\", \"Read\",\r\n \"DescribeOutpostLags\", \"Read\",\r\n \"DescribePlacementGroups\", \"Read\",\r\n \"DescribePrefixLists\", \"Read\",\r\n \"DescribePrincipalIdFormat\", \"Read\",\r\n \"DescribePublicIpv4Pools\", \"Read\",\r\n \"DescribeRegions\", \"Read\",\r\n \"DescribeReplaceRootVolumeTasks\", \"Read\",\r\n \"DescribeReservedInstances\", \"Read\",\r\n \"DescribeReservedInstancesListings\", \"Read\",\r\n \"DescribeReservedInstancesModifications\", \"Read\",\r\n \"DescribeReservedInstancesOfferings\", \"Read\",\r\n \"DescribeRouteServerEndpoints\", \"Read\",\r\n \"DescribeRouteServerPeers\", \"Read\",\r\n \"DescribeRouteServers\", \"Read\",\r\n \"DescribeRouteTables\", \"Read\",\r\n \"DescribeScheduledInstanceAvailability\", \"Read\",\r\n \"DescribeScheduledInstances\", \"Read\",\r\n \"DescribeSecondaryInterfaces\", 
\"Read\",\r\n \"DescribeSecondaryNetworks\", \"Read\",\r\n \"DescribeSecondarySubnets\", \"Read\",\r\n \"DescribeSecurityGroupReferences\", \"Read\",\r\n \"DescribeSecurityGroupRules\", \"Read\",\r\n \"DescribeSecurityGroups\", \"Read\",\r\n \"DescribeSecurityGroupVpcAssociations\", \"Read\",\r\n \"DescribeServiceLinkVirtualInterfaces\", \"Read\",\r\n \"DescribeSnapshotAttribute\", \"Read\",\r\n \"DescribeSnapshots\", \"Read\",\r\n \"DescribeSnapshotTierStatus\", \"Read\",\r\n \"DescribeSpotDatafeedSubscription\", \"Read\",\r\n \"DescribeSpotFleetInstances\", \"Read\",\r\n \"DescribeSpotFleetRequestHistory\", \"Read\",\r\n \"DescribeSpotFleetRequests\", \"Read\",\r\n \"DescribeSpotInstanceRequests\", \"Read\",\r\n \"DescribeSpotPriceHistory\", \"Read\",\r\n \"DescribeStaleSecurityGroups\", \"Read\",\r\n \"DescribeStoreImageTasks\", \"Read\",\r\n \"DescribeSubnets\", \"Read\",\r\n \"DescribeTags\", \"Read\",\r\n \"DescribeTrafficMirrorFilterRules\", \"Read\",\r\n \"DescribeTrafficMirrorFilters\", \"Read\",\r\n \"DescribeTrafficMirrorSessions\", \"Read\",\r\n \"DescribeTrafficMirrorTargets\", \"Read\",\r\n \"DescribeTransitGatewayAttachments\", \"Read\",\r\n \"DescribeTransitGatewayConnectPeers\", \"Read\",\r\n \"DescribeTransitGatewayConnects\", \"Read\",\r\n \"DescribeTransitGatewayMeteringPolicies\", \"Read\",\r\n \"DescribeTransitGatewayMulticastDomains\", \"Read\",\r\n \"DescribeTransitGatewayPeeringAttachments\", \"Read\",\r\n \"DescribeTransitGatewayPolicyTables\", \"Read\",\r\n \"DescribeTransitGatewayRouteTableAnnouncements\", \"Read\",\r\n \"DescribeTransitGatewayRouteTables\", \"Read\",\r\n \"DescribeTransitGateways\", \"Read\",\r\n \"DescribeTransitGatewayVpcAttachments\", \"Read\",\r\n \"DescribeTrunkInterfaceAssociations\", \"Read\",\r\n \"DescribeVerifiedAccessEndpoints\", \"Read\",\r\n \"DescribeVerifiedAccessGroups\", \"Read\",\r\n \"DescribeVerifiedAccessInstanceLoggingConfigurations\", \"Read\",\r\n \"DescribeVerifiedAccessInstances\", 
\"Read\",\r\n \"DescribeVerifiedAccessTrustProviders\", \"Read\",\r\n \"DescribeVolumeAttribute\", \"Read\",\r\n \"DescribeVolumes\", \"Read\",\r\n \"DescribeVolumesModifications\", \"Read\",\r\n \"DescribeVolumeStatus\", \"Read\",\r\n \"DescribeVpcAttribute\", \"Read\",\r\n \"DescribeVpcBlockPublicAccessExclusions\", \"Read\",\r\n \"DescribeVpcBlockPublicAccessOptions\", \"Read\",\r\n \"DescribeVpcClassicLink\", \"Read\",\r\n \"DescribeVpcClassicLinkDnsSupport\", \"Read\",\r\n \"DescribeVpcEncryptionControls\", \"Read\",\r\n \"DescribeVpcEndpointAssociations\", \"Read\",\r\n \"DescribeVpcEndpointConnectionNotifications\", \"Read\",\r\n \"DescribeVpcEndpointConnections\", \"Read\",\r\n \"DescribeVpcEndpoints\", \"Read\",\r\n \"DescribeVpcEndpointServiceConfigurations\", \"Read\",\r\n \"DescribeVpcEndpointServicePermissions\", \"Read\",\r\n \"DescribeVpcEndpointServices\", \"Read\",\r\n \"DescribeVpcPeeringConnections\", \"Read\",\r\n \"DescribeVpcs\", \"Read\",\r\n \"DescribeVpnConcentrators\", \"Read\",\r\n \"DescribeVpnConnections\", \"Read\",\r\n \"DescribeVpnGateways\", \"Read\",\r\n \"DetachClassicLinkVpc\", \"Set\",\r\n \"DetachInternetGateway\", \"Set\",\r\n \"DetachNetworkInterface\", \"Set\",\r\n \"DetachVerifiedAccessTrustProvider\", \"Set\",\r\n \"DetachVolume\", \"Set\",\r\n \"DetachVpnGateway\", \"Set\",\r\n \"DisableAddressTransfer\", \"Disable\",\r\n \"DisableAllowedImagesSettings\", \"Disable\",\r\n \"DisableAwsNetworkPerformanceMetricSubscription\", \"Disable\",\r\n \"DisableCapacityManager\", \"Disable\",\r\n \"DisableEbsEncryptionByDefault\", \"Disable\",\r\n \"DisableFastLaunch\", \"Disable\",\r\n \"DisableFastSnapshotRestores\", \"Disable\",\r\n \"DisableImage\", \"Disable\",\r\n \"DisableImageBlockPublicAccess\", \"Disable\",\r\n \"DisableImageDeprecation\", \"Disable\",\r\n \"DisableImageDeregistrationProtection\", \"Disable\",\r\n \"DisableInstanceSqlHaStandbyDetections\", \"Disable\",\r\n \"DisableIpamOrganizationAdminAccount\", 
\"Disable\",\r\n \"DisableIpamPolicy\", \"Disable\",\r\n \"DisableRouteServerPropagation\", \"Disable\",\r\n \"DisableSerialConsoleAccess\", \"Disable\",\r\n \"DisableSnapshotBlockPublicAccess\", \"Disable\",\r\n \"DisableTransitGatewayRouteTablePropagation\", \"Disable\",\r\n \"DisableVgwRoutePropagation\", \"Disable\",\r\n \"DisableVpcClassicLink\", \"Disable\",\r\n \"DisableVpcClassicLinkDnsSupport\", \"Disable\",\r\n \"DisassociateAddress\", \"Delete\",\r\n \"DisassociateCapacityReservationBillingOwner\", \"Delete\",\r\n \"DisassociateClientVpnTargetNetwork\", \"Delete\",\r\n \"DisassociateEnclaveCertificateIamRole\", \"Delete\",\r\n \"DisassociateIamInstanceProfile\", \"Delete\",\r\n \"DisassociateInstanceEventWindow\", \"Set\",\r\n \"DisassociateIpamByoasn\", \"Set\",\r\n \"DisassociateIpamResourceDiscovery\", \"Delete\",\r\n \"DisassociateNatGatewayAddress\", \"Set\",\r\n \"DisassociateRouteServer\", \"Set\",\r\n \"DisassociateRouteTable\", \"Set\",\r\n \"DisassociateSecurityGroupVpc\", \"Set\",\r\n \"DisassociateSubnetCidrBlock\", \"Set\",\r\n \"DisassociateTransitGatewayMulticastDomain\", \"Set\",\r\n \"DisassociateTransitGatewayPolicyTable\", \"Delete\",\r\n \"DisassociateTransitGatewayRouteTable\", \"Delete\",\r\n \"DisassociateTrunkInterface\", \"Delete\",\r\n \"DisassociateVpcCidrBlock\", \"Set\",\r\n \"EnableAddressTransfer\", \"Enable\",\r\n \"EnableAllowedImagesSettings\", \"Enable\",\r\n \"EnableAwsNetworkPerformanceMetricSubscription\", \"Enable\",\r\n \"EnableCapacityManager\", \"Enable\",\r\n \"EnableEbsEncryptionByDefault\", \"Enable\",\r\n \"EnableFastLaunch\", \"Enable\",\r\n \"EnableFastSnapshotRestores\", \"Enable\",\r\n \"EnableImage\", \"Enable\",\r\n \"EnableImageBlockPublicAccess\", \"Enable\",\r\n \"EnableImageDeprecation\", \"Enable\",\r\n \"EnableImageDeregistrationProtection\", \"Enable\",\r\n \"EnableInstanceSqlHaStandbyDetections\", \"Enable\",\r\n \"EnableIpamOrganizationAdminAccount\", \"Enable\",\r\n \"EnableIpamPolicy\", 
\"Enable\",\r\n \"EnableReachabilityAnalyzerOrganizationSharing\", \"Enable\",\r\n \"EnableRouteServerPropagation\", \"Enable\",\r\n \"EnableSerialConsoleAccess\", \"Enable\",\r\n \"EnableSnapshotBlockPublicAccess\", \"Enable\",\r\n \"EnableTransitGatewayRouteTablePropagation\", \"Enable\",\r\n \"EnableVgwRoutePropagation\", \"Enable\",\r\n \"EnableVolumeIO\", \"Enable\",\r\n \"EnableVpcClassicLink\", \"Enable\",\r\n \"EnableVpcClassicLinkDnsSupport\", \"Enable\",\r\n \"ExportClientVpnClientCertificateRevocationList\", \"Execute\",\r\n \"ExportClientVpnClientConfiguration\", \"Execute\",\r\n \"ExportImage\", \"Execute\",\r\n \"ExportTransitGatewayRoutes\", \"Execute\",\r\n \"ExportVerifiedAccessInstanceClientConfiguration\", \"Execute\",\r\n \"GetActiveVpnTunnelStatus\", \"Read\",\r\n \"GetAllowedImagesSettings\", \"Read\",\r\n \"GetAssociatedEnclaveCertificateIamRoles\", \"Read\",\r\n \"GetAssociatedIpv6PoolCidrs\", \"Read\",\r\n \"GetAwsNetworkPerformanceData\", \"Read\",\r\n \"GetCapacityManagerAttributes\", \"Read\",\r\n \"GetCapacityManagerMetricData\", \"Read\",\r\n \"GetCapacityManagerMetricDimensions\", \"Read\",\r\n \"GetCapacityReservationUsage\", \"Read\",\r\n \"GetCoipPoolUsage\", \"Read\",\r\n \"GetConsoleOutput\", \"Read\",\r\n \"GetConsoleScreenshot\", \"Read\",\r\n \"GetDeclarativePoliciesReportSummary\", \"Read\",\r\n \"GetDefaultCreditSpecification\", \"Read\",\r\n \"GetEbsDefaultKmsKeyId\", \"Read\",\r\n \"GetEbsEncryptionByDefault\", \"Read\",\r\n \"GetEnabledIpamPolicy\", \"Read\",\r\n \"GetFlowLogsIntegrationTemplate\", \"Read\",\r\n \"GetGroupsForCapacityReservation\", \"Read\",\r\n \"GetHostReservationPurchasePreview\", \"Read\",\r\n \"GetImageAncestry\", \"Read\",\r\n \"GetImageBlockPublicAccessState\", \"Read\",\r\n \"GetInstanceMetadataDefaults\", \"Read\",\r\n \"GetInstanceTpmEkPub\", \"Read\",\r\n \"GetInstanceTypesFromInstanceRequirements\", \"Read\",\r\n \"GetInstanceUefiData\", \"Read\",\r\n \"GetIpamAddressHistory\", \"Read\",\r\n 
\"GetIpamDiscoveredAccounts\", \"Read\",\r\n \"GetIpamDiscoveredPublicAddresses\", \"Read\",\r\n \"GetIpamDiscoveredResourceCidrs\", \"Read\",\r\n \"GetIpamPolicyAllocationRules\", \"Read\",\r\n \"GetIpamPolicyOrganizationTargets\", \"Read\",\r\n \"GetIpamPoolAllocations\", \"Read\",\r\n \"GetIpamPoolCidrs\", \"Read\",\r\n \"GetIpamPrefixListResolverRules\", \"Read\",\r\n \"GetIpamPrefixListResolverVersionEntries\", \"Read\",\r\n \"GetIpamPrefixListResolverVersions\", \"Read\",\r\n \"GetIpamResourceCidrs\", \"Read\",\r\n \"GetLaunchTemplateData\", \"Read\",\r\n \"GetManagedPrefixListAssociations\", \"Read\",\r\n \"GetManagedPrefixListEntries\", \"Read\",\r\n \"GetNetworkInsightsAccessScopeAnalysisFindings\", \"Read\",\r\n \"GetNetworkInsightsAccessScopeContent\", \"Read\",\r\n \"GetPasswordData\", \"Read\",\r\n \"GetReservedInstancesExchangeQuote\", \"Read\",\r\n \"GetRouteServerAssociations\", \"Read\",\r\n \"GetRouteServerPropagations\", \"Read\",\r\n \"GetRouteServerRoutingDatabase\", \"Read\",\r\n \"GetSecurityGroupsForVpc\", \"Read\",\r\n \"GetSerialConsoleAccessStatus\", \"Read\",\r\n \"GetSnapshotBlockPublicAccessState\", \"Read\",\r\n \"GetSpotPlacementScores\", \"Read\",\r\n \"GetSubnetCidrReservations\", \"Read\",\r\n \"GetTransitGatewayAttachmentPropagations\", \"Read\",\r\n \"GetTransitGatewayMeteringPolicyEntries\", \"Read\",\r\n \"GetTransitGatewayMulticastDomainAssociations\", \"Read\",\r\n \"GetTransitGatewayPolicyTableAssociations\", \"Read\",\r\n \"GetTransitGatewayPolicyTableEntries\", \"Read\",\r\n \"GetTransitGatewayPrefixListReferences\", \"Read\",\r\n \"GetTransitGatewayRouteTableAssociations\", \"Read\",\r\n \"GetTransitGatewayRouteTablePropagations\", \"Read\",\r\n \"GetVerifiedAccessEndpointPolicy\", \"Read\",\r\n \"GetVerifiedAccessEndpointTargets\", \"Read\",\r\n \"GetVerifiedAccessGroupPolicy\", \"Read\",\r\n \"GetVpcResourcesBlockingEncryptionEnforcement\", \"Read\",\r\n \"GetVpnConnectionDeviceSampleConfiguration\", \"Read\",\r\n 
\"GetVpnConnectionDeviceTypes\", \"Read\",\r\n \"GetVpnTunnelReplacementStatus\", \"Read\",\r\n \"ImportClientVpnClientCertificateRevocationList\", \"Create\",\r\n \"ImportImage\", \"Create\",\r\n \"ImportInstance\", \"Create\",\r\n \"ImportKeyPair\", \"Create\",\r\n \"ImportSnapshot\", \"Create\",\r\n \"ImportVolume\", \"Create\",\r\n \"ListImagesInRecycleBin\", \"Read\",\r\n \"ListSnapshotsInRecycleBin\", \"Read\",\r\n \"ListVolumesInRecycleBin\", \"Read\",\r\n \"LockSnapshot\", \"Execute\",\r\n \"ModifyAddressAttribute\", \"Set\",\r\n \"ModifyAvailabilityZoneGroup\", \"Set\",\r\n \"ModifyCapacityReservation\", \"Set\",\r\n \"ModifyCapacityReservationFleet\", \"Set\",\r\n \"ModifyClientVpnEndpoint\", \"Set\",\r\n \"ModifyDefaultCreditSpecification\", \"Set\",\r\n \"ModifyEbsDefaultKmsKeyId\", \"Set\",\r\n \"ModifyFleet\", \"Set\",\r\n \"ModifyFpgaImageAttribute\", \"Set\",\r\n \"ModifyHosts\", \"Set\",\r\n \"ModifyIdentityIdFormat\", \"Set\",\r\n \"ModifyIdFormat\", \"Set\",\r\n \"ModifyImageAttribute\", \"Set\",\r\n \"ModifyInstanceAttribute\", \"Set\",\r\n \"ModifyInstanceCapacityReservationAttributes\", \"Set\",\r\n \"ModifyInstanceConnectEndpoint\", \"Set\",\r\n \"ModifyInstanceCpuOptions\", \"Set\",\r\n \"ModifyInstanceCreditSpecification\", \"Set\",\r\n \"ModifyInstanceEventStartTime\", \"Set\",\r\n \"ModifyInstanceEventWindow\", \"Set\",\r\n \"ModifyInstanceMaintenanceOptions\", \"Set\",\r\n \"ModifyInstanceMetadataDefaults\", \"Set\",\r\n \"ModifyInstanceMetadataOptions\", \"Set\",\r\n \"ModifyInstanceNetworkPerformanceOptions\", \"Set\",\r\n \"ModifyInstancePlacement\", \"Set\",\r\n \"ModifyIpam\", \"Set\",\r\n \"ModifyIpamPolicyAllocationRules\", \"Set\",\r\n \"ModifyIpamPool\", \"Set\",\r\n \"ModifyIpamPrefixListResolver\", \"Set\",\r\n \"ModifyIpamPrefixListResolverTarget\", \"Set\",\r\n \"ModifyIpamResourceCidr\", \"Set\",\r\n \"ModifyIpamResourceDiscovery\", \"Set\",\r\n \"ModifyIpamScope\", \"Set\",\r\n \"ModifyLaunchTemplate\", \"Set\",\r\n 
\"ModifyLocalGatewayRoute\", \"Set\",\r\n \"ModifyManagedPrefixList\", \"Set\",\r\n \"ModifyNetworkInterfaceAttribute\", \"Set\",\r\n \"ModifyPrivateDnsNameOptions\", \"Set\",\r\n \"ModifyPublicIpDnsNameOptions\", \"Set\",\r\n \"ModifyReservedInstances\", \"Set\",\r\n \"ModifyRouteServer\", \"Set\",\r\n \"ModifySecurityGroupRules\", \"Set\",\r\n \"ModifySnapshotAttribute\", \"Set\",\r\n \"ModifySnapshotTier\", \"Set\",\r\n \"ModifySpotFleetRequest\", \"Set\",\r\n \"ModifySubnetAttribute\", \"Set\",\r\n \"ModifyTrafficMirrorFilterNetworkServices\", \"Set\",\r\n \"ModifyTrafficMirrorFilterRule\", \"Set\",\r\n \"ModifyTrafficMirrorSession\", \"Set\",\r\n \"ModifyTransitGateway\", \"Set\",\r\n \"ModifyTransitGatewayMeteringPolicy\", \"Set\",\r\n \"ModifyTransitGatewayPrefixListReference\", \"Set\",\r\n \"ModifyTransitGatewayVpcAttachment\", \"Set\",\r\n \"ModifyVerifiedAccessEndpoint\", \"Set\",\r\n \"ModifyVerifiedAccessEndpointPolicy\", \"Set\",\r\n \"ModifyVerifiedAccessGroup\", \"Set\",\r\n \"ModifyVerifiedAccessGroupPolicy\", \"Set\",\r\n \"ModifyVerifiedAccessInstance\", \"Set\",\r\n \"ModifyVerifiedAccessInstanceLoggingConfiguration\", \"Set\",\r\n \"ModifyVerifiedAccessTrustProvider\", \"Set\",\r\n \"ModifyVolume\", \"Set\",\r\n \"ModifyVolumeAttribute\", \"Set\",\r\n \"ModifyVpcAttribute\", \"Set\",\r\n \"ModifyVpcBlockPublicAccessExclusion\", \"Set\",\r\n \"ModifyVpcBlockPublicAccessOptions\", \"Set\",\r\n \"ModifyVpcEncryptionControl\", \"Set\",\r\n \"ModifyVpcEndpoint\", \"Set\",\r\n \"ModifyVpcEndpointConnectionNotification\", \"Set\",\r\n \"ModifyVpcEndpointServiceConfiguration\", \"Set\",\r\n \"ModifyVpcEndpointServicePayerResponsibility\", \"Set\",\r\n \"ModifyVpcEndpointServicePermissions\", \"Set\",\r\n \"ModifyVpcPeeringConnectionOptions\", \"Set\",\r\n \"ModifyVpcTenancy\", \"Set\",\r\n \"ModifyVpnConnection\", \"Set\",\r\n \"ModifyVpnConnectionOptions\", \"Set\",\r\n \"ModifyVpnTunnelCertificate\", \"Set\",\r\n \"ModifyVpnTunnelOptions\", 
\"Set\",\r\n \"MonitorInstances\", \"Execute\",\r\n \"MoveAddressToVpc\", \"Execute\",\r\n \"MoveByoipCidrToIpam\", \"Execute\",\r\n \"MoveCapacityReservationInstances\", \"Execute\",\r\n \"ProvisionByoipCidr\", \"Execute\",\r\n \"ProvisionIpamByoasn\", \"Execute\",\r\n \"ProvisionIpamPoolCidr\", \"Execute\",\r\n \"ProvisionPublicIpv4PoolCidr\", \"Execute\",\r\n \"PurchaseCapacityBlock\", \"Create\",\r\n \"PurchaseCapacityBlockExtension\", \"Create\",\r\n \"PurchaseHostReservation\", \"Create\",\r\n \"PurchaseReservedInstancesOffering\", \"Create\",\r\n \"PurchaseScheduledInstances\", \"Create\",\r\n \"RebootInstances\", \"Execute\",\r\n \"RegisterImage\", \"Create\",\r\n \"RegisterInstanceEventNotificationAttributes\", \"Create\",\r\n \"RegisterTransitGatewayMulticastGroupMembers\", \"Set\",\r\n \"RegisterTransitGatewayMulticastGroupSources\", \"Create\",\r\n \"RejectCapacityReservationBillingOwnership\", \"Execute\",\r\n \"RejectTransitGatewayMulticastDomainAssociations\", \"Execute\",\r\n \"RejectTransitGatewayPeeringAttachment\", \"Execute\",\r\n \"RejectTransitGatewayVpcAttachment\", \"Execute\",\r\n \"RejectVpcEndpointConnections\", \"Execute\",\r\n \"RejectVpcPeeringConnection\", \"Execute\",\r\n \"ReleaseAddress\", \"Delete\",\r\n \"ReleaseHosts\", \"Delete\",\r\n \"ReleaseIpamPoolAllocation\", \"Delete\",\r\n \"ReplaceIamInstanceProfileAssociation\", \"Set\",\r\n \"ReplaceImageCriteriaInAllowedImagesSettings\", \"Set\",\r\n \"ReplaceNetworkAclAssociation\", \"Set\",\r\n \"ReplaceNetworkAclEntry\", \"Set\",\r\n \"ReplaceRoute\", \"Set\",\r\n \"ReplaceRouteTableAssociation\", \"Set\",\r\n \"ReplaceTransitGatewayRoute\", \"Set\",\r\n \"ReplaceVpnTunnel\", \"Set\",\r\n \"ReportInstanceStatus\", \"Other\",\r\n \"RequestSpotFleet\", \"Create\",\r\n \"RequestSpotInstances\", \"Create\",\r\n \"ResetAddressAttribute\", \"Execute\",\r\n \"ResetEbsDefaultKmsKeyId\", \"Execute\",\r\n \"ResetFpgaImageAttribute\", \"Execute\",\r\n \"ResetImageAttribute\", 
\"Execute\",\r\n \"ResetInstanceAttribute\", \"Execute\",\r\n \"ResetNetworkInterfaceAttribute\", \"Execute\",\r\n \"ResetSnapshotAttribute\", \"Execute\",\r\n \"RestoreAddressToClassic\", \"Set\",\r\n \"RestoreImageFromRecycleBin\", \"Set\",\r\n \"RestoreManagedPrefixListVersion\", \"Set\",\r\n \"RestoreSnapshotFromRecycleBin\", \"Set\",\r\n \"RestoreSnapshotTier\", \"Set\",\r\n \"RestoreVolumeFromRecycleBin\", \"Set\",\r\n \"RevokeClientVpnIngress\", \"Disable\",\r\n \"RevokeSecurityGroupEgress\", \"Disable\",\r\n \"RevokeSecurityGroupIngress\", \"Disable\",\r\n \"RunInstances\", \"Start\",\r\n \"RunScheduledInstances\", \"Create\",\r\n \"SearchLocalGatewayRoutes\", \"Read\",\r\n \"SearchTransitGatewayMulticastGroups\", \"Read\",\r\n \"SearchTransitGatewayRoutes\", \"Read\",\r\n \"SendDiagnosticInterrupt\", \"Execute\",\r\n \"StartDeclarativePoliciesReport\", \"Start\",\r\n \"StartInstances\", \"Start\",\r\n \"StartNetworkInsightsAccessScopeAnalysis\", \"Start\",\r\n \"StartNetworkInsightsAnalysis\", \"Start\",\r\n \"StartVpcEndpointServicePrivateDnsVerification\", \"Start\",\r\n \"StopInstances\", \"Stop\",\r\n \"TerminateClientVpnConnections\", \"Stop\",\r\n \"TerminateInstances\", \"Stop\",\r\n \"UnassignIpv6Addresses\", \"Delete\",\r\n \"UnassignPrivateIpAddresses\", \"Delete\",\r\n \"UnassignPrivateNatGatewayAddress\", \"Delete\",\r\n \"UnlockSnapshot\", \"Execute\",\r\n \"UnmonitorInstances\", \"Execute\",\r\n \"UpdateCapacityManagerOrganizationsAccess\", \"Set\",\r\n \"UpdateInterruptibleCapacityReservationAllocation\", \"Set\",\r\n \"UpdateSecurityGroupRuleDescriptionsEgress\", \"Set\",\r\n \"UpdateSecurityGroupRuleDescriptionsIngress\", \"Set\",\r\n \"WithdrawByoipCidr\", \"Delete\"\r\n ];\r\n T\r\n | where EventSource == \"ec2.amazonaws.com\"\r\n | lookup EC2EventNameLookup on EventName\r\n | where isnotempty(EventType)\r\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\r\n | extend\r\n EventResult = iff(isempty(ErrorCode) and 
isempty(ErrorMessage), \"Success\", \"Failure\"),\r\n ObjectType = \"Cloud Resource\",\r\n TargetAppType = \"Service\"\r\n | where eventresult == \"*\" or (EventResult == eventresult)\r\n | invoke DetermineEC2Object()\r\n | where (array_length(object_has_any) == 0 or Object has_any (object_has_any))\r\n | invoke DetermineEC2NewValue()\r\n // Post Filtering NewValue\r\n | where (array_length(newvalue_has_any) == 0) or NewValue has_any (newvalue_has_any)\r\n | extend AdditionalData = iff(pack, bag_pack(\r\n \"Test\", \"Test\"\r\n ), dynamic([]))\r\n};\r\nlet parser = (\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null),\r\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \r\n eventresult:string='*',\r\n actorusername_has_any:dynamic=dynamic([]),\r\n eventtype_in:dynamic=dynamic([]),\r\n operation_has_any:dynamic=dynamic([]),\r\n object_has_any:dynamic=dynamic([]),\r\n newvalue_has_any:dynamic=dynamic([]),\r\n disabled:bool = false,\r\n pack: bool = false) {\r\nlet SupportedEventSources = dynamic([\r\n \"ec2.amazonaws.com\"\r\n]);\r\nlet EventSourceNameLookup = datatable(EventSource: string, TargetAppName: string)\r\n[\r\n \"ec2.amazonaws.com\", \"Amazon Elastic Compute Cloud\"\r\n];\r\nlet SupportedEvents = AWSCloudTrail\r\n | where not(disabled)\r\n | where EventSource in (SupportedEventSources)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = 400, \"Failure\",\r\n \"NA\"\r\n )\r\n | where (eventresult == \"*\" or EventResult =~ eventresult)\r\n | extend EventResultDetails = case(\r\n HttpStatusCode == 200, \"\",\r\n HttpStatusCode == 201, \"Created\",\r\n HttpStatusCode == 202, \"Accepted\",\r\n HttpStatusCode == 
204, \"No content\",\r\n HttpStatusCode == 400, \"Bad request\",\r\n HttpStatusCode == 401, \"Unauthorized\",\r\n HttpStatusCode == 403, \"Unauthorized\",\r\n HttpStatusCode == 404, \"Not found\",\r\n HttpStatusCode == 409, \"Conflict\",\r\n HttpStatusCode == 429, \"Throttled\",\r\n HttpStatusCode >= 500, \"Internal error\",\r\n \"\"\r\n ),\r\n EventOriginalResultDetails = strcat(\"HTTP status code: \", tostring(HttpStatusCode), iff(ResultDescription != \"\", strcat(\", \", ResultDescription), \"\")) \r\n | extend EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\r\n | project\r\n TimeGenerated,\r\n Type,\r\n EventCount,\r\n EventStartTime,\r\n EventEndTime,\r\n EventType,\r\n EventResult,\r\n EventResultDetails,\r\n EventOriginalResultDetails,\r\n EventSeverity,\r\n EventProduct,\r\n EventVendor,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventOriginalUid,\r\n Operation,\r\n Object,\r\n ObjectType,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActorUserIdType,\r\n ActorUserId,\r\n TargetAppName,\r\n TargetAppType,\r\n SrcIpAddr,\r\n DvcId,\r\n DvcIdType,\r\n IpAddr,\r\n User,\r\n Application,\r\n EventUid,\r\n Dst,\r\n Src,\r\n Dvc\r\n};\r\nCombined (\r\n disabled=disabled, \r\n starttime=starttime, \r\n endtime=endtime, \r\n eventresult=eventresult, \r\n operation_has_any=operation_has_any, \r\n eventtype_in=eventtype_in, \r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \r\n actorusername_has_any=actorusername_has_any, \r\n object_has_any=object_has_any, \r\n newvalue_has_any=newvalue_has_any)","parameters":"disabled:bool = false, starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), operation_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresult:string = '*', actorusername_has_any:dynamic = dynamic([]), object_has_any:dynamic = dynamic([]), newvalue_has_any:dynamic = dynamic([])","description":"Audit Event ASIM filtering parser for Azure 
Key Vault.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"89f5221e-bf52-5de4-b682-31c555f3b899","name":"_Im_AuditEvent_BarracudaCEFV02","body":"let EventTypeLookup = datatable (\r\n ChangeType_s: string,\r\n EventType_lookup: string\r\n)\r\n [\r\n \"SET\", \"Set\",\r\n \"ADD\", \"Create\",\r\n \"DEL\", \"Delete\",\r\n \"NONE\", \"Other\",\r\n \"\", \"Other\"\r\n];\r\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\r\n [\r\n 0, \"High\", \r\n 1, \"High\", \r\n 2, \"High\", \r\n 3, \"Medium\",\r\n 4, \"Low\",\r\n 5, \"Low\", \r\n 6, \"Informational\",\r\n 7, \"Informational\" \r\n];\r\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\r\n \"global\", \"Other\",\r\n \"Services\", \"Service\",\r\n \"web_firewall_policy\", \"Policy Rule\",\r\n \"service\", \"Service\",\r\n \"json_url_profile\", \"Other\",\r\n \"server\", \"Service\",\r\n \"header_acl\", \"Directory Service Object\",\r\n \"virtual_ip_config_address\", \"Configuration Atom\",\r\n \"aps_req_rewrite_policy\", \"Policy Rule\",\r\n \"aps_url_acl\", \"Directory Service Object\",\r\n \"websocket_security_policy\", \"Policy Rule\",\r\n \"aps_ftp_acl\", \"Directory Service Object\",\r\n \"user_system_ip\", \"Configuration Atom\",\r\n \"syslog_server\", \"Service\",\r\n \"attack_action\", \"Configuration Atom\",\r\n \"global_adr\", \"Configuration Atom\",\r\n \"aps_content_protection\", \"Other\"\r\n];\r\nlet parser = (\r\n disabled: bool=false,\r\n starttime: datetime=datetime(null),\r\n endtime: datetime=datetime(null),\r\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\r\n eventtype_in: dynamic=dynamic([]),\r\n eventresult: string='*',\r\n newvalue_has_any: dynamic=dynamic([]),\r\n operation_has_any: dynamic=dynamic([]))\r\n {\r\n let BarracudaCEF = \r\n CommonSecurityLog\r\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == 
\"WAAS\")\r\n | where DeviceEventCategory == \"AUDIT\" \r\n and (toupper(ProcessName) !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\r\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated = starttime) and (isnull(endtime) or TimeGenerated = starttime) and (isnull(endtime) or TimeGenerated = starttime) and (isnull(endtime) or TimeGenerated **************************\r\n| where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated *************************\r\n| where ProcessName has_any (\"CISE\", \"CSCO\")\r\n| parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\r\n| where EventOriginalType in (EventOriginalTypeList)\r\n| where \r\n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\r\n and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))\r\n and (array_length(operation_has_any) == 0 or SyslogMessage has_any (operation_has_any))\r\n and (array_length(newvalue_has_any) == 0 or SyslogMessage has_any (newvalue_has_any))\r\n| project\r\n TimeGenerated,\r\n EventTime,\r\n EventOriginalType,\r\n Computer,\r\n HostName,\r\n HostIP,\r\n SyslogMessage\r\n| lookup EventFieldsLookup on EventOriginalType\r\n| parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string) with (pair_delimiter=',', kv_delimiter='=')\r\n| project-rename\r\n SrcIpAddr=['Remote-Address']\r\n , TargetIpAddr =['Device IP Address']\r\n| where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\r\n| extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\r\n| extend ActorUsername = coalesce(['User-Name'], UserName, User)\r\n| extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \r\n| where 
(array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\r\n| extend \r\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer)) \r\n , EventStartTime = coalesce(EventTime, TimeGenerated)\r\n , EventEndTime = coalesce(EventTime, TimeGenerated)\r\n , EventVendor = \"Cisco\"\r\n , EventProduct = \"ISE\"\r\n , EventProductVersion = \"3.2\"\r\n , EventCount = int(1)\r\n , EventSchema = \"AuditEvent\"\r\n , EventSchemaVersion = \"0.1.0\"\r\n , ObjectType = \"Configuration Atom\"\r\n , TargetAppName = \"ISE\"\r\n , TargetAppType = \"Service\"\r\n// ***************** ********************\r\n| extend \r\n Dvc = coalesce(DvcIpAddr, DvcHostname)\r\n , Application = TargetAppName\r\n , IpAddr = coalesce(SrcIpAddr, TargetIpAddr)\r\n , Dst = TargetIpAddr\r\n , Src = SrcIpAddr\r\n , User = ActorUsername\r\n// ***************** *******************\r\n| project-away\r\n EventTime,\r\n Computer,\r\n HostName,\r\n SyslogMessage,\r\n NetworkDeviceName,\r\n ['User-Name'],\r\n UserName\r\n};\r\nCiscoISEAuditParser(\r\n starttime = starttime,\r\n endtime = endtime,\r\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\r\n actorusername_has_any = actorusername_has_any,\r\n eventtype_in = eventtype_in,\r\n eventresult = eventresult,\r\n operation_has_any = operation_has_any,\r\n object_has_any=object_has_any,\r\n newvalue_has_any=newvalue_has_any,\r\n disabled=disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), operation_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresult:string = '*', object_has_any:dynamic = dynamic([]), newvalue_has_any:dynamic = dynamic([]), disabled:bool = false","description":"Audit Event ASIM filtering parser for Cisco 
ISE.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"a14dc84f-df91-5a5e-8dfb-0163a6f6c5e1","name":"_Im_AuditEvent_CiscoMerakiSyslogV02","body":"let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\r\n[\r\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\r\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\r\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\r\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\r\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\r\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\r\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\r\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\r\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\r\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\r\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\r\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\r\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\r\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\r\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\r\n \"port status change\", \"Port status change\", \"\", \"\"\r\n];\r\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\r\n \"Success\", \"Informational\",\r\n \"Partial\", \"Informational\",\r\n \"Failure\", \"Low\"\r\n];\r\nlet parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: 
dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\r\nlet allData = union isfuzzy=true\r\n (\r\n Syslog\r\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\r\n | project-rename LogMessage = SyslogMessage\r\n );\r\nlet PreFilteredData = allData\r\n | where not(disabled)\r\n and (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated \" temp_negotiationTargetIp:string\r\n | extend temp_srcipport = temp_negotiationSrcIp,\r\n temp_targetipport = temp_negotiationTargetIp;\r\nlet SiteToSite_ESP = SiteToSiteData\r\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\r\n | extend temp_srcipport = temp_espSrcIp,\r\n temp_targetipport = temp_espTargetIp;\r\nlet SiteToSite_tunnel = SiteToSiteData\r\n | where Substring has \"IPsec-SA established\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\r\n | extend temp_srcipport = temp_tunnelSrcIp,\r\n temp_targetipport = temp_tunnelTargetIp;\r\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\r\n | where Substring has \"ISAKMP-SA established\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\r\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\r\n temp_srcipport = temp_estSrcIp,\r\n temp_targetipport = temp_estTargetIp;\r\nlet SiteToSite_IPsecSArequest = SiteToSiteData\r\n | where Substring has \"IPsec-SA request\"\r\n | parse Substring with 
* \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\r\n | extend temp_targetipport = temp_forTaregtSrcIp;\r\nlet SiteToSite_purging = SiteToSiteData\r\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\r\nlet SiteToSite_failed = SiteToSiteData\r\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\r\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\r\nlet VPNConnectivityChangeData = PreFilteredData\r\n | where Substring has \"vpn_connectivity_change\"\r\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\r\n | extend type = trim('\"', type),\r\n connectivity = trim('\"', connectivity)\r\n | extend TempOperation = type,\r\n temp_srcipport = peer_contact;\r\nlet StatusChangedData = PreFilteredData\r\n | where Substring has \"status changed\"\r\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\r\n | extend TempOperation = \"port status change\";\r\nlet PortData = PreFilteredData\r\n | where Substring has_cs \"Port\"\r\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\r\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\r\n | extend Port = coalesce(Port1,Port2)\r\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\r\nlet VRRPData = PreFilteredData\r\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\r\n | extend TempOperation = \"VRRP transition\";\r\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, 
SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\r\n | lookup EventFieldsLookup on TempOperation\r\n | where (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\r\n | extend EventResult = case(\r\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\r\n \"Success\",\r\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\r\n \"Failure\",\r\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\r\n \"Partial\",\r\n EventResult\r\n )\r\n | where (eventresult == \"*\" or EventResult =~ eventresult)\r\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\r\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\r\n EventType\r\n )\r\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\r\n | extend \r\n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\r\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\r\n | extend \r\n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\r\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", 
replace_string(temp_targetipport,'[',':'), temp_targetipport),\r\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\r\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\r\n | extend\r\n temp_srcipport = trim(\"'\", temp_srcipport),\r\n temp_targetipport = trim(\"'\", temp_targetipport)\r\n | extend \r\n temp_srcipport = trim('\"', temp_srcipport),\r\n temp_targetipport = trim('\"', temp_targetipport)\r\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\r\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\r\n | extend\r\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)\r\n | where (array_length(srcipaddr_has_any_prefix) == 0 or temp_SrcMatch)\r\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\r\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\r\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\r\n | extend SrcPortNumber = case(\r\n isnotempty(temp_srcipport),\r\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\r\n Substring has_cs \"Port\",\r\n toint(Port),\r\n Operation == \"Port status change\",\r\n toint(port),\r\n int(null)\r\n )\r\n | lookup EventSeverityLookup on EventResult\r\n | extend\r\n EventResultDetails = case(\r\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\r\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 
negotiation failed\", split(Substring, 'due to')[1], \r\n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\r\n Substring\r\n ),\r\n EventMessage = Substring,\r\n EventOriginalType = LogType,\r\n EventUid = _ResourceId\r\n | extend Device = tostring(Parser[1])\r\n | invoke _ASIM_ResolveDvcFQDN('Device')\r\n | extend\r\n Dvc = DvcHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n EventEndTime = EventStartTime, \r\n EventCount = int(1),\r\n EventProduct = \"Meraki\",\r\n EventVendor = \"Cisco\",\r\n EventSchema = \"AuditEvent\",\r\n EventSchemaVersion = \"0.1\"\r\n | project-away\r\n LogMessage,\r\n Parser,\r\n Epoch,\r\n EpochTimestamp,\r\n Device,\r\n Substring,\r\n TempOperation*,\r\n temp*,\r\n STPMac,\r\n peer_contact,\r\n connectivity,\r\n Port*,\r\n port,\r\n portnextpart,\r\n LogType,\r\n type,\r\n TenantId,\r\n SourceSystem,\r\n Computer,\r\n _ResourceId,\r\n MG,\r\n EventTime,\r\n Facility,\r\n HostName,\r\n SeverityLevel,\r\n ProcessID,\r\n HostIP,\r\n ProcessName,CollectorHostName\r\n};\r\nparser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)","parameters":"disabled:bool = false, starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), operation_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresult:string = '*', actorusername_has_any:dynamic = dynamic([]), object_has_any:dynamic = dynamic([]), newvalue_has_any:dynamic = dynamic([])","description":"Audit Event ASIM parser for Cisco 
Meraki.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"cca20c2b-be0c-5a07-88d3-7fb44877fe15","name":"_Im_AuditEvent_CiscoMerakiV01","body":"let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\r\n[\r\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\r\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\r\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\r\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\r\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\r\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\r\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\r\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\r\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\r\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\r\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\r\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\r\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\r\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\r\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\r\n \"port status change\", \"Port status change\", \"\", \"\"\r\n];\r\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\r\n \"Success\", \"Informational\",\r\n \"Partial\", \"Informational\",\r\n \"Failure\", \"Low\"\r\n];\r\nlet parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: 
dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\r\nlet allData = union isfuzzy=true\r\n (\r\n meraki_CL\r\n | project-rename LogMessage = Message\r\n ),\r\n (\r\n Syslog\r\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\r\n | project-rename LogMessage = SyslogMessage\r\n );\r\nlet PreFilteredData = allData\r\n | where not(disabled)\r\n and (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated \" temp_negotiationTargetIp:string\r\n | extend temp_srcipport = temp_negotiationSrcIp,\r\n temp_targetipport = temp_negotiationTargetIp;\r\nlet SiteToSite_ESP = SiteToSiteData\r\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\r\n | extend temp_srcipport = temp_espSrcIp,\r\n temp_targetipport = temp_espTargetIp;\r\nlet SiteToSite_tunnel = SiteToSiteData\r\n | where Substring has \"IPsec-SA established\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\r\n | extend temp_srcipport = temp_tunnelSrcIp,\r\n temp_targetipport = temp_tunnelTargetIp;\r\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\r\n | where Substring has \"ISAKMP-SA established\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\r\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\r\n temp_srcipport = temp_estSrcIp,\r\n temp_targetipport = temp_estTargetIp;\r\nlet SiteToSite_IPsecSArequest = SiteToSiteData\r\n 
| where Substring has \"IPsec-SA request\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\r\n | extend temp_targetipport = temp_forTaregtSrcIp;\r\nlet SiteToSite_purging = SiteToSiteData\r\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\r\nlet SiteToSite_failed = SiteToSiteData\r\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\r\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\r\nlet VPNConnectivityChangeData = PreFilteredData\r\n | where Substring has \"vpn_connectivity_change\"\r\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\r\n | extend type = trim('\"', type),\r\n connectivity = trim('\"', connectivity)\r\n | extend TempOperation = type,\r\n temp_srcipport = peer_contact;\r\nlet StatusChangedData = PreFilteredData\r\n | where Substring has \"status changed\"\r\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\r\n | extend TempOperation = \"port status change\";\r\nlet PortData = PreFilteredData\r\n | where Substring has_cs \"Port\"\r\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\r\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\r\n | extend Port = coalesce(Port1,Port2)\r\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\r\nlet VRRPData = PreFilteredData\r\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\r\n | extend TempOperation = \"VRRP transition\";\r\nunion 
VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\r\n | lookup EventFieldsLookup on TempOperation\r\n | where (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\r\n | extend EventResult = case(\r\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\r\n \"Success\",\r\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\r\n \"Failure\",\r\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\r\n \"Partial\",\r\n EventResult\r\n )\r\n | where (eventresult == \"*\" or EventResult =~ eventresult)\r\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\r\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\r\n EventType\r\n )\r\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\r\n | extend \r\n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\r\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\r\n | extend \r\n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\r\n temp_targetipport = iff(temp_targetipport has \"[\" and 
temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\r\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\r\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\r\n | extend\r\n temp_srcipport = trim(\"'\", temp_srcipport),\r\n temp_targetipport = trim(\"'\", temp_targetipport)\r\n | extend \r\n temp_srcipport = trim('\"', temp_srcipport),\r\n temp_targetipport = trim('\"', temp_targetipport)\r\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\r\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\r\n | extend\r\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)\r\n | where (array_length(srcipaddr_has_any_prefix) == 0 or temp_SrcMatch)\r\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\r\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\r\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\r\n | extend SrcPortNumber = case(\r\n isnotempty(temp_srcipport),\r\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\r\n Substring has_cs \"Port\",\r\n toint(Port),\r\n Operation == \"Port status change\",\r\n toint(port),\r\n int(null)\r\n )\r\n | lookup EventSeverityLookup on EventResult\r\n | extend\r\n EventResultDetails = case(\r\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\r\n Operation == \"IPsec-SA request queued\" 
or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \r\n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\r\n Substring\r\n ),\r\n EventMessage = Substring,\r\n EventOriginalType = LogType,\r\n EventUid = _ResourceId\r\n | extend Device = tostring(Parser[1])\r\n | invoke _ASIM_ResolveDvcFQDN('Device')\r\n | extend\r\n Dvc = DvcHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n EventEndTime = EventStartTime, \r\n EventCount = int(1),\r\n EventProduct = \"Meraki\",\r\n EventVendor = \"Cisco\",\r\n EventSchema = \"AuditEvent\",\r\n EventSchemaVersion = \"0.1\"\r\n | project-away\r\n LogMessage,\r\n Parser,\r\n Epoch,\r\n EpochTimestamp,\r\n Device,\r\n Substring,\r\n TempOperation*,\r\n temp*,\r\n STPMac,\r\n peer_contact,\r\n connectivity,\r\n Port*,\r\n port,\r\n portnextpart,\r\n LogType,\r\n type,\r\n TenantId,\r\n SourceSystem,\r\n Computer,\r\n _ResourceId,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n EventTime,\r\n Facility,\r\n HostName,\r\n SeverityLevel,\r\n ProcessID,\r\n HostIP,\r\n ProcessName\r\n};\r\nparser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)","parameters":"disabled:bool = false, starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), operation_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresult:string = '*', actorusername_has_any:dynamic = dynamic([]), object_has_any:dynamic = dynamic([]), newvalue_has_any:dynamic = dynamic([])","description":"Audit Event ASIM parser for Cisco 
Meraki.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"90f5395e-b33b-589d-aaf0-3aba1a47cbad","name":"_Im_AuditEvent_CiscoMerakiV02","body":"let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\r\n[\r\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\r\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\r\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\r\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\r\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\r\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\r\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\r\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\r\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\r\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\r\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\r\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\r\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\r\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\r\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\r\n \"port status change\", \"Port status change\", \"\", \"\"\r\n];\r\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\r\n \"Success\", \"Informational\",\r\n \"Partial\", \"Informational\",\r\n \"Failure\", \"Low\"\r\n];\r\nlet parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: 
dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\r\nlet allData = union isfuzzy=true\r\n (\r\n meraki_CL\r\n | project-rename LogMessage = Message\r\n );\r\nlet PreFilteredData = allData\r\n | where not(disabled)\r\n and (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated \" temp_negotiationTargetIp:string\r\n | extend temp_srcipport = temp_negotiationSrcIp,\r\n temp_targetipport = temp_negotiationTargetIp;\r\nlet SiteToSite_ESP = SiteToSiteData\r\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\r\n | extend temp_srcipport = temp_espSrcIp,\r\n temp_targetipport = temp_espTargetIp;\r\nlet SiteToSite_tunnel = SiteToSiteData\r\n | where Substring has \"IPsec-SA established\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\r\n | extend temp_srcipport = temp_tunnelSrcIp,\r\n temp_targetipport = temp_tunnelTargetIp;\r\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\r\n | where Substring has \"ISAKMP-SA established\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\r\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\r\n temp_srcipport = temp_estSrcIp,\r\n temp_targetipport = temp_estTargetIp;\r\nlet SiteToSite_IPsecSArequest = SiteToSiteData\r\n | where Substring has \"IPsec-SA request\"\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" 
temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\r\n | extend temp_targetipport = temp_forTaregtSrcIp;\r\nlet SiteToSite_purging = SiteToSiteData\r\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\r\nlet SiteToSite_failed = SiteToSiteData\r\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\r\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\r\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\r\nlet VPNConnectivityChangeData = PreFilteredData\r\n | where Substring has \"vpn_connectivity_change\"\r\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\r\n | extend type = trim('\"', type),\r\n connectivity = trim('\"', connectivity)\r\n | extend TempOperation = type,\r\n temp_srcipport = peer_contact;\r\nlet StatusChangedData = PreFilteredData\r\n | where Substring has \"status changed\"\r\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\r\n | extend TempOperation = \"port status change\";\r\nlet PortData = PreFilteredData\r\n | where Substring has_cs \"Port\"\r\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\r\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\r\n | extend Port = coalesce(Port1,Port2)\r\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\r\nlet VRRPData = PreFilteredData\r\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\r\n | extend TempOperation = \"VRRP transition\";\r\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, 
SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\r\n | lookup EventFieldsLookup on TempOperation\r\n | where (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\r\n | extend EventResult = case(\r\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\r\n \"Success\",\r\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\r\n \"Failure\",\r\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\r\n \"Partial\",\r\n EventResult\r\n )\r\n | where (eventresult == \"*\" or EventResult =~ eventresult)\r\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\r\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\r\n EventType\r\n )\r\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\r\n | extend \r\n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\r\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\r\n | extend \r\n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\r\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\r\n DvcMacAddr = 
iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\r\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\r\n | extend\r\n temp_srcipport = trim(\"'\", temp_srcipport),\r\n temp_targetipport = trim(\"'\", temp_targetipport)\r\n | extend \r\n temp_srcipport = trim('\"', temp_srcipport),\r\n temp_targetipport = trim('\"', temp_targetipport)\r\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\r\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\r\n | extend\r\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)\r\n | where (array_length(srcipaddr_has_any_prefix) == 0 or temp_SrcMatch)\r\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\r\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\r\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\r\n | extend SrcPortNumber = case(\r\n isnotempty(temp_srcipport),\r\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\r\n Substring has_cs \"Port\",\r\n toint(Port),\r\n Operation == \"Port status change\",\r\n toint(port),\r\n int(null)\r\n )\r\n | lookup EventSeverityLookup on EventResult\r\n | extend\r\n EventResultDetails = case(\r\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\r\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \r\n Substring has 
\"Site-to-site\", split(Substring, 'Site-to-site ')[1],\r\n Substring\r\n ),\r\n EventMessage = Substring,\r\n EventOriginalType = LogType,\r\n EventUid = _ResourceId\r\n | extend Device = tostring(Parser[1])\r\n | invoke _ASIM_ResolveDvcFQDN('Device')\r\n | extend\r\n Dvc = DvcHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n EventEndTime = EventStartTime, \r\n EventCount = int(1),\r\n EventProduct = \"Meraki\",\r\n EventVendor = \"Cisco\",\r\n EventSchema = \"AuditEvent\",\r\n EventSchemaVersion = \"0.1\"\r\n | project-away\r\n LogMessage,\r\n Parser,\r\n Epoch,\r\n EpochTimestamp,\r\n Device,\r\n Substring,\r\n TempOperation*,\r\n temp*,\r\n STPMac,\r\n peer_contact,\r\n connectivity,\r\n Port*,\r\n port,\r\n portnextpart,\r\n LogType,\r\n type,\r\n TenantId,\r\n SourceSystem,\r\n Computer,\r\n _ResourceId,\r\n MG,\r\n ManagementGroupName,\r\n RawData\r\n};\r\nparser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)","parameters":"disabled:bool = false, starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), operation_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresult:string = '*', actorusername_has_any:dynamic = dynamic([]), object_has_any:dynamic = dynamic([]), newvalue_has_any:dynamic = dynamic([])","description":"Audit Event ASIM parser for Cisco Meraki.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"c7ad76a3-09e5-52e3-9850-500243ec2f83","name":"_Im_AuditEvent_CrowdStrikeFalconHostV01","body":"let EventFieldsLookup = datatable(\r\n Activity: string,\r\n Operation: string,\r\n EventType_lookup: string,\r\n EventSubType: string,\r\n 
Object: string,\r\n ObjectType: string\r\n) \r\n [\r\n \"delete_report_execution\", \"Delete Report Execution\", \"Delete\", \"\", \"Report Execution\", \"Scheduled Task\",\r\n \"delete_scheduled_report\", \"Delete Scheduled Report\", \"Delete\", \"\", \"Scheduled Report\", \"Scheduled Task\",\r\n \"update_scheduled_report\", \"Update Scheduled Report\", \"Set\", \"\", \"Scheduled Report\", \"Scheduled Task\",\r\n \"create_scheduled_report\", \"Create Scheduled Report\", \"Create\", \"\", \"Scheduled Report\", \"Scheduled Task\",\r\n \"update_class_action\", \"Update Class Action\", \"Set\", \"\", \"Class Action\", \"Other\",\r\n \"update_policy\", \"Update Policy\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\r\n \"enable_policy\", \"Enable Policy\", \"Enable\", \"\", \"Policy\", \"Policy Rule\",\r\n \"create_policy\", \"Create Policy\", \"Create\", \"\", \"Policy\", \"Policy Rule\",\r\n \"remove_rule_group\", \"Remove Rule Group\", \"Other\", \"Remove\", \"Rule Group\", \"Service\",\r\n \"create_rule_group\", \"Create Rule Group\", \"Create\", \"\", \"Rule Group\", \"Service\",\r\n \"delete_rule_group\", \"Delete Rule Group\", \"Delete\", \"\", \"Rule Group\", \"Service\",\r\n \"add_rule_group\", \"Add Rule Group\", \"Other\", \"Add\", \"Rule Group\", \"Service\",\r\n \"delete_rule\", \"Delete Rule\", \"Delete\", \"\", \"Rule\", \"Policy Rule\",\r\n \"update_rule\", \"Update Rule\", \"Set\", \"\", \"Rule\", \"Policy Rule\",\r\n \"create_rule\", \"Create Rule\", \"Create\", \"\", \"Rule\", \"Policy Rule\",\r\n \"disable_policy\", \"Disable Policy\", \"Disable\", \"\", \"Policy\", \"Policy Rule\",\r\n \"delete_policy\", \"Delete Policy\", \"Delete\", \"\", \"Policy\", \"Policy Rule\",\r\n \"update_priority\", \"Update Priority\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\r\n \"assign_policy\", \"Assign Policy\", \"Other\", \"Assign\", \"Policy\", \"Policy Rule\",\r\n \"remove_policy\", \"Remove Policy\", \"Other\", \"Remove\", \"Policy\", \"Policy Rule\",\r\n 
\"ip_rules_added\", \"IP Rules Added\", \"Create\", \"\", \"Rule\", \"Other\",\r\n \"ip_rules_removed\", \"IP Rules Removed\", \"Delete\", \"\", \"Rule\", \"Other\",\r\n \"hide_host_requested\", \"Hide Host Requested\", \"Delete\", \"\", \"Host\", \"Other\",\r\n \"mobile_hide_host_requested\", \"Mobile Hide Host Requested\", \"Delete\", \"\", \"Mobile Host\", \"Other\",\r\n \"CreateAPIClient\", \"Create API Client\", \"Create\", \"\", \"API Client\", \"Service\",\r\n \"UpdateAPIClient\", \"Update API Client\", \"Set\", \"\", \"API Client\", \"Service\"\r\n];\r\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\r\n [\r\n \"0\", \"Informational\",\r\n \"1\", \"Informational\",\r\n \"2\", \"Low\",\r\n \"3\", \"Medium\",\r\n \"4\", \"High\",\r\n \"5\", \"High\"\r\n];\r\nlet UserAuditActivities = dynamic([\"delete_report_execution\", \"delete_scheduled_report\", \"update_scheduled_report\", \"create_scheduled_report\", \"update_class_action\", \"update_policy\", \"enable_policy\", \"create_policy\", \"remove_rule_group\", \"create_rule_group\", \"delete_rule_group\", \"add_rule_group\", \"delete_rule\", \"update_rule\", \"create_rule\", \"disable_policy\", \"delete_policy\", \"update_priority\", \"assign_policy\", \"remove_policy\", \"ip_rules_added\", \"ip_rules_removed\", \"hide_host_requested\", \"mobile_hide_host_requested\"]);\r\nlet AuthAuditActivities = dynamic([\"CreateAPIClient\", \"UpdateAPIClient\"]);\r\nlet parser = (\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \r\n eventtype_in: dynamic=dynamic([]), \r\n eventresult: string='*', \r\n actorusername_has_any: dynamic=dynamic([]), \r\n operation_has_any: dynamic=dynamic([]), \r\n object_has_any: dynamic=dynamic([]), \r\n newvalue_has_any: dynamic=dynamic([]), \r\n disabled: bool = false\r\n ) {\r\n CommonSecurityLog\r\n | where not(disabled)\r\n | where ((isnull(starttime) or TimeGenerated >= 
starttime) and (isnull(endtime) or TimeGenerated = starttime) and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n | where \r\n array_length(actorusername_has_any) == 0 \r\n or SubjectUserName has_any (actorusername_has_any) \r\n or SubjectDomainName has_any (actorusername_has_any)\r\n | project-away EventData\r\n )\r\n | lookup EventIDLookup on EventID\r\n ;\r\n // Parse EventLog\r\n let EventLog = ParsedEvents\r\n | where EventID in(EventlogEventIds)\r\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\r\n // Parse Scheduled Task\r\n let ScheduledTask = ParsedEvents\r\n | where EventID in(ScheduledTaskEventIds)\r\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\r\n | extend \r\n Object = TaskName,\r\n NewValue = coalesce(\r\n TaskContent,\r\n TaskContentNew\r\n )\r\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\r\n | extend \r\n Value = NewValue\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse ADR\r\n let ActiveDirectoryReplica = ParsedEvents\r\n | where EventID in(ActiveDirectoryReplicaIds)\r\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\r\n | extend \r\n NewValue = SourceDRA,\r\n OldValue = DestinationDRA,\r\n SrcFQDN = SourceAddr\r\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\r\n | extend \r\n Value = NewValue,\r\n Object = OldValue\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse WindowsFirewall\r\n let WindowsFirewall = ParsedEvents\r\n | where EventID in(FirewallEventIds)\r\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n 
;\r\n // Parse ServiceEvent\r\n let ServiceEvent = ParsedEvents\r\n | where EventID in(ServiceEventIds)\r\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\r\n ;\r\n // Parse DirectoryService\r\n let DirectoryService = ParsedEvents\r\n | where EventID in(DirectoryServiceIds)\r\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\r\n | extend\r\n Object = ObjectDN\r\n | project-rename \r\n NewValue = AttributeValue\r\n | extend\r\n Value = NewValue\r\n | project-away Task*, *DRA, SourceAddr, ObjectDN\r\n ;\r\n // Union Events\r\n union\r\n EventLog,\r\n ScheduledTask,\r\n ActiveDirectoryReplica,\r\n WindowsFirewall,\r\n ServiceEvent,\r\n DirectoryService\r\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\r\n | project-rename \r\n ActorUserId = SubjectUserSid,\r\n ActorSessionId = SubjectLogonId,\r\n DvcId = _ResourceId,\r\n ActingAppId = ClientProcessId,\r\n EventUid = _ItemId\r\n | extend\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated, \r\n EventEndTime= TimeGenerated,\r\n EventProduct = 'Security Events',\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.1.0',\r\n EventSchema = 'AuditEvent',\r\n EventOriginalType = tostring(EventID),\r\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\r\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\r\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\r\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\r\n ActingAppType = \"Process\"\r\n | extend\r\n User = ActorUsername,\r\n Dvc = DvcFQDN\r\n | project-away Subject*, EventID, Computer,NewValue,ObjectType,Object,OldValue,Value\r\n};\r\n parser (\r\n starttime = starttime,\r\n endtime = endtime,\r\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\r\n actorusername_has_any = actorusername_has_any,\r\n eventtype_in = 
eventtype_in,\r\n eventresult = eventresult,\r\n operation_has_any = operation_has_any,\r\n object_has_any=object_has_any,\r\n newvalue_has_any=newvalue_has_any,\r\n disabled=disabled\r\n )","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), actorusername_has_any:dynamic = dynamic([]), operation_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresult:string = '*', object_has_any:dynamic = dynamic([]), newvalue_has_any:dynamic = dynamic([]), disabled:bool = false","description":"Audit Event ASIM filtering parser for Microsoft Windows Events audit events.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"216c9995-fad4-5d6b-9ec2-0d5887731a81","name":"_Im_AuditEvent_MicrosoftExchangeAdmin365V01","body":"let usertypes=datatable (ActorOriginalUserType:string, ActorUserType:string)\r\n[\r\n // Regular, Regular\r\n \"Admin\", \"Admin\"\r\n , \"DcAdmin\", \"Admin\"\r\n , \"System\", \"System\"\r\n , \"Application\", \"Application\"\r\n , \"ServicePrincipal\", \"Service Principal\"\r\n , \"CustomPolicy\", \"Other\"\r\n , \"SystemPolicy\", \"Other\"\r\n , \"Reserved\", \"Other\"\r\n];\r\nlet eventtypes=datatable (op:string, EventType:string)\r\n[\r\n \"Remove\", \"Delete\",\r\n \"New\", \"Create\",\r\n \"Add\", \"Create\",\r\n \"Enable\", \"Enable\",\r\n \"Install\", \"Install\",\r\n \"Set\", \"Set\",\r\n \"Disable\", \"Disable\",\r\n \"disable\", \"Disable\"\r\n];\r\n let parser= (\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null),\r\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \r\n eventresult:string='*',\r\n actorusername_has_any:dynamic=dynamic([]),\r\n eventtype_in:dynamic=dynamic([]),\r\n operation_has_any:dynamic=dynamic([]),\r\n object_has_any:dynamic=dynamic([]),\r\n newvalue_has_any:dynamic=dynamic([]),\r\n disabled:bool = false\r\n ){\r\n OfficeActivity\r\n | 
where not(disabled)\r\n | where\r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n | where \r\n array_length(actorusername_has_any) == 0 \r\n or SubjectUserName has_any (actorusername_has_any) \r\n or SubjectDomainName has_any (actorusername_has_any)\r\n | project-away EventData\r\n ),\r\n //Section for SecurityEvent(1102)\r\n (\r\n SecurityEvent\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n | where \r\n array_length(actorusername_has_any) == 0 \r\n or SubjectUserName has_any (actorusername_has_any) \r\n or SubjectDomainName has_any (actorusername_has_any)\r\n | project-away EventData\r\n ),\r\n // WindowsEvents\r\n (\r\n WindowsEvent\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime) and (isnull(endtime) or TimeGenerated = TimeGenerated\r\n | summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;\r\n let undefineddata = UnParsedActivitydatawithThreat\r\n | where threatInfo_confidenceLevel_s == \"Undefined\"\r\n | lookup ThreatConfidenceLookup_undefined on threatInfo_analystVerdict_s;\r\n let suspiciousdata = UnParsedActivitydatawithThreat\r\n | where threatInfo_confidenceLevel_s 
== \"suspicious\"\r\n | lookup ThreatConfidenceLookup_suspicious on threatInfo_analystVerdict_s;\r\n let maliciousdata = UnParsedActivitydatawithThreat\r\n | where threatInfo_confidenceLevel_s == \"malicious\"\r\n | lookup ThreatConfidenceLookup_malicious on threatInfo_analystVerdict_s;\r\n let ParsedActivitydatawithThreat = union undefineddata, suspiciousdata, maliciousdata\r\n | extend\r\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\r\n AdditionalFields = bag_pack(\r\n \"threatUpdatedAt\",\r\n threatInfo_updatedAt_t,\r\n \"threatAnalystVerdict\",\r\n threatInfo_analystVerdict_s,\r\n \"threatIncidentStatus\",\r\n threatInfo_incidentStatus_s,\r\n \"mitigationStatus\",\r\n mitigationStatus_s\r\n )\r\n | project-rename\r\n ThreatId = threatId_s,\r\n ThreatName = threatInfo_threatName_s,\r\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\r\n ThreatCategory_threats = threatInfo_classification_s,\r\n ThreatOriginalConfidence = threatInfo_confidenceLevel_s;\r\n let ParsedActivitydatawithoutThreat = ParsedActivitydata\r\n | where isempty(threatId_s);\r\n union ParsedActivitydatawithThreat, ParsedActivitydatawithoutThreat\r\n | extend \r\n EventSeverity = coalesce(EventSeverity_specific, EventSeverity_activity, EventSeverity_lookup),\r\n EventProduct = \"SentinelOne\",\r\n EventVendor = \"SentinelOne\",\r\n EventSchema = \"AuditEvent\",\r\n EventSchemaVersion = \"0.1\",\r\n EventCount = toint(1),\r\n AdditionalFields = bag_merge(AdditionalFields, todynamic(DataFields_s)),\r\n EventOriginalType = tostring(toint(activityType_d)),\r\n SrcIpAddr = iff(ipAddress != \"null\", ipAddress, \"\"),\r\n DvcAction = iff(EventResult == \"Success\", \"Allow\", \"Deny\")\r\n | project-rename\r\n EventStartTime = createdAt_t,\r\n EventUid = _ItemId,\r\n EventMessage = primaryDescription_s,\r\n ActorUserId = userId_s,\r\n DvcId = agentId_s,\r\n EventOriginalUid = activityUuid_g\r\n | extend\r\n ActorUsernameType = 
_ASIM_GetUsernameType(ActorUsername),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\r\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\r\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\r\n | extend\r\n EventEndTime = EventStartTime,\r\n User = ActorUsername,\r\n IpAddr = SrcIpAddr,\r\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\r\n Dst = coalesce(TargetHostname, TargetIpAddr),\r\n Src = SrcIpAddr,\r\n Rule = RuleName,\r\n Value = NewValue\r\n | project-away\r\n *_d,\r\n *_s,\r\n *_t,\r\n *_g,\r\n *_b,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId,\r\n username,\r\n userName,\r\n userFullName,\r\n newValue,\r\n policyEnabled,\r\n siteName,\r\n oldValue,\r\n computerName,\r\n accountName,\r\n cloudProviderAccountName,\r\n email,\r\n globalTwoFaEnabled,\r\n cloudIntelligenceOn,\r\n fileDisplayName,\r\n roleName,\r\n oldIncidentStatusTitle,\r\n oldTicketId,\r\n oldAnalystVerdictTitle,\r\n oldConfidenceLevel,\r\n previous,\r\n oldStatus,\r\n oldTagName,\r\n oldTagDescription,\r\n newIncidentStatusTitle,\r\n newTicketId,\r\n newAnalystVerdictTitle,\r\n newConfidenceLevel,\r\n newStatus,\r\n current,\r\n Status,\r\n newTagName,\r\n newTagDescription,\r\n value,\r\n rulesAdded,\r\n rulesRemoved,\r\n tagsAdded,\r\n tagsRemoved,\r\n incidentName,\r\n ruleName,\r\n deviceId,\r\n ip,\r\n externalIp,\r\n affectedDevices,\r\n featureValue,\r\n featureName,\r\n recoveryEmail,\r\n policyName,\r\n policy,\r\n tagName,\r\n gatewayExternalIp,\r\n gatewayMac,\r\n threatClassification,\r\n applicationPath,\r\n externalId,\r\n groupName,\r\n oldSiteName,\r\n targetGroupName,\r\n ipAddress,\r\n EventType_*,\r\n EventSubType_*,\r\n EventSeverity_*,\r\n NewValue_*,\r\n _ResourceId,\r\n TimeGenerated1,\r\n ThreatCategory_*,\r\n ThreatConfidence_*,\r\n accountId,\r\n 
policyId,\r\n ruleId,\r\n byUser\r\n };\r\n parser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)","parameters":"disabled:bool = false, starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), operation_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresult:string = '*', actorusername_has_any:dynamic = dynamic([]), object_has_any:dynamic = dynamic([]), newvalue_has_any:dynamic = dynamic([])","description":"Audit Event ASIM parser for SentinelOne.","related":{"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"cb0dcbc7-0d55-5ec6-8067-b9e2fcd531a1","name":"_Im_AuditEvent_VMwareCarbonBlackCloudV02","body":"let EventTypeLookup = datatable(temp_type: string, EventType: string)[\r\n \"created\", \"Create\",\r\n \"updated\", \"Set\",\r\n \"deleted\", \"Delete\",\r\n \"added\", \"Create\",\r\n \"modified\", \"Set\"\r\n];\r\nlet parser=(\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \r\n eventtype_in: dynamic=dynamic([]), \r\n eventresult: string='*', \r\n actorusername_has_any: dynamic=dynamic([]), \r\n operation_has_any: dynamic=dynamic([]), \r\n object_has_any: dynamic=dynamic([]), \r\n newvalue_has_any: dynamic=dynamic([]), \r\n disabled: bool = false\r\n ) {\r\n let allData = CarbonBlackAuditLogs_CL\r\n | where not(disabled)\r\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated = starttime) and (isnull(endtime) or event_timestamp_t User IP \" *\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID == 
315011\r\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\r\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID == 113010\r\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID == 113006\r\n | parse Message with * 'User ' TargetUsername ' locked' *\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID == 716040\r\n | parse Message with * 'Denied ' TargetUsername ' login' *\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID == 713198\r\n | parse Message with * 'Failed: ' TargetUsername ' User' *\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID == 716038\r\n | parse Message with * 'User IP Authentication'*\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID in(772002)\r\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID in(772003,772004)\r\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\r\n | project-away Message\r\n ), \r\n (\r\n LogMessages\r\n | where DeviceEventClassID in(772005)\r\n | parse Message with * 'user ' TargetUsername ' passed'\r\n | project-away Message\r\n ), \r\n (\r\n LogMessages\r\n | where DeviceEventClassID in(772006)\r\n | parse Message with * 'user ' TargetUsername ' failed'\r\n | project-away Message\r\n ) \r\n | project-rename \r\n DvcHostname = Computer,\r\n EventUid = _ItemId,\r\n EventOriginalType = DeviceEventClassID,\r\n DvcIpAddr = DeviceAddress\r\n | extend \r\n EventSchemaVersion = 
\"0.1.3\",\r\n EventSchema = \"Authentication\",\r\n EventVendor = \"Cisco\",\r\n EventProduct = \"ASA\",\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n Dvc = DvcHostname,\r\n User = TargetUsername,\r\n Src = SrcIpAddr,\r\n IpAddr = SrcIpAddr,\r\n Dst = TargetIpAddr,\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", EventResultDetails)\r\n};\r\nparser (\r\n disabled = disabled\r\n)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Cisco Device Logon Events.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"3d808d88-0cb7-5b96-9a3f-065416db0095","name":"_ASim_Authentication_CiscoDNACV01","body":"let parser = (disabled: bool = false) {\r\nlet DNACEvents = Syslog\r\n| where not(disabled)\r\n| where ProcessName == \"DNAC\";\r\nlet LogonEvents = (T: (SyslogMessage: string)) {\r\n T\r\n | where SyslogMessage has \"LOGIN_USER_EVENT\"\r\n | extend EventType = \"Logon\"\r\n};\r\nlet LogoffEvents = (T: (SyslogMessage: string)) {\r\n T\r\n | where SyslogMessage has \"LOGOFF_USER_EVENT\"\r\n | extend EventType = \"Logoff\"\r\n};\r\nunion LogonEvents(DNACEvents), LogoffEvents(DNACEvents)\r\n| extend \r\n EventVendor = \"Cisco\",\r\n EventProduct = \"DNAC\",\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.4\",\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventCount = int(1),\r\n Type = \"Syslog\"\r\n| extend SyslogJson = parse_json(SyslogMessage)\r\n| extend \r\n SrcIpAddr = tostring(SyslogJson.source),\r\n EventOriginalType = tostring(SyslogJson.name),\r\n EventOriginalSubType = tostring(SyslogJson.type),\r\n TargetUsername = tostring(SyslogJson.userId),\r\n TargetUsernameType = \"Simple\",\r\n EventMessage = tostring(SyslogJson.message),\r\n EventOriginalUid = 
tostring(SyslogJson.correlationId),\r\n DvcId = tostring(SyslogJson.instanceId),\r\n DvcIdType = \"Other\"\r\n| extend EventResult = iff(EventMessage has \"successfully\", \"Success\", \"Failure\")\r\n| extend EventSeverity = _ASIM_LookupSyslogSeverityLevel(SeverityLevel)\r\n| project-rename\r\n TargetIpAddr = HostIP,\r\n EventOriginalSeverity = SeverityLevel\r\n| extend\r\n User = TargetUsername,\r\n Dvc = DvcId,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr\r\n| project\r\n TimeGenerated,\r\n Type,\r\n EventType,\r\n EventVendor,\r\n EventProduct,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventStartTime,\r\n EventEndTime,\r\n EventCount,\r\n SrcIpAddr,\r\n EventOriginalType,\r\n EventOriginalSubType,\r\n TargetUsername,\r\n TargetUsernameType,\r\n EventMessage,\r\n EventOriginalUid,\r\n DvcId,\r\n DvcIdType,\r\n EventResult,\r\n EventSeverity,\r\n TargetIpAddr,\r\n EventOriginalSeverity,\r\n User,\r\n Dvc,\r\n IpAddr,\r\n Src\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Cisco DNAC Syslog Message.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"8e9089e8-76a0-5b58-8ebd-5266f7f06868","name":"_ASim_Authentication_CiscoIOSV01","body":"let parser = (disabled: bool = false) {\r\n let EventResultDetailsLookup = datatable(EventOriginalResultDetails: string, EventResultDetails: string)\r\n [\r\n \"Login Authentication Failed - BadUser\", \"No such user or password\",\r\n \"Login Authentication Failed\", \"Incorrect password\"\r\n ];\r\n let LoginSuccessIOS = (T: (SyslogMessage: string)) {\r\n T\r\n | where SyslogMessage has \"%SEC_LOGIN-5-LOGIN_SUCCESS\"\r\n | parse SyslogMessage with * \"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user:\" TargetUsername: string \"] [Source:\" SrcIpAddr: string \"] [localport: \" SrcPortNumber: string \"]\" *\r\n | extend EventType = \"Logon\", EventResult = \"Success\"\r\n };\r\n let 
LoginFailureIOS = (T: (SyslogMessage: string)) {\r\n T\r\n | where SyslogMessage has \"%SEC_LOGIN-4-LOGIN_FAILED\"\r\n | parse SyslogMessage with * \"%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user:\" TargetUsername: string \"] [Source:\" SrcIpAddr: string \"] [localport: \" SrcPortNumber: string \"] [Reason: \" EventOriginalResultDetails: string \"]\" *\r\n | extend EventType = \"Logon\", EventResult = \"Failure\"\r\n };\r\n let LogoutIOS = (T: (SyslogMessage: string)) {\r\n T\r\n | where SyslogMessage has \"%SYS-6-LOGOUT\"\r\n | parse SyslogMessage with * \"%SYS-6-LOGOUT: User \" TargetUsername: string \" \" * \"(\" SrcIpAddr: string \")\"\r\n | extend EventType = \"Logoff\", EventResult = \"Success\"\r\n };\r\n let SyslogLogs = Syslog\r\n | where not(disabled);\r\n union\r\n LoginSuccessIOS(SyslogLogs),\r\n LoginFailureIOS(SyslogLogs),\r\n LogoutIOS(SyslogLogs)\r\n | extend\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.4\",\r\n EventVendor = \"Cisco\",\r\n EventProduct = \"IOS\",\r\n EventCount = int(1),\r\n EventStartTime = EventTime,\r\n EventEndTime = EventTime,\r\n Type = \"Syslog\"\r\n | project-rename\r\n DvcIpAddr = HostIP,\r\n EventOriginalSeverity = SeverityLevel,\r\n EventMessage = SyslogMessage\r\n | lookup EventResultDetailsLookup on EventOriginalResultDetails\r\n | extend\r\n EventSeverity = _ASIM_LookupSyslogSeverityLevel(EventOriginalSeverity),\r\n SrcPortNumber = toint(SrcPortNumber),\r\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\r\n TargetIpAddr = iff(ipv4_is_in_range(HostName, \"0.0.0.0/0\"), HostName, \"\")\r\n | extend\r\n Dvc = DvcIpAddr,\r\n Src = SrcIpAddr,\r\n IpAddr = SrcIpAddr,\r\n User = TargetUsername\r\n | project\r\n TimeGenerated,\r\n Type,\r\n EventType,\r\n EventResult,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventVendor,\r\n EventProduct,\r\n EventCount,\r\n EventStartTime,\r\n EventEndTime,\r\n DvcIpAddr,\r\n EventOriginalSeverity,\r\n EventSeverity,\r\n 
EventOriginalResultDetails,\r\n EventResultDetails,\r\n TargetUsername,\r\n TargetUsernameType,\r\n SrcIpAddr,\r\n SrcPortNumber,\r\n TargetIpAddr,\r\n Dvc,\r\n Src,\r\n IpAddr,\r\n User\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Cisco IOS Syslog Message.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"79308517-f1d5-5954-8d16-4260c90dd272","name":"_ASim_Authentication_CiscoISEAdministratorV01","body":"let parser = (disabled: bool = false, pack: bool = false) {\r\nSyslog\r\n| where not(disabled) and ProcessName has \"CISE_Administrative_and_Operational_Audit\"\r\n| where SyslogMessage has \"Administrator-Login\"\r\n| extend\r\n EventVendor = \"Cisco\",\r\n EventProduct = \"ISE\",\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.4\",\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventType = \"Logon\",\r\n Type = \"Syslog\"\r\n| project-rename\r\n TargetIpAddr = HostIP,\r\n SrcDvcId = HostName\r\n| extend\r\n SrcDvcIdType = \"Other\"\r\n| parse SyslogMessage with * \"Administrator-Login:\" * \", \" KeyValuePairs\r\n| parse-kv KeyValuePairs as (ConfigVersionId: string, AdminInterface: string, AdminIPAddress: string, OperationMessageText: string, Port: int, AcsInstance: string, AdminName: string) with (pair_delimiter=\",\", kv_delimiter=\"=\")\r\n| extend\r\n EventResult = iff(isnotempty(AdminName), \"Success\", \"Failure\"), // AdminName exists in Syslog if authentication was successful\r\n EventResultDetails = iff(isempty(AdminName), case(\r\n OperationMessageText has \"Failed password\", \"Incorrect password\",\r\n OperationMessageText has \"User unknown\", \"No such user\",\r\n \"Other\"\r\n ), \"\"),\r\n TargetUsername = coalesce(AdminName, \"\"),\r\n TargetUsernameType = iff(isnotempty(AdminName), \"Simple\", \"\")\r\n| project-rename\r\n 
SrcIpAddr = AdminIPAddress,\r\n EventOriginalResultDetails = OperationMessageText,\r\n TargetPortNumber = Port,\r\n EventOriginalSeverity = SeverityLevel\r\n| extend EventSeverity = _ASIM_LookupSyslogSeverityLevel(EventOriginalSeverity)\r\n| extend AdditionalFields = iff(pack, bag_pack(\r\n \"AdminInterface\", AdminInterface,\r\n \"ConfigVersionId\", ConfigVersionId,\r\n \"AcsInstance\", AcsInstance,\r\n \"CollectorHostName\", CollectorHostName\r\n), dynamic([]))\r\n| extend\r\n IpAddr = SrcIpAddr,\r\n Dvc = SrcDvcId,\r\n User = TargetUsername\r\n| project\r\n TimeGenerated,\r\n Type,\r\n EventVendor,\r\n EventProduct,\r\n EventCount,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventStartTime,\r\n EventEndTime,\r\n EventSeverity,\r\n EventOriginalSeverity,\r\n EventType,\r\n SrcIpAddr,\r\n SrcDvcId,\r\n SrcDvcIdType,\r\n EventResult,\r\n EventResultDetails,\r\n TargetUsername,\r\n TargetUsernameType,\r\n TargetIpAddr,\r\n EventOriginalResultDetails,\r\n TargetPortNumber,\r\n AdditionalFields,\r\n IpAddr,\r\n Dvc,\r\n User\r\n};\r\nparser(disabled=disabled, pack=pack)","parameters":"disabled:bool = false, pack:bool = false","description":"Authentication ASIM parser for Cisco ISE Administrator events.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"1fcfe820-c75e-5952-bc58-8f3e80f842c2","name":"_ASim_Authentication_CiscoISEV01","body":"let EventFieldsLookup=datatable(\r\n EventOriginalType: string,\r\n EventType: string,\r\n EventOriginalSeverity: string,\r\n EventResult: string,\r\n EventSeverity: string,\r\n EventResultDetails: string,\r\n EventMessage: string,\r\n EventOriginalResultDetails: string\r\n)[\r\n \"25104\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external REST ID store server succeeded\", \"Plain text password authentication in external REST ID store server succeeded\",\r\n \"25105\", \"Logon\", \"DEBUG\", \"Failure\", 
\"Low\", \"No such user or password\", \"Plain text password authentication in external REST ID store server failed\", \"Plain text password authentication in external REST ID store server failed\",\r\n \"25106\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST ID Store server indicated plain text password authentication failure\", \"REST ID store server indicated plain text password authentication failure\",\r\n \"25112\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST database indicated plain text password authentication failure\", \"REST database indicated plain text password authentication failure\",\r\n \"51000\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\r\n \"51001\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator authentication succeeded\", \"Administrator authentication succeeded\",\r\n \"51002\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator logged off\", \"Administrator logged off\",\r\n \"51003\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"Session expired\", \"Session Timeout\", \"Administrator had a session timeout\",\r\n \"51004\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Rejected administrator session from unauthorized client IP address\", \"An attempt to start an administration session from an unauthorized client IP address was rejected. Check the client's administration access setting.\",\r\n \"51005\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Administrator account is disabled\", \"Administrator authentication failed. Administrator account is disabled.\",\r\n \"51006\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. 
Account is disabled due to inactivity\", \"Administrator authentication failed. Account is disabled due to inactivity.\",\r\n \"51007\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Authentication failed. Account is disabled due to password expiration\", \"Authentication failed. Account is disabled due to password expiration\",\r\n \"51008\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts.\",\r\n \"51009\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed. ISE Runtime is not running\", \"Authentication failed. ISE Runtime is not running\",\r\n \"51020\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user\", \"Administrator authentication failed. Login username does not exist.\", \"Administrator authentication failed. Login username does not exist.\",\r\n \"51021\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Incorrect password\", \"Administrator authentication failed. Wrong password.\", \"Administrator authentication failed. Wrong password.\",\r\n \"51022\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed. System Error\", \"Administrator authentication failed. 
System Error\",\r\n \"51106\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\r\n \"60075\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Sponsor has successfully authenticated\", \"Sponsor has successfully authenticated\",\r\n \"60076\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Sponsor authentication has failed\", \"Sponsor authentication has failed; please see Failure Code for more details\",\r\n \"60077\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MyDevices user authentication has failed\", \"MyDevices user authentication has failed\",\r\n \"60078\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices user has successfully authenticated\", \"MyDevices user has successfully authenticated\",\r\n \"60080\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A SSH CLI user has successfully logged in\", \"A SSH CLI User has successfully logged in\",\r\n \"60081\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"A SSH CLI user has attempted unsuccessfully to login\", \"A SSH CLI user has attempted unsuccessfully to login\",\r\n \"60082\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User locked\", \"A SSH CLI user has attempted to login, however account is locked out\", \"A SSH CLI user has attempted to login, however account is locked out\",\r\n \"60135\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"MyDevices user SSO logout has failed\", \"MyDevices user SSO logout has failed\",\r\n \"60136\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Sponsor user SSO logout has failed\", \"Sponsor user SSO logout has failed\",\r\n \"60204\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"System root CLI account has successfully logged in\", \"System root CLI account has successfully logged in\",\r\n \"60205\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"A CLI user has logged in from console\", \"A CLI user has logged in from console\",\r\n \"60206\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged out from console\", \"A CLI user has logged out from console\",\r\n \"61012\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has authenticated against APIC successfully\", \"ISE has authenticated against APIC successfully\",\r\n \"61013\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to authenticate against APIC\", \"ISE failed to authenticate against APIC\",\r\n \"61014\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has refreshed authentication against APIC successfully\", \"ISE has refreshed authentication against APIC successfully\",\r\n \"61015\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to refresh authenticate against APIC\", \"ISE failed to refresh authenticate against APIC\",\r\n \"60507\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"ERS request rejected due to unauthorized user.\", \"ERS request was rejected because the user who sent the request is unauthorized.\",\r\n \"51025\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\r\n \"61076\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"Sponsor has been successfully logged out\", \"Sponsor has been successfully logged out\",\r\n \"61077\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices has been successfully logged out\", \"MyDevices has been successfully logged out\",\r\n \"10003\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"Internal error: Administrator authentication received blank Administrator name\", \"Internal error: AAC RT component received Administrator authentication request\",\r\n \"10004\", \"Logon\", \"ERROR\", 
\"Failure\", \"Low\", \"Incorrect password\", \"Internal error: Administrator authentication received blank Administrator password\", \"Internal error: AAC RT component received an Administrator authentication request with blank admin password\",\r\n \"10005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Administrator authenticated successfully\", \"Administrator authenticated successfully\",\r\n \"10006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\r\n \"10007\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed - DB Error\", \"Administrator authentication failed - DB Error\",\r\n \"22000\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication resulted in internal error\", \"Authentication resulted in internal error\",\r\n \"22004\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password\", \"Wrong password\",\r\n \"22028\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Authentication failed and the advanced options are ignored\", \"Authentication of the user failed and the advanced option settings specified in the identity portion of the relevant authentication policy were ignored. For PEAP, LEAP, EAP-FAST or RADIUS MSCHAP authentications, when authentication fails, ISE stops processing the request.\",\r\n \"22037\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Passed\", \"Authentication Passed, Skipping Attribute Retrieval\",\r\n \"22040\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password or invalid shared secret\", \"Wrong password or invalid shared secret\",\r\n \"22091\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed. 
User account is disabled due to excessive failed authentication attempts at global level\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level.\",\r\n \"5400\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\r\n \"5401\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\r\n \"5412\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"TACACS+ authentication request ended with error\", \"TACACS+ authentication request ended with an error\",\r\n \"5418\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Guest Authentication Failed\", \"Guest Authentication failed; please see Failure code for more details\",\r\n \"5447\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"MDM Authentication Passed\", \"MDM Authentication passed\",\r\n \"5448\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MDM Authentication Failed\", \"MDM Authentication failed; please see Failure code for more details\",\r\n \"86010\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Guest user authentication failed\", \"Guest user authentication failed. Please check your password and account permission\",\r\n \"86011\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"Guest user is not enabled\", \"Guest user authentication failed. User is not enabled. Please contact your system administrator\",\r\n \"86014\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"User is suspended\", \"User authentication failed. User account is suspended\",\r\n \"86020\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Guest Unknown Error\", \"User authentication failed. 
Please contact your System Administrator\",\r\n \"24015\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authenticating user against LDAP Server\", \"Authenticating user against LDAP Server\",\r\n \"24020\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against the LDAP Server failed\", \"User authentication against the LDAP Server failed. The user entered the wrong password or the user record in the LDAP Server is disabled or expired\",\r\n \"24021\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"User authentication ended with an error\", \"User authentication against LDAP Server ended with an error\",\r\n \"24022\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication succeeded\", \"User authentication against LDAP Server succeeded\",\r\n \"24050\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate with LDAP Identity Store because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\r\n \"24054\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired\", \"The password has expired but there are remaining grace authentications. 
The user needs to change it\",\r\n \"24055\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that the user is authenticating for the first time after the password administrator set the password\", \"The user needs to change his password immediately\",\r\n \"24056\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired and there are no more grace authentications\", \"The user needs to contact the password administrator in order to have its password reset\",\r\n \"24057\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against LDAP server detected that the password failure limit has been reached and the account is locked\", \"The user needs to retry later or contact the password administrator to reset the password\",\r\n \"24337\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Ticket (TGT) request succeeded\", \"Authentication Ticket (TGT) request succeeded\",\r\n \"24338\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication Ticket (TGT) request failed\", \"Authentication Ticket (TGT) request failed\",\r\n \"24402\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"User authentication against Active Directory succeeded\", \"User authentication against Active Directory succeeded\",\r\n \"24403\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User authentication against Active Directory failed\", \"User authentication against Active Directory failed\",\r\n \"24406\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"User authentication against Active Directory failed since user has invalid credentials\", \"User authentication against Active Directory failed since user has invalid credentials\",\r\n \"24407\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password 
expired\", \"User authentication against Active Directory failed since user is required to change his password\", \"User authentication against Active Directory failed since user is required to change his password\",\r\n \"24408\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against Active Directory failed since user has entered the wrong password\", \"User authentication against Active Directory failed since user has entered the wrong password\",\r\n \"24409\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"User authentication against Active Directory failed since the user's account is disabled\", \"User authentication against Active Directory failed since the user's account is disabled\",\r\n \"24410\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\",\r\n \"24414\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"User authentication against Active Directory failed since the user's account has expired\", \"User authentication against Active Directory failed since the user's account has expired\",\r\n \"24415\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"User authentication against Active Directory failed since user's account is locked out\", \"User authentication against Active Directory failed since user's account is locked out\",\r\n \"24418\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since it is disabled in configuration\", \"Machine authentication against Active Directory failed since it is disabled in configuration\",\r\n \"24454\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Session expired\", \"User authentication against 
Active Directory failed because of a timeout error\", \"User authentication against Active Directory failed because of a timeout error\",\r\n \"24470\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Machine authentication against Active Directory is successful\", \"Machine authentication against Active Directory is successful.\",\r\n \"24484\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired.\",\r\n \"24485\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Machine authentication against Active Directory has failed because of wrong password\", \"Machine authentication against Active Directory has failed because of wrong password.\",\r\n \"24486\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled.\",\r\n \"24487\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\",\r\n \"24489\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired.\",\r\n \"24490\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"Machine authentication against Active Directory has failed because the machine's account is locked 
out\", \"Machine authentication against Active Directory has failed because the machine's account is locked out.\",\r\n \"24491\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials.\",\r\n \"24492\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed\", \"Machine authentication against Active Directory has failed.\",\r\n \"24496\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication rejected due to a white or black list restriction\", \"Authentication rejected due to a white or black list restriction\",\r\n \"24505\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication has succeeded\", \"User authentication against the RSA SecurID Server has succeeded.\",\r\n \"24508\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication failed\", \"User authentication against RSA SecurID Server failed\",\r\n \"24518\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"User canceled New PIN operation; User authentication against RSA SecurIDServer failed\", \"User canceled New PIN operation; User authentication against RSA SecurID Server failed\",\r\n \"24547\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Session expired\", \"RSA request timeout expired. RSA authentication session cancelled\", \"RSA request timeout expired. 
RSA authentication session cancelled.\",\r\n \"24612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Authentication against the RADIUS token server succeeded\", \"Authentication against the RADIUS token server succeeded.\",\r\n \"24613\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication against the RADIUS token server failed\", \"Authentication against the RADIUS token server failed.\",\r\n \"24614\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user\", \"RADIUS token server authentication failure is translated as Unknown user failure\", \"RADIUS token server authentication failure is translated as Unknown user failure.\",\r\n \"24639\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication passed via Passcode cache\", \"User record was found in Passcode cache, passcode matches the passcode on the authentication request. Authentication passed via Passcode cache.\",\r\n \"24704\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because identity credentials are ambiguous\", \"Authentication found several accounts matching to the given credentials (i.e identity name and password)\",\r\n \"24705\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because ISE server is not joined to required domains\", \"Authentication failed because ISE server is not joined to required domains\",\r\n \"24706\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because NTLM was blocked\", \"Authentication failed because NTLM was blocked\",\r\n \"24707\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because all identity names have been rejected\", \"Authentication failed all identity names has been rejected according AD Identity Store Advanced Settings\",\r\n \"24708\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"User not found in Active Directory. 
Some authentication domains were not available\", \"User not found in Active Directory. Some authentication domains were not available during identity resolution\",\r\n \"24709\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"Host not found in Active Directory. Some authentication domains were not available\", \"Host not found in Active Directory. Some authentication domains were not available during identity resolution\",\r\n \"24712\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because domain trust is restricted\", \"Authentication failed because domain trust is restricted\",\r\n \"24814\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"The responding provider was unable to successfully authenticate the principal\", \"The responding provider was unable to successfully authenticate the principal\",\r\n \"24853\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external ODBC database succeeded\", \"Plain text password authentication in external ODBC database succeeded\",\r\n \"24854\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external ODBC database failed\", \"Plain text password authentication in external ODBC database failed\",\r\n \"24860\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"ODBC database indicated plain text password authentication failure\", \"ODBC database indicated plain text password authentication failure\",\r\n \"24890\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Social Login operation failed\", \"Social Login operation failed. 
Check the message details for more information\",\r\n \"24716\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Active Directory Kerberos ticket authentication succeeded\", \"Active Directory Kerberos ticket authentication succeeded\",\r\n \"24717\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Active Directory Kerberos ticket authentication failed\", \"Active Directory Kerberos ticket authentication failed\",\r\n \"24719\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\",\r\n \"89157\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"CMCS authentication failure\", \"ISE is unable to authenticate with the Cisco MDM Cloud Service\",\r\n \"89159\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"APNS authentication failure\", \"ISE is unable to authenticate with the Apple Push Notification System (APNS)\",\r\n \"89160\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MDM User Authentication completed\", \"The User Authentication part of mobile device enrollment has completed\",\r\n \"33102\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Successful user login to ISE configuration mode\", \"ISE administrator logged in to ISE configuration mode\",\r\n \"33103\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User login to ISE configuration mode failed\", \"Login to ISE configuration mode failed\",\r\n \"5200\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\r\n \"5201\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended 
successfully\",\r\n \"5231\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Guest Authentication Passed\", \"Guest Authentication Passed\",\r\n \"11002\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Returned RADIUS Access-Accept\", \"Returned RADIUS Access-Accept - authentication succeeded\",\r\n \"11003\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Returned RADIUS Access-Reject\", \"Returned RADIUS Access-Reject - authentication failed\",\r\n \"11039\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"RADIUS authentication request rejected due to critical logging error\", \"A RADIUS authentication request was rejected due to a critical logging error.\",\r\n \"11052\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication request dropped due to unsupported port number\", \"An authentication request was dropped because it was received through an unsupported port number.\",\r\n \"11812\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication succeeded.\",\r\n \"11813\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication failed.\",\r\n \"11814\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication for the inner EAP method succeeded.\",\r\n \"11815\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication for the inner EAP method failed.\",\r\n \"11823\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication attempt failed\", \"EAP-MSCHAP authentication attempt failed.\",\r\n \"11824\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication attempt passed\", \"EAP-MSCHAP authentication attempt passed.\",\r\n \"12005\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"EAP-MD5 authentication succeeded\", \"EAP-MD5 authentication succeeded.\",\r\n \"12006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MD5 authentication failed\", \"EAP-MD5 authentication failed.\",\r\n \"12208\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Client certificate was received but authentication failed\", \"ISE received client certificate during tunnel establishment or inside the tunnel but the authentication failed.\",\r\n \"12306\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"PEAP authentication succeeded\", \"PEAP authentication succeeded.\",\r\n \"12307\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"PEAP authentication failed\", \"PEAP authentication failed.\",\r\n \"12308\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Client sent Result TLV indicating failure\", \"Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. 
Client indicates that it does not support Crypto-Binding TLV\",\r\n \"12506\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TLS authentication succeeded\", \"EAP-TLS authentication succeeded.\",\r\n \"12507\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TLS authentication failed\", \"EAP-TLS authentication failed.\",\r\n \"12528\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-TLS authentication succeeded\", \"EAP-TLS authentication for the inner EAP method succeeded.\",\r\n \"12529\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-TLS authentication failed\", \"EAP-TLS authentication for the inner EAP method failed.\",\r\n \"12612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication succeeded\", \"EAP-GTC authentication has succeeded.\",\r\n \"12613\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication failed\", \"EAP-GTC authentication has failed.\",\r\n \"12614\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-GTC authentication succeeded\", \"EAP-GTC authentication for the inner EAP method has succeeded.\",\r\n \"12615\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-GTC authentication failed\", \"EAP-GTC authentication for the inner EAP method has failed.\",\r\n \"12623\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication attempt failed\", \"The EAP-GTC authentication attempt has failed.\",\r\n \"12624\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication attempt passed\", \"The EAP-GTC authentication attempt has passed.\",\r\n \"12705\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"LEAP authentication passed; Continuing protocol\", \"LEAP authentication passed. 
Continue LEAP protocol.\",\r\n \"12706\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication failed; Finishing protocol\", \"LEAP authentication has failed. Protocol finished with a failure.\",\r\n \"12707\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication error; Finishing protocol\", \"A LEAP authentication error has occurred. Protocol finished with an error.\",\r\n \"12854\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\r\n \"12975\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TTLS authentication succeeded\", \"EAP-TTLS authentication succeeded.\",\r\n \"12976\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TTLS authentication failed\", \"EAP-TTLS authentication failed.\",\r\n \"11700\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"5G AKA Authentication succeeded\", \"5G AKA Authentication succeeded.\"\r\n ];\r\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \r\n | summarize make_set(EventOriginalType));\r\nlet CiscoISEAuthParser=(disabled: bool=false) {\r\n Syslog\r\n | where not(disabled)\r\n | where ProcessName has_any (\"CISE\", \"CSCO\")\r\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\r\n | where EventOriginalType in (EventOriginalTypeList)\r\n | lookup EventFieldsLookup on EventOriginalType \r\n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, 
['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\r\n | project-rename\r\n LogonProtocol=Protocol\r\n , TargetIpAddr=DestinationIPAddress\r\n , TargetPortNumber=DestinationPort\r\n , TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\r\n , SrcPortNumber=['Device Port']\r\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\r\n | extend\r\n EventStartTime = coalesce(EventTime, TimeGenerated)\r\n , EventEndTime = coalesce(EventTime, TimeGenerated)\r\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\r\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\r\n | extend\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\r\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\r\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\r\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\r\n | extend \r\n EventVendor = \"Cisco\"\r\n , EventProduct = \"ISE\"\r\n , EventProductVersion = \"3.2\"\r\n , EventCount = int(1)\r\n , EventSchema = \"Authentication\"\r\n , EventSchemaVersion = \"0.1.3\"\r\n // **************** *****************\r\n | extend \r\n Dvc = coalesce(DvcIpAddr, DvcHostname)\r\n , IpAddr = SrcIpAddr\r\n , Dst = TargetIpAddr\r\n , Src = SrcIpAddr\r\n , User = TargetUsername\r\n // **************** ****************\r\n | project-away\r\n TenantId,\r\n SourceSystem,\r\n MG,\r\n Computer,\r\n EventTime,\r\n Facility,\r\n HostName,\r\n SeverityLevel,\r\n SyslogMessage,\r\n HostIP,\r\n ProcessName,\r\n ProcessID,\r\n _ResourceId,\r\n FailureReason,\r\n NetworkDeviceName,\r\n ['User-Name'],\r\n UserName,\r\n User,\r\n ['Remote-Address'],\r\n ['Device IP Address'],\r\n 
['Caller-Station-ID']\r\n};\r\nCiscoISEAuthParser(disabled=disabled)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Cisco ISE.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"3aefb468-db13-5f6b-bbdb-3ffde1bd1317","name":"_ASim_Authentication_CiscoMerakiSyslogV02","body":"let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\r\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\r\n [\r\n \"0\", \"Other\",\r\n \"1\", \"Other\",\r\n \"2\", \"Password expired\",\r\n \"3\", \"Other\",\r\n \"4\", \"Session expired\",\r\n \"5\", \"Other\",\r\n \"6\", \"Other\",\r\n \"7\", \"Other\",\r\n \"8\", \"Other\",\r\n \"9\", \"Other\",\r\n \"10\", \"Logon violates policy\",\r\n \"11\", \"Logon violates policy\",\r\n \"12\", \"Other\",\r\n \"13\", \"Logon violates policy\",\r\n \"14\", \"Other\",\r\n \"15\", \"Other\",\r\n \"16\", \"Other\",\r\n \"17\", \"Other\",\r\n \"18\", \"Incorrect key\",\r\n \"19\", \"Incorrect key\",\r\n \"20\", \"Incorrect key\",\r\n \"21\", \"Other\",\r\n \"22\", \"Other\",\r\n \"23\", \"Other\",\r\n \"24\", \"Logon violates policy\",\r\n];\r\nlet EventFieldsLookup = datatable (\r\n LogSubType: string,\r\n EventResult: string,\r\n EventType: string,\r\n EventSeverity: string\r\n)\r\n [\r\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\r\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\r\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\r\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\r\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\r\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\r\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\r\n \"8021x_eap_failure\", \"Failure\", 
\"Logon\", \"Low\",\r\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\r\n];\r\nlet parser = (disabled: bool=false) {\r\n (\r\n Syslog\r\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\r\n | project-rename LogMessage = SyslogMessage\r\n )\r\n | where not(disabled)\r\n and LogMessage has \"events\"\r\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all(\"disassociation\",\"auth_neg_failed\"))\r\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\r\n | extend\r\n Epoch = tostring(Parser[0]),\r\n Device = tostring(Parser[1]),\r\n LogType = tostring(Parser[2]),\r\n Substring = tostring(Parser[3])\r\n | where LogType == \"events\"\r\n | parse Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\r\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\r\n | extend EpochTimestamp = split(Epoch, \".\")\r\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\r\n | extend EventEndTime = EventStartTime\r\n | invoke _ASIM_ResolveDvcFQDN('Device')\r\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\r\n | extend Dvc = DvcHostname, \r\n aid = trim('\"', aid)\r\n | extend\r\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\r\n DvcMacAddr = client_mac,\r\n TargetUsername = identity,\r\n AdditionalFields = bag_pack(\"aid\", aid),\r\n EventOriginalType = LogType,\r\n EventOriginalSubType = LogSubType,\r\n EventUid = _ResourceId\r\n | extend\r\n SrcIpAddr = trim('\"', SrcIpAddr),\r\n DvcMacAddr = trim('\"', DvcMacAddr),\r\n TargetUsername = trim('\"', TargetUsername),\r\n reason = trim('\"', reason)\r\n | extend\r\n DvcIpAddr = SrcIpAddr,\r\n IpAddr = 
SrcIpAddr,\r\n User = TargetUsername,\r\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\")\r\n | lookup EventFieldsLookup on LogSubType\r\n | lookup EventResultDetailsLookup on reason\r\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 65535), \"Other\", EventResultDetails)\r\n | extend\r\n EventCount=int(1),\r\n EventProduct=\"Meraki\",\r\n EventVendor=\"Cisco\",\r\n EventSchema=\"Authentication\",\r\n EventSchemaVersion=\"0.1.3\"\r\n | project-away\r\n LogMessage,\r\n Parser,\r\n Epoch,\r\n EpochTimestamp,\r\n Device,\r\n Substring,\r\n LogType,\r\n LogSubType,\r\n restOfMessage,\r\n reason,\r\n last_known_client_ip,\r\n client_ip,\r\n ip,\r\n client_mac,\r\n identity,\r\n aid,\r\n TenantId,\r\n SourceSystem,\r\n Computer,\r\n _ResourceId,\r\n MG,\r\n EventTime,\r\n Facility,\r\n HostName,\r\n SeverityLevel,\r\n ProcessID,\r\n HostIP,\r\n ProcessName,\r\n CollectorHostName\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"ASIM Authentication parser for Cisco Meraki.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"bab57609-83c6-5faf-97a6-905beae9323b","name":"_ASim_Authentication_CiscoMerakiV01","body":"let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\r\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\r\n [\r\n \"0\", \"Other\",\r\n \"1\", \"Other\",\r\n \"2\", \"Password expired\",\r\n \"3\", \"Other\",\r\n \"4\", \"Session expired\",\r\n \"5\", \"Other\",\r\n \"6\", \"Other\",\r\n \"7\", \"Other\",\r\n \"8\", \"Other\",\r\n \"9\", \"Other\",\r\n \"10\", \"Logon violates policy\",\r\n \"11\", \"Logon violates policy\",\r\n \"12\", \"Other\",\r\n \"13\", \"Logon violates policy\",\r\n \"14\", \"Other\",\r\n \"15\", \"Other\",\r\n \"16\", 
\"Other\",\r\n \"17\", \"Other\",\r\n \"18\", \"Incorrect key\",\r\n \"19\", \"Incorrect key\",\r\n \"20\", \"Incorrect key\",\r\n \"21\", \"Other\",\r\n \"22\", \"Other\",\r\n \"23\", \"Other\",\r\n \"24\", \"Logon violates policy\",\r\n];\r\nlet EventFieldsLookup = datatable (\r\n LogSubType: string,\r\n EventResult: string,\r\n EventType: string,\r\n EventSeverity: string\r\n)\r\n [\r\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\r\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\r\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\r\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\r\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\r\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\r\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\r\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\r\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\r\n];\r\nlet parser = (disabled: bool=false) {\r\n union isfuzzy=true\r\n (\r\n meraki_CL\r\n | project-rename LogMessage = Message\r\n ),\r\n (\r\n Syslog\r\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\r\n | project-rename LogMessage = SyslogMessage\r\n )\r\n | where not(disabled)\r\n and LogMessage has \"events\"\r\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all(\"disassociation\",\"auth_neg_failed\"))\r\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\r\n | extend\r\n Epoch = tostring(Parser[0]),\r\n Device = tostring(Parser[1]),\r\n LogType = tostring(Parser[2]),\r\n Substring = tostring(Parser[3])\r\n | where LogType == \"events\"\r\n | parse Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\r\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\r\n | extend EpochTimestamp = split(Epoch, \".\")\r\n | 
extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\r\n | extend EventEndTime = EventStartTime\r\n | invoke _ASIM_ResolveDvcFQDN('Device')\r\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\r\n | extend Dvc = DvcHostname, \r\n aid = trim('\"', aid)\r\n | extend\r\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\r\n DvcMacAddr = client_mac,\r\n TargetUsername = identity,\r\n AdditionalFields = bag_pack(\"aid\", aid),\r\n EventOriginalType = LogType,\r\n EventOriginalSubType = LogSubType,\r\n EventUid = _ResourceId\r\n | extend\r\n SrcIpAddr = trim('\"', SrcIpAddr),\r\n DvcMacAddr = trim('\"', DvcMacAddr),\r\n TargetUsername = trim('\"', TargetUsername),\r\n reason = trim('\"', reason)\r\n | extend\r\n DvcIpAddr = SrcIpAddr,\r\n IpAddr = SrcIpAddr,\r\n User = TargetUsername,\r\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\")\r\n | lookup EventFieldsLookup on LogSubType\r\n | lookup EventResultDetailsLookup on reason\r\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 
65535), \"Other\", EventResultDetails)\r\n | extend\r\n EventCount=int(1),\r\n EventProduct=\"Meraki\",\r\n EventVendor=\"Cisco\",\r\n EventSchema=\"Authentication\",\r\n EventSchemaVersion=\"0.1.3\"\r\n | project-away\r\n LogMessage,\r\n Parser,\r\n Epoch,\r\n EpochTimestamp,\r\n Device,\r\n Substring,\r\n LogType,\r\n LogSubType,\r\n restOfMessage,\r\n reason,\r\n last_known_client_ip,\r\n client_ip,\r\n ip,\r\n client_mac,\r\n identity,\r\n aid,\r\n TenantId,\r\n SourceSystem,\r\n Computer,\r\n _ResourceId,\r\n MG,\r\n EventTime,\r\n Facility,\r\n HostName,\r\n SeverityLevel,\r\n ProcessID,\r\n HostIP,\r\n ProcessName\r\n};\r\nparser(disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"ASIM Authentication parser for Cisco Meraki.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"56288712-29ec-5df6-9a3f-81efe80ea649","name":"_ASim_Authentication_CiscoMerakiV02","body":"let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\r\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\r\n [\r\n \"0\", \"Other\",\r\n \"1\", \"Other\",\r\n \"2\", \"Password expired\",\r\n \"3\", \"Other\",\r\n \"4\", \"Session expired\",\r\n \"5\", \"Other\",\r\n \"6\", \"Other\",\r\n \"7\", \"Other\",\r\n \"8\", \"Other\",\r\n \"9\", \"Other\",\r\n \"10\", \"Logon violates policy\",\r\n \"11\", \"Logon violates policy\",\r\n \"12\", \"Other\",\r\n \"13\", \"Logon violates policy\",\r\n \"14\", \"Other\",\r\n \"15\", \"Other\",\r\n \"16\", \"Other\",\r\n \"17\", \"Other\",\r\n \"18\", \"Incorrect key\",\r\n \"19\", \"Incorrect key\",\r\n \"20\", \"Incorrect key\",\r\n \"21\", \"Other\",\r\n \"22\", \"Other\",\r\n \"23\", \"Other\",\r\n \"24\", \"Logon violates policy\",\r\n];\r\nlet EventFieldsLookup = datatable (\r\n LogSubType: 
string,\r\n EventResult: string,\r\n EventType: string,\r\n EventSeverity: string\r\n)\r\n [\r\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\r\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\r\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\r\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\r\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\r\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\r\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\r\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\r\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\r\n];\r\nlet parser = (disabled: bool=false) {\r\n (\r\n meraki_CL\r\n | project-rename LogMessage = Message\r\n )\r\n | where not(disabled)\r\n and LogMessage has \"events\"\r\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all(\"disassociation\",\"auth_neg_failed\"))\r\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\r\n | extend\r\n Epoch = tostring(Parser[0]),\r\n Device = tostring(Parser[1]),\r\n LogType = tostring(Parser[2]),\r\n Substring = tostring(Parser[3])\r\n | where LogType == \"events\"\r\n | parse Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\r\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\r\n | extend EpochTimestamp = split(Epoch, \".\")\r\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\r\n | extend EventEndTime = EventStartTime\r\n | invoke _ASIM_ResolveDvcFQDN('Device')\r\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\r\n | extend Dvc = DvcHostname, \r\n aid = trim('\"', aid)\r\n | extend\r\n 
SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\r\n DvcMacAddr = client_mac,\r\n TargetUsername = identity,\r\n AdditionalFields = bag_pack(\"aid\", aid),\r\n EventOriginalType = LogType,\r\n EventOriginalSubType = LogSubType,\r\n EventUid = _ResourceId\r\n | extend\r\n SrcIpAddr = trim('\"', SrcIpAddr),\r\n DvcMacAddr = trim('\"', DvcMacAddr),\r\n TargetUsername = trim('\"', TargetUsername),\r\n reason = trim('\"', reason)\r\n | extend\r\n DvcIpAddr = SrcIpAddr,\r\n IpAddr = SrcIpAddr,\r\n User = TargetUsername,\r\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\")\r\n | lookup EventFieldsLookup on LogSubType\r\n | lookup EventResultDetailsLookup on reason\r\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 65535), \"Other\", EventResultDetails)\r\n | extend\r\n EventCount=int(1),\r\n EventProduct=\"Meraki\",\r\n EventVendor=\"Cisco\",\r\n EventSchema=\"Authentication\",\r\n EventSchemaVersion=\"0.1.3\"\r\n | project-away\r\n LogMessage,\r\n Parser,\r\n Epoch,\r\n EpochTimestamp,\r\n Device,\r\n Substring,\r\n LogType,\r\n LogSubType,\r\n restOfMessage,\r\n reason,\r\n last_known_client_ip,\r\n client_ip,\r\n ip,\r\n client_mac,\r\n identity,\r\n aid,\r\n TenantId,\r\n SourceSystem,\r\n Computer,\r\n _ResourceId\r\n};\r\n parser(disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"ASIM Authentication parser for Cisco Meraki.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"7eb6a2df-9e8f-53bc-aacd-234841774da4","name":"_ASim_Authentication_CrowdStrikeFalconHostV01","body":"let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\r\n [\r\n \"0\", \"Informational\",\r\n \"1\", \"Informational\",\r\n \"2\", \"Low\",\r\n \"3\", \"Medium\",\r\n \"4\", \"High\",\r\n \"5\", \"High\"\r\n];\r\nlet parser = (disabled: bool=false) {\r\n CommonSecurityLog\r\n | where not(disabled)\r\n | 
where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\r\n | where DeviceEventCategory == \"AuthActivityAuditEvent\" and DeviceEventClassID in (\"userAuthenticate\", \"twoFactorAuthenticate\")\r\n | lookup EventSeverityLookup on LogSeverity\r\n | extend\r\n EventResult = iff(EventOutcome == \"true\", \"Success\", \"Failure\"),\r\n EventStartTime = todatetime(DeviceCustomDate1),\r\n EventCount = int(1),\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.3\",\r\n EventType = \"Logon\",\r\n EventProduct = \"FalconHost\",\r\n EventVendor = \"CrowdStrike\"\r\n | project-rename\r\n TargetIpAddr = DestinationTranslatedAddress,\r\n EventUid = _ItemId,\r\n EventOriginalSeverity = LogSeverity,\r\n EventOriginalSubType = DeviceEventClassID,\r\n EventOriginalType = DeviceEventCategory,\r\n EventProductVersion = DeviceVersion,\r\n EventOriginalResultDetails = EventOutcome,\r\n TargetUsername = DestinationUserName,\r\n TargetAppName = ProcessName\r\n | extend\r\n EventEndTime = EventStartTime,\r\n DvcIpAddr = TargetIpAddr,\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\r\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\"),\r\n LogonMethod = iff(EventOriginalSubType =~ \"userAuthenticate\", \"Username and Password\", \"Two Factor Authentication\")\r\n | extend\r\n User = TargetUsername,\r\n Dst = TargetIpAddr,\r\n Dvc = coalesce(DvcIpAddr, EventProduct),\r\n Application = TargetAppName\r\n | project-away \r\n Source*,\r\n Destination*,\r\n Device*,\r\n AdditionalExtensions,\r\n CommunicationDirection,\r\n Computer,\r\n EndTime,\r\n FieldDevice*,\r\n Flex*,\r\n File*,\r\n Old*,\r\n MaliciousIP*,\r\n OriginalLogSeverity,\r\n Process*,\r\n Protocol,\r\n Activity,\r\n ReceivedBytes,\r\n SentBytes,\r\n Remote*,\r\n Request*,\r\n SimplifiedDeviceAction,\r\n StartTime,\r\n TenantId,\r\n Threat*,\r\n IndicatorThreatType,\r\n ExternalID,\r\n 
ReportReferenceLink,\r\n ReceiptTime,\r\n Reason,\r\n ApplicationProtocol,\r\n _ResourceId,\r\n ExtID,\r\n Message\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"ASIM Authentication parser for CrowdStrike Falcon Endpoint Protection.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"4d58d107-a6ab-5bc5-90dd-2b0087cf4f50","name":"_ASim_Authentication_CrowdStrikeFalconHostV02","body":"let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\r\n [\r\n \"0\", \"Informational\",\r\n \"1\", \"Informational\",\r\n \"2\", \"Low\",\r\n \"3\", \"Medium\",\r\n \"4\", \"High\",\r\n \"5\", \"High\"\r\n];\r\nlet parser = (disabled: bool=false) {\r\n CommonSecurityLog\r\n | where not(disabled)\r\n | where DeviceEventCategory == \"AuthActivityAuditEvent\" and (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\r\n | where DeviceEventClassID in (\"userAuthenticate\", \"twoFactorAuthenticate\")\r\n | lookup EventSeverityLookup on LogSeverity\r\n | extend\r\n EventResult = iff(EventOutcome == \"true\", \"Success\", \"Failure\"),\r\n EventStartTime = todatetime(DeviceCustomDate1),\r\n EventCount = int(1),\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.3\",\r\n EventType = \"Logon\",\r\n EventProduct = \"FalconHost\",\r\n EventVendor = \"CrowdStrike\",\r\n Type = \"CommonSecurityLog\"\r\n | project-rename\r\n TargetIpAddr = DestinationTranslatedAddress,\r\n EventUid = _ItemId,\r\n EventOriginalSeverity = LogSeverity,\r\n EventOriginalSubType = DeviceEventClassID,\r\n EventOriginalType = DeviceEventCategory,\r\n EventProductVersion = DeviceVersion,\r\n EventOriginalResultDetails = EventOutcome,\r\n TargetUsername = DestinationUserName,\r\n TargetAppName = ProcessName\r\n | extend\r\n EventEndTime = EventStartTime,\r\n DvcIpAddr = TargetIpAddr,\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n 
TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\r\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\"),\r\n LogonMethod = iff(EventOriginalSubType =~ \"userAuthenticate\", \"Username & Password\", \"Multi factor authentication\")\r\n | extend\r\n User = TargetUsername,\r\n Dst = TargetIpAddr,\r\n Dvc = coalesce(DvcIpAddr, EventProduct),\r\n Application = TargetAppName\r\n | project\r\n TimeGenerated,\r\n EventResult,\r\n EventStartTime,\r\n EventCount,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventType,\r\n EventProduct,\r\n EventVendor,\r\n Type,\r\n TargetIpAddr,\r\n EventUid,\r\n EventSeverity,\r\n EventOriginalSeverity,\r\n EventOriginalSubType,\r\n EventOriginalType,\r\n EventProductVersion,\r\n EventOriginalResultDetails,\r\n TargetUsername,\r\n TargetAppName,\r\n EventEndTime,\r\n DvcIpAddr,\r\n TargetUsernameType,\r\n TargetUserType,\r\n TargetAppType,\r\n LogonMethod,\r\n User,\r\n Dst,\r\n Dvc,\r\n Application\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"ASIM Authentication parser for CrowdStrike Falcon Endpoint Protection.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"b0bf4756-4723-592f-9b7f-232c93628cf7","name":"_ASim_Authentication_FortinetFortigateV01","body":"let EventSeverityLookup = datatable(EventOriginalSeverity: string, EventSeverity: string)\r\n[\r\n \"information\", \"Informational\",\r\n \"notice\", \"Informational\",\r\n \"warning\", \"Low\",\r\n \"error\", \"Low\",\r\n \"alert\", \"Medium\",\r\n \"critical\", \"High\",\r\n \"emergency\", \"High\",\r\n \"0\", \"Informational\",\r\n \"1\", \"Informational\",\r\n \"2\", \"Informational\",\r\n \"3\", \"Informational\",\r\n \"4\", \"Low\",\r\n \"5\", \"Low\",\r\n \"6\", \"Low\",\r\n \"7\", \"Medium\",\r\n \"8\", \"Medium\",\r\n \"9\", \"High\",\r\n \"10\", \"High\"\r\n];\r\nlet parser = (disabled: bool) {\r\n let FortigateLogs = CommonSecurityLog\r\n 
| where not(disabled)\r\n | where DeviceVendor == \"Fortinet\"\r\n | where DeviceProduct has \"Fortigate\"\r\n | where DeviceEventClassID !in (\"0100022949\", \"0100022952\"); // Omit \"Attempted to join FortiCloud\" and \"service activation failed\"\r\n let LogoutEvents = FortigateLogs\r\n | where Activity == \"system event logout\"\r\n | extend EventType = \"Logoff\";\r\n let LoginEvents = FortigateLogs\r\n | where Activity == \"system event login\"\r\n | extend EventType = \"Logon\"\r\n | extend EventResultDetails = case(\r\n Message has \"invalid password\", \"Incorrect password\",\r\n Message has \"invalid\", \"No such user or password\",\r\n Message has \"disabled\", \"User disabled\",\r\n Message has \"no valid user certificate\", \"Incorrect key\",\r\n Message has \"blocked IP\", \"Logon violates policy\",\r\n Message has \"max login failures\", \"Logon violates policy\",\r\n Message has \"declined disclaimer\", \"Logon violates policy\",\r\n Message has \"password renewal\", \"Logon violates policy\",\r\n Message has \"internal error\", \"Other\",\r\n Message has \"connection timeout\", \"Other\",\r\n \"\"\r\n );\r\n union\r\n LogoutEvents,\r\n LoginEvents\r\n | extend \r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.4\",\r\n EventCount = int(1),\r\n Type = \"CommonSecurityLog\"\r\n | project-rename\r\n EventProductVersion = DeviceVersion,\r\n EventProduct = DeviceProduct,\r\n EventVendor = DeviceVendor,\r\n TargetIpAddr = DestinationIP,\r\n TargetHostname = Computer,\r\n TargetFQDN = DeviceName,\r\n EventOriginalType = Activity,\r\n EventOriginalSubType = DeviceEventClassID,\r\n TargetUsername = DestinationUserName,\r\n TargetDvcId = DeviceExternalID,\r\n SrcIpAddr = SourceIP,\r\n ActingAppName = SourceProcessName,\r\n EventMessage = Message\r\n | extend\r\n TargetUsernameType = \"Simple\",\r\n TargetDvcIdType = \"Other\"\r\n | parse-kv AdditionalExtensions as 
(deviceSeverity: string, status: string, [\"ad.status\"]: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\r\n | extend EventResult = case(\r\n [\"ad.status\"] == \"success\" or status == \"success\", \"Success\",\r\n [\"ad.status\"] == \"failed\" or status == \"failed\", \"Failure\",\r\n EventMessage has \"login failed\", \"Failure\",\r\n EventMessage has \"Login disabled\", \"Failure\",\r\n EventMessage has \"logged out\", \"Success\",\r\n EventMessage has \"logged in successfully\", \"Success\",\r\n \"NA\"\r\n )\r\n | extend\r\n EventOriginalSeverity = coalesce(deviceSeverity, LogSeverity, \"\")\r\n | lookup EventSeverityLookup on EventOriginalSeverity\r\n | extend\r\n Dvc = TargetDvcId,\r\n IpAddr = SrcIpAddr\r\n | project\r\n TimeGenerated,\r\n Type,\r\n EventResultDetails,\r\n EventType,\r\n EventStartTime,\r\n EventEndTime,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventCount,\r\n EventProductVersion,\r\n EventProduct,\r\n EventVendor,\r\n TargetIpAddr,\r\n TargetHostname,\r\n TargetFQDN,\r\n EventOriginalType,\r\n EventOriginalSeverity,\r\n EventOriginalSubType,\r\n TargetUsername,\r\n TargetDvcId,\r\n SrcIpAddr,\r\n ActingAppName,\r\n EventMessage,\r\n TargetUsernameType,\r\n TargetDvcIdType,\r\n EventResult,\r\n EventSeverity,\r\n Dvc,\r\n IpAddr\r\n};\r\nparser(disabled = disabled)","parameters":"disabled:bool = false","description":"ASIM Authentication parser for Fortinet - Fortigate.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"776c6a6c-6923-59a4-9618-2abd13114785","name":"_ASim_Authentication_GoogleWorkspaceV01","body":"let parser = (\r\n disabled: bool = false\r\n ) {\r\n let GoogleWorkspaceSchema = datatable (\r\n event_name_s: string,\r\n event_type_s: string,\r\n id_uniqueQualifier_s: string,\r\n actor_email_s: string,\r\n actor_profileId_s: string,\r\n IPAddress: string,\r\n login_challenge_method_s: string,\r\n id_applicationName_s: string,\r\n 
affected_email_address_s: string,\r\n is_suspicious_b: bool,\r\n is_second_factor_b: bool,\r\n login_type_s: string,\r\n sensitive_action_name_s: string,\r\n login_challenge_status_s: string,\r\n TimeGenerated: datetime,\r\n _ItemId: string,\r\n _ResourceId: string,\r\n Computer: string,\r\n MG: string,\r\n ManagementGroupName: string,\r\n RawData: string,\r\n SourceSystem: string,\r\n TenantId: string\r\n)[];\r\n let EventFieldsLookup = datatable (\r\n EventOriginalSubType: string,\r\n EventType: string,\r\n EventResult: string,\r\n DvcAction: string\r\n)\r\n [\r\n \"login_success\", \"Logon\", \"Success\", \"Allowed\",\r\n \"login_failure\", \"Logon\", \"Failure\", \"Blocked\",\r\n \"login_challenge\", \"Logon\", \"\", \"\",\r\n \"login_verification\", \"Logon\", \"\", \"\",\r\n \"risky_sensitive_action_blocked\", \"Logon\", \"Failure\", \"Blocked\",\r\n \"riskay_sensitive_action_allowed\", \"Logon\", \"Success\", \"Allowed\",\r\n \"logout\", \"Logoff\", \"Success\", \"Allowed\",\r\n \"suspicious_login\", \"Logon\", \"Failure\", \"Blocked\",\r\n \"suspicious_login_less_secure_app\", \"Logon\", \"Failure\", \"Blocked\",\r\n \"suspicious_programmatic_login\", \"Logon\", \"Failure\", \"Blocked\",\r\n \"user_signed_out_due_to_suspicious_session_cookie\", \"Logoff\", \"Success\", \"Allowed\"\r\n];\r\n let ThreatEventTypes = dynamic(['suspicious_login', 'suspicious_login_less_secure_app', 'suspicious_programmatic_login', 'user_signed_out_due_to_suspicious_session_cookie']);\r\n let SupportedEventNames = EventFieldsLookup\r\n | project EventOriginalSubType;\r\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_login_CL\r\n | where not(disabled)\r\n | where event_name_s in (SupportedEventNames)\r\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\r\n | project-rename\r\n TargetUsername = actor_email_s,\r\n TargetUserId = actor_profileId_s,\r\n SrcIpAddr = IPAddress,\r\n LogonMethod = login_challenge_method_s,\r\n 
EventOriginalType = event_type_s,\r\n EventOriginalUid = id_uniqueQualifier_s\r\n | extend\r\n TargetUsername = iif(event_name_s in (ThreatEventTypes), affected_email_address_s, TargetUsername),\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n TargetUserIdType = iif(isnotempty(TargetUserId), \"GWorkspaceProfileID\", \"\"),\r\n EventSeverity = iif(event_name_s in (ThreatEventTypes), \"High\", \"Informational\")\r\n | extend \r\n AdditionalFields = bag_pack(\r\n \"Is_Suspicious\",\r\n is_suspicious_b,\r\n \"Is_Second_Factor_b\",\r\n is_second_factor_b,\r\n \"Logon_Type\",\r\n login_type_s,\r\n \"Sensitive_Action_Name\",\r\n sensitive_action_name_s\r\n ),\r\n EventResult = case(\r\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"passed\",\r\n \"Success\",\r\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\",\r\n \"Failure\",\r\n EventResult\r\n ),\r\n EventResultDetails = iif(event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\", \"MFA not satisfied\", \"\"),\r\n RuleName = case(\r\n event_name_s == 'suspicious_login',\r\n \"Google has detected a suspicious login for TargetUSerName\",\r\n event_name_s == 'suspicious_login_less_secure_app',\r\n \"Google has detected a suspicious login for TargetUSerName from a less secure app\",\r\n event_name_s == 'suspicious_programmatic_login',\r\n \"Google has detected a suspicious programmatic login for TargetUserName\",\r\n event_name_s == 'user_signed_out_due_to_suspicious_session_cookie',\r\n \"Suspicious session cookie detected for user TargetUserName\",\r\n \"\"\r\n ),\r\n ThreatField = iif(event_name_s in (ThreatEventTypes), \"TargetUserName\", \"\"),\r\n ThreatFirstReportedTime = iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null)),\r\n ThreatLastReportedTime = iif(event_name_s in (ThreatEventTypes), 
TimeGenerated, datetime(null))\r\n | extend\r\n EventOriginalSubType = event_name_s,\r\n TargetAppName = \"Google Workspace - login\",\r\n Dst = \"Google Workspace\",\r\n Application = \"Google Workspace\",\r\n TargetAppType = \"SaaS application\",\r\n IpAddr = SrcIpAddr,\r\n User = TargetUsername,\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventProduct = \"Workspace\",\r\n EventVendor = \"Google\",\r\n Dvc=\"Workspace\",\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.3',\r\n EventUid = _ItemId\r\n | project-away \r\n *_s,\r\n *_b,\r\n _ResourceId,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId\r\n};\r\nparser (disabled = disabled)","parameters":"disabled:bool = false","description":"ASIM Authentication parser for Google Workspace.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"6b75cb62-2433-589d-b618-44eda2b07f9b","name":"_ASim_Authentication_IllumioSaaSCoreV03","body":"let EventTypeLookup = datatable(\r\n event_type: string, // what Illumio sends\r\n EventType: string, // an enumerated list [ Logon, Logoff, Elevate ] event type\r\n EventResultDetails: string,\r\n EventResult: string\r\n)\r\n[\r\n 'user.authenticate', 'Logon', 'Other', 'Success',\r\n 'user.login', 'Logon', 'Other', 'Success',\r\n 'user.logout', 'Logoff', 'Other', 'Success',\r\n 'user.sign_in', 'Logon', 'Other', 'Success',\r\n 'user.sign_out', 'Logoff', 'Other', 'Success',\r\n 'user.use_expired_password', 'Logon', 'Password expired', 'Success'\r\n];\r\nlet user_events = dynamic(['user.sigin', 'user.login', 'user.sign_out', 'user.logout', 'user.authenticate', 'user.use_expired_password']);\r\nlet parser=(disabled: bool=false) {\r\n Illumio_Auditable_Events_CL\r\n | where not(disabled) and event_type in (user_events) // limited to user signin, login, logoff, signoff events only\r\n | extend \r\n 
EventProduct='Core'\r\n ,\r\n EventVendor='Illumio'\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventCount=int(1)\r\n ,\r\n EventSchemaVersion='0.1.3'\r\n , \r\n EventOriginalUid = href\r\n | lookup EventTypeLookup on event_type //fetch EventType, EventResultDetails, EventResult\r\n | extend \r\n EventStartTime=TimeGenerated\r\n ,\r\n EventEndTime=TimeGenerated\r\n , \r\n TargetUsername = case( \r\n isnotnull(created_by.user), created_by.user.username, \r\n \"Unknown\"\r\n ),\r\n TargetUsernameType = \"Simple\",\r\n EventUid = _ItemId,\r\n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip)\r\n // ** Aliases\r\n | extend \r\n Dvc=EventVendor\r\n ,\r\n IpAddr=SrcIpAddr\r\n ,\r\n User = TargetUsername\r\n | project-away \r\n TenantId,\r\n href,\r\n pce_fqdn,\r\n created_by,\r\n event_type,\r\n status,\r\n severity,\r\n action,\r\n resource_changes,\r\n notifications,\r\n version \r\n };\r\n parser(disabled = disabled)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Illumio SaaS Core.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"ba94da36-305b-5ad0-8bd0-1edfda438da9","name":"_ASim_Authentication_M365DefenderV01","body":"let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\r\n 'InvalidUserNameOrPassword','No such user or password'\r\n];\r\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ \r\n 'Batch', 'Service',\r\n 'CachedInteractive', 'Interactive',\r\n 'Interactive', 'Interactive',\r\n 'Network', 'Remote',\r\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\r\n 'RemoteInteractive', 'RemoteInteractive',\r\n 'Service', 'Service',\r\n 'Unknown', ''\r\n];\r\nlet EventResultLookup = datatable (ActionType:string, EventResult:string) [ \r\n 'LogonAttempted', 'NA',\r\n 'LogonFailed', 'Failure',\r\n 'LogonSuccess', 'Success'\r\n];\r\nlet parser = (\r\n 
disabled:bool=false\r\n){\r\n let UnixDeviceLogonEvents = (disabled:bool=false) {\r\n DeviceLogonEvents \r\n | where not(disabled)\r\n | where InitiatingProcessFolderPath startswith \"/\"\r\n | extend \r\n ActorUsernameType = \"Simple\",\r\n TargetDvcOs = \"Linux\",\r\n TargetUsernameType = \"Simple\"\r\n | project-rename \r\n ActingProcessName = InitiatingProcessFolderPath,\r\n ActorUsername = InitiatingProcessAccountName,\r\n TargetUsername = AccountName\r\n | project-away \r\n InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\r\n };\r\n let WindowsDeviceLogonEvents = (disabled:bool=false) {\r\n DeviceLogonEvents \r\n | where not(disabled)\r\n | where InitiatingProcessFolderPath !startswith \"/\"\r\n | extend \r\n ActingProcessName = strcat (InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName),\r\n ActorUserIdType = 'SID',\r\n ActorUsername = case (\r\n isempty(InitiatingProcessAccountName), \"\",\r\n isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName,\r\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\r\n ),\r\n ActorUsernameType = iff (\r\n InitiatingProcessAccountDomain == '','Simple',\r\n 'Windows'\r\n ),\r\n TargetDvcOs = \"Windows\",\r\n TargetUserIdType = 'SID',\r\n TargetUsername = iff (\r\n isempty(AccountDomain), AccountName,\r\n strcat(AccountDomain, '\\\\', AccountName)\r\n ),\r\n TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\r\n | project-rename \r\n ActorUserId = InitiatingProcessAccountSid,\r\n TargetUserId = AccountSid\r\n // -- Specific identifiers aliases\r\n | extend \r\n TargetUserSid = TargetUserId,\r\n ActorUserSid = ActorUserId,\r\n TargetWindowsUsername = TargetUsername,\r\n ActorWindowsUsername = ActorUsername,\r\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\r\n | extend \r\n TargetUserType = iff(IsLocalAdmin, \r\n 'Admin',\r\n _ASIM_GetWindowsUserType 
(TargetWindowsUsername, TargetUserSid)\r\n )\r\n | project-away InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\r\n };\r\n union \r\n WindowsDeviceLogonEvents (disabled=disabled),\r\n UnixDeviceLogonEvents (disabled=disabled)\r\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\r\n | extend ItemId = columnifexists('_ItemId', \"\")\r\n | project-rename \r\n ActingProcessCommandLine = InitiatingProcessCommandLine,\r\n ActingProcessCreationTime = InitiatingProcessCreationTime,\r\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\r\n ActingProcessMD5 = InitiatingProcessMD5,\r\n ActingProcessSHA1 = InitiatingProcessSHA1 ,\r\n ActingProcessSHA256 = InitiatingProcessSHA256,\r\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\r\n ActorUserAadId = InitiatingProcessAccountObjectId,\r\n ActorUserUpn = InitiatingProcessAccountUpn,\r\n EventOriginalResultDetails = FailureReason,\r\n EventOriginalType = LogonType,\r\n EventUid = ItemId,\r\n LogonProtocol = Protocol,\r\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\r\n ParentProcessName = InitiatingProcessParentFileName,\r\n SrcHostname = RemoteDeviceName,\r\n SrcPortNumber = RemotePort,\r\n TargetDvcId = DeviceId\r\n | extend \r\n ActingProcessId = tostring (InitiatingProcessId),\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventOriginalUid = tostring (ReportId),\r\n EventProduct = 'M365 Defender for EndPoint',\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.3',\r\n EventStartTime = TimeGenerated,\r\n EventType = 'Logon',\r\n EventVendor = 'Microsoft',\r\n ParentProcessId = tostring (InitiatingProcessParentId),\r\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP),\r\n TargetDvcIdType = 'MDEid',\r\n TargetSessionId = tostring (LogonId)\r\n | extend\r\n Hash = coalesce(\r\n ActingProcessMD5,\r\n ActingProcessSHA1,\r\n 
ActingProcessSHA256\r\n )\r\n | extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \r\n | invoke _ASIM_ResolveFQDN('DeviceName')\r\n | project-rename \r\n TargetDomain = Domain, \r\n TargetDomainType = DomainType,\r\n TargetFQDN = FQDN,\r\n TargetHostname = ExtractedHostname\r\n | project-away DeviceName\r\n | lookup EventResultDetailsLookup on EventOriginalResultDetails \r\n | lookup EventSubTypeLookup on EventOriginalType\r\n | lookup EventResultLookup on ActionType\r\n | extend\r\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\r\n // -- Specific identifiers aliases\r\n | extend\r\n DvcMDEid = TargetDvcId,\r\n TargetDvcMDEid = TargetDvcId\r\n // -- Aliases\r\n | extend \r\n ActingAppName = ActingProcessName,\r\n ActingAppType = \"Process\",\r\n Dvc = coalesce (TargetFQDN, TargetHostname),\r\n IpAddr = SrcIpAddr,\r\n Prcess = ActingProcessName,\r\n Src = coalesce (SrcIpAddr, SrcHostname),\r\n User = TargetUsername,\r\n // -- Alias Dvc to Target,\r\n DvcDomain = TargetDomain,\r\n DvcDomainType = TargetDomainType,\r\n DvcFQDN = TargetFQDN,\r\n DvcHostname = TargetHostname,\r\n DvcId = TargetDvcId,\r\n DvcIdType = TargetDvcIdType,\r\n DvcOs = TargetDvcOs\r\n | extend \r\n Dst = Dvc,\r\n LogonTarget = Dvc\r\n | project-away ReportId, LogonId, InitiatingProcessId, InitiatingProcessParentId, ActionType, InitiatingProcessFileSize, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, AppGuardContainerId, RemoteIPType, IsLocalAdmin, RemoteIP\r\n};\r\nparser (\r\n disabled = disabled\r\n)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for M365 Defender Device Logon 
Events.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"91783af5-c270-5b96-b955-910c3ee5b681","name":"_ASim_Authentication_M365DefenderV02","body":"let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)\r\n[\r\n 'InvalidUserNameOrPassword','No such user or password'\r\n];\r\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string)\r\n[ \r\n 'Batch', 'Service',\r\n 'CachedInteractive', 'Interactive',\r\n 'Interactive', 'Interactive',\r\n 'Network', 'Remote',\r\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\r\n 'RemoteInteractive', 'RemoteInteractive',\r\n 'Service', 'Service',\r\n 'Unknown', ''\r\n];\r\nlet EventResultLookup = datatable (ActionType:string, EventResult:string)\r\n[ \r\n 'LogonAttempted', 'NA',\r\n 'LogonFailed', 'Failure',\r\n 'LogonSuccess', 'Success'\r\n];\r\nlet parser = (\r\n disabled:bool=false) {\r\nlet UnixDeviceLogonEvents = (disabled:bool=false) {\r\n DeviceLogonEvents\r\n | where not(disabled)\r\n | where InitiatingProcessFolderPath startswith \"/\"\r\n | extend \r\n ActorUsernameType = \"Simple\",\r\n TargetDvcOs = \"Linux\",\r\n TargetUsernameType = \"Simple\"\r\n | project-rename \r\n ActingProcessName = InitiatingProcessFolderPath,\r\n ActorUsername = InitiatingProcessAccountName,\r\n TargetUsername = AccountName\r\n | project-away \r\n InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\r\n};\r\nlet WindowsDeviceLogonEvents = (disabled:bool=false) {\r\n DeviceLogonEvents\r\n | where not(disabled)\r\n | where InitiatingProcessFolderPath !startswith \"/\"\r\n | extend \r\n ActingProcessName = strcat (InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName),\r\n ActorUserIdType = 'SID',\r\n ActorUsername = case (\r\n isempty(InitiatingProcessAccountName), \"\",\r\n isempty(InitiatingProcessAccountDomain), 
InitiatingProcessAccountName,\r\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\r\n ),\r\n ActorUsernameType = iff (\r\n InitiatingProcessAccountDomain == '','Simple',\r\n 'Windows'\r\n ),\r\n TargetDvcOs = \"Windows\",\r\n TargetUserIdType = 'SID',\r\n TargetUsername = iff (\r\n isempty(AccountDomain), AccountName,\r\n strcat(AccountDomain, '\\\\', AccountName)\r\n ),\r\n TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\r\n | project-rename \r\n ActorUserId = InitiatingProcessAccountSid,\r\n TargetUserId = AccountSid\r\n // -- Specific identifiers aliases\r\n | extend \r\n TargetUserSid = TargetUserId,\r\n ActorUserSid = ActorUserId,\r\n TargetWindowsUsername = TargetUsername,\r\n ActorWindowsUsername = ActorUsername,\r\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\r\n | extend \r\n TargetUserType = iff(IsLocalAdmin, \r\n 'Admin',\r\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\r\n )\r\n | project-away InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\r\n};\r\nunion \r\n WindowsDeviceLogonEvents (disabled=disabled),\r\n UnixDeviceLogonEvents (disabled=disabled)\r\n| extend EventUid = columnifexists('_ItemId', \"\")\r\n| project-rename \r\n ActingProcessCommandLine = InitiatingProcessCommandLine,\r\n ActingProcessCreationTime = InitiatingProcessCreationTime,\r\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\r\n ActingProcessMD5 = InitiatingProcessMD5,\r\n ActingProcessSHA1 = InitiatingProcessSHA1 ,\r\n ActingProcessSHA256 = InitiatingProcessSHA256,\r\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\r\n ActorUserAadId = InitiatingProcessAccountObjectId,\r\n ActorUserUpn = InitiatingProcessAccountUpn,\r\n EventOriginalResultDetails = FailureReason,\r\n EventOriginalType = LogonType,\r\n LogonProtocol = Protocol,\r\n ParentProcessCreationTime = 
InitiatingProcessParentCreationTime,\r\n ParentProcessName = InitiatingProcessParentFileName,\r\n SrcHostname = RemoteDeviceName,\r\n SrcPortNumber = RemotePort,\r\n TargetDvcId = DeviceId\r\n| extend \r\n ActingProcessId = tostring (InitiatingProcessId),\r\n EventCount = int(1),\r\n EventEndTime = Timestamp,\r\n EventOriginalUid = tostring (ReportId),\r\n EventProduct = 'M365 Defender for EndPoint',\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.3',\r\n EventStartTime = Timestamp,\r\n EventType = 'Logon',\r\n EventVendor = 'Microsoft',\r\n ParentProcessId = tostring (InitiatingProcessParentId),\r\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP),\r\n TargetDvcIdType = 'MDEid',\r\n TargetSessionId = tostring (LogonId),\r\n AdditionalFields = todynamic(AdditionalFields),\r\n Type = \"DeviceLogonEvents\"\r\n| extend\r\n Hash = coalesce(\r\n ActingProcessMD5,\r\n ActingProcessSHA1,\r\n ActingProcessSHA256\r\n )\r\n| extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \r\n| invoke _ASIM_ResolveFQDN('DeviceName')\r\n| project-rename \r\n TargetDomain = Domain, \r\n TargetDomainType = DomainType,\r\n TargetFQDN = FQDN,\r\n TargetHostname = ExtractedHostname\r\n| project-away DeviceName\r\n| lookup EventResultDetailsLookup on EventOriginalResultDetails\r\n| lookup EventSubTypeLookup on EventOriginalType\r\n| lookup EventResultLookup on ActionType\r\n| extend\r\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\r\n| extend\r\n UnnormalizedFields = bag_pack(\r\n \"ActingProcessCommandLine\", ActingProcessCommandLine,\r\n \"ActingProcessCreationTime\", ActingProcessCreationTime,\r\n \"ActingProcessIntegrityLevel\", ActingProcessIntegrityLevel,\r\n \"ActingProcessMD5\", ActingProcessMD5,\r\n \"ActingProcessSHA1\", ActingProcessSHA1,\r\n \"ActingProcessSHA256\", ActingProcessSHA256,\r\n \"ActingProcessTokenElevation\", 
ActingProcessTokenElevation,\r\n \"Hash\", Hash,\r\n \"HashType\", HashType,\r\n \"ParentProcessId\", ParentProcessId,\r\n \"ParentProcessCreationTime\", ParentProcessCreationTime,\r\n \"ParentProcessName\", ParentProcessName,\r\n \"ActingProcessId\", ActingProcessId\r\n )\r\n| extend\r\n AdditionalFields = bag_merge(AdditionalFields, UnnormalizedFields)\r\n// -- Aliases\r\n| extend \r\n ActingAppName = ActingProcessName,\r\n ActingAppType = \"Process\",\r\n Dvc = coalesce (TargetFQDN, TargetHostname),\r\n IpAddr = SrcIpAddr,\r\n Src = coalesce (SrcIpAddr, SrcHostname),\r\n User = TargetUsername,\r\n// -- Alias Dvc to Target,\r\n DvcDomain = TargetDomain,\r\n DvcDomainType = TargetDomainType,\r\n DvcFQDN = TargetFQDN,\r\n DvcHostname = TargetHostname,\r\n DvcId = TargetDvcId,\r\n DvcIdType = TargetDvcIdType,\r\n DvcOs = TargetDvcOs\r\n| extend \r\n Dst = Dvc,\r\n LogonTarget = Dvc\r\n| project\r\n TimeGenerated,\r\n Type,\r\n AdditionalFields,\r\n ActorUsernameType,\r\n TargetDvcOs,\r\n TargetUsernameType,\r\n ActingProcessName,\r\n ActorUsername,\r\n TargetUsername,\r\n ActorUserIdType,\r\n TargetUserIdType,\r\n ActorUserId,\r\n TargetUserId,\r\n TargetUserSid,\r\n ActorUserType,\r\n ActorUserAadId,\r\n ActorUserUpn,\r\n EventOriginalResultDetails,\r\n EventOriginalType,\r\n EventUid,\r\n LogonProtocol,\r\n SrcHostname,\r\n SrcPortNumber,\r\n TargetDvcId,\r\n EventCount,\r\n EventEndTime,\r\n EventOriginalUid,\r\n EventProduct,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventStartTime,\r\n EventType,\r\n EventVendor,\r\n SrcIpAddr,\r\n TargetDvcIdType,\r\n TargetSessionId,\r\n TargetDomain,\r\n TargetDomainType,\r\n TargetFQDN,\r\n TargetHostname,\r\n EventResultDetails,\r\n EventSubType,\r\n EventResult,\r\n EventSeverity,\r\n ActingAppName,\r\n ActingAppType,\r\n Dvc,\r\n IpAddr,\r\n Src,\r\n User,\r\n DvcDomain,\r\n DvcDomainType,\r\n DvcFQDN,\r\n DvcHostname,\r\n DvcId,\r\n DvcIdType,\r\n DvcOs,\r\n Dst,\r\n LogonTarget\r\n};\r\nparser (\r\n disabled = 
disabled\r\n)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for M365 Defender Device Logon Events.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"068cd71c-44ec-5d95-9288-6d7b7b94a4cf","name":"_ASim_Authentication_MD4IoTV01","body":"let parser=(disabled:bool=false)\r\n{\r\n SecurityIoTRawEvent | where not(disabled)\r\n | where RawEventName == \"Login\" \r\n | project-rename EventUid = _ItemId\r\n | extend\r\n EventDetails = todynamic(EventDetails)\r\n | extend\r\n EventCount = int(1),\r\n EventEndTime = todatetime(TimeGenerated), \r\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \r\n EventProduct = 'Microsoft Defender for IoT',\r\n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success'), \r\n EventSchemaVersion = '0.1.0', \r\n EventStartTime = todatetime(EventDetails.TimestampUTC), \r\n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \r\n EventVendor = 'Microsoft'\r\n | extend\r\n ActingProcessId = tostring(EventDetails.ProcessId), \r\n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \r\n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\r\n SrcIpAddr = tostring(EventDetails.RemoteAddress), \r\n TargetUsername = tostring(EventDetails.UserName),\r\n TargetUsernameType = \"Simple\"\r\n | project-rename\r\n _ResourceId = AssociatedResourceId, \r\n _SubscriptionId = AzureSubscriptionId, \r\n DvcHostname = DeviceId, \r\n EventProductVersion = AgentVersion // -- Not available in Windows\r\n // -- aliases\r\n | extend \r\n Dvc = DvcHostname,\r\n IpAddr = SrcIpAddr,\r\n Process = ActingProcessName, \r\n SrcDvcIpAddr = SrcIpAddr,\r\n User = TargetUsername\r\n };\r\n parser (\r\n disabled = disabled\r\n )","parameters":"disabled:bool = 
false","description":"Authentication ASIM parser for Microsoft Defender for IoT endpoint logs.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"127348e8-cc78-556e-b503-a764a1f5e862","name":"_ASim_Authentication_MicrosoftWindowsEventV02","body":"let LogonEvents=dynamic([4624, 4625]);\r\nlet LogoffEvents=dynamic([4634, 4647]);\r\nlet LogonTypes=datatable(LogonType: int, EventSubType: string)[\r\n 2, 'Interactive',\r\n 3, 'Remote',\r\n 4, 'System',\r\n 5, 'Service',\r\n 7, 'Interactive',\r\n 8, 'NetworkCleartext',\r\n 9, 'AssumeRole',\r\n 10, 'RemoteInteractive',\r\n 11, 'Interactive'\r\n];\r\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\r\nlet LogonStatus=datatable \r\n (\r\n EventStatus: string,\r\n EventOriginalResultDetails: string,\r\n EventResultDetails: string\r\n)[\r\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',\r\n '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',\r\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',\r\n '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',\r\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',\r\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled',\r\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',\r\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',\r\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account expired',\r\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',\r\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other',\r\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',\r\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',\r\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',\r\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',\r\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',\r\n '0xc0000387', 
'STATUS_SMARTCARD_IO_ERROR', 'Other',\r\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',\r\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',\r\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',\r\n '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other',\r\n '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other',\r\n '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',\r\n '0xc0000017', 'STATUS_NO_MEMORY', 'Other',\r\n '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',\r\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',\r\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',\r\n '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password',\r\n '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',\r\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',\r\n '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',\r\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',\r\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',\r\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',\r\n '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',\r\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',\r\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',\r\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',\r\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',\r\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',\r\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'\r\n];\r\nlet WinLogon=(disabled: bool=false) { \r\n WindowsEvent \r\n | where not(disabled)\r\n | where Provider == 'Microsoft-Windows-Security-Auditing'\r\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\r\n | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type\r\n | extend \r\n ActingProcessCreationTime = EventData.ProcessCreationTime,\r\n ActingProcessId = tostring(toint(EventData.ProcessId)),\r\n ActingProcessName = tostring(EventData.ProcessName),\r\n ActorSessionId = 
tostring(EventData.SubjectLogonId),\r\n ActorUserId = tostring(EventData.SubjectUserSid),\r\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\", EventData.SubjectUserName))),\r\n EventProduct = \"Security Events\",\r\n LogonGuid = tostring(EventData.LogonGuid),\r\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\r\n LogonType = toint(EventData.LogonType),\r\n SrcHostname = tostring(iff(EventData.WorkstationName in ('-', ''), Computer, EventData.WorkstationName)),\r\n SrcIpAddr = tostring(EventData.IpAddress),\r\n Status = tostring(EventData.Status),\r\n SubStatus = tostring(EventData.SubStatus),\r\n TargetDomainName = tostring(EventData.TargetDomainName),\r\n TargetPortNumber = toint(EventData.IpPort),\r\n TargetSessionId = tostring(EventData.TargetLogonId),\r\n TargetUserId = tostring(EventData.TargetUserSid),\r\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\", EventData.TargetUserName)))\r\n | extend \r\n EventStatus = iff(SubStatus == '0x0', Status, SubStatus)\r\n // -- creating EventMessage matching EventMessage in SecurityEvent table\r\n | extend \r\n EventMessage = case(\r\n EventID == 4624,\r\n \"4624 - An account was successfully logged on.\",\r\n EventID == 4625,\r\n \"4625 - An account failed to log on.\",\r\n EventID == 4634,\r\n \"4634 - An account was logged off.\", \r\n \"4647 - User initiated logoff.\"\r\n ),\r\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\r\n | project-rename \r\n EventOriginalType = EventID,\r\n EventOriginalUid = EventOriginId, \r\n EventUid = _ItemId, \r\n TargetDvcHostname = Computer\r\n | extend \r\n ActorUserIdType = 'SID',\r\n ActorUsernameType = iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows'),\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventSchema = 'Authentication',\r\n 
EventSchemaVersion = '0.1.3',\r\n EventStartTime = TimeGenerated,\r\n EventStatus = iff(SubStatus == '0x0', Status, SubStatus),\r\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\r\n EventVendor = 'Microsoft',\r\n SrcDvcOs = 'Windows',\r\n TargetUserIdType = 'SID',\r\n TargetUsernameType = iff(TargetDomainName in ('-', ''), 'Simple', 'Windows')\r\n | extend\r\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\r\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),\r\n EventOriginalType = tostring(EventOriginalType)\r\n | lookup LogonStatus on EventStatus\r\n | lookup LogonTypes on LogonType\r\n /// ** Aliases \r\n | extend\r\n Dvc = SrcHostname,\r\n DvcHostName = SrcHostname,\r\n LogonTarget = TargetDvcHostname,\r\n User = TargetUsername,\r\n IpAddr = SrcIpAddr\r\n | project-away\r\n EventData,\r\n LogonGuid,\r\n EventStatus,\r\n LogonType,\r\n Status,\r\n SubStatus,\r\n TargetDomainName,\r\n TargetDvcHostname\r\n};\r\nlet SecEventLogon=(disabled: bool=false) {\r\n SecurityEvent \r\n | where not(disabled)\r\n | where EventID in (LogonEvents) or \r\n EventID in (LogoffEvents)\r\n | project\r\n SubjectLogonId,\r\n SubjectUserSid,\r\n Activity,\r\n EventID,\r\n EventOriginId,\r\n AuthenticationPackageName,\r\n WorkstationName,\r\n IpAddress,\r\n Computer,\r\n TargetLogonId,\r\n TargetUserSid,\r\n SubjectDomainName,\r\n SubjectUserName,\r\n SubjectAccount,\r\n TimeGenerated,\r\n SubStatus,\r\n TargetDomainName,\r\n TargetUserName,\r\n AccountType,\r\n TargetAccount,\r\n Status,\r\n LogonType,\r\n Type\r\n | project-rename \r\n ActorSessionId = SubjectLogonId,\r\n ActorUserId = SubjectUserSid,\r\n EventMessage = Activity,\r\n EventOriginalType = EventID,\r\n EventOriginalUid = EventOriginId,\r\n LogonProtocol = AuthenticationPackageName,\r\n SrcIpAddr = IpAddress,\r\n TargetDvcHostname = Computer,\r\n TargetSessionId = TargetLogonId,\r\n TargetUserId = TargetUserSid\r\n | extend \r\n ActorUserIdType = 
'SID',\r\n ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount),\r\n ActorUsernameType = iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows'),\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventProduct = \"Security Events\",\r\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'),\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.0',\r\n EventStartTime = TimeGenerated,\r\n EventStatus = iff(SubStatus == '0x0', Status, SubStatus),\r\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\r\n EventVendor = 'Microsoft',\r\n SrcDvcOs = 'Windows',\r\n SrcHostname = iff (WorkstationName in ('-', ''), TargetDvcHostname, WorkstationName),\r\n TargetUserIdType = 'SID',\r\n TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\\\', TargetUserName), trim(@'\\\\', TargetAccount)),\r\n TargetUsernameType = iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\r\n | project-away TargetUserName, AccountType\r\n | extend\r\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\r\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),\r\n EventOriginalType = tostring(EventOriginalType)\r\n | lookup LogonStatus on EventStatus\r\n | lookup LogonTypes on LogonType\r\n /// ** Aliases \r\n | extend\r\n Dvc = SrcHostname,\r\n DvcHostName = SrcHostname,\r\n LogonTarget = TargetDvcHostname,\r\n User = TargetUsername,\r\n IpAddr = SrcIpAddr\r\n | project-away\r\n EventStatus,\r\n LogonType,\r\n Status,\r\n SubStatus,\r\n SubjectAccount,\r\n SubjectDomainName,\r\n SubjectUserName,\r\n EventStatus,\r\n TargetAccount,\r\n TargetDomainName,\r\n TargetDvcHostname\r\n};\r\nunion isfuzzy=true \r\n SecEventLogon(disabled=disabled), \r\n WinLogon(disabled=disabled)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Windows Security 
Events.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"a0a3d98c-e4c7-596a-a832-ca57ac301fd2","name":"_ASim_Authentication_NativeV01","body":"let parser=(disabled:bool=false) \r\n{\r\n ASimAuthenticationEventLogs | where not(disabled)\r\n | extend\r\n User = TargetUsername,\r\n Src = coalesce (SrcDvcId, SrcHostname, SrcIpAddr),\r\n IpAddr=SrcIpAddr,\r\n LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),\r\n Dvc=EventVendor,\r\n Application=TargetAppName,\r\n Dst = coalesce (TargetDvcId,TargetHostname, TargetIpAddr, TargetAppId,TargetAppName), \r\n Rule = coalesce(RuleName, tostring(RuleNumber)),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventSchema = \"Authentication\"\r\n | project-rename\r\n EventUid = _ItemId\r\n | project-away TenantId, SourceSystem, _ResourceId, _SubscriptionId\r\n};\r\nparser (disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"Authentication Event ASIM parser for Microsoft Sentinel native Authentication table.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"601063a8-2ad6-51b2-8269-a9bf88793338","name":"_ASim_Authentication_OktaSSOV02","body":"let parser=(disabled: bool=false) {\r\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\r\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\r\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\r\n let emptyOctV1Table = datatable(TimeGenerated:datetime)[];\r\n let emptyOctaV2Table = datatable(\r\n TimeGenerated: datetime,\r\n ActorDetailEntry: dynamic,\r\n ActorDisplayName: string,\r\n AuthenticationContext: string,\r\n AuthenticationProvider: string,\r\n AuthenticationStep: string,\r\n AuthenticationContextAuthenticationProvider: string,\r\n AuthenticationContextAuthenticationStep: int,\r\n AuthenticationContextCredentialProvider: 
string,\r\n AuthenticationContextInterface: string,\r\n AuthenticationContextIssuerId: string,\r\n AuthenticationContextIssuerType: string,\r\n DebugData: dynamic,\r\n DvcAction: string,\r\n EventResult:string,\r\n OriginalActorAlternateId: string,\r\n OriginalClientDevice: string,\r\n OriginalOutcomeResult: string,\r\n OriginalSeverity: string,\r\n OriginalTarget: dynamic,\r\n OriginalUserId: string,\r\n OriginalUserType: string,\r\n Request: dynamic,\r\n SecurityContextAsNumber: int,\r\n SecurityContextAsOrg: string,\r\n SecurityContextDomain: string,\r\n SecurityContextIsProxy: bool,\r\n TransactionDetail: dynamic,\r\n TransactionId: string,\r\n TransactionType: string\r\n)[];\r\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\r\n let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL \r\n | where not(disabled)\r\n | extend\r\n outcome_result_s=column_ifexists('outcome_result_s', \"\")\r\n ,\r\n eventType_s=column_ifexists('eventType_s', \"\")\r\n ,\r\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\")\r\n ,\r\n client_geographicalContext_geolocation_lat_d=column_ifexists('client_geographicalContext_geolocation_lat_d', \"\")\r\n ,\r\n client_geographicalContext_geolocation_lon_d=column_ifexists('client_geographicalContext_geolocation_lon_d', \"\")\r\n | where eventType_s in (OktaSigninEvents)\r\n | extend \r\n EventProduct='Okta'\r\n ,\r\n EventVendor='Okta'\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventCount=int(1)\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\r\n ,\r\n EventStartTime=TimeGenerated\r\n ,\r\n EventEndTime=TimeGenerated\r\n ,\r\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\r\n ,\r\n EventSubType=legacyEventType_s\r\n ,\r\n EventMessage=column_ifexists('displayMessage_s', \"\")\r\n ,\r\n 
EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\r\n ,\r\n EventOriginalUid = column_ifexists('uuid_g', \"\")\r\n ,\r\n TargetUserIdType='OktaId'\r\n ,\r\n TargetUsernameType='UPN'\r\n ,\r\n TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\r\n ,\r\n TargetUserId=column_ifexists('actor_id_s', \"\")\r\n ,\r\n TargetUsername=column_ifexists('actor_alternateId_s', \"\")\r\n ,\r\n TargetUserType=column_ifexists('actor_type_s', \"\")\r\n ,\r\n SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\r\n ,\r\n SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\r\n ,\r\n SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\r\n ,\r\n SrcIsp=column_ifexists('securityContext_isp_s', \"\")\r\n ,\r\n SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\r\n ,\r\n SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\r\n ,\r\n SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\r\n ,\r\n ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\r\n ,\r\n ActingAppType=\"Browser\"\r\n ,\r\n LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\r\n ,\r\n HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\r\n // ** Aliases\r\n | extend \r\n User=TargetUsername\r\n ,\r\n Dvc=EventVendor\r\n ,\r\n IpAddr=SrcIpAddr\r\n | project-away *_s, *_d, *_b, *_g, *_t;\r\n let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL\r\n | where not(disabled) \r\n | extend EventOriginalType=column_ifexists('EventOriginalType', \"\") \r\n | where EventOriginalType in (OktaSigninEvents)\r\n | extend \r\n EventProduct='Okta'\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventVendor='Okta'\r\n ,\r\n EventCount=int(1)\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n EventStartTime=TimeGenerated\r\n ,\r\n EventEndTime=TimeGenerated\r\n ,\r\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \r\n ,\r\n 
TargetSessionId=column_ifexists('ActorSessionId', \"\")\r\n ,\r\n TargetUserId= column_ifexists('ActorUserId', \"\")\r\n ,\r\n TargetUsername=column_ifexists('ActorUsername', \"\")\r\n ,\r\n TargetUserType=column_ifexists('ActorUserType', \"\")\r\n ,\r\n TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\r\n ,\r\n TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\r\n ,\r\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\r\n //** extend non-normalized fields to be projected-away \r\n ,\r\n ActorDetailEntry,\r\n ActorDisplayName,\r\n AuthenticationContextAuthenticationProvider,\r\n AuthenticationContextAuthenticationStep\r\n ,\r\n AuthenticationContextCredentialProvider,\r\n AuthenticationContextInterface,\r\n AuthenticationContextIssuerId,\r\n AuthenticationContextIssuerType\r\n ,\r\n DebugData,\r\n DvcAction,\r\n OriginalActorAlternateId,\r\n OriginalClientDevice,\r\n OriginalOutcomeResult,\r\n OriginalSeverity,\r\n OriginalTarget\r\n ,\r\n OriginalUserId,\r\n OriginalUserType,\r\n Request,\r\n SecurityContextAsNumber,\r\n SecurityContextAsOrg,\r\n SecurityContextDomain,\r\n SecurityContextIsProxy\r\n ,\r\n TransactionDetail,\r\n TransactionId,\r\n TransactionType\r\n // ** Aliases\r\n | extend \r\n User=TargetUsername\r\n ,\r\n Dvc=EventVendor\r\n ,\r\n IpAddr=SrcIpAddr\r\n | project-away\r\n ActorDetailEntry,\r\n ActorDisplayName,\r\n AuthenticationContextAuthenticationProvider,\r\n AuthenticationContextAuthenticationStep\r\n ,\r\n AuthenticationContextCredentialProvider,\r\n AuthenticationContextInterface,\r\n AuthenticationContextIssuerId,\r\n AuthenticationContextIssuerType\r\n ,\r\n DebugData,\r\n DvcAction,\r\n OriginalActorAlternateId,\r\n OriginalClientDevice,\r\n OriginalOutcomeResult,\r\n OriginalSeverity,\r\n OriginalTarget\r\n ,\r\n OriginalUserId,\r\n OriginalUserType,\r\n Request,\r\n SecurityContextAsNumber,\r\n SecurityContextAsOrg,\r\n SecurityContextDomain,\r\n SecurityContextIsProxy\r\n ,\r\n TransactionDetail,\r\n 
TransactionId,\r\n TransactionType;\r\n union isfuzzy=true OktaV1, OktaV2\r\n};\r\nparser(disabled = disabled)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Okta.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"9b17aa5d-f557-5cce-b0d3-ca069f133bcc","name":"_ASim_Authentication_OktaSSOV03","body":"let parser=(disabled: bool=false) {\r\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\r\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\r\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\r\n let emptyOctV1Table = datatable(TimeGenerated:datetime)[];\r\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\r\n let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL \r\n | where not(disabled)\r\n | extend\r\n outcome_result_s=column_ifexists('outcome_result_s', \"\")\r\n ,\r\n eventType_s=column_ifexists('eventType_s', \"\")\r\n ,\r\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\")\r\n ,\r\n client_geographicalContext_geolocation_lat_d=column_ifexists('client_geographicalContext_geolocation_lat_d', \"\")\r\n ,\r\n client_geographicalContext_geolocation_lon_d=column_ifexists('client_geographicalContext_geolocation_lon_d', \"\")\r\n | where eventType_s in (OktaSigninEvents)\r\n | extend \r\n EventProduct='Okta'\r\n ,\r\n EventVendor='Okta'\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventCount=int(1)\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\r\n ,\r\n EventStartTime=TimeGenerated\r\n ,\r\n EventEndTime=TimeGenerated\r\n ,\r\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\r\n ,\r\n EventSubType=legacyEventType_s\r\n ,\r\n EventMessage=column_ifexists('displayMessage_s', \"\")\r\n ,\r\n 
EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\r\n ,\r\n EventOriginalUid = column_ifexists('uuid_g', \"\")\r\n ,\r\n TargetUserIdType='OktaId'\r\n ,\r\n TargetUsernameType='UPN'\r\n ,\r\n TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\r\n ,\r\n TargetUserId=column_ifexists('actor_id_s', \"\")\r\n ,\r\n TargetUsername=column_ifexists('actor_alternateId_s', \"\")\r\n ,\r\n TargetUserType=column_ifexists('actor_type_s', \"\")\r\n ,\r\n SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\r\n ,\r\n SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\r\n ,\r\n SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\r\n ,\r\n SrcIsp=column_ifexists('securityContext_isp_s', \"\")\r\n ,\r\n SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\r\n ,\r\n SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\r\n ,\r\n SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\r\n ,\r\n ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\r\n ,\r\n ActingAppType=\"Browser\"\r\n ,\r\n LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\r\n ,\r\n HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\r\n // ** Aliases\r\n | extend \r\n User=TargetUsername\r\n ,\r\n Dvc=EventVendor\r\n ,\r\n IpAddr=SrcIpAddr\r\n | project-away *_s, *_d, *_b, *_g, *_t;\r\n OktaV1\r\n};\r\nparser(disabled = disabled)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Okta.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"89348ee3-6aeb-5a04-ad1d-d48b1a7ba686","name":"_ASim_Authentication_OktaSSOV04","body":"let parser=(disabled: bool=false) {\r\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\r\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\r\n let 
OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\r\n let OutcomeReasonLookup = datatable(outcome_reason_s: string, EventResultDetails: string)\r\n [\r\n \"LOCKED_OUT\", \"User locked\",\r\n \"INVALID_CREDENTIALS\", \"Incorrect password\",\r\n \"UNKNOWN_USER\", \"No such user\",\r\n \"VERIFICATION_ERROR\", \"Incorrect key\",\r\n \"SSO_AUTHENTICATION_FAILURE\", \"Logon violates policy\",\r\n \"PASSWORD_EXPIRED\", \"Password expired\",\r\n \"USER_ACCOUNT_EXPIRED\", \"Account expired\",\r\n \"DEL_AUTH_TIMEOUT\", \"Session expired\",\r\n \"PASSWORD_BASED_LOGIN_DISALLOWED\", \"Logon violates policy\"\r\n ];\r\n let SrcDeviceTypeLookup = datatable(client_device_s: string, SrcDeviceType: string)\r\n [\r\n \"Computer\", \"Computer\",\r\n \"Mobile\", \"Mobile Device\",\r\n \"Tablet\", \"Mobile Device\"\r\n ];\r\n let ActorUserTypeLookup = datatable(ActorOriginalUserType: string, ActorUserType: string)\r\n [\r\n \"User\", \"Regular\",\r\n \"SystemPrincipal\", \"System\"\r\n ];\r\n let emptyOktaTable = datatable(\r\n TimeGenerated: datetime,\r\n outcome_result_s: string,\r\n eventType_s: string,\r\n legacyEventType_s: string,\r\n client_geographicalContext_geolocation_lat_d: double,\r\n client_geographicalContext_geolocation_lon_d: double,\r\n displayMessage_s: string,\r\n outcome_reason_s: string,\r\n uuid_g: string,\r\n actor_id_s: string,\r\n actor_alternateId_s: string,\r\n authenticationContext_externalSessionId_s: string,\r\n actor_type_s: string,\r\n client_userAgent_os_s: string,\r\n securityContext_isp_s: string,\r\n client_geographicalContext_city_s: string,\r\n client_geographicalContext_country_s: string,\r\n client_ipAddress_s: string,\r\n client_userAgent_browser_s: string,\r\n authenticationContext_credentialType_s: string,\r\n client_userAgent_rawUserAgent_s: string,\r\n client_geographicalContext_state_s: string,\r\n client_device_s: string\r\n )[];\r\n let OktaTable = union isfuzzy=true emptyOktaTable, Okta_CL;\r\n OktaTable\r\n | where 
not(disabled)\r\n | lookup OutcomeReasonLookup on outcome_reason_s\r\n | extend EventResultDetails = iif(outcome_result_s in (OktaFailedOutcome), coalesce(EventResultDetails, \"Other\"), \"\")\r\n | extend\r\n Type = \"Okta_CL\",\r\n EventProduct='Okta',\r\n EventVendor='Okta',\r\n EventSchema = 'Authentication',\r\n EventCount=int(1),\r\n EventSchemaVersion='0.1.3',\r\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial'),\r\n EventStartTime=TimeGenerated,\r\n EventEndTime=TimeGenerated,\r\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff'),\r\n TargetUserIdType = \"OktaId\",\r\n ActingAppType = \"Browser\"\r\n | project-rename\r\n EventOriginalSubType=legacyEventType_s,\r\n EventMessage=displayMessage_s,\r\n EventOriginalResultDetails=outcome_reason_s,\r\n EventOriginalUid=uuid_g,\r\n TargetUserId = actor_id_s,\r\n TargetUsername = actor_alternateId_s,\r\n TargetSessionId = authenticationContext_externalSessionId_s,\r\n ActorOriginalUserType = actor_type_s,\r\n SrcGeoLatitude = client_geographicalContext_geolocation_lat_d,\r\n SrcGeoLongitude = client_geographicalContext_geolocation_lon_d,\r\n SrcDvcOs = client_userAgent_os_s,\r\n SrcIsp = securityContext_isp_s,\r\n SrcGeoCity = client_geographicalContext_city_s,\r\n SrcGeoCountry = client_geographicalContext_country_s,\r\n SrcIpAddr = client_ipAddress_s,\r\n ActingAppName = client_userAgent_browser_s,\r\n LogonMethod = authenticationContext_credentialType_s,\r\n HttpUserAgent = client_userAgent_rawUserAgent_s,\r\n SrcGeoRegion = client_geographicalContext_state_s\r\n | extend\r\n ActorUserId = TargetUserId,\r\n ActorUsername = TargetUsername,\r\n ActorUserIdType = TargetUserIdType\r\n | lookup ActorUserTypeLookup on ActorOriginalUserType\r\n | extend\r\n TargetUserType = ActorUserType,\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\r\n | 
lookup SrcDeviceTypeLookup on client_device_s\r\n | extend SrcDeviceType = coalesce(SrcDeviceType, \"Other\")\r\n | extend \r\n User=TargetUsername,\r\n Dvc=EventVendor,\r\n IpAddr=SrcIpAddr\r\n | project\r\n TimeGenerated,\r\n Type,\r\n EventResultDetails,\r\n EventProduct,\r\n EventVendor,\r\n EventSchema,\r\n EventCount,\r\n EventSchemaVersion,\r\n EventResult,\r\n EventStartTime,\r\n EventEndTime,\r\n EventType,\r\n EventOriginalSubType,\r\n EventMessage,\r\n EventOriginalResultDetails,\r\n EventOriginalUid,\r\n TargetUserIdType,\r\n TargetUserId,\r\n TargetUsername,\r\n TargetSessionId,\r\n ActorOriginalUserType,\r\n SrcGeoLatitude,\r\n SrcGeoLongitude,\r\n SrcDvcOs,\r\n SrcIsp,\r\n SrcGeoCity,\r\n SrcGeoCountry,\r\n SrcIpAddr,\r\n ActingAppType,\r\n LogonMethod,\r\n HttpUserAgent,\r\n ActorUserId,\r\n ActorUsername,\r\n ActorUserIdType,\r\n ActorUserType,\r\n TargetUserType,\r\n TargetUsernameType,\r\n ActorUsernameType,\r\n SrcDeviceType,\r\n User,\r\n Dvc,\r\n IpAddr\r\n};\r\nparser(disabled = disabled)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Okta.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"446d84be-f8c7-55b1-89d5-a41d63796936","name":"_ASim_Authentication_OktaSystemLogsV01","body":"let OktaSignInEvents= dynamic([\"user.session.start\", \"user.session.end\"]);\r\nlet OutcomeReasonLookup = datatable(EventOriginalResultDetails: string, EventResultDetails: string)[\r\n \"LOCKED_OUT\", \"User locked\",\r\n \"INVALID_CREDENTIALS\", \"Incorrect password\",\r\n \"UNKNOWN_USER\", \"No such user\",\r\n \"VERIFICATION_ERROR\", \"Incorrect key\",\r\n \"SSO_AUTHENTICATION_FAILURE\", \"Logon violates policy\",\r\n \"PASSWORD_EXPIRED\", \"Password expired\",\r\n \"USER_ACCOUNT_EXPIRED\", \"Account expired\",\r\n \"DEL_AUTH_TIMEOUT\", \"Session expired\",\r\n \"PASSWORD_BASED_LOGIN_DISALLOWED\", \"Logon violates policy\"\r\n];\r\nlet 
SrcDeviceTypeLookup = datatable(OriginalClientDevice: string, SrcDeviceTypeMapped: string)\r\n[\r\n \"Computer\", \"Computer\",\r\n \"Mobile\", \"Mobile Device\",\r\n \"Tablet\", \"Mobile Device\"\r\n];\r\nlet parser = (disabled: bool) {\r\n OktaSystemLogs\r\n | where not(disabled)\r\n | where EventOriginalType in (OktaSignInEvents)\r\n | extend\r\n Type = \"OktaSystemLogs\",\r\n EventVendor = \"Okta\",\r\n EventProduct = \"Okta\",\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.3\",\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated\r\n | lookup OutcomeReasonLookup on EventOriginalResultDetails\r\n | extend EventResultDetails = iff(EventResult == \"Failure\", coalesce(EventResultDetails, \"Other\"), \"\")\r\n | lookup SrcDeviceTypeLookup on OriginalClientDevice\r\n | extend\r\n EventType = iff(EventOriginalType hassuffix 'start', \"Logon\", \"Logoff\"),\r\n ActingAppName,\r\n ActingAppType,\r\n TargetSessionId = ActorSessionId,\r\n TargetUserId = ActorUserId,\r\n TargetUserIdType = ActorUserIdType,\r\n ActorUsername = coalesce(ActorUsername, OriginalActorAlternateId),\r\n ActorUsernameType,\r\n TargetUsername = ActorUsername,\r\n TargetUsernameType = ActorUsernameType,\r\n TargetUserType = ActorUserType,\r\n EventResult,\r\n EventSeverity,\r\n HttpUserAgent,\r\n DvcAction,\r\n EventMessage,\r\n EventOriginalResultDetails,\r\n EventOriginalType,\r\n EventOriginalUid,\r\n LogonMethod,\r\n EventOriginalSeverity = OriginalSeverity,\r\n ActorOriginalUserType = OriginalUserType,\r\n SrcIsp,\r\n SrcIpAddr,\r\n SrcGeoRegion,\r\n SrcGeoLongitude = toreal(SrcGeoLongtitude),\r\n SrcGeoLatitude = toreal(SrcGeoLatitude),\r\n SrcGeoCountry,\r\n SrcGeoCity,\r\n SrcDvcOs,\r\n SrcDvcId,\r\n SrcDvcIdType,\r\n SrcDeviceType = SrcDeviceTypeMapped\r\n // Aliases\r\n | extend\r\n User = TargetUsername,\r\n Dvc = EventVendor,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr\r\n | project\r\n TimeGenerated,\r\n Type,\r\n 
EventVendor,\r\n EventProduct,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventCount,\r\n EventStartTime,\r\n EventEndTime,\r\n EventResultDetails,\r\n EventType,\r\n ActingAppName,\r\n ActingAppType,\r\n TargetSessionId,\r\n TargetUserId,\r\n TargetUserIdType,\r\n ActorUsername,\r\n ActorUsernameType,\r\n TargetUsername,\r\n TargetUsernameType,\r\n TargetUserType,\r\n EventResult,\r\n EventSeverity,\r\n HttpUserAgent,\r\n DvcAction,\r\n EventMessage,\r\n EventOriginalResultDetails,\r\n EventOriginalType,\r\n EventOriginalUid,\r\n LogonMethod,\r\n EventOriginalSeverity,\r\n ActorOriginalUserType,\r\n SrcIsp,\r\n SrcIpAddr,\r\n SrcGeoRegion,\r\n SrcGeoLongitude,\r\n SrcGeoLatitude,\r\n SrcGeoCountry,\r\n SrcGeoCity,\r\n SrcDvcOs,\r\n SrcDvcId,\r\n SrcDvcIdType,\r\n SrcDeviceType,\r\n User,\r\n Dvc,\r\n IpAddr\r\n};\r\nparser(disabled = disabled)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for OktaSystemLogs.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"e75d711c-4e13-5c99-b771-065c8a65a21e","name":"_ASim_Authentication_OktaV2V03","body":"let parser=(disabled: bool=false) {\r\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\r\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\r\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\r\n let emptyOctaV2Table = datatable(\r\n TimeGenerated: datetime,\r\n ActorDetailEntry: dynamic,\r\n ActorDisplayName: string,\r\n AuthenticationContext: string,\r\n AuthenticationProvider: string,\r\n AuthenticationStep: string,\r\n AuthenticationContextAuthenticationProvider: string,\r\n AuthenticationContextAuthenticationStep: int,\r\n AuthenticationContextCredentialProvider: string,\r\n AuthenticationContextInterface: string,\r\n AuthenticationContextIssuerId: string,\r\n AuthenticationContextIssuerType: string,\r\n DebugData: dynamic,\r\n DvcAction: string,\r\n 
EventResult:string,\r\n OriginalActorAlternateId: string,\r\n OriginalClientDevice: string,\r\n OriginalOutcomeResult: string,\r\n OriginalSeverity: string,\r\n OriginalTarget: dynamic,\r\n OriginalUserId: string,\r\n OriginalUserType: string,\r\n Request: dynamic,\r\n SecurityContextAsNumber: int,\r\n SecurityContextAsOrg: string,\r\n SecurityContextDomain: string,\r\n SecurityContextIsProxy: bool,\r\n TransactionDetail: dynamic,\r\n TransactionId: string,\r\n TransactionType: string\r\n)[];\r\n let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL\r\n | where not(disabled) \r\n | extend\r\n EventOriginalType=column_ifexists('EventOriginalType', \"\") \r\n ,\r\n OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', \"\")\r\n ,\r\n ActorUsername=column_ifexists('ActorUsername', \"\")\r\n ,\r\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\r\n | where EventOriginalType in (OktaSigninEvents)\r\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\r\n | extend \r\n EventProduct='Okta'\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventVendor='Okta'\r\n ,\r\n EventCount=int(1)\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n EventStartTime=TimeGenerated\r\n ,\r\n EventEndTime=TimeGenerated\r\n ,\r\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \r\n ,\r\n TargetSessionId=column_ifexists('ActorSessionId', \"\")\r\n ,\r\n TargetUserId= column_ifexists('ActorUserId', \"\")\r\n ,\r\n TargetUsername=column_ifexists('ActorUsername', \"\")\r\n ,\r\n TargetUserType=column_ifexists('ActorUserType', \"\")\r\n ,\r\n TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\r\n ,\r\n TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\r\n ,\r\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\r\n //** extend non-normalized fields to be projected-away \r\n ,\r\n ActorDetailEntry,\r\n ActorDisplayName,\r\n AuthenticationContextAuthenticationProvider,\r\n AuthenticationContextAuthenticationStep,\r\n 
AuthenticationContextCredentialProvider,\r\n AuthenticationContextInterface,\r\n AuthenticationContextIssuerId,\r\n AuthenticationContextIssuerType\r\n ,\r\n DebugData,\r\n DvcAction,\r\n OriginalActorAlternateId,\r\n OriginalClientDevice,\r\n OriginalOutcomeResult,\r\n OriginalSeverity,\r\n OriginalTarget,\r\n OriginalUserId,\r\n OriginalUserType,\r\n Request,\r\n SecurityContextAsNumber,\r\n SecurityContextAsOrg,\r\n SecurityContextDomain,\r\n SecurityContextIsProxy\r\n ,\r\n TransactionDetail,\r\n TransactionId,\r\n TransactionType\r\n // ** Aliases\r\n | extend \r\n User=TargetUsername\r\n ,\r\n Dvc=EventVendor\r\n ,\r\n IpAddr=SrcIpAddr\r\n | project-away\r\n ActorDetailEntry,\r\n ActorDisplayName,\r\n AuthenticationContextAuthenticationProvider,\r\n AuthenticationContextAuthenticationStep,\r\n AuthenticationContextCredentialProvider,\r\n AuthenticationContextInterface,\r\n AuthenticationContextIssuerId,\r\n AuthenticationContextIssuerType,\r\n DebugData,\r\n DvcAction,\r\n OriginalActorAlternateId,\r\n OriginalClientDevice,\r\n OriginalOutcomeResult,\r\n OriginalSeverity,\r\n OriginalTarget,\r\n OriginalUserId,\r\n OriginalUserType,\r\n Request,\r\n SecurityContextAsNumber,\r\n SecurityContextAsOrg,\r\n SecurityContextDomain,\r\n SecurityContextIsProxy,\r\n TransactionId,\r\n TransactionType;\r\n OktaV2\r\n};\r\nparser(disabled = disabled)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for OktaV2.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"440cc65c-1f24-58d7-a03c-5a7b32559cfa","name":"_ASim_Authentication_OktaV2V04","body":"let parser=(disabled: bool=false) {\r\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\r\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\r\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\r\n let SrcDeviceTypeLookup = datatable(OriginalClientDevice: string, SrcDeviceType: 
string)\r\n [\r\n \"Computer\", \"Computer\",\r\n \"Mobile\", \"Mobile Device\",\r\n \"Tablet\", \"Mobile Device\"\r\n ];\r\n let OutcomeReasonLookup = datatable(EventOriginalResultDetails: string, EventResultDetails: string)\r\n [\r\n \"LOCKED_OUT\", \"User locked\",\r\n \"INVALID_CREDENTIALS\", \"Incorrect password\",\r\n \"UNKNOWN_USER\", \"No such user\",\r\n \"VERIFICATION_ERROR\", \"Incorrect key\",\r\n \"SSO_AUTHENTICATION_FAILURE\", \"Logon violates policy\",\r\n \"PASSWORD_EXPIRED\", \"Password expired\",\r\n \"USER_ACCOUNT_EXPIRED\", \"Account expired\",\r\n \"DEL_AUTH_TIMEOUT\", \"Session expired\",\r\n \"PASSWORD_BASED_LOGIN_DISALLOWED\", \"Logon violates policy\"\r\n ];\r\n OktaV2_CL\r\n | where not(disabled)\r\n | where EventOriginalType in (OktaSigninEvents)\r\n | lookup OutcomeReasonLookup on EventOriginalResultDetails\r\n | extend EventResultDetails = iif(OriginalOutcomeResult in (OktaFailedOutcome), coalesce(EventResultDetails, \"Other\"), \"\")\r\n | lookup SrcDeviceTypeLookup on OriginalClientDevice\r\n | extend SrcDeviceType = coalesce(SrcDeviceType, \"Other\")\r\n | extend\r\n Type = \"OktaV2_CL\",\r\n EventProduct = \"Okta\",\r\n EventSchema = \"Authentication\",\r\n EventVendor = \"Okta\",\r\n EventCount = int(1),\r\n EventSchemaVersion='0.1.3',\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff'),\r\n ActorUsername = coalesce(ActorUsername, OriginalActorAlternateId),\r\n ActorUserIdType = \"OktaId\",\r\n EventResult = coalesce(EventResult,\r\n case (\r\n OriginalOutcomeResult in (OktaSuccessfulOutcome), 'Success',\r\n OriginalOutcomeResult in (OktaFailedOutcome), 'Failure',\r\n 'Partial')),\r\n SrcIpAddr,\r\n ActorSessionId,\r\n ActorUserId,\r\n SrcGeoRegion,\r\n SrcGeoCity,\r\n SrcGeoCountry,\r\n SrcDvcOs,\r\n SrcDvcId,\r\n SrcDvcIdType,\r\n DvcAction,\r\n EventOriginalUid,\r\n TargetSessionId = ActorSessionId,\r\n TargetUserId = ActorUserId,\r\n 
TargetUsername = ActorUsername,\r\n TargetUserType = ActorUserType,\r\n TargetUserIdType = ActorUserIdType\r\n | extend TargetUserType = case(\r\n TargetUserType == \"System Principal\", \"System\",\r\n TargetUserType\r\n )\r\n | extend\r\n ActorUserType = TargetUserType,\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\r\n // ** Aliases\r\n | extend \r\n User=TargetUsername,\r\n Dvc=EventVendor,\r\n IpAddr=SrcIpAddr\r\n | project\r\n TimeGenerated,\r\n EventOriginalType,\r\n EventOriginalResultDetails,\r\n EventOriginalUid,\r\n EventResultDetails,\r\n SrcDeviceType,\r\n Type,\r\n EventProduct,\r\n EventSchema,\r\n EventVendor,\r\n EventCount,\r\n EventSchemaVersion,\r\n EventStartTime,\r\n EventEndTime,\r\n EventType,\r\n TargetSessionId,\r\n TargetUserId,\r\n TargetUsername,\r\n TargetUserType,\r\n TargetUserIdType,\r\n SrcIpAddr,\r\n ActorSessionId,\r\n ActorUserId,\r\n ActorUsername,\r\n ActorUserType,\r\n ActorUserIdType,\r\n EventResult,\r\n SrcGeoRegion,\r\n SrcGeoCity,\r\n SrcGeoCountry,\r\n SrcDvcOs,\r\n SrcDvcId,\r\n SrcDvcIdType,\r\n DvcAction,\r\n TargetUsernameType,\r\n ActorUsernameType,\r\n User,\r\n Dvc,\r\n IpAddr\r\n};\r\nparser(disabled = disabled)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for OktaV2.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"faa9385d-b3b4-5150-8caa-686d73034598","name":"_ASim_Authentication_PaloAltoCortexDataLakeV01","body":"let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\r\n[\r\n \"0\", \"Low\",\r\n \"1\", \"Low\",\r\n \"2\", \"Low\",\r\n \"3\", \"Low\",\r\n \"4\", \"Low\",\r\n \"5\", \"Low\",\r\n \"6\", \"Medium\",\r\n \"7\", \"Medium\",\r\n \"8\", \"Medium\",\r\n \"9\", \"High\",\r\n \"10\", \"High\"\r\n];\r\nlet parser = (disabled: bool=false) {\r\n CommonSecurityLog\r\n | where not(disabled)\r\n and 
DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\r\n and DeviceEventClassID == \"AUTH\"\r\n | parse-kv AdditionalExtensions as (PanOSSourceDeviceHost: string, PanOSSourceDeviceOSFamily: string, PanOSAuthenticationProtocol: string, PanOSAuthenticatedUserDomain: string, PanOSAuthenticatedUserName: string, PanOSAuthenticatedUserUUID: string, start: string, PanOSLogSource: string, PanOSRuleMatchedUUID: string, PanOSAuthenticationDescription: string, PanOSClientTypeName: string, PanOSConfigVersion: string, PanOSMFAVendor: string, PanOSSourceDeviceCategory: string, PanOSSourceDeviceModel: string, PanOSSourceDeviceProfile: string, PanOSSourceDeviceVendor: string, PanOSUserAgentString: string, PanOSCortexDataLakeTenantID: string, PanOSSessionID: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\r\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\r\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\r\n | lookup EventSeverityLookup on LogSeverity\r\n | extend\r\n EventStartTime = todatetime(start),\r\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\r\n TargetIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\r\n EventMessage = Message,\r\n LogonMethod = case(\r\n FieldDeviceCustomNumber1 == 1, \"Username & Password\",\r\n FieldDeviceCustomNumber1 == 2, \"Multi factor authentication\",\r\n FieldDeviceCustomNumber1 == 3, \"Multi factor authentication\",\r\n \"\"\r\n ),\r\n AdditionalFields = bag_pack(\r\n \"FileName\",\r\n FileName,\r\n \"PanOSLogSource\",\r\n PanOSLogSource,\r\n \"PanOSRuleMatchedUUID\",\r\n PanOSRuleMatchedUUID,\r\n DeviceCustomNumber1Label,\r\n FieldDeviceCustomNumber1, \r\n DeviceCustomNumber2Label,\r\n FieldDeviceCustomNumber2,\r\n DeviceCustomString3Label,\r\n DeviceCustomString3,\r\n DeviceCustomString4Label,\r\n DeviceCustomString4,\r\n DeviceCustomString5Label,\r\n DeviceCustomString5,\r\n DeviceCustomString6Label,\r\n DeviceCustomString6,\r\n \"PanOSAuthenticationDescription\",\r\n 
PanOSAuthenticationDescription,\r\n \"PanOSClientTypeName\",\r\n PanOSClientTypeName,\r\n \"PanOSConfigVersion\",\r\n PanOSConfigVersion,\r\n \"PanOSMFAVendor\",\r\n PanOSMFAVendor,\r\n \"PanOSSourceDeviceCategory\",\r\n PanOSSourceDeviceCategory,\r\n \"PanOSSourceDeviceModel\",\r\n PanOSSourceDeviceModel,\r\n \"PanOSSourceDeviceProfile\",\r\n PanOSSourceDeviceProfile,\r\n \"PanOSSourceDeviceVendor\",\r\n PanOSSourceDeviceVendor\r\n )\r\n | project-rename\r\n DvcIpAddr = Computer,\r\n EventUid = _ItemId,\r\n DvcId = DeviceExternalID,\r\n EventOriginalResultDetails = Message,\r\n EventOriginalSeverity = LogSeverity,\r\n EventOriginalType = DeviceEventClassID,\r\n EventOriginalUid = ExtID,\r\n EventProductVersion = DeviceVersion,\r\n LogonProtocol = PanOSAuthenticationProtocol,\r\n SrcDvcOs = PanOSSourceDeviceOSFamily,\r\n TargetUsername = PanOSAuthenticatedUserName,\r\n TargetUserId = PanOSAuthenticatedUserUUID,\r\n TargetDomain = PanOSAuthenticatedUserDomain,\r\n EventOriginalSubType = Activity,\r\n HttpUserAgent = PanOSUserAgentString,\r\n TargetDvcScopeId = PanOSCortexDataLakeTenantID,\r\n TargetSessionId = PanOSSessionID,\r\n TargetDvc = DeviceCustomString1\r\n | extend\r\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\r\n EventEndTime = EventStartTime,\r\n EventResult = iff(EventMessage has \"Invalid Certificate\", \"Failure\", \"Success\"),\r\n Dst = TargetIpAddr,\r\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\r\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\r\n User = TargetUsername,\r\n IpAddr = SrcIpAddr,\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n TargetDomainType = case(\r\n array_length(split(DestinationUserName, \".\")) > 1, \"FQDN\",\r\n array_length(split(DestinationUserName, \"\\\\\")) > 1, \"Windows\",\r\n \"\"\r\n ),\r\n TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\r\n | extend\r\n EventSchema = \"Authentication\",\r\n 
EventSchemaVersion = \"0.1.3\",\r\n EventType = \"Logon\",\r\n EventProduct = \"Cortex Data Lake\",\r\n EventVendor = \"Palo Alto\"\r\n | project-away\r\n Source*,\r\n Destination*,\r\n Device*,\r\n AdditionalExtensions,\r\n CommunicationDirection,\r\n EventOutcome,\r\n PanOS*,\r\n start,\r\n EndTime,\r\n FieldDevice*,\r\n Flex*,\r\n File*,\r\n Old*,\r\n MaliciousIP*,\r\n OriginalLogSeverity,\r\n Process*,\r\n Protocol,\r\n ReceivedBytes,\r\n SentBytes,\r\n Remote*,\r\n Request*,\r\n SimplifiedDeviceAction,\r\n StartTime,\r\n TenantId,\r\n Threat*,\r\n ExternalID,\r\n ReportReferenceLink,\r\n ReceiptTime,\r\n Reason,\r\n ApplicationProtocol,\r\n Indicator*,\r\n _ResourceId\r\n};\r\nparser(disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Palo Alto Cortex Data Lake.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"045e9ce2-e479-57cd-a473-f49ee8bf1bb9","name":"_ASim_Authentication_PaloAltoCortexDataLakeV02","body":"let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\r\n[\r\n \"0\", \"Low\",\r\n \"1\", \"Low\",\r\n \"2\", \"Low\",\r\n \"3\", \"Low\",\r\n \"4\", \"Low\",\r\n \"5\", \"Low\",\r\n \"6\", \"Medium\",\r\n \"7\", \"Medium\",\r\n \"8\", \"Medium\",\r\n \"9\", \"High\",\r\n \"10\", \"High\"\r\n];\r\nlet LogonMethod = datatable(FieldDeviceCustomNumber1: long, LogonMethod: string)\r\n[\r\n 1, \"Username & Password\",\r\n 2, \"Multi factor authentication\",\r\n 3, \"Multi factor authentication\"\r\n];\r\nlet parser = (disabled: bool=false) {\r\n CommonSecurityLog\r\n | where not(disabled)\r\n and DeviceVendor == \"Palo Alto Networks\"\r\n and DeviceProduct == \"LF\"\r\n and DeviceEventClassID == \"AUTH\"\r\n | parse-kv AdditionalExtensions as (PanOSSourceDeviceHost: string, PanOSSourceDeviceOSFamily: string, PanOSAuthenticationProtocol: string, PanOSAuthenticatedUserDomain: string, 
PanOSAuthenticatedUserName: string, PanOSAuthenticatedUserUUID: string, start: string, PanOSLogSource: string, PanOSRuleMatchedUUID: string, PanOSAuthenticationDescription: string, PanOSClientTypeName: string, PanOSConfigVersion: string, PanOSMFAVendor: string, PanOSSourceDeviceCategory: string, PanOSSourceDeviceModel: string, PanOSSourceDeviceProfile: string, PanOSSourceDeviceVendor: string, PanOSUserAgentString: string, PanOSCortexDataLakeTenantID: string, PanOSSessionID: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\r\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\r\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\r\n | lookup EventSeverityLookup on LogSeverity\r\n | extend\r\n EventStartTime = coalesce(todatetime(start), TimeGenerated),\r\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\r\n TargetIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\r\n EventMessage = Message,\r\n LogonMethod = case(\r\n FieldDeviceCustomNumber1 == 1, \"Username & Password\",\r\n FieldDeviceCustomNumber1 == 2, \"Multi factor authentication\",\r\n FieldDeviceCustomNumber1 == 3, \"Multi factor authentication\",\r\n \"\"\r\n ),\r\n AdditionalFields = bag_pack(\r\n \"FileName\",\r\n FileName,\r\n \"PanOSLogSource\",\r\n PanOSLogSource,\r\n \"PanOSRuleMatchedUUID\",\r\n PanOSRuleMatchedUUID,\r\n DeviceCustomNumber1Label,\r\n FieldDeviceCustomNumber1, \r\n DeviceCustomNumber2Label,\r\n FieldDeviceCustomNumber2,\r\n DeviceCustomString3Label,\r\n DeviceCustomString3,\r\n DeviceCustomString4Label,\r\n DeviceCustomString4,\r\n DeviceCustomString5Label,\r\n DeviceCustomString5,\r\n DeviceCustomString6Label,\r\n DeviceCustomString6,\r\n \"PanOSAuthenticationDescription\",\r\n PanOSAuthenticationDescription,\r\n \"PanOSClientTypeName\",\r\n PanOSClientTypeName,\r\n \"PanOSConfigVersion\",\r\n PanOSConfigVersion,\r\n \"PanOSMFAVendor\",\r\n PanOSMFAVendor,\r\n \"PanOSSourceDeviceCategory\",\r\n PanOSSourceDeviceCategory,\r\n \"PanOSSourceDeviceModel\",\r\n 
PanOSSourceDeviceModel,\r\n \"PanOSSourceDeviceProfile\",\r\n PanOSSourceDeviceProfile,\r\n \"PanOSSourceDeviceVendor\",\r\n PanOSSourceDeviceVendor\r\n ),\r\n TargetUsername = coalesce(PanOSAuthenticatedUserName, DestinationUserName)\r\n | project-rename\r\n DvcIpAddr = Computer,\r\n DvcId = DeviceExternalID,\r\n EventOriginalResultDetails = Message,\r\n EventOriginalSeverity = LogSeverity,\r\n EventOriginalType = DeviceEventClassID,\r\n EventOriginalUid = ExtID,\r\n EventProductVersion = DeviceVersion,\r\n LogonProtocol = PanOSAuthenticationProtocol,\r\n SrcDvcOs = PanOSSourceDeviceOSFamily,\r\n TargetUserId = PanOSAuthenticatedUserUUID,\r\n TargetDomain = PanOSAuthenticatedUserDomain,\r\n EventOriginalSubType = Activity,\r\n HttpUserAgent = PanOSUserAgentString,\r\n TargetDvcScopeId = PanOSCortexDataLakeTenantID,\r\n TargetSessionId = PanOSSessionID,\r\n TargetDvcId = DeviceCustomString1,\r\n EventUid = _ItemId\r\n | extend\r\n TargetDvcIdType = iff(isempty(TargetDvcId), \"\", \"Other\"),\r\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\r\n EventEndTime = EventStartTime,\r\n EventResult = iff(EventMessage has \"Invalid Certificate\", \"Failure\", \"Success\"),\r\n Dst = TargetIpAddr,\r\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\r\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\r\n User = TargetUsername,\r\n IpAddr = SrcIpAddr,\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n TargetDomainType = case(\r\n array_length(split(TargetUsername, \".\")) > 1, \"FQDN\",\r\n array_length(split(TargetUsername, \"\\\\\")) > 1, \"Windows\",\r\n \"\"\r\n )\r\n | extend\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.3\",\r\n EventType = \"Logon\",\r\n EventProduct = \"Cortex Data Lake\",\r\n EventVendor = \"Palo Alto\",\r\n Type = \"CommonSecurityLog\",\r\n EventCount = int(1)\r\n | 
project\r\n TimeGenerated,\r\n DvcHostname,\r\n DvcDomain,\r\n DvcFQDN,\r\n DvcDomainType,\r\n SrcHostname,\r\n SrcDomain,\r\n SrcFQDN,\r\n SrcDomainType,\r\n EventSeverity,\r\n EventStartTime,\r\n SrcIpAddr,\r\n TargetIpAddr,\r\n EventMessage,\r\n LogonMethod,\r\n DvcIpAddr,\r\n DvcId,\r\n EventOriginalResultDetails,\r\n EventOriginalSeverity,\r\n EventOriginalType,\r\n EventOriginalUid,\r\n EventProductVersion,\r\n LogonProtocol,\r\n SrcDvcOs,\r\n TargetUsername,\r\n TargetUserId,\r\n TargetDomain,\r\n TargetDomainType,\r\n EventOriginalSubType,\r\n HttpUserAgent,\r\n TargetDvcScopeId,\r\n TargetSessionId,\r\n TargetDvcId,\r\n TargetDvcIdType,\r\n EventUid,\r\n Dvc,\r\n EventEndTime,\r\n EventResult,\r\n Dst,\r\n Src,\r\n TargetUserType,\r\n User,\r\n IpAddr,\r\n DvcIdType,\r\n TargetUserIdType,\r\n TargetUsernameType,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventType,\r\n EventProduct,\r\n EventVendor,\r\n Type,\r\n EventCount\r\n};\r\nparser(disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Palo Alto Cortex Data Lake.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"a5b9b3eb-d502-5361-97fb-eaa2de5f683c","name":"_ASim_Authentication_PaloAltoGlobalProtectV01","body":"let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\r\n[\r\n \"0\", \"Low\",\r\n \"1\", \"Low\",\r\n \"2\", \"Low\",\r\n \"3\", \"Low\",\r\n \"4\", \"Low\",\r\n \"5\", \"Low\",\r\n \"6\", \"Medium\",\r\n \"7\", \"Medium\",\r\n \"8\", \"Medium\",\r\n \"9\", \"High\",\r\n \"10\", \"High\",\r\n \"Informational\", \"Informational\"\r\n];\r\nlet parser = (disabled: bool=false, pack: bool=false) {\r\n CommonSecurityLog\r\n | where not(disabled)\r\n and DeviceVendor == \"Palo Alto Networks\"\r\n and DeviceProduct == \"PAN-OS\"\r\n and DeviceEventClassID == \"GLOBALPROTECT\"\r\n | where AdditionalExtensions has_any (\"gateway-login\", 
\"gateway-logout\", \"gateway-auth\", \"portal-auth\", \"portal-prelogin\", \"gateway-connected\")\r\n | parse-kv AdditionalExtensions as (\r\n PanOSEventID: string,\r\n PanOSStage: string,\r\n PanOSLogTimeStamp: string,\r\n PanOSAuthMethod: string,\r\n PanOSTunnelType: string,\r\n PanOSSourceUserName: string,\r\n PanOSSourceRegion: string,\r\n PanOSEndpointDeviceName: string,\r\n PanOSPublicIPv4: string,\r\n PanOSPublicIPv6: string,\r\n PanOSPrivateIPv4: string,\r\n PanOSPrivateIPv6: string,\r\n PanOSHostID: string,\r\n PanOSGlobalProtectClientVersion: string,\r\n PanOSEndpointOSType: string,\r\n PanOSEndpointOSVersion: string,\r\n PanOSEventStatus: string,\r\n PanOSGPGatewayLocation: string,\r\n PanOSPortal: string,\r\n PanOSLoginDuration: string,\r\n PanOSConnectionError: string,\r\n PanOSDescription: string,\r\n PanOSDeviceSN: string,\r\n PanOSVirtualSystem: string\r\n ) with (pair_delimiter=\";\", kv_delimiter=\"=\")\r\n | extend EventType = case(\r\n PanOSEventID =~ \"gateway-login\", \"Logon\",\r\n PanOSEventID =~ \"gateway-logout\", \"Logoff\",\r\n PanOSEventID =~ \"gateway-auth\", \"Logon\",\r\n PanOSEventID =~ \"portal-auth\", \"Logon\",\r\n PanOSEventID =~ \"portal-prelogin\", \"Logon\",\r\n PanOSEventID =~ \"gateway-connected\", \"Logon\",\r\n \"\"\r\n )\r\n | where isnotempty(EventType)\r\n | extend LogonMethod = case(\r\n PanOSAuthMethod =~ \"LDAP\", \"Username & Password\",\r\n PanOSAuthMethod =~ \"RADIUS\", \"Username & Password\",\r\n PanOSAuthMethod =~ \"SAML\", \"Other\",\r\n PanOSAuthMethod =~ \"certificate\", \"PKI\",\r\n PanOSAuthMethod =~ \"local-database\", \"Username & Password\",\r\n PanOSAuthMethod =~ \"Kerberos\", \"Username & Password\",\r\n PanOSAuthMethod =~ \"TACACS+\", \"Username & Password\",\r\n PanOSAuthMethod =~ \"Cookie\", \"Other\",\r\n \"\"\r\n )\r\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\r\n | invoke _ASIM_ResolveSrcFQDN('PanOSEndpointDeviceName')\r\n | lookup EventSeverityLookup on LogSeverity\r\n | extend 
EventSeverity = iif(isempty(EventSeverity), \"Informational\", EventSeverity)\r\n | extend\r\n EventResult = case(\r\n PanOSEventStatus =~ \"success\", \"Success\",\r\n PanOSEventStatus =~ \"failure\", \"Failure\",\r\n isnotempty(PanOSConnectionError), \"Failure\",\r\n \"Success\"\r\n ),\r\n EventResultDetails = case(\r\n PanOSConnectionError has \"auth\", \"No such user or password\",\r\n PanOSConnectionError has \"expired\", \"Session expired\",\r\n PanOSConnectionError has \"timeout\", \"Session expired\",\r\n PanOSConnectionError has \"cert\", \"Incorrect key\",\r\n PanOSConnectionError has \"policy\", \"Logon violates policy\",\r\n PanOSConnectionError has \"locked\", \"User locked\",\r\n PanOSConnectionError has \"disabled\", \"User disabled\",\r\n isnotempty(PanOSConnectionError), \"Other\",\r\n \"\"\r\n ),\r\n TargetUsername = coalesce(SourceUserName, PanOSSourceUserName),\r\n SrcIpAddr = coalesce(SourceIP, PanOSPublicIPv4, PanOSPublicIPv6),\r\n EventStartTime = coalesce(todatetime(PanOSLogTimeStamp), TimeGenerated),\r\n EventMessage = Message,\r\n SrcDvcOs = coalesce(PanOSEndpointOSVersion, PanOSEndpointOSType),\r\n TargetAppName = coalesce(PanOSPortal, \"GlobalProtect\"),\r\n TargetAppType = \"Service\",\r\n AdditionalFields = iff(\r\n pack,\r\n bag_pack(\r\n \"PanOSPortal\", PanOSPortal,\r\n \"PanOSGPGatewayLocation\", PanOSGPGatewayLocation,\r\n \"PanOSTunnelType\", PanOSTunnelType,\r\n \"PanOSGlobalProtectClientVersion\", PanOSGlobalProtectClientVersion,\r\n \"PanOSLoginDuration\", PanOSLoginDuration,\r\n \"PanOSHostID\", PanOSHostID,\r\n \"PanOSSourceRegion\", PanOSSourceRegion,\r\n \"PanOSVirtualSystem\", PanOSVirtualSystem,\r\n \"PanOSDescription\", PanOSDescription,\r\n \"PanOSPublicIPv4\", PanOSPublicIPv4,\r\n \"PanOSPublicIPv6\", PanOSPublicIPv6,\r\n \"PanOSPrivateIPv4\", PanOSPrivateIPv4,\r\n \"PanOSPrivateIPv6\", PanOSPrivateIPv6,\r\n \"PanOSDeviceSN\", PanOSDeviceSN,\r\n \"PanOSStage\", PanOSStage\r\n ),\r\n dynamic([])\r\n )\r\n | 
project-rename\r\n DvcIpAddr = Computer,\r\n DvcId = DeviceExternalID,\r\n EventOriginalSeverity = LogSeverity,\r\n EventOriginalType = DeviceEventClassID,\r\n EventOriginalUid = ExtID,\r\n EventProductVersion = DeviceVersion,\r\n EventOriginalSubType = PanOSEventID,\r\n EventOriginalResultDetails = PanOSConnectionError,\r\n LogonProtocol = PanOSTunnelType,\r\n TargetIpAddr = DestinationIP,\r\n EventUid = _ResourceId\r\n | extend\r\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\r\n EventEndTime = EventStartTime,\r\n Dst = TargetIpAddr,\r\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\r\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\r\n User = TargetUsername,\r\n IpAddr = SrcIpAddr,\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n Application = TargetAppName,\r\n DvcAction = iff(EventResult == \"Success\", \"Allowed\", \"Blocked\"),\r\n TargetHostname = DvcHostname,\r\n TargetDomain = DvcDomain,\r\n TargetDomainType = DvcDomainType,\r\n EventSubType = \"Remote\",\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.4\",\r\n EventProduct = \"PAN-OS\",\r\n EventVendor = \"Palo Alto\",\r\n Type = \"CommonSecurityLog\",\r\n EventCount = int(1)\r\n | project\r\n TimeGenerated,\r\n EventType,\r\n EventResult,\r\n EventResultDetails,\r\n EventOriginalResultDetails,\r\n EventMessage,\r\n EventStartTime,\r\n EventEndTime,\r\n EventCount,\r\n EventSeverity,\r\n EventOriginalSeverity,\r\n EventOriginalType,\r\n EventOriginalSubType,\r\n EventOriginalUid,\r\n EventSubType,\r\n EventProduct,\r\n EventProductVersion,\r\n EventVendor,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventUid,\r\n Dvc,\r\n DvcIpAddr,\r\n DvcId,\r\n DvcIdType,\r\n DvcHostname,\r\n DvcDomain,\r\n DvcFQDN,\r\n DvcDomainType,\r\n TargetUsername,\r\n TargetUsernameType,\r\n TargetUserType,\r\n User,\r\n TargetAppName,\r\n TargetAppType,\r\n TargetIpAddr,\r\n Dst,\r\n SrcIpAddr,\r\n 
SrcHostname,\r\n SrcDomain,\r\n SrcFQDN,\r\n SrcDomainType,\r\n SrcDvcOs,\r\n Src,\r\n IpAddr,\r\n LogonMethod,\r\n LogonProtocol,\r\n Application,\r\n DvcAction,\r\n TargetHostname,\r\n TargetDomain,\r\n TargetDomainType,\r\n AdditionalFields,\r\n Type\r\n};\r\nparser(disabled=disabled, pack=pack)\r\n","parameters":"disabled:bool = false, pack:bool = false","description":"Authentication ASIM parser for Palo Alto PAN-OS GlobalProtect.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"5a6f419c-70b8-5f97-8d14-994ac6d2af24","name":"_ASim_Authentication_PaloAltoPanOSV01","body":"let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\r\n[\r\n \"0\", \"Low\",\r\n \"1\", \"Low\",\r\n \"2\", \"Low\",\r\n \"3\", \"Low\",\r\n \"4\", \"Low\",\r\n \"5\", \"Low\",\r\n \"6\", \"Medium\",\r\n \"7\", \"Medium\",\r\n \"8\", \"Medium\",\r\n \"9\", \"High\",\r\n \"10\", \"High\"\r\n];\r\nlet EventResultLookup = datatable (DeviceEventClassID: string, EventResult: string, EventResultDetails: string)\r\n[\r\n \"auth-success\", \"Success\", \"\",\r\n \"auth-fail\", \"Failure\", \"No such user or password\",\r\n \"auth-error\", \"Failure\", \"Other\",\r\n \"auth-timeout\", \"Failure\", \"Session expired\",\r\n \"auth-challenge\", \"Partial\", \"Logon violates policy\",\r\n \"auth-unknown\", \"Failure\", \"Other\",\r\n \"auth\", \"NA\", \"\"\r\n];\r\nlet parser = (disabled: bool=false, pack: bool=false) {\r\n CommonSecurityLog\r\n | where not(disabled)\r\n and DeviceVendor == \"Palo Alto Networks\"\r\n and DeviceProduct == \"PAN-OS\"\r\n and DeviceEventClassID startswith \"auth\"\r\n | lookup EventResultLookup on DeviceEventClassID\r\n | extend EventResult = coalesce(EventResult, \"NA\")\r\n | parse-kv AdditionalExtensions as (\r\n PanOSAuthenticationDescription: string,\r\n PanOSAuthenticationProtocol: string,\r\n PanOSAuthenticatedUserDomain: string,\r\n PanOSAuthenticatedUserName: 
string,\r\n PanOSAuthenticatedUserUUID: string,\r\n PanOSClientTypeName: string,\r\n PanOSConfigVersion: string,\r\n PanOSCortexDataLakeTenantID: string,\r\n PanOSDGHierarchyLevel1: string,\r\n PanOSDGHierarchyLevel2: string,\r\n PanOSDGHierarchyLevel3: string,\r\n PanOSDGHierarchyLevel4: string,\r\n PanOSIsDuplicateLog: string,\r\n PanOSLogExported: string,\r\n PanOSLogForwarded: string,\r\n PanOSIsPrismaNetworks: string,\r\n PanOSIsPrismaUsers: string,\r\n PanOSLocation: string,\r\n PanOSLogSource: string,\r\n LogSourceGroupID: string,\r\n PanOSLogSourceTimeZoneOffset: string,\r\n PanOSMFAVendor: string,\r\n PanOSPanoramaSN: string,\r\n PlatformType: string,\r\n PanOSRuleMatched: string,\r\n PanOSRuleMatchedUUID: string,\r\n PanOSAuthCacheServiceRegion: string,\r\n PanOSSessionID: string,\r\n PanOSSourceDeviceCategory: string,\r\n PanOSSourceDeviceHost: string,\r\n PanOSSourceDeviceMac: string,\r\n PanOSSourceDeviceModel: string,\r\n PanOSSourceDeviceOSFamily: string,\r\n PanOSSourceDeviceOSVersion: string,\r\n PanOSSourceDeviceProfile: string,\r\n PanOSSourceDeviceVendor: string,\r\n PanOSTimeGeneratedHighResolution: string,\r\n PanOSUserAgentString: string,\r\n PanOSVirtualSystemID: string,\r\n PanOSVirtualSystemName: string,\r\n start: string\r\n ) with (pair_delimiter=\";\", kv_delimiter=\"=\")\r\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\r\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\r\n | lookup EventSeverityLookup on LogSeverity\r\n | extend\r\n temp_SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\r\n temp_TargetIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\r\n temp_DvcIpAddr = Computer\r\n | extend\r\n SrcIpAddr = iff(isnotnull(parse_ipv4(temp_SrcIpAddr)) or isnotempty(parse_ipv6(temp_SrcIpAddr)), temp_SrcIpAddr, \"\"),\r\n TargetIpAddr = temp_TargetIpAddr,\r\n DvcIpAddr = temp_DvcIpAddr,\r\n DvcHostname = iff(isnotempty(temp_DvcIpAddr), temp_DvcIpAddr, DvcHostname),\r\n EventStartTime = coalesce(todatetime(start), 
TimeGenerated),\r\n EventMessage = Message,\r\n TargetUsername = coalesce(PanOSAuthenticatedUserName, DestinationUserName, SourceUserName),\r\n AdditionalFields = iff(pack, bag_pack(\r\n \"PanOSAuthenticationDescription\", PanOSAuthenticationDescription,\r\n \"PanOSClientTypeName\", PanOSClientTypeName,\r\n \"PanOSConfigVersion\", PanOSConfigVersion,\r\n \"PanOSCortexDataLakeTenantID\", PanOSCortexDataLakeTenantID,\r\n \"PanOSDGHierarchyLevel1\", PanOSDGHierarchyLevel1,\r\n \"PanOSDGHierarchyLevel2\", PanOSDGHierarchyLevel2,\r\n \"PanOSDGHierarchyLevel3\", PanOSDGHierarchyLevel3,\r\n \"PanOSDGHierarchyLevel4\", PanOSDGHierarchyLevel4,\r\n \"PanOSIsDuplicateLog\", PanOSIsDuplicateLog,\r\n \"PanOSLogExported\", PanOSLogExported,\r\n \"PanOSLogForwarded\", PanOSLogForwarded,\r\n \"PanOSIsPrismaNetworks\", PanOSIsPrismaNetworks,\r\n \"PanOSIsPrismaUsers\", PanOSIsPrismaUsers,\r\n \"PanOSLocation\", PanOSLocation,\r\n \"PanOSLogSource\", PanOSLogSource,\r\n \"LogSourceGroupID\", LogSourceGroupID,\r\n \"PanOSLogSourceTimeZoneOffset\", PanOSLogSourceTimeZoneOffset,\r\n \"PanOSMFAVendor\", PanOSMFAVendor,\r\n \"PanOSPanoramaSN\", PanOSPanoramaSN,\r\n \"PlatformType\", PlatformType,\r\n \"PanOSRuleMatched\", PanOSRuleMatched,\r\n \"PanOSRuleMatchedUUID\", PanOSRuleMatchedUUID,\r\n \"PanOSAuthCacheServiceRegion\", PanOSAuthCacheServiceRegion,\r\n \"PanOSSourceDeviceCategory\", PanOSSourceDeviceCategory,\r\n \"PanOSSourceDeviceMac\", PanOSSourceDeviceMac,\r\n \"PanOSSourceDeviceModel\", PanOSSourceDeviceModel,\r\n \"PanOSSourceDeviceOSVersion\", PanOSSourceDeviceOSVersion,\r\n \"PanOSSourceDeviceProfile\", PanOSSourceDeviceProfile,\r\n \"PanOSSourceDeviceVendor\", PanOSSourceDeviceVendor,\r\n \"PanOSTimeGeneratedHighResolution\", PanOSTimeGeneratedHighResolution,\r\n \"PanOSVirtualSystemID\", PanOSVirtualSystemID,\r\n \"PanOSVirtualSystemName\", PanOSVirtualSystemName,\r\n DeviceCustomNumber1Label, FieldDeviceCustomNumber1,\r\n DeviceCustomNumber2Label, 
FieldDeviceCustomNumber2,\r\n DeviceCustomString3Label, DeviceCustomString3,\r\n DeviceCustomString4Label, DeviceCustomString4,\r\n DeviceCustomString5Label, DeviceCustomString5,\r\n DeviceCustomString6Label, DeviceCustomString6\r\n ), dynamic([]))\r\n | project-rename\r\n DvcId = DeviceExternalID,\r\n EventOriginalResultDetails = Message,\r\n EventOriginalSeverity = LogSeverity,\r\n EventOriginalType = DeviceEventClassID,\r\n EventProductVersion = DeviceVersion,\r\n LogonProtocol = PanOSAuthenticationProtocol,\r\n SrcDvcOs = PanOSSourceDeviceOSFamily,\r\n TargetUserId = PanOSAuthenticatedUserUUID,\r\n TargetDomain = PanOSAuthenticatedUserDomain,\r\n EventOriginalSubType = Activity,\r\n HttpUserAgent = PanOSUserAgentString,\r\n TargetSessionId = PanOSSessionID\r\n | invoke _ASIM_ResolveDstFQDN('DestinationHostName')\r\n | extend\r\n TargetHostname = DstHostname,\r\n DvcAction = case(\r\n EventResult == \"Success\", \"Allow\",\r\n EventResult == \"Failure\", \"Deny\",\r\n \"\"\r\n ),\r\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\r\n EventEndTime = EventStartTime,\r\n Dst = coalesce(DstFQDN, DstHostname, TargetIpAddr),\r\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\r\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\r\n User = TargetUsername,\r\n IpAddr = SrcIpAddr,\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n TargetDomainType = case(\r\n array_length(split(TargetDomain, \".\")) > 1, \"FQDN\",\r\n isnotempty(TargetDomain), \"Windows\",\r\n \"\"\r\n )\r\n | extend\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.4\",\r\n EventType = \"Logon\",\r\n EventProduct = \"PAN-OS\",\r\n EventVendor = \"Palo Alto\",\r\n EventCount = int(1),\r\n Type = \"CommonSecurityLog\"\r\n | project\r\n TimeGenerated,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventType,\r\n EventResult,\r\n 
EventResultDetails,\r\n EventSeverity,\r\n EventProduct,\r\n EventVendor,\r\n EventCount,\r\n EventStartTime,\r\n EventEndTime,\r\n EventMessage,\r\n EventOriginalResultDetails,\r\n EventOriginalSeverity,\r\n EventOriginalType,\r\n EventOriginalSubType,\r\n EventProductVersion,\r\n Dvc,\r\n DvcHostname,\r\n DvcDomain,\r\n DvcFQDN,\r\n DvcDomainType,\r\n DvcIpAddr,\r\n DvcId,\r\n DvcIdType,\r\n TargetUsername,\r\n TargetUsernameType,\r\n TargetUserId,\r\n TargetUserIdType,\r\n TargetUserType,\r\n TargetDomain,\r\n TargetDomainType,\r\n TargetHostname,\r\n TargetIpAddr,\r\n TargetSessionId,\r\n DvcAction,\r\n SrcIpAddr,\r\n SrcHostname,\r\n SrcDomain,\r\n SrcFQDN,\r\n SrcDomainType,\r\n SrcDvcOs,\r\n LogonProtocol,\r\n HttpUserAgent,\r\n Dst,\r\n Src,\r\n User,\r\n IpAddr,\r\n AdditionalFields,\r\n Type\r\n};\r\nparser(disabled=disabled, pack=pack)\r\n","parameters":"disabled:bool = false, pack:bool = false","description":"Authentication ASIM parser for Palo Alto PAN-OS.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"c388dfc7-dc9f-5b2c-acc6-be7dc5b05fe2","name":"_ASim_Authentication_PostgreSQLV01","body":"let PostgreSQLSignInAuthorized=(disabled:bool=false){\r\nPostgreSQL_CL \r\n| where not(disabled)\r\n| where RawData has 'connection authorized'\r\n| project-rename \r\n EventUid = _ItemId\r\n| extend\r\n DvcHostname = Computer,\r\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventOriginalRestultDetails = 'Connection authorized',\r\n EventProduct = 'PostgreSQL',\r\n EventResult = 'Success',\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.1',\r\n EventStartTime = TimeGenerated,\r\n EventType = 'Logon',\r\n EventVendor = 'PostgreSQL',\r\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData),\r\n TargetUsernameType = 'Simple'\r\n// ************************ \r\n// \r\n// 
************************\r\n| extend\r\n Dvc=Computer,\r\n User=TargetUsername\r\n// ************************ \r\n// \r\n// ************************\r\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\r\n };\r\nlet PostgreSQLAuthFailure1=(disabled:bool=false){\r\nPostgreSQL_CL \r\n| where not(disabled)\r\n| where RawData has 'authentication failed'\r\n| extend \r\n DvcHostname = Computer,\r\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventOriginalRestultDetails = 'User authentication failed',\r\n EventProduct = 'PostgreSQL',\r\n EventResult = 'Failure',\r\n EventResultDetails = 'No such user or password',\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.1',\r\n EventStartTime = TimeGenerated,\r\n EventType = 'Logon',\r\n EventVendor = 'PostgreSQL',\r\n TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData),\r\n TargetUsernameType = 'Simple'\r\n// ************************ \r\n// \r\n// ************************\r\n| extend\r\n Dvc = Computer,\r\n User = TargetUsername\r\n// ************************ \r\n// \r\n// ************************\r\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\r\n};\r\nlet PostgreSQLAuthFailure2=(disabled:bool=false){\r\nPostgreSQL_CL \r\n| where not(disabled)\r\n| where RawData has_all ('role', 'does', 'not', 'exist')\r\n| extend \r\n DvcHostname = Computer,\r\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventOriginalRestultDetails = 'Role does not exist',\r\n EventProduct = 'PostgreSQL',\r\n EventResult = 'Failure',\r\n EventResultDetails = 'No such user or password',\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.1',\r\n EventStartTime = TimeGenerated,\r\n EventType = 'Logon',\r\n EventVendor = 'PostgreSQL',\r\n TargetUsername = 
extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData),\r\n TargetUsernameType = 'Simple'\r\n// ************************ \r\n// \r\n// ************************\r\n| extend\r\n Dvc = Computer,\r\n User = TargetUsername\r\n// ************************ \r\n// \r\n// ************************\r\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\r\n};\r\nlet PostgreSQLAuthFailure3=(disabled:bool=false){\r\nPostgreSQL_CL \r\n| where not(disabled)\r\n| where RawData has_all ('no', 'entry', 'user')\r\n| extend \r\n DvcHostname = Computer,\r\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventOriginalRestultDetails = 'No entry for user',\r\n EventProduct = 'PostgreSQL',\r\n EventResult = 'Failure',\r\n EventResultDetails = 'No such user or password',\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.1',\r\n EventStartTime = TimeGenerated,\r\n EventType = 'Logon',\r\n EventVendor = 'PostgreSQL',\r\n SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData),\r\n TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData),\r\n TargetUsernameType = 'Simple'\r\n// ************************ \r\n// \r\n// ************************\r\n| extend\r\n Dvc = Computer,\r\n User = TargetUsername\r\n// ************************ \r\n// \r\n// ************************\r\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\r\n};\r\nlet PostgreSQLDisconnect=(disabled:bool=false){\r\nPostgreSQL_CL \r\n| where not(disabled)\r\n| where RawData has 'disconnection'\r\n| extend \r\n DvcHostname = Computer,\r\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventOriginalRestultDetails = 'User session closed',\r\n EventProduct = 'PostgreSQL',\r\n EventResult = 'Success',\r\n EventResultDetails = 'Session expired',\r\n EventSchema = 
'Authentication',\r\n EventSchemaVersion = '0.1.1',\r\n EventStartTime = TimeGenerated,\r\n EventType = 'Logoff',\r\n EventVendor = 'PostgreSQL',\r\n SrcIpAddr = extract(@'host=([\\d.]+)', 1, RawData),\r\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData),\r\n TargetUsernameType = 'Simple'\r\n// ************************ \r\n// \r\n// ************************\r\n| extend\r\n Dvc = Computer,\r\n User = TargetUsername\r\n// ************************ \r\n// \r\n// ************************\r\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\r\n};\r\nunion isfuzzy=false \r\n PostgreSQLSignInAuthorized(disabled = disabled), \r\n PostgreSQLAuthFailure1(disabled = disabled), \r\n PostgreSQLAuthFailure2(disabled = disabled), \r\n PostgreSQLAuthFailure3(disabled = disabled), \r\n PostgreSQLDisconnect(disabled = disabled)\r\n","parameters":"disabled:bool = false","description":"Authentication ASIM parser for PostgreSQL.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"2aa4e228-ebd8-5e57-b13a-cc8a8777fee9","name":"_ASim_Authentication_SalesforceSCV01","body":"let parser = (\r\ndisabled: bool=false\r\n) {\r\nlet SalesforceSchema = datatable(\r\napi_version_s: string,\r\nbrowser_type_s: string,\r\ncipher_suite_s: string,\r\nclient_ip_s: string,\r\ndelegated_user_id_s: string,\r\ndelegated_user_name_s: string,\r\nevent_type_s: string,\r\nlogin_key_s: string,\r\nlogin_status_s: string,\r\nlogin_type_s: string,\r\nlogin_sub_type_s: string,\r\norganization_id_s: string,\r\nplatform_type_s: string,\r\nrequest_id_s: string,\r\nrequest_status_s: string,\r\nsession_key_s: string,\r\nsource_ip_s: string,\r\ntimestamp_s: string,\r\ntls_protocol_s: string,\r\nuri_s: string,\r\nuser_id_s: string,\r\nuser_name_s: string,\r\nuser_type_s: string,\r\nwave_session_id_g: string\r\n)[];\r\n let EventResultLookup = datatable (\r\n login_status_s: string,\r\n DvcAction: string,\r\n 
EventResultDetails: string,\r\n EventResult: string,\r\n EventSeverity: string\r\n)[\r\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n 
\"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\r\n 
\"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n 
\"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\r\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\r\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", 
\"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\r\n];\r\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\r\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\r\n \"Login\", \"Logon\",\r\n \"LoginAs\", \"Logon\",\r\n \"Logout\", \"Logoff\"\r\n];\r\n let DvcOsLookup = datatable(\r\n platform_type_s: string,\r\n DvcOs: string,\r\n DvcOsVersion: string\r\n)[\r\n \"1000\", \"Windows\", \"\",\r\n \"1008\", \"Windows\", \"2003\",\r\n \"1013\", \"Windows\", \"8.1\",\r\n \"1015\", \"Windows\", \"10\",\r\n \"2003\", \"Macintosh/Apple\", \"OSX\",\r\n \"4000\", \"Linux\", \"\",\r\n \"5005\", \"Android\", \"\",\r\n \"5006\", \"iPhone\", \"\",\r\n \"5007\", \"iPad\", \"\",\r\n \"5200\", \"Android\", \"10.0\"\r\n];\r\n let LogonMethodLookup = datatable(\r\n LoginType_s: string,\r\n LogonMethodOriginal: string,\r\n LogonMethod: string\r\n)[\r\n \"7\", \"AppExchange\", \"Other\",\r\n \"A\", \"Application\", \"Other\",\r\n \"s\", \"Certificate-based login\", \"PKI\",\r\n \"k\", \"Chatter Communities External 
User\", \"Other\",\r\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\r\n \"r\", \"Employee Login to Community\", \"Other\",\r\n \"z\", \"Lightning Login\", \"Username & Password\",\r\n \"l\", \"Networks Portal API Only\", \"Other\",\r\n \"6\", \"Remote Access Client\", \"Other\",\r\n \"i\", \"Remote Access 2.0\", \"Other\",\r\n \"I\", \"Other Apex API\", \"Other\",\r\n \"R\", \"Partner Product\", \"Other\",\r\n \"w\", \"Passwordless Login\", \"Passwordless\",\r\n \"3\", \"Customer Service Portal\", \"Other\",\r\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\r\n \"9\", \"Partner Portal\", \"Other\",\r\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\r\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\r\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\r\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\r\n \"h\", \"SAML Site SSO\", \"Other\",\r\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\r\n \"E\", \"SelfService\", \"Other\",\r\n \"j\", \"Third Party SSO\", \"Other\"\r\n];\r\n let LogonProtocolLookup = datatable(\r\n LoginSubType_s: string,\r\n LogonProtocolOriginal: string,\r\n LogonProtocol: string\r\n)[\r\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\r\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\r\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\r\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\r\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\r\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\r\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\r\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\r\n];\r\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\r\n \"S\", \"Success\",\r\n \"F\", \"Failure\",\r\n \"A\", \"Failure\",\r\n \"R\", \"Success\",\r\n \"N\", \"Failure\",\r\n \"U\", \"NA\"\r\n];\r\n let UserTypeLookup = 
datatable(user_type_s: string, TargetUserType: string)[\r\n \"CsnOnly\", \"Other\",\r\n \"CspLitePortal\", \"Other\",\r\n \"CustomerSuccess\", \"Other\",\r\n \"Guest\", \"Anonymous\",\r\n \"PowerCustomerSuccess\", \"Other\",\r\n \"PowerPartner\", \"Other\",\r\n \"SelfService\", \"Other\",\r\n \"Standard\", \"Regular\",\r\n \"A\", \"Application\",\r\n \"b\", \"Other\",\r\n \"C\", \"Other\",\r\n \"D\", \"Other\",\r\n \"F\", \"Other\",\r\n \"G\", \"Anonymous\",\r\n \"L\", \"Other\",\r\n \"N\", \"Service\",\r\n \"n\", \"Other\",\r\n \"O\", \"Other\",\r\n \"o\", \"Other\",\r\n \"P\", \"Other\",\r\n \"p\", \"Other\",\r\n \"S\", \"Regular\",\r\n \"X\", \"Admin\"\r\n];\r\n union isfuzzy=true\r\n SalesforceSchema,\r\n SalesforceServiceCloud_CL \r\n | where not(disabled)\r\n | where event_type_s in~ (SalesforceEventType)\r\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))\r\n | extend LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s\r\n | lookup EventResultLookup on login_status_s\r\n | lookup EventTypeLookup on event_type_s\r\n | lookup LogonMethodLookup on LoginType_s\r\n | lookup LogonProtocolLookup on LoginSubType_s\r\n | lookup TempEventResultLookup on request_status_s\r\n | lookup DvcOsLookup on platform_type_s\r\n | lookup UserTypeLookup on user_type_s\r\n | project-rename\r\n EventProductVersion = api_version_s,\r\n EventOriginalResultDetails = login_status_s,\r\n TargetUserId = user_id_s,\r\n SrcIpAddr = source_ip_s,\r\n EventOriginalUid = request_id_s,\r\n TlsCipher = cipher_suite_s,\r\n TlsVersion = tls_protocol_s,\r\n HttpUserAgent= browser_type_s,\r\n TargetUserScopeId = organization_id_s,\r\n TargetUrl = uri_s,\r\n TargetOriginalUserType = user_type_s,\r\n ActorUsername = delegated_user_name_s,\r\n ActorUserId = delegated_user_id_s,\r\n TargetUsername = user_name_s\r\n | extend\r\n EventVendor = 'Salesforce',\r\n EventProduct='Service Cloud',\r\n EventCount = int(1),\r\n EventSchema = 'Authentication',\r\n 
EventSchemaVersion = '0.1.3',\r\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\r\n TargetAppType = \"SaaS application\",\r\n EventUid = _ItemId,\r\n EventOriginalType=event_type_s,\r\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)\r\n | extend\r\n TargetSessionId = coalesce(session_key_s, login_key_s),\r\n TargetUserScope = \"Salesforce Organization\",\r\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\r\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\r\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\r\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\r\n User = coalesce(TargetUsername, TargetUserId),\r\n Src = SrcIpAddr,\r\n IpAddr = SrcIpAddr,\r\n Dvc = EventProduct,\r\n EventResult = coalesce(EventResult, TempEventResult),\r\n Application = TargetAppName,\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated\r\n | project-away\r\n *_s,\r\n *_t,\r\n *_g,\r\n TenantId,\r\n SourceSystem,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n Message,\r\n RawData,\r\n TempEventResult,\r\n _ItemId\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Salesforce Service Cloud.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"7765aa9d-5d8c-5760-ab75-7827c9d8378d","name":"_ASim_Authentication_SentinelOneV01","body":"let EventResultDetailsLookup = datatable (comments_s: string, EventResultDetails: string)\r\n [\r\n \"invalid 2FA code\", \"Incorrect password\",\r\n \"IP/User mismatch\", \"No such user or password\",\r\n \"invalid password\", \"Incorrect password\",\r\n \"user temporarily locked 2FA attempt\", \"User locked\",\r\n \"no active site\", \"Other\"\r\n ];\r\n let EventFieldsLookup = datatable (\r\n activityType_d: real,\r\n EventType: string,\r\n EventResult: string,\r\n EventOriginalResultDetails: string\r\n )\r\n [\r\n 27, 
\"Logon\", \"Success\", \"User Logged In\",\r\n 33, \"Logoff\", \"Success\", \"User Logged Out\",\r\n 133, \"Logon\", \"Failure\", \"Existing User Login Failure\",\r\n 134, \"Logon\", \"Failure\", \"Unknown User Login\",\r\n 139, \"Logon\", \"Failure\", \"User Failed to Start an Unrestricted Session\",\r\n 3629, \"Logon\", \"Success\", \"Login Using Saved 2FA Recovery Code\"\r\n ];\r\n let EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\r\n [\r\n \"WINLOGONATTEMPT\", \"Logon\",\r\n \"WINLOGOFFATTEMPT\", \"Logoff\"\r\n ];\r\n let EventSubTypeLookup = datatable (alertInfo_loginType_s: string, EventSubType: string)\r\n [\r\n \"BATCH\", \"System\",\r\n \"CACHED_INTERACTIVE\", \"Interactive\",\r\n \"CACHED_REMOTE_INTERACTIVE\", \"RemoteInteractive\",\r\n \"CACHED_UNLOCK\", \"System\",\r\n \"INTERACTIVE\", \"Interactive\",\r\n \"NETWORK_CLEAR_TEXT\", \"Remote\",\r\n \"NETWORK_CREDENTIALS\", \"Remote\",\r\n \"NETWORK\", \"Remote\",\r\n \"REMOTE_INTERACTIVE\", \"RemoteInteractive\",\r\n \"SERVICE\", \"Service\",\r\n \"SYSTEM\", \"System\",\r\n \"UNLOCK\", \"System\"\r\n ];\r\n let DeviceTypeLookup = datatable (\r\n agentDetectionInfo_machineType_s: string,\r\n SrcDeviceType: string\r\n )\r\n [\r\n \"desktop\", \"Computer\",\r\n \"server\", \"Computer\",\r\n \"laptop\", \"Computer\",\r\n \"kubernetes node\", \"Other\",\r\n \"unknown\", \"Other\"\r\n ];\r\n let ThreatConfidenceLookup_undefined = datatable(\r\n alertInfo_analystVerdict_s: string,\r\n ThreatConfidence_undefined: int\r\n )\r\n [\r\n \"FALSE_POSITIVE\", 5,\r\n \"Undefined\", 15,\r\n \"SUSPICIOUS\", 25,\r\n \"TRUE_POSITIVE\", 33 \r\n ];\r\n let ThreatConfidenceLookup_suspicious = datatable(\r\n alertInfo_analystVerdict_s: string,\r\n ThreatConfidence_suspicious: int\r\n )\r\n [\r\n \"FALSE_POSITIVE\", 40,\r\n \"Undefined\", 50,\r\n \"SUSPICIOUS\", 60,\r\n \"TRUE_POSITIVE\", 67 \r\n ];\r\n let ThreatConfidenceLookup_malicious = datatable(\r\n alertInfo_analystVerdict_s: string,\r\n 
ThreatConfidence_malicious: int\r\n )\r\n [\r\n \"FALSE_POSITIVE\", 75,\r\n \"Undefined\", 80,\r\n \"SUSPICIOUS\", 90,\r\n \"TRUE_POSITIVE\", 100 \r\n ];\r\n let TargetUserTypesList = dynamic([\"Regular\", \"Machine\", \"Admin\", \"System\", \"Application\", \"Service Principal\", \"Service\", \"Anonymous\"]);\r\n let parser = (disabled: bool=false) {\r\n let alldata = SentinelOne_CL\r\n | where not(disabled);\r\n let activitydata = alldata\r\n | where event_name_s == \"Activities.\"\r\n and activityType_d in (27, 33, 133, 134, 139, 3629)\r\n | parse-kv DataFields_s as (ipAddress: string, username: string, userScope: string, accountName: string, fullScopeDetails: string, fullScopeDetailsPath: string, role: string, scopeLevel: string, source: string, sourceType: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\r\n | lookup EventFieldsLookup on activityType_d\r\n | lookup EventResultDetailsLookup on comments_s\r\n | extend \r\n SrcIpAddr = iff(ipAddress == \"null\", \"\", ipAddress),\r\n EventOriginalType = tostring(toint(activityType_d)),\r\n TargetUsername = username,\r\n TargetUserScope = userScope,\r\n AdditionalFields = bag_pack(\r\n \"accountName\", accountName,\r\n \"fullScopeDetails\", fullScopeDetails,\r\n \"fullScopeDetailsPath\", fullScopeDetailsPath,\r\n \"scopeLevel\", scopeLevel,\r\n \"source\", source,\r\n \"sourceType\", sourceType\r\n ),\r\n TargetOriginalUserType = role,\r\n TargetUserType = case(\r\n role in (TargetUserTypesList), role,\r\n role == \"null\", \"\",\r\n \"Other\"\r\n )\r\n | project-rename\r\n EventStartTime = createdAt_t,\r\n TargetUserId = userId_s,\r\n EventOriginalUid = activityUuid_g,\r\n EventMessage = primaryDescription_s\r\n | extend TargetUserIdType = iff(isnotempty(TargetUserId), \"Other\", \"\");\r\n let alertdata = alldata\r\n | where event_name_s == \"Alerts.\"\r\n and alertInfo_eventType_s in (\"WINLOGONATTEMPT\", \"WINLOGOFFATTEMPT\")\r\n | lookup EventTypeLookup on alertInfo_eventType_s\r\n | lookup 
EventSubTypeLookup on alertInfo_loginType_s\r\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s;\r\n let undefineddata = alertdata\r\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\r\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\r\n let suspiciousdata = alertdata\r\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\r\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\r\n let maliciousdata = alertdata\r\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\r\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\r\n let alertdatawiththreatfield = union undefineddata, suspiciousdata, maliciousdata\r\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\r\n | invoke _ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s')\r\n | extend\r\n EventResult = iff(alertInfo_loginIsSuccessful_s == \"true\", \"Success\", \"Failure\"),\r\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\r\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\r\n | project-rename\r\n EventStartTime = alertInfo_createdAt_t,\r\n SrcIpAddr = alertInfo_srcMachineIp_s,\r\n ActingAppName = sourceProcessInfo_name_s,\r\n DvcId = agentDetectionInfo_uuid_g,\r\n DvcOs = agentDetectionInfo_osName_s,\r\n DvcOsVersion = agentDetectionInfo_osRevision_s,\r\n EventOriginalSeverity = ruleInfo_severity_s,\r\n EventOriginalType = alertInfo_eventType_s,\r\n EventOriginalSubType = alertInfo_loginType_s,\r\n RuleName = ruleInfo_name_s,\r\n TargetUserId = alertInfo_loginAccountSid_s,\r\n TargetUsername = alertInfo_loginsUserName_s,\r\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\r\n | extend\r\n Rule = RuleName,\r\n ActingAppType = iff(isnotempty(ActingAppName), \"Process\", \"\"),\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId),\r\n 
TargetUserIdType = iff(isnotempty(TargetUserId), \"SID\", \"\");\r\n union activitydata, alertdatawiththreatfield\r\n | extend\r\n EventCount = int(1),\r\n EventProduct = \"SentinelOne\",\r\n EventSchemaVersion = \"0.1.3\",\r\n EventVendor = \"SentinelOne\",\r\n EventSchema = \"Authentication\"\r\n | extend\r\n Dvc = coalesce(DvcHostname, EventProduct),\r\n EventEndTime = EventStartTime,\r\n EventUid = _ItemId,\r\n User = TargetUsername\r\n | extend\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr\r\n | project-away\r\n *_b,\r\n *_d,\r\n *_g,\r\n *_s,\r\n *_t,\r\n ipAddress,\r\n username,\r\n accountName,\r\n fullScopeDetails,\r\n fullScopeDetailsPath,\r\n role,\r\n scopeLevel,\r\n source,\r\n sourceType,\r\n userScope,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId,\r\n _ItemId,\r\n _ResourceId,\r\n ThreatConfidence_*\r\n };\r\n parser(disabled=disabled)","parameters":"disabled:bool = false","description":"ASIM Authentication parser for SentinelOne.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"4253b281-edf2-54a7-8b4c-ed6d82562842","name":"_ASim_Authentication_SigninLogsV03","body":"let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\r\n '0', 'Success',\r\n '50005', 'Logon violates policy',\r\n '50011', 'Logon violates policy', \r\n '50020', 'Logon violates policy',\r\n '50034', 'No such user or password',\r\n '50053', 'User locked',\r\n '50055', 'Password expired',\r\n '50056', 'Incorrect password',\r\n '50057', 'User disabled',\r\n '50058', 'Logon violates policy',\r\n '50059', 'No such user or password',\r\n '50064', 'No such user or password',\r\n '50072', 'Logon violates policy',\r\n '50074', 'Logon violates policy', \r\n '50076', 'Logon violates policy',\r\n '50079', 'Logon violates policy',\r\n '50105', 'Logon violates policy',\r\n '50126', 'No such user or password',\r\n '50132', 'Password expired',\r\n '50133', 'Password 
expired',\r\n '50144', 'Password expired',\r\n '50173', 'Password expired',\r\n '51004', 'No such user or password',\r\n '53003', 'Logon violates policy',\r\n '70008', 'Password expired',\r\n '80012', 'Logon violates policy',\r\n '500011', 'No such user or password',\r\n '700016', 'No such user or password', \r\n ];\r\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\r\n 'Guest','Guest', \r\n 'Member', 'Regular',\r\n '',''\r\n];\r\nlet parser=(disabled:bool=false){\r\nSigninLogs \r\n| where not(disabled)\r\n| extend\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\r\n EventProduct = 'Entra ID',\r\n EventResult = iff (ResultType ==0, 'Success', 'Failure'),\r\n EventSchemaVersion = '0.1.0',\r\n EventStartTime = TimeGenerated,\r\n EventSubType = 'Interactive',\r\n EventType = 'Logon',\r\n EventVendor = 'Microsoft',\r\n Location = todynamic(LocationDetails),\r\n SrcHostname = tostring(DeviceDetail.displayName),\r\n SrcDvcId = tostring(DeviceDetail.deviceId),\r\n SrcIpAddr = IPAddress,\r\n SrcDvcOs = tostring(DeviceDetail.operatingSystem),\r\n TargetUserIdType = 'EntraID',\r\n TargetUsernameType = 'UPN'\r\n| extend\r\n SrcGeoCity = tostring(Location.city),\r\n SrcGeoCountry = tostring(Location.countryOrRegion),\r\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\r\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\r\n | lookup FailedReason on ResultType\r\n | project-rename\r\n EventOriginalUid = Id,\r\n EventUid = _ItemId,\r\n HttpUserAgent = UserAgent,\r\n LogonMethod = AuthenticationRequirement,\r\n TargetAppId = ResourceIdentity,\r\n TargetAppName = ResourceDisplayName,\r\n TargetSessionId = CorrelationId,\r\n TargetUserId = UserId,\r\n TargetUsername = UserPrincipalName\r\n //\r\n | lookup UserTypeLookup on UserType\r\n | project-away UserType\r\n // ** Aliases\r\n | extend \r\n Dvc = EventVendor,\r\n LogonTarget = TargetAppName,\r\n 
User = TargetUsername,\r\n // -- Entity identifier explicit aliases\r\n TargetUserAadId = TargetUserId,\r\n TargetUserUpn = TargetUsername\r\n };\r\n parser \r\n (\r\n disabled = disabled\r\n )","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Microsoft Entra ID interactive sign-in logs.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"090947e4-eb27-50d5-b0aa-295684c0f504","name":"_ASim_Authentication_SigninLogsV04","body":"let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\r\n '0', 'Success',\r\n '50005', 'Logon violates policy',\r\n '50011', 'Logon violates policy', \r\n '50020', 'Logon violates policy',\r\n '50034', 'No such user or password',\r\n '50053', 'User locked',\r\n '50055', 'Password expired',\r\n '50056', 'Incorrect password',\r\n '50057', 'User disabled',\r\n '50058', 'Logon violates policy',\r\n '50059', 'No such user or password',\r\n '50064', 'No such user or password',\r\n '50072', 'Logon violates policy',\r\n '50074', 'Logon violates policy', \r\n '50076', 'Logon violates policy',\r\n '50079', 'Logon violates policy',\r\n '50105', 'Logon violates policy',\r\n '50126', 'No such user or password',\r\n '50132', 'Password expired',\r\n '50133', 'Password expired',\r\n '50144', 'Password expired',\r\n '50173', 'Password expired',\r\n '51004', 'No such user or password',\r\n '53003', 'Logon violates policy',\r\n '70008', 'Password expired',\r\n '80012', 'Logon violates policy',\r\n '500011', 'No such user or password',\r\n '700016', 'No such user or password', \r\n ];\r\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\r\n 'Guest','Guest', \r\n 'Member', 'Regular',\r\n '',''\r\n];\r\nlet ActingAppType = datatable (ActingOriginalAppType: string, ActingAppType: string) [\r\n 'Mobile Apps and Desktop clients', 'Process',\r\n 'Browser', 'Service',\r\n 'Authenticated STMP', 'CSP',\r\n 'Exchange Active 
Sync', 'CSP',\r\n 'Other', 'Other',\r\n 'Unknown', 'Other'\r\n];\r\nlet LogonMethodLookup = datatable(OriginalLogonMethod: string, LogonMethod: string)\r\n[\r\n \"singleFactorAuthentication\", \"Username & Password\",\r\n \"multiFactorAuthentication\", \"Multi factor authentication\"\r\n];\r\nlet parser=(disabled:bool=false) {\r\n SigninLogs\r\n | where not(disabled)\r\n | extend\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\r\n EventProduct = 'AAD',\r\n EventResult = iff (ResultType == 0, 'Success', 'Failure'),\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.3',\r\n EventStartTime = TimeGenerated,\r\n EventSubType = 'Interactive',\r\n EventType = 'Logon',\r\n EventVendor = 'Microsoft',\r\n Type = 'SigninLogs',\r\n Location = todynamic(LocationDetails),\r\n SrcHostname = tostring(DeviceDetail.displayName),\r\n SrcDvcId = tostring(DeviceDetail.deviceId),\r\n SrcDvcIdType = \"\",\r\n SrcIpAddr = IPAddress,\r\n SrcDvcOs = tostring(DeviceDetail.operatingSystem),\r\n TargetUserIdType = 'AADID',\r\n TargetUsernameType = 'UPN',\r\n OriginalLogonMethod = coalesce(AuthenticationMethodsUsed, AuthenticationRequirement),\r\n TargetAppType = \"\"\r\n | extend\r\n SrcDvcIdType = iif(isempty(SrcDvcId), \"\", \"Other\"),\r\n SrcGeoCity = tostring(Location.city),\r\n SrcGeoCountry = tostring(Location.countryOrRegion),\r\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\r\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\r\n | lookup FailedReason on ResultType\r\n | lookup LogonMethodLookup on OriginalLogonMethod\r\n | project-rename\r\n EventOriginalUid = Id,\r\n HttpUserAgent = UserAgent,\r\n TargetAppId = AppId,\r\n TargetAppName = AppDisplayName,\r\n TargetSessionId = CorrelationId,\r\n TargetUserId = UserId,\r\n TargetUsername = UserPrincipalName,\r\n ActingOriginalAppType = ClientAppUsed\r\n | lookup ActingAppType on ActingOriginalAppType\r\n | extend 
EventUid = column_ifexists(\"_ItemId\", \"\")\r\n | lookup UserTypeLookup on UserType\r\n // ** Aliases\r\n | extend \r\n Application = TargetAppName,\r\n IpAddr = SrcIpAddr,\r\n Dvc = EventVendor,\r\n LogonTarget = TargetAppName,\r\n User = TargetUsername\r\n | project\r\n TimeGenerated,\r\n EventSchema,\r\n Type,\r\n EventVendor,\r\n EventProduct,\r\n EventCount,\r\n EventSchemaVersion,\r\n EventResult,\r\n EventOriginalResultDetails,\r\n EventStartTime,\r\n EventEndTime,\r\n EventType,\r\n Application,\r\n IpAddr,\r\n SrcDvcId,\r\n SrcDvcIdType,\r\n SrcHostname,\r\n SrcDvcOs,\r\n TargetUsernameType,\r\n TargetUserIdType,\r\n SrcIpAddr,\r\n LogonMethod,\r\n SrcGeoCity,\r\n SrcGeoCountry,\r\n SrcGeoLatitude,\r\n SrcGeoLongitude,\r\n EventOriginalUid,\r\n EventUid,\r\n HttpUserAgent,\r\n TargetSessionId,\r\n TargetUserId,\r\n TargetUsername,\r\n TargetAppId,\r\n TargetAppName,\r\n TargetAppType,\r\n ActingAppType,\r\n ActingOriginalAppType,\r\n TargetUserType,\r\n User,\r\n LogonTarget,\r\n Dvc\r\n};\r\nparser \r\n(\r\n disabled = disabled\r\n)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Microsoft Entra ID interactive sign-in logs.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"6d31c590-f1cf-5977-ad0e-98760e4adaf2","name":"_ASim_Authentication_SshdV02","body":"let parser = (disabled:bool=false) {\r\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\r\n //\r\n // -- Successful login \r\n let SSHDAccepted=(disabled:bool=false) { \r\n // -- Parse events with the format \"Accepted (password|none|publickey) for from port ssh2\"\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\r\n | parse SyslogMessage with \"Accepted \" * \" for \" TargetUsername:string \" from \" SrcIpAddr:string 
\" port\" SrcPortNumber:int *\r\n | extend\r\n EventCount = int(1),\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n EventType = 'Logon'\r\n | project-away SyslogMessage, ProcessName\r\n };\r\n //\r\n // -- Failed login - incorrect password\r\n let SSHDFailed=(disabled:bool=false) {\r\n // -- Parse events with the format \"Failed (password|none|publickey) for from port ssh2[: RSA :]\"\r\n // -- Or a number of such events message repeated times: [ ]\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and (\r\n SyslogMessage startswith 'Failed' \r\n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\r\n )\r\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\r\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \r\n | extend\r\n EventCount = toint(coalesce(EventCount,1)),\r\n EventResult = 'Failure',\r\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'),\r\n EventSeverity = 'Low' ,\r\n EventType = 'Logon',\r\n LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\r\n | project-away SyslogMessage, ProcessName\r\n };\r\n //\r\n // -- Logoff - Timeout\r\n let SSHDTimeout=(disabled:bool=false) {\r\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\r\n | parse-where SyslogMessage with * \"user \" TargetUsername:string \" \" SrcIpAddr:string \" port \" SrcPortNumber:int\r\n | extend\r\n EventCount = int(1),\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n EventType = 'Logoff'\r\n | project-away SyslogMessage, ProcessName\r\n };\r\n //\r\n // -- Failed login - invalid user\r\n let 
SSHDInvalidUser=(disabled:bool=false) {\r\n // -- Parse events with the format \"Invalid user [] from port \"\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\r\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddr:string \" port \" SrcPortNumber:int\r\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\r\n | extend\r\n EventCount = int(1),\r\n EventResult = 'Failure',\r\n EventResultDetails = 'No such user',\r\n EventSeverity = 'Low',\r\n EventType = 'Logon',\r\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser),\r\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\r\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\r\n };\r\n //\r\n // -- Blocked intrusion attempts\r\n let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) {\r\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\r\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\r\n | invoke _ASIM_ResolveSrcFQDN ('Src')\r\n | extend\r\n DvcAction = 'Block',\r\n EventCount = int(1),\r\n EventResult = 'Failure',\r\n EventResultDetails = 'Logon violates policy',\r\n EventSeverity = 'Medium',\r\n EventType = 'Logon',\r\n RuleName = \"Reverse mapping failed\", \r\n TargetUsername = ''\r\n | extend\r\n Rule = RuleName\r\n | project-away SyslogMessage, ProcessName, Src\r\n };\r\n let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) {\r\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\r\n SyslogProjects \r\n | where 
not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\r\n | parse SyslogMessage with \"Address \" SrcIpAddr:string \" maps to \" Src:string \", but this\" *\r\n | invoke _ASIM_ResolveSrcFQDN ('Src')\r\n | extend\r\n DvcAction = 'Block',\r\n EventCount = int(1),\r\n EventResult = 'Failure',\r\n EventResultDetails = 'Logon violates policy',\r\n EventSeverity = 'Medium',\r\n EventType = 'Logon',\r\n RuleName = \"Address to host to address mapping does not map back to address\",\r\n TargetUsername = ''\r\n | extend\r\n Rule = RuleName\r\n | project-away SyslogMessage, ProcessName, Src\r\n };\r\n let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) {\r\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\r\n SyslogProjects | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\r\n | parse SyslogMessage with * \"set up for \" SrcIpAddr:string \", ignoring\"\r\n | extend\r\n DvcAction = 'Block',\r\n EventCount = int(1),\r\n EventResult = 'Failure',\r\n EventResultDetails = 'Logon violates policy',\r\n EventSeverity = 'Medium',\r\n EventType = 'Logon',\r\n RuleName = \"Nasty PTR record set for IP Address\",\r\n TargetUsername = ''\r\n | extend\r\n Rule = RuleName\r\n | project-away SyslogMessage, ProcessName\r\n };\r\n union isfuzzy=false \r\n SSHDAccepted (disabled=disabled),\r\n SSHDFailed (disabled=disabled),\r\n SSHDInvalidUser (disabled=disabled),\r\n SSHDTimeout (disabled=disabled),\r\n SSHDABreakInAttemptMappingFailed (disabled=disabled),\r\n SSHDABreakInAttemptMappingMismatch (disabled=disabled),\r\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\r\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\r\n | extend \r\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\r\n DvcOs = 'Linux',\r\n EventEndTime = TimeGenerated,\r\n EventProduct = 'OpenSSH',\r\n EventSchema = 'Authentication',\r\n 
EventSchemaVersion = '0.1.2',\r\n EventStartTime = TimeGenerated,\r\n EventSubType = 'Remote',\r\n EventVendor = 'OpenBSD',\r\n LogonProtocol = 'ssh',\r\n TargetAppId = tostring(ProcessID),\r\n TargetAppName = 'sshd',\r\n TargetAppType = 'Service',\r\n TargetDvcOs = 'Linux',\r\n TargetUsernameType = 'Simple'\r\n | project-away Computer, ProcessID\r\n | project-rename \r\n DvcId = _ResourceId,\r\n DvcIpAddr = HostIP,\r\n DvcScopeId = _SubscriptionId,\r\n EventUid = _ItemId\r\n //\r\n // -- Aliases\r\n | extend\r\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\r\n Dvc = DvcHostname,\r\n IpAddr = SrcIpAddr,\r\n TargetDomain = DvcDomain,\r\n TargetDomainType = DvcDomainType,\r\n TargetDvcId = DvcId,\r\n TargetDvcIdType = DvcIdType,\r\n TargetDvcScopeId = DvcScopeId,\r\n TargetFQDN = DvcFQDN,\r\n TargetHostname = DvcHostname,\r\n TargetIpAddr = DvcIpAddr,\r\n User = TargetUsername,\r\n Application = TargetAppName\r\n };\r\n parser (\r\n disabled=disabled\r\n )","parameters":"disabled:bool = false","description":"Authentication ASIM parser for OpenSSH sshd.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"58a9982a-10a7-5375-aa43-cf2c92919cd1","name":"_ASim_Authentication_SshdV03","body":"let parser = (disabled:bool=false) {\r\n let LogonMethodLookup = datatable(Method: string, LogonMethod: string)\r\n [\r\n 'password', 'Username & password',\r\n 'publickey', 'PKI',\r\n 'keyboard-interactive/pam', 'PAM'\r\n ];\r\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\r\n //\r\n // -- Successful login \r\n let SSHDAccepted=(disabled:bool=false) { \r\n // -- Parse events with the format \"Accepted (password|none|publickey|etc.) 
for from port ssh2\"\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\r\n | parse SyslogMessage with \"Accepted \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\r\n | extend\r\n EventCount = int(1),\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n EventType = 'Logon'\r\n | lookup LogonMethodLookup on Method\r\n | extend LogonMethod = case(\r\n isnotempty(LogonMethod), LogonMethod,\r\n SyslogMessage has \"key RSA\", \"PKI\",\r\n \"Other\")\r\n | project-away SyslogMessage, ProcessName, Method\r\n };\r\n //\r\n // -- Failed login - incorrect password\r\n let SSHDFailed=(disabled:bool=false) {\r\n // -- Parse events with the format \"Failed (password|none|publickey|etc.) for from port ssh2[: RSA :]\"\r\n // -- Or a number of such events message repeated times: [ ]\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and (\r\n SyslogMessage startswith 'Failed' \r\n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\r\n )\r\n | parse SyslogMessage with * \"Failed \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\r\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \r\n | extend\r\n EventCount = toint(coalesce(EventCount,1)),\r\n EventResult = 'Failure',\r\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'),\r\n EventSeverity = 'Low' ,\r\n EventType = 'Logon'\r\n | lookup LogonMethodLookup on Method\r\n | extend LogonMethod = case(\r\n isnotempty(LogonMethod), LogonMethod,\r\n SyslogMessage has \"key RSA\", \"PKI\",\r\n \"Other\")\r\n | project-away SyslogMessage, ProcessName, Method\r\n };\r\n //\r\n // -- Logoff - Timeout\r\n let SSHDTimeout=(disabled:bool=false) {\r\n // -- Parse events with the format \"Timeout, client not 
responding from user yanivsh 131.107.174.198 port 7623\"\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\r\n | parse-where SyslogMessage with * \"user \" TargetUsername:string \" \" SrcIpAddr:string \" port \" SrcPortNumber:int\r\n | extend\r\n EventCount = int(1),\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n EventType = 'Logoff'\r\n | project-away SyslogMessage, ProcessName\r\n };\r\n //\r\n // -- Failed login - invalid user\r\n let SSHDInvalidUser=(disabled:bool=false) {\r\n // -- Parse events with the format \"Invalid user [] from port \"\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\r\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddrAndPort:string // SrcIpAddrAndPort can either be \"0.0.0.0 port 0\" or just \"0.0.0.0\"\r\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\r\n | extend SrcInfo = split(SrcIpAddrAndPort, \" \")\r\n | extend SrcIpAddr = tostring(SrcInfo[0]), SrcPortNumber = toint(SrcInfo[2]) // Ignore [1] (\"port\"). 
[2] will be null if there is no port.\r\n | extend\r\n EventCount = int(1),\r\n EventResult = 'Failure',\r\n EventResultDetails = 'No such user',\r\n EventSeverity = 'Low',\r\n EventType = 'Logon',\r\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser),\r\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\r\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser, SrcIpAddrAndPort, SrcInfo\r\n };\r\n //\r\n // -- Blocked intrusion attempts\r\n let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) {\r\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\r\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\r\n | invoke _ASIM_ResolveSrcFQDN ('Src')\r\n | extend\r\n DvcAction = 'Block',\r\n EventCount = int(1),\r\n EventResult = 'Failure',\r\n EventResultDetails = 'Logon violates policy',\r\n EventSeverity = 'Medium',\r\n EventType = 'Logon',\r\n RuleName = \"Reverse mapping failed\", \r\n TargetUsername = ''\r\n | extend\r\n Rule = RuleName\r\n | project-away SyslogMessage, ProcessName, Src\r\n };\r\n let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) {\r\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\r\n | parse SyslogMessage with \"Address \" SrcIpAddr:string \" maps to \" Src:string \", but this\" *\r\n | invoke _ASIM_ResolveSrcFQDN ('Src')\r\n | extend\r\n DvcAction = 'Block',\r\n EventCount = int(1),\r\n EventResult = 'Failure',\r\n EventResultDetails = 'Logon violates policy',\r\n EventSeverity = 
'Medium',\r\n EventType = 'Logon',\r\n RuleName = \"Address to host to address mapping does not map back to address\",\r\n TargetUsername = ''\r\n | extend\r\n Rule = RuleName\r\n | project-away SyslogMessage, ProcessName, Src\r\n };\r\n let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) {\r\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\r\n SyslogProjects | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\r\n | parse SyslogMessage with * \"set up for \" SrcIpAddr:string \", ignoring\"\r\n | extend\r\n DvcAction = 'Block',\r\n EventCount = int(1),\r\n EventResult = 'Failure',\r\n EventResultDetails = 'Logon violates policy',\r\n EventSeverity = 'Medium',\r\n EventType = 'Logon',\r\n RuleName = \"Nasty PTR record set for IP Address\",\r\n TargetUsername = ''\r\n | extend\r\n Rule = RuleName\r\n | project-away SyslogMessage, ProcessName\r\n };\r\n union isfuzzy=false \r\n SSHDAccepted (disabled=disabled),\r\n SSHDFailed (disabled=disabled),\r\n SSHDInvalidUser (disabled=disabled),\r\n SSHDTimeout (disabled=disabled),\r\n SSHDABreakInAttemptMappingFailed (disabled=disabled),\r\n SSHDABreakInAttemptMappingMismatch (disabled=disabled),\r\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\r\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\r\n | extend \r\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\r\n DvcOs = 'Linux',\r\n EventEndTime = TimeGenerated,\r\n EventProduct = 'OpenSSH',\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.3',\r\n EventStartTime = TimeGenerated,\r\n EventSubType = 'Remote',\r\n EventVendor = 'OpenBSD',\r\n LogonProtocol = 'ssh',\r\n TargetAppId = tostring(ProcessID),\r\n TargetAppName = 'sshd',\r\n TargetAppType = 'Service',\r\n TargetDvcOs = 'Linux',\r\n TargetUsernameType = 'Simple',\r\n Type = 'Syslog'\r\n | project-away Computer, ProcessID\r\n | project-rename \r\n DvcId = _ResourceId,\r\n DvcIpAddr = 
HostIP,\r\n DvcScopeId = _SubscriptionId,\r\n EventUid = _ItemId\r\n //\r\n // -- Aliases\r\n | extend\r\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n TargetDomain = DvcDomain,\r\n TargetDomainType = DvcDomainType,\r\n TargetDvcId = DvcId,\r\n TargetDvcIdType = DvcIdType,\r\n TargetDvcScopeId = DvcScopeId,\r\n TargetFQDN = DvcFQDN,\r\n TargetHostname = DvcHostname,\r\n TargetIpAddr = DvcIpAddr,\r\n User = TargetUsername,\r\n Application = TargetAppName\r\n | extend Dvc = Dst\r\n };\r\n parser (\r\n disabled=disabled\r\n )","parameters":"disabled:bool = false","description":"Authentication ASIM parser for OpenSSH sshd.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"6d1a0114-0988-51c4-968e-ae724bbc0741","name":"_ASim_Authentication_SuV02","body":"let parser = (disabled: bool=false)\r\n{\r\n let SyslogProjects = Syslog\r\n | project\r\n TimeGenerated,\r\n Computer,\r\n SyslogMessage,\r\n ProcessName,\r\n ProcessID,\r\n HostIP,\r\n Type,\r\n _ItemId,\r\n _ResourceId,\r\n _SubscriptionId;\r\n //\r\n // -- Successful SU\r\n // Parses the event \"Successful su for by \"\r\n let SuSignInAuthorized=(disabled: bool=false)\r\n{\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\r\n | parse SyslogMessage with * \"for \" TargetUsername: string \" by \" ActorUsername: string\r\n | extend\r\n EventType = 'Elevation'\r\n | project-away SyslogMessage, ProcessName\r\n};\r\n // \r\n // -- SU end\r\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\r\n let SuDisconnect=(disabled: bool=false)\r\n{\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\r\n | parse SyslogMessage with * \"for user \" TargetUsername: string\r\n | extend\r\n EventType = 
'Logoff'\r\n | project-away SyslogMessage, ProcessName\r\n};\r\n union isfuzzy=false \r\n SuDisconnect(disabled = disabled),\r\n SuSignInAuthorized (disabled = disabled)\r\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\r\n | extend\r\n ActingAppId = tostring(ProcessID),\r\n ActingAppType = 'Process',\r\n ActorUsernameType = 'Simple',\r\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\r\n DvcOs = 'Linux',\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventProduct = 'su',\r\n EventResult = 'Success',\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.2',\r\n EventSeverity = 'Informational',\r\n EventStartTime = TimeGenerated,\r\n EventVendor = 'Linux',\r\n TargetDvcOs = 'Linux',\r\n TargetUsernameType = 'Simple'\r\n | project-away Computer, ProcessID\r\n | project-rename \r\n DvcId = _ResourceId,\r\n DvcIpAddr = HostIP,\r\n DvcScopeId = _SubscriptionId,\r\n EventUid = _ItemId\r\n //\r\n // -- Aliases\r\n | extend\r\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\r\n Dvc = DvcHostname,\r\n IpAddr = DvcIpAddr,\r\n TargetDomain = DvcDomain,\r\n TargetDomainType = DvcDomainType,\r\n TargetDvcId = DvcId,\r\n TargetDvcIdType = DvcDomainType,\r\n TargetDvcScopeId = DvcScopeId,\r\n TargetFQDN = DvcFQDN,\r\n TargetHostname = DvcHostname,\r\n TargetIpAddr = DvcIpAddr,\r\n User = TargetUsername\r\n};\r\nparser\r\n(\r\n disabled=disabled\r\n)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Linux su.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"a883fc10-c239-51ff-92e8-d2ee3ebb7a56","name":"_ASim_Authentication_SuV03","body":"let parser = (disabled: bool=false)\r\n{\r\n let SyslogProjects = Syslog\r\n | project\r\n TimeGenerated,\r\n Computer,\r\n SyslogMessage,\r\n ProcessName,\r\n ProcessID,\r\n HostIP,\r\n Type,\r\n _ItemId,\r\n _ResourceId,\r\n _SubscriptionId;\r\n //\r\n // -- Successful SU\r\n // Parses the 
event \"Successful su for by \"\r\n let SuSignInAuthorized=(disabled: bool=false)\r\n {\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\r\n | parse SyslogMessage with * \"for \" TargetUsername: string \" by \" ActorUsername: string\r\n | extend\r\n EventType = 'Logon',\r\n EventResult = \"Success\"\r\n | project-away SyslogMessage, ProcessName\r\n };\r\n // \r\n // -- SU end\r\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\r\n let SuDisconnect=(disabled: bool=false)\r\n {\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\r\n | parse SyslogMessage with * \"for user \" TargetUsername: string\r\n | extend\r\n EventType = 'Logoff',\r\n EventResult = \"Success\"\r\n | project-away SyslogMessage, ProcessName\r\n };\r\n // Failed SU\r\n let SuFailed=(disabled: bool=false)\r\n {\r\n SyslogProjects\r\n | where not(disabled)\r\n | where ProcessName == \"su\" and SyslogMessage startswith \"FAILED SU\"\r\n | parse SyslogMessage with * \"to \" TargetUsername: string \") \" ActorUsername: string \" on \" *\r\n | extend \r\n EventType = \"Logon\",\r\n EventResult = \"Failure\"\r\n | project-away SyslogMessage, ProcessName\r\n };\r\n union isfuzzy=false \r\n SuDisconnect(disabled = disabled),\r\n SuSignInAuthorized(disabled = disabled),\r\n SuFailed(disabled = disabled)\r\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\r\n | extend\r\n ActingAppId = tostring(ProcessID),\r\n ActingAppType = 'Process',\r\n ActorUsernameType = 'Simple',\r\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\r\n DvcOs = 'Linux',\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventProduct = 'su',\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.3',\r\n EventSeverity = 'Informational',\r\n EventStartTime = TimeGenerated,\r\n EventVendor 
= 'Linux',\r\n TargetAppName = 'su',\r\n TargetDvcOs = 'Linux',\r\n TargetUsernameType = 'Simple',\r\n Type = \"Syslog\"\r\n | project-away Computer, ProcessID\r\n | project-rename \r\n DvcId = _ResourceId,\r\n DvcIpAddr = HostIP,\r\n DvcScopeId = _SubscriptionId,\r\n EventUid = _ItemId\r\n //\r\n // -- Aliases\r\n | extend\r\n SrcIpAddr = DvcIpAddr,\r\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\r\n IpAddr = DvcIpAddr,\r\n TargetDomain = DvcDomain,\r\n TargetDomainType = DvcDomainType,\r\n TargetDvcId = DvcId,\r\n TargetDvcIdType = DvcDomainType,\r\n TargetDvcScopeId = DvcScopeId,\r\n TargetFQDN = DvcFQDN,\r\n TargetHostname = DvcHostname,\r\n TargetIpAddr = DvcIpAddr,\r\n User = TargetUsername\r\n | extend Dvc = Dst\r\n | project\r\n TimeGenerated,\r\n EventType,\r\n EventResult,\r\n DvcHostname,\r\n DvcDomain,\r\n DvcFQDN,\r\n DvcDomainType,\r\n ActingAppId,\r\n ActingAppType,\r\n ActorUsernameType,\r\n DvcIdType,\r\n DvcOs,\r\n EventCount,\r\n EventEndTime,\r\n EventProduct,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventSeverity,\r\n EventStartTime,\r\n EventVendor,\r\n TargetAppName,\r\n TargetDvcOs,\r\n TargetUsernameType,\r\n Type,\r\n DvcId,\r\n DvcIpAddr,\r\n DvcScopeId,\r\n EventUid,\r\n SrcIpAddr,\r\n Dst,\r\n Dvc,\r\n IpAddr,\r\n TargetDomain,\r\n TargetDomainType,\r\n TargetDvcId,\r\n TargetDvcIdType,\r\n TargetDvcScopeId,\r\n TargetFQDN,\r\n TargetHostname,\r\n TargetIpAddr,\r\n User,\r\n TargetUsername,\r\n ActorUsername\r\n};\r\nparser\r\n(\r\n disabled=disabled\r\n)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Linux su.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"472a0def-2c79-538e-b25c-6151f6e8ec56","name":"_ASim_Authentication_SudoV01","body":"let SudoSignInAuthorized=(disabled:bool=false){\r\nSyslog \r\n | where not(disabled)\r\n | where ProcessName == \"sudo\" and \r\n SyslogMessage has 'TTY=' and \r\n SyslogMessage has 
'USER=' and\r\n SyslogMessage has 'COMMAND='\r\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\r\n | project-rename TargetUsername = USER\r\n | extend\r\n EventVendor = 'sudo',\r\n EventProduct = 'sudo',\r\n EventCount = int(1),\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.1',\r\n EventResult = 'Success',\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventType = 'Logon',\r\n DvcHostname = Computer,\r\n ActorUsernameType = 'Simple',\r\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\r\n TargetUsernameType = 'Simple',\r\n EventResultDetails = 'Other',\r\n EventOriginalRestultDetails = 'Connection authorized'\r\n// ************************\r\n// \r\n// ************************\r\n | extend\r\n User = TargetUsername,\r\n Dvc = Computer\r\n// ************************\r\n// \r\n// ************************\r\n | project-away Computer, MG, SourceSystem, TenantId\r\n };\r\nlet SudoAuthFailure1=(disabled:bool=false){\r\nSyslog | where not(disabled)\r\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\r\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\r\n | project-rename \r\n EventUid = _ItemId,\r\n TargetUsername = USER\r\n | extend\r\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\r\n ActorUsernameType = 'Simple',\r\n DvcHostname = Computer,\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventOriginalRestultDetails = 'User authentication failed',\r\n EventProduct = 'sudo',\r\n EventResult = 'Failure',\r\n EventResultDetails = 'No such user or password',\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.1',\r\n EventStartTime = TimeGenerated,\r\n EventType = 'Logon',\r\n EventVendor = 'sudo',\r\n TargetUsernameType = 'Simple'\r\n | 
project-away Computer, MG, SourceSystem, TenantId\r\n };\r\nlet SudoDisconnect=(disabled:bool=false){\r\n Syslog \r\n | where not(disabled)\r\n | where ProcessName == \"sudo\" and \r\n SyslogMessage has 'session closed for user '\r\n | parse SyslogMessage with * \"for user \" TargetUsername:string\r\n | extend\r\n DvcHostname = Computer,\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventOriginalRestultDetails = 'User session closed',\r\n EventProduct = 'sudo',\r\n EventResult = 'Success',\r\n EventResultDetails = 'Other',\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.1',\r\n EventStartTime = TimeGenerated,\r\n EventType = 'Logoff',\r\n EventVendor = 'sudo',\r\n TargetUsernameType = 'Simple'\r\n// ************************\r\n// \r\n// ************************\r\n| extend\r\n Dvc = Computer,\r\n User = TargetUsername\r\n// ************************\r\n// \r\n// ************************\r\n | project-away Computer, MG, SourceSystem, TenantId\r\n };\r\nunion isfuzzy=false \r\n SudoSignInAuthorized(disabled = disabled), \r\n SudoAuthFailure1(disabled = disabled), \r\n SudoDisconnect(disabled = disabled)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Syslog sudo.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"ac3bfd92-4174-57a1-9383-f1cb7f87bc90","name":"_ASim_Authentication_SudoV02","body":"let parser = (disabled: bool = false) {\r\n let SeverityLevelLookup = datatable (SeverityLevel: string, EventSeverity: string)\r\n [\r\n \"info\", \"Informational\",\r\n \"notice\", \"Informational\",\r\n \"alert\", \"Low\",\r\n \"error\", \"Medium\",\r\n \"err\", \"Medium\",\r\n \"critical\", \"High\",\r\n \"warning\", \"Low\",\r\n \"warn\", \"Low\",\r\n \"debug\", \"Informational\",\r\n \"crit\", \"High\"\r\n ];\r\n let SudoLogs = Syslog\r\n | where not(disabled)\r\n | where ProcessName == \"sudo\";\r\n let SudoSignInAuthorized = () 
{\r\n SudoLogs\r\n | where SyslogMessage has 'TTY=' and \r\n SyslogMessage has 'USER=' and\r\n SyslogMessage has 'COMMAND='\r\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\r\n | project-rename TargetUsername = USER\r\n | extend\r\n EventResult = 'Success',\r\n EventType = 'Logon',\r\n ActorUsernameType = 'Simple',\r\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\r\n EventResultDetails = 'Other',\r\n EventOriginalResultDetails = 'Connection authorized'\r\n };\r\n let SudoAuthenticationFailure = () {\r\n SudoLogs\r\n | where (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\r\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\r\n | project-rename \r\n TargetUsername = USER\r\n | extend\r\n EventResult = 'Failure',\r\n EventType = 'Logon',\r\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\r\n ActorUsernameType = 'Simple',\r\n EventResultDetails = 'No such user or password',\r\n EventOriginalResultDetails = 'User authentication failed'\r\n };\r\n let SudoDisconnect = () {\r\n SudoLogs\r\n | where SyslogMessage has 'session closed for user '\r\n | parse SyslogMessage with * \"for user \" TargetUsername:string\r\n | extend\r\n EventResult = 'Success',\r\n EventType = 'Logoff',\r\n EventOriginalResultDetails = 'User session closed',\r\n EventResultDetails = 'Other'\r\n };\r\n union isfuzzy=false \r\n SudoSignInAuthorized(), \r\n SudoAuthenticationFailure(),\r\n SudoDisconnect()\r\n | extend\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.4\",\r\n EventVendor = \"Linux\",\r\n EventProduct = \"sudo\",\r\n TargetUsernameType = \"Simple\",\r\n Type = \"Syslog\",\r\n ActingAppId = tostring(ProcessID)\r\n | extend\r\n SrcIpAddr = 
iff(ipv4_is_in_range(HostIP, \"0.0.0.0/0\"), HostIP, \"\"),\r\n TargetAppType = \"Process\"\r\n | lookup SeverityLevelLookup on SeverityLevel\r\n | project-rename\r\n SrcHostname = HostName,\r\n DvcHostname = Computer,\r\n EventOriginalSeverity = SeverityLevel,\r\n ActingAppName = ProcessName,\r\n EventUid = _ItemId\r\n | extend\r\n TargetAppName = ActingAppName,\r\n Application = ActingAppName,\r\n User = TargetUsername,\r\n DvcIpAddr = SrcIpAddr,\r\n IpAddr = SrcIpAddr,\r\n Src = coalesce(SrcIpAddr, SrcHostname),\r\n Dvc = coalesce(SrcIpAddr, DvcHostname)\r\n | project\r\n TimeGenerated,\r\n EventCount,\r\n EventStartTime,\r\n EventEndTime,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventVendor,\r\n EventProduct,\r\n EventResult,\r\n EventType,\r\n ActorUsername,\r\n ActorUsernameType,\r\n EventResultDetails,\r\n EventOriginalResultDetails,\r\n TargetUsername,\r\n TargetUsernameType,\r\n Type,\r\n SrcIpAddr,\r\n SrcHostname,\r\n EventSeverity,\r\n DvcHostname,\r\n EventOriginalSeverity,\r\n ActingAppName,\r\n ActingAppId,\r\n EventUid,\r\n TargetAppName,\r\n TargetAppType,\r\n Application,\r\n Src,\r\n Dvc,\r\n User,\r\n DvcIpAddr,\r\n IpAddr\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Syslog sudo.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"810886bf-781f-53eb-af42-85fec417b5db","name":"_ASim_Authentication_VMwareCarbonBlackCloudV01","body":"let parser = (disabled: bool=false) {\r\n CarbonBlackAuditLogs_CL\r\n | where not(disabled)\r\n | where description_s has_any (\"logged in\", \"login\",\"second factor authentication\") and description_s !has \"connector\"\r\n | extend\r\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\r\n EventResult = iff(description_s has \"successfully\", \"Success\", \"Failure\"),\r\n AdditionalFields = bag_pack(\"flagged\", flagged_b),\r\n EventSeverity = iff(flagged_b 
== true, \"Low\", \"Informational\")\r\n | extend\r\n EventCount = int(1),\r\n EventProduct = \"Carbon Black Cloud\",\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.3\",\r\n EventVendor = \"VMware\",\r\n EventType = \"Logon\",\r\n EventResultDetails = case(\r\n EventResult == \"Failure\" and description_s has (\"locked\"),\r\n \"User locked\",\r\n EventResult == \"Failure\" and description_s has_any (\"logged in\", \"login\"),\r\n \"Incorrect password\",\r\n EventResult == \"Failure\" and description_s has (\"second factor authentication\"),\r\n \"MFA not satisfied\",\r\n \"\"\r\n ),\r\n EventOriginalResultDetails = iff(EventResult == \"Failure\", tostring(split(description_s, ';')[1]), \"\")\r\n | project-rename\r\n EventMessage = description_s,\r\n EventOriginalUid = eventId_g,\r\n TargetUsername = loginName_s,\r\n SrcIpAddr = clientIp_s,\r\n EventUid=_ItemId,\r\n EventOwner = orgName_s\r\n | extend\r\n IpAddr = SrcIpAddr,\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\r\n Dvc = EventProduct,\r\n EventEndTime = EventStartTime,\r\n User = TargetUsername,\r\n Src = SrcIpAddr\r\n | project-away\r\n *_s,\r\n *_d,\r\n *_b,\r\n _ResourceId,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId \r\n};\r\nparser(disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"ASIM Authentication parser for VMware Carbon Black Cloud.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"4bbfb554-ba4f-5ba4-b72e-e707efe0b1e2","name":"_ASim_Authentication_VMwareVCenterV01","body":"let parser = (disabled: bool = false, pack: bool = false) {\r\n let EventSeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity: string) [\r\n \"info\", \"Informational\"\r\n ];\r\n let EventTypeLookup = datatable (EventOriginalType: string, EventType: string) [\r\n 
\"vim.event.UserLoginSessionEvent\", \"Logon\",\r\n \"vim.event.UserLogoutSessionEvent\", \"LogOff\"\r\n ];\r\n let LoginEvents = (T: (Message: string), TableType: string) {\r\n T\r\n | where Message has \"UserLoginSessionEvent\"\r\n | extend Type = TableType\r\n | parse Message with PreEventString \"Event [\" EventOriginalUid:string \"] [1-1] [\" EventTime:datetime \"] [\" EventOriginalType:string \"] [\" EventOriginalSeverity:string \"]\" * \"[User \" TargetUsername:string \"@\" SrcIpAddr:string \" logged in as \" HttpUserAgent:string \"]\" *\r\n | extend DvcId = tostring(split(PreEventString, \" \")[3]);\r\n };\r\n let LogoutEvents = (T: (Message: string), TableType: string) {\r\n T\r\n | where Message has \"UserLogoutSessionEvent\"\r\n | extend Type = TableType\r\n | parse Message with PreEventString \"Event [\" EventOriginalUid: string \"] [1-1] [\" EventTime: datetime \"] [\" EventOriginalType: string \"] [\" EventOriginalSeverity:string \"]\" * \"[User \" TargetUsername:string \"@\" SrcIpAddr \" logged out (login time:\" LoginTime: string \", number of API invocations: \" APIInvocationCount: string \", user agent:\" HttpUserAgent: string \")]\" *\r\n | extend DvcId = tostring(split(PreEventString, \" \")[3]);\r\n };\r\n let vCenterLogs = vcenter_CL\r\n | where not(disabled);\r\n let AzureVCenterLogs = AVSVcSyslog\r\n | where not(disabled);\r\n union\r\n LoginEvents(vCenterLogs, \"vcenter_CL\"),\r\n LogoutEvents(vCenterLogs, \"vcenter_CL\"),\r\n LoginEvents(AzureVCenterLogs, \"AVSVcSyslog\"),\r\n LogoutEvents(AzureVCenterLogs, \"AVSVcSyslog\")\r\n | extend\r\n EventVendor = \"VMware\",\r\n EventProduct = \"vCenter\",\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.4\",\r\n EventStartTime = EventTime,\r\n EventEndTime = EventTime,\r\n EventCount = coalesce(toint(APIInvocationCount), int(1)),\r\n TargetUsernameType = \"Simple\",\r\n EventResult = \"Success\"\r\n | lookup EventTypeLookup on EventOriginalType\r\n | lookup EventSeverityLookup 
on EventOriginalSeverity\r\n | project-rename\r\n EventOriginalResultDetails = Message\r\n | extend\r\n AdditionalFields = iff(pack, bag_pack(\"LoginTime\", LoginTime), dynamic([])),\r\n IpAddr = SrcIpAddr,\r\n User = TargetUsername,\r\n Dvc = DvcId\r\n | project\r\n TimeGenerated,\r\n Type,\r\n EventVendor,\r\n EventProduct,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventStartTime,\r\n EventEndTime,\r\n EventCount,\r\n TargetUsernameType,\r\n EventResult,\r\n EventOriginalType,\r\n EventType,\r\n EventSeverity,\r\n EventOriginalSeverity,\r\n EventOriginalResultDetails,\r\n EventOriginalUid,\r\n TargetUsername,\r\n SrcIpAddr,\r\n HttpUserAgent,\r\n AdditionalFields,\r\n IpAddr,\r\n Dvc,\r\n DvcId,\r\n User;\r\n};\r\nparser(disabled=disabled, pack=pack)\r\n","parameters":"disabled:bool = false, pack:bool = false","description":"ASIM Authentication parser for VMware vCenter.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"987bc689-20d4-5536-ab25-20c43137212a","name":"_ASim_Authentication_VectraXDRAuditV01","body":"let parser = (disabled:bool = false)\r\n{\r\n Audits_Data_CL\r\n | where not(disabled) and event_action_s in (\"login\",\"logout\")\r\n | extend\r\n EventCount = int(1),\r\n EventEndTime = event_timestamp_t,\r\n EventProduct = 'Vectra XDR',\r\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\"),\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.3\",\r\n EventStartTime = event_timestamp_t,\r\n EventType = case(event_action_s==\"login\", \"Logon\", event_action_s==\"logout\", \"Logoff\",\"\"),\r\n EventVendor = 'Vectra',\r\n ActorUserId = tostring(toint(user_id_d)),\r\n ActorUserIdType = \"VectraUserId\",\r\n ActorUsernameType = \"UPN\",\r\n EventUid = tostring(toint(id_d))\r\n | project-rename\r\n DvcIpAddr = source_ip_s,\r\n ActorOriginalUserType = user_type_s,\r\n ActorUsername = username_s,\r\n 
EventMessage = Message,\r\n EventProductVersion = version_s\r\n | extend\r\n User = ActorUsername,\r\n Dvc = DvcIpAddr\r\n | project-away\r\n *_d, *_s, event_timestamp_t, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\r\n};\r\nparser (disabled=disabled)","parameters":"disabled:bool = false","description":"Authentication ASIM parser for Vectra XDR Audit Logs Event.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"28711922-7194-5661-9b56-0084740d77a3","name":"_Im_Authentication","body":"union isfuzzy=true\r\n_Im_AuthenticationBuiltIn(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, pack= pack),\r\nIm_AuthenticationSolutions(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, pack= pack),\r\nIm_AuthenticationCustom(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, pack= pack)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = 
dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', pack:bool = false","description":"Authentication ASIM filtering parser.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"49e89c0a-0759-5596-92af-91ec2817b0a8","name":"_Im_AuthenticationBuiltIn","body":"let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') \r\n| where SearchKey in ('Any', 'Exclude_Im_Authentication') \r\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') \r\n| where isnotempty(SourceSpecificParser) \r\n| summarize list = make_set(SourceSpecificParser));\r\nlet builtInDisabled = 0 != array_length(set_intersect(toscalar(DisabledParsers),dynamic(['Exclude_Im_AuthenticationBuiltIn', 'Exclude_Im_Authentication', 'Any'])));\r\nunion isfuzzy=true\r\n_Im_Authentication_AADManagedIdentitySignInLogsV02(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_AADManagedIdentitySignInLogs' in (DisabledParsers)))),\r\n_Im_Authentication_AADNonInteractiveUserSignInLogsV02(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_AADNonInteractiveUserSignInLogs' in (DisabledParsers)))),\r\n_Im_Authentication_AADServicePrincipalSignInLogsV02(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= 
targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_AADServicePrincipalSignInLogs' in (DisabledParsers)))),\r\n_Im_Authentication_SigninLogsV04(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_SigninLogs' in (DisabledParsers)))),\r\n_Im_Authentication_AWSCloudTrailV02(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_AWSCloudTrail' in (DisabledParsers)))),\r\n_Im_Authentication_BarracudaWAFV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_BarracudaWAF' in (DisabledParsers)))),\r\n_Im_Authentication_CiscoASAV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= 
eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_CiscoASA' in (DisabledParsers)))),\r\n_Im_Authentication_CiscoDNACV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_CiscoDNAC' in (DisabledParsers)))),\r\n_Im_Authentication_CiscoIOSV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_CiscoIOS' in (DisabledParsers)))),\r\n_Im_Authentication_CiscoISEV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_CiscoISE' in (DisabledParsers)))),\r\n_Im_Authentication_CiscoISEAdministratorV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_CiscoISEAdministrator' in (DisabledParsers))), pack= pack),\r\n_Im_Authentication_CiscoMerakiV02(starttime= 
starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_CiscoMeraki' in (DisabledParsers)))),\r\n_Im_Authentication_CiscoMerakiSyslogV02(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_CiscoMerakiSyslog' in (DisabledParsers)))),\r\n_Im_Authentication_CrowdStrikeFalconHostV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_CrowdStrikeFalconHost' in (DisabledParsers)))),\r\n_Im_Authentication_EmptyV02,\r\n_Im_Authentication_FortinetFortigateV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_FortinetFortigate' in (DisabledParsers)))),\r\n_Im_Authentication_GoogleWorkspaceV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, 
srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_GoogleWorkspace' in (DisabledParsers)))),\r\n_Im_Authentication_IllumioSaaSCoreV03(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_IllumioSaaSCore' in (DisabledParsers)))),\r\n_Im_Authentication_M365DefenderV02(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_M365Defender' in (DisabledParsers)))),\r\n_Im_Authentication_MD4IoTV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_MD4IoT' in (DisabledParsers)))),\r\n_Im_Authentication_MicrosoftWindowsEventV03(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, 
disabled= (builtInDisabled or('Exclude_Im_Authentication_MicrosoftWindowsEvent' in (DisabledParsers)))),\r\n_Im_Authentication_NativeV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_Native' in (DisabledParsers)))),\r\n_Im_Authentication_OktaSSOV04(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_OktaSSO' in (DisabledParsers)))),\r\n_Im_Authentication_OktaSystemLogsV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_OktaSystemLogs' in (DisabledParsers)))),\r\n_Im_Authentication_OktaV2V04(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_OktaV2' in (DisabledParsers)))),\r\n_Im_Authentication_PaloAltoCortexDataLakeV02(starttime= starttime, endtime= endtime, username_has_any= username_has_any, 
targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_PaloAltoCortexDataLake' in (DisabledParsers)))),\r\n_Im_Authentication_PaloAltoGlobalProtectV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_PaloAltoGlobalProtect' in (DisabledParsers))), pack= pack),\r\n_Im_Authentication_PaloAltoPanOSV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_PaloAltoPanOS' in (DisabledParsers))), pack= pack),\r\n_Im_Authentication_PostgreSQLV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_PostgreSQL' in (DisabledParsers)))),\r\n_Im_Authentication_SalesforceSCV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, 
eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_SalesforceSC' in (DisabledParsers)))),\r\n_Im_Authentication_SentinelOneV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_SentinelOne' in (DisabledParsers)))),\r\n_Im_Authentication_SshdV03(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_Sshd' in (DisabledParsers)))),\r\n_Im_Authentication_SuV03(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_Su' in (DisabledParsers)))),\r\n_Im_Authentication_SudoV02(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_Sudo' in (DisabledParsers)))),\r\n_Im_Authentication_VectraXDRAuditV01(starttime= 
starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_VectraXDRAudit' in (DisabledParsers)))),\r\n_Im_Authentication_VMwareCarbonBlackCloudV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_VMwareCarbonBlackCloud' in (DisabledParsers)))),\r\n_Im_Authentication_VMwareVCenterV01(starttime= starttime, endtime= endtime, username_has_any= username_has_any, targetappname_has_any= targetappname_has_any, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, srchostname_has_any= srchostname_has_any, eventtype_in= eventtype_in, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_Authentication_VMwareVCenter' in (DisabledParsers))), pack= pack)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', pack:bool = false","description":"Authentication ASIM built-in union 
parser.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"474823eb-1dcf-5681-9ac4-e78d35e2d0ae","name":"_Im_Authentication_AADManagedIdentitySignInLogsV02","body":"let AADResultTypes = (T: (ResultType: string))\r\n{\r\n let AADResultTypesLookup = datatable\r\n(\r\n ResultType: string,\r\n EventResultDetails: string,\r\n EventType: string,\r\n EventResult: string,\r\n EventOriginalResultDetails: string,\r\n EventSeverity: string\r\n)\r\n[\r\n \"0\", \"\", \"Logon\", \"Success\", \"\", \"Informational\",\r\n \"53003\", \"Logon violates policy\", \"Logon\", \"Failure\", \"53003 - BlockedByConditionalAccess\", \"Low\",\r\n \"50034\", \"No such user\", \"Logon\", \"Failure\", \"50034 - UserAccountNotFound\", \"Low\",\r\n \"50059\", \"No such user\", \"Logon\", \"Failure\", \"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\r\n \"50053\", \"User locked\", \"Logon\", \"Failure\", \"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\r\n \"50055\", \"Password expired\", \"Logon\", \"Failure\", \"50055 - InvalidPasswordExpiredPassword\", \"Low\",\r\n \"50056\", \"Incorrect password\", \"Logon\", \"Failure\", \"50056 - Invalid or null password\", \"Low\",\r\n \"50057\", \"User disabled\", \"Logon\", \"Failure\", \"50057 - UserDisabled\", \"Low\",\r\n \"50058\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50058 - UserInformationNotProvided\", \"Low\",\r\n \"50011\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50011 - The redirect URI specified in the request does not match\", \"Low\",\r\n \"50064\", \"No such user or password\", \"Logon\", \"Failure\", \"50064 - CredentialAuthenticationError\", \"Low\",\r\n \"50076\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\r\n \"50079\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\r\n 
\"50105\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50105 - EntitlementGrantsNotFound\", \"Low\",\r\n \"50126\", \"No such user or password\", \"Logon\", \"Failure\", \"50126 - InvalidUserNameOrPassword\", \"Low\",\r\n \"50132\", \"Password expired\", \"Logon\", \"Failure\", \"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\r\n \"50133\", \"Password expired\", \"Logon\", \"Failure\", \"50133 - SsoArtifactRevoked\", \"Low\",\r\n \"50144\", \"Password expired\", \"Logon\", \"Failure\", \"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\r\n \"50173\", \"Session expired\", \"Logon\", \"Failure\", \"50173 -FreshTokenNeeded\", \"Low\",\r\n \"80012\", \"Logon violates policy\", \"Logon\", \"Failure\", \"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\r\n \"51004\", \"No such user\", \"Logon\", \"Failure\", \"51004 - UserAccountNotInDirectory\", \"Low\",\r\n \"50072\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\r\n \"50005\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50005 - DevicePolicyError\", \"Low\",\r\n \"50020\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50020 - UserUnauthorized\", \"Low\",\r\n \"50074\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\r\n \"70008\", \"Session expired\", \"Logon\", \"Failure\", \"70008 - ExpiredOrRevokedGrant\", \"Low\",\r\n \"700016\", \"No such user\", \"Logon\", \"Failure\", \"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\r\n \"500011\", \"No such user\", \"Logon\", \"Failure\", \"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\r\n \"700027\", \"Incorrect key\", \"Logon\", \"Failure\", \"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\r\n \"100003\", \"Other\", \"Logon\", \"Failure\", \"100003\", \"Low\",\r\n \"700082\", \"Session 
expired\", \"Logon\", \"Failure\", \"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\r\n \"530034\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\r\n \"530032\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\r\n \"50061\", \"\", \"Logoff\", \"Failure\", \"50061 - SignoutInvalidRequest\", \"Low\",\r\n \"50068\", \"\", \"Logoff\", \"Failure\", \"50068 - SignoutInitiatorNotParticipant\", \"Low\",\r\n \"50078\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50078 - UserStrongAuthExpired\", \"Low\"\r\n];\r\n T \r\n | lookup AADResultTypesLookup on ResultType\r\n | extend\r\n EventType = iff(isempty(EventType), \"Logon\", EventType)\r\n ,\r\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\r\n ,\r\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\r\n ,\r\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\r\n};\r\nlet parser = (\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n )\r\n{\r\n AADManagedIdentitySignInLogs\r\n | where not(disabled)\r\n and (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated \r\n // *************************************************************************\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated \r\n // ************************************************************************* \r\n | extend\r\n EventVendor = 
'Microsoft'\r\n ,\r\n EventProduct = 'AAD'\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n EventCount=int(1)\r\n ,\r\n EventResult = iff (ResultType == 0, 'Success', 'Failure')\r\n ,\r\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\r\n ,\r\n EventStartTime = TimeGenerated\r\n ,\r\n EventEndTime= TimeGenerated\r\n ,\r\n EventType= 'Logon'\r\n ,\r\n SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\r\n ,\r\n SrcHostname =tostring(todynamic(DeviceDetail).displayName)\r\n ,\r\n SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\r\n ,\r\n Location = todynamic(LocationDetails)\r\n ,\r\n TargetAppId = ResourceIdentity \r\n ,\r\n EventSubType = 'NonInteractive'\r\n ,\r\n TargetUsernameType='UPN'\r\n ,\r\n TargetUserIdType='AADID'\r\n ,\r\n TargetAppName=ResourceDisplayName\r\n // Filtering on 'eventresult'\r\n | where (eventresult == \"*\" or (EventResult == eventresult))\r\n | extend\r\n SrcGeoCity=tostring(Location.city)\r\n ,\r\n SrcGeoCountry=tostring(Location.countryOrRegion)\r\n ,\r\n SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\r\n ,\r\n SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\r\n | project-rename\r\n EventOriginalUid =Id\r\n ,\r\n LogonMethod = AuthenticationRequirement\r\n ,\r\n HttpUserAgent=UserAgent\r\n ,\r\n TargetSessionId=CorrelationId\r\n ,\r\n TargetUserId = UserId\r\n ,\r\n TargetUsername=UserPrincipalName\r\n ,\r\n SrcIpAddr = IPAddress\r\n // mapping ASimMatchingUsername\r\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n // ActorUsername not coming from source. 
Hence, not mapped.\r\n | extend ASimMatchingUsername = case(\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n \"No match\"\r\n )\r\n | lookup FailedReason on ResultType\r\n // filtering on 'eventresultdetails_in'\r\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\r\n | extend\r\n User=TargetUsername\r\n ,\r\n LogonTarget=ResourceIdentity\r\n ,\r\n Dvc=EventVendor\r\n // -- Entity identifier explicit aliases\r\n ,\r\n TargetUserUpn = TargetUsername\r\n ,\r\n TargetUserAadId = TargetUserId\r\n};\r\nAADNIAuthentication(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM filtering parser for Microsoft Entra ID non-interactive sign-in logs.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"3c6c7bcb-d601-5f76-9c0b-9287b3b24925","name":"_Im_Authentication_AADServicePrincipalSignInLogsV02","body":"let AADResultTypes = (T: (ResultType: string))\r\n{\r\n let AADResultTypesLookup = datatable\r\n(\r\n ResultType: string,\r\n EventResultDetails: string,\r\n EventType: string,\r\n EventResult: string,\r\n EventOriginalResultDetails: string,\r\n EventSeverity: string\r\n)\r\n[\r\n \"0\", \"\", \"Logon\", 
\"Success\", \"\", \"Informational\",\r\n \"53003\", \"Logon violates policy\", \"Logon\", \"Failure\", \"53003 - BlockedByConditionalAccess\", \"Low\",\r\n \"50034\", \"No such user\", \"Logon\", \"Failure\", \"50034 - UserAccountNotFound\", \"Low\",\r\n \"50059\", \"No such user\", \"Logon\", \"Failure\", \"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\r\n \"50053\", \"User locked\", \"Logon\", \"Failure\", \"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\r\n \"50055\", \"Password expired\", \"Logon\", \"Failure\", \"50055 - InvalidPasswordExpiredPassword\", \"Low\",\r\n \"50056\", \"Incorrect password\", \"Logon\", \"Failure\", \"50056 - Invalid or null password\", \"Low\",\r\n \"50057\", \"User disabled\", \"Logon\", \"Failure\", \"50057 - UserDisabled\", \"Low\",\r\n \"50058\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50058 - UserInformationNotProvided\", \"Low\",\r\n \"50011\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50011 - The redirect URI specified in the request does not match\", \"Low\",\r\n \"50064\", \"No such user or password\", \"Logon\", \"Failure\", \"50064 - CredentialAuthenticationError\", \"Low\",\r\n \"50076\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\r\n \"50079\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\r\n \"50105\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50105 - EntitlementGrantsNotFound\", \"Low\",\r\n \"50126\", \"No such user or password\", \"Logon\", \"Failure\", \"50126 - InvalidUserNameOrPassword\", \"Low\",\r\n \"50132\", \"Password expired\", \"Logon\", \"Failure\", \"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\r\n \"50133\", \"Password expired\", \"Logon\", \"Failure\", \"50133 - SsoArtifactRevoked\", \"Low\",\r\n \"50144\", \"Password expired\", \"Logon\", \"Failure\", \"50144 - InvalidPasswordExpiredOnPremPassword\", 
\"Low\",\r\n \"50173\", \"Session expired\", \"Logon\", \"Failure\", \"50173 -FreshTokenNeeded\", \"Low\",\r\n \"80012\", \"Logon violates policy\", \"Logon\", \"Failure\", \"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\r\n \"51004\", \"No such user\", \"Logon\", \"Failure\", \"51004 - UserAccountNotInDirectory\", \"Low\",\r\n \"50072\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\r\n \"50005\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50005 - DevicePolicyError\", \"Low\",\r\n \"50020\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50020 - UserUnauthorized\", \"Low\",\r\n \"50074\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\r\n \"70008\", \"Session expired\", \"Logon\", \"Failure\", \"70008 - ExpiredOrRevokedGrant\", \"Low\",\r\n \"700016\", \"No such user\", \"Logon\", \"Failure\", \"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\r\n \"500011\", \"No such user\", \"Logon\", \"Failure\", \"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\r\n \"700027\", \"Incorrect key\", \"Logon\", \"Failure\", \"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\r\n \"100003\", \"Other\", \"Logon\", \"Failure\", \"100003\", \"Low\",\r\n \"700082\", \"Session expired\", \"Logon\", \"Failure\", \"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\r\n \"530034\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\r\n \"530032\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\r\n \"50061\", \"\", \"Logoff\", \"Failure\", \"50061 - SignoutInvalidRequest\", \"Low\",\r\n \"50068\", \"\", \"Logoff\", \"Failure\", \"50068 - SignoutInitiatorNotParticipant\", 
\"Low\",\r\n \"50078\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50078 - UserStrongAuthExpired\", \"Low\",\r\n \"7000222\", \"Session expired\", \"Logon\", \"Failure\", \"7000222 - The provided client secret keys are expired\", \"Low\",\r\n \"70021\", \"No such user\", \"Logon\", \"Failure\", \"70021 - No matching federated identity record found for presented assertion\", \"Low\",\r\n \"500341\", \"User disabled\", \"Logon\", \"Failure\", \"500341 - The user account has been deleted from the directory\", \"Low\",\r\n \"1002016\", \"Logon violates policy\", \"Logon\", \"Failure\", \"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\r\n \"7000215\", \"Incorrect password\", \"Logon\", \"Failure\", \"7000215 - Invalid client secret is provided\", \"Low\",\r\n \"90033\", \"Transient error\", \"Logon\", \"Failure\", \"90033 - A transient error has occurred\", \"Informational\",\r\n \"90024\", \"Transient error\", \"Logon\", \"Failure\", \"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\"\r\n];\r\n T \r\n | lookup AADResultTypesLookup on ResultType\r\n | extend\r\n EventType = iff(isempty(EventType), \"Logon\", EventType)\r\n ,\r\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\r\n ,\r\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\r\n ,\r\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\r\n};\r\nlet parser = (\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n )\r\n{\r\n AADServicePrincipalSignInLogs\r\n | where 
not(disabled)\r\n and (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime) and\r\n (isnull(endtime) or TimeGenerated User IP \" *\r\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\r\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID == 315011\r\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\r\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\r\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\r\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID == 113010\r\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\r\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\r\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID == 113006\r\n | parse Message with * 'User ' TargetUsername ' locked' *\r\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\r\n and ((array_length(srcipaddr_has_any_prefix) == 0))\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID == 716040\r\n | parse Message with * 'Denied ' TargetUsername ' login' *\r\n | 
where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\r\n and ((array_length(srcipaddr_has_any_prefix) == 0))\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID == 713198\r\n | parse Message with * 'Failed: ' TargetUsername ' User' *\r\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\r\n and ((array_length(srcipaddr_has_any_prefix) == 0))\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID == 716038\r\n | parse Message with * 'User IP Authentication'*\r\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\r\n and ((array_length(srcipaddr_has_any_prefix) == 0))\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID in(772002)\r\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\r\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\r\n and ((array_length(srcipaddr_has_any_prefix) == 0))\r\n | project-away Message\r\n ),\r\n (\r\n LogMessages\r\n | where DeviceEventClassID in(772003, 772004)\r\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\r\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\r\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\r\n | project-away Message\r\n ), \r\n (\r\n LogMessages\r\n | where DeviceEventClassID in(772005)\r\n | parse Message with * 'user ' TargetUsername ' passed'\r\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\r\n and ((array_length(srcipaddr_has_any_prefix) == 0))\r\n | project-away Message\r\n ), \r\n (\r\n LogMessages\r\n | where DeviceEventClassID in(772006)\r\n | parse Message with * 'user ' 
TargetUsername ' failed'\r\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\r\n and ((array_length(srcipaddr_has_any_prefix) == 0))\r\n | project-away Message\r\n )\r\n // mapping ASimMatchingUsername\r\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n // ActorUsername not coming from source. Hence, not mapped.\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n \"No match\"\r\n )\r\n | project-rename \r\n DvcHostname = Computer,\r\n EventUid = _ItemId,\r\n EventOriginalType = DeviceEventClassID,\r\n DvcIpAddr = DeviceAddress\r\n | extend \r\n EventSchemaVersion = \"0.1.3\",\r\n EventSchema = \"Authentication\",\r\n EventVendor = \"Cisco\",\r\n EventProduct = \"ASA\",\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n Dvc = DvcHostname,\r\n User = TargetUsername,\r\n Src = SrcIpAddr,\r\n IpAddr = SrcIpAddr,\r\n Dst = TargetIpAddr,\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", EventResultDetails)\r\n // filtering on 'eventresultdetails_in'\r\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\r\n };\r\n parser (\r\n starttime=starttime,\r\n endtime=endtime,\r\n username_has_any=username_has_any,\r\n targetappname_has_any=targetappname_has_any,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n srchostname_has_any=srchostname_has_any,\r\n eventtype_in=eventtype_in,\r\n eventresultdetails_in=eventresultdetails_in,\r\n eventresult=eventresult,\r\n disabled=disabled\r\n ) ","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = 
dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM filtering parser for Cisco device logon events.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"cb619d81-23ad-57a5-899b-a5060af6f0ac","name":"_Im_Authentication_CiscoDNACV01","body":"let parser = (\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false) {\r\nlet DNACEvents = Syslog\r\n| where not(disabled)\r\n| where ProcessName == \"DNAC\"\r\n| where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated ******************************\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated *****************************\r\n | where ProcessName has_any (\"CISE\", \"CSCO\")\r\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\r\n | where EventOriginalType in (EventOriginalTypeList)\r\n | lookup EventFieldsLookup on EventOriginalType\r\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\r\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\r\n and ((array_length(eventresultdetails_in) == 0) or (EventResultDetails in~ (eventresultdetails_in)))\r\n and ((eventresult == \"*\") or (EventResult == eventresult))\r\n | parse-kv SyslogMessage as (FailureReason: 
string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, ['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\r\n | project-rename\r\n LogonProtocol=Protocol\r\n ,\r\n TargetIpAddr=DestinationIPAddress\r\n ,\r\n TargetPortNumber=DestinationPort\r\n ,\r\n TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\r\n ,\r\n SrcPortNumber=['Device Port']\r\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\r\n | extend\r\n EventStartTime = coalesce(EventTime, TimeGenerated)\r\n ,\r\n EventEndTime = coalesce(EventTime, TimeGenerated)\r\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\r\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\r\n | extend\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\r\n ,\r\n SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\r\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\r\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\r\n // ********************** **********************************\r\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\r\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\r\n // ********************** *********************************\r\n // mapping ASimMatchingUsername\r\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n // ActorUsername not coming from source. 
Hence, not mapped.\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n \"No match\"\r\n )\r\n | extend \r\n EventVendor = \"Cisco\"\r\n ,\r\n EventProduct = \"ISE\"\r\n ,\r\n EventProductVersion = \"3.2\"\r\n ,\r\n EventCount = int(1)\r\n ,\r\n EventSchema = \"Authentication\"\r\n ,\r\n EventSchemaVersion = \"0.1.3\" \r\n // ************************* **********************\r\n | extend \r\n Dvc = coalesce(DvcIpAddr, DvcHostname)\r\n ,\r\n IpAddr = SrcIpAddr\r\n ,\r\n Dst = TargetIpAddr\r\n ,\r\n Src = SrcIpAddr\r\n ,\r\n User = TargetUsername\r\n // ************************* ******************** \r\n | project-away\r\n TenantId,\r\n SourceSystem,\r\n MG,\r\n Computer,\r\n EventTime,\r\n Facility,\r\n HostName,\r\n SeverityLevel,\r\n SyslogMessage,\r\n HostIP,\r\n ProcessName,\r\n ProcessID,\r\n _ResourceId,\r\n FailureReason,\r\n NetworkDeviceName,\r\n ['User-Name'],\r\n UserName,\r\n User,\r\n ['Remote-Address'],\r\n ['Device IP Address'],\r\n ['Caller-Station-ID']\r\n};\r\nCiscoISEAuthParser(\r\n starttime=starttime,\r\n endtime=endtime,\r\n username_has_any=username_has_any,\r\n targetappname_has_any=targetappname_has_any,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n srchostname_has_any=srchostname_has_any,\r\n eventtype_in=eventtype_in,\r\n eventresultdetails_in=eventresultdetails_in,\r\n eventresult=eventresult,\r\n disabled=disabled\r\n)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM filtering parser for Cisco 
ISE.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"1be457d9-37da-557e-b848-c876083c4195","name":"_Im_Authentication_CiscoMerakiSyslogV02","body":"let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\r\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\r\n [\r\n \"0\", \"Other\",\r\n \"1\", \"Other\",\r\n \"2\", \"Password expired\",\r\n \"3\", \"Other\",\r\n \"4\", \"Session expired\",\r\n \"5\", \"Other\",\r\n \"6\", \"Other\",\r\n \"7\", \"Other\",\r\n \"8\", \"Other\",\r\n \"9\", \"Other\",\r\n \"10\", \"Logon violates policy\",\r\n \"11\", \"Logon violates policy\",\r\n \"12\", \"Other\",\r\n \"13\", \"Logon violates policy\",\r\n \"14\", \"Other\",\r\n \"15\", \"Other\",\r\n \"16\", \"Other\",\r\n \"17\", \"Other\",\r\n \"18\", \"Incorrect key\",\r\n \"19\", \"Incorrect key\",\r\n \"20\", \"Incorrect key\",\r\n \"21\", \"Other\",\r\n \"22\", \"Other\",\r\n \"23\", \"Other\",\r\n \"24\", \"Logon violates policy\",\r\n];\r\nlet EventFieldsLookup = datatable (\r\n LogSubType: string,\r\n EventResult: string,\r\n EventType: string,\r\n EventSeverity: string\r\n)\r\n [\r\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\r\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\r\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\r\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\r\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\r\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\r\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\r\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\r\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\r\n];\r\nlet parser = (\r\n starttime: datetime=datetime(null), \r\n endtime: 
datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n ) {\r\n (\r\n Syslog\r\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\r\n | project-rename LogMessage = SyslogMessage\r\n )\r\n | where not(disabled)\r\n and LogMessage has \"events\"\r\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all (\"disassociation\", \"auth_neg_failed\"))\r\n and (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or Timestamp = starttime) \r\n and (isnull(endtime) or TimeGenerated \r\n // *************************************************************************\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated \r\n // ************************************************************************* \r\n | extend\r\n EventDetails = todynamic(EventDetails)\r\n //\r\n | extend\r\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \r\n EventProduct = 'Microsoft Defender for IoT',\r\n EventCount=int(1),\r\n EventVendor = 'Microsoft', \r\n EventSchemaVersion = '0.1.0', \r\n EventStartTime = todatetime(EventDetails.TimestampUTC), \r\n EventEndTime = todatetime(TimeGenerated), 
\r\n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \r\n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success') \r\n // Filtering on 'eventtype_in' and 'eventresult'\r\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\r\n and (eventresult == \"*\" or (EventResult == eventresult))\r\n | extend\r\n ActingProcessId = tostring(EventDetails.ProcessId), \r\n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \r\n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\r\n TargetUsernameType = \"Simple\",\r\n TargetUsername = tostring(EventDetails.UserName)\r\n | extend SrcIpAddr = tostring(EventDetails.RemoteAddress)\r\n // Post-filtering on username_has_any and srcipaddr_has_any_prefix\r\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\r\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\r\n // mapping ASimMatchingUsername\r\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n // ActorUsername not coming from source. 
Hence, not mapped.\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n \"No match\"\r\n )\r\n | project-rename\r\n DvcHostname = DeviceId, \r\n EventProductVersion = AgentVersion, // -- Not available in Windows\r\n _ResourceId = AssociatedResourceId, \r\n _SubscriptionId = AzureSubscriptionId \r\n //\r\n // -- aliases\r\n | extend \r\n User = TargetUsername, \r\n Process = ActingProcessName, \r\n Dvc = DvcHostname,\r\n SrcDvcIpAddr = SrcIpAddr,\r\n IpAddr = SrcIpAddr\r\n};\r\n Authentication_MD4IoT(\r\n starttime=starttime,\r\n endtime=endtime,\r\n username_has_any=username_has_any,\r\n targetappname_has_any=targetappname_has_any,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n srchostname_has_any=srchostname_has_any,\r\n eventtype_in=eventtype_in,\r\n eventresultdetails_in=eventresultdetails_in,\r\n eventresult=eventresult,\r\n disabled=disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM filtering parser for Microsoft Defender for IoT endpoint logs.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"3ca213f1-7c16-5b8c-bdb2-c8d24097d73b","name":"_Im_Authentication_MicrosoftWindowsEventV03","body":"let LogonEvents=dynamic([4624, 4625]);\r\nlet LogoffEvents=dynamic([4634, 4647]);\r\nlet LogonTypes=datatable(LogonType: int, EventSubType: string)\r\n[\r\n 2, 'Interactive',\r\n 3, 'Remote',\r\n 4, 'System',\r\n 5, 'Service',\r\n 7, 'Interactive',\r\n 8, 'NetworkCleartext',\r\n 9, 'AssumeRole',\r\n 10, 
'RemoteInteractive',\r\n 11, 'Interactive'\r\n];\r\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\r\nlet LogonStatus=datatable \r\n(\r\n EventStatus: string,\r\n EventOriginalResultDetails: string,\r\n EventResultDetails: string\r\n)\r\n[\r\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',\r\n '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',\r\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',\r\n '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',\r\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',\r\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled',\r\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',\r\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',\r\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account expired',\r\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',\r\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other',\r\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',\r\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',\r\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',\r\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',\r\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',\r\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other',\r\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',\r\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',\r\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',\r\n '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other',\r\n '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other',\r\n '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',\r\n '0xc0000017', 'STATUS_NO_MEMORY', 'Other',\r\n '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',\r\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',\r\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',\r\n '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect 
password',\r\n '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',\r\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',\r\n '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',\r\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',\r\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',\r\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',\r\n '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',\r\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',\r\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',\r\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',\r\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',\r\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',\r\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'\r\n];\r\nlet WinLogon=(\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false)\r\n{ \r\n WindowsEvent\r\n | where not(disabled)\r\n // ************************************************************************* \r\n // \r\n // *************************************************************************\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated \r\n // ************************************************************************* \r\n | where Provider == 'Microsoft-Windows-Security-Auditing'\r\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\r\n | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type\r\n | extend\r\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\r\n SrcIpAddr = 
tostring(EventData.IpAddress),\r\n TargetPortNumber = toint(EventData.IpPort),\r\n LogonGuid = tostring(EventData.LogonGuid),\r\n LogonType = toint(EventData.LogonType),\r\n ActingProcessCreationTime = EventData.ProcessCreationTime,\r\n ActingProcessId = tostring(toint(EventData.ProcessId)),\r\n ActingProcessName = tostring(EventData.ProcessName),\r\n Status = tostring(EventData.Status),\r\n ActorSessionId = tostring(EventData.SubjectLogonId),\r\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\", EventData.SubjectUserName))),\r\n ActorUserId = tostring(EventData.SubjectUserSid),\r\n SubStatus = tostring(EventData.SubStatus),\r\n TargetDomainName = tostring(EventData.TargetDomainName),\r\n TargetSessionId = tostring(EventData.TargetLogonId),\r\n TargetUserId = tostring(EventData.TargetUserSid),\r\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\", EventData.TargetUserName)))\r\n // mapping ASimMatchingUsername\r\n | extend\r\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n ,\r\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\r\n \"Both\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n temp_isMatchActorUsername,\r\n \"ActorUsername\",\r\n \"No match\"\r\n )\r\n | extend \r\n SrcHostname = tostring(iff(EventData.WorkstationName in ('-', ''), Computer, EventData.WorkstationName)),\r\n EventProduct = \"Security Events\"\r\n // Filtering on SrcHostname\r\n | where (array_length(srchostname_has_any) == 0 or SrcHostname has_any (srchostname_has_any))\r\n | extend EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\r\n // -- creating EventMessage matching EventMessage in 
SecurityEvent table\r\n | extend\r\n EventMessage = case\r\n (\r\n EventID == 4634,\r\n \"4634 - An account was logged off.\", \r\n EventID == 4625,\r\n \"4625 - An account failed to log on.\",\r\n EventID == 4624,\r\n \"4624 - An account was successfully logged on.\",\r\n \"4647 - User initiated logoff.\"\r\n ),\r\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\r\n // Filtering on 'eventresult' and 'username_has_any'\r\n | where (eventresult == \"*\" or (EventResult == eventresult))\r\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\r\n | project-rename \r\n TargetDvcHostname = Computer\r\n ,\r\n EventOriginalUid = EventOriginId\r\n ,\r\n EventOriginalType=EventID\r\n | extend\r\n EventCount=int(1)\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventSchemaVersion='0.1.3'\r\n ,\r\n ActorUserIdType='SID'\r\n ,\r\n TargetUserIdType='SID'\r\n ,\r\n EventVendor='Microsoft' \r\n ,\r\n EventStartTime =TimeGenerated\r\n ,\r\n EventEndTime=TimeGenerated\r\n ,\r\n EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon') \r\n ,\r\n ActorUsernameType= iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows') \r\n ,\r\n TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\r\n ,\r\n SrcDvcOs = 'Windows'\r\n ,\r\n EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\r\n // filtering on 'eventtype_in'\r\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\r\n | extend\r\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\r\n ,\r\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\r\n ,\r\n EventOriginalType = tostring(EventOriginalType)\r\n | lookup LogonStatus on EventStatus\r\n // filtering on 'eventresultdetails_in'\r\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\r\n | lookup LogonTypes on LogonType\r\n 
/// ** Aliases \r\n | extend\r\n User=TargetUsername,\r\n LogonTarget=TargetDvcHostname,\r\n Dvc=SrcHostname,\r\n DvcHostName=SrcHostname,\r\n IpAddr=SrcIpAddr\r\n | project-away\r\n EventData,\r\n LogonGuid,\r\n EventStatus,\r\n LogonType,\r\n Status,\r\n SubStatus,\r\n TargetDomainName,\r\n TargetDvcHostname\r\n};\r\nlet SecEventLogon =(starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false)\r\n{\r\n SecurityEvent\r\n | where not(disabled)\r\n // ************************************************************************* \r\n // \r\n // *************************************************************************\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated \r\n // ************************************************************************* \r\n | where EventID in (LogonEvents) or \r\n EventID in (LogoffEvents)\r\n | project\r\n SubjectLogonId,\r\n SubjectUserSid,\r\n Activity,\r\n EventID,\r\n EventOriginId,\r\n AuthenticationPackageName,\r\n WorkstationName,\r\n IpAddress,\r\n Computer,\r\n TargetLogonId,\r\n TargetUserSid,\r\n SubjectDomainName,\r\n SubjectUserName,\r\n SubjectAccount,\r\n TimeGenerated,\r\n SubStatus,\r\n TargetDomainName,\r\n TargetUserName,\r\n AccountType,\r\n TargetAccount,\r\n Status,\r\n LogonType,\r\n Type\r\n | project-rename \r\n EventMessage = Activity\r\n ,\r\n ActorSessionId=SubjectLogonId\r\n ,\r\n TargetSessionId=TargetLogonId\r\n ,\r\n ActorUserId=SubjectUserSid\r\n ,\r\n TargetUserId =TargetUserSid\r\n ,\r\n TargetDvcHostname = Computer\r\n ,\r\n EventOriginalUid = EventOriginId\r\n ,\r\n 
LogonProtocol=AuthenticationPackageName\r\n ,\r\n SrcIpAddr=IpAddress\r\n ,\r\n EventOriginalType=EventID\r\n | extend\r\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success')\r\n ,\r\n EventCount=int(1)\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventSchemaVersion='0.1.3'\r\n ,\r\n EventProduct = \"Security Events\"\r\n ,\r\n ActorUserIdType='SID'\r\n ,\r\n TargetUserIdType='SID'\r\n ,\r\n EventVendor='Microsoft' \r\n ,\r\n EventStartTime =TimeGenerated\r\n ,\r\n EventEndTime=TimeGenerated\r\n ,\r\n EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon')\r\n ,\r\n ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount)\r\n ,\r\n ActorUsernameType= iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows')\r\n ,\r\n TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\\\', TargetUserName), trim(@'\\\\', TargetAccount))\r\n ,\r\n TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\r\n ,\r\n SrcDvcOs = 'Windows'\r\n ,\r\n SrcHostname = iff (WorkstationName in ('-', ''), TargetDvcHostname, WorkstationName)\r\n ,\r\n EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\r\n // mapping ASimMatchingUsername\r\n | extend\r\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n ,\r\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\r\n \"Both\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n temp_isMatchActorUsername,\r\n \"ActorUsername\",\r\n \"No match\"\r\n )\r\n // filtering on 'eventtype_in', 'eventresult', 'TargetUsername' and 'ActorUsername'\r\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\r\n and (eventresult == \"*\" or (EventResult == eventresult))\r\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any 
(username_has_any)) or (ActorUsername has_any (username_has_any)))\r\n | project-away TargetUserName, AccountType\r\n | extend\r\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\r\n ,\r\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\r\n ,\r\n EventOriginalType = tostring(EventOriginalType)\r\n | lookup LogonStatus on EventStatus\r\n // filtering on 'eventresultdetails_in'\r\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\r\n | lookup LogonTypes on LogonType\r\n /// ** Aliases \r\n | extend\r\n User=TargetUsername,\r\n LogonTarget=TargetDvcHostname,\r\n Dvc=SrcHostname,\r\n DvcHostName = SrcHostname,\r\n IpAddr=SrcIpAddr\r\n | project-away\r\n EventStatus,\r\n LogonType,\r\n Status,\r\n SubStatus,\r\n SubjectAccount,\r\n SubjectDomainName,\r\n SubjectUserName,\r\n EventStatus,\r\n TargetAccount,\r\n TargetDomainName,\r\n TargetDvcHostname\r\n};\r\nunion isfuzzy=true SecEventLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\r\n , WinLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = 
dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM filtering parser for Windows Security Events.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"686d1b26-62f3-5e14-9f94-c36d07c303b5","name":"_Im_Authentication_NativeV01","body":"let parser=\r\n(\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n)\r\n{\r\n ASimAuthenticationEventLogs | where not(disabled)\r\n // -- Pre-parsing filtering:\r\n | where\r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated \r\n // *************************************************************************\r\n | extend \r\n outcome_result_s=column_ifexists('outcome_result_s', \"\"),\r\n eventType_s=column_ifexists('eventType_s', \"\"),\r\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\"),\r\n client_geographicalContext_geolocation_lat_d = column_ifexists('client_geographicalContext_geolocation_lat_d', \"\"),\r\n client_geographicalContext_geolocation_lon_d = column_ifexists('client_geographicalContext_geolocation_lon_d', \"\"),\r\n actor_alternateId_s = column_ifexists('actor_alternateId_s', \"\"),\r\n client_ipAddress_s = column_ifexists('client_ipAddress_s', \"\")\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated \r\n // ************************************************************************* \r\n | where eventType_s in (OktaSigninEvents)\r\n | extend \r\n EventProduct='Okta'\r\n ,\r\n EventVendor='Okta'\r\n ,\r\n EventSchema = 
'Authentication'\r\n ,\r\n EventCount=int(1)\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\r\n ,\r\n EventStartTime=TimeGenerated\r\n ,\r\n EventEndTime=TimeGenerated\r\n ,\r\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\r\n ,\r\n EventSubType=legacyEventType_s\r\n ,\r\n EventMessage=column_ifexists('displayMessage_s', \"\")\r\n ,\r\n EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\r\n ,\r\n EventOriginalUid = column_ifexists('uuid_g', \"\")\r\n ,\r\n TargetUserIdType='OktaId'\r\n ,\r\n TargetUsernameType='UPN'\r\n ,\r\n TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\r\n ,\r\n TargetUserId=column_ifexists('actor_id_s', \"\")\r\n ,\r\n TargetUsername=column_ifexists('actor_alternateId_s', \"\")\r\n ,\r\n TargetUserType=column_ifexists('actor_type_s', \"\")\r\n ,\r\n SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\r\n ,\r\n SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\r\n ,\r\n SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\r\n ,\r\n SrcIsp=column_ifexists('securityContext_isp_s', \"\")\r\n ,\r\n SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\r\n ,\r\n SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\r\n ,\r\n SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\r\n ,\r\n ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\r\n ,\r\n ActingAppType=\"Browser\"\r\n ,\r\n LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\r\n ,\r\n HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\r\n // Filtering on 'eventresult' and 'eventtype_in'\r\n | where (eventresult == \"*\" or (EventResult == eventresult))\r\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\r\n // mapping 
ASimMatchingUsername\r\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n // ActorUsername not coming from source. Hence, not mapped.\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n \"No match\"\r\n )\r\n // ** Aliases\r\n | extend \r\n User=TargetUsername\r\n ,\r\n Dvc=EventVendor\r\n ,\r\n IpAddr=SrcIpAddr\r\n | project-away *_s, *_d, *_b, *_g, *_t;\r\n let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL\r\n | extend\r\n EventOriginalType=column_ifexists('EventOriginalType', \"\") \r\n ,\r\n OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', \"\")\r\n ,\r\n ActorUsername=column_ifexists('ActorUsername', \"\")\r\n ,\r\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated \r\n // ************************************************************************* \r\n | where EventOriginalType in (OktaSigninEvents)\r\n | extend \r\n EventProduct='Okta'\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventVendor='Okta'\r\n ,\r\n EventCount=int(1)\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n EventStartTime=TimeGenerated\r\n ,\r\n EventEndTime=TimeGenerated\r\n ,\r\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \r\n ,\r\n TargetSessionId=column_ifexists('ActorSessionId', \"\")\r\n ,\r\n TargetUserId= column_ifexists('ActorUserId', \"\")\r\n ,\r\n TargetUsername=ActorUsername\r\n ,\r\n TargetUserType=column_ifexists('ActorUserType', \"\")\r\n ,\r\n TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\r\n ,\r\n TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\r\n //** extend non-normalized fields to be projected-away \r\n ,\r\n ActorDetailEntry\r\n ,\r\n ActorDisplayName\r\n ,\r\n AuthenticationContextAuthenticationProvider\r\n ,\r\n 
AuthenticationContextAuthenticationStep\r\n ,\r\n AuthenticationContextCredentialProvider\r\n ,\r\n AuthenticationContextInterface\r\n ,\r\n AuthenticationContextIssuerId\r\n ,\r\n AuthenticationContextIssuerType\r\n ,\r\n DebugData\r\n ,\r\n DvcAction\r\n ,\r\n OriginalActorAlternateId\r\n ,\r\n OriginalClientDevice\r\n ,\r\n OriginalOutcomeResult\r\n ,\r\n OriginalSeverity\r\n ,\r\n OriginalTarget\r\n ,\r\n OriginalUserId\r\n ,\r\n OriginalUserType\r\n ,\r\n Request\r\n ,\r\n SecurityContextAsNumber\r\n ,\r\n SecurityContextAsOrg\r\n ,\r\n SecurityContextDomain\r\n ,\r\n SecurityContextIsProxy\r\n ,\r\n TransactionDetail\r\n ,\r\n TransactionId\r\n ,\r\n TransactionType\r\n // Filtering on 'eventresult' and 'eventtype_in'\r\n | where (eventresult == \"*\" or (EventResult == eventresult))\r\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\r\n // mapping ASimMatchingUsername\r\n | extend\r\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n ,\r\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\r\n \"Both\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n temp_isMatchActorUsername,\r\n \"ActorUsername\",\r\n \"No match\"\r\n )\r\n // ** Aliases\r\n | extend \r\n User=TargetUsername\r\n ,\r\n Dvc=EventVendor\r\n ,\r\n IpAddr=SrcIpAddr\r\n | project-away\r\n ActorDetailEntry\r\n ,\r\n ActorDisplayName\r\n ,\r\n AuthenticationContextAuthenticationProvider\r\n ,\r\n AuthenticationContextAuthenticationStep\r\n ,\r\n AuthenticationContextCredentialProvider\r\n ,\r\n AuthenticationContextInterface\r\n ,\r\n AuthenticationContextIssuerId\r\n ,\r\n AuthenticationContextIssuerType\r\n ,\r\n DebugData\r\n ,\r\n DvcAction\r\n ,\r\n OriginalActorAlternateId\r\n ,\r\n OriginalClientDevice\r\n ,\r\n OriginalOutcomeResult\r\n ,\r\n 
OriginalSeverity\r\n ,\r\n OriginalTarget\r\n ,\r\n OriginalUserId\r\n ,\r\n OriginalUserType\r\n ,\r\n Request\r\n ,\r\n SecurityContextAsNumber\r\n ,\r\n SecurityContextAsOrg\r\n ,\r\n SecurityContextDomain\r\n ,\r\n SecurityContextIsProxy\r\n ,\r\n TransactionDetail\r\n ,\r\n TransactionId\r\n ,\r\n TransactionType;\r\n union isfuzzy=true OktaV1, OktaV2\r\n};\r\nOktaSignin (\r\n starttime=starttime,\r\n endtime=endtime,\r\n username_has_any=username_has_any,\r\n targetappname_has_any=targetappname_has_any,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n srchostname_has_any=srchostname_has_any,\r\n eventtype_in=eventtype_in,\r\n eventresultdetails_in=eventresultdetails_in,\r\n eventresult=eventresult,\r\n disabled=disabled\r\n)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM filtering parser for Okta.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"9e9fc152-813f-5ae6-86c6-a8ddc51f5641","name":"_Im_Authentication_OktaSSOV03","body":"let OktaSignin = (\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false) {\r\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\r\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\r\n 
let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\r\n let emptyOctV1Table = datatable(TimeGenerated: datetime)[];\r\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\r\n let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL \r\n | where not(disabled)\r\n // ************************************************************************* \r\n // \r\n // *************************************************************************\r\n | extend \r\n outcome_result_s=column_ifexists('outcome_result_s', \"\"),\r\n eventType_s=column_ifexists('eventType_s', \"\"),\r\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\"),\r\n client_geographicalContext_geolocation_lat_d = column_ifexists('client_geographicalContext_geolocation_lat_d', \"\"),\r\n client_geographicalContext_geolocation_lon_d = column_ifexists('client_geographicalContext_geolocation_lon_d', \"\"),\r\n actor_alternateId_s = column_ifexists('actor_alternateId_s', \"\"),\r\n client_ipAddress_s = column_ifexists('client_ipAddress_s', \"\")\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated \r\n // ************************************************************************* \r\n | where eventType_s in (OktaSigninEvents)\r\n | extend \r\n EventProduct='Okta'\r\n ,\r\n EventVendor='Okta'\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventCount=int(1)\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\r\n ,\r\n EventStartTime=TimeGenerated\r\n ,\r\n EventEndTime=TimeGenerated\r\n ,\r\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\r\n ,\r\n EventSubType=legacyEventType_s\r\n ,\r\n EventMessage=column_ifexists('displayMessage_s', \"\")\r\n ,\r\n EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\r\n ,\r\n EventOriginalUid = 
column_ifexists('uuid_g', \"\")\r\n ,\r\n TargetUserIdType='OktaId'\r\n ,\r\n TargetUsernameType='UPN'\r\n ,\r\n TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\r\n ,\r\n TargetUserId=column_ifexists('actor_id_s', \"\")\r\n ,\r\n TargetUsername=column_ifexists('actor_alternateId_s', \"\")\r\n ,\r\n TargetUserType=column_ifexists('actor_type_s', \"\")\r\n ,\r\n SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\r\n ,\r\n SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\r\n ,\r\n SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\r\n ,\r\n SrcIsp=column_ifexists('securityContext_isp_s', \"\")\r\n ,\r\n SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\r\n ,\r\n SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\r\n ,\r\n SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\r\n ,\r\n ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\r\n ,\r\n ActingAppType=\"Browser\"\r\n ,\r\n LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\r\n ,\r\n HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\r\n // Filtering on 'eventresult' and 'eventtype_in'\r\n | where (eventresult == \"*\" or (EventResult == eventresult))\r\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\r\n // mapping ASimMatchingUsername\r\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n // ActorUsername not coming from source. 
Hence, not mapped.\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n \"No match\"\r\n )\r\n // ** Aliases\r\n | extend \r\n User=TargetUsername\r\n ,\r\n Dvc=EventVendor\r\n ,\r\n IpAddr=SrcIpAddr\r\n | project-away *_s, *_d, *_b, *_g, *_t;\r\n OktaV1\r\n};\r\nOktaSignin (\r\n starttime=starttime,\r\n endtime=endtime,\r\n username_has_any=username_has_any,\r\n targetappname_has_any=targetappname_has_any,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n srchostname_has_any=srchostname_has_any,\r\n eventtype_in=eventtype_in,\r\n eventresultdetails_in=eventresultdetails_in,\r\n eventresult=eventresult,\r\n disabled=disabled\r\n)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM filtering parser for Okta.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"c861b54b-80b4-50b1-94c8-60249c6365d5","name":"_Im_Authentication_OktaSSOV04","body":"let parser=(\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n) {\r\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\r\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\r\n 
let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\r\n let OutcomeReasonLookup = datatable(outcome_reason_s: string, EventResultDetails: string)\r\n [\r\n \"LOCKED_OUT\", \"User locked\",\r\n \"INVALID_CREDENTIALS\", \"Incorrect password\",\r\n \"UNKNOWN_USER\", \"No such user\",\r\n \"VERIFICATION_ERROR\", \"Incorrect key\",\r\n \"SSO_AUTHENTICATION_FAILURE\", \"Logon violates policy\",\r\n \"PASSWORD_EXPIRED\", \"Password expired\",\r\n \"USER_ACCOUNT_EXPIRED\", \"Account expired\",\r\n \"DEL_AUTH_TIMEOUT\", \"Session expired\",\r\n \"PASSWORD_BASED_LOGIN_DISALLOWED\", \"Logon violates policy\"\r\n ];\r\n let SrcDeviceTypeLookup = datatable(client_device_s: string, SrcDeviceType: string)\r\n [\r\n \"Computer\", \"Computer\",\r\n \"Mobile\", \"Mobile Device\",\r\n \"Tablet\", \"Mobile Device\"\r\n ];\r\n let ActorUserTypeLookup = datatable(ActorOriginalUserType: string, ActorUserType: string)\r\n [\r\n \"User\", \"Regular\",\r\n \"SystemPrincipal\", \"System\"\r\n ];\r\n let emptyOktaTable = datatable(\r\n TimeGenerated: datetime,\r\n outcome_result_s: string,\r\n eventType_s: string,\r\n legacyEventType_s: string,\r\n client_geographicalContext_geolocation_lat_d: double,\r\n client_geographicalContext_geolocation_lon_d: double,\r\n displayMessage_s: string,\r\n outcome_reason_s: string,\r\n uuid_g: string,\r\n actor_id_s: string,\r\n actor_alternateId_s: string,\r\n authenticationContext_externalSessionId_s: string,\r\n actor_type_s: string,\r\n client_userAgent_os_s: string,\r\n securityContext_isp_s: string,\r\n client_geographicalContext_city_s: string,\r\n client_geographicalContext_country_s: string,\r\n client_ipAddress_s: string,\r\n client_userAgent_browser_s: string,\r\n authenticationContext_credentialType_s: string,\r\n client_userAgent_rawUserAgent_s: string,\r\n client_geographicalContext_state_s: string,\r\n client_device_s: string\r\n )[];\r\n let OktaTable = union isfuzzy=true emptyOktaTable, Okta_CL;\r\n OktaTable\r\n | 
where not(disabled)\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated \r\n // ************************************************************************* \r\n | where EventOriginalType in (OktaSigninEvents)\r\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\r\n | extend \r\n EventProduct='Okta'\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventVendor='Okta'\r\n ,\r\n EventCount=int(1)\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n EventStartTime=TimeGenerated\r\n ,\r\n EventEndTime=TimeGenerated\r\n ,\r\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \r\n ,\r\n TargetSessionId=column_ifexists('ActorSessionId', \"\")\r\n ,\r\n TargetUserId= column_ifexists('ActorUserId', \"\")\r\n ,\r\n TargetUsername=ActorUsername\r\n ,\r\n TargetUserType=column_ifexists('ActorUserType', \"\")\r\n ,\r\n TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\r\n ,\r\n TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\r\n //** extend non-normalized fields to be projected-away \r\n ,\r\n //\r\n ActorDetailEntry,\r\n ActorDisplayName\r\n ,\r\n AuthenticationContextAuthenticationProvider\r\n ,\r\n AuthenticationContextAuthenticationStep,\r\n AuthenticationContextCredentialProvider\r\n ,\r\n AuthenticationContextInterface\r\n ,\r\n AuthenticationContextIssuerId\r\n ,\r\n AuthenticationContextIssuerType\r\n ,\r\n DebugData,\r\n DvcAction\r\n ,\r\n OriginalActorAlternateId\r\n ,\r\n OriginalClientDevice\r\n ,\r\n OriginalOutcomeResult\r\n ,\r\n OriginalSeverity\r\n ,\r\n OriginalTarget,\r\n OriginalUserId\r\n ,\r\n OriginalUserType\r\n ,\r\n Request,\r\n SecurityContextAsNumber,\r\n SecurityContextAsOrg\r\n ,\r\n SecurityContextDomain\r\n ,\r\n SecurityContextIsProxy\r\n ,\r\n TransactionDetail,\r\n TransactionId\r\n ,\r\n TransactionType\r\n // Filtering on 
'eventresult' and 'eventtype_in'\r\n | where (eventresult == \"*\" or (EventResult == eventresult))\r\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\r\n // mapping ASimMatchingUsername\r\n | extend\r\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n ,\r\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\r\n \"Both\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n temp_isMatchActorUsername,\r\n \"ActorUsername\",\r\n \"No match\"\r\n )\r\n // ** Aliases\r\n | extend \r\n User=TargetUsername\r\n ,\r\n Dvc=EventVendor\r\n ,\r\n IpAddr=SrcIpAddr\r\n | project-away\r\n ActorDetailEntry,\r\n ActorDisplayName\r\n ,\r\n AuthenticationContextAuthenticationProvider\r\n ,\r\n AuthenticationContextAuthenticationStep,\r\n AuthenticationContextCredentialProvider\r\n ,\r\n AuthenticationContextInterface\r\n ,\r\n AuthenticationContextIssuerId\r\n ,\r\n AuthenticationContextIssuerType\r\n ,\r\n DebugData,\r\n DvcAction\r\n ,\r\n OriginalActorAlternateId\r\n ,\r\n OriginalClientDevice\r\n ,\r\n OriginalOutcomeResult\r\n ,\r\n OriginalSeverity\r\n ,\r\n OriginalTarget,\r\n OriginalUserId\r\n ,\r\n OriginalUserType\r\n ,\r\n Request,\r\n SecurityContextAsNumber,\r\n SecurityContextAsOrg\r\n ,\r\n SecurityContextDomain\r\n ,\r\n SecurityContextIsProxy\r\n ,\r\n TransactionDetail,\r\n TransactionId\r\n ,\r\n TransactionType;\r\n OktaV2\r\n};\r\nOktaSignin (\r\n starttime=starttime,\r\n endtime=endtime,\r\n username_has_any=username_has_any,\r\n targetappname_has_any=targetappname_has_any,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n srchostname_has_any=srchostname_has_any,\r\n eventtype_in=eventtype_in,\r\n eventresultdetails_in=eventresultdetails_in,\r\n eventresult=eventresult,\r\n 
disabled=disabled\r\n)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM filtering parser for Okta.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"52b80ba7-df6b-5a81-8c78-37b2df8656e4","name":"_Im_Authentication_OktaV2V04","body":"let parser=(\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n) {\r\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\r\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\r\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\r\n let SrcDeviceTypeLookup = datatable(OriginalClientDevice: string, SrcDeviceType: string)\r\n [\r\n \"Computer\", \"Computer\",\r\n \"Mobile\", \"Mobile Device\",\r\n \"Tablet\", \"Mobile Device\"\r\n ];\r\n let OutcomeReasonLookup = datatable(EventOriginalResultDetails: string, EventResultDetails: string)\r\n [\r\n \"LOCKED_OUT\", \"User locked\",\r\n \"INVALID_CREDENTIALS\", \"Incorrect password\",\r\n \"UNKNOWN_USER\", \"No such user\",\r\n \"VERIFICATION_ERROR\", \"Incorrect key\",\r\n \"SSO_AUTHENTICATION_FAILURE\", \"Logon violates policy\",\r\n \"PASSWORD_EXPIRED\", \"Password expired\",\r\n \"USER_ACCOUNT_EXPIRED\", \"Account expired\",\r\n 
\"DEL_AUTH_TIMEOUT\", \"Session expired\",\r\n \"PASSWORD_BASED_LOGIN_DISALLOWED\", \"Logon violates policy\"\r\n ];\r\n OktaV2_CL\r\n | where not(disabled)\r\n | where EventOriginalType in (OktaSigninEvents)\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated 1,\r\n \"FQDN\",\r\n array_length(split(DestinationUserName, \"\\\\\")) > 1,\r\n \"Windows\",\r\n \"\"\r\n ),\r\n TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\r\n | extend\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.3\",\r\n EventProduct = \"Cortex Data Lake\",\r\n EventVendor = \"Palo Alto\"\r\n | project-away\r\n Source*,\r\n Destination*,\r\n Device*,\r\n AdditionalExtensions,\r\n CommunicationDirection,\r\n EventOutcome,\r\n PanOS*,\r\n start,\r\n EndTime,\r\n FieldDevice*,\r\n Flex*,\r\n File*,\r\n Old*,\r\n MaliciousIP*,\r\n OriginalLogSeverity,\r\n Process*,\r\n Protocol,\r\n ReceivedBytes,\r\n SentBytes,\r\n Remote*,\r\n Request*,\r\n SimplifiedDeviceAction,\r\n StartTime,\r\n TenantId,\r\n Threat*,\r\n ExternalID,\r\n ReportReferenceLink,\r\n ReceiptTime,\r\n Reason,\r\n ApplicationProtocol,\r\n Indicator*,\r\n _ResourceId,\r\n temp_*\r\n};\r\nparser(\r\n starttime=starttime,\r\n endtime=endtime,\r\n username_has_any=username_has_any,\r\n targetappname_has_any=targetappname_has_any,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n srchostname_has_any=srchostname_has_any,\r\n eventtype_in=eventtype_in,\r\n eventresultdetails_in=eventresultdetails_in,\r\n eventresult=eventresult,\r\n disabled=disabled\r\n)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), 
eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM parser for Palo Alto Cortex Data Lake.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"7126b721-8c8f-5cc9-a4ae-1ffd4ff65c0d","name":"_Im_Authentication_PaloAltoCortexDataLakeV02","body":"let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\r\n[\r\n \"0\", \"Low\",\r\n \"1\", \"Low\",\r\n \"2\", \"Low\",\r\n \"3\", \"Low\",\r\n \"4\", \"Low\",\r\n \"5\", \"Low\",\r\n \"6\", \"Medium\",\r\n \"7\", \"Medium\",\r\n \"8\", \"Medium\",\r\n \"9\", \"High\",\r\n \"10\", \"High\"\r\n];\r\nlet LogonMethod = datatable(FieldDeviceCustomNumber1: long, LogonMethod: string)\r\n[\r\n 1, \"Username & Password\",\r\n 2, \"Multi factor authentication\",\r\n 3, \"Multi factor authentication\"\r\n];\r\nlet parser = (\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n) {\r\n CommonSecurityLog \r\n | where not(disabled)\r\n and DeviceVendor == \"Palo Alto Networks\"\r\n and DeviceProduct == \"LF\"\r\n and DeviceEventClassID == \"AUTH\"\r\n | where (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated 1, \"FQDN\",\r\n array_length(split(TargetUsername, \"\\\\\")) > 1, \"Windows\",\r\n \"\"\r\n )\r\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n | extend ASimMatchingUsername = case(\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername,\r\n 
\"TargetUsername\",\r\n \"No match\"\r\n )\r\n | extend\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.3\",\r\n EventProduct = \"Cortex Data Lake\",\r\n EventVendor = \"Palo Alto\",\r\n Type = \"CommonSecurityLog\",\r\n EventCount = int(1)\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n DvcDomain,\r\n DvcFQDN,\r\n DvcDomainType,\r\n SrcHostname,\r\n SrcDomain,\r\n SrcFQDN,\r\n SrcDomainType,\r\n EventSeverity,\r\n EventStartTime,\r\n SrcIpAddr,\r\n TargetIpAddr,\r\n EventMessage,\r\n LogonMethod,\r\n DvcIpAddr,\r\n DvcId,\r\n EventOriginalResultDetails,\r\n EventOriginalSeverity,\r\n EventOriginalType,\r\n EventOriginalUid,\r\n EventProductVersion,\r\n LogonProtocol,\r\n SrcDvcOs,\r\n TargetUsername,\r\n TargetUserId,\r\n TargetDomain,\r\n TargetDomainType,\r\n EventOriginalSubType,\r\n HttpUserAgent,\r\n TargetDvcScopeId,\r\n TargetSessionId,\r\n TargetDvcId,\r\n TargetDvcIdType,\r\n EventUid,\r\n Dvc,\r\n EventEndTime,\r\n EventResult,\r\n Dst,\r\n Src,\r\n TargetUserType,\r\n User,\r\n IpAddr,\r\n DvcIdType,\r\n TargetUserIdType,\r\n TargetUsernameType,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventType,\r\n EventProduct,\r\n EventVendor,\r\n Type,\r\n EventCount,\r\n ASimMatchingUsername\r\n};\r\nparser(\r\n starttime=starttime,\r\n endtime=endtime,\r\n username_has_any=username_has_any,\r\n targetappname_has_any=targetappname_has_any,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n srchostname_has_any=srchostname_has_any,\r\n eventtype_in=eventtype_in,\r\n eventresultdetails_in=eventresultdetails_in,\r\n eventresult=eventresult,\r\n disabled=disabled\r\n)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = 
'*', disabled:bool = false","description":"Authentication ASIM parser for Palo Alto Cortex Data Lake.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"ce767a8d-658c-573a-96f8-f7bb9ca56020","name":"_Im_Authentication_PaloAltoGlobalProtectV01","body":"let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\r\n[\r\n \"0\", \"Low\",\r\n \"1\", \"Low\",\r\n \"2\", \"Low\",\r\n \"3\", \"Low\",\r\n \"4\", \"Low\",\r\n \"5\", \"Low\",\r\n \"6\", \"Medium\",\r\n \"7\", \"Medium\",\r\n \"8\", \"Medium\",\r\n \"9\", \"High\",\r\n \"10\", \"High\",\r\n \"Informational\", \"Informational\"\r\n];\r\nlet parser = (\r\n starttime: datetime=datetime(null),\r\n endtime: datetime=datetime(null),\r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false,\r\n pack: bool=false\r\n) {\r\n CommonSecurityLog\r\n | where not(disabled)\r\n and DeviceVendor == \"Palo Alto Networks\"\r\n and DeviceProduct == \"PAN-OS\"\r\n and DeviceEventClassID == \"GLOBALPROTECT\"\r\n | where (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated 1, \"FQDN\",\r\n isnotempty(TargetDomain), \"Windows\",\r\n \"\"\r\n )\r\n | extend temp_isMatchTargetUsername = TargetUsername has_any(username_has_any)\r\n | extend ASimMatchingUsername = case(\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n \"No match\"\r\n )\r\n | extend\r\n EventSchema = \"Authentication\",\r\n EventSchemaVersion = \"0.1.4\",\r\n EventType = \"Logon\",\r\n EventProduct = \"PAN-OS\",\r\n EventVendor = \"Palo 
Alto\",\r\n EventCount = int(1),\r\n Type = \"CommonSecurityLog\"\r\n | project\r\n TimeGenerated,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventType,\r\n EventResult,\r\n EventResultDetails,\r\n EventSeverity,\r\n EventProduct,\r\n EventVendor,\r\n EventCount,\r\n EventStartTime,\r\n EventEndTime,\r\n EventMessage,\r\n EventOriginalResultDetails,\r\n EventOriginalSeverity,\r\n EventOriginalType,\r\n EventOriginalSubType,\r\n EventProductVersion,\r\n Dvc,\r\n DvcHostname,\r\n DvcDomain,\r\n DvcFQDN,\r\n DvcDomainType,\r\n DvcIpAddr,\r\n DvcId,\r\n DvcIdType,\r\n TargetUsername,\r\n TargetUsernameType,\r\n TargetUserId,\r\n TargetUserIdType,\r\n TargetUserType,\r\n TargetDomain,\r\n TargetDomainType,\r\n TargetHostname,\r\n TargetIpAddr,\r\n TargetSessionId,\r\n DvcAction,\r\n SrcIpAddr,\r\n SrcHostname,\r\n SrcDomain,\r\n SrcFQDN,\r\n SrcDomainType,\r\n SrcDvcOs,\r\n LogonProtocol,\r\n HttpUserAgent,\r\n Dst,\r\n Src,\r\n User,\r\n IpAddr,\r\n AdditionalFields,\r\n ASimMatchingUsername,\r\n Type\r\n};\r\nparser(\r\n starttime=starttime,\r\n endtime=endtime,\r\n username_has_any=username_has_any,\r\n targetappname_has_any=targetappname_has_any,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n srchostname_has_any=srchostname_has_any,\r\n eventtype_in=eventtype_in,\r\n eventresultdetails_in=eventresultdetails_in,\r\n eventresult=eventresult,\r\n disabled=disabled,\r\n pack=pack\r\n)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false, pack:bool = false","description":"Authentication ASIM filtering parser for Palo Alto 
PAN-OS.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"01d425b3-4ea5-58b6-ad05-dd382aa75727","name":"_Im_Authentication_PostgreSQLV01","body":"let PostgreSQLSignInAuthorized=(\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n ) {\r\n PostgreSQL_CL\r\n | where not(disabled)\r\n // ************************************************************************* \r\n // \r\n // *************************************************************************\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated \r\n // ************************************************************************* \r\n | where RawData has 'connection authorized'\r\n | extend\r\n EventVendor = 'PostgreSQL'\r\n ,\r\n EventProduct = 'PostgreSQL'\r\n ,\r\n EventCount = int(1)\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventSchemaVersion = '0.1.1'\r\n ,\r\n EventResult = 'Success'\r\n ,\r\n EventStartTime = TimeGenerated\r\n ,\r\n EventEndTime = TimeGenerated\r\n ,\r\n EventType = 'Logon'\r\n ,\r\n DvcHostname = Computer\r\n ,\r\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\r\n ,\r\n TargetUsernameType = 'Simple'\r\n ,\r\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData)\r\n ,\r\n EventOriginalRestultDetails = 'Connection authorized'\r\n // ********************** **********************************\r\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\r\n // ********************** *********************************\r\n // 
mapping ASimMatchingUsername\r\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n // ActorUsername not coming from source. Hence, not mapped.\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n \"No match\"\r\n )\r\n // ************************ \r\n // \r\n // ************************\r\n | extend\r\n User=TargetUsername\r\n ,\r\n Dvc=Computer\r\n // ************************ \r\n // \r\n // ************************\r\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\r\n };\r\n let PostgreSQLAuthFailure1=(\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n ) {\r\n PostgreSQL_CL\r\n | where not(disabled)\r\n // ************************************************************************* \r\n // \r\n // *************************************************************************\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated \r\n // *************************************************************************\r\n | where RawData has 'authentication failed'\r\n | extend \r\n EventVendor = 'PostgreSQL'\r\n ,\r\n EventProduct = 'PostgreSQL'\r\n ,\r\n EventCount = int(1)\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventSchemaVersion = '0.1.1'\r\n ,\r\n EventResult = 'Failure'\r\n ,\r\n EventStartTime = TimeGenerated\r\n ,\r\n EventEndTime = TimeGenerated\r\n ,\r\n EventType = 'Logon'\r\n ,\r\n DvcHostname = Computer\r\n ,\r\n DvcIpAddr = 
extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\r\n ,\r\n TargetUsernameType = 'Simple'\r\n ,\r\n TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData)\r\n ,\r\n EventResultDetails = 'No such user or password'\r\n ,\r\n EventOriginalRestultDetails = 'User authentication failed'\r\n // ********************** **********************************\r\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\r\n // ********************** *********************************\r\n // mapping ASimMatchingUsername\r\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n // ActorUsername not coming from source. Hence, not mapped.\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n \"No match\"\r\n )\r\n // ************************ \r\n // \r\n // ************************\r\n | extend\r\n User=TargetUsername\r\n ,\r\n Dvc=Computer\r\n // ************************ \r\n // \r\n // ************************\r\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\r\n };\r\n let PostgreSQLAuthFailure2=(\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n ) {\r\n PostgreSQL_CL\r\n | where not(disabled)\r\n // ************************************************************************* \r\n // \r\n // *************************************************************************\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated \r\n // 
*************************************************************************\r\n | where RawData has_all ('role', 'does', 'not', 'exist')\r\n | extend \r\n EventVendor = 'PostgreSQL'\r\n ,\r\n EventProduct = 'PostgreSQL'\r\n ,\r\n EventCount = int(1)\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventSchemaVersion = '0.1.1'\r\n ,\r\n EventResult = 'Failure'\r\n ,\r\n EventStartTime = TimeGenerated\r\n ,\r\n EventEndTime = TimeGenerated\r\n ,\r\n EventType = 'Logon'\r\n ,\r\n DvcHostname = Computer\r\n ,\r\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\r\n ,\r\n TargetUsernameType = 'Simple'\r\n ,\r\n TargetUsername = extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData)\r\n ,\r\n EventResultDetails = 'No such user or password'\r\n ,\r\n EventOriginalRestultDetails = 'Role does not exist'\r\n // ********************** **********************************\r\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\r\n // ********************** *********************************\r\n // mapping ASimMatchingUsername\r\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n // ActorUsername not coming from source. 
Hence, not mapped.\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n \"No match\"\r\n )\r\n // ************************ \r\n // \r\n // ************************\r\n | extend\r\n User=TargetUsername\r\n ,\r\n Dvc=Computer\r\n // ************************ \r\n // \r\n // ************************\r\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\r\n };\r\n let PostgreSQLAuthFailure3=(\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n ) {\r\n PostgreSQL_CL\r\n | where not(disabled)\r\n // ************************************************************************* \r\n // \r\n // *************************************************************************\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated \r\n // *************************************************************************\r\n | where RawData has_all ('no', 'entry', 'user')\r\n | extend \r\n EventVendor = 'PostgreSQL'\r\n ,\r\n EventProduct = 'PostgreSQL'\r\n ,\r\n EventCount = int(1)\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventSchemaVersion = '0.1.1'\r\n ,\r\n EventResult = 'Failure'\r\n ,\r\n EventStartTime = TimeGenerated\r\n ,\r\n EventEndTime = TimeGenerated\r\n ,\r\n EventType = 'Logon'\r\n ,\r\n DvcHostname = Computer\r\n ,\r\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\r\n ,\r\n TargetUsernameType = 'Simple'\r\n ,\r\n TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData)\r\n ,\r\n 
SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData)\r\n ,\r\n EventResultDetails = 'No such user or password'\r\n ,\r\n EventOriginalRestultDetails = 'No entry for user'\r\n // ********************** **********************************\r\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\r\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\r\n // ********************** *********************************\r\n // mapping ASimMatchingUsername\r\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n // ActorUsername not coming from source. Hence, not mapped.\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n \"No match\"\r\n )\r\n // ************************ \r\n // \r\n // ************************\r\n | extend\r\n User=TargetUsername\r\n ,\r\n Dvc=Computer\r\n // ************************ \r\n // \r\n // ************************\r\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\r\n };\r\n let PostgreSQLDisconnect=(\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n ) {\r\n PostgreSQL_CL\r\n | where not(disabled)\r\n // ************************************************************************* \r\n // \r\n // *************************************************************************\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated \r\n // 
*************************************************************************\r\n | where RawData has 'disconnection'\r\n | extend \r\n EventVendor = 'PostgreSQL'\r\n ,\r\n EventProduct = 'PostgreSQL'\r\n ,\r\n EventCount = int(1)\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventSchemaVersion = '0.1.1'\r\n ,\r\n EventResult = 'Success'\r\n ,\r\n EventStartTime = TimeGenerated\r\n ,\r\n EventEndTime = TimeGenerated\r\n ,\r\n EventType = 'Logoff'\r\n ,\r\n DvcHostname = Computer\r\n ,\r\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\r\n ,\r\n TargetUsernameType = 'Simple'\r\n ,\r\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData)\r\n ,\r\n SrcIpAddr = extract(@'host=([\\d.]+)', 1, RawData)\r\n ,\r\n EventResultDetails = 'Session expired'\r\n ,\r\n EventOriginalRestultDetails = 'User session closed'\r\n // ********************** **********************************\r\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\r\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\r\n // ********************** *********************************\r\n // mapping ASimMatchingUsername\r\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n // ActorUsername not coming from source. 
Hence, not mapped.\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n \"No match\"\r\n )\r\n // ************************ \r\n // \r\n // ************************\r\n | extend\r\n User=TargetUsername\r\n ,\r\n Dvc=Computer\r\n // ************************ \r\n // \r\n // ************************\r\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\r\n };\r\n union isfuzzy=false PostgreSQLSignInAuthorized(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\r\n , PostgreSQLAuthFailure1(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\r\n , PostgreSQLAuthFailure2(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\r\n , PostgreSQLAuthFailure3(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\r\n , PostgreSQLDisconnect(starttime=starttime, 
endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM filtering parser for PostgreSQL.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"51a34575-887b-514c-9d0a-84db2c759525","name":"_Im_Authentication_SalesforceSCV01","body":"let parser = (\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n )\r\n{\r\n let SalesforceSchema = datatable\r\n(\r\n api_version_s: string,\r\n browser_type_s: string,\r\n cipher_suite_s: string,\r\n client_ip_s: string,\r\n delegated_user_id_s: string,\r\n delegated_user_name_s: string,\r\n event_type_s: string,\r\n login_key_s: string,\r\n login_status_s: string,\r\n login_type_s: string,\r\n login_sub_type_s: string,\r\n organization_id_s: string,\r\n platform_type_s: string,\r\n request_id_s: string,\r\n request_status_s: string,\r\n session_key_s: string,\r\n source_ip_s: string,\r\n timestamp_s: string,\r\n tls_protocol_s: 
string,\r\n uri_s: string,\r\n user_id_s: string,\r\n user_name_s: string,\r\n user_type_s: string,\r\n wave_session_id_g: string\r\n)[];\r\n let EventResultLookup = datatable\r\n(\r\n login_status_s: string,\r\n DvcAction: string,\r\n EventResultDetails: string,\r\n EventResult: string,\r\n EventSeverity: string\r\n)\r\n[\r\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\r\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n 
\"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\r\n 
\"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\r\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_SITE_URL\", 
\"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\r\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\r\n];\r\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\r\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)\r\n[\r\n \"Login\", \"Logon\",\r\n \"LoginAs\", \"Logon\",\r\n \"Logout\", \"Logoff\"\r\n];\r\n let DvcOsLookup = datatable\r\n(\r\n platform_type_s: string,\r\n DvcOs: string,\r\n DvcOsVersion: string\r\n)\r\n[\r\n \"1000\", \"Windows\", \"\",\r\n \"1008\", \"Windows\", \"2003\",\r\n \"1013\", \"Windows\", \"8.1\",\r\n \"1015\", \"Windows\", \"10\",\r\n \"2003\", \"Macintosh/Apple\", \"OSX\",\r\n \"4000\", \"Linux\", \"\",\r\n \"5005\", \"Android\", \"\",\r\n \"5006\", \"iPhone\", \"\",\r\n \"5007\", \"iPad\", \"\",\r\n \"5200\", \"Android\", \"10.0\"\r\n];\r\n let LogonMethodLookup = datatable\r\n(\r\n LoginType_s: string,\r\n LogonMethodOriginal: 
string,\r\n LogonMethod: string\r\n)\r\n[\r\n \"7\", \"AppExchange\", \"Other\",\r\n \"A\", \"Application\", \"Other\",\r\n \"s\", \"Certificate-based login\", \"PKI\",\r\n \"k\", \"Chatter Communities External User\", \"Other\",\r\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\r\n \"r\", \"Employee Login to Community\", \"Other\",\r\n \"z\", \"Lightning Login\", \"Username & Password\",\r\n \"l\", \"Networks Portal API Only\", \"Other\",\r\n \"6\", \"Remote Access Client\", \"Other\",\r\n \"i\", \"Remote Access 2.0\", \"Other\",\r\n \"I\", \"Other Apex API\", \"Other\",\r\n \"R\", \"Partner Product\", \"Other\",\r\n \"w\", \"Passwordless Login\", \"Passwordless\",\r\n \"3\", \"Customer Service Portal\", \"Other\",\r\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\r\n \"9\", \"Partner Portal\", \"Other\",\r\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\r\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\r\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\r\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\r\n \"h\", \"SAML Site SSO\", \"Other\",\r\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\r\n \"E\", \"SelfService\", \"Other\",\r\n \"j\", \"Third Party SSO\", \"Other\"\r\n];\r\n let LogonProtocolLookup = datatable\r\n(\r\n LoginSubType_s: string,\r\n LogonProtocolOriginal: string,\r\n LogonProtocol: string\r\n)\r\n[\r\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\r\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\r\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\r\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\r\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\r\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\r\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\r\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\r\n];\r\n let TempEventResultLookup = datatable(request_status_s: 
string, TempEventResult: string)\r\n[\r\n \"S\", \"Success\",\r\n \"F\", \"Failure\",\r\n \"A\", \"Failure\",\r\n \"R\", \"Success\",\r\n \"N\", \"Failure\",\r\n \"U\", \"NA\"\r\n];\r\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)\r\n[\r\n \"CsnOnly\", \"Other\",\r\n \"CspLitePortal\", \"Other\",\r\n \"CustomerSuccess\", \"Other\",\r\n \"Guest\", \"Anonymous\",\r\n \"PowerCustomerSuccess\", \"Other\",\r\n \"PowerPartner\", \"Other\",\r\n \"SelfService\", \"Other\",\r\n \"Standard\", \"Regular\",\r\n \"A\", \"Application\",\r\n \"b\", \"Other\",\r\n \"C\", \"Other\",\r\n \"D\", \"Other\",\r\n \"F\", \"Other\",\r\n \"G\", \"Anonymous\",\r\n \"L\", \"Other\",\r\n \"N\", \"Service\",\r\n \"n\", \"Other\",\r\n \"O\", \"Other\",\r\n \"o\", \"Other\",\r\n \"P\", \"Other\",\r\n \"p\", \"Other\",\r\n \"S\", \"Regular\",\r\n \"X\", \"Admin\"\r\n];\r\n union isfuzzy=true\r\n SalesforceSchema,\r\n SalesforceServiceCloud_CL \r\n | where not(disabled)\r\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))\r\n // -- Pre filtering\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated \r\n // *************************************************************************\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated \r\n // ************************************************************************* \r\n | extend\r\n EventVendor = 'Microsoft'\r\n ,\r\n EventProduct = 'Entra ID'\r\n ,\r\n EventCount=int(1)\r\n ,\r\n EventSchemaVersion='0.1.0'\r\n ,\r\n EventResult = iff (ResultType == 0, 'Success', 'Failure')\r\n ,\r\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\r\n ,\r\n EventStartTime = TimeGenerated\r\n ,\r\n EventEndTime= TimeGenerated\r\n ,\r\n EventType= 'Logon'\r\n ,\r\n SrcDvcId=tostring(DeviceDetail.deviceId)\r\n ,\r\n 
SrcDvcHostname = tostring(DeviceDetail.displayName) // Backword Compatibility. Will be removed by July 2024\r\n ,\r\n SrcHostname = tostring(DeviceDetail.displayName)\r\n ,\r\n SrcDvcOs=tostring(DeviceDetail.operatingSystem)\r\n // , SrcBrowser= tostring(DeviceDetail.browser)\r\n ,\r\n Location = todynamic(LocationDetails)\r\n ,\r\n TargetUsernameType='Upn'\r\n ,\r\n TargetUserIdType='EntraID'\r\n ,\r\n SrcIpAddr = IPAddress\r\n // Filtering on 'eventresult'\r\n | where (eventresult == \"*\" or (EventResult == eventresult))\r\n | extend\r\n SrcGeoCity=tostring(Location.city)\r\n ,\r\n SrcGeoCountry=tostring(Location.countryOrRegion)\r\n ,\r\n SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\r\n ,\r\n SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\r\n | lookup FailedReason on ResultType\r\n // filtering on 'eventresultdetails_in'\r\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\r\n | project-rename\r\n EventOriginalUid =Id\r\n ,\r\n LogonMethod = AuthenticationRequirement\r\n ,\r\n HttpUserAgent=UserAgent\r\n ,\r\n TargetSessionId=CorrelationId\r\n ,\r\n TargetUserId = UserId\r\n ,\r\n TargetUsername=UserPrincipalName\r\n ,\r\n TargetAppId = ResourceIdentity\r\n ,\r\n TargetAppName=ResourceDisplayName\r\n // mapping ASimMatchingUsername\r\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n // ActorUsername not coming from source. 
Hence, not mapped.\r\n | extend ASimMatchingUsername = case(\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n \"No match\"\r\n )\r\n | lookup UserTypeLookup on UserType\r\n | project-away UserType\r\n // ** Aliases\r\n | extend \r\n User=TargetUsername\r\n ,\r\n LogonTarget=TargetAppName\r\n ,\r\n Dvc=EventVendor\r\n // -- Entity identifier explicit aliases\r\n ,\r\n TargetUserUpn = TargetUsername\r\n ,\r\n TargetUserAadId = TargetUserId \r\n};\r\nAADSigninLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM filtering parser for Microsoft Entra ID interactive sign-in logs.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"296533c8-1431-52d4-b4d3-440bd01bd983","name":"_Im_Authentication_SigninLogsV04","body":"let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\r\n '0', 'Success',\r\n '50005', 'Logon violates policy',\r\n '50011', 'Logon violates policy', \r\n '50020', 'Logon violates policy',\r\n '50034', 'No such user or password',\r\n '50053', 'User locked',\r\n '50055', 'Password expired',\r\n '50056', 'Incorrect password',\r\n '50057', 'User disabled',\r\n '50058', 'Logon violates policy',\r\n '50059', 'No such 
user or password',\r\n '50064', 'No such user or password',\r\n '50072', 'Logon violates policy',\r\n '50074', 'Logon violates policy', \r\n '50076', 'Logon violates policy',\r\n '50079', 'Logon violates policy',\r\n '50105', 'Logon violates policy',\r\n '50126', 'No such user or password',\r\n '50132', 'Password expired',\r\n '50133', 'Password expired',\r\n '50144', 'Password expired',\r\n '50173', 'Password expired',\r\n '51004', 'No such user or password',\r\n '53003', 'Logon violates policy',\r\n '70008', 'Password expired',\r\n '80012', 'Logon violates policy',\r\n '500011', 'No such user or password',\r\n '700016', 'No such user or password', \r\n ];\r\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\r\n 'Guest','Guest', \r\n 'Member', 'Regular',\r\n '',''\r\n];\r\nlet ActingAppType = datatable (ActingOriginalAppType: string, ActingAppType: string) [\r\n 'Mobile Apps and Desktop clients', 'Process',\r\n 'Browser', 'Service',\r\n 'Authenticated STMP', 'CSP',\r\n 'Exchange Active Sync', 'CSP',\r\n 'Other', 'Other',\r\n 'Unknown', 'Other'\r\n];\r\nlet LogonMethodLookup = datatable(OriginalLogonMethod: string, LogonMethod: string)\r\n[\r\n \"singleFactorAuthentication\", \"Username & Password\",\r\n \"multiFactorAuthentication\", \"Multi factor authentication\"\r\n];\r\nlet parser=(\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic,\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n) {\r\n SigninLogs\r\n | where not(disabled)\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated from port ssh2\"\r\n SyslogProjects\r\n | 
where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\r\n | invoke prefilter()\r\n | parse SyslogMessage with \"Accepted \" * \" for \" TargetUsername: string \" from \" SrcIpAddr: string \" port\" SrcPortNumber: int *\r\n | extend\r\n EventResult = 'Success'\r\n ,\r\n EventSeverity = 'Informational'\r\n ,\r\n EventType = 'Logon'\r\n ,\r\n EventCount = int(1)\r\n | project-away SyslogMessage, ProcessName\r\n};\r\n //\r\n // -- Failed login - incorrect password\r\n let SSHDFailed=(disabled: bool=false)\r\n{\r\n // -- Parse events with the format Failed (password|none|publickey) for from port ssh2[: RSA :]\"\r\n // -- Or a number of such events message repeated times: [ ]\r\n SyslogProjects\r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and (\r\n SyslogMessage startswith 'Failed' \r\n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\r\n )\r\n | invoke prefilter()\r\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername: string \" from \" SrcIpAddr: string \" port\" SrcPortNumber: int *\r\n | parse SyslogMessage with \"message repeated\" EventCount: int \" times:\" * \r\n | extend\r\n EventResult = 'Failure'\r\n ,\r\n EventSeverity = 'Low' \r\n ,\r\n EventType = 'Logon'\r\n ,\r\n LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\r\n ,\r\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password')\r\n ,\r\n EventCount = toint(coalesce(EventCount, 1))\r\n | project-away SyslogMessage, ProcessName\r\n};\r\n //\r\n // -- Logoff - Timeout\r\n let SSHDTimeout=(disabled: bool=false)\r\n{\r\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\r\n SyslogProjects\r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\r\n | invoke prefilter()\r\n | parse-where SyslogMessage with * \"user \" 
TargetUsername: string \" \" SrcIpAddr: string \" port \" SrcPortNumber: int\r\n | extend\r\n EventSeverity = 'Informational'\r\n ,\r\n EventType = 'Logoff'\r\n ,\r\n EventResult = 'Success'\r\n ,\r\n EventCount = int(1)\r\n | project-away SyslogMessage, ProcessName\r\n};\r\n //\r\n // -- Failed login - invalid user\r\n let SSHDInvalidUser=(disabled: bool=false)\r\n{\r\n // -- Parse events with the format \"Invalid user [] from port \"\r\n SyslogProjects\r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\r\n | invoke prefilter()\r\n | parse SyslogMessage with \"Invalid user \" TargetUsername: string \" from \" SrcIpAddr: string \" port \" SrcPortNumber: int\r\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser: string \" port \" SrcPortNumberNoUser: int\r\n | extend\r\n EventResult = 'Failure'\r\n ,\r\n EventSeverity = 'Low'\r\n ,\r\n EventType = 'Logon'\r\n ,\r\n EventResultDetails = 'No such user'\r\n ,\r\n EventCount = int(1)\r\n ,\r\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser)\r\n ,\r\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\r\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\r\n};\r\n //\r\n // -- Blocked intrusion attempts\r\n let SSHDABreakInAttemptMappingFailed=(disabled: bool=false)\r\n{\r\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\r\n SyslogProjects\r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\r\n | invoke prefilter()\r\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\r\n | invoke _ASIM_ResolveSrcFQDN ('Src')\r\n | extend\r\n EventResult = 'Failure'\r\n ,\r\n EventType = 'Logon'\r\n ,\r\n DvcAction = 'Block'\r\n ,\r\n TargetUsername = ''\r\n ,\r\n EventSeverity = 'Medium'\r\n ,\r\n EventCount = int(1)\r\n ,\r\n EventResultDetails = 'Logon 
violates policy'\r\n ,\r\n RuleName = \"Reverse mapping failed\"\r\n | extend\r\n Rule = RuleName\r\n | project-away SyslogMessage, ProcessName, Src\r\n};\r\n let SSHDABreakInAttemptMappingMismatch=(disabled: bool=false)\r\n{\r\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\r\n SyslogProjects\r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\r\n | invoke prefilter()\r\n | parse SyslogMessage with \"Address \" SrcIpAddr: string \" maps to \" Src: string \", but this\" *\r\n | invoke _ASIM_ResolveSrcFQDN ('Src')\r\n | extend\r\n EventResult = 'Failure'\r\n ,\r\n EventType = 'Logon'\r\n ,\r\n DvcAction = 'Block'\r\n ,\r\n TargetUsername = ''\r\n ,\r\n EventSeverity = 'Medium'\r\n ,\r\n EventCount = int(1)\r\n ,\r\n EventResultDetails = 'Logon violates policy'\r\n ,\r\n RuleName = \"Address to host to address mapping does not map back to address\"\r\n | extend\r\n Rule = RuleName\r\n | project-away SyslogMessage, ProcessName, Src\r\n};\r\n let SSHDABreakInAttemptNastyPtr=(disabled: bool=false)\r\n{\r\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\r\n SyslogProjects\r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\r\n | invoke prefilter()\r\n | parse SyslogMessage with * \"set up for \" SrcIpAddr: string \", ignoring\"\r\n | extend\r\n EventResult = 'Failure'\r\n ,\r\n EventType = 'Logon'\r\n ,\r\n DvcAction = 'Block'\r\n ,\r\n TargetUsername = ''\r\n ,\r\n EventSeverity = 'Medium'\r\n ,\r\n EventCount = int(1)\r\n ,\r\n EventResultDetails = 'Logon violates policy'\r\n ,\r\n RuleName = \"Nasty PTR record set for IP Address\"\r\n | extend\r\n Rule = RuleName\r\n | project-away SyslogMessage, ProcessName\r\n};\r\n union isfuzzy=false \r\n SSHDAccepted 
(disabled=disabled)\r\n ,\r\n SSHDFailed (disabled=disabled)\r\n ,\r\n SSHDInvalidUser (disabled=disabled)\r\n ,\r\n SSHDTimeout (disabled=disabled)\r\n ,\r\n SSHDABreakInAttemptMappingFailed (disabled=disabled)\r\n ,\r\n SSHDABreakInAttemptMappingMismatch (disabled=disabled)\r\n ,\r\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\r\n // Post-filtering\r\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\r\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\r\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\r\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\r\n and (eventresult == \"*\" or (EventResult == eventresult))\r\n // mapping ASimMatchingUsername\r\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n // ActorUsername not coming from source. Hence, not mapped.\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n \"No match\"\r\n )\r\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\r\n | extend \r\n EventVendor = 'OpenBSD'\r\n ,\r\n EventProduct = 'OpenSSH'\r\n ,\r\n DvcOs = 'Linux'\r\n ,\r\n TargetDvcOs = 'Linux'\r\n ,\r\n LogonProtocol = 'ssh'\r\n ,\r\n TargetAppName = 'sshd'\r\n ,\r\n TargetAppType = 'Service'\r\n ,\r\n EventSubType = 'Remote'\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventSchemaVersion = '0.1.2'\r\n ,\r\n EventStartTime = TimeGenerated\r\n ,\r\n EventEndTime = TimeGenerated\r\n ,\r\n TargetUsernameType = 'Simple'\r\n ,\r\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\r\n ,\r\n TargetAppId = tostring(ProcessID)\r\n | project-away Computer, ProcessID, temp*\r\n | project-rename \r\n EventUid = _ItemId\r\n ,\r\n DvcScopeId = _SubscriptionId\r\n ,\r\n DvcId = _ResourceId\r\n ,\r\n DvcIpAddr = 
HostIP\r\n //\r\n // -- Aliases\r\n | extend\r\n User = TargetUsername\r\n ,\r\n Dvc = DvcHostname\r\n ,\r\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\r\n ,\r\n TargetDomain = DvcDomain\r\n ,\r\n TargetFQDN = DvcFQDN\r\n ,\r\n TargetDomainType = DvcDomainType\r\n ,\r\n TargetHostname = DvcHostname\r\n ,\r\n TargetDvcId = DvcId\r\n ,\r\n TargetDvcScopeId = DvcScopeId\r\n ,\r\n TargetDvcIdType = DvcIdType\r\n ,\r\n IpAddr = SrcIpAddr\r\n ,\r\n TargetIpAddr = DvcIpAddr\r\n ,\r\n Application = TargetAppName\r\n};\r\n parser\r\n (\r\n starttime=starttime,\r\n endtime=endtime,\r\n username_has_any=username_has_any,\r\n targetappname_has_any=targetappname_has_any,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n srchostname_has_any=srchostname_has_any,\r\n eventtype_in=eventtype_in,\r\n eventresultdetails_in=eventresultdetails_in,\r\n eventresult=eventresult,\r\n disabled=disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM filtering parser for OpenSSH sshd.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"7e67c8a0-0ef5-533e-8559-9e359be23a78","name":"_Im_Authentication_SshdV03","body":"let parser = (\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n 
disabled: bool=false\r\n )\r\n{\r\nlet LogonMethodLookup = datatable(Method: string, LogonMethod: string)\r\n[\r\n 'password', 'Username & password',\r\n 'publickey', 'PKI',\r\n 'keyboard-interactive/pam', 'PAM'\r\n];\r\nlet prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime))\r\n{\r\n T\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated from port ssh2\"\r\n SyslogProjects\r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\r\n | invoke prefilter()\r\n | parse SyslogMessage with \"Accepted \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\r\n | extend\r\n EventCount = int(1),\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n EventType = 'Logon'\r\n | lookup LogonMethodLookup on Method\r\n | extend LogonMethod = case(\r\n isnotempty(LogonMethod), LogonMethod,\r\n SyslogMessage has \"key RSA\", \"PKI\",\r\n \"Other\")\r\n | project-away SyslogMessage, ProcessName, Method\r\n };\r\n //\r\n // -- Failed login - incorrect password\r\n let SSHDFailed=(disabled: bool=false)\r\n {\r\n // -- Parse events with the format Failed (password|none|publickey|etc.) 
for from port ssh2[: RSA :]\"\r\n // -- Or a number of such events message repeated times: [ ]\r\n SyslogProjects\r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and (\r\n SyslogMessage startswith 'Failed' \r\n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\r\n )\r\n | invoke prefilter()\r\n | parse SyslogMessage with * \"Failed \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\r\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \r\n | extend\r\n EventCount = toint(coalesce(EventCount,1)),\r\n EventResult = 'Failure',\r\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'),\r\n EventSeverity = 'Low' ,\r\n EventType = 'Logon'\r\n | lookup LogonMethodLookup on Method\r\n | extend LogonMethod = coalesce(LogonMethod, \"Other\")\r\n | project-away SyslogMessage, ProcessName, Method\r\n };\r\n //\r\n // -- Logoff - Timeout\r\n let SSHDTimeout=(disabled: bool=false)\r\n {\r\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\r\n SyslogProjects\r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\r\n | invoke prefilter()\r\n | parse-where SyslogMessage with * \"user \" TargetUsername: string \" \" SrcIpAddr: string \" port \" SrcPortNumber: int\r\n | extend\r\n EventCount = int(1),\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n EventType = 'Logoff'\r\n | project-away SyslogMessage, ProcessName\r\n };\r\n //\r\n // -- Failed login - invalid user\r\n let SSHDInvalidUser=(disabled: bool=false)\r\n {\r\n // -- Parse events with the format \"Invalid user [] from port \"\r\n SyslogProjects\r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\r\n | invoke prefilter()\r\n | parse SyslogMessage with \"Invalid user \" 
TargetUsername:string \" from \" SrcIpAddrAndPort:string // SrcIpAddrAndPort can either be \"0.0.0.0 port 0\" or just \"0.0.0.0\"\r\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\r\n | extend SrcInfo = split(SrcIpAddrAndPort, \" \")\r\n | extend SrcIpAddr = tostring(SrcInfo[0]), SrcPortNumber = toint(SrcInfo[2]) // Ignore [1] (\"port\"). [2] will be null if there is no port.\r\n | extend\r\n EventCount = int(1),\r\n EventResult = 'Failure',\r\n EventResultDetails = 'No such user',\r\n EventSeverity = 'Low',\r\n EventType = 'Logon',\r\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser),\r\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\r\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser, SrcIpAddrAndPort, SrcInfo\r\n };\r\n //\r\n // -- Blocked intrusion attempts\r\n let SSHDABreakInAttemptMappingFailed=(disabled: bool=false)\r\n {\r\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\r\n SyslogProjects\r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\r\n | invoke prefilter()\r\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\r\n | invoke _ASIM_ResolveSrcFQDN ('Src')\r\n | extend\r\n DvcAction = 'Block',\r\n EventCount = int(1),\r\n EventResult = 'Failure',\r\n EventResultDetails = 'Logon violates policy',\r\n EventSeverity = 'Medium',\r\n EventType = 'Logon',\r\n RuleName = \"Reverse mapping failed\", \r\n TargetUsername = ''\r\n | extend\r\n Rule = RuleName\r\n | project-away SyslogMessage, ProcessName, Src\r\n };\r\n let SSHDABreakInAttemptMappingMismatch=(disabled: bool=false)\r\n {\r\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\r\n 
SyslogProjects\r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\r\n | invoke prefilter()\r\n | parse SyslogMessage with \"Address \" SrcIpAddr: string \" maps to \" Src: string \", but this\" *\r\n | invoke _ASIM_ResolveSrcFQDN ('Src')\r\n | extend\r\n DvcAction = 'Block',\r\n EventCount = int(1),\r\n EventResult = 'Failure',\r\n EventResultDetails = 'Logon violates policy',\r\n EventSeverity = 'Medium',\r\n EventType = 'Logon',\r\n RuleName = \"Address to host to address mapping does not map back to address\",\r\n TargetUsername = ''\r\n | extend\r\n Rule = RuleName\r\n | project-away SyslogMessage, ProcessName, Src\r\n };\r\n let SSHDABreakInAttemptNastyPtr=(disabled: bool=false)\r\n {\r\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\r\n SyslogProjects\r\n | where not(disabled)\r\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\r\n | invoke prefilter()\r\n | parse SyslogMessage with * \"set up for \" SrcIpAddr: string \", ignoring\"\r\n | extend\r\n DvcAction = 'Block',\r\n EventCount = int(1),\r\n EventResult = 'Failure',\r\n EventResultDetails = 'Logon violates policy',\r\n EventSeverity = 'Medium',\r\n EventType = 'Logon',\r\n RuleName = \"Nasty PTR record set for IP Address\",\r\n TargetUsername = ''\r\n | extend\r\n Rule = RuleName\r\n | project-away SyslogMessage, ProcessName\r\n };\r\n union isfuzzy=false \r\n SSHDAccepted (disabled=disabled),\r\n SSHDFailed (disabled=disabled),\r\n SSHDInvalidUser (disabled=disabled),\r\n SSHDTimeout (disabled=disabled),\r\n SSHDABreakInAttemptMappingFailed (disabled=disabled),\r\n SSHDABreakInAttemptMappingMismatch (disabled=disabled),\r\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\r\n // Post-filtering\r\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\r\n and ((array_length(srcipaddr_has_any_prefix) == 0) or 
(has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\r\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\r\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\r\n and (eventresult == \"*\" or (EventResult == eventresult))\r\n // mapping ASimMatchingUsername\r\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n // ActorUsername not coming from source. Hence, not mapped.\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0, \"-\",\r\n temp_isMatchTargetUsername, \"TargetUsername\",\r\n \"No match\"\r\n )\r\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\r\n | extend \r\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\r\n DvcOs = 'Linux',\r\n EventEndTime = TimeGenerated,\r\n EventProduct = 'OpenSSH',\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.2',\r\n EventStartTime = TimeGenerated,\r\n EventSubType = 'Remote',\r\n EventVendor = 'OpenBSD',\r\n LogonProtocol = 'ssh',\r\n TargetAppId = tostring(ProcessID),\r\n TargetAppName = 'sshd',\r\n TargetAppType = 'Service',\r\n TargetDvcOs = 'Linux',\r\n TargetUsernameType = 'Simple',\r\n Type = 'Syslog'\r\n | project-away Computer, ProcessID, temp*\r\n | project-rename \r\n DvcId = _ResourceId,\r\n DvcIpAddr = HostIP,\r\n DvcScopeId = _SubscriptionId,\r\n EventUid = _ItemId\r\n //\r\n // -- Aliases\r\n | extend\r\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n TargetDomain = DvcDomain,\r\n TargetDomainType = DvcDomainType,\r\n TargetDvcId = DvcId,\r\n TargetDvcIdType = DvcIdType,\r\n TargetDvcScopeId = DvcScopeId,\r\n TargetFQDN = DvcFQDN,\r\n TargetHostname = DvcHostname,\r\n TargetIpAddr = DvcIpAddr,\r\n User = TargetUsername,\r\n Application = TargetAppName\r\n | extend Dvc = Dst\r\n};\r\nparser(\r\n starttime=starttime,\r\n endtime=endtime,\r\n username_has_any=username_has_any,\r\n 
targetappname_has_any=targetappname_has_any,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n srchostname_has_any=srchostname_has_any,\r\n eventtype_in=eventtype_in,\r\n eventresultdetails_in=eventresultdetails_in,\r\n eventresult=eventresult,\r\n disabled=disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM filtering parser for OpenSSH sshd.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"b7527ae5-d322-50e4-9abc-c2ada6b97733","name":"_Im_Authentication_SuV02","body":"let parser = (\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n )\r\n{\r\n let prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime))\r\n{\r\n T\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated by \"\r\n let SuSignInAuthorized=(disabled: bool=false)\r\n{\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\r\n | invoke prefilter()\r\n | parse SyslogMessage with * \"for \" TargetUsername: string \" by \" ActorUsername: string\r\n | extend\r\n EventType = 'Elevation'\r\n | project-away SyslogMessage, ProcessName\r\n};\r\n 
// \r\n // -- SU end\r\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\r\n let SuDisconnect=(disabled: bool=false)\r\n{\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\r\n | invoke prefilter()\r\n | parse SyslogMessage with * \"for user \" TargetUsername: string\r\n | extend\r\n EventType = 'Logoff'\r\n | project-away SyslogMessage, ProcessName\r\n};\r\n union isfuzzy=false \r\n SuSignInAuthorized (disabled = disabled)\r\n ,\r\n SuDisconnect(disabled = disabled)\r\n // Post-filtering\r\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\r\n and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\r\n // mapping ASimMatchingUsername\r\n | extend\r\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\r\n ,\r\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0,\r\n \"-\",\r\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\r\n \"Both\",\r\n temp_isMatchTargetUsername,\r\n \"TargetUsername\",\r\n temp_isMatchActorUsername,\r\n \"ActorUsername\",\r\n \"No match\"\r\n )\r\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\r\n | extend\r\n EventVendor = 'Linux'\r\n ,\r\n EventProduct = 'su'\r\n ,\r\n DvcOs = 'Linux'\r\n ,\r\n TargetDvcOs = 'Linux'\r\n ,\r\n EventCount = int(1)\r\n ,\r\n EventSchema = 'Authentication'\r\n ,\r\n EventSchemaVersion = '0.1.2'\r\n ,\r\n EventResult = 'Success'\r\n ,\r\n EventStartTime = TimeGenerated\r\n ,\r\n EventEndTime = TimeGenerated\r\n ,\r\n ActorUsernameType = 'Simple'\r\n ,\r\n TargetUsernameType = 'Simple'\r\n ,\r\n EventSeverity = 'Informational'\r\n ,\r\n ActingAppType = 'Process'\r\n ,\r\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\r\n ,\r\n 
ActingAppId = tostring(ProcessID)\r\n | project-away Computer, ProcessID, temp*\r\n | project-rename \r\n EventUid = _ItemId\r\n ,\r\n DvcScopeId = _SubscriptionId\r\n ,\r\n DvcId = _ResourceId\r\n ,\r\n DvcIpAddr = HostIP\r\n //\r\n // -- Aliases\r\n | extend\r\n User = TargetUsername\r\n ,\r\n Dvc = DvcHostname\r\n ,\r\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\r\n ,\r\n TargetDomain = DvcDomain\r\n ,\r\n TargetFQDN = DvcFQDN\r\n ,\r\n TargetDomainType = DvcDomainType\r\n ,\r\n TargetHostname = DvcHostname\r\n ,\r\n TargetDvcId = DvcId\r\n ,\r\n TargetDvcScopeId = DvcScopeId\r\n ,\r\n TargetDvcIdType = DvcDomainType\r\n ,\r\n IpAddr = DvcIpAddr\r\n ,\r\n TargetIpAddr = DvcIpAddr\r\n};\r\nparser (\r\n starttime=starttime,\r\n endtime=endtime,\r\n username_has_any=username_has_any,\r\n targetappname_has_any=targetappname_has_any,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n srchostname_has_any=srchostname_has_any,\r\n eventtype_in=eventtype_in,\r\n eventresultdetails_in=eventresultdetails_in,\r\n eventresult=eventresult,\r\n disabled=disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM filtering parser for Linux su.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"763a8f5c-6449-5e00-9ef2-e3f9443ea07c","name":"_Im_Authentication_SuV03","body":"let parser = (\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n 
srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n)\r\n{\r\n let prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime, EventResult: string, EventType: string, HostIP: string))\r\n {\r\n T\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated by \"\r\n let SuSignInAuthorized=(disabled: bool=false)\r\n {\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\r\n | extend\r\n EventType = 'Logon',\r\n EventResult = \"Success\"\r\n | invoke prefilter()\r\n | parse SyslogMessage with * \"for \" TargetUsername: string \" by \" ActorUsername: string\r\n | project-away SyslogMessage, ProcessName\r\n };\r\n // \r\n // -- SU end\r\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\r\n let SuDisconnect=(disabled: bool=false)\r\n {\r\n SyslogProjects \r\n | where not(disabled)\r\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\r\n | extend\r\n EventType = 'Logoff',\r\n EventResult = \"Success\"\r\n | invoke prefilter()\r\n | parse SyslogMessage with * \"for user \" TargetUsername: string\r\n | project-away SyslogMessage, ProcessName\r\n };\r\n // Failed SU\r\n let SuFailed=(disabled: bool=false)\r\n {\r\n SyslogProjects\r\n | where not(disabled)\r\n | where ProcessName == \"su\" and SyslogMessage startswith \"FAILED SU\"\r\n | extend \r\n EventType = \"Logon\",\r\n EventResult = \"Failure\"\r\n | invoke prefilter()\r\n | parse SyslogMessage with * \"to \" TargetUsername: string \") \" ActorUsername: string \" on \" *\r\n | project-away SyslogMessage, ProcessName\r\n };\r\n union isfuzzy=false \r\n SuDisconnect(disabled = disabled),\r\n SuSignInAuthorized(disabled = disabled),\r\n SuFailed(disabled = 
disabled)\r\n // Post-filtering\r\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\r\n and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\r\n // mapping ASimMatchingUsername\r\n | extend\r\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any),\r\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\r\n | extend ASimMatchingUsername = case\r\n (\r\n array_length(username_has_any) == 0, \"-\",\r\n temp_isMatchTargetUsername and temp_isMatchActorUsername, \"Both\",\r\n temp_isMatchTargetUsername, \"TargetUsername\",\r\n temp_isMatchActorUsername, \"ActorUsername\",\r\n \"No match\"\r\n )\r\n | invoke _ASIM_ResolveDvcFQDN('Computer')\r\n | extend\r\n ActingAppId = tostring(ProcessID),\r\n ActingAppType = 'Process',\r\n ActorUsernameType = 'Simple',\r\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\r\n DvcOs = 'Linux',\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventProduct = 'su',\r\n EventSchema = 'Authentication',\r\n EventSchemaVersion = '0.1.3',\r\n EventSeverity = 'Informational',\r\n EventStartTime = TimeGenerated,\r\n EventVendor = 'Linux',\r\n TargetAppName = 'su',\r\n TargetDvcOs = 'Linux',\r\n TargetUsernameType = 'Simple',\r\n Type = \"Syslog\"\r\n | project-away Computer, ProcessID\r\n | project-rename \r\n DvcId = _ResourceId,\r\n DvcIpAddr = HostIP,\r\n DvcScopeId = _SubscriptionId,\r\n EventUid = _ItemId\r\n //\r\n // -- Aliases\r\n | extend\r\n SrcIpAddr = DvcIpAddr,\r\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\r\n IpAddr = DvcIpAddr,\r\n TargetDomain = DvcDomain,\r\n TargetDomainType = DvcDomainType,\r\n TargetDvcId = DvcId,\r\n TargetDvcIdType = DvcDomainType,\r\n TargetDvcScopeId = DvcScopeId,\r\n TargetFQDN = DvcFQDN,\r\n TargetHostname = DvcHostname,\r\n TargetIpAddr = DvcIpAddr,\r\n User = TargetUsername\r\n | extend Dvc = Dst\r\n | project\r\n 
TimeGenerated,\r\n EventType,\r\n EventResult,\r\n DvcHostname,\r\n DvcDomain,\r\n DvcFQDN,\r\n DvcDomainType,\r\n ActingAppId,\r\n ActingAppType,\r\n ActorUsernameType,\r\n DvcIdType,\r\n DvcOs,\r\n EventCount,\r\n EventEndTime,\r\n EventProduct,\r\n EventSchema,\r\n EventSchemaVersion,\r\n EventSeverity,\r\n EventStartTime,\r\n EventVendor,\r\n TargetAppName,\r\n TargetDvcOs,\r\n TargetUsernameType,\r\n Type,\r\n DvcId,\r\n DvcIpAddr,\r\n DvcScopeId,\r\n EventUid,\r\n SrcIpAddr,\r\n Dst,\r\n Dvc,\r\n IpAddr,\r\n TargetDomain,\r\n TargetDomainType,\r\n TargetDvcId,\r\n TargetDvcIdType,\r\n TargetDvcScopeId,\r\n TargetFQDN,\r\n TargetHostname,\r\n TargetIpAddr,\r\n User,\r\n TargetUsername,\r\n ActorUsername,\r\n ASimMatchingUsername\r\n};\r\nparser (\r\n starttime=starttime,\r\n endtime=endtime,\r\n username_has_any=username_has_any,\r\n targetappname_has_any=targetappname_has_any,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\r\n srchostname_has_any=srchostname_has_any,\r\n eventtype_in=eventtype_in,\r\n eventresultdetails_in=eventresultdetails_in,\r\n eventresult=eventresult,\r\n disabled=disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM filtering parser for Linux su.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"0758d388-f402-5004-8e98-4b8d58d4e68e","name":"_Im_Authentication_SudoV01","body":"let SudoSignInAuthorized=(\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n 
srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n ) {\r\n Syslog \r\n | where not(disabled)\r\n | where ProcessName == \"sudo\" and \r\n SyslogMessage has 'TTY=' and \r\n SyslogMessage has 'USER=' and\r\n SyslogMessage has 'COMMAND='\r\n and (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated \r\n // ************************\r\n | extend\r\n User = TargetUsername,\r\n Dvc = Computer\r\n // ************************\r\n // \r\n // ************************\r\n | project-away Computer, MG, SourceSystem, TenantId, temp_*\r\n};\r\nlet SudoAuthFailure1=(\r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false\r\n ) {\r\n Syslog\r\n | where not(disabled)\r\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\r\n and (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated \r\n // ************************\r\n | extend\r\n Dvc = Computer,\r\n User = TargetUsername\r\n // ************************\r\n // \r\n // ************************\r\n | project-away Computer, MG, SourceSystem, TenantId, temp_*\r\n};\r\nunion isfuzzy=false \r\n SudoSignInAuthorized(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled), \r\n SudoAuthFailure1(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled), \r\n SudoDisconnect(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), username_has_any:dynamic = dynamic([]), targetappname_has_any:dynamic = dynamic([]), srcipaddr_has_any_prefix:dynamic = dynamic([]), srchostname_has_any:dynamic = dynamic([]), eventtype_in:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Authentication ASIM filtering parser for Syslog sudo.","related":{"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"23c7e460-b763-5c3b-90f3-76bee46f0501","name":"_Im_Authentication_SudoV02","body":"let parser = (starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n username_has_any: dynamic = dynamic([]),\r\n targetappname_has_any: dynamic = dynamic([]),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n srchostname_has_any: dynamic = dynamic([]),\r\n eventtype_in: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool=false) {\r\n let SeverityLevelLookup = datatable 
(SeverityLevel: string, EventSeverity: string)\r\n [\r\n \"info\", \"Informational\",\r\n \"notice\", \"Informational\",\r\n \"alert\", \"Low\",\r\n \"error\", \"Medium\",\r\n \"err\", \"Medium\",\r\n \"critical\", \"High\",\r\n \"warning\", \"Low\",\r\n \"warn\", \"Low\",\r\n \"debug\", \"Informational\",\r\n \"crit\", \"High\"\r\n ];\r\n let SudoLogs = Syslog\r\n | where not(disabled)\r\n | where ProcessName == \"sudo\"\r\n // Initial pre-filtering\r\n | where (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or event_timestamp_t \" DstIpAddr:string \":\" DstPortNumber:int \r\n \": \" EventResultOriginalDetails:string\r\n | project-away msg_s\r\n | extend \r\n EventResult = \"Failure\",\r\n EventSubType = \"request\"\r\n};\r\nlet DNS = (disabled:bool=false) {\r\n union DNS_query(disabled), DNS_error(disabled)\r\n | extend\r\n NetworkProtocol = toupper(NetworkProtocol)\r\n | project-rename\r\n DvcId = ResourceId\r\n | extend\r\n DvcIdType = \"AzureResourceId\",\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated,\r\n EventVendor = \"Microsoft\",\r\n EventProduct = \"Azure Firewall\",\r\n EventSchema = \"Dns\",\r\n EventSchemaVersion = \"0.1.3\",\r\n EventEndTime = TimeGenerated, \r\n EventType = 'Query',\r\n DnsFlagsAuthenticated = DnsFlags has \"aa\",\r\n DnsFlagsAuthoritative = DnsFlags has \"ad\",\r\n DnsFlagsCheckingDisabled = DnsFlags has \"cd\",\r\n DnsFlagsRecursionAvailable = DnsFlags has \"ra\",\r\n DnsFlagsRecursionDesired = DnsFlags has \"rd\",\r\n DnsFlagsTruncates = DnsFlags has \"tc\"\r\n | extend\r\n // -- Aliases\r\n DnsResponseCodeName=EventResultDetails,\r\n Domain=DnsQuery,\r\n IpAddr=SrcIpAddr,\r\n Src=SrcIpAddr,\r\n Dst=DstIpAddr,\r\n Duration = DnsNetworkDuration,\r\n Dvc=DvcId\r\n | 
extend\r\n // -- Backward Compatibility\r\n Query = DnsQuery,\r\n QueryTypeName = DnsQueryTypeName,\r\n ResponseCodeName = DnsResponseCodeName,\r\n Flags = DnsFlags\r\n};\r\nDNS(disabled)","parameters":"disabled:bool = false","displayName":"DNS Parser for Azure Firewall","description":"DNS activity ASIM parser for Azure Firewall.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"9e586f9b-925b-5830-a979-d510cab99dd3","name":"_ASim_Dns_AzureFirewallV04","body":"let legacy_DNS_query=(disabled:bool=false){\r\n AzureDiagnostics | where not(disabled)\r\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\r\n | where Category == \"AzureFirewallDnsProxy\"\r\n | where msg_s startswith \"DNS Request:\"\r\n | project msg_s, TimeGenerated, ResourceId, SubscriptionId\r\n | parse msg_s with\r\n \"DNS Request: \" \r\n SrcIpAddr:string \":\" SrcPortNumber:int \r\n \" - \" EventOriginalUid:string \r\n \" \" DnsQueryTypeName:string \r\n \" \" DnsQueryClassName:string\r\n \" \" DnsQuery:string\r\n \". \" NetworkProtocol:string \r\n \" \" SrcBytes:int \r\n \" \" DnsDNSSECflag:bool \r\n \" \" DnsDNSSECBufferSize:int \r\n \" \" EventResultDetails:string \r\n \" \" DnsFlags:string\r\n \" \" DstBytes:int\r\n \" \" DnsNetworkDuration:double\r\n \"s\"\r\n | project-away msg_s\r\n | extend\r\n EventResult = iff (EventResultDetails == \"NOERROR\", \"Success\", \"Failure\"),\r\n EventSubType = \"response\",\r\n DnsNetworkDuration = toint(DnsNetworkDuration*1000) \r\n};\r\nlet legacy_DNS_error=(disabled:bool=false) {\r\n AzureDiagnostics | where not(disabled)\r\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\r\n | where Category == \"AzureFirewallDnsProxy\"\r\n | project msg_s, TimeGenerated, ResourceId, SubscriptionId\r\n | where msg_s startswith \" Error:\"\r\n | parse msg_s with \r\n \" Error: \" nu:string \r\n \" \" DnsQuery:string \r\n \". 
\" DnsQueryTypeName:string \r\n \": \" op:string \r\n \" \" NetworkProtocol:string\r\n \" \" SrcIpAddr:string \":\" SrcPortNumber:int \r\n \"->\" DstIpAddr:string \":\" DstPortNumber:int \r\n \": \" EventResultOriginalDetails:string\r\n | project-away msg_s\r\n | extend \r\n EventResult = \"Failure\",\r\n EventSubType = \"request\"\r\n};\r\nlet AZFW_Dns = (disabled:bool=false) {\r\n AZFWDnsQuery\r\n | where not(disabled)\r\n | extend DnsNetworkDuration = toint(RequestDurationSecs * 1000) // Convert to ms\r\n | extend EventResultDetails = iff(ResponseCode == \"0\", \"NA\", ResponseCode) // ResponseCode of 0 indicates a request\r\n | project-rename\r\n EventMessage = ErrorMessage,\r\n SrcIpAddr = SourceIp,\r\n SrcPortNumber = SourcePort,\r\n DnsQuery = QueryName,\r\n DnsQueryType = QueryId,\r\n DnsQueryClassName = QueryClass,\r\n DnsFlags = ResponseFlags,\r\n NetworkProtocol = Protocol\r\n | extend\r\n EventSubType = iff(ResponseCode == \"0\", \"request\", \"response\"),\r\n EventOriginalUid = _ItemId,\r\n EventResult = iff(ResponseCode == \"NOERROR\", \"Success\", \"Failure\"),\r\n DnsQueryTypeName = trim(\":\", QueryType),\r\n AdditionalFields = bag_pack(\r\n \"DnssecOkBit\", DnssecOkBit,\r\n \"RequestSize\", RequestSize,\r\n \"EDNS0BufferSize\", EDNS0BufferSize,\r\n \"ResponseSize\", ResponseSize,\r\n \"SourceSystem\", SourceSystem\r\n )\r\n | project-away \r\n DnssecOkBit,\r\n EDNS0BufferSize,\r\n ErrorNumber,\r\n QueryType,\r\n RequestDurationSecs,\r\n RequestSize,\r\n ResponseCode,\r\n ResponseSize,\r\n SourceSystem,\r\n _ItemId,\r\n _TimeReceived\r\n};\r\nlet DNS = (disabled:bool=false) {\r\n union \r\n legacy_DNS_query (disabled),\r\n legacy_DNS_error (disabled),\r\n AZFW_Dns (disabled)\r\n | extend\r\n NetworkProtocol = toupper(NetworkProtocol),\r\n DvcId = coalesce(ResourceId, _ResourceId),\r\n DvcScopeId = coalesce(SubscriptionId, _SubscriptionId)\r\n | project-away \r\n ResourceId,\r\n SubscriptionId\r\n | extend\r\n DvcIdType = \"AzureResourceId\",\r\n 
EventCount = int(1),\r\n EventStartTime = TimeGenerated,\r\n EventVendor = \"Microsoft\",\r\n EventProduct = \"Azure Firewall\",\r\n EventSchema = \"Dns\",\r\n EventSchemaVersion = \"0.1.7\",\r\n EventEndTime = TimeGenerated, \r\n EventType = 'Query',\r\n DnsFlagsAuthenticated = DnsFlags has \"aa\",\r\n DnsFlagsAuthoritative = DnsFlags has \"ad\",\r\n DnsFlagsCheckingDisabled = DnsFlags has \"cd\",\r\n DnsFlagsRecursionAvailable = DnsFlags has \"ra\",\r\n DnsFlagsRecursionDesired = DnsFlags has \"rd\",\r\n DnsFlagsTruncates = DnsFlags has \"tc\"\r\n | extend\r\n // -- Aliases\r\n DnsResponseCodeName=EventResultDetails,\r\n Domain=DnsQuery,\r\n IpAddr=SrcIpAddr,\r\n Src=SrcIpAddr,\r\n SrcHostname=SrcIpAddr,\r\n Hostname=SrcIpAddr,\r\n Dst=DstIpAddr,\r\n Duration = DnsNetworkDuration,\r\n Dvc=DvcId\r\n | extend\r\n // -- Backward Compatibility\r\n Query = DnsQuery,\r\n QueryTypeName = DnsQueryTypeName,\r\n ResponseCodeName = DnsResponseCodeName,\r\n Flags = DnsFlags\r\n};\r\nDNS(disabled)","parameters":"disabled:bool = false","description":"DNS activity ASIM parser for Azure Firewall.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"bd97655a-1311-54f6-b344-3f997c69ef73","name":"_ASim_Dns_CiscoUmbrellaV03","body":"let DNSQuery_CiscoUmbrella=(disabled:bool=false){\r\n Cisco_Umbrella_dns_CL | where not(disabled)\r\n // \r\n // *********** Parsing\r\n | parse QueryType_s with DnsQueryType:int \" (\"DnsQueryTypeName:string \")\"\r\n //\r\n | project \r\n //\r\n // ******************* Mandatory\r\n EventCount=int(1),\r\n EventStartTime= column_ifexists(\"Timestamp_t\", todatetime(column_ifexists(\"Timestamp_s\",\"\"))),\r\n EventProduct=\"Umbrella\",\r\n EventVendor=\"Cisco\",\r\n EventSchema=\"Dns\",\r\n EventSchemaVersion=\"0.1.3\",\r\n Dvc=\"CiscoUmbrella\",\r\n EventType=\"Query\",\r\n EventResult=iff(ResponseCode_s=~'NOERROR','Success','Failure'),\r\n EventResultDetails=ResponseCode_s, // => 
ResponseCodeNames\r\n //\r\n TimeGenerated, // not handled by schema, but we need to preserve it\r\n SrcIpAddr=column_ifexists('InternalIp_s', ''),\r\n EventSubType='response',\r\n // ********** Renamed columns\r\n UrlCategory=column_ifexists('Categories_s', ''),\r\n DnsQuery=trim_end(@'\\.',column_ifexists('Domain_s', '')) , \r\n ThreatCategory=column_ifexists('Blocked_Categories_s', ''),\r\n SrcNatIpAddr=column_ifexists('ExternalIp_s', ''),\r\n DvcAction=column_ifexists('Action_s', ''),\r\n EventEndTime=todatetime(column_ifexists('Timestamp_t', column_ifexists('Timestamp_s',\"\") )), \r\n //\r\n // *************** keep Parsed data\r\n DnsQueryType, DnsQueryTypeName\r\n // **************Aliases\r\n | extend \r\n DnsResponseCodeName=EventResultDetails, \r\n DomainCategory=UrlCategory,\r\n Domain=DnsQuery,\r\n IpAddr=SrcIpAddr,\r\n Src=SrcIpAddr\r\n };\r\nDNSQuery_CiscoUmbrella(disabled)","parameters":"disabled:bool = false","description":"DNS activity ASIM parser for Cisco Umbrella.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"ee29d8bf-9567-5c21-b060-d2a95de59682","name":"_ASim_Dns_CorelightZeekV03","body":"let DNSQuery_CorelightZeek=(disabled:bool=false){\r\n Corelight_CL | where not(disabled)\r\n | where log_file_s has \"dns\"\r\n | extend data = todynamic(Message)\r\n | extend \r\n EventCount=int(1),\r\n EventProduct=\"Zeek\",\r\n EventVendor=\"Corelight\",\r\n EventSchema = \"Dns\",\r\n EventSchemaVersion=\"0.1.3\",\r\n Dvc=\"Zeek\",\r\n EventType=\"Query\",\r\n EventSubType=iff(isnull(data.rcode),'request','response'),\r\n EventEndTime= todatetime(data.ts),\r\n EventOriginalUid = tostring(data.uid),\r\n SrcIpAddr = tostring (data.[\"id.orig_h\"]),\r\n SrcPortNumber = toint (data.[\"id.orig_p\"]),\r\n DstIpAddr = tostring (data.[\"id.dest_h\"]),\r\n DstPortNumber = toint (data.[\"id.dest_p\"]),\r\n NetworkProtocol = tostring(data.proto),\r\n TransactionIdHex = tohex(toint(data.trans_id)), 
\r\n DnsQuery = tostring(data.query),\r\n DnsResponseCode = toint(data.rcode),\r\n EventResultDetails = tostring (data.rcode_name),\r\n DnsFlagsAuthoritative = tobool(data.AA),\r\n DnsFlagsTruncated = tobool(data.TC),\r\n DnsFlagsRecursionDesired = tobool(data.RD),\r\n DnsFlagsZ = tobool(data.Z),\r\n DnsQueryClassName =tostring(data.qclass_name), \r\n DnsQueryClass = toint(data.qclass),\r\n DnsQueryTypeName =tostring(data.qtype_name), \r\n DnsQueryType = toint(data.qtype),\r\n DnsNetworkDuration = toint(data.rtt),\r\n DnsResponseName = tostring(pack ('answers', data.answers, 'ttls', data.TTLs, 'authoritative ', data.auth, 'additional', data.addl))\r\n | extend\r\n EventStartTime = EventEndTime,\r\n EventResult = iff (EventResultDetails=~'NOERROR','Success','Failure'),\r\n DnsQueryClassName=case(DnsQueryClassName==\"C_INTERNET\",\"IN\",\r\n isempty(DnsQueryClassName) and data.answers has \".\",\"ANY\"\r\n ,\"\")\r\n // Aliases\r\n | extend \r\n DnsResponseCodeName=EventResultDetails, \r\n Domain=DnsQuery,\r\n IpAddr=SrcIpAddr,\r\n Src=SrcIpAddr,\r\n Dst=DstIpAddr,\r\n Duration=DnsNetworkDuration\r\n // Backward Compatibility\r\n | extend\r\n Query=DnsQuery,\r\n QueryType=DnsQueryType,\r\n ResponseCodeName=DnsResponseCodeName,\r\n QueryTypeName=DnsQueryTypeName\r\n };\r\n DNSQuery_CorelightZeek(disabled)\r\n","parameters":"disabled:bool = false","displayName":"DNS Parser for Corelight Zeek V03","description":"DNS activity ASIM parser for Corelight Zeek.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"6766687b-e8f2-5e29-b8e4-09001a6a2106","name":"_ASim_Dns_CorelightZeekV04","body":"let query_type_lookup=datatable(DnsQueryType:int,DnsQueryTypeName:string)[\r\n 0, \"Reserved\",\r\n 1, \"A\",\r\n 2, \"NS\",\r\n 3, \"MD\",\r\n 4, \"MF\",\r\n 5, \"CNAME\",\r\n 6, \"SOA\",\r\n 7, \"MB\",\r\n 8, \"MG\",\r\n 9, \"MR\",\r\n 10, \"NULL\",\r\n 11, \"WKS\",\r\n 12, \"PTR\",\r\n 13, \"HINFO\",\r\n 14, 
\"MINFO\",\r\n 15, \"MX\",\r\n 16, \"TXT\",\r\n 17, \"RP\",\r\n 18, \"AFSDB\",\r\n 19, \"X25\",\r\n 20, \"ISDN\",\r\n 21, \"RT\",\r\n 22, \"NSAP\",\r\n 23, \"NSAP-PTR\",\r\n 24, \"SIG\",\r\n 25, \"KEY\",\r\n 26, \"PX\",\r\n 27, \"GPOS\",\r\n 28, \"AAAA\",\r\n 29, \"LOC\",\r\n 30, \"NXT\",\r\n 31, \"EID\",\r\n 32, \"NIMLOC\",\r\n 33, \"SRV\",\r\n 34, \"ATMA\",\r\n 35, \"NAPTR\",\r\n 36, \"KX\",\r\n 37, \"CERT\",\r\n 38, \"A6\",\r\n 39, \"DNAME\",\r\n 40, \"SINK\",\r\n 41, \"OPT\",\r\n 42, \"APL\",\r\n 43, \"DS\",\r\n 44, \"SSHFP\",\r\n 45, \"IPSECKEY\",\r\n 46, \"RRSIG\",\r\n 47, \"NSEC\",\r\n 48, \"DNSKEY\",\r\n 49, \"DHCID\",\r\n 50, \"NSEC3\",\r\n 51, \"NSEC3PARAM\",\r\n 52, \"TLSA\",\r\n 53, \"SMIMEA\",\r\n 54, \"Unassigned\",\r\n 55, \"HIP\",\r\n 56, \"NINFO\",\r\n 57, \"RKEY\",\r\n 58, \"TALINK\",\r\n 59, \"CDS\",\r\n 60, \"CDNSKEY\",\r\n 61, \"OPENPGPKEY\",\r\n 62, \"CSYNC\",\r\n 99, \"SPF\",\r\n 100, \"UINFO\",\r\n 101, \"UID\",\r\n 102, \"GID\",\r\n 103, \"UNSPEC\",\r\n 104, \"NID\",\r\n 105, \"L32\",\r\n 106, \"L64\",\r\n 107, \"LP\",\r\n 108, \"EUI48\",\r\n 109, \"EUI64\",\r\n 249, \"TKEY\",\r\n 250, \"TSIG\",\r\n 251, \"IXFR\",\r\n 252, \"AXFR\",\r\n 253, \"MAILB\",\r\n 254, \"MAILA\",\r\n 255, \"ANY\",\r\n 256, \"URI\",\r\n 257, \"CAA\",\r\n 258, \"AVC\",\r\n 259, \"DOA\",\r\n 32768, \"TA\",\r\n 32769, \"DLV\"];\r\nlet class_lookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\r\n 0, 'Reserved',\r\n 1, 'IN',\r\n 2, 'Unassigned',\r\n 3, 'CH',\r\n 4, 'HS',\r\n 254, 'None',\r\n 255, 'Any'];\r\nlet parser=(disabled:bool=false){\r\n Corelight_CL | where not(disabled)\r\n | where Message has '\"_path\":\"dns\"' or Message has '\"_path\":\"dns_red\"'\r\n | parse-kv Message as (\r\n ['\"_system_name\"']:string,\r\n ['\"_write_ts\"']:datetime,\r\n ['\"ts\"']:datetime,\r\n ['\"uid\"']:string,\r\n ['\"id.orig_h\"']:string,\r\n ['\"id.orig_p\"']:int,\r\n ['\"id.resp_h\"']:string,\r\n ['\"id.resp_p\"']:int,\r\n ['\"proto\"']:string,\r\n 
['\"trans_id\"']:int,\r\n ['\"query\"']:string,\r\n ['\"qclass\"']:int,\r\n ['\"qtype\"']:int,\r\n ['\"AA\"']:bool,\r\n ['\"TC\"']:bool,\r\n ['\"CD\"']:bool,\r\n ['\"RD\"']:bool,\r\n ['\"RA\"']:bool,\r\n ['\"Z\"']:int,\r\n ['\"rejected\"']:bool,\r\n ['\"rcode\"']:int,\r\n ['\"rcode_name\"']:string,\r\n ['\"rtt\"']:real,\r\n ) \r\n with (quote = '\"')\r\n | parse Message with * '\"answers\":' answers:string ',\"TTLs\":' TTLs:string ',\"rejected\"' *\r\n | extend \r\n EventCount=int(1),\r\n EventProduct=\"Zeek\",\r\n EventVendor=\"Corelight\",\r\n EventSchema = \"Dns\",\r\n EventSchemaVersion=\"0.1.4\",\r\n EventType=\"Query\"\r\n | project-rename\r\n EventStartTime= ['\"ts\"'],\r\n EventEndTime = ['\"_write_ts\"'],\r\n EventOriginalUid = ['\"uid\"'],\r\n SrcIpAddr = ['\"id.orig_h\"'],\r\n SrcPortNumber = ['\"id.orig_p\"'],\r\n DstIpAddr = ['\"id.resp_h\"'],\r\n DstPortNumber = ['\"id.resp_p\"'],\r\n NetworkProtocol = ['\"proto\"'],\r\n DnsQuery = ['\"query\"'],\r\n DnsResponseCode = ['\"rcode\"'],\r\n EventResultDetails = ['\"rcode_name\"'],\r\n DnsFlagsAuthoritative = ['\"AA\"'],\r\n DnsFlagsTruncated = ['\"TC\"'],\r\n DnsFlagsRecursionDesired = ['\"RD\"'],\r\n DnsFlagsCheckingDisabled = ['\"CD\"'],\r\n DnsFlagsRecursionAvailable = ['\"RA\"'],\r\n DnsQueryClass = ['\"qclass\"'],\r\n DnsQueryType = ['\"qtype\"'],\r\n rtt = ['\"rtt\"'],\r\n Z = ['\"Z\"'],\r\n trans_id = ['\"trans_id\"'],\r\n rejected = ['\"rejected\"'],\r\n Dvc = ['\"_system_name\"']\r\n | lookup query_type_lookup on DnsQueryType\r\n | lookup class_lookup on DnsQueryClass\r\n | extend\r\n EventSubType=iff(isnull(DnsResponseCode),'request','response'),\r\n DnsNetworkDuration = toint(rtt*1000),\r\n EventResult = iff (EventResultDetails!~'NOERROR' or rejected,'Failure','Success'),\r\n DnsQueryTypeName = case (DnsQueryTypeName == \"\" and not(isnull(DnsQueryType)), strcat(\"TYPE\", DnsQueryType), DnsQueryTypeName),\r\n DnsQueryClassName = case (DnsQueryClassName == \"\" and not(isnull(DnsQueryClass)), 
strcat(\"CLASS\", DnsQueryClass), DnsQueryClassName),\r\n TransactionIdHex = tohex(toint(trans_id)),\r\n DnsFlagsZ = (Z != 0),\r\n DnsResponseName = tostring(pack ('answers', answers, 'ttls', TTLs)) // support of auth & addl to be added.\r\n // Aliases\r\n | extend \r\n DnsResponseCodeName=EventResultDetails, \r\n Domain=DnsQuery,\r\n IpAddr=SrcIpAddr,\r\n Src=SrcIpAddr,\r\n //Duration=DnsNetworkDuration,\r\n Dst=DstIpAddr\r\n | project-away Message, MG, ManagementGroupName, RawData, SourceSystem, Computer, Z, TTLs, answers, trans_id, rejected, hostname_s\r\n};\r\nparser (disabled=disabled)","parameters":"disabled:bool = false","displayName":"DNS Parser for Corelight Zeek V04","description":"DNS activity ASIM parser for Corelight Zeek.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"a1712e60-355e-5946-a25a-bbc9c187ec6b","name":"_ASim_Dns_CorelightZeekV05","body":"let query_type_lookup=datatable(DnsQueryType:int,DnsQueryTypeName:string)[\r\n 0, \"Reserved\",\r\n 1, \"A\",\r\n 2, \"NS\",\r\n 3, \"MD\",\r\n 4, \"MF\",\r\n 5, \"CNAME\",\r\n 6, \"SOA\",\r\n 7, \"MB\",\r\n 8, \"MG\",\r\n 9, \"MR\",\r\n 10, \"NULL\",\r\n 11, \"WKS\",\r\n 12, \"PTR\",\r\n 13, \"HINFO\",\r\n 14, \"MINFO\",\r\n 15, \"MX\",\r\n 16, \"TXT\",\r\n 17, \"RP\",\r\n 18, \"AFSDB\",\r\n 19, \"X25\",\r\n 20, \"ISDN\",\r\n 21, \"RT\",\r\n 22, \"NSAP\",\r\n 23, \"NSAP-PTR\",\r\n 24, \"SIG\",\r\n 25, \"KEY\",\r\n 26, \"PX\",\r\n 27, \"GPOS\",\r\n 28, \"AAAA\",\r\n 29, \"LOC\",\r\n 30, \"NXT\",\r\n 31, \"EID\",\r\n 32, \"NIMLOC\",\r\n 33, \"SRV\",\r\n 34, \"ATMA\",\r\n 35, \"NAPTR\",\r\n 36, \"KX\",\r\n 37, \"CERT\",\r\n 38, \"A6\",\r\n 39, \"DNAME\",\r\n 40, \"SINK\",\r\n 41, \"OPT\",\r\n 42, \"APL\",\r\n 43, \"DS\",\r\n 44, \"SSHFP\",\r\n 45, \"IPSECKEY\",\r\n 46, \"RRSIG\",\r\n 47, \"NSEC\",\r\n 48, \"DNSKEY\",\r\n 49, \"DHCID\",\r\n 50, \"NSEC3\",\r\n 51, \"NSEC3PARAM\",\r\n 52, \"TLSA\",\r\n 53, \"SMIMEA\",\r\n 54, \"Unassigned\",\r\n 
55, \"HIP\",\r\n 56, \"NINFO\",\r\n 57, \"RKEY\",\r\n 58, \"TALINK\",\r\n 59, \"CDS\",\r\n 60, \"CDNSKEY\",\r\n 61, \"OPENPGPKEY\",\r\n 62, \"CSYNC\",\r\n 99, \"SPF\",\r\n 100, \"UINFO\",\r\n 101, \"UID\",\r\n 102, \"GID\",\r\n 103, \"UNSPEC\",\r\n 104, \"NID\",\r\n 105, \"L32\",\r\n 106, \"L64\",\r\n 107, \"LP\",\r\n 108, \"EUI48\",\r\n 109, \"EUI64\",\r\n 249, \"TKEY\",\r\n 250, \"TSIG\",\r\n 251, \"IXFR\",\r\n 252, \"AXFR\",\r\n 253, \"MAILB\",\r\n 254, \"MAILA\",\r\n 255, \"ANY\",\r\n 256, \"URI\",\r\n 257, \"CAA\",\r\n 258, \"AVC\",\r\n 259, \"DOA\",\r\n 32768, \"TA\",\r\n 32769, \"DLV\"];\r\nlet class_lookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\r\n 0, 'Reserved',\r\n 1, 'IN',\r\n 2, 'Unassigned',\r\n 3, 'CH',\r\n 4, 'HS',\r\n 254, 'None',\r\n 255, 'Any'];\r\nlet parser=(disabled:bool=false){\r\n Corelight_CL | where not(disabled)\r\n | project Message, TimeGenerated\r\n | where Message has '\"_path\":\"dns\"' or Message has '\"_path\":\"dns_red\"'\r\n | parse-kv Message as (\r\n ['\"_system_name\"']:string,\r\n ['\"_write_ts\"']:datetime,\r\n ['\"ts\"']:datetime,\r\n ['\"uid\"']:string,\r\n ['\"id.orig_h\"']:string,\r\n ['\"id.orig_p\"']:int,\r\n ['\"id.resp_h\"']:string,\r\n ['\"id.resp_p\"']:int,\r\n ['\"proto\"']:string,\r\n ['\"trans_id\"']:int,\r\n ['\"query\"']:string,\r\n ['\"qclass\"']:int,\r\n ['\"qtype\"']:int,\r\n ['\"AA\"']:bool,\r\n ['\"TC\"']:bool,\r\n ['\"CD\"']:bool,\r\n ['\"RD\"']:bool,\r\n ['\"RA\"']:bool,\r\n ['\"Z\"']:int,\r\n ['\"rejected\"']:bool,\r\n ['\"rcode\"']:int,\r\n ['\"rcode_name\"']:string,\r\n ['\"rtt\"']:real,\r\n ) \r\n with (quote = '\"')\r\n | parse Message with * '\"answers\":' answers:string ',\"TTLs\":' TTLs:string ',\"rejected\"' *\r\n | extend \r\n EventCount=int(1),\r\n EventProduct=\"Zeek\",\r\n EventVendor=\"Corelight\",\r\n EventSchema = \"Dns\",\r\n EventSchemaVersion=\"0.1.4\",\r\n EventType=\"Query\"\r\n | project-rename\r\n EventStartTime= ['\"ts\"'],\r\n EventEndTime = 
['\"_write_ts\"'],\r\n EventOriginalUid = ['\"uid\"'],\r\n SrcIpAddr = ['\"id.orig_h\"'],\r\n SrcPortNumber = ['\"id.orig_p\"'],\r\n DstIpAddr = ['\"id.resp_h\"'],\r\n DstPortNumber = ['\"id.resp_p\"'],\r\n NetworkProtocol = ['\"proto\"'],\r\n DnsQuery = ['\"query\"'],\r\n DnsResponseCode = ['\"rcode\"'],\r\n EventResultDetails = ['\"rcode_name\"'],\r\n DnsFlagsAuthoritative = ['\"AA\"'],\r\n DnsFlagsTruncated = ['\"TC\"'],\r\n DnsFlagsRecursionDesired = ['\"RD\"'],\r\n DnsFlagsCheckingDisabled = ['\"CD\"'],\r\n DnsFlagsRecursionAvailable = ['\"RA\"'],\r\n DnsQueryClass = ['\"qclass\"'],\r\n DnsQueryType = ['\"qtype\"'],\r\n rtt = ['\"rtt\"'],\r\n Z = ['\"Z\"'],\r\n trans_id = ['\"trans_id\"'],\r\n rejected = ['\"rejected\"'],\r\n Dvc = ['\"_system_name\"']\r\n | lookup query_type_lookup on DnsQueryType\r\n | lookup class_lookup on DnsQueryClass\r\n | extend\r\n EventSubType=iff(isnull(DnsResponseCode),'request','response'),\r\n DnsNetworkDuration = toint(rtt*1000),\r\n EventResult = iff (EventResultDetails!~'NOERROR' or rejected,'Failure','Success'),\r\n DnsQueryTypeName = case (DnsQueryTypeName == \"\" and not(isnull(DnsQueryType)), strcat(\"TYPE\", DnsQueryType), DnsQueryTypeName),\r\n DnsQueryClassName = case (DnsQueryClassName == \"\" and not(isnull(DnsQueryClass)), strcat(\"CLASS\", DnsQueryClass), DnsQueryClassName),\r\n TransactionIdHex = tohex(toint(trans_id)),\r\n DnsFlagsZ = (Z != 0),\r\n DnsResponseName = tostring(pack ('answers', answers, 'ttls', TTLs)) // support of auth & addl to be added.\r\n | project-away rtt\r\n // Aliases\r\n | extend \r\n DnsResponseCodeName=EventResultDetails, \r\n Domain=DnsQuery,\r\n IpAddr=SrcIpAddr,\r\n Src=SrcIpAddr,\r\n Duration=DnsNetworkDuration,\r\n Dst=DstIpAddr\r\n | project-away Message, Z, TTLs, answers, trans_id, rejected\r\n};\r\nparser (disabled=disabled)","parameters":"disabled:bool = false","description":"DNS activity ASIM parser for Corelight 
Zeek.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"bbe046de-19c5-5557-ab27-4df676195bdb","name":"_ASim_Dns_FortinetFortiGateV01","body":"let Parser = (disabled:bool=false) {\r\n let DeviceEventClassIDLookup = datatable(EventOriginalSubType:string,EventSubType:string, EventSeverity:string, DvcAction:string, ThreatCategory:string, ThreatField:string)[\r\n \"54000\", \"request\", \"Informational\", \"\", \"\", \"\",\r\n \"54200\", \"response\", \"Low\", \"\", \"\", \"\",\r\n \"54400\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\r\n \"54401\", \"response\", \"Informational\", \"\", \"\", \"\",\r\n \"54600\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"DstIpAddr\",\r\n \"54601\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"Domain\",\r\n \"54800\", \"response\", \"Low\", \"\", \"\", \"\",\r\n \"54801\", \"response\", \"Low\", \"\", \"\", \"\",\r\n \"54802\", \"response\", \"Informational\", \"\", \"\", \"\",\r\n \"54803\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\r\n \"54804\", \"response\", \"Informational\", \"\", \"\", \"\",\r\n \"54805\", \"response\", \"Informational\", \"\", \"\", \"\",\r\n ];\r\n let EventOriginalResultDetailsLookup = datatable(EventOriginalResultDetails:string, EventResultDetails:string, EventResult:string)[\r\n \"\", \"NOERROR\", \"Success\",\r\n \"0\", \"NOERROR\", \"Success\",\r\n \"1\", \"FORMERR\", \"Failure\",\r\n \"2\", \"SERVFAIL\", \"Failure\",\r\n \"3\", \"NXDOMAIN\", \"Failure\",\r\n \"4\", \"NOTIMP\", \"Failure\",\r\n \"5\", \"REFUSED\", \"Failure\",\r\n \"6\", \"YXDOMAIN\", \"Failure\",\r\n \"7\", \"YXRRSET\", \"Failure\",\r\n \"8\", \"NXRRSET\", \"Failure\",\r\n \"9\", \"NOTAUTH\", \"Failure\",\r\n \"10\", \"NOTZONE\", \"Failure\",\r\n \"11\", \"DSOTYPENI\", \"Failure\",\r\n \"16\", \"BADVERS\", \"Failure\",\r\n \"16\", \"BADSIG\", \"Failure\",\r\n \"17\", \"BADKEY\", \"Failure\",\r\n \"18\", \"BADTIME\", \"Failure\",\r\n \"19\", 
\"BADMODE\", \"Failure\",\r\n \"20\", \"BADNAME\", \"Failure\",\r\n \"21\", \"BADALG\", \"Failure\",\r\n \"22\", \"BADTRUNC\", \"Failure\",\r\n \"23\", \"BADCOOKIE\", \"Failure\"\r\n ];\r\n let DnsQueryTypeLookup = datatable(DnsQueryType:int, DnsQueryTypeName:string)[\r\n 0, \"Reserved\",\r\n 1, \"A\",\r\n 2, \"NS\",\r\n 3, \"MD\",\r\n 4, \"MF\",\r\n 5, \"CNAME\",\r\n 6, \"SOA\",\r\n 7, \"MB\",\r\n 8, \"MG\",\r\n 9, \"MR\",\r\n 10, \"NULL\",\r\n 11, \"WKS\",\r\n 12, \"PTR\",\r\n 13, \"HINFO\",\r\n 14, \"MINFO\",\r\n 15, \"MX\",\r\n 16, \"TXT\",\r\n 17, \"RP\",\r\n 18, \"AFSDB\",\r\n 19, \"X25\",\r\n 20, \"ISDN\",\r\n 21, \"RT\",\r\n 22, \"NSAP\",\r\n 23, \"NSAP-PTR\",\r\n 24, \"SIG\",\r\n 25, \"KEY\",\r\n 26, \"PX\",\r\n 27, \"GPOS\",\r\n 28, \"AAAA\",\r\n 29, \"LOC\",\r\n 30, \"NXT\",\r\n 31, \"EID\",\r\n 32, \"NIMLOC\",\r\n 33, \"SRV\",\r\n 34, \"ATMA\",\r\n 35, \"NAPTR\",\r\n 36, \"KX\",\r\n 37, \"CERT\",\r\n 38, \"A6\",\r\n 39, \"DNAME\",\r\n 40, \"SINK\",\r\n 41, \"OPT\",\r\n 42, \"APL\",\r\n 43, \"DS\",\r\n 44, \"SSHFP\",\r\n 45, \"IPSECKEY\",\r\n 46, \"RRSIG\",\r\n 47, \"NSEC\",\r\n 48, \"DNSKEY\",\r\n 49, \"DHCID\",\r\n 50, \"NSEC3\",\r\n 51, \"NSEC3PARAM\",\r\n 52, \"TLSA\",\r\n 53, \"SMIMEA\",\r\n 55, \"HIP\",\r\n 56, \"NINFO\",\r\n 57, \"RKEY\",\r\n 58, \"TALINK\",\r\n 59, \"CDS\",\r\n 60, \"CDNSKEY\",\r\n 61, \"OPENPGPKEY\",\r\n 62, \"CSYNC\",\r\n 63, \"ZONEMD\",\r\n 64, \"SVCB\",\r\n 65, \"HTTPS\",\r\n 99, \"SPF\",\r\n 100, \"UINFO\",\r\n 101, \"UID\",\r\n 102, \"GID\",\r\n 103, \"UNSPEC\",\r\n 104, \"NID\",\r\n 105, \"L32\",\r\n 106, \"L64\",\r\n 107, \"LP\",\r\n 108, \"EUI48\",\r\n 109, \"EUI64\",\r\n 249, \"TKEY\",\r\n 250, \"TSIG\",\r\n 251, \"IXFR\",\r\n 252, \"AXFR\",\r\n 253, \"MAILB\",\r\n 254, \"MAILA\",\r\n 255, \"*\",\r\n 256, \"URI\",\r\n 257, \"CAA\",\r\n 258, \"AVC\",\r\n 259, \"DOA\",\r\n 32768, \"TA\",\r\n 32769, \"DLV\"\r\n ];\r\n CommonSecurityLog\r\n | where not(disabled)\r\n | where DeviceVendor == \"Fortinet\" and DeviceProduct 
startswith \"Fortigate\"\r\n | where DeviceEventClassID endswith \"54000\" or \r\n DeviceEventClassID endswith \"54200\" or \r\n DeviceEventClassID endswith \"54400\" or \r\n DeviceEventClassID endswith \"54401\" or \r\n DeviceEventClassID endswith \"54600\" or \r\n DeviceEventClassID endswith \"54601\" or \r\n DeviceEventClassID endswith \"54800\" or \r\n DeviceEventClassID endswith \"54801\" or \r\n DeviceEventClassID endswith \"54802\" or \r\n DeviceEventClassID endswith \"54803\" or \r\n DeviceEventClassID endswith \"54804\" or \r\n DeviceEventClassID endswith \"54805\"\r\n | extend EventOriginalSubType = case(\r\n DeviceEventClassID endswith \"54000\", \"54000\",\r\n DeviceEventClassID endswith \"54200\", \"54200\",\r\n DeviceEventClassID endswith \"54400\", \"54400\",\r\n DeviceEventClassID endswith \"54401\", \"54401\",\r\n DeviceEventClassID endswith \"54600\", \"54600\",\r\n DeviceEventClassID endswith \"54601\", \"54601\",\r\n DeviceEventClassID endswith \"54800\", \"54800\",\r\n DeviceEventClassID endswith \"54801\", \"54801\",\r\n DeviceEventClassID endswith \"54802\", \"54802\",\r\n DeviceEventClassID endswith \"54803\", \"54803\",\r\n DeviceEventClassID endswith \"54804\", \"54804\",\r\n DeviceEventClassID endswith \"54805\", \"54805\",\r\n DeviceEventClassID\r\n )\r\n | project TimeGenerated, EventOriginalSubType, AdditionalExtensions, EventUid = _ItemId, EventOriginalSeverity = LogSeverity, EventProductVersion = DeviceVersion ,Computer, Type, SrcIpAddr = SourceIP, SrcPortNumber = SourcePort, DstIpAddr = DestinationIP, DstPortNumber = DestinationPort, EventMessage = Message, NetworkProtocolNumber = Protocol, DvcId = DeviceExternalID, DnsSessionId = ExtID\r\n | lookup DeviceEventClassIDLookup on EventOriginalSubType\r\n | parse-kv AdditionalExtensions as (\r\n // FTNTFGT format for FortiGate\r\n FTNTFGTlogid:string, \r\n FTNTFGTsubtype:string, \r\n FTNTFGTsrccountry:string, \r\n FTNTFGTdstcountry:string,\r\n FTNTFGTsrcintfrole:string, \r\n 
FTNTFGTrcode:string, \r\n FTNTFGTqname:string, \r\n FTNTFGTqtype:string, \r\n FTNTFGTxid:string, \r\n FTNTFGTqtypeval:int, \r\n FTNTFGTqclass:string, \r\n FTNTFGTcatdesc:string, \r\n FTNTFGTipaddr:string, \r\n FTNTFGTunauthuser:string, \r\n FTNTFGTuser:string, \r\n FTNTFGTbotnetip:string,\r\n // Simple format for FortiAnalyzer\r\n logid:string, \r\n subtype:string, \r\n srccountry:string, \r\n dstcountry:string,\r\n srcintfrole:string, \r\n rcode:string, \r\n qname:string, \r\n qtype:string, \r\n xid:string, \r\n qtypeval:int, \r\n qclass:string, \r\n catdesc:string, \r\n ipaddr:string, \r\n unauthuser:string, \r\n user:string, \r\n botnetip:string,\r\n // Additional fields\r\n sessionid:int\r\n ) with (pair_delimiter=\";\", kv_delimiter=\"=\")\r\n | extend \r\n EventOriginalResultDetails = coalesce(FTNTFGTrcode, rcode),\r\n EventOriginalUid = coalesce(FTNTFGTlogid, logid),\r\n DvcZone = coalesce(FTNTFGTsrcintfrole, srcintfrole),\r\n EventOriginalType = coalesce(FTNTFGTsubtype, subtype),\r\n SrcGeoCountry = coalesce(FTNTFGTsrccountry, srccountry),\r\n DstGeoCountry = coalesce(FTNTFGTdstcountry, dstcountry),\r\n DnsQuery = coalesce(FTNTFGTqname, qname),\r\n DnsQueryTypeName = coalesce(FTNTFGTqtype, qtype),\r\n TransactionIdHex = coalesce(FTNTFGTxid, xid),\r\n DnsQueryClass = coalesce(FTNTFGTqtypeval, qtypeval),\r\n DnsQueryClassName = coalesce(FTNTFGTqclass, qclass),\r\n UrlCategory = coalesce(FTNTFGTcatdesc, catdesc),\r\n DnsResponseName = coalesce(FTNTFGTipaddr, ipaddr),\r\n ThreatIpAddr = coalesce(FTNTFGTbotnetip, botnetip),\r\n User1 = coalesce(FTNTFGTuser, user),\r\n UnauthUser1 = coalesce(FTNTFGTunauthuser, unauthuser)\r\n | extend \r\n DnsQueryTypeName = case(\r\n DnsQueryTypeName == \"Unknown\",\"\",\r\n DnsQueryTypeName\r\n )\r\n | lookup EventOriginalResultDetailsLookup on EventOriginalResultDetails\r\n | lookup DnsQueryTypeLookup on DnsQueryTypeName\r\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\r\n | invoke 
_ASIM_ResolveNetworkProtocol(\"NetworkProtocolNumber\")\r\n | extend \r\n SrcUsername = coalesce(User1, UnauthUser1),\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Dvc = DvcHostname,\r\n DnsResponseCodeName = EventResultDetails,\r\n EventType = \"Query\",\r\n EventSchemaVersion = \"0.1.7\",\r\n EventSchema = \"Dns\",\r\n EventCount = int(1),\r\n EventEndTime = TimeGenerated,\r\n EventStartTime = TimeGenerated,\r\n EventVendor = \"Fortinet\",\r\n EventProduct = \"FortiGate\",\r\n Domain = DnsQuery,\r\n DomainCategory = UrlCategory,\r\n SessionId = DnsSessionId,\r\n DvcIdType = \"Other\"\r\n | extend \r\n User = SrcUsername,\r\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\r\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\r\n | project-away FTNTFGT*, logid, subtype, srccountry, dstcountry, srcintfrole, rcode,\r\n qname, qtype, xid, qtypeval, qclass, catdesc, ipaddr, unauthuser, user, botnetip, sessionid,\r\n User1, UnauthUser1, AdditionalExtensions, Computer, NetworkProtocolNumber\r\n};\r\nParser(\r\n disabled = disabled\r\n)\r\n","parameters":"disabled:bool = false","description":"DNS activity ASIM parser for Fortinet FortiGate.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"1d6a9420-068e-53fb-b07d-84a46dcba3e9","name":"_ASim_Dns_GcpV03","body":"// https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry\r\nlet GCPSeverityTable=datatable(severity_s:string,EventSeverity:string)\r\n[\"DEFAULT\",\"Informational\",\r\n\"DEBUG\",\"Informational\",\r\n\"INFO\",\"Informational\",\r\n\"NOTICE\",\"Medium\",\r\n\"WARNING\",\"Medium\",\r\n\"ERROR\",\"High\",\r\n\"CRITICAL\",\"High\",\r\n\"ALERT\",\"High\",\r\n\"EMERGENCY\",\"High\"\r\n];\r\nlet DNSQuery_GcpDns=(disabled:bool=false){\r\n GCP_DNS_CL | where not(disabled)\r\n | where resource_type_s == \"dns_query\"\r\n | lookup GCPSeverityTable on severity_s\r\n | project-rename\r\n 
DnsQueryTypeName=payload_queryType_s,\r\n DnsResponseName=payload_rdata_s, \r\n EventResultDetails=payload_responseCode_s,\r\n NetworkProtocol=payload_protocol_s, \r\n SrcIpAddr=payload_sourceIP_s,\r\n EventOriginalUid=insert_id_s,\r\n EventOriginalSeverity=severity_s \r\n | extend\r\n DnsQuery=trim_end(@'\\.',payload_queryName_s), \r\n EventCount=int(1),\r\n EventProduct='Cloud DNS',\r\n EventVendor='GCP',\r\n EventSchema = 'Dns',\r\n EventSchemaVersion=\"0.1.3\",\r\n Dvc=\"GCPDNS\" ,\r\n EventType = iif (resource_type_s == \"dns_query\", \"Query\", resource_type_s),\r\n EventResult=iff(EventResultDetails=~'NOERROR','Success','Failure'),\r\n EventSubType='response',\r\n EventEndTime=todatetime(timestamp_t)\r\n | extend\r\n EventStartTime = EventEndTime,\r\n EventResult = iff (EventResultDetails=~'NOERROR','Success','Failure')\r\n // -- Aliases\r\n | extend \r\n DnsResponseCodeName=EventResultDetails, \r\n Domain=DnsQuery,\r\n IpAddr=SrcIpAddr,\r\n Src=SrcIpAddr\r\n // Backward Computability\r\n | extend\r\n Query=DnsQuery,\r\n ResponseCodeName=DnsResponseCodeName,\r\n QueryTypeName=DnsQueryTypeName\r\n };\r\n DNSQuery_GcpDns(disabled)\r\n","parameters":"disabled:bool = false","displayName":"DNS Parser for GCP V03","description":"DNS activity ASIM parser for GCP.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"37684ffa-7f8f-5053-b9e8-589618aabde4","name":"_ASim_Dns_GcpV04","body":"// https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry\r\nlet GCPSeverityTable=datatable(severity_s:string,EventSeverity:string)\r\n[\"DEFAULT\",\"Informational\",\r\n\"DEBUG\",\"Informational\",\r\n\"INFO\",\"Informational\",\r\n\"NOTICE\",\"Medium\",\r\n\"WARNING\",\"Medium\",\r\n\"ERROR\",\"High\",\r\n\"CRITICAL\",\"High\",\r\n\"ALERT\",\"High\",\r\n\"EMERGENCY\",\"High\"\r\n];\r\nlet DNSQuery_GcpDns=(disabled:bool=false){\r\n GCP_DNS_CL | where not(disabled)\r\n | project-away MG, ManagementGroupName, 
RawData, SourceSystem, Computer\r\n | where resource_type_s == \"dns_query\"\r\n | lookup GCPSeverityTable on severity_s\r\n | project-rename\r\n DnsQueryTypeName=payload_queryType_s,\r\n DnsResponseName=payload_rdata_s, \r\n EventResultDetails=payload_responseCode_s,\r\n NetworkProtocol=payload_protocol_s, \r\n SrcIpAddr=payload_sourceIP_s,\r\n EventOriginalUid=insert_id_s,\r\n EventOriginalSeverity=severity_s \r\n | extend\r\n DnsQuery=trim_end(@'\\.',payload_queryName_s), \r\n EventCount=int(1),\r\n EventProduct='Cloud DNS',\r\n EventVendor='GCP',\r\n EventSchema = 'Dns',\r\n EventSchemaVersion=\"0.1.3\",\r\n Dvc=\"GCPDNS\" ,\r\n EventType = iif (resource_type_s == \"dns_query\", \"Query\", resource_type_s),\r\n EventResult=iff(EventResultDetails=~'NOERROR','Success','Failure'),\r\n EventSubType='response',\r\n EventEndTime=todatetime(timestamp_t)\r\n | extend\r\n EventStartTime = EventEndTime,\r\n EventResult = iff (EventResultDetails=~'NOERROR','Success','Failure')\r\n // -- Aliases\r\n | extend \r\n DnsResponseCodeName=EventResultDetails, \r\n Domain=DnsQuery,\r\n IpAddr=SrcIpAddr,\r\n Src=SrcIpAddr\r\n // Backward Computability\r\n | project-away *_s, *_d, *_b, *_t\r\n };\r\n DNSQuery_GcpDns(disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"DNS activity ASIM parser for GCP.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"3f54a213-5941-52f2-81da-ec2ddd8037d8","name":"_ASim_Dns_InfobloxBloxOneV01","body":"let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string) [ \"0\", \"Low\", \"1\", \"Low\", \"2\", \"Low\", \"3\", \"Low\", \"4\", \"Medium\", \"5\", \"Medium\", \"6\", \"Medium\", \"7\", \"High\", \"8\", \"High\", \"9\", \"High\", \"10\", \"High\" ]; let DnsQueryTypeLookup = datatable(DnsQueryTypeName:string, DnsQueryType:int) [ \"A\", 1, \"NS\", 2, \"MD\", 3, \"MF\", 4, \"CNAME\", 5, \"SOA\", 6, \"MB\", 7, \"MG\", 8, \"MR\", 9, \"NULL\", 10, 
\"WKS\", 11, \"PTR\", 12, \"HINFO\", 13, \"MINFO\", 14, \"MX\", 15, \"TXT\", 16, \"RP\", 17, \"AFSDB\", 18, \"X25\", 19, \"ISDN\", 20, \"RT\", 21, \"NSAP\", 22, \"NSAPPTR\", 23, \"SIG\", 24, \"KEY\", 25, \"PX\", 26, \"GPOS\", 27, \"AAAA\", 28, \"LOC\", 29, \"NXT\", 30, \"EID\", 31, \"NIMLOC\", 32, \"SRV\", 33, \"ATMA\", 34, \"NAPTR\", 35, \"KX\", 36, \"CERT\", 37, \"A6\", 38, \"DNAME\", 39, \"SINK\", 40, \"OPT\", 41, \"APL\", 42, \"DS\", 43, \"SSHFP\", 44, \"IPSECKEY\", 45, \"RRSIG\", 46, \"NSEC\", 47, \"DNSKEY\", 48, \"DHCID\", 49, \"NSEC3\", 50, \"NSEC3PARAM\", 51, \"TLSA\", 52, \"SMIMEA\", 53, \"HIP\", 55, \"NINFO\", 56, \"RKEY\", 57, \"TALINK\", 58, \"CDS\", 59, \"CDNSKEY\", 60, \"OPENPGPKEY\", 61, \"CSYNC\", 62, \"ZONEMD\", 63, \"SVCB\", 64, \"HTTPS\", 65, \"SPF\", 99, \"UINFO\", 100, \"UID\", 101, \"GID\", 102, \"UNSPEC\", 103, \"TKEY\", 249, \"TSIG\", 250, \"IXFR\", 251, \"MAILB\", 253, \"MAILA\", 254, \"ANY\", 255, \"URI\", 256, \"CAA\", 257, \"TA\", 32768, \"DLV\", 32769 ]; let DnsResponseCodeLookup = datatable(EventResultDetails:string, DnsResponseCode:int) [ \"NOERROR\", 0, \"FORMERR\", 1, \"SERVFAIL\", 2, \"NXDOMAIN\", 3, \"NOTIMPL\", 4, \"REFUSED\", 5, \"YXDOMAIN\", 6, \"YXRRSET\", 7, \"NXRRSET\", 8, \"NOTAUTH\", 9, \"NOTZONE\", 10, \"DSOTYPENI\", 11, \"RESERVED12\", 12, \"RESERVED13\", 13, \"RESERVED14\", 14, \"RESERVED15\", 15, \"BADVERS\", 16, \"BADKEY\", 17, \"BADTIME\", 18, \"BADMODE\", 19, \"BADNAME\", 20, \"BADALG\", 21, \"BADTRUNC\", 22, \"BADCOOKIE\", 23, ]; let parser = (disabled:bool=false) { CommonSecurityLog | where not(disabled) and DeviceVendor == \"Infoblox\" and DeviceEventClassID has \"DNS\" | parse-kv AdditionalExtensions as (InfobloxDNSRCode:string, InfobloxDNSQType:string, InfobloxDNSQFlags:string) with (pair_delimiter=\";\", kv_delimiter=\"=\") | project-rename EventResultDetails = InfobloxDNSRCode, DnsQueryTypeName = InfobloxDNSQType, DnsFlags = InfobloxDNSQFlags | extend DnsQueryTypeName = tostring(split(DnsQueryTypeName, ' 
')[0]) | lookup EventSeverityLookup on LogSeverity | lookup DnsQueryTypeLookup on DnsQueryTypeName | lookup DnsResponseCodeLookup on EventResultDetails | invoke _ASIM_ResolveDvcFQDN('DeviceName') | project-rename DnsQuery = DestinationDnsDomain, DvcIpAddr = DeviceAddress, SrcIpAddr = SourceIP, EventMessage = Message, EventOriginalSeverity = LogSeverity, EventOriginalType = DeviceEventClassID, SrcUsername = SourceUserName, SrcPortNumber = SourcePort, EventUid = _ItemId | extend Dvc = coalesce(DvcHostname, DvcIpAddr), EventEndTime = TimeGenerated, EventResult = iff(EventResultDetails == \"NOERROR\", \"Success\", \"Failure\"), DnsQuery = iff(substring(DnsQuery, strlen(DnsQuery) - 1, 1) == \".\", substring(DnsQuery, 0, strlen(DnsQuery) - 1), DnsQuery), EventStartTime = TimeGenerated, Src = SrcIpAddr, SrcUsernameType = _ASIM_GetUsernameType(SrcUsername), DnsResponseCodeName = EventResultDetails, IpAddr = SrcIpAddr, User = SrcUsername | extend Domain = DnsQuery | extend EventCount = toint(1), EventSchema = \"Dns\", EventSchemaVersion = \"0.1.7\", EventProduct = \"BloxOne\", EventVendor = \"Infoblox\", EventType = \"Query\", DnsQueryClass = toint(1), DnsQueryClassName = \"IN\" | project-away Source*, Destination*, Device*, AdditionalExtensions, CommunicationDirection, EventOutcome, Protocol, SimplifiedDeviceAction, ExternalID, EndTime, FieldDevice*, Flex*, File*, Old*, MaliciousIP*, OriginalLogSeverity, Process*, ReceivedBytes, SentBytes, Remote*, Request*, StartTime, TenantId, ReportReferenceLink, ReceiptTime, Indicator*, _ResourceId, ThreatConfidence, ThreatDescription, ThreatSeverity, Computer, ApplicationProtocol, ExtID, Reason }; parser(disabled=disabled)","parameters":"disabled:bool = false","description":"Dns ASIM parser for Infoblox BloxOne.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"06afff4c-4b38-54c4-a744-56e63428e412","name":"_ASim_Dns_InfobloxNIOSV03","body":"let 
Sources_by_SourceType=(sourcetype:string){_GetWatchlist('ASimSourceType') | where SearchKey == tostring(sourcetype) | extend Source=column_ifexists('Source','') | where isnotempty(Source)| distinct Source };\r\nlet Infoblox=(disabled:bool=false){\r\n let RawData = Syslog | where not(disabled) | where ProcessName == \"named\" and SyslogMessage has \"client\"\r\n | where Computer in (Sources_by_SourceType('InfobloxNIOS'))\r\n | extend Parser = extract_all(@\"^(\\d{2}\\-[a-zA-Z]{3}\\-\\d{4}\\s[0-9\\.\\:]+)?\\s?([a-zA-Z-_]+)(\\s|\\:)?(.*)\", dynamic([1,2,3,4]), SyslogMessage)[0]\r\n | extend ResponseTime = todatetime(Parser[0]),\r\n Log_Type = tostring(Parser[1]),\r\n RawData_subString = tostring(Parser[3])\r\n | where Log_Type == \"client\"\r\n | project-away Parser;\r\n RawData \r\n | extend dnsdata=tostring(extract_all(@\"^(\\d{2}\\-[a-zA-Z]{3}\\-\\d{4}\\s[0-9\\.\\:]+)?\\s?([a-zA-Z-_]+)(\\s|\\:)?(.*)\", dynamic([1,2,3,4]), SyslogMessage)[0][3])\r\n | extend EventSubType=iff(dnsdata has \"response:\", \"response\", \"request\")\r\n | extend dnsclient=iff(EventSubType==\"response\"\r\n //#port : [view: DNS view] query: response: [; [;] ...]\r\n , extract_all(@\"^(\\@[a-z0-9]+\\s)?([0-9\\.]+)\\#(\\d+):? (UDP|TCP):? (view: DNS view)?query: (\\S+) ([A-Z]+) (\\S+) response:? ([A-Z]+) (\\S+)(([^;]+;\\s*)*)\",dnsdata)[0]\r\n //# query: [SETDC] \r\n , extract_all(@\"^(\\@[a-z0-9]+\\s)?([0-9\\.]+)\\#(\\d+):? 
query: (\\S+) (\\S+) (\\S+) ([+-]) \\(([0-9.]+)\\)\",dnsdata)[0])\r\n | project-away SyslogMessage\r\n | extend\r\n // ******************* Mandatory\r\n EventCount=int(1),\r\n EventStartTime=todatetime(TimeGenerated),\r\n EventEndTime=todatetime(TimeGenerated),\r\n EventProduct=\"NIOS\",\r\n EventVendor=\"Infoblox\",\r\n EventSchema=\"Dns\",\r\n EventSchemaVersion=\"0.1.3\",\r\n EventType=\"Query\", \r\n EventResult=iff(EventSubType==\"request\" or tostring(dnsclient[8])==\"NOERROR\",\"Success\",\"Failure\"),\r\n EventResultDetails=iff (EventSubType==\"response\",tostring(dnsclient[8]),\"\"),\r\n // TimeGenerated, // not handled by schema, but we need to preserve it\r\n SrcIpAddr = tostring(dnsclient[1]),\r\n EventSubType=iff(dnsclient has \"response:\", \"response\",\"request\"), \r\n // \r\n SrcPortNumber = toint(dnsclient[2]),\r\n NetworkProtocol = iff (EventSubType==\"response\", tostring(dnsclient[3]),\"\"), \r\n DnsQuery = iff (EventSubType==\"response\",tostring(dnsclient[5]), tostring(dnsclient[3])),\r\n DnsQueryClassName = iff (EventSubType==\"response\",tostring(dnsclient[6]),tostring(dnsclient[4])),\r\n DnsQueryTypeName = iff (EventSubType==\"response\",tostring(dnsclient[7]),tostring(dnsclient[5])),\r\n DnsResponseCodeName = iff (EventSubType==\"response\",tostring(dnsclient[8]),\"\"),\r\n DnsFlags =iff (EventSubType==\"response\", tostring(dnsclient[9]),tostring(dnsclient[6])),\r\n // \r\n DnsResponseName = iff (EventSubType==\"response\",tostring(dnsclient[-2]),\"\"),\r\n DstIpAddr=iff(EventSubType==\"response\",\"\",dnsclient[-1])\r\n | project-rename\r\n // * Added in version 0.1.1\r\n DvcHostname=Computer\r\n , DvcIpAddr=HostIP\r\n // *\r\n // **************Aliases\r\n | extend\r\n Dvc=DvcHostname,\r\n Domain=DnsQuery,\r\n IpAddr=SrcIpAddr,\r\n Src=SrcIpAddr,\r\n Dst=DstIpAddr,\r\n // Backward Compatibility\r\n Query=DnsQuery\r\n , QueryTypeName=DnsQueryTypeName\r\n , ResponseCodeName=DnsResponseCodeName\r\n , QueryClassName=DnsQueryClassName\r\n , 
Flags=DnsFlags\r\n };\r\n Infoblox(disabled)","parameters":"disabled:bool = false","displayName":"DNS Parser for Infoblox NIOS V03","description":"DNS activity ASIM parser for Infoblox NIOS.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"764d1d4f-0832-57bc-b6fb-67ca754c1866","name":"_ASim_Dns_InfobloxNIOSV05","body":"let response = (disabled: boolean=false) {\r\n Syslog\r\n | where not(disabled)\r\n | where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\", \"response:\")\r\n | parse SyslogMessage with *\r\n \"client \" SrcIpAddr: string\r\n \"#\" SrcPortNumber: int\r\n \" \" NetworkProtocol: string\r\n \": query: \" DnsQuery: string\r\n \" \" DnsQueryClassName: string\r\n \" \" DnsQueryTypeName: string\r\n \" response: \" DnsResponseCodeName: string\r\n \" \" DnsFlags: string\r\n | extend DnsResponseNameIndex= indexof(DnsFlags, \" \")\r\n | extend DnsResponseName =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, DnsResponseNameIndex+1), \"\")\r\n | extend DnsFlags =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, 0, DnsResponseNameIndex), DnsFlags)\r\n | extend EventSubType = \"response\"\r\n | project-away DnsResponseNameIndex,SyslogMessage, ProcessName, ProcessID, Facility, SeverityLevel, HostName\r\n };\r\n let request = (disabled: boolean=false) {\r\n Syslog \r\n | where not(disabled)\r\n | where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\r\n | extend SyslogMessage = (split(SyslogMessage,\"client \"))[1]\r\n | extend SyslogMessage = iif(SyslogMessage startswith \"@\", (substring(SyslogMessage, indexof(SyslogMessage, \" \")+1)), SyslogMessage)\r\n | extend SyslogMessage = replace_string(SyslogMessage,\"\\\\ \",\"@@@\")\r\n | parse SyslogMessage with \r\n SrcIpAddr: string\r\n \"#\" SrcPortNumber: int *\r\n \"query: \" DnsQuery: string\r\n \" \" DnsQueryClassName: string\r\n \" \" 
DnsQueryTypeName: string\r\n \" \" DnsFlags: string\r\n | extend DnsQuery = replace_string (DnsQuery, '@@@', ' ')\r\n | extend DnsFlags= tostring((split(DnsFlags,\" \"))[0])\r\n | extend \r\n EventSubType = \"request\",\r\n DnsResponseCodeName = \"NA\"\r\n | project-away SyslogMessage, ProcessName, ProcessID, Facility, SeverityLevel, HostName\r\n };\r\n let parser = (disabled:boolean=false) {\r\n union response (disabled), request (disabled)\r\n | extend\r\n EventCount=int(1),\r\n EventStartTime=todatetime(TimeGenerated),\r\n EventEndTime=todatetime(TimeGenerated),\r\n EventProduct=\"NIOS\",\r\n EventVendor=\"Infoblox\",\r\n EventSchema=\"Dns\",\r\n EventSchemaVersion=\"0.1.3\",\r\n EventType=\"Query\", \r\n EventResult=iff(EventSubType==\"request\" or DnsResponseCodeName==\"NOERROR\",\"Success\",\"Failure\"),\r\n DvcIpAddr=iff (HostIP == \"Unknown IP\", \"\", HostIP)\r\n // -- Aliases\r\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\r\n | project-away Computer\r\n | extend\r\n Dvc=DvcHostname,\r\n Domain=DnsQuery,\r\n IpAddr=SrcIpAddr,\r\n Src=SrcIpAddr,\r\n EventResultDetails = DnsResponseCodeName\r\n // -- Backward Compatibility\r\n | extend\r\n Query=DnsQuery,\r\n QueryTypeName=DnsQueryTypeName,\r\n ResponseCodeName=DnsResponseCodeName,\r\n QueryClassName=DnsQueryClassName,\r\n Flags=DnsFlags\r\n };\r\n parser (disabled)","parameters":"disabled:bool = false","displayName":"DNS Parser for Infoblox NIOS V05","description":"DNS activity ASIM parser for Infoblox NIOS.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"355c44cb-79ef-53dd-8cf2-d942d8021c69","name":"_ASim_Dns_InfobloxNIOSV06","body":"let SyslogProjected = Syslog | project SyslogMessage, ProcessName, TimeGenerated, Computer, HostIP;\r\nlet response = (disabled: boolean=false) {\r\n SyslogProjected\r\n | where not(disabled)\r\n | where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\", \"response:\")\r\n | parse 
SyslogMessage with *\r\n \"client \" SrcIpAddr: string\r\n \"#\" SrcPortNumber: string\r\n \" \" NetworkProtocol: string\r\n \": query: \" DnsQuery: string\r\n \" \" DnsQueryClassName: string\r\n \" \" DnsQueryTypeName: string\r\n \" response: \" DnsResponseCodeName: string\r\n \" \" DnsFlags: string\r\n | extend DnsResponseNameIndex= indexof(DnsFlags, \" \")\r\n | extend DnsResponseName =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, DnsResponseNameIndex+1), \"\")\r\n | extend DnsFlags =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, 0, DnsResponseNameIndex), DnsFlags)\r\n | extend SrcPortNumber = iif(SrcPortNumber has ':',replace_string(SrcPortNumber,':',''),SrcPortNumber)\r\n | extend SrcPortNumber = toint(SrcPortNumber)\r\n | extend EventSubType = \"response\"\r\n | project-away SyslogMessage, ProcessName, DnsResponseNameIndex\r\n };\r\n let request = (disabled: boolean=false) {\r\n SyslogProjected \r\n | where not(disabled)\r\n | where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\r\n | extend SyslogMessage = (split(SyslogMessage,\"client \"))[1]\r\n | extend SyslogMessage = iif(SyslogMessage startswith \"@\", (substring(SyslogMessage, indexof(SyslogMessage, \" \")+1)), SyslogMessage)\r\n | extend SyslogMessage = replace_string(SyslogMessage,\"\\\\ \",\"@@@\")\r\n | parse SyslogMessage with \r\n SrcIpAddr: string\r\n \"#\" SrcPortNumber: int *\r\n \"query: \" DnsQuery: string\r\n \" \" DnsQueryClassName: string\r\n \" \" DnsQueryTypeName: string\r\n \" \" DnsFlags: string\r\n | extend DnsQuery = replace_string (DnsQuery, '@@@', ' ')\r\n | extend DnsFlags= tostring((split(DnsFlags,\" \"))[0])\r\n | extend \r\n EventSubType = \"request\",\r\n DnsResponseCodeName = \"NA\"\r\n | project-away SyslogMessage, ProcessName\r\n };\r\n let parser = (disabled:boolean=false) {\r\n union response (disabled), request (disabled)\r\n | extend\r\n EventCount=int(1),\r\n 
EventStartTime=todatetime(TimeGenerated),\r\n EventEndTime=todatetime(TimeGenerated),\r\n EventProduct=\"NIOS\",\r\n EventVendor=\"Infoblox\",\r\n EventSchema=\"Dns\",\r\n EventSchemaVersion=\"0.1.3\",\r\n EventType=\"Query\", \r\n EventResult=iff(EventSubType==\"request\" or DnsResponseCodeName==\"NOERROR\",\"Success\",\"Failure\"),\r\n DvcIpAddr=iff (HostIP == \"Unknown IP\", \"\", HostIP)\r\n // -- Aliases\r\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\r\n | project-away Computer\r\n | extend\r\n Dvc=DvcHostname,\r\n Domain=DnsQuery,\r\n IpAddr=SrcIpAddr,\r\n Src=SrcIpAddr,\r\n EventResultDetails = DnsResponseCodeName\r\n | project-away HostIP\r\n };\r\n parser (disabled)","parameters":"disabled:bool = false","description":"DNS activity ASIM parser for Infoblox NIOS.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"7ba58875-d3d2-5a57-8b33-7a1653f5ad48","name":"_ASim_Dns_MicrosoftNXlogV03","body":"let ASimDnsMicrosoftNXLog = (disabled:bool=false) {\r\nlet EventTypeTable=datatable(EventOriginalType:real,EventType:string)[\r\n 256, 'Query'\r\n , 257, 'Query'\r\n , 258, 'Query'\r\n , 259, 'Query'\r\n , 260, 'Query'\r\n , 261, 'Query'\r\n , 262, 'Query'\r\n , 263, 'Dynamic update'\r\n , 264, 'Dynamic update'\r\n , 265, 'Zone XFR'\r\n , 266, 'Zone XFR'\r\n , 267, 'Zone XFR'\r\n , 268, 'Zone XFR'\r\n , 269, 'Zone XFR'\r\n , 270, 'Zone XFR'\r\n , 271, 'Zone XFR'\r\n , 272, 'Zone XFR'\r\n , 273, 'Zone XFR'\r\n , 274, 'Zone XFR'\r\n , 275, 'Zone XFR'\r\n , 276, 'Zone XFR'\r\n , 277, 'Dynamic update'\r\n , 278, 'Dynamic update'\r\n , 279, 'Query'\r\n , 280, 'Query'\r\n];\r\nlet EventSubTypeTable=datatable(EventOriginalType:real,EventSubType:string)[\r\n 256, 'request'\r\n, 257, 'response'\r\n, 258, 'response'\r\n, 259, 'response'\r\n, 260, 'request'\r\n, 261, 'response'\r\n, 262, 'response'\r\n, 263, 'request'\r\n, 264, 'response'\r\n, 265, 'request'\r\n, 266, 'request'\r\n, 267, 'response'\r\n, 268, 
'response'\r\n, 269, 'request'\r\n, 270, 'request'\r\n, 271, 'response'\r\n, 272, 'response'\r\n, 273, 'request'\r\n, 274, 'request'\r\n, 275, 'response'\r\n, 276, 'response'\r\n, 277, 'request'\r\n, 278, 'response'\r\n, 279, 'response'\r\n, 280, 'response'\r\n];\r\nlet EventResultTable=datatable(EventOriginalType:real,EventResult:string)[\r\n 256, 'NA'\r\n , 257, 'Success'\r\n , 258, 'Failure'\r\n , 259, 'Failure'\r\n , 260, 'NA'\r\n , 261, 'NA'\r\n , 262, 'Failure'\r\n , 263, 'NA'\r\n , 264, 'Based on RCODE'\r\n , 265, 'NA'\r\n , 266, 'NA'\r\n , 267, 'Based on RCODE'\r\n , 268, 'Based on RCODE'\r\n , 269, 'NA'\r\n , 270, 'NA'\r\n , 271, 'Based on RCODE'\r\n , 272, 'Based on RCODE'\r\n , 273, 'NA'\r\n , 274, 'NA'\r\n , 275, 'Success'\r\n , 276, 'Success'\r\n , 277, 'NA'\r\n , 278, 'Based on RCODE'\r\n , 279, 'NA'\r\n , 280, 'NA'\r\n];\r\nlet RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[\r\n 0,'NOERROR'\r\n , 1,'FORMERR'\r\n , 2,'SERVFAIL'\r\n , 3,'NXDOMAIN'\r\n , 4,'NOTIMP'\r\n , 5,'REFUSED'\r\n , 6,'YXDOMAIN'\r\n , 7,'YXRRSET'\r\n , 8,'NXRRSET'\r\n , 9,'NOTAUTH'\r\n , 10,'NOTZONE'\r\n , 11,'DSOTYPENI'\r\n , 16,'BADVERS'\r\n , 16,'BADSIG'\r\n , 17,'BADKEY'\r\n , 18,'BADTIME'\r\n , 19,'BADMODE'\r\n , 20,'BADNAME'\r\n , 21,'BADALG'\r\n , 22,'BADTRUNC'\r\n , 23,'BADCOOKIE'\r\n];\r\nlet QTypeTable=datatable(DnsQueryType:int,QTypeName:string)[\r\n 0, 'Reserved'\r\n , 1, 'A'\r\n , 2, 'NS'\r\n , 3, 'MD'\r\n , 4, 'MF'\r\n , 5, 'CNAME'\r\n , 6, 'SOA'\r\n , 7, 'MB'\r\n , 8 ,'MG'\r\n , 9 ,'MR'\r\n , 10,'NULL'\r\n , 11,'WKS'\r\n , 12,'PTR'\r\n , 13,'HINFO'\r\n , 14,'MINFO'\r\n , 15,'MX'\r\n , 16,'TXT'\r\n , 17,'RP'\r\n , 18,'AFSDB'\r\n , 19,'X25'\r\n , 20,'ISDN'\r\n , 21,'RT'\r\n , 22,'NSAP'\r\n , 23,'NSAP-PTR'\r\n , 24,'SIG'\r\n , 25,'KEY'\r\n , 26,'PX'\r\n , 27,'GPOS'\r\n , 28,'AAAA'\r\n , 29,'LOC'\r\n , 30,'NXT'\r\n , 31,'EID'\r\n , 32,'NIMLOC'\r\n , 33,'SRV'\r\n];\r\nNXLog_DNS_Server_CL | where not(disabled)\r\n| where EventID_d ' RuleName:string '' 
\r\n '' EventEndTime:datetime ''\r\n '{' SrcProcessGuid:string '}'\r\n '' SrcProcessId:string ''\r\n '' DnsQuery:string ''\r\n '' DnsResponseCode:int ''\r\n '' DnsResponseName:string ''\r\n '' Process:string ''\r\n '' SrcProcessName:string ''\r\n | parse EventData with * ''SrcUsername:string '' *\r\n | project-away EventData\r\n};\r\nlet ParsedDnsEvent_WindowsEvent =(disabled:bool=false) {\r\n WindowsEvent | where not(disabled)\r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider // , _ItemId \r\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 22\r\n | project-away Provider, EventID \r\n | extend \r\n RuleName = tostring(EventData.RuleName),\r\n EventEndTime = todatetime(EventData.UtcTime),\r\n SrcProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\r\n SrcProcessId = tostring(EventData.ProcessId), \r\n DnsQuery = tostring(EventData.QueryName),\r\n DnsResponseCode = toint(EventData.QueryStatus),\r\n DnsResponseName = tostring(EventData.QueryResults),\r\n SrcProcessName = tostring(EventData.Image),\r\n SrcUsername = tostring(EventData.User)\r\n | project-away EventData\r\n};\r\nunion isfuzzy=true ParsedDnsEvent_Event(disabled), ParsedDnsEvent_WindowsEvent(disabled)\r\n | lookup RCodeTable on DnsResponseCode\r\n | project-rename \r\n DvcHostname = Computer,\r\n // EventUid = _ItemId, \r\n DvcScopeId = _SubscriptionId\r\n | extend\r\n EventOriginalType = '22',\r\n EventCount=int(1),\r\n EventProduct = 'Sysmon',\r\n EventVendor = 'Microsoft',\r\n EventSchema = 'Dns',\r\n EventSchemaVersion=\"0.1.3\",\r\n EventType = 'lookup',\r\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\r\n EventStartTime = EventEndTime,\r\n EventSubType= 'response',\r\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\r\n SrcUsernameType = 'Windows'\r\n // -- Aliases\r\n | extend \r\n EventResultDetails = DnsResponseCodeName,\r\n Domain = DnsQuery,\r\n Dvc = 
DvcHostname,\r\n SrcHostname = DvcHostname,\r\n Hostname=DvcHostname,\r\n Src = DvcHostname,\r\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode {?([^')\r\n | project-rename \r\n EventEndTime = UtcTime,\r\n SrcProcessId = ProcessId,\r\n SrcProcessGuid = ProcessGuid,\r\n DnsQuery = QueryName,\r\n DnsResponseCode = QueryStatus,\r\n DnsResponseName = QueryResults,\r\n SrcProcessName = Image,\r\n SrcUsername = User\r\n | project-away EventData\r\n};\r\nlet ParsedDnsEvent_WindowsEvent =(disabled:bool=false) {\r\n WindowsEvent | where not(disabled)\r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type // , _ItemId \r\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 22\r\n | project-away Provider, EventID \r\n | extend \r\n RuleName = tostring(EventData.RuleName),\r\n EventEndTime = todatetime(EventData.UtcTime),\r\n SrcProcessGuid = tostring(EventData.ProcessGuid),\r\n // extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\r\n SrcProcessId = tostring(EventData.ProcessId), \r\n DnsQuery = tostring(EventData.QueryName),\r\n DnsResponseCode = toint(EventData.QueryStatus),\r\n DnsResponseName = tostring(EventData.QueryResults),\r\n SrcProcessName = tostring(EventData.Image),\r\n SrcUsername = tostring(EventData.User)\r\n | project-away EventData\r\n | parse SrcProcessGuid with '{' SrcProcessGuid '}'\r\n};\r\nunion isfuzzy=true \r\n //ParsedDnsEvent_Event(disabled), \r\n ParsedDnsEvent_WindowsEvent(disabled)\r\n | lookup RCodeTable on DnsResponseCode\r\n | project-rename \r\n DvcHostname = Computer,\r\n // EventUid = _ItemId, \r\n DvcScopeId = _SubscriptionId,\r\n DvcId = _ResourceId\r\n | extend\r\n EventOriginalType = '22',\r\n EventCount=int(1),\r\n EventProduct = 'Sysmon',\r\n EventVendor = 'Microsoft',\r\n EventSchema = 'Dns',\r\n EventSchemaVersion=\"0.1.6\",\r\n EventType = 'Query',\r\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\r\n 
EventStartTime = EventEndTime,\r\n EventSubType= 'response',\r\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\r\n SrcUsernameType = 'Windows',\r\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\r\n DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\r\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\r\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\")\r\n // -- Aliases\r\n | extend \r\n EventResultDetails = DnsResponseCodeName,\r\n Domain = DnsQuery,\r\n Dvc = DvcHostname,\r\n SrcHostname = DvcHostname,\r\n Hostname=DvcHostname,\r\n Src = DvcHostname,\r\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode {?([^')\r\n | project-rename \r\n EventEndTime = UtcTime,\r\n SrcProcessId = ProcessId,\r\n SrcProcessGuid = ProcessGuid,\r\n DnsQuery = QueryName,\r\n DnsResponseCode = QueryStatus,\r\n DnsResponseName = QueryResults,\r\n SrcProcessName = Image,\r\n SrcUsername = User\r\n | project-away EventData\r\n};\r\nParsedDnsEvent_Event(disabled)\r\n | lookup RCodeTable on DnsResponseCode\r\n | project-rename \r\n DvcHostname = Computer,\r\n // EventUid = _ItemId, \r\n DvcScopeId = _SubscriptionId,\r\n DvcId = _ResourceId\r\n | extend\r\n EventOriginalType = '22',\r\n EventCount=int(1),\r\n EventProduct = 'Sysmon',\r\n EventVendor = 'Microsoft',\r\n EventSchema = 'Dns',\r\n EventSchemaVersion=\"0.1.6\",\r\n EventType = 'Query',\r\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\r\n EventStartTime = EventEndTime,\r\n EventSubType= 'response',\r\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\r\n SrcUsernameType = 'Windows',\r\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\r\n DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\r\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\r\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\r\n EventUid = 
_ItemId\r\n // -- Aliases\r\n | extend \r\n EventResultDetails = DnsResponseCodeName,\r\n Domain = DnsQuery,\r\n Dvc = DvcHostname,\r\n SrcHostname = DvcHostname,\r\n Hostname=DvcHostname,\r\n Src = DvcHostname,\r\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode 9000 and DnsResponseCode 0, \"Failure\", \"Success\"),\r\n EventSchema = 'Dns', \r\n EventSchemaVersion='0.1.3',\r\n EventType = 'Query',\r\n EventVendor = 'Vectra AI',\r\n SrcDvcIdType = 'VectraId',\r\n DstDvcIdType = 'VectraId',\r\n DvcIdType = 'VectraId',\r\n SrcPortNumber = toint(id_orig_p_d),\r\n TransactionIdHex = tostring(toint(trans_id_d)),\r\n EventSubType = iff (saw_reply_b, \"response\", \"request\")\r\n | lookup DnsClassLookup on DnsQueryClass\r\n | lookup NetworkProtocolLookup on proto_d\r\n | extend\r\n EventResultDetails = DnsResponseCodeName,\r\n EventStartTime = EventEndTime,\r\n SessionId = DnsSessionId,\r\n Domain = DnsQuery,\r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr,\r\n Dvc = coalesce (DvcId, DvcDescription),\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr\r\n | project-away\r\n *_d, *_s, *_b, *_g\r\n };\r\nparser (disabled)","parameters":"disabled:bool = false","description":"DNS ASIM parser for Vectra AI Steams.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"1d4ab680-de7f-5a17-b787-6cd634995e4a","name":"_ASim_Dns_ZscalerZIAV04","body":"let ZscalerDNSevents=(disabled:bool=false){\r\n CommonSecurityLog \r\n | where not(disabled)\r\n | where DeviceProduct == \"NSSDNSlog\" \r\n | project-rename\r\n Dvc=Computer , \r\n SrcIpAddr = SourceIP, \r\n SrcUsername = SourceUserName, \r\n DstIpAddr = DestinationIP, \r\n DstPortNumber = DestinationPort, \r\n EventProductVersion = DeviceVersion, \r\n DnsQueryTypeName = DeviceCustomString4, \r\n DnsQuery = DeviceCustomString5, \r\n SrcUserDepartment = DeviceCustomString1, // Not part of the standard schema\r\n reqaction = DeviceCustomString2, \r\n resaction 
= DeviceCustomString3, \r\n DvcUsername = SourceUserID,\r\n DvcZone = SourceUserPrivileges,\r\n SrcHostname = DeviceName\r\n | extend\r\n EventCount=int(1), \r\n EventStartTime=TimeGenerated, \r\n EventVendor = \"Zscaler\", \r\n EventProduct = \"ZIA DNS\", \r\n EventSchema = \"Dns\", \r\n EventSchemaVersion=\"0.1.3\", \r\n EventEndTime=TimeGenerated, \r\n SrcUsernameType = \"Upn\", \r\n SrcHostnameType = \"Simple\",\r\n EventSubType = iff(resaction == 'None', 'request', 'response'), \r\n DvcAction = iff(resaction == 'None', reqaction, resaction), \r\n EventResultDetails = iff (DeviceCustomString6 matches regex @'^([A-Z_]+)$', DeviceCustomString6, 'NOERROR'), \r\n EventType = 'Query', \r\n DnsRuleName = strcat (FlexString1, \" / \", FlexString2),\r\n // -- Adjustment to support both old and new CSL fields.\r\n UrlCategory = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"), extract(\"cat=(.*)\", 1, AdditionalExtensions), \"\"), \r\n DnsNetworkDuration = coalesce(\r\n toint(column_ifexists (\"fieldDeviceCustomNumber1\", int(null))), \r\n toint(column_ifexists (\"DeviceCustomNumber1\",int(null)))\r\n )\r\n | extend \r\n EventResult = case (\r\n EventSubType == 'request', 'NA', \r\n EventResultDetails == 'NOERROR', 'Success',\r\n 'Failure'),\r\n DnsResponseName = iff (EventResultDetails == 'NOERROR', DeviceCustomString6, '')\r\n // -- Aliases\r\n | extend\r\n DnsResponseCodeName = EventResultDetails,\r\n Domain = DnsQuery,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Hostname = SrcHostname,\r\n Dst = DstIpAddr,\r\n DvcHostname = Dvc,\r\n Duration = DnsNetworkDuration,\r\n User = SrcUsername\r\n // -- Backward Compatibility\r\n | extend\r\n Query=DnsQuery, \r\n QueryTypeName=DnsQueryTypeName, \r\n ResponseName=DnsResponseName, \r\n ResponseCodeName=DnsResponseCodeName\r\n };\r\nZscalerDNSevents (disabled)","parameters":"disabled:bool = false","displayName":"DNS Parser for Zscaler ZIA V04","description":"DNS activity ASIM parser for Zscaler 
ZIA.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"0f3b2de2-15fa-5ea2-a7e7-3f5adc3691cc","name":"_ASim_Dns_ZscalerZIAV05","body":"let ZscalerDNSevents=(disabled:bool=false){\r\n CommonSecurityLog \r\n | where not(disabled)\r\n | where DeviceProduct == \"NSSDNSlog\" \r\n | project-rename\r\n Dvc=Computer , \r\n SrcIpAddr = SourceIP, \r\n SrcUsername = SourceUserName, \r\n DstIpAddr = DestinationIP, \r\n DstPortNumber = DestinationPort, \r\n EventProductVersion = DeviceVersion, \r\n DnsQueryTypeName = DeviceCustomString4, \r\n DnsQuery = DeviceCustomString5, \r\n SrcUserDepartment = DeviceCustomString1, // Not part of the standard schema\r\n reqaction = DeviceCustomString2, \r\n resaction = DeviceCustomString3, \r\n DvcUsername = SourceUserID,\r\n DvcZone = SourceUserPrivileges,\r\n SrcHostname = DeviceName,\r\n NetworkProtocol = Protocol,\r\n EventOriginalSeverity = LogSeverity,\r\n EventMessage = Message\r\n | extend\r\n EventCount=int(1), \r\n EventStartTime=TimeGenerated, \r\n EventVendor = \"Zscaler\", \r\n EventProduct = \"ZIA DNS\", \r\n EventSchema = \"Dns\", \r\n EventSchemaVersion=\"0.1.3\", \r\n EventEndTime=TimeGenerated, \r\n SrcUsernameType = \"Upn\", \r\n EventSubType = iff(resaction == 'None', 'request', 'response'), \r\n DvcAction = iff(resaction == 'None', reqaction, resaction), \r\n EventResultDetails = iff (DeviceCustomString6 matches regex @'^([A-Z_]+)$', DeviceCustomString6, 'NOERROR'), \r\n EventType = 'Query', \r\n RuleName = strcat (FlexString1, \" / \", FlexString2),\r\n // -- Adjustment to support both old and new CSL fields.\r\n UrlCategory = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"), extract(\"cat=(.*)\", 1, AdditionalExtensions), \"\"), \r\n DnsNetworkDuration = coalesce(\r\n toint(column_ifexists (\"fieldDeviceCustomNumber1\", int(null))), \r\n toint(column_ifexists (\"DeviceCustomNumber1\",int(null)))\r\n )\r\n | extend \r\n EventResult = case (\r\n 
EventSubType == 'request', 'NA', \r\n EventResultDetails == 'NOERROR', 'Success',\r\n 'Failure'),\r\n DnsResponseName = iff (EventResultDetails == 'NOERROR', DeviceCustomString6, '')\r\n // -- Aliases\r\n | extend\r\n DnsResponseCodeName = EventResultDetails,\r\n Domain = DnsQuery,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Hostname = SrcHostname,\r\n Dst = DstIpAddr,\r\n DvcHostname = Dvc,\r\n Duration = DnsNetworkDuration,\r\n User = SrcUsername\r\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink, Activity, resaction, reqaction\r\n };\r\nZscalerDNSevents (disabled)","parameters":"disabled:bool = false","displayName":"DNS Parser for Zscaler ZIA V05","description":"DNS activity ASIM parser for Zscaler ZIA.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"3da27875-fa0c-5f10-8ddf-abc6f8b7c8a6","name":"_ASim_Dns_ZscalerZIAV06","body":"let ZscalerDNSevents=(disabled:bool=false){\r\n CommonSecurityLog \r\n | where not(disabled)\r\n | where DeviceProduct == \"NSSDNSlog\" \r\n | project-rename\r\n Dvc=Computer , \r\n SrcIpAddr = SourceIP, \r\n SrcUsername = SourceUserName, \r\n DstIpAddr = DestinationIP, \r\n DstPortNumber = DestinationPort, \r\n EventProductVersion = DeviceVersion, \r\n DnsQueryTypeName = DeviceCustomString4, \r\n DnsQuery = DeviceCustomString5, \r\n SrcUserDepartment = DeviceCustomString1, // Not part of the standard schema\r\n reqaction = DeviceCustomString2, \r\n resaction = DeviceCustomString3, \r\n DvcUsername = SourceUserID,\r\n DvcZone = SourceUserPrivileges,\r\n SrcHostname = DeviceName,\r\n 
NetworkProtocol = Protocol,\r\n EventOriginalSeverity = LogSeverity,\r\n EventMessage = Message\r\n | extend\r\n EventCount=int(1), \r\n EventStartTime=TimeGenerated, \r\n EventVendor = \"Zscaler\", \r\n EventProduct = \"ZIA DNS\", \r\n EventSchema = \"Dns\", \r\n EventSchemaVersion=\"0.1.3\", \r\n EventEndTime=TimeGenerated, \r\n SrcUsernameType = \"UPN\", \r\n EventSubType = iff(resaction == 'None', 'request', 'response'), \r\n DvcAction = iff(resaction == 'None', reqaction, resaction), \r\n EventResultDetails = iff (DeviceCustomString6 matches regex @'^([A-Z_]+)$', DeviceCustomString6, 'NOERROR'), \r\n EventType = 'Query', \r\n RuleName = strcat (FlexString1, \" / \", FlexString2),\r\n // -- Adjustment to support both old and new CSL fields.\r\n UrlCategory = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"), extract(\"cat=(.*)\", 1, AdditionalExtensions), \"\"), \r\n DnsNetworkDuration = coalesce(\r\n toint(column_ifexists (\"FieldDeviceCustomNumber1\", int(null))), \r\n toint(column_ifexists (\"DeviceCustomNumber1\",int(null)))\r\n )\r\n | extend \r\n EventResult = case (\r\n EventSubType == 'request', 'NA', \r\n EventResultDetails == 'NOERROR', 'Success',\r\n 'Failure'),\r\n DnsResponseName = iff (EventResultDetails == 'NOERROR', DeviceCustomString6, '')\r\n // -- Aliases\r\n | extend\r\n DnsResponseCodeName = EventResultDetails,\r\n Domain = DnsQuery,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Hostname = SrcHostname,\r\n Dst = DstIpAddr,\r\n DvcHostname = Dvc,\r\n Duration = DnsNetworkDuration,\r\n User = SrcUsername,\r\n // -- Entity identifier explicit aliases\r\n SrcUserUpn = SrcUsername\r\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, 
EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink, Activity, resaction, reqaction\r\n };\r\nZscalerDNSevents (disabled)","parameters":"disabled:bool = false","description":"DNS activity ASIM parser for Zscaler ZIA.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"7ad17758-6e1b-5ca9-911e-6b64cdd3d1fe","name":"_Im_Dns","body":"union isfuzzy=true\r\n_Im_DnsBuiltIn(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, pack= pack),\r\nIm_DnsSolutions(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, pack= pack),\r\nIm_DnsCustom(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, pack= pack)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr:string = '*', domain_has_any:dynamic = dynamic([]), responsecodename:string = '*', response_has_ipv4:string = '*', response_has_any_prefix:dynamic = dynamic([]), eventtype:string = 'lookup', pack:bool = false","description":"DNS activity ASIM filtering parser.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"0b2a8509-ddf3-56e7-9e4a-bc6ea62275f0","name":"_Im_DnsBuiltIn","body":"let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') \r\n| where SearchKey in ('Any', 'Exclude_Im_Dns') \r\n| extend 
SourceSpecificParser=column_ifexists('SourceSpecificParser','') \r\n| where isnotempty(SourceSpecificParser) \r\n| summarize list = make_set(SourceSpecificParser));\r\nlet builtInDisabled = 0 != array_length(set_intersect(toscalar(DisabledParsers),dynamic(['Exclude_Im_DnsBuiltIn', 'Exclude_Im_Dns', 'Any'])));\r\nunion isfuzzy=true\r\n_Im_Dns_AzureFirewallV04(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_Dns_AzureFirewall' in (DisabledParsers)))),\r\n_Im_Dns_CiscoUmbrellaV03(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_Dns_CiscoUmbrella' in (DisabledParsers)))),\r\n_Im_Dns_CorelightZeekV05(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_Dns_CorelightZeek' in (DisabledParsers)))),\r\n_Im_Dns_EmptyV05,\r\n_Im_Dns_FortinetFortiGateV01(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_Dns_FortinetFortiGate' in (DisabledParsers)))),\r\n_Im_Dns_GcpV04(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= 
response_has_any_prefix, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_Dns_Gcp' in (DisabledParsers)))),\r\n_Im_Dns_InfobloxBloxOneV01(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_Dns_InfobloxBloxOne' in (DisabledParsers)))),\r\n_Im_Dns_InfobloxNIOSV05(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_Dns_InfobloxNIOS' in (DisabledParsers)))),\r\n_Im_Dns_MicrosoftNXlogV05(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_Dns_MicrosoftNXlog' in (DisabledParsers)))),\r\n_Im_Dns_MicrosoftOMSV04(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_Dns_MicrosoftOMS' in (DisabledParsers)))),\r\n_Im_Dns_MicrosoftSysmonV05(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_Dns_MicrosoftSysmon' in (DisabledParsers)))),\r\n_Im_Dns_MicrosoftSysmonWindowsEventV05(starttime= starttime, endtime= endtime, srcipaddr= 
srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_Dns_MicrosoftSysmonWindowsEvent' in (DisabledParsers)))),\r\n_Im_Dns_NativeV08(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_Dns_Native' in (DisabledParsers)))),\r\n_Im_Dns_VectraAIV01(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_Dns_VectraAI' in (DisabledParsers)))),\r\n_Im_Dns_ZscalerZIAV04(starttime= starttime, endtime= endtime, srcipaddr= srcipaddr, domain_has_any= domain_has_any, responsecodename= responsecodename, response_has_ipv4= response_has_ipv4, response_has_any_prefix= response_has_any_prefix, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_Dns_ZscalerZIA' in (DisabledParsers))))\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr:string = '*', domain_has_any:dynamic = dynamic([]), responsecodename:string = '*', response_has_ipv4:string = '*', response_has_any_prefix:dynamic = dynamic([]), eventtype:string = 'lookup', pack:bool = false","description":"DNS activity ASIM built-in union parser.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"7a82d264-ada7-56a4-87b9-bd8e395a9f38","name":"_Im_Dns_AzureFirewallV03","body":"let DNS_query=(\r\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\r\n , srcipaddr:string='*'\r\n 
, domain_has_any:dynamic=dynamic([]) \r\n , responsecodename:string='*', response_has_ipv4:string='*'\r\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\r\n , disabled:bool=false\r\n ){\r\n AzureDiagnostics | where not(disabled)\r\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\r\n | where Category == \"AzureFirewallDnsProxy\"\r\n | project msg_s, TimeGenerated, ResourceId\r\n | where msg_s startswith \"DNS Request:\"\r\n // --Pre-parsing filtering:\r\n | where\r\n // Return empty list if response IPs are passed\r\n (response_has_ipv4=='*')\r\n and (array_length(response_has_any_prefix) ==0) \r\n and (eventtype=='*' or eventtype in (\"Query\", \"lookup\")) // -- support both legacy and standard value \r\n and (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated \" DstIpAddr:string \":\" DstPortNumber:int \r\n \": \" EventResultOriginalDetails:string\r\n // -- Post-filtering accurately now that message is parsed\r\n | where\r\n (srcipaddr==\"*\" or SrcIpAddr==srcipaddr)\r\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\r\n | project-away msg_s\r\n | extend \r\n EventResult = \"Failure\",\r\n EventSubType = \"request\"\r\n};\r\nlet DNS = (\r\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\r\n , srcipaddr:string='*'\r\n , domain_has_any:dynamic=dynamic([]) \r\n , responsecodename:string='*', response_has_ipv4:string='*'\r\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\r\n , disabled:bool=false\r\n ) {\r\n union \r\n DNS_query (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled),\r\n DNS_error (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\r\n | extend\r\n NetworkProtocol = 
toupper(NetworkProtocol)\r\n | project-rename\r\n DvcId = ResourceId\r\n | extend\r\n DvcIdType = \"AzureResourceId\",\r\n EventCount = int(1),\r\n EventStartTime = TimeGenerated,\r\n EventVendor = \"Microsoft\",\r\n EventProduct = \"Azure Firewall\",\r\n EventSchema = \"Dns\",\r\n EventSchemaVersion = \"0.1.3\",\r\n EventEndTime = TimeGenerated, \r\n EventType = 'Query',\r\n DnsFlagsAuthenticated = DnsFlags has \"aa\",\r\n DnsFlagsAuthoritative = DnsFlags has \"ad\",\r\n DnsFlagsCheckingDisabled = DnsFlags has \"cd\",\r\n DnsFlagsRecursionAvailable = DnsFlags has \"ra\",\r\n DnsFlagsRecursionDesired = DnsFlags has \"rd\",\r\n DnsFlagsTruncates = DnsFlags has \"tc\"\r\n | extend\r\n // -- Aliases\r\n DnsResponseCodeName=EventResultDetails,\r\n Domain=DnsQuery,\r\n IpAddr=SrcIpAddr,\r\n Src=SrcIpAddr,\r\n Dst=DstIpAddr,\r\n Duration = DnsNetworkDuration,\r\n Dvc=DvcId\r\n | extend\r\n // -- Backward Compatibility\r\n Query = DnsQuery,\r\n QueryTypeName = DnsQueryTypeName,\r\n ResponseCodeName = DnsResponseCodeName,\r\n Flags = DnsFlags\r\n};\r\nDNS (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr:string = '*', domain_has_any:dynamic = dynamic([]), responsecodename:string = '*', response_has_ipv4:string = '*', response_has_any_prefix:dynamic = dynamic([]), eventtype:string = 'Query', disabled:bool = false","displayName":"DNS Filtering Parser for Azure Firewall V03","description":"DNS activity ASIM filtering parser for Azure Firewall.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"87d6f873-5ad7-51af-bbde-6ff91f2762cb","name":"_Im_Dns_AzureFirewallV04","body":"let legacy_DNS_query=(\r\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\r\n , srcipaddr:string='*'\r\n , domain_has_any:dynamic=dynamic([]) \r\n , 
responsecodename:string='*', response_has_ipv4:string='*'\r\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\r\n , disabled:bool=false\r\n ){\r\n AzureDiagnostics | where not(disabled)\r\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\r\n | where Category == \"AzureFirewallDnsProxy\"\r\n | project msg_s, TimeGenerated, ResourceId, SubscriptionId\r\n | where msg_s startswith \"DNS Request:\"\r\n // --Pre-parsing filtering:\r\n | where\r\n // Return empty list if response IPs are passed\r\n (response_has_ipv4=='*')\r\n and (array_length(response_has_any_prefix) ==0) \r\n and (eventtype=='*' or eventtype in (\"Query\", \"lookup\")) // -- support both legacy and standard value \r\n and (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated \" DstIpAddr:string \":\" DstPortNumber:int \r\n \": \" EventResultOriginalDetails:string\r\n // -- Post-filtering accurately now that message is parsed\r\n | where\r\n (srcipaddr==\"*\" or SrcIpAddr==srcipaddr)\r\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\r\n | project-away msg_s\r\n | extend \r\n EventResult = \"Failure\",\r\n EventSubType = \"request\"\r\n};\r\nlet AZFW_Dns = (\r\n starttime:datetime = datetime(null)\r\n , endtime:datetime = datetime(null)\r\n , srcipaddr:string = '*'\r\n , domain_has_any:dynamic = dynamic([])\r\n , responsecodename:string = '*'\r\n , response_has_ipv4:string = '*'\r\n , response_has_any_prefix:dynamic = dynamic([])\r\n , eventtype:string = 'Query'\r\n , disabled:bool = false\r\n) {\r\n AZFWDnsQuery\r\n | where not(disabled)\r\n // Pre-filtering\r\n | where (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated ResponseCodeNames\r\n //\r\n TimeGenerated, // not handled by schema, but we need to preserve it\r\n 
SrcIpAddr=column_ifexists('InternalIp_s', ''),\r\n EventSubType='response',\r\n // ********** Renamed columns\r\n UrlCategory=column_ifexists('Categories_s', ''),\r\n DnsQuery=trim_end(@'\\.',column_ifexists('Domain_s', '')) , \r\n ThreatCategory=column_ifexists('Blocked_Categories_s', ''),\r\n SrcNatIpAddr=column_ifexists('ExternalIp_s', ''),\r\n DvcAction=column_ifexists('Action_s', ''),\r\n EventEndTime=todatetime(column_ifexists('Timestamp_t', column_ifexists('Timestamp_s',\"\") )),\r\n //\r\n // *************** keep Parsed data\r\n DnsQueryType, DnsQueryTypeName\r\n // **************Aliases\r\n | extend \r\n DnsResponseCodeName=EventResultDetails, \r\n DomainCategory=UrlCategory,\r\n Domain=DnsQuery,\r\n IpAddr=SrcIpAddr,\r\n Src=SrcIpAddr\r\n };\r\nDNSQuery_CiscoUmbrella( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr:string = '*', domain_has_any:dynamic = dynamic([]), responsecodename:string = '*', response_has_ipv4:string = '*', response_has_any_prefix:dynamic = dynamic([]), eventtype:string = 'Query', disabled:bool = false","description":"DNS activity ASIM filtering parser for Cisco Umbrella.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"36030c6d-4196-5c11-bd02-44e8770888f9","name":"_Im_Dns_CorelightZeekV03","body":"let DNSQuery_CorelightZeek=(\r\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\r\n , srcipaddr:string='*'\r\n , domain_has_any:dynamic=dynamic([]) \r\n , responsecodename:string='*', response_has_ipv4:string='*'\r\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\r\n , disabled:bool=false\r\n ){\r\n Corelight_CL | where not(disabled)\r\n | where log_file_s has \"dns\"\r\n // Pre-parsing filtering:\r\n | where\r\n (eventtype in~ ('lookup', 
'Query'))\r\n and (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime) and\r\n (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated #port : [view: DNS view] query: response: [; [;] ...]\r\n , extract_all(@\"^(\\@[a-z0-9]+\\s)?([0-9\\.]+)\\#(\\d+):? (UDP|TCP):? (view: DNS view)?query: (\\S+) ([A-Z]+) (\\S+) response:? ([A-Z]+) (\\S+)(([^;]+;\\s*)*)\",dnsdata)[0]\r\n //# query: [SETDC] \r\n , extract_all(@\"^(\\@[a-z0-9]+\\s)?([0-9\\.]+)\\#(\\d+):? query: (\\S+) (\\S+) (\\S+) ([+-]) \\(([0-9.]+)\\)\",dnsdata)[0])\r\n | project-away SyslogMessage\r\n | extend \r\n SrcIpAddr = tostring(dnsclient[1]),\r\n DnsQuery = iff (EventSubType==\"response\",tostring(dnsclient[5]), tostring(dnsclient[3])),\r\n DnsResponseCodeName = iff (EventSubType==\"response\",tostring(dnsclient[8]),\"\")\r\n // Post-filtering accurately now that message is parsed\r\n | where\r\n (srcipaddr==\"*\" or SrcIpAddr==srcipaddr)\r\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\r\n and (responsecodename==\"*\" or DnsResponseCodeName has responsecodename)\r\n | extend\r\n // ******************* Mandatory\r\n EventCount=int(1),\r\n EventStartTime=todatetime(TimeGenerated),\r\n EventEndTime=todatetime(TimeGenerated),\r\n EventProduct=\"NIOS\",\r\n EventVendor=\"Infoblox\",\r\n EventSchema=\"Dns\",\r\n EventSchemaVersion=\"0.1.3\",\r\n EventType=\"Query\", \r\n EventResult=iff(EventSubType==\"request\" or tostring(dnsclient[8])==\"NOERROR\",\"Success\",\"Failure\"),\r\n EventResultDetails=iff (EventSubType==\"response\",tostring(dnsclient[8]),\"\"),\r\n EventSubType=iff(dnsclient has \"response:\", 
\"response\",\"request\"), \r\n // \r\n SrcPortNumber = toint(dnsclient[2]),\r\n NetworkProtocol = iff (EventSubType==\"response\", tostring(dnsclient[3]),\"\"), \r\n DnsQueryClassName = iff (EventSubType==\"response\",tostring(dnsclient[6]),tostring(dnsclient[4])),\r\n DnsQueryTypeName = iff (EventSubType==\"response\",tostring(dnsclient[7]),tostring(dnsclient[5])),\r\n DnsFlags =iff (EventSubType==\"response\", tostring(dnsclient[9]),tostring(dnsclient[6])),\r\n // \r\n DnsResponseName = iff (EventSubType==\"response\",tostring(dnsclient[-2]),\"\"),\r\n DstIpAddr=iff(EventSubType==\"response\",\"\",dnsclient[-1])\r\n // Post filtering step 2\r\n | where \r\n (array_length(domain_has_any) ==0 or has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix)) and\r\n (response_has_ipv4 == '*' or has_ipv4(DnsResponseName,response_has_ipv4))\r\n | project-rename\r\n // * Added in version 0.1.1\r\n DvcHostname=Computer\r\n , DvcIpAddr=HostIP\r\n // *\r\n // **************Aliases\r\n | extend\r\n Dvc=DvcHostname,\r\n Domain=DnsQuery,\r\n IpAddr=SrcIpAddr,\r\n Src=SrcIpAddr,\r\n Dst=DstIpAddr,\r\n // Backward Compatibility\r\n Query=DnsQuery\r\n , QueryTypeName=DnsQueryTypeName\r\n , ResponseCodeName=DnsResponseCodeName\r\n , QueryClassName=DnsQueryClassName\r\n , Flags=DnsFlags\r\n };\r\n Infoblox(starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr:string = '*', domain_has_any:dynamic = dynamic([]), responsecodename:string = '*', response_has_ipv4:string = '*', response_has_any_prefix:dynamic = dynamic([]), eventtype:string = 'Query', disabled:bool = false","displayName":"DNS Filtering Parser for Infoblox NIOS V03","description":"DNS activity ASIM filtering parser for Infoblox 
NIOS.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"5f0e9e37-72b5-533e-8e35-1ed932fe3084","name":"_Im_Dns_InfobloxNIOSV04","body":"let response = (\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null), \r\n srcipaddr:string=\"*\", \r\n domain_has_any:dynamic=dynamic([]), \r\n responsecodename:string=\"*\", \r\n response_has_ipv4:string=\"*\",\r\n response_has_any_prefix:dynamic=dynamic([]),\r\n eventtype:string=\"Query\",\r\n disabled:bool=false\r\n) \r\n{\r\n Syslog\r\n | where not(disabled)\r\n and (eventtype in~ ('lookup', 'Query'))\r\n // -- Pre filtering\r\n | where\r\n (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated ' RuleName:string '' \r\n '' EventEndTime:datetime ''\r\n '{' SrcProcessGuid:string '}'\r\n '' SrcProcessId:string ''\r\n '' DnsQuery:string ''\r\n '' DnsResponseCode:int ''\r\n '' DnsResponseName:string ''\r\n '' SrcProcessName:string ''\r\n *\r\n | parse EventData with * ''SrcUsername:string '' *\r\n | project-away EventData \r\n // -- Post-filtering tests differnt for Event and WindowsEvent\r\n | lookup RCodeTable on DnsResponseCode\r\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\r\n // --\r\n };\r\nlet ParsedDnsEvent_WindowsEvent =(\r\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\r\n , srcipaddr:string='*'\r\n , 
domain_has_any:dynamic=dynamic([]) \r\n , responsecodename:string='*', response_has_ipv4:string='*'\r\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup'\r\n , disabled:bool=false\r\n) \r\n{\r\n WindowsEvent | where not(disabled)\r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider //, _ItemId \r\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 22\r\n | project-away Provider, EventID\r\n // -- Pre-parsing filtering (srcipaddr not available)\r\n | where\r\n (eventtype=='lookup')\r\n and (srcipaddr=='*')\r\n and (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated 9000 and DnsResponseCode = starttime)\r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n | project-rename \r\n EventEndTime = UtcTime,\r\n SrcProcessId = ProcessId,\r\n SrcProcessGuid = ProcessGuid,\r\n DnsQuery = QueryName,\r\n DnsResponseCode = QueryStatus,\r\n DnsResponseName = QueryResults,\r\n SrcProcessName = Image,\r\n SrcUsername = User\r\n | project-away EventData \r\n // -- Post-filtering tests differnt for Event and WindowsEvent\r\n | lookup RCodeTable on DnsResponseCode\r\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\r\n // --\r\n };\r\nlet ParsedDnsEvent_WindowsEvent =(\r\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\r\n , srcipaddr:string='*'\r\n , domain_has_any:dynamic=dynamic([]) \r\n , responsecodename:string='*', response_has_ipv4:string='*'\r\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup'\r\n , disabled:bool=false\r\n) \r\n{\r\n WindowsEvent | where not(disabled)\r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type //, _ItemId \r\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 22\r\n | project-away Provider, EventID\r\n // -- Pre-parsing filtering (srcipaddr not available)\r\n | 
where\r\n (eventtype=='lookup')\r\n and (srcipaddr=='*')\r\n and (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated 9000 and DnsResponseCode = starttime)\r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n | project-rename \r\n EventEndTime = UtcTime,\r\n SrcProcessId = ProcessId,\r\n SrcProcessGuid = ProcessGuid,\r\n DnsQuery = QueryName,\r\n DnsResponseCode = QueryStatus,\r\n DnsResponseName = QueryResults,\r\n SrcProcessName = Image,\r\n SrcUsername = User\r\n | project-away EventData \r\n // -- Post-filtering tests differnt for Event and WindowsEvent\r\n | lookup RCodeTable on DnsResponseCode\r\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\r\n // --\r\n };\r\nlet ParsedDnsEvent=(\r\n starttime:datetime=datetime(null)\r\n , endtime:datetime=datetime(null)\r\n , srcipaddr:string='*'\r\n , domain_has_any:dynamic=dynamic([]) \r\n , responsecodename:string='*'\r\n , response_has_ipv4:string='*'\r\n , response_has_any_prefix:dynamic=dynamic([]) \r\n , eventtype:string='lookup'\r\n , disabled:bool=false\r\n) \r\n{\r\n ParsedDnsEvent_Event (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\r\n// -- Post-filtering accurately now that message is parsed\r\n| where\r\n (array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any))\r\n and (response_has_ipv4=='*' or has_ipv4(DnsResponseName,response_has_ipv4) )\r\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix))\r\n// --\r\n| project-rename \r\n DvcHostname = Computer,\r\n //EventUid = _ItemId,\r\n DvcScopeId = _SubscriptionId,\r\n DvcId = _ResourceId\r\n| extend\r\n EventOriginalType = '22',\r\n EventCount=int(1),\r\n EventProduct = 'Sysmon',\r\n EventVendor = 'Microsoft',\r\n EventSchema = 'Dns',\r\n EventSchemaVersion=\"0.1.6\",\r\n EventType = 'Query',\r\n 
EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\r\n EventStartTime = EventEndTime,\r\n EventSubType= 'response',\r\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\r\n SrcUsernameType = 'Windows',\r\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\r\n DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\r\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\r\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\r\n EventUid = _ItemId\r\n// -- Aliases\r\n| extend \r\n EventResultDetails = DnsResponseCodeName,\r\n Domain = DnsQuery,\r\n Dvc = DvcHostname,\r\n SrcHostname = DvcHostname,\r\n Src = DvcHostname,\r\n Hostname=DvcHostname,\r\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode = starttime)\r\n and (isnull(endtime) or TimeGenerated 9000 and DnsResponseCode = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated 0, \"Failure\", \"Success\"),\r\n EventSchema = 'Dns', \r\n EventSchemaVersion='0.1.3',\r\n EventType = 'Query',\r\n EventVendor = 'Vectra AI',\r\n SrcDvcIdType = 'VectraId',\r\n DstDvcIdType = 'VectraId',\r\n DvcIdType = 'VectraId',\r\n SrcPortNumber = toint(id_orig_p_d),\r\n TransactionIdHex = tostring(toint(trans_id_d)),\r\n EventSubType = iff (saw_reply_b, \"response\", \"request\")\r\n | lookup DnsClassLookup on DnsQueryClass\r\n | lookup NetworkProtocolLookup on proto_d\r\n | extend\r\n EventResultDetails = DnsResponseCodeName,\r\n EventStartTime = EventEndTime,\r\n SessionId = DnsSessionId,\r\n Domain = DnsQuery,\r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr,\r\n Dvc = coalesce (DvcId, DvcDescription),\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr\r\n | project-away\r\n *_d, *_s, *_b, *_g\r\n 
};\r\nparser(starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr:string = '*', domain_has_any:dynamic = dynamic([]), responsecodename:string = '*', response_has_ipv4:string = '*', response_has_any_prefix:dynamic = dynamic([]), eventtype:string = 'Query', disabled:bool = false","description":"DNS ASIM parser for Vectra AI Streams.","related":{"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"]}},{"id":"b052f410-754b-5cbb-a24d-c88c78bbafad","name":"_Im_Dns_ZscalerZIAV02","body":"let ZscalerDNSevents=(\r\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\r\n , srcipaddr:string='*'\r\n , domain_has_any:dynamic=dynamic([]) \r\n , responsecodename:string='*', response_has_ipv4:string='*'\r\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\r\n , disabled:bool=false\r\n){\r\n CommonSecurityLog \r\n | where (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated no mapping required, RemainingString will be empty \r\n | parse Message with * \" bytes \" * \" \" RemainingString\r\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\r\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\r\n // Now to cover case #3 and 5. 
TCP FINs from OUTSIDE, adding check for the word \"from\" \r\n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\r\n ReasonString)\r\n // Finally extract the required Reason information from the string to be utilized later\r\n | parse ReasonString with Reason \" from \" *\r\n | extend Reason = case(isempty(Reason), ReasonString,\r\n Reason)\r\n | lookup EventResultMapping on Reason\r\n | extend \r\n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\r\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\r\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\r\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\",\r\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\r\n | project-away DstUsernameSimple, *String, Reason;\r\n let all_302014_parsed = parsedData\r\n | where DeviceEventClassID == \"302014\"\r\n | project-away DvcAction, EventResult\r\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\r\n | parse Message with * \" bytes \" * \" \" ReasonString\r\n | parse ReasonString with Reason \" from \" *\r\n | extend Reason = case(isempty(Reason), ReasonString,\r\n Reason)\r\n | lookup EventResultMapping on Reason\r\n | extend \r\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\",\r\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\r\n | project-away Reason, ReasonString;\r\n let all_302016_parsed = parsedData\r\n | where DeviceEventClassID == \"302016\"\r\n | parse Message with * \" connection 
\" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\r\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\";\r\n let all_302016_unparsed = unparsedData\r\n | where DeviceEventClassID == \"302016\"\r\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\r\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\r\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\r\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\r\n | extend \r\n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\r\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\r\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\r\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\"\r\n | project-away DstUsernameSimple, *InfoString;\r\n let all_302020_302021 = parsedData\r\n | where DeviceEventClassID in (\"302020\",\"302021\")\r\n | parse Message with * \"(\" SrcUsername \")\" *\r\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\r\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\r\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\r\n \"End\");\r\n let all_7_series = parsedData\r\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\r\n | parse Message with * \" to \" DstInterfaceName \":\" *;\r\n let all_106007 = parsedData\r\n | where DeviceEventClassID == \"106007\"\r\n | extend DstAppName = 
\"DNS\"\r\n | parse Message with * \" due to \" EventOriginalResultDetails;\r\n let all_106017 = parsedData\r\n | where DeviceEventClassID == \"106017\"\r\n | extend ThreatName = \"Land Attack\";\r\n let all_106100_parsed = parsedData\r\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\r\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\r\n \"Allow\")\r\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\r\n \"Success\")\r\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\r\n let all_106100_unparsed = unparsedData\r\n | where DeviceEventClassID == \"106100\"\r\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\r\n \"Allow\")\r\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\r\n \"Success\")\r\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\r\n let remainingLogs = parsedData\r\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\r\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\r\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\r\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\r\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, 
all_106100_unparsed, remainingLogs\r\n | extend \r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventVendor = \"Cisco\",\r\n EventProduct = \"ASA\",\r\n EventCount = coalesce(EventCount,toint(1)),\r\n EventType = \"NetworkSession\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion = \"0.2.4\",\r\n SrcInterfaceName = tolower(SrcInterfaceName),\r\n DstInterfaceName = tolower(SrcInterfaceName)\r\n | extend \r\n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\r\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\r\n isnotempty(SrcUsername), \"Simple\",\r\n \"\"),\r\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\r\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\r\n isnotempty(DstUsername), \"Simple\",\r\n \"\")\r\n | lookup ProtocolLookup on Protocol\r\n | project-rename \r\n EventProductVersion = DeviceVersion,\r\n EventOriginalType = DeviceEventClassID,\r\n EventOriginalSeverity = OriginalLogSeverity,\r\n DvcOriginalAction = DeviceAction,\r\n EventMessage = Message,\r\n Dvc = Computer\r\n | extend\r\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\r\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\r\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\r\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\r\n DstInterfaceName in (externalInterface), \"Outbound\",\r\n SrcInterfaceName in (externalInterface), \"Inbound\",\r\n \"\"),\r\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\r\n NetworkProtocol)\r\n | extend \r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Duration = NetworkDuration,\r\n IpAddr = SrcIpAddr,\r\n Rule = NetworkRuleName,\r\n 
User = DstUsername\r\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\r\n };\r\n NWParser (disabled=disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Cisco ASA.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"2722ab8e-1141-5636-97cd-4c416669a402","name":"_ASim_NetworkSession_CiscoASAV11","body":"let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\r\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\r\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\r\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\r\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \r\n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\r\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\r\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \r\n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\r\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\r\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\r\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\r\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 
'The SYN packet was not valid.',\r\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\r\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\r\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\r\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\r\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\r\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\r\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\r\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\r\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \r\n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. 
Subsequent packets rebuild the connection out of the interface with the better metric. To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \r\n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\r\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\r\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\r\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\r\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \r\n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\r\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\r\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\r\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\r\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \r\n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\r\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \r\n 'Xlate Clear', '', '', '', 'A command line was removed.',\r\n];\r\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\r\n \"0\",\"HOPOPT\"\r\n , \"1\",\"ICMP\"\r\n , \"2\",\"IGMP\"\r\n , \"3\",\"GGP\"\r\n , \"4\",\"IPv4\"\r\n , \"5\",\"ST\"\r\n , \"6\",\"TCP\"\r\n , \"7\",\"CBT\"\r\n , \"8\",\"EGP\"\r\n , \"9\",\"IGP\"\r\n , \"10\",\"BBN-RCC-MON\"\r\n , \"11\",\"NVP-II\"\r\n , 
\"12\",\"PUP\"\r\n , \"13\",\"ARGUS (deprecated)\"\r\n , \"14\",\"EMCON\"\r\n , \"15\",\"XNET\"\r\n , \"16\",\"CHAOS\"\r\n , \"17\",\"UDP\"\r\n , \"18\",\"MUX\"\r\n , \"19\",\"DCN-MEAS\"\r\n , \"20\",\"HMP\"\r\n , \"21\",\"PRM\"\r\n , \"22\",\"XNS-IDP\"\r\n , \"23\",\"TRUNK-1\"\r\n , \"24\",\"TRUNK-2\"\r\n , \"25\",\"LEAF-1\"\r\n , \"26\",\"LEAF-2\"\r\n , \"27\",\"RDP\"\r\n , \"28\",\"IRTP\"\r\n , \"29\",\"ISO-TP4\"\r\n , \"30\",\"NETBLT\"\r\n , \"31\",\"MFE-NSP\"\r\n , \"32\",\"MERIT-INP\"\r\n , \"33\",\"DCCP\"\r\n , \"34\",\"3PC\"\r\n , \"35\",\"IDPR\"\r\n , \"36\",\"XTP\"\r\n , \"37\",\"DDP\"\r\n , \"38\",\"IDPR-CMTP\"\r\n , \"39\",\"TP++\"\r\n , \"40\",\"IL\"\r\n , \"41\",\"IPv6\"\r\n , \"42\",\"SDRP\"\r\n , \"43\",\"IPv6-Route\"\r\n , \"44\",\"IPv6-Frag\"\r\n , \"45\",\"IDRP\"\r\n , \"46\",\"RSVP\"\r\n , \"47\",\"GRE\"\r\n , \"48\",\"DSR\"\r\n , \"49\",\"BNA\"\r\n , \"50\",\"ESP\"\r\n , \"51\",\"AH\"\r\n , \"52\",\"I-NLSP\"\r\n , \"53\",\"SWIPE (deprecated)\"\r\n , \"54\",\"NARP\"\r\n , \"55\",\"MOBILE\"\r\n , \"56\",\"TLSP\"\r\n , \"57\",\"SKIP\"\r\n , \"58\",\"IPv6-ICMP\"\r\n , \"59\",\"IPv6-NoNxt\"\r\n , \"60\",\"IPv6-Opts\"\r\n , \"61\",\"\"\r\n , \"62\",\"CFTP\"\r\n , \"63\",\"\"\r\n , \"64\",\"SAT-EXPAK\"\r\n , \"65\",\"KRYPTOLAN\"\r\n , \"66\",\"RVD\"\r\n , \"67\",\"IPPC\"\r\n , \"68\",\"\"\r\n , \"69\",\"SAT-MON\"\r\n , \"70\",\"VISA\"\r\n , \"71\",\"IPCV\"\r\n , \"72\",\"CPNX\"\r\n , \"73\",\"CPHB\"\r\n , \"74\",\"WSN\"\r\n , \"75\",\"PVP\"\r\n , \"76\",\"BR-SAT-MON\"\r\n , \"77\",\"SUN-ND\"\r\n , \"78\",\"WB-MON\"\r\n , \"79\",\"WB-EXPAK\"\r\n , \"80\",\"ISO-IP\"\r\n , \"81\",\"VMTP\"\r\n , \"82\",\"SECURE-VMTP\"\r\n , \"83\",\"VINES\"\r\n , \"84\",\"TTP\"\r\n , \"84\",\"IPTM\"\r\n , \"85\",\"NSFNET-IGP\"\r\n , \"86\",\"DGP\"\r\n , \"87\",\"TCF\"\r\n , \"88\",\"EIGRP\"\r\n , \"89\",\"OSPFIGP\"\r\n , \"90\",\"Sprite-RPC\"\r\n , \"91\",\"LARP\"\r\n , \"92\",\"MTP\"\r\n , \"93\",\"AX.25\"\r\n , \"94\",\"IPIP\"\r\n , \"95\",\"MICP (deprecated)\"\r\n , 
\"96\",\"SCC-SP\"\r\n , \"97\",\"ETHERIP\"\r\n , \"98\",\"ENCAP\"\r\n , \"99\",\"\"\r\n , \"100\",\"GMTP\"\r\n , \"101\",\"IFMP\"\r\n , \"102\",\"PNNI\"\r\n , \"103\",\"PIM\"\r\n , \"104\",\"ARIS\"\r\n , \"105\",\"SCPS\"\r\n , \"106\",\"QNX\"\r\n , \"107\",\"A/N\"\r\n , \"108\",\"IPComp\"\r\n , \"109\",\"SNP\"\r\n , \"110\",\"Compaq-Peer\"\r\n , \"111\",\"IPX-in-IP\"\r\n , \"112\",\"VRRP\"\r\n , \"113\",\"PGM\"\r\n , \"114\",\"\"\r\n , \"115\",\"L2TP\"\r\n , \"116\",\"DDX\"\r\n , \"117\",\"IATP\"\r\n , \"118\",\"STP\"\r\n , \"119\",\"SRP\"\r\n , \"120\",\"UTI\"\r\n , \"121\",\"SMP\"\r\n , \"122\",\"SM (deprecated)\"\r\n , \"123\",\"PTP\"\r\n , \"124\",\"ISIS over IPv4\"\r\n , \"125\",\"FIRE\"\r\n , \"126\",\"CRTP\"\r\n , \"127\",\"CRUDP\"\r\n , \"128\",\"SSCOPMCE\"\r\n , \"129\",\"IPLT\"\r\n , \"130\",\"SPS\"\r\n , \"131\",\"PIPE\"\r\n , \"132\",\"SCTP\"\r\n , \"133\",\"FC\"\r\n , \"134\",\"RSVP-E2E-IGNORE\"\r\n , \"135\",\"Mobility Header\"\r\n , \"136\",\"UDPLite\"\r\n , \"137\",\"MPLS-in-IP\"\r\n , \"138\",\"manet\"\r\n , \"139\",\"HIP\"\r\n , \"140\",\"Shim6\"\r\n , \"141\",\"WESP\"\r\n , \"142\",\"ROHC\"\r\n , \"143\",\"Ethernet\"\r\n , \"253\",\"\"\r\n , \"254\",\"\"\r\n , \"255\",\"Reserved\"\r\n ];\r\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\r\n \"106001\", \"Deny\", \"Failure\",\r\n \"106002\", \"Deny\", \"Failure\",\r\n \"106006\", \"Deny\", \"Failure\",\r\n \"106007\", \"Deny\", \"Failure\",\r\n \"106010\", \"Deny\", \"Failure\",\r\n \"106012\", \"Deny\", \"Failure\",\r\n \"106013\", \"Drop\", \"Failure\",\r\n \"106014\", \"Deny\", \"Failure\",\r\n \"106015\", \"Deny\", \"Failure\",\r\n \"106016\", \"Deny\", \"Failure\",\r\n \"106017\", \"Deny\", \"Failure\",\r\n \"106018\", \"Deny\", \"Failure\",\r\n \"106020\", \"Deny\", \"Failure\",\r\n \"106021\", \"Deny\", \"Failure\",\r\n \"106022\", \"Deny\", \"Failure\",\r\n \"106023\", \"Deny\", \"Failure\",\r\n \"106100\", \"\", \"\",\r\n \"302013\", 
\"Allow\", \"Success\",\r\n \"302014\", \"\", \"\", \r\n \"302015\", \"Allow\", \"Success\",\r\n \"302016\", \"Allow\", \"Success\",\r\n \"302020\", \"Allow\", \"Success\",\r\n \"302021\", \"Allow\", \"Success\",\r\n \"710002\", \"Allow\", \"Success\",\r\n \"710003\", \"Deny\", \"Failure\",\r\n \"710004\", \"Drop\", \"Failure\",\r\n \"710005\", \"Drop\", \"Failure\",\r\n ];\r\n let NWParser = (disabled:bool=false)\r\n { \r\n let allLogs = CommonSecurityLog\r\n | where not(disabled)\r\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\r\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\r\n | lookup ActionResultLookup on DeviceEventClassID\r\n | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\r\n let parsedData = allLogs\r\n | where isnotempty(SourceIP)\r\n | project-rename NetworkRuleName = DeviceCustomString2,\r\n SrcIpAddr = SourceIP,\r\n SrcPortNumber = SourcePort,\r\n DstIpAddr = DestinationIP, \r\n DstPortNumber = DestinationPort;\r\n let unparsedData = allLogs\r\n | where isempty(SourceIP)\r\n | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\r\n let all_106001_alike = parsedData\r\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \r\n | parse Message with * \" interface \" 
DstInterfaceName;\r\n let all_106010_alike = parsedData\r\n | where DeviceEventClassID in (\"106010\", \"106014\")\r\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\r\n let all_106018 = parsedData\r\n | where DeviceEventClassID == \"106018\"\r\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\r\n let all_106023 = parsedData\r\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\r\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\r\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\r\n let all_106023_unparsed = unparsedData\r\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\r\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\r\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\r\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\r\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\r\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\r\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\r\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\r\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\r\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\r\n DstPortNumber = toint(DstIpAddrAndPort[1])\r\n | project-away 
SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\r\n let all_106023_41 = unparsedData\r\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\r\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\r\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\r\n | extend Protocol = case(isnotempty(Protocol), Protocol,\r\n ProtocolFromLog endswith \"41\", \"41\",\r\n \"\"),\r\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\r\n | project-away ProtocolFromLog;\r\n let all_302013_302015_parsed = parsedData\r\n | where DeviceEventClassID in (\"302013\",\"302015\")\r\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\r\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\r\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"Start\";\r\n let all_302013_302015_unparsed = unparsedData\r\n | where DeviceEventClassID in (\"302013\",\"302015\")\r\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\r\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\r\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\r\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\r\n NetworkDirection == \"outbound\", 
\"Outbound\",\r\n \"\"),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"Start\"; \r\n let all_302014_unparsed = unparsedData\r\n | where DeviceEventClassID == \"302014\"\r\n | project-away DvcAction, EventResult\r\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\r\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\r\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\r\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\r\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\r\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\r\n // 1. empty --> no mapping required, RemainingString will be empty \r\n | parse Message with * \" bytes \" * \" \" RemainingString\r\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\r\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\r\n // Now to cover case #3 and 5. 
TCP FINs from OUTSIDE, adding check for the word \"from\" \r\n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\r\n ReasonString)\r\n // Finally extract the required Reason information from the string to be utilized later\r\n | parse ReasonString with Reason \" from \" *\r\n | extend Reason = case(isempty(Reason), ReasonString,\r\n Reason)\r\n | lookup EventResultMapping on Reason\r\n | extend \r\n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\r\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\r\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\r\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\",\r\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\r\n | project-away DstUsernameSimple, *String, Reason;\r\n let all_302014_parsed = parsedData\r\n | where DeviceEventClassID == \"302014\"\r\n | project-away DvcAction, EventResult\r\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\r\n | parse Message with * \" bytes \" * \" \" ReasonString\r\n | parse ReasonString with Reason \" from \" *\r\n | extend Reason = case(isempty(Reason), ReasonString,\r\n Reason)\r\n | lookup EventResultMapping on Reason\r\n | extend \r\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\",\r\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\r\n | project-away Reason, ReasonString;\r\n let all_302016_parsed = parsedData\r\n | where DeviceEventClassID == \"302016\"\r\n | parse Message with * \" connection 
\" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\r\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\";\r\n let all_302016_unparsed = unparsedData\r\n | where DeviceEventClassID == \"302016\"\r\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\r\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\r\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\r\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\r\n | extend \r\n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\r\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\r\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\r\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\"\r\n | project-away DstUsernameSimple, *InfoString;\r\n let all_302020_302021 = parsedData\r\n | where DeviceEventClassID in (\"302020\",\"302021\")\r\n | parse Message with * \"(\" SrcUsername \")\" *\r\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\r\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\r\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\r\n \"End\");\r\n let all_7_series = parsedData\r\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\r\n | parse Message with * \" to \" DstInterfaceName \":\" *;\r\n let all_106007 = parsedData\r\n | where DeviceEventClassID == \"106007\"\r\n | extend DstAppName = 
\"DNS\"\r\n | parse Message with * \" due to \" EventOriginalResultDetails;\r\n let all_106017 = parsedData\r\n | where DeviceEventClassID == \"106017\"\r\n | extend ThreatName = \"Land Attack\";\r\n let all_106100_parsed = parsedData\r\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\r\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\r\n \"Allow\")\r\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\r\n \"Success\")\r\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\r\n let all_106100_unparsed = unparsedData\r\n | where DeviceEventClassID == \"106100\"\r\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\r\n \"Allow\")\r\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\r\n \"Success\")\r\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\r\n let remainingLogs = parsedData\r\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\r\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\r\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\r\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\r\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, 
all_106100_unparsed, remainingLogs\r\n | extend \r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventVendor = \"Cisco\",\r\n EventProduct = \"ASA\",\r\n EventCount = coalesce(EventCount,toint(1)),\r\n EventType = \"NetworkSession\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion = \"0.2.4\",\r\n SrcInterfaceName = tolower(SrcInterfaceName),\r\n DstInterfaceName = tolower(DstInterfaceName)\r\n | extend \r\n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\r\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\r\n isnotempty(SrcUsername), \"Simple\",\r\n \"\"),\r\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\r\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\r\n isnotempty(DstUsername), \"Simple\",\r\n \"\")\r\n | lookup ProtocolLookup on Protocol\r\n | project-rename \r\n EventProductVersion = DeviceVersion,\r\n EventOriginalType = DeviceEventClassID,\r\n EventOriginalSeverity = OriginalLogSeverity,\r\n DvcOriginalAction = DeviceAction,\r\n EventMessage = Message,\r\n Dvc = Computer\r\n | extend\r\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\r\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\r\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\r\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\r\n DstInterfaceName in (externalInterface), \"Outbound\",\r\n SrcInterfaceName in (externalInterface), \"Inbound\",\r\n \"\"),\r\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\r\n NetworkProtocol)\r\n | extend \r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Duration = NetworkDuration,\r\n IpAddr = SrcIpAddr,\r\n Rule = NetworkRuleName,\r\n 
User = DstUsername\r\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\r\n };\r\n NWParser (disabled=disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Cisco ASA.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"ab36ec57-c9a0-5291-8aec-d848bc3757e3","name":"_ASim_NetworkSession_CiscoFirepowerV01","body":"let ActionLookup = datatable(\r\n DeviceAction: string,\r\n DvcAction: string,\r\n EventResult: string\r\n)\r\n [\r\n \"Blocked\", \"Deny\", \"Failure\",\r\n \"Alerted\", \"Allow\", \"Success\",\r\n \"Rewritten\", \"Allow\", \"Success\",\r\n \"Would be Rewritten\", \"Allow\", \"Partial\",\r\n \"Would be Blocked\", \"Deny\", \"Partial\",\r\n \"Would Be Blocked\", \"Deny\", \"Partial\",\r\n \"Dropped\", \"Drop\", \"Failure\",\r\n \"Would be Dropped\", \"Drop\", \"Partial\",\r\n \"Partially Dropped\", \"Drop\", \"Partial\",\r\n \"Would be Block\", \"Deny\", \"Partial\",\r\n \"Partial Blocked\", \"Deny\", \"Partial\",\r\n \"Rejected\", \"Deny\", \"Failure\",\r\n \"Would be Rejected\", \"Deny\", \"Partial\",\r\n \"Would Rejected\", \"Deny\", \"Partial\",\r\n \"Block\", \"Deny\", \"Failure\",\r\n \"Partial Block\", \"Deny\", \"Partial\",\r\n \"Drop\", \"Drop\", \"Failure\",\r\n \"Would Drop\", \"Drop\", \"Partial\",\r\n \"Reject\", \"Deny\", \"Failure\",\r\n \"Rewrite\", \"Allow\", \"Success\",\r\n \"Allow\", \"Allow\", \"Success\",\r\n \"Monitor\", \"Allow\", \"Success\"\r\n];\r\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\r\n [\r\n \"0\", \"Low\",\r\n \"1\", \"Low\",\r\n \"2\", \"Low\",\r\n \"3\", \"Low\",\r\n \"4\", \"Medium\",\r\n \"5\", \"Medium\",\r\n \"6\", \"Medium\",\r\n \"7\", \"High\",\r\n \"8\", \"High\",\r\n \"9\", \"High\",\r\n \"10\", \"High\"\r\n];\r\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)\r\n [\r\n \"N/A\", \"NA\",\r\n \"IP Block\", 
\"Terminated\",\r\n \"IP Monitor\", \"Unknown\",\r\n \"User Bypass\", \"Unknown\",\r\n \"File Monitor\", \"Unknown\",\r\n \"File Block\", \"Terminated\",\r\n \"Intrusion Monitor\", \"Unknown\",\r\n \"Intrusion Block\", \"Terminated\",\r\n \"File Resume Block\", \"Terminated\",\r\n \"File Resume Allow\", \"Unknown\",\r\n \"File Custom Detection\", \"Unknown\"\r\n];\r\nlet parser = (disabled: bool=false) {\r\n let AllLogs = CommonSecurityLog\r\n | where not(disabled) \r\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\r\n and DeviceEventClassID has_any(\"INTRUSION:400\", \"PV:112\", \"RNA:1003:1\")\r\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\r\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol);\r\n let Connection_Statistics_Events = AllLogs\r\n | where DeviceEventClassID has \"RNA:1003:1\"\r\n | parse-kv AdditionalExtensions as (\r\n start: long,\r\n end: long,\r\n bytesIn: long,\r\n bytesOut: long,\r\n )\r\n with (pair_delimiter=';', kv_delimiter='=')\r\n | lookup EventResultDetailsLookup on Reason\r\n | extend\r\n SrcBytes = bytesIn,\r\n DstBytes = bytesOut,\r\n EventOriginalResultDetails = Reason,\r\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\r\n \"instanceID\", ProcessID,\r\n \"clientApplicationID\", RequestClientApplication,\r\n \"clientUrl\", RequestURL);\r\n let Intrusion_Events = AllLogs\r\n | where DeviceEventClassID has \"INTRUSION:400\"\r\n | parse-kv AdditionalExtensions as (\r\n start: long\r\n )\r\n with (pair_delimiter=';', kv_delimiter='=')\r\n | extend \r\n EventMessage = Activity,\r\n ThreatCategory = DeviceEventCategory,\r\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\r\n \"ipspolicy\", DeviceCustomString5,\r\n \"clientApplicationID\", RequestClientApplication,\r\n \"clientUrl\", RequestURL);\r\n let Policy_Violation_Events = AllLogs\r\n | where DeviceEventClassID has \"PV:112\"\r\n | 
extend\r\n EventMessage = Message,\r\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1)\r\n | project-rename DstUsername = DestinationUserName\r\n | extend\r\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\r\n DstUserType = _ASIM_GetUserType(DstUsername, \"\");\r\n union Connection_Statistics_Events, Intrusion_Events, Policy_Violation_Events\r\n | extend\r\n SrcPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), SourcePort),\r\n DstPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), DestinationPort),\r\n NetworkIcmpCode = iff(NetworkProtocol == \"ICMP\", DestinationPort, int(null)),\r\n NetworkIcmpType = iff(NetworkProtocol == \"ICMP\", tostring(SourcePort), \"\"),\r\n SrcZone = DeviceCustomString3,\r\n DstZone = DeviceCustomString4\r\n | lookup ActionLookup on DeviceAction\r\n | lookup EventSeverityLookup on LogSeverity\r\n | extend \r\n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\r\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\r\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\r\n EventOriginalType = iff(DeviceEventClassID has \"INTRUSION:400\", \"INTRUSION EVENT\", Activity),\r\n SrcVlanId = tostring(DeviceCustomNumber1)\r\n | extend\r\n EventEndTime = coalesce(unixtime_milliseconds_todatetime(end), EventStartTime),\r\n NetworkProtocolVersion = case(\r\n DstIpAddr contains \".\",\r\n \"IPv4\",\r\n DstIpAddr contains \":\",\r\n \"IPv6\",\r\n \"\"\r\n )\r\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\r\n | extend\r\n DvcIpAddr = Ip_device,\r\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\r\n | extend host = coalesce(DeviceName, Computer)\r\n | invoke _ASIM_ResolveDvcFQDN('host')\r\n | invoke _ASIM_ResolveDstFQDN('DestinationDnsDomain')\r\n | extend\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion = 
\"0.2.6\",\r\n EventType = \"NetworkSession\",\r\n EventCount = int(1)\r\n | project-rename \r\n EventProduct = DeviceProduct,\r\n EventVendor = DeviceVendor,\r\n SrcUsername = SourceUserName,\r\n DvcInboundInterface = DeviceInboundInterface,\r\n DvcOutboundInterface = DeviceOutboundInterface,\r\n EventOriginalSeverity = LogSeverity,\r\n DvcId = DeviceExternalID,\r\n NetworkApplicationProtocol = ApplicationProtocol,\r\n EventProductVersion = DeviceVersion,\r\n EventOriginalUid = ExtID,\r\n NetworkRuleName = DeviceCustomString2,\r\n EventUid = _ItemId,\r\n DvcOriginalAction = DeviceAction\r\n | extend\r\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\r\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\r\n DvcIdType = \"Other\"\r\n | extend \r\n IpAddr = SrcIpAddr,\r\n InnerVlanId = SrcVlanId,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Dvc = coalesce(DvcIpAddr, DvcHostname),\r\n Rule = NetworkRuleName,\r\n User = SrcUsername,\r\n Hostname = DstHostname\r\n | project-away\r\n bytesIn,\r\n bytesOut,\r\n start,\r\n end,\r\n CommunicationDirection,\r\n AdditionalExtensions,\r\n Device*,\r\n Source*,\r\n Destination*,\r\n Activity,\r\n ProcessID,\r\n Protocol,\r\n Reason,\r\n ReceiptTime,\r\n SimplifiedDeviceAction,\r\n OriginalLogSeverity,\r\n ProcessName,\r\n EndTime,\r\n ExternalID,\r\n File*,\r\n ReceivedBytes,\r\n Message,\r\n Old*,\r\n EventOutcome,\r\n Request*,\r\n StartTime,\r\n Field*,\r\n Flex*,\r\n Remote*,\r\n Malicious*,\r\n ThreatConfidence,\r\n ThreatSeverity,\r\n IndicatorThreatType,\r\n ThreatDescription,\r\n _ResourceId,\r\n SentBytes,\r\n ReportReferenceLink,\r\n Computer,\r\n TenantId,\r\n Ip_*,\r\n host,\r\n NetworkProtocolNumber\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Cisco 
Firepower.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"123c03bc-6d03-53ca-8027-8a1172717fbe","name":"_ASim_NetworkSession_CiscoISEV11","body":"let EventFieldsLookup=datatable(\r\nEventOriginalType: string,\r\nEventResult: string,\r\nDvcAction: string,\r\nEventResultDetails: string,\r\nEventSubType: string,\r\nEventOriginalSeverity: string,\r\nEventSeverity: string,\r\nEventMessage: string,\r\nEventOriginalResultDetails: string\r\n)[\r\n\"60188\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"INFO\", \"Low\", \"An attempted SSH connection has failed\", \"An attempted SSH connection has failed\",\r\n\"60234\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"The SXP connection has been disconnected\", \"The SXP connection has been disconnected\",\r\n\"60235\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"SXP connection succeeded\", \"SXP connection succeeded\",\r\n\"60236\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"SXP connection failed\", \"SXP connection failed\",\r\n\"61010\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"ISE has established connection to APIC\", \"ISE has established connection to APIC\",\r\n\"61011\", \"Success\", \"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"ISE was disconnected from APIC\", \"ISE was disconnected from APIC\",\r\n\"61025\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Open secure connection with TLS peer\", \"Secure connection established with TLS peer\",\r\n\"61026\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Shutdown secure connection with TLS peer\", \"Secure connection with TLS peer shutdown\",\r\n\"60509\", \"Failure\", \"Deny\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"ERS request was denied as maximum possible connection was exceeded\", \"ERS request was denied as 
maximum possible connection was exceeded\",\r\n\"61231\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while receiving message\", \"Kafka connection to ACI error while receiving message\",\r\n\"61232\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while sending message\", \"Kafka connection to ACI error while sending message\",\r\n\"89003\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Failed to connect to MDM server\", \"Failed to connect to MDM server\",\r\n\"24000\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection established with LDAP server\", \"Connection established with LDAP server\",\r\n\"24001\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot establish connection with LDAP server\", \"Cannot establish connection with LDAP server\",\r\n\"24019\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"LDAP connection error was encountered\", \"ISE cannot connect to LDAP external ID store\",\r\n\"24030\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"SSL connection error was encountered\", \"SSL connection error was encountered\",\r\n\"24400\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection to ISE Active Directory agent established successfully\", \"Connection to ISE Active Directory agent established successfully\",\r\n\"24401\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with ISE Active Directory agent\", \"Could not establish connection with ISE Active Directory agent\",\r\n\"24428\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Connection related error has occurred in either LRPC, LDAP or KERBEROS\", \"This RPC connection problem may be because the stub received incorrect data\",\r\n\"24429\", \"Failure\", 
\"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with Active Directory\", \"Could not establish connection with Active Directory\",\r\n\"24850\", \"Success\", \"Allow\", \"\", \"Start\", \"DEBUG\", \"Informational\", \"Successfully connected to external ODBC database\", \"ISE successfully established a new connection to external ODBC database\",\r\n\"24851\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"DEBUG\", \"Low\", \"Connection to external ODBC database failed\", \"ISE failed to establish a new connection to external ODBC database\",\r\n\"34120\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Profiler failed to get the connection to NAC Manager\", \"Profiler sends a notification event to NAC Manager, but the notification fails because could not connect to NAC Manager\",\r\n\"34147\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"JGroups TLS Handshake Failed\", \"JGroups TLS Handshake Failed\",\r\n\"34148\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"JGroups TLS Handshake Succeeded\", \"JGroups TLS Handshake Succeeded\",\r\n\"34149\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"HTTPS TLS Handshake Failed\", \"HTTPS TLS Handshake Failed\",\r\n\"34150\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"HTTPS TLS Handshake Succeeded\", \"HTTPS TLS Handshake Succeeded\",\r\n\"34159\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAPS connection established successfully\", \"LDAPS connection established successfully\",\r\n\"34160\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAPS connection terminated successfully\", \"LDAPS connection terminated successfully\",\r\n\"34161\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with SSL error\", \"LDAPS connection establishment failed with 
SSL error\",\r\n\"34162\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with SSL error\", \"LDAPS connection terminated with SSL error\",\r\n\"34163\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with non-SSL error\", \"LDAPS connection establishment failed with non-SSL error\",\r\n\"34164\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with non-SSL error\", \"LDAPS connection terminated with non-SSL error\",\r\n\"90062\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot connect to Domain Controller\", \"Cannot connect to Domain Controller\",\r\n\"90063\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Successfully establish connection to Domain Controller\", \"Successfully establish connection to Domain Controller\",\r\n\"90066\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Lost connection with Domain Controller\", \"Lost connection with Domain Controller\",\r\n\"90078\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Closed connection to Domain Controller\", \"Closed connection to Domain Controller\",\r\n\"91082\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"RADIUS DTLS: Connection to OCSP server failed\", \"RADIUS DTLS: Connection attempt to OCSP server failed.\",\r\n\"11317\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"TrustSec SSH connection failed\", \"ISE failed to establish SSH connection to a network device. Verify network device SSH credentials in the Network Device page are similar to the credentials configured on the network device. 
Check network device enabled ssh connections from ISE (ip address)\",\r\n\"5405\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"RADIUS Request dropped\", \"RADIUS request dropped\",\r\n\"5406\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"TACACS+ Request dropped\", \"TACACS+ request dropped\"\r\n];\r\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \r\n | summarize make_set(EventOriginalType));\r\nlet GetSrcIpAddr = (src_ip: string) {\r\n case ( \r\n src_ip matches regex @\"\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\",\r\n src_ip,\r\n \"\"\r\n )\r\n};\r\nlet GetMacAddr = (mac: string) {\r\n case ( \r\n mac matches regex @\"[a-fA-F0-9\\-:]{17}\",\r\n mac,\r\n \"\"\r\n )\r\n};\r\nlet CiscoISENSParser=(disabled: bool=false) {\r\n Syslog\r\n | where not(disabled)\r\n | where ProcessName has_any (\"CISE\", \"CSCO\")\r\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\r\n | where EventOriginalType in (EventOriginalTypeList)\r\n | lookup EventFieldsLookup on EventOriginalType\r\n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, DestinationIPAddress: string, DestinationPort: int, ['Remote-Address']: string, ['Device IP Address']: string, ['User-Name']: string, UserName: string, User: string, ['Device Port']: int, Protocol: string, ['Calling-Station-ID']: string, ['Called-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\r\n | project-rename\r\n DstIpAddr=DestinationIPAddress\r\n , DstPortNumber=DestinationPort\r\n , SrcPortNumber=['Device Port']\r\n , NetworkApplicationProtocol=Protocol\r\n | invoke _ASIM_ResolveSrcFQDN(\"['Calling-Station-ID']\")\r\n | extend \r\n EventVendor = \"Cisco\"\r\n , EventProduct = \"ISE\"\r\n , EventProductVersion = \"3.2\"\r\n , EventCount = int(1)\r\n , EventSchema = \"NetworkSession\"\r\n , EventSchemaVersion = \"0.2.6\"\r\n , EventStartTime = 
coalesce(EventTime, TimeGenerated)\r\n , EventEndTime = coalesce(EventTime, TimeGenerated)\r\n , EventType = \"NetworkSession\"\r\n , EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\r\n , DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\r\n , DstMacAddr = GetMacAddr(['Called-Station-ID'])\r\n , SrcMacAddr = GetMacAddr(['Calling-Station-ID'])\r\n , DstUsername = coalesce(UserName, ['User-Name'], User)\r\n | extend\r\n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\r\n , DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\r\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], GetSrcIpAddr(['Calling-Station-ID']))\r\n //********************** ************************\r\n | extend \r\n Dvc = coalesce(DvcHostname, DvcIpAddr)\r\n , IpAddr = SrcIpAddr\r\n , Dst = DstIpAddr\r\n , Src = SrcIpAddr\r\n , User = DstUsername\r\n //********************** ***********************\r\n | project-away\r\n TenantId,\r\n SourceSystem,\r\n MG,\r\n Computer,\r\n EventTime,\r\n Facility,\r\n HostName,\r\n SeverityLevel,\r\n SyslogMessage,\r\n HostIP,\r\n ProcessName,\r\n ProcessID,\r\n _ResourceId,\r\n FailureReason,\r\n NetworkDeviceName,\r\n ['User-Name'],\r\n UserName,\r\n ['Device IP Address'],\r\n ['Remote-Address'],\r\n ['Calling-Station-ID'],\r\n ['Called-Station-ID']\r\n};\r\nCiscoISENSParser(disabled=disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Cisco ISE.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"fb1c0a95-92fa-56ec-9e88-e79dba5ba6b6","name":"_ASim_NetworkSession_CiscoMerakiSyslogV12","body":"let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\r\n[\r\n \"0\", \"Unknown\",\r\n \"1\", \"Unknown\",\r\n \"2\", \"Timeout\",\r\n \"3\", 
\"Terminated\",\r\n \"4\", \"Timeout\",\r\n \"5\", \"Transient error\",\r\n \"6\", \"Invalid Tunnel\",\r\n \"7\", \"Invalid Tunnel\",\r\n \"8\", \"Terminated\",\r\n \"9\", \"Invalid Tunnel\",\r\n \"10\", \"Unknown\",\r\n \"11\", \"Invalid TCP\",\r\n \"12\", \"Unknown\",\r\n \"13\", \"Invalid TCP\",\r\n \"14\", \"Invalid Tunnel\",\r\n \"15\", \"Invalid TCP\",\r\n \"16\", \"Timeout\",\r\n \"17\", \"Invalid Tunnel\",\r\n \"18\", \"Invalid TCP\",\r\n \"19\", \"Invalid TCP\",\r\n \"20\", \"Invalid TCP\",\r\n \"21\", \"Unknown\",\r\n \"22\", \"Invalid TCP\",\r\n \"23\", \"Invalid Tunnel\",\r\n \"24\", \"Invalid Tunnel\",\r\n \"32\", \"Unknown\",\r\n \"33\", \"Invalid TCP\",\r\n \"34\", \"Invalid TCP\",\r\n \"35\", \"Invalid TCP\",\r\n \"36\", \"Unknown\",\r\n \"37\", \"Unknown\",\r\n \"38\", \"Unknown\",\r\n \"39\", \"Timeout\",\r\n \"40\", \"Invalid TCP\",\r\n \"98\", \"Unknown\",\r\n \"99\", \"Unknown\"\r\n];\r\nlet NetworkIcmpTypeLookup=datatable(\r\n NetworkIcmpCode_lookup: int,\r\n NetworkIcmpType_lookup: string\r\n)\r\n [\r\n 0, \"Reserved\",\r\n 1, \"Destination Unreachable\",\r\n 2, \"Packet Too Big\",\r\n 3, \"Time Exceeded\",\r\n 4, \"Parameter Problem\",\r\n 100, \"Private experimentation\",\r\n 101, \"Private experimentation\",\r\n 127, \"Reserved for expansion of ICMPv6 error messages\",\r\n 128, \"Echo Request\",\r\n 129, \"Echo Reply\",\r\n 130, \"Multicast Listener Query\",\r\n 131, \"Multicast Listener Report\",\r\n 132, \"Multicast Listener Done\",\r\n 133, \"Router Solicitation\",\r\n 134, \"Router Advertisement\",\r\n 135, \"Neighbor Solicitation\",\r\n 136, \"Neighbor Advertisement\",\r\n 137, \"Redirect Message\",\r\n 138, \"Router Renumbering\",\r\n 139, \"ICMP Node Information Query\",\r\n 140, \"ICMP Node Information Response\",\r\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\r\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\r\n 143, \"Version 2 Multicast Listener Report\",\r\n 144, \"Home Agent Address Discovery 
Request Message\",\r\n 145, \"Home Agent Address Discovery Reply Message\",\r\n 146, \"Mobile Prefix Solicitation\",\r\n 147, \"Mobile Prefix Advertisement\",\r\n 148, \"Certification Path Solicitation Message\",\r\n 149, \"Certification Path Advertisement Message\",\r\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\r\n 151, \"Multicast Router Advertisement\",\r\n 152, \"Multicast Router Solicitation\",\r\n 153, \"Multicast Router Termination\",\r\n 154, \"FMIPv6 Messages\",\r\n 155, \"RPL Control Message\",\r\n 156, \"ILNPv6 Locator Update Message\",\r\n 157, \"Duplicate Address Request\",\r\n 158, \"Duplicate Address Confirmation\",\r\n 159, \"MPL Control Message\",\r\n 160, \"Extended Echo Request\",\r\n 161, \"Extended Echo Reply\",\r\n 200, \"Private experimentation\",\r\n 201, \"Private experimentation\",\r\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\r\n];\r\nlet NetworkProtocolLookup=datatable(\r\n protocol: string,\r\n NetworkProtocol_lookup: string,\r\n NetworkProtocolVersion: string\r\n)[\r\n \"tcp\", \"TCP\", \"\",\r\n \"tcp/ip\", \"TCP\", \"\",\r\n \"udp\", \"UDP\", \"\",\r\n \"udp/ip\", \"UDP\", \"\",\r\n \"icmp\", \"ICMP\", \"IPV4\",\r\n \"icmp6\", \"ICMP\", \"IPV6\",\r\n];\r\nlet EventSeverityPriorityLookup=datatable(priority: string, EventSeverity: string)[\r\n \"1\", \"High\",\r\n \"2\", \"Medium\",\r\n \"3\", \"Low\",\r\n \"4\", \"Informational\"\r\n];\r\nlet EventSeverityDvcActionLookup=datatable(DvcAction: string, EventSeverity: string)[\r\n \"Allow\", \"Informational\",\r\n \"Deny\", \"Low\"\r\n];\r\nlet NetworkDirectionLookup=datatable(direction: string, NetworkDirection: string)[\r\n \"ingress\", \"Inbound\",\r\n \"egress\", \"Outbound\",\r\n \"Unknown\", \"NA\"\r\n];\r\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\r\n \"allow\", \"Allow\", \"Success\",\r\n \"deny\", \"Deny\", \"Failure\",\r\n \"Blocked\", \"Deny\", 
\"Failure\"\r\n];\r\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\r\n \"association\", \"Success\",\r\n \"disassociation\", \"Failure\",\r\n \"Virtual router collision\", \"Failure\",\r\n];\r\nlet parser=(disabled: bool=false) {\r\n let allData = (\r\n Syslog\r\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\r\n | project-rename LogMessage = SyslogMessage\r\n );\r\n let PreFilteredData = allData\r\n | where not(disabled) and (\r\n LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\", \"cellular_firewall\", \"vpn_firewall\", \"ip_flow_start\", \"ip_flow_end\") \r\n or LogMessage has_all(\"security_event\", \"ids-alerted\") \r\n or LogMessage has_all(\"security_event\", \"ids_alerted\")\r\n or (LogMessage has \"events\" and (LogMessage has_any (\"Blocked DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", \"dhcp\"))))) \r\n or (LogMessage has \"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\"))\r\n )\r\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\r\n | extend\r\n LogType = tostring(Parser[2]),\r\n Substring = tostring(Parser[3]);\r\n let FlowsFirewallData = PreFilteredData\r\n | where LogType in (\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\", \"ip_flow_start\", \"ip_flow_end\")\r\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int, translated_dst_ip: string, translated_port: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\r\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\r\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: 
string\r\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\r\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\r\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\r\n | invoke _ASIM_ResolveICMPType('type_icmp4')\r\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\r\n | extend NetworkIcmpType = iff(isnotempty(NetworkIcmpCode), coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\r\n | extend pattern = coalesce(pattern1, pattern2)\r\n | lookup DvcActionLookup on pattern\r\n | lookup EventSeverityDvcActionLookup on DvcAction\r\n | extend\r\n SrcMacAddr = trim('\"', mac),\r\n EventType = \"Flow\";\r\n let IDSAlertData = PreFilteredData\r\n | where LogType in (\"ids-alerts\", \"security_event\")\r\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \r\n | where LogType == \"security_event\" and (LogSubType == \"ids-alerted\" or LogSubType == \"ids_alerted\") or LogType == \"ids-alerts\"\r\n | parse-kv Substring as(priority: string, timestamp: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\r\n | extend EventResult = \"Success\"\r\n | extend\r\n priority = trim('\"', priority),\r\n direction = trim('\"', direction)\r\n | lookup EventSeverityPriorityLookup on priority\r\n | lookup NetworkDirectionLookup on direction\r\n | extend AdditionalFields = bag_pack(\r\n \"signature\", trim('\"', signature)\r\n )\r\n | extend\r\n SrcMacAddr = trim('\"', shost),\r\n DstMacAddr = trim('\"', dhost),\r\n EventMessage = trim('\"', message);\r\n let AirmarshalEvents = PreFilteredData\r\n | where LogType in (\"airmarshal_events\")\r\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\r\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with 
(pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\r\n | extend\r\n SrcMacAddr = trim('\"', src),\r\n DstMacAddr = trim('\"', dst),\r\n DvcMacAddr = trim('\"', wired_mac)\r\n | extend\r\n EventResult = \"Success\",\r\n EventSeverity = \"High\";\r\n let EventsData = PreFilteredData\r\n | where LogType == \"events\";\r\n let EventsData_associ = EventsData\r\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\r\n | where LogSubType == \"association\" or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\r\n | parse-kv Substring as (last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\r\n | extend AdditionalFields = bag_pack(\r\n \"aid\", aid,\r\n \"rssi\", rssi\r\n )\r\n | extend SrcMacAddr = trim('\"', client_mac)\r\n | lookup EventResultLookup on LogSubType\r\n | extend EventResult = EventResult_type\r\n | lookup EventResultDetailsLookup on reason\r\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) = 25 and toint(reason) = 25 and toint(reason) = 25 and toint(reason) = 25 and toint(reason) = 25 and toint(reason) = 200000, \"High\",\r\n MessageCode 3')\r\n | project-away ProcessName, ProcessID\r\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\r\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\r\n ;\r\n let parser = (T: (SyslogMessage: string)) {\r\n T \r\n | parse SyslogMessage with \r\n *\r\n '' EventOriginalUid:string ''\r\n *\r\n '' SysmonComputer:string ''\r\n *\r\n '' RuleName:string ''\r\n '' EventEndTime:datetime ''\r\n '{' ProcessGuid:string '}'\r\n '' ProcessId:string ''\r\n '' Process:string ''\r\n '' User:string ''\r\n '' Protocol:string '' // -- source is lowercase\r\n '' Initiated:bool '' \r\n '' SourceIsIpv6:bool ''\t\t\r\n '' * ''\r\n '' 
SrcHostname:string ''\r\n '' SrcPortNumber:int ''\r\n '' SrcPortName:string ''\r\n '' DestinationIsIpv6:bool ''\r\n '' DstIpAddr:string ''\r\n '' DstHostname:string ''\r\n '' DstPortNumber:int ''\r\n '' DstPortName:string ''\r\n *\r\n };\r\n let OutboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where outbound\r\n | invoke parser ()\r\n | extend\r\n SrcUsernameType = 'Simple',\r\n SrcUsername = User,\r\n SrcProcessId = ProcessId, \r\n SrcProcessGuid = ProcessGuid,\r\n SrcProcessName = Process,\r\n SrcAppName = Process,\r\n SrcAppType = 'Process'\r\n | project-away SyslogMessage\r\n ;\r\n let InboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where not(outbound)\r\n | invoke parser ()\r\n | extend\r\n DstUsernameType = 'Simple',\r\n DstUsername = User,\r\n DstProcessId = ProcessId, \r\n DstProcessGuid = ProcessGuid,\r\n DstProcessName = Process,\r\n DstAppName = Process,\r\n DstAppType = 'Process' \r\n | project-away SyslogMessage\r\n ; \r\n let SysmonForLinuxNetwork=\r\n union OutboundNetworkEvents, InboundNetworkEvents\r\n | extend \r\n EventType = 'NetworkSession',\r\n EventStartTime = EventEndTime,\r\n EventCount = int(1),\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.2.0',\r\n EventSchema = 'NetworkSession', \r\n EventProduct = 'Sysmon for Linux',\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n DvcOs = 'Linux',\r\n Protocol = toupper(Protocol),\r\n EventOriginalType = '3' // Set with a constant value to avoid parsing\r\n | project-rename \r\n DvcIpAddr = HostIP,\r\n DvcHostname = SysmonComputer\r\n | extend // aliases\r\n Dvc = DvcHostname,\r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr\r\n ;\r\n SysmonForLinuxNetwork","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Sysmon for 
Linux.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"b6f80673-9685-5486-939e-0d8427f0ab42","name":"_ASim_NetworkSession_LinuxSysmonV03","body":"let DirectionNetworkEvents =\r\n Syslog | where not(disabled)\r\n | project SyslogMessage, TimeGenerated, HostIP\r\n | where SyslogMessage has_all ('3')\r\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\r\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\r\n ;\r\n let parser = (T: (SyslogMessage: string)) {\r\n T \r\n | parse SyslogMessage with \r\n *\r\n '' EventOriginalUid:string ''\r\n *\r\n '' SysmonComputer:string ''\r\n *\r\n '' RuleName:string ''\r\n '' EventEndTime:datetime ''\r\n '{' ProcessGuid:string '}'\r\n '' ProcessId:string ''\r\n '' Process:string ''\r\n '' User:string ''\r\n '' Protocol:string '' // -- source is lowercase\r\n '' Initiated:bool '' \r\n '' SourceIsIpv6:bool ''\t\t\r\n '' * ''\r\n '' SrcHostname:string ''\r\n '' SrcPortNumber:int ''\r\n '' SrcPortName:string ''\r\n '' DestinationIsIpv6:bool ''\r\n '' DstIpAddr:string ''\r\n '' DstHostname:string ''\r\n '' DstPortNumber:int ''\r\n '' DstPortName:string ''\r\n *\r\n | project-away DstPortName, DestinationIsIpv6, Initiated, SourceIsIpv6, SrcPortName, RuleName\r\n };\r\n let OutboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where outbound\r\n | invoke parser ()\r\n | extend\r\n SrcUsernameType = 'Simple',\r\n SrcAppType = 'Process'\r\n | project-rename \r\n SrcUsername = User,\r\n SrcProcessId = ProcessId, \r\n SrcProcessGuid = ProcessGuid,\r\n SrcProcessName = Process\r\n | extend\r\n SrcAppName = SrcProcessName\r\n | project-away SyslogMessage\r\n ;\r\n let InboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where not(outbound)\r\n | invoke parser ()\r\n | extend\r\n DstUsernameType = 'Simple',\r\n DstAppType = 'Process'\r\n | project-rename \r\n DstUsername = User,\r\n DstProcessId = ProcessId, \r\n 
DstProcessGuid = ProcessGuid,\r\n DstProcessName = Process\r\n | extend\r\n DstAppName = DstProcessName\r\n | project-away SyslogMessage\r\n ; \r\n let SysmonForLinuxNetwork=\r\n union OutboundNetworkEvents, InboundNetworkEvents\r\n | extend \r\n EventType = 'NetworkSession',\r\n EventStartTime = EventEndTime,\r\n EventCount = int(1),\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.2.0',\r\n EventSchema = 'NetworkSession', \r\n EventProduct = 'Sysmon for Linux',\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n DvcOs = 'Linux',\r\n NetworkProtocol = toupper(Protocol),\r\n NetworkDirection = iff(outbound, \"Outbound\", \"Inbound\"),\r\n EventOriginalType = '3' // Set with a constant value to avoid parsing\r\n | project-away\r\n outbound, Protocol\r\n | project-rename \r\n DvcIpAddr = HostIP,\r\n DvcHostname = SysmonComputer\r\n | extend // aliases\r\n Dvc = DvcHostname,\r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr\r\n ;\r\n SysmonForLinuxNetwork","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Sysmon for Linux.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"18cec1b9-295c-57ba-85b4-bdbe2b014f7e","name":"_ASim_NetworkSession_MD4IoTAgentV02","body":"let DirectionNetworkEvents =\r\n SecurityIoTRawEvent | where not(disabled)\r\n | where RawEventName == \"NetworkActivity\"\r\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\r\n | extend outbound = LocalPort > RemotePort\r\n;\r\nlet parser = (T: (EventDetails: string)) {\r\n T \r\n | parse EventDetails with \r\n '{\"LocalAddress\":\"' LocalAddress:string '\",'\r\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\r\n *\r\n '\"BytesIn\":' BytesIn:long ','\r\n '\"BytesOut\":' BytesOut:long ','\r\n '\"Protocol\":\"' Protocol:string '\",'\r\n '\"ProcessId\":' ProcessId:string ','\r\n 
'\"UserId\":' UserId:string ','\r\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\r\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\r\n '\"DeviceId\":\"' DeviceId:string '\",'\r\n '\"MessageSource\":\"' MessageSource:string '\",'\r\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\r\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\r\n *\r\n}\r\n; \r\nlet OutboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where outbound\r\n | invoke parser ()\r\n | project-rename\r\n SrcBytes = BytesOut,\r\n DstBytes = BytesIn,\r\n SrcPortNumber = LocalPort,\r\n DstIpAddr = RemoteAddress,\r\n DstPortNumber = RemotePort,\r\n SrcProcessId = ProcessId\r\n | extend\r\n SrcIpAddr = LocalAddress,\r\n SrcDvcIdType = \"MD4IoTid\",\r\n SrcUserId = UserId,\r\n SrcUserIdType = \"UID\",\r\n SrcDvcId = DeviceId,\r\n Process = SrcProcessId, // alias\r\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\r\n;\r\nlet InboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where not(outbound)\r\n | invoke parser ()\r\n | project-rename\r\n DstBytes = BytesOut,\r\n SrcBytes = BytesIn,\r\n DstPortNumber = LocalPort,\r\n SrcIpAddr = RemoteAddress,\r\n SrcPortNumber = RemotePort,\r\n DstProcessId = ProcessId\r\n | extend\r\n DstIpAddr = LocalAddress,\r\n DstDvcIdType = \"MD4IoTid\",\r\n DstUserId = UserId,\r\n DstUserIdType = \"UID\",\r\n DstDvcId = DeviceId,\r\n Process = DstProcessId, // alias\r\n DstDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\r\n;\r\nlet NetworkSessionMD4IoT = \r\n union InboundNetworkEvents, OutboundNetworkEvents\r\n | extend\r\n EventCount = int(1),\r\n EventProduct = 'Azure Defender for IoT', \r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.2.0',\r\n EventSchema = \"NetworkSession\", \r\n EventType = 'NetworkSession',\r\n EventStartTime = TimeGenerated, // Open question about timestamps\r\n EventEndTime = TimeGenerated, // Open question about timestamps\r\n EventResult = 'Success',\r\n 
EventSeverity = 'Informational'\r\n | project-rename\r\n EventProductVersion = AgentVersion, // Not available in Windows\r\n _ResourceId = AssociatedResourceId, \r\n _SubscriptionId = AzureSubscriptionId, \r\n EventOriginalUid = OriginalEventId, // OK pending question\r\n DvcOs = MessageSource,\r\n NetworkProtocol = Protocol,\r\n NetworkApplicationProtocol = ApplicationProtocol,\r\n DvcId = DeviceId,\r\n DvcIpAddr = LocalAddress\r\n | extend\r\n Dvc = DvcId,\r\n DvcIdType = \"MD4IoTid\",\r\n User = UserId,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr\r\n | project-away outbound\r\n;\r\nNetworkSessionMD4IoT\r\n","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Microsoft Defender for IoT micro agent.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"b7f8ff2a-274f-50b1-be1a-38bff328a942","name":"_ASim_NetworkSession_MD4IoTSensorV01","body":"let parser = (disabled:bool=false) \r\n{\r\n DefenderIoTRawEvent\r\n | where RawEventName == \"NetworkConnectionData\"\r\n | project-rename \r\n DvcSubscriptionId = AzureSubscriptionId\r\n | extend \r\n Dvc = tostring(EventDetails.SourceId),\r\n DstDvcId = tostring(EventDetails.Destination.DeviceId),\r\n DstMacAddr = tostring(EventDetails.Destination.MacAddress),\r\n DstIpAddr = tostring(EventDetails.Destination.IPAddress),\r\n DstPortNumber = toint(EventDetails.Destination.Port),\r\n DstDescription = tostring(EventDetails.Destination.DeviceName),\r\n SrcDvcId = tostring(EventDetails.Source.DeviceId),\r\n SrcMacAddr = tostring(EventDetails.Source.MacAddress),\r\n SrcIpAddr = tostring(EventDetails.Source.IPAddress),\r\n SrcPortNumber = toint(EventDetails.Source.Port),\r\n SrcDescription = tostring(EventDetails.Source.DeviceName),\r\n EventOriginalUid = tostring(EventDetails.Id),\r\n EventEndTime = todatetime(EventDetails.LastSeen),\r\n EventStartTime = todatetime(EventDetails.StartTime),\r\n 
NetworkProtocol = tostring(EventDetails.TransportProtocol)\r\n | extend\r\n EventProduct = 'Defender for IoT',\r\n EventResult = 'Success',\r\n EventSchema = 'NetworkSession',\r\n EventSchemaVersion='0.2.4',\r\n EventCount = toint(1),\r\n EventSeverity = 'Informational',\r\n EventType = iff(DstIpAddr=='' and SrcIpAddr == '','L2NetworkSession','NetworkSession'),\r\n NetworkDirection = iff(tobool(EventDetails.IsInternal), 'Local',''),\r\n EventVendor = 'Microsoft',\r\n DstDvcIdType = 'MD4IoTid',\r\n SrcDvcIdType = 'MD4IoTid'\r\n | extend // -- Aliases\r\n Dst = coalesce(DstIpAddr,DstMacAddr),\r\n Src = coalesce(SrcIpAddr,SrcMacAddr),\r\n IpAddr = SrcIpAddr,\r\n EventStartTime = EventEndTime\r\n | project-away \r\n RawEventCategory, RawEventName, RawEventType, SourceSystem, TenantId, AgentVersion, IoTRawEventId, IsEmpty, AgentId, DeviceId, TimeStamp\r\n | project-away EventDetails, AssociatedResourceId\r\n};\r\nparser (disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Microsoft Defender for IoT sensor logs.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"6d9ba913-7800-5bc6-8c12-5c8003d402d3","name":"_ASim_NetworkSession_MD4IoTV02","body":"let DirectionNetworkEvents =\r\n SecurityIoTRawEvent | where not(disabled)\r\n | where RawEventName == \"NetworkActivity\"\r\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\r\n | extend outbound = LocalPort > RemotePort\r\n;\r\nlet parser = (T: (EventDetails: string)) {\r\n T \r\n | parse EventDetails with \r\n '{\"LocalAddress\":\"' LocalAddress:string '\",'\r\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\r\n *\r\n '\"BytesIn\":' BytesIn:long ','\r\n '\"BytesOut\":' BytesOut:long ','\r\n '\"Protocol\":\"' Protocol:string '\",'\r\n '\"ProcessId\":' ProcessId:string ','\r\n '\"UserId\":' UserId:string ','\r\n '\"ApplicationProtocol\":\"' 
ApplicationProtocol:string '\",'\r\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\r\n '\"DeviceId\":\"' DeviceId:string '\",'\r\n '\"MessageSource\":\"' MessageSource:string '\",'\r\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\r\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\r\n *\r\n}\r\n; \r\nlet OutboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where outbound\r\n | invoke parser ()\r\n | project-rename\r\n SrcBytes = BytesOut,\r\n DstBytes = BytesIn,\r\n SrcPortNumber = LocalPort,\r\n DstIpAddr = RemoteAddress,\r\n DstPortNumber = RemotePort,\r\n SrcProcessId = ProcessId\r\n | extend\r\n SrcIpAddr = LocalAddress,\r\n SrcDvcIdType = \"MD4IoTid\",\r\n SrcUserId = UserId,\r\n SrcUserIdType = \"UID\",\r\n SrcDvcId = DeviceId,\r\n Process = SrcProcessId, // alias\r\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\r\n;\r\nlet InboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where not(outbound)\r\n | invoke parser ()\r\n | project-rename\r\n DstBytes = BytesOut,\r\n SrcBytes = BytesIn,\r\n DstPortNumber = LocalPort,\r\n SrcIpAddr = RemoteAddress,\r\n SrcPortNumber = RemotePort,\r\n DstProcessId = ProcessId\r\n | extend\r\n DstIpAddr = LocalAddress,\r\n DstDvcIdType = \"MD4IoTid\",\r\n DstUserId = UserId,\r\n DstUserIdType = \"UID\",\r\n DstDvcId = DeviceId,\r\n Process = DstProcessId, // alias\r\n DstDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\r\n;\r\nlet NetworkSessionMD4IoT = \r\n union InboundNetworkEvents, OutboundNetworkEvents\r\n | extend\r\n EventCount = int(1),\r\n EventProduct = 'Azure Defender for IoT', \r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.2.0',\r\n EventSchema = \"NetworkSession\", \r\n EventType = 'NetworkSession',\r\n EventStartTime = TimeGenerated, // Open question about timestamps\r\n EventEndTime = TimeGenerated, // Open question about timestamps\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational'\r\n | project-rename\r\n 
EventProductVersion = AgentVersion, // Not available in Windows\r\n _ResourceId = AssociatedResourceId, \r\n _SubscriptionId = AzureSubscriptionId, \r\n EventOriginalUid = OriginalEventId, // OK pending question\r\n DvcOs = MessageSource,\r\n NetworkProtocol = Protocol,\r\n NetworkApplicationProtocol = ApplicationProtocol,\r\n DvcId = DeviceId,\r\n DvcIpAddr = LocalAddress\r\n | extend\r\n Dvc = DvcId,\r\n DvcIdType = \"MD4IoTid\",\r\n User = UserId,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr\r\n | project-away outbound\r\n;\r\nNetworkSessionMD4IoT\r\n","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Microsoft Defender for IoT.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"f72bedb2-6af8-5f65-a153-1a5880771538","name":"_ASim_NetworkSession_Microsoft365DefenderV02","body":"let M365Defender=(disabled:bool=false){\r\n let DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\r\n 'ConnectionSuccess','Outbound', true\r\n ,'ConnectionFailed', 'Outbound', true\r\n ,'ConnectionRequest','Outbound', true\r\n ,'InboundConnectionAccepted', 'Inbound', false\r\n ,'ConnectionFound', 'Unknown', false\r\n ,'ListeningConnectionCreated', 'Listen', false \r\n ];\r\n // -- Common preprocessing to both input and outbound events\r\n let RawNetworkEvents = (select_outbound:boolean) {\r\n DeviceNetworkEvents | where not(disabled) \r\n | lookup DirectionLookup on ActionType\r\n | where Outbound == select_outbound\r\n | extend\r\n // Event\r\n EventOriginalUid = tostring(ReportId),\r\n EventCount = int(1),\r\n EventProduct = 'M365 Defender for Endpoint',\r\n EventVendor = 'Microsoft',\r\n EventSchema = 'NetworkSession',\r\n EventSchemaVersion = '0.1.0',\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventType = 'NetworkSession',\r\n EventResult = 
iff(ActionType=='ConnectionFailed','Failure','Success'),\r\n EventSeverity = \"Informational\",\r\n DvcIdType = 'MDEid'\r\n | extend\r\n RemoteUrl = extract (@\"(?:https?://)?(.*)\", 1, RemoteUrl)\r\n | extend\r\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\r\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\r\n SplitHostname = split(DeviceName,\".\"),\r\n SplitUrl = split(RemoteUrl,\".\"),\r\n NetworkProtocol = case (\r\n Protocol startswith \"Tcp\", \"TCP\",\r\n Protocol == \"Unknown\", \"\",\r\n toupper(Protocol)\r\n )\r\n | extend \r\n DvcHostname = tostring(SplitHostname[0]),\r\n DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),\r\n DvcFQDN = iif (DeviceName contains \".\", DeviceName, \"\"),\r\n UrlHostname = SplitUrl[0],\r\n UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')),\r\n UrlFQDN = iif(RemoteUrl contains \".\", RemoteUrl, \"\")\r\n | extend\r\n DvcDomainType = iif(DvcFQDN != \"\", \"FQDN\", \"\"),\r\n UrlDomainType = iff(UrlFQDN != \"\", \"FQDN\", \"\"),\r\n DvcIpAddr = LocalIP\r\n | extend\r\n Dvc = DvcHostname \r\n | project-rename\r\n DvcId = DeviceId\r\n | project-away SplitUrl, SplitHostname\r\n };\r\n let OutboundNetworkEvents = \r\n RawNetworkEvents (true)\r\n | project-rename\r\n DstIpAddr = RemoteIP,\r\n SrcIpAddr = LocalIP,\r\n DstPortNumber = RemotePort,\r\n SrcPortNumber = LocalPort,\r\n SrcUsernameType = UsernameType,\r\n SrcUserAadId = InitiatingProcessAccountObjectId,\r\n SrcUserId = InitiatingProcessAccountSid,\r\n SrcUserUpn = InitiatingProcessAccountUpn,\r\n SrcUserDomain = InitiatingProcessAccountDomain\r\n | extend\r\n SrcUsername = User,\r\n SrcDvcId = DvcId,\r\n SrcDvcIdType = 'MDEid',\r\n SrcUserIdType = \"SID\",\r\n DstHostname = UrlHostname\r\n | project-rename\r\n DstDomain = UrlDomain,\r\n DstFQDN = UrlFQDN,\r\n DstDomainType = 
UrlDomainType\r\n | extend \r\n SrcHostname = DvcHostname,\r\n SrcDomain = DvcDomain,\r\n SrcFQDN = DvcDomain\r\n // Processes\r\n | extend\r\n SrcProcessId = tostring(InitiatingProcessId),\r\n ParentProcessId = tostring(InitiatingProcessParentId)\r\n | project-rename\r\n SrcProcessName = InitiatingProcessFileName,\r\n SrcProcessCommandLine = InitiatingProcessCommandLine,\r\n SrcProcessCreationTime = InitiatingProcessCreationTime,\r\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\r\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\r\n ParentProcessName = InitiatingProcessParentFileName,\r\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\r\n // SrcProcessFileSize = InitiatingProcessFileSize,\r\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\r\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\r\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\r\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\r\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\r\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\r\n | extend\r\n Process = SrcProcessName,\r\n ProcessId = SrcProcessId,\r\n SrcAppName = SrcProcessName,\r\n SrcAppType = \"Process\"\r\n ;\r\n let InboundNetworkEvents = \r\n RawNetworkEvents (false)\r\n | project-rename\r\n SrcIpAddr = RemoteIP,\r\n DstIpAddr = LocalIP,\r\n SrcPortNumber = RemotePort,\r\n DstPortNumber = LocalPort,\r\n DstUsernameType = UsernameType,\r\n DstUserAadId = InitiatingProcessAccountObjectId,\r\n DstUserId = InitiatingProcessAccountSid,\r\n DstUserUpn = InitiatingProcessAccountUpn,\r\n DstUserDomain = InitiatingProcessAccountDomain\r\n | extend\r\n DstUsername = User,\r\n DstDvcId = DvcId,\r\n DstDvcIdType = 'MDEid',\r\n DstUserIdType = 'SID',\r\n SrcHostname = UrlHostname\r\n | project-rename\r\n SrcDomain = UrlDomain,\r\n SrcFQDN = UrlFQDN,\r\n 
SrcDomainType = UrlDomainType,\r\n DstHostname = DvcHostname,\r\n DstDomain = DvcDomain,\r\n DstFQDN = DvcFQDN\r\n // Processes\r\n | extend\r\n DstProcessId = tostring(InitiatingProcessId),\r\n ParentProcessId = tostring(InitiatingProcessParentId)\r\n | project-rename\r\n DstProcessName = InitiatingProcessFileName,\r\n DstProcessCommandLine = InitiatingProcessCommandLine,\r\n DstProcessCreationTime = InitiatingProcessCreationTime,\r\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\r\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\r\n ParentProcessName = InitiatingProcessParentFileName,\r\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\r\n // SrcProcessFileSize = InitiatingProcessFileSize,\r\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\r\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\r\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\r\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\r\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\r\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\r\n | extend\r\n Process = DstProcessName,\r\n ProcessId = DstProcessId,\r\n DstAppName = DstProcessName,\r\n DstAppType = \"Process\"\r\n ;\r\n union InboundNetworkEvents, OutboundNetworkEvents\r\n | extend // aliases\r\n Hostname = UrlHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr\r\n };\r\n M365Defender(disabled)\r\n","parameters":"disabled:bool = false","description":"Network Session ASIM parser for M365 Defender for Endpoint.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"5721e7ee-ece3-50a0-b342-e17b5b389a45","name":"_ASim_NetworkSession_Microsoft365DefenderV03","body":"let M365Defender=(disabled:bool=false){\r\n let 
DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\r\n 'ConnectionSuccess','Outbound', true\r\n ,'ConnectionFailed', 'Outbound', true\r\n ,'ConnectionRequest','Outbound', true\r\n ,'InboundConnectionAccepted', 'Inbound', false\r\n ,'ConnectionFound', 'Unknown', false\r\n ,'ListeningConnectionCreated', 'Listen', false \r\n ];\r\n // -- Common preprocessing to both input and outbound events\r\n let RawNetworkEvents = (select_outbound:boolean) {\r\n DeviceNetworkEvents | where not(disabled) \r\n | lookup DirectionLookup on ActionType\r\n | where Outbound == select_outbound\r\n | project-away AppGuardContainerId, LocalIPType, MachineGroup, RemoteIPType, Timestamp, Outbound //, SourceSystem, TenantId\r\n | extend\r\n // Event\r\n EventOriginalUid = tostring(ReportId),\r\n EventCount = int(1),\r\n EventProduct = 'M365 Defender for Endpoint',\r\n EventVendor = 'Microsoft',\r\n EventSchema = 'NetworkSession',\r\n EventSchemaVersion = '0.1.0',\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventType = 'NetworkSession',\r\n EventResult = iff(ActionType=='ConnectionFailed','Failure','Success'),\r\n EventSeverity = \"Informational\",\r\n DvcIdType = 'MDEid'\r\n | project-away \r\n ReportId\r\n | project-rename \r\n EventOriginalResultDetails = ActionType\r\n | extend\r\n RemoteUrl = extract (@\"(?:https?://)?(.*)\", 1, RemoteUrl)\r\n | extend\r\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\r\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\r\n SplitHostname = split(DeviceName,\".\"),\r\n SplitUrl = split(RemoteUrl,\".\"),\r\n NetworkProtocol = case (\r\n Protocol startswith \"Tcp\", \"TCP\",\r\n Protocol == \"Unknown\", \"\",\r\n toupper(Protocol)\r\n )\r\n | project-away Protocol\r\n | extend \r\n DvcHostname = tostring(SplitHostname[0]),\r\n DvcDomain = 
tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),\r\n DvcFQDN = iif (DeviceName contains \".\", DeviceName, \"\"),\r\n UrlHostname = tostring(SplitUrl[0]),\r\n UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')),\r\n UrlFQDN = iif(RemoteUrl contains \".\", RemoteUrl, \"\")\r\n | project-away RemoteUrl, DeviceName\r\n | extend\r\n DvcDomainType = iif(DvcFQDN != \"\", \"FQDN\", \"\"),\r\n UrlDomainType = iff(UrlFQDN != \"\", \"FQDN\", \"\"),\r\n DvcIpAddr = LocalIP\r\n | extend\r\n Dvc = DvcHostname \r\n | project-rename\r\n DvcId = DeviceId\r\n | project-away SplitUrl, SplitHostname\r\n };\r\n let OutboundNetworkEvents = \r\n RawNetworkEvents (true)\r\n | project-rename\r\n DstIpAddr = RemoteIP,\r\n SrcIpAddr = LocalIP,\r\n DstPortNumber = RemotePort,\r\n SrcPortNumber = LocalPort,\r\n SrcUsernameType = UsernameType,\r\n SrcUserAadId = InitiatingProcessAccountObjectId,\r\n SrcUserId = InitiatingProcessAccountSid,\r\n SrcUserUpn = InitiatingProcessAccountUpn\r\n | extend\r\n SrcUsername = User,\r\n SrcDvcId = DvcId,\r\n SrcDvcIdType = 'MDEid',\r\n SrcUserIdType = \"SID\",\r\n DstHostname = UrlHostname\r\n | project-rename\r\n DstDomain = UrlDomain,\r\n DstFQDN = UrlFQDN,\r\n DstDomainType = UrlDomainType\r\n | extend \r\n SrcHostname = DvcHostname,\r\n SrcDomain = DvcDomain,\r\n SrcFQDN = DvcDomain\r\n // Processes\r\n | extend\r\n SrcProcessId = tostring(InitiatingProcessId),\r\n ParentProcessId = tostring(InitiatingProcessParentId)\r\n | project-rename\r\n SrcProcessName = InitiatingProcessFileName,\r\n SrcProcessCommandLine = InitiatingProcessCommandLine,\r\n SrcProcessCreationTime = InitiatingProcessCreationTime,\r\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\r\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\r\n ParentProcessName = InitiatingProcessParentFileName,\r\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\r\n // SrcProcessFileSize = InitiatingProcessFileSize,\r\n // 
SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\r\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\r\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\r\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\r\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\r\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\r\n | extend\r\n Process = SrcProcessName,\r\n SrcAppName = SrcProcessName,\r\n SrcAppType = \"Process\"\r\n ;\r\n let InboundNetworkEvents = \r\n RawNetworkEvents (false)\r\n | project-rename\r\n SrcIpAddr = RemoteIP,\r\n DstIpAddr = LocalIP,\r\n SrcPortNumber = RemotePort,\r\n DstPortNumber = LocalPort,\r\n DstUsernameType = UsernameType,\r\n DstUserAadId = InitiatingProcessAccountObjectId,\r\n DstUserId = InitiatingProcessAccountSid,\r\n DstUserUpn = InitiatingProcessAccountUpn\r\n | extend\r\n DstUsername = User,\r\n DstDvcId = DvcId,\r\n DstDvcIdType = 'MDEid',\r\n DstUserIdType = 'SID',\r\n SrcHostname = UrlHostname\r\n | project-rename\r\n SrcDomain = UrlDomain,\r\n SrcFQDN = UrlFQDN,\r\n SrcDomainType = UrlDomainType,\r\n DstHostname = DvcHostname,\r\n DstDomain = DvcDomain,\r\n DstFQDN = DvcFQDN\r\n // Processes\r\n | extend\r\n DstProcessId = tostring(InitiatingProcessId),\r\n ParentProcessId = tostring(InitiatingProcessParentId)\r\n | project-rename\r\n DstProcessName = InitiatingProcessFileName,\r\n DstProcessCommandLine = InitiatingProcessCommandLine,\r\n DstProcessCreationTime = InitiatingProcessCreationTime,\r\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\r\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\r\n ParentProcessName = InitiatingProcessParentFileName,\r\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\r\n // SrcProcessFileSize = InitiatingProcessFileSize,\r\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\r\n // SrcProcessFileProduct = 
InitiatingProcessVersionInfoProductName,\r\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\r\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\r\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\r\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\r\n | extend\r\n Process = DstProcessName,\r\n DstAppName = DstProcessName,\r\n DstAppType = \"Process\"\r\n ;\r\n union InboundNetworkEvents, OutboundNetworkEvents\r\n | project-rename \r\n Hostname = UrlHostname\r\n | extend // aliases\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr\r\n };\r\n M365Defender (disabled)\r\n","parameters":"disabled:bool = false","description":"Network Session ASIM parser for M365 Defender for Endpoint.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"c4c2c7f0-6344-529c-8e94-e4455d60e104","name":"_ASim_NetworkSession_Microsoft365DefenderV04","body":"let M365Defender=(disabled:bool=false){\r\n let DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\r\n 'ConnectionSuccess','Outbound', true\r\n ,'ConnectionFailed', 'Outbound', true\r\n ,'ConnectionRequest','Outbound', true\r\n ,'InboundConnectionAccepted', 'Inbound', false\r\n ,'ConnectionFound', 'Unknown', false\r\n ,'ListeningConnectionCreated', 'Listen', false \r\n ];\r\n // -- Common preprocessing to both input and outbound events\r\n let RawNetworkEvents = (select_outbound:boolean) {\r\n DeviceNetworkEvents | where not(disabled) \r\n | lookup DirectionLookup on ActionType\r\n | where Outbound == select_outbound\r\n | project-away AppGuardContainerId, LocalIPType, MachineGroup, RemoteIPType, Timestamp, Outbound //, SourceSystem, TenantId\r\n | extend\r\n // Event\r\n EventOriginalUid = tostring(ReportId),\r\n EventCount = int(1),\r\n EventProduct = 'M365 Defender for Endpoint',\r\n EventVendor = 
'Microsoft',\r\n EventSchema = 'NetworkSession',\r\n EventSchemaVersion = '0.1.0',\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventType = 'NetworkSession',\r\n EventResult = iff(ActionType=='ConnectionFailed','Failure','Success'),\r\n EventSeverity = \"Informational\",\r\n DvcIdType = 'MDEid'\r\n | project-away \r\n ReportId\r\n | project-rename \r\n EventOriginalResultDetails = ActionType\r\n | extend\r\n RemoteUrl = extract (@\"(?:https?://)?(.*)\", 1, RemoteUrl)\r\n | extend\r\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\r\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\r\n SplitHostname = split(DeviceName,\".\"),\r\n SplitUrl = split(RemoteUrl,\".\"),\r\n NetworkProtocol = case (\r\n Protocol startswith \"Tcp\", \"TCP\",\r\n Protocol == \"Unknown\", \"\",\r\n toupper(Protocol)\r\n )\r\n | project-away Protocol\r\n | extend \r\n DvcHostname = tostring(SplitHostname[0]),\r\n DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),\r\n DvcFQDN = iif (DeviceName contains \".\", DeviceName, \"\"),\r\n UrlHostname = tostring(SplitUrl[0]),\r\n UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')),\r\n UrlFQDN = iif(RemoteUrl contains \".\", RemoteUrl, \"\")\r\n | project-away RemoteUrl, DeviceName\r\n | extend\r\n DvcDomainType = iif(DvcFQDN != \"\", \"FQDN\", \"\"),\r\n UrlDomainType = iff(UrlFQDN != \"\", \"FQDN\", \"\"),\r\n DvcIpAddr = LocalIP\r\n | extend\r\n Dvc = DvcHostname \r\n | project-rename\r\n DvcId = DeviceId\r\n | project-away SplitUrl, SplitHostname\r\n };\r\n let OutboundNetworkEvents = \r\n RawNetworkEvents (true)\r\n | project-rename\r\n DstIpAddr = RemoteIP,\r\n SrcIpAddr = LocalIP,\r\n DstPortNumber = RemotePort,\r\n SrcPortNumber = LocalPort,\r\n SrcUsernameType = UsernameType,\r\n SrcUserAadId = InitiatingProcessAccountObjectId,\r\n 
SrcUserUpn = InitiatingProcessAccountUpn,\r\n SrcUserId = InitiatingProcessAccountSid\r\n | extend\r\n SrcUsername = User,\r\n SrcDvcId = DvcId,\r\n SrcDvcIdType = 'MDEid',\r\n SrcUserIdType = iff (SrcUserId \"S-1-0-0\", \"SID\", \"\"),\r\n SrcUserId = iff (SrcUserId \"S-1-0-0\", SrcUserId, \"\"),\r\n DstHostname = UrlHostname\r\n | project-rename\r\n DstDomain = UrlDomain,\r\n DstFQDN = UrlFQDN,\r\n DstDomainType = UrlDomainType\r\n | extend \r\n SrcHostname = DvcHostname,\r\n SrcDomain = DvcDomain,\r\n SrcFQDN = DvcDomain\r\n // Processes\r\n | extend\r\n SrcProcessId = tostring(InitiatingProcessId),\r\n ParentProcessId = tostring(InitiatingProcessParentId)\r\n | project-rename\r\n SrcProcessName = InitiatingProcessFileName,\r\n SrcProcessCommandLine = InitiatingProcessCommandLine,\r\n SrcProcessCreationTime = InitiatingProcessCreationTime,\r\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\r\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\r\n ParentProcessName = InitiatingProcessParentFileName,\r\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\r\n // SrcProcessFileSize = InitiatingProcessFileSize,\r\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\r\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\r\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\r\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\r\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\r\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\r\n | extend\r\n Process = SrcProcessName,\r\n SrcAppName = SrcProcessName,\r\n SrcAppType = \"Process\"\r\n ;\r\n let InboundNetworkEvents = \r\n RawNetworkEvents (false)\r\n | project-rename\r\n SrcIpAddr = RemoteIP,\r\n DstIpAddr = LocalIP,\r\n SrcPortNumber = RemotePort,\r\n DstPortNumber = LocalPort,\r\n DstUsernameType = UsernameType,\r\n DstUserAadId = 
InitiatingProcessAccountObjectId,\r\n DstUserId = InitiatingProcessAccountSid,\r\n DstUserUpn = InitiatingProcessAccountUpn\r\n | extend\r\n DstUsername = User,\r\n DstDvcId = DvcId,\r\n DstDvcIdType = 'MDEid',\r\n DstUserIdType = 'SID',\r\n SrcHostname = UrlHostname\r\n | project-rename\r\n SrcDomain = UrlDomain,\r\n SrcFQDN = UrlFQDN,\r\n SrcDomainType = UrlDomainType,\r\n DstHostname = DvcHostname,\r\n DstDomain = DvcDomain,\r\n DstFQDN = DvcFQDN\r\n // Processes\r\n | extend\r\n DstProcessId = tostring(InitiatingProcessId),\r\n ParentProcessId = tostring(InitiatingProcessParentId)\r\n | project-rename\r\n DstProcessName = InitiatingProcessFileName,\r\n DstProcessCommandLine = InitiatingProcessCommandLine,\r\n DstProcessCreationTime = InitiatingProcessCreationTime,\r\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\r\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\r\n ParentProcessName = InitiatingProcessParentFileName,\r\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\r\n // SrcProcessFileSize = InitiatingProcessFileSize,\r\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\r\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\r\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\r\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\r\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\r\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\r\n | extend\r\n Process = DstProcessName,\r\n DstAppName = DstProcessName,\r\n DstAppType = \"Process\"\r\n ;\r\n union InboundNetworkEvents, OutboundNetworkEvents\r\n | project-rename \r\n Hostname = UrlHostname\r\n | extend // aliases\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr\r\n };\r\n M365Defender (disabled)\r\n","parameters":"disabled:bool = false","description":"Network Session ASIM parser for M365 Defender for 
Endpoint.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"d79c96eb-ddd8-5e1d-8d90-5197f02ffcd3","name":"_ASim_NetworkSession_MicrosoftSecurityEventFirewallV05","body":"// Data tables for mapping raw values into string\r\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\r\n '%%14596', 'IP Packet',\r\n '%%14597', 'Transport',\r\n '%%14598', 'Forward',\r\n '%%14599', 'Stream',\r\n '%%14600', 'Datagram Data',\r\n '%%14601', 'ICMP Error',\r\n '%%14602', 'MAC 802.3',\r\n '%%14603', 'MAC Native',\r\n '%%14604', 'vSwitch',\r\n '%%14608', 'Resource Assignment',\r\n '%%14609', 'Listen',\r\n '%%14610', 'Receive/Accept',\r\n '%%14611', 'Connect',\r\n '%%14612', 'Flow Established',\r\n '%%14614', 'Resource Release',\r\n '%%14615', 'Endpoint Closure',\r\n '%%14616', 'Connect Redirect',\r\n '%%14617', 'Bind Redirect',\r\n '%%14624', 'Stream Packet'];\r\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\r\n 1, 'ICMP',\r\n 3, 'GGP',\r\n 6, 'TCP',\r\n 8, 'EGP',\r\n 12, 'PUP',\r\n 17, 'UDP',\r\n 20, 'HMP',\r\n 27, 'RDP',\r\n 46, 'RSVP',\r\n 47, 'PPTP data over GRE',\r\n 50, 'ESP',\r\n 51, 'AH',\r\n 66, 'RVD',\r\n 88, 'IGMP',\r\n 89, 'OSPF'];\r\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\r\n '%%14592', 'Inbound', false,\r\n '%%14593', 'Outbound', true,\r\n '%%14594', 'Forward',false,\r\n '%%14595', 'Bidirectional', false,\r\n '%%14609', 'Listen', false];\r\n///////////////////////////////////////////////////////\r\n// this query extract data fields from EventData column from SecurityEvent table\r\n///////////////////////////////////////////////////////\r\nlet parser = (disabled: bool=false) {\r\nlet WindowsFirewall_SecurityEvent=(){ // Event IDs between (5151 .. 
5159)\r\n// will be extracting Event specific fields from 'EventData' field\r\n let SecurityEventProjected =\r\n SecurityEvent\r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\r\n ;\r\n let SecurityEvent_5152 = \r\n SecurityEventProjected | where not(disabled)\r\n | where EventID==5152\r\n | parse EventData with * ''ProcessId:string''\r\n '\\x0d\\x0a 'Application''\r\n '\\x0d\\x0a 'DirectionCode''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'DstIpAddr:string''\r\n '\\x0d\\x0a 'DstPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''*\r\n | project-away EventData;\r\n let SecurityEvent_5154_5155_5158_5159 =\r\n SecurityEventProjected | where not(disabled)\r\n | where EventID in (5154, 5155, 5158, 5159)\r\n | parse EventData with * ''ProcessId:string'' \r\n '\\x0d\\x0a 'Application''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''*\r\n | extend DirectionCode = \"%%14609\"\r\n | project-away EventData;\r\n let SecurityEvent_5156_5157 =\r\n SecurityEventProjected | where not(disabled)\r\n | where EventID in (5156, 5157)\r\n | parse EventData with * ''ProcessId:string''\r\n '\\x0d\\x0a 'Application:string''\r\n '\\x0d\\x0a 'DirectionCode:string''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'DstIpAddr:string''\r\n '\\x0d\\x0a 'DstPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''\r\n '\\x0d\\x0a 'RemoteUserID''\r\n '\\x0d\\x0a 'RemoteMachineID''*\r\n | project-away EventData;\r\n union SecurityEvent_5152, SecurityEvent_5156_5157, SecurityEvent_5154_5155_5158_5159\r\n | lookup Directions on 
DirectionCode\r\n | project-rename DvcHostname = Computer\r\n | extend\r\n SrcAppName = iff(isOutBound, Application, \"\"),\r\n DstAppName = iff(not(isOutBound), Application, \"\"),\r\n SrcDvcId = iff(isOutBound, RemoteMachineID, \"\"),\r\n DstDvcId = iff(not(isOutBound), RemoteMachineID, \"\"),\r\n SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\r\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\r\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\r\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\"),\r\n DstHostname = iff(isOutBound, \"\", DvcHostname),\r\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\r\n | project-away Application, RemoteMachineID, RemoteUserID, ProcessId\r\n};\r\nWindowsFirewall_SecurityEvent \r\n | extend \r\n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\r\n DvcOs = 'Windows',\r\n DstAppType = \"Process\",\r\n SrcUserIdType = iff (SrcUserId \"S-1-0-0\", \"SID\", \"\"),\r\n SrcUserId = iff (SrcUserId \"S-1-0-0\", SrcUserId, \"\"),\r\n DstUserIdType = iff (DstUserId \"S-1-0-0\", \"SID\", \"\"),\r\n DstUserId = iff (DstUserId \"S-1-0-0\", DstUserId, \"\"),\r\n SrcAppType = \"Process\",\r\n EventType = \"NetworkSession\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion=\"0.2.0\",\r\n EventCount=toint(1),\r\n EventVendor = \"Microsoft\",\r\n EventProduct = \"Windows Firewall\",\r\n EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\"),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\"),\r\n EventOriginalType = tostring(EventID),\r\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\r\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\r\n // aliases\r\n | extend\r\n Dvc = DvcHostname,\r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Rule = tostring (NetworkRuleNumber)\r\n | lookup LayerCodeTable on 
LayerCode\r\n | lookup ProtocolTable on Protocol\r\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID, LayerRTID,_ResourceId,_SubscriptionId\r\n };\r\n parser(disabled=disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Microsoft Windows Firewall Events.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"2d51a07c-c2c7-5425-8f5e-162d0f1f9005","name":"_ASim_NetworkSession_MicrosoftSysmonV01","body":"let parser = (disabled:bool = false) {\r\nlet Sysmon3_Event=(disabled:bool=false) {\r\n Event\r\n | where not(disabled)\r\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==3\r\n | parse-kv EventData as (\r\n SourceIp:string,\r\n DestinationIp:string,\r\n SourceHostname:string,\r\n DestinationHostname:string,\r\n Initiated:bool, // Initiated indicates the process initiated a connection (meaning outbound)\r\n RuleName:string,\r\n UtcTime:datetime,\r\n ProcessGuid:string,\r\n ProcessId:string,\r\n Image:string,\r\n User:string,\r\n Protocol:string,\r\n SourceIsIpv6:bool,\r\n SourcePort:int,\r\n SourcePortName:string,\r\n DestinationIsIpv6:bool,\r\n DestinationPort:int,\r\n DestinationPortName:string\r\n ) with (regex=@'{?([^>]*?)}?')\r\n | project-away EventData\r\n | project-rename\r\n SrcHostname = SourceHostname,\r\n DstHostname = DestinationHostname\r\n | project-away\r\n Source,\r\n EventLog,\r\n EventCategory,\r\n UserName,\r\n Message,\r\n ParameterXml,\r\n RenderedDescription,\r\n MG,\r\n AzureDeploymentID,\r\n Role\r\n };\r\nlet Sysmon3_WindowsEvent=(disabled:bool=false){\r\n WindowsEvent\r\n | where not(disabled) \r\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 3\r\n | extend\r\n SourceIp = tostring(EventData.SourceIp),\r\n DestinationIp = tostring(EventData.DestinationIp),\r\n DstHostname = tostring(EventData.DestinationHostname),\r\n SrcHostname = tostring(EventData.SrcHostname),\r\n 
RuleName = tostring(EventData.RuleName),\r\n UtcTime = todatetime(EventData.UtcTime),\r\n ProcessId = tostring(EventData.ProcessId),\r\n Image = tostring(EventData.Image),\r\n User = tostring(EventData.User),\r\n Protocol = tostring(EventData.Protocol),\r\n Initiated = tobool(EventData.Initiated), // Initiated indicates the process initiated a connection (meaning outbound)\r\n SourceIsIpv6 = tobool(EventData.SourceIsIpv6),\r\n SourcePort = toint(EventData.SourcePort),\r\n SourcePortName = tostring(EventData.SourcePortName),\r\n DestinationIsIpv6 = tobool(EventData.DestinationIsIpv6),\r\n DestinationPort = toint(EventData.DestinationPort),\r\n DestinationPortName = tostring(EventData.DestinationPortName)\r\n | parse EventData.ProcessGuid with \"{\" ProcessGuid \"}\"\r\n | project-away EventData\r\n | project-away\r\n Provider,\r\n Channel,\r\n Task,\r\n Data,\r\n RawEventData,\r\n EventOriginId\r\n };\r\nunion isfuzzy=true Sysmon3_Event,Sysmon3_WindowsEvent\r\n | extend\r\n AppName = tostring(split(Image, \"\\\\\")[-1])\r\n | extend\r\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\r\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\r\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\r\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\r\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\r\n SrcAppName = iff(not(Initiated), AppName, \"\"),\r\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\r\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\r\n DstUsername = iff(Initiated, tostring(User), \"\"),\r\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\r\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\r\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\r\n DstAppName = iff(Initiated, AppName, \"\"),\r\n DstAppType = iff(Initiated, 'Process', \"\")\r\n | project-away ProcessId, ProcessGuid, Image, AppName\r\n | project-rename \r\n EventStartTime = UtcTime,\r\n Dvc = Computer,\r\n 
SrcIpAddr = SourceIp,\r\n DstIpAddr = DestinationIp,\r\n DstPortNumber = DestinationPort,\r\n SrcPortNumber = SourcePort,\r\n NetworkRuleName = RuleName \r\n | extend \r\n EventEndTime = EventStartTime,\r\n Hostname = case(\r\n Initiated, DstHostname,\r\n not(Initiated), SrcHostname,\r\n Dvc),\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\r\n IpAddr = SrcIpAddr,\r\n EventType = 'EndpointNetworkSession',\r\n EventCount = int(1),\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.2.5',\r\n EventSchema = 'NetworkSession', \r\n EventProduct = 'Sysmon',\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n DvcOs = 'Windows',\r\n Protocol = toupper(Protocol),\r\n EventOriginalType = '3' // Set with a constant value to avoid parsing \r\n | extend\r\n DvcHostname = Hostname\r\n | extend\r\n SrcHostname = iff( SrcHostname == \"-\", \"\", SrcHostname),\r\n DvcHostname = iff( DvcHostname == \"-\", \"\", DvcHostname),\r\n DstHostname = iff( DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\r\n | project-rename\r\n TmpSrcHostname = SrcHostname,\r\n TmpDvcHostname = DvcHostname,\r\n TmpDstHostname = DstHostname\r\n | invoke \r\n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\r\n | invoke \r\n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\r\n | invoke \r\n _ASIM_ResolveDstFQDN('TmpDstHostname')\r\n | project-away\r\n TmpSrcHostname,\r\n TmpDvcHostname,\r\n TmpDstHostname\r\n | extend \r\n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\r\n NetworkProtocol = toupper(Protocol)\r\n | project-away \r\n Destination*,\r\n Initiated,\r\n ManagementGroupName,\r\n TenantId,\r\n Protocol,\r\n Source*,\r\n EventID,\r\n EventLevelName,\r\n EventLevel\r\n };\r\n parser (disabled)\r\n","parameters":"disabled:bool = false","description":"Network Session Event ASIM parser for Sysmon (Event 
3).","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"3b99a232-e260-562e-a503-13993a879f59","name":"_ASim_NetworkSession_MicrosoftSysmonV02","body":"let parser = (disabled:bool = false) {\r\n Event\r\n | where not(disabled)\r\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==3\r\n | parse-kv EventData as (\r\n SourceIp:string,\r\n DestinationIp:string,\r\n SourceHostname:string,\r\n DestinationHostname:string,\r\n Initiated:bool, // Initiated indicates the process initiated a connection (meaning outbound)\r\n RuleName:string,\r\n UtcTime:datetime,\r\n ProcessGuid:string,\r\n ProcessId:string,\r\n Image:string,\r\n User:string,\r\n Protocol:string,\r\n SourceIsIpv6:bool,\r\n SourcePort:int,\r\n SourcePortName:string,\r\n DestinationIsIpv6:bool,\r\n DestinationPort:int,\r\n DestinationPortName:string\r\n ) with (regex=@'{?([^>]*?)}?')\r\n | project-away EventData\r\n | project-rename\r\n SrcHostname = SourceHostname,\r\n DstHostname = DestinationHostname\r\n | project-away\r\n Source,\r\n EventLog,\r\n EventCategory,\r\n UserName,\r\n Message,\r\n ParameterXml,\r\n RenderedDescription,\r\n MG,\r\n AzureDeploymentID,\r\n Role\r\n | extend\r\n AppName = tostring(split(Image, \"\\\\\")[-1])\r\n | extend\r\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\r\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\r\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\r\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\r\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\r\n SrcAppName = iff(not(Initiated), AppName, \"\"),\r\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\r\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\r\n DstUsername = iff(Initiated, tostring(User), \"\"),\r\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\r\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\r\n DstProcessName = iff(Initiated, 
tostring(Image), \"\"),\r\n DstAppName = iff(Initiated, AppName, \"\"),\r\n DstAppType = iff(Initiated, 'Process', \"\"),\r\n EventUid = _ItemId\r\n | project-away ProcessId, ProcessGuid, Image, AppName\r\n | project-rename \r\n EventStartTime = UtcTime,\r\n Dvc = Computer,\r\n SrcIpAddr = SourceIp,\r\n DstIpAddr = DestinationIp,\r\n DstPortNumber = DestinationPort,\r\n SrcPortNumber = SourcePort,\r\n NetworkRuleName = RuleName \r\n | extend \r\n EventEndTime = EventStartTime,\r\n Hostname = case(\r\n Initiated, DstHostname,\r\n not(Initiated), SrcHostname,\r\n Dvc),\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\r\n IpAddr = SrcIpAddr,\r\n EventType = 'EndpointNetworkSession',\r\n EventCount = int(1),\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.2.5',\r\n EventSchema = 'NetworkSession', \r\n EventProduct = 'Sysmon',\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n DvcOs = 'Windows',\r\n Protocol = toupper(Protocol),\r\n EventOriginalType = '3' // Set with a constant value to avoid parsing \r\n | extend\r\n DvcHostname = Hostname\r\n | extend\r\n SrcHostname = iff( SrcHostname == \"-\", \"\", SrcHostname),\r\n DvcHostname = iff( DvcHostname == \"-\", \"\", DvcHostname),\r\n DstHostname = iff( DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\r\n | project-rename\r\n TmpSrcHostname = SrcHostname,\r\n TmpDvcHostname = DvcHostname,\r\n TmpDstHostname = DstHostname\r\n | invoke \r\n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\r\n | invoke \r\n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\r\n | invoke \r\n _ASIM_ResolveDstFQDN('TmpDstHostname')\r\n | project-away\r\n TmpSrcHostname,\r\n TmpDvcHostname,\r\n TmpDstHostname\r\n | extend \r\n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\r\n NetworkProtocol = toupper(Protocol)\r\n | project-away \r\n Destination*,\r\n Initiated,\r\n ManagementGroupName,\r\n TenantId,\r\n 
Protocol,\r\n Source*,\r\n EventID,\r\n EventLevelName,\r\n EventLevel,_ResourceId\r\n };\r\n parser (disabled)\r\n","parameters":"disabled:bool = false","description":"Network Session Event ASIM parser for Sysmon (Event 3).","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"43261809-eb88-597e-8efa-26bff1194394","name":"_ASim_NetworkSession_MicrosoftSysmonWindowsEventV02","body":"let parser = (disabled:bool = false) {\r\nlet Sysmon3_WindowsEvent=(disabled:bool=false){\r\n WindowsEvent\r\n | where not(disabled) \r\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 3\r\n | extend\r\n SourceIp = tostring(EventData.SourceIp),\r\n DestinationIp = tostring(EventData.DestinationIp),\r\n DstHostname = tostring(EventData.DestinationHostname),\r\n SrcHostname = tostring(EventData.SrcHostname),\r\n RuleName = tostring(EventData.RuleName),\r\n UtcTime = todatetime(EventData.UtcTime),\r\n ProcessId = tostring(EventData.ProcessId),\r\n Image = tostring(EventData.Image),\r\n User = tostring(EventData.User),\r\n Protocol = tostring(EventData.Protocol),\r\n Initiated = tobool(EventData.Initiated), // Initiated indicates the process initiated a connection (meaning outbound)\r\n SourceIsIpv6 = tobool(EventData.SourceIsIpv6),\r\n SourcePort = toint(EventData.SourcePort),\r\n SourcePortName = tostring(EventData.SourcePortName),\r\n DestinationIsIpv6 = tobool(EventData.DestinationIsIpv6),\r\n DestinationPort = toint(EventData.DestinationPort),\r\n DestinationPortName = tostring(EventData.DestinationPortName)\r\n | parse EventData.ProcessGuid with \"{\" ProcessGuid \"}\"\r\n | project-away EventData\r\n | project-away\r\n Provider,\r\n Channel,\r\n Task,\r\n Data,\r\n RawEventData,\r\n EventOriginId\r\n };\r\nSysmon3_WindowsEvent\r\n | extend\r\n AppName = tostring(split(Image, \"\\\\\")[-1])\r\n | extend\r\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\r\n SrcUsername = 
iff(not(Initiated), tostring(User), \"\"),\r\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\r\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\r\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\r\n SrcAppName = iff(not(Initiated), AppName, \"\"),\r\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\r\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\r\n DstUsername = iff(Initiated, tostring(User), \"\"),\r\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\r\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\r\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\r\n DstAppName = iff(Initiated, AppName, \"\"),\r\n DstAppType = iff(Initiated, 'Process', \"\"),\r\n EventUid = _ItemId\r\n | project-away ProcessId, ProcessGuid, Image, AppName\r\n | project-rename \r\n EventStartTime = UtcTime,\r\n Dvc = Computer,\r\n SrcIpAddr = SourceIp,\r\n DstIpAddr = DestinationIp,\r\n DstPortNumber = DestinationPort,\r\n SrcPortNumber = SourcePort,\r\n NetworkRuleName = RuleName \r\n | extend \r\n EventEndTime = EventStartTime,\r\n Hostname = case(\r\n Initiated, DstHostname,\r\n not(Initiated), SrcHostname,\r\n Dvc),\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\r\n IpAddr = SrcIpAddr,\r\n EventType = 'EndpointNetworkSession',\r\n EventCount = int(1),\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.2.5',\r\n EventSchema = 'NetworkSession', \r\n EventProduct = 'Sysmon',\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n DvcOs = 'Windows',\r\n Protocol = toupper(Protocol),\r\n EventOriginalType = '3' // Set with a constant value to avoid parsing \r\n | extend\r\n DvcHostname = Hostname\r\n | extend\r\n SrcHostname = iff( SrcHostname == \"-\", \"\", SrcHostname),\r\n DvcHostname = iff( DvcHostname == \"-\", \"\", DvcHostname),\r\n DstHostname = iff( DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\r\n | 
project-rename\r\n TmpSrcHostname = SrcHostname,\r\n TmpDvcHostname = DvcHostname,\r\n TmpDstHostname = DstHostname\r\n | invoke \r\n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\r\n | invoke \r\n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\r\n | invoke \r\n _ASIM_ResolveDstFQDN('TmpDstHostname')\r\n | project-away\r\n TmpSrcHostname,\r\n TmpDvcHostname,\r\n TmpDstHostname\r\n | extend \r\n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\r\n NetworkProtocol = toupper(Protocol)\r\n | project-away \r\n Destination*,\r\n Initiated,\r\n ManagementGroupName,\r\n TenantId,\r\n Protocol,\r\n Source*,\r\n EventID,\r\n EventLevelName,\r\n EventLevel,Correlation,EventRecordId,Keywords,Opcode,SystemProcessId,SystemThreadId,SystemUserId,TimeCreated,_ResourceId,Version\r\n };\r\n parser (disabled)","parameters":"disabled:bool = false","description":"Network Session Event ASIM parser for Sysmon (Event 3).","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"3c29786d-858d-596b-9cf9-4256677c69b1","name":"_ASim_NetworkSession_MicrosoftWindowsEventFirewallV03","body":"// Data tables for mapping raw values into string\r\n let LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\r\n '%%14596', 'IP Packet',\r\n '%%14597', 'Transport',\r\n '%%14598', 'Forward',\r\n '%%14599', 'Stream',\r\n '%%14600', 'Datagram Data',\r\n '%%14601', 'ICMP Error',\r\n '%%14602', 'MAC 802.3',\r\n '%%14603', 'MAC Native',\r\n '%%14604', 'vSwitch',\r\n '%%14608', 'Resource Assignment',\r\n '%%14609', 'Listen',\r\n '%%14610', 'Receive/Accept',\r\n '%%14611', 'Connect',\r\n '%%14612', 'Flow Established',\r\n '%%14614', 'Resource Release',\r\n '%%14615', 'Endpoint Closure',\r\n '%%14616', 'Connect Redirect',\r\n '%%14617', 'Bind Redirect',\r\n '%%14624', 'Stream Packet'];\r\n let ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\r\n 1, 'ICMP',\r\n 3, 'GGP',\r\n 6, 'TCP',\r\n 8, 
'EGP',\r\n 12, 'PUP',\r\n 17, 'UDP',\r\n 20, 'HMP',\r\n 27, 'RDP',\r\n 46, 'RSVP',\r\n 47, 'PPTP data over GRE',\r\n 50, 'ESP',\r\n 51, 'AH',\r\n 66, 'RVD',\r\n 88, 'IGMP',\r\n 89, 'OSPF'];\r\n let Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\r\n '%%14592', 'Inbound', false,\r\n '%%14593', 'Outbound', true,\r\n '%%14594', 'Forward',false,\r\n '%%14595', 'Bidirectional', false,\r\n '%%14609', 'Listen', false];\r\n ///////////////////////////////////////////////////////\r\n // this query extract data fields from EventData column from SecurityEvent table\r\n ///////////////////////////////////////////////////////\r\n let WindowsFirewall_SecurityEvent=(){ // Event IDs between (5151 .. 5159)\r\n // will be extracting Event specific fields from 'EventData' field\r\n let SecurityEventProjected =\r\n SecurityEvent\r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\r\n ;\r\n let SecurityEvent_5152 = \r\n SecurityEventProjected | where not(disabled)\r\n | where EventID==5152\r\n | parse EventData with * ''ProcessId:string''\r\n '\\x0d\\x0a 'Application''\r\n '\\x0d\\x0a 'DirectionCode''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'DstIpAddr:string''\r\n '\\x0d\\x0a 'DstPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''*\r\n | project-away EventData;\r\n let SecurityEvent_5154_5155_5158_5159 =\r\n SecurityEventProjected | where not(disabled)\r\n | where EventID in (5154, 5155, 5158, 5159)\r\n | parse EventData with * ''ProcessId:string'' \r\n '\\x0d\\x0a 'Application''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''*\r\n | extend DirectionCode = \"%%14609\"\r\n | project-away EventData;\r\n let 
SecurityEvent_5156_5157 =\r\n SecurityEventProjected | where not(disabled)\r\n | where EventID in (5156, 5157)\r\n | parse EventData with * ''ProcessId:string''\r\n '\\x0d\\x0a 'Application:string''\r\n '\\x0d\\x0a 'DirectionCode:string''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'DstIpAddr:string''\r\n '\\x0d\\x0a 'DstPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''\r\n '\\x0d\\x0a 'RemoteUserID''\r\n '\\x0d\\x0a 'RemoteMachineID''*\r\n | project-away EventData;\r\n union SecurityEvent_5152, SecurityEvent_5156_5157, SecurityEvent_5154_5155_5158_5159\r\n | lookup Directions on DirectionCode\r\n | project-rename DvcHostname = Computer\r\n | extend\r\n SrcAppName = iff(isOutBound, Application, \"\"),\r\n DstAppName = iff(not(isOutBound), Application, \"\"),\r\n SrcDvcId = iff(isOutBound, RemoteMachineID, \"\"),\r\n DstDvcId = iff(not(isOutBound), RemoteMachineID, \"\"),\r\n SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\r\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\r\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\r\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\"),\r\n DstHostname = iff(isOutBound, \"\", DvcHostname),\r\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\r\n | project-away Application, RemoteMachineID, RemoteUserID, ProcessId\r\n };\r\n //////////////////////////////////////////////////////\r\n // this query extract the data from WindowsEvent table\r\n //////////////////////////////////////////////////////\r\n let WindowsFirewall_WindowsEvent=(){ \r\n WindowsEvent | where not(disabled)\r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\r\n | where EventID between (5150 .. 
5159)\r\n | project-rename DvcHostname = Computer\r\n | extend \r\n EventSeverity=tostring(EventData.Severity),\r\n LayerCode = tostring(EventData.LayerName),\r\n NetworkRuleNumber = toint(EventData.FilterRTID),\r\n Protocol = toint(EventData.Protocol),\r\n DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), \"%%14609\",tostring(EventData.Direction))\r\n | lookup Directions on DirectionCode \r\n | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), \"\"),\r\n DstAppName = iff(not(isOutBound), tostring(EventData.Application), \"\"),\r\n SrcIpAddr = tostring(EventData.SourceAddress),\r\n DstIpAddr = tostring(EventData.DestAddress),\r\n SrcDvcId = iff(isOutBound, tostring(EventData.RemoteMachineID), \"\"),\r\n DstDvcId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), \"\"),\r\n SrcPortNumber=toint(EventData.SourcePort),\r\n DstPortNumber=toint(EventData.DestPort),\r\n SrcProcessId = iff(isOutBound, tostring(EventData.ProcessId), \"\"),\r\n DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), \"\"),\r\n DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), \"\"),\r\n SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), \"\"),\r\n DstHostname = iff(isOutBound, \"\", DvcHostname),\r\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\r\n | project-away EventData\r\n };\r\n // Main query -> outputs both schemas as one normalized table\r\n union WindowsFirewall_SecurityEvent, WindowsFirewall_WindowsEvent \r\n | extend \r\n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\r\n DvcOs = 'Windows',\r\n DstAppType = \"Process\",\r\n DstUserIdType = \"SID\",\r\n SrcAppType = \"Process\",\r\n SrcUserIdType = \"SID\",\r\n EventType = \"NetworkSession\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion=\"0.2.0\",\r\n EventCount=toint(1),\r\n EventVendor = \"Microsoft\",\r\n EventProduct = \"Windows Firewall\",\r\n EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", 
\"Failure\"),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\"),\r\n EventOriginalType = tostring(EventID),\r\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\r\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\r\n // aliases\r\n | extend\r\n Dvc = DvcHostname,\r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Rule = tostring (NetworkRuleNumber)\r\n | lookup LayerCodeTable on LayerCode\r\n | lookup ProtocolTable on Protocol\r\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID, LayerRTID","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Microsoft Windows Firewall Events.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"d8b3754f-61e3-57d3-8acf-0e19df9f5477","name":"_ASim_NetworkSession_MicrosoftWindowsEventFirewallV04","body":"// Data tables for mapping raw values into string\r\n let LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\r\n '%%14596', 'IP Packet',\r\n '%%14597', 'Transport',\r\n '%%14598', 'Forward',\r\n '%%14599', 'Stream',\r\n '%%14600', 'Datagram Data',\r\n '%%14601', 'ICMP Error',\r\n '%%14602', 'MAC 802.3',\r\n '%%14603', 'MAC Native',\r\n '%%14604', 'vSwitch',\r\n '%%14608', 'Resource Assignment',\r\n '%%14609', 'Listen',\r\n '%%14610', 'Receive/Accept',\r\n '%%14611', 'Connect',\r\n '%%14612', 'Flow Established',\r\n '%%14614', 'Resource Release',\r\n '%%14615', 'Endpoint Closure',\r\n '%%14616', 'Connect Redirect',\r\n '%%14617', 'Bind Redirect',\r\n '%%14624', 'Stream Packet'];\r\n let ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\r\n 1, 'ICMP',\r\n 3, 'GGP',\r\n 6, 'TCP',\r\n 8, 'EGP',\r\n 12, 'PUP',\r\n 17, 'UDP',\r\n 20, 'HMP',\r\n 27, 'RDP',\r\n 46, 'RSVP',\r\n 47, 'PPTP data over GRE',\r\n 50, 'ESP',\r\n 
51, 'AH',\r\n 66, 'RVD',\r\n 88, 'IGMP',\r\n 89, 'OSPF'];\r\n let Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\r\n '%%14592', 'Inbound', false,\r\n '%%14593', 'Outbound', true,\r\n '%%14594', 'Forward',false,\r\n '%%14595', 'Bidirectional', false,\r\n '%%14609', 'Listen', false];\r\n ///////////////////////////////////////////////////////\r\n // this query extract data fields from EventData column from SecurityEvent table\r\n ///////////////////////////////////////////////////////\r\n let WindowsFirewall_SecurityEvent=(){ // Event IDs between (5151 .. 5159)\r\n // will be extracting Event specific fields from 'EventData' field\r\n let SecurityEventProjected =\r\n SecurityEvent\r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\r\n ;\r\n let SecurityEvent_5152 = \r\n SecurityEventProjected | where not(disabled)\r\n | where EventID==5152\r\n | parse EventData with * ''ProcessId:string''\r\n '\\x0d\\x0a 'Application''\r\n '\\x0d\\x0a 'DirectionCode''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'DstIpAddr:string''\r\n '\\x0d\\x0a 'DstPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''*\r\n | project-away EventData;\r\n let SecurityEvent_5154_5155_5158_5159 =\r\n SecurityEventProjected | where not(disabled)\r\n | where EventID in (5154, 5155, 5158, 5159)\r\n | parse EventData with * ''ProcessId:string'' \r\n '\\x0d\\x0a 'Application''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''*\r\n | extend DirectionCode = \"%%14609\"\r\n | project-away EventData;\r\n let SecurityEvent_5156_5157 =\r\n SecurityEventProjected | where not(disabled)\r\n | where EventID in (5156, 5157)\r\n | parse EventData 
with * ''ProcessId:string''\r\n '\\x0d\\x0a 'Application:string''\r\n '\\x0d\\x0a 'DirectionCode:string''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'DstIpAddr:string''\r\n '\\x0d\\x0a 'DstPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''\r\n '\\x0d\\x0a 'RemoteUserID''\r\n '\\x0d\\x0a 'RemoteMachineID''*\r\n | project-away EventData;\r\n union SecurityEvent_5152, SecurityEvent_5156_5157, SecurityEvent_5154_5155_5158_5159\r\n | lookup Directions on DirectionCode\r\n | project-rename DvcHostname = Computer\r\n | extend\r\n SrcAppName = iff(isOutBound, Application, \"\"),\r\n DstAppName = iff(not(isOutBound), Application, \"\"),\r\n SrcDvcId = iff(isOutBound, RemoteMachineID, \"\"),\r\n DstDvcId = iff(not(isOutBound), RemoteMachineID, \"\"),\r\n SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\r\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\r\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\r\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\"),\r\n DstHostname = iff(isOutBound, \"\", DvcHostname),\r\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\r\n | project-away Application, RemoteMachineID, RemoteUserID, ProcessId\r\n };\r\n //////////////////////////////////////////////////////\r\n // this query extract the data from WindowsEvent table\r\n //////////////////////////////////////////////////////\r\n let WindowsFirewall_WindowsEvent=(){ \r\n WindowsEvent | where not(disabled)\r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\r\n | where EventID between (5150 .. 
5159)\r\n | project-rename DvcHostname = Computer\r\n | extend \r\n EventSeverity=tostring(EventData.Severity),\r\n LayerCode = tostring(EventData.LayerName),\r\n NetworkRuleNumber = toint(EventData.FilterRTID),\r\n Protocol = toint(EventData.Protocol),\r\n DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), \"%%14609\",tostring(EventData.Direction))\r\n | lookup Directions on DirectionCode \r\n | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), \"\"),\r\n DstAppName = iff(not(isOutBound), tostring(EventData.Application), \"\"),\r\n SrcIpAddr = tostring(EventData.SourceAddress),\r\n DstIpAddr = tostring(EventData.DestAddress),\r\n SrcDvcId = iff(isOutBound, tostring(EventData.RemoteMachineID), \"\"),\r\n DstDvcId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), \"\"),\r\n SrcPortNumber=toint(EventData.SourcePort),\r\n DstPortNumber=toint(EventData.DestPort),\r\n SrcProcessId = iff(isOutBound, tostring(EventData.ProcessId), \"\"),\r\n DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), \"\"),\r\n DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), \"\"),\r\n SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), \"\"),\r\n DstHostname = iff(isOutBound, \"\", DvcHostname),\r\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\r\n | project-away EventData\r\n };\r\n // Main query -> outputs both schemas as one normalized table\r\n union WindowsFirewall_SecurityEvent, WindowsFirewall_WindowsEvent \r\n | extend \r\n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\r\n DvcOs = 'Windows',\r\n DstAppType = \"Process\",\r\n SrcUserIdType = iff (SrcUserId \"S-1-0-0\", \"SID\", \"\"),\r\n SrcUserId = iff (SrcUserId \"S-1-0-0\", SrcUserId, \"\"),\r\n DstUserIdType = iff (DstUserId \"S-1-0-0\", \"SID\", \"\"),\r\n DstUserId = iff (DstUserId \"S-1-0-0\", DstUserId, \"\"),\r\n SrcAppType = \"Process\",\r\n EventType = \"NetworkSession\",\r\n EventSchema = \"NetworkSession\",\r\n 
EventSchemaVersion=\"0.2.0\",\r\n EventCount=toint(1),\r\n EventVendor = \"Microsoft\",\r\n EventProduct = \"Windows Firewall\",\r\n EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\"),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\"),\r\n EventOriginalType = tostring(EventID),\r\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\r\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\r\n // aliases\r\n | extend\r\n Dvc = DvcHostname,\r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Rule = tostring (NetworkRuleNumber)\r\n | lookup LayerCodeTable on LayerCode\r\n | lookup ProtocolTable on Protocol\r\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID, LayerRTID","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Microsoft Windows Firewall Events.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"e55278df-daa7-5d5c-934c-19afc6d3f13e","name":"_ASim_NetworkSession_MicrosoftWindowsEventFirewallV05","body":"// Data tables for mapping raw values into string\r\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\r\n '%%14596', 'IP Packet',\r\n '%%14597', 'Transport',\r\n '%%14598', 'Forward',\r\n '%%14599', 'Stream',\r\n '%%14600', 'Datagram Data',\r\n '%%14601', 'ICMP Error',\r\n '%%14602', 'MAC 802.3',\r\n '%%14603', 'MAC Native',\r\n '%%14604', 'vSwitch',\r\n '%%14608', 'Resource Assignment',\r\n '%%14609', 'Listen',\r\n '%%14610', 'Receive/Accept',\r\n '%%14611', 'Connect',\r\n '%%14612', 'Flow Established',\r\n '%%14614', 'Resource Release',\r\n '%%14615', 'Endpoint Closure',\r\n '%%14616', 'Connect Redirect',\r\n '%%14617', 'Bind Redirect',\r\n '%%14624', 'Stream Packet'];\r\nlet ProtocolTable = datatable (Protocol:int, 
NetworkProtocol: string)[\r\n 1, 'ICMP',\r\n 3, 'GGP',\r\n 6, 'TCP',\r\n 8, 'EGP',\r\n 12, 'PUP',\r\n 17, 'UDP',\r\n 20, 'HMP',\r\n 27, 'RDP',\r\n 46, 'RSVP',\r\n 47, 'PPTP data over GRE',\r\n 50, 'ESP',\r\n 51, 'AH',\r\n 66, 'RVD',\r\n 88, 'IGMP',\r\n 89, 'OSPF'];\r\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\r\n '%%14592', 'Inbound', false,\r\n '%%14593', 'Outbound', true,\r\n '%%14594', 'Forward',false,\r\n '%%14595', 'Bidirectional', false,\r\n '%%14609', 'Listen', false];\r\n//////////////////////////////////////////////////////\r\n// this query extract the data from WindowsEvent table\r\n//////////////////////////////////////////////////////\r\nlet parser = (disabled: bool=false) {\r\nlet WindowsFirewall_WindowsEvent=(){ \r\n WindowsEvent | where not(disabled)\r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\r\n | where EventID between (5150 .. 5159)\r\n | project-rename DvcHostname = Computer\r\n | extend \r\n EventSeverity=tostring(EventData.Severity),\r\n LayerCode = tostring(EventData.LayerName),\r\n NetworkRuleNumber = toint(EventData.FilterRTID),\r\n Protocol = toint(EventData.Protocol),\r\n DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), \"%%14609\",tostring(EventData.Direction))\r\n | lookup Directions on DirectionCode \r\n | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), \"\"),\r\n DstAppName = iff(not(isOutBound), tostring(EventData.Application), \"\"),\r\n SrcIpAddr = tostring(EventData.SourceAddress),\r\n DstIpAddr = tostring(EventData.DestAddress),\r\n SrcDvcId = iff(isOutBound, tostring(EventData.RemoteMachineID), \"\"),\r\n DstDvcId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), \"\"),\r\n SrcPortNumber=toint(EventData.SourcePort),\r\n DstPortNumber=toint(EventData.DestPort),\r\n SrcProcessId = iff(isOutBound, tostring(EventData.ProcessId), \"\"),\r\n DstProcessId = iff(not(isOutBound), 
tostring(EventData.ProcessId), \"\"),\r\n DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), \"\"),\r\n SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), \"\"),\r\n DstHostname = iff(isOutBound, \"\", DvcHostname),\r\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\r\n | project-away EventData\r\n };\r\n// Main query -> outputs both schemas as one normalized table\r\nWindowsFirewall_WindowsEvent \r\n | extend \r\n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\r\n DvcOs = 'Windows',\r\n DstAppType = \"Process\",\r\n SrcUserIdType = iff (SrcUserId \"S-1-0-0\", \"SID\", \"\"),\r\n SrcUserId = iff (SrcUserId \"S-1-0-0\", SrcUserId, \"\"),\r\n DstUserIdType = iff (DstUserId \"S-1-0-0\", \"SID\", \"\"),\r\n DstUserId = iff (DstUserId \"S-1-0-0\", DstUserId, \"\"),\r\n SrcAppType = \"Process\",\r\n EventType = \"NetworkSession\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion=\"0.2.0\",\r\n EventCount=toint(1),\r\n EventVendor = \"Microsoft\",\r\n EventProduct = \"Windows Firewall\",\r\n EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\"),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\"),\r\n EventOriginalType = tostring(EventID),\r\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\r\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\r\n // aliases\r\n | extend\r\n Dvc = DvcHostname,\r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Rule = tostring (NetworkRuleNumber)\r\n | lookup LayerCodeTable on LayerCode\r\n | lookup ProtocolTable on Protocol\r\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID,_ResourceId,_SubscriptionId\r\n }; \r\n parser(disabled=disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Microsoft Windows Firewall 
Events.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"3884854a-6d4e-52f2-9725-03044e787b76","name":"_ASim_NetworkSession_NTANetAnalyticsV01","body":"let parser = (\r\n disabled: bool = false\r\n) {\r\nlet DvcActionLookup=datatable(FlowStatus:string, DvcAction:string, EventResult: string, EventSeverity: string)\r\n[\r\n \"Allowed\", \"Allow\", \"Success\", \"Informational\",\r\n \"Denied\", \"Deny\", \"Failure\", \"Low\",\r\n];\r\nlet ProtocolLookup=datatable(L4Protocol:string, NetworkProtocol:string)\r\n[\r\n \"T\", \"TCP\",\r\n \"U\", \"UDP\",\r\n \"TCP\", \"TCP\",\r\n \"UDP\", \"UDP\",\r\n \"ICMP\", \"ICMP\",\r\n];\r\nNTANetAnalytics\r\n| where not(disabled)\r\n| where SubType == \"FlowLog\"\r\n// Pre-filter DvcAction\r\n| lookup DvcActionLookup on FlowStatus\r\n| extend\r\n SrcHostname = case(isnotempty(SrcVm), extract(@\"([^/]+)$\", 1, SrcVm),\"\"),\r\n DstHostname = case(isnotempty(DestVm), extract(@\"([^/]+)$\", 1, SrcVm),\"\"),\r\n SrcPortNumber = toint(split(SrcPorts, \"|\")[0])\r\n| lookup ProtocolLookup on L4Protocol\r\n| extend\r\n EventCount = toint(iif(CompletedFlows != 0, CompletedFlows, 1)),\r\n EventType = \"Flow\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion = \"0.2.6\",\r\n EventProduct = \"Azure NSG flows\",\r\n EventVendor = \"Microsoft\",\r\n Dvc = \"Azure NSG flows\"\r\n| project-rename\r\n EventStartTime = FlowStartTime,\r\n EventEndTime = FlowEndTime,\r\n DstPortNumber = DestPort,\r\n SrcBytes = BytesSrcToDest,\r\n DstBytes = BytesDestToSrc,\r\n SrcPackets = PacketsSrcToDest,\r\n DstPackets = PacketsDestToSrc,\r\n SrcGeoCountry = Country,\r\n NetworkDirection = FlowDirection,\r\n SrcSubscriptionId = SrcSubscription,\r\n DstSubscriptionId = DestSubscription,\r\n EventUid = _ItemId,\r\n NetworkRuleName = AclRule,\r\n SrcInterfaceName = SrcNic,\r\n DstInterfaceName = DestNic\r\n// Map other values\r\n| extend DestPublicIpsList = 
split(replace_string(DestPublicIps, \" \", \"|\"), \"|\")\r\n| mv-apply Ips = DestPublicIpsList to typeof(string) on (\r\n extend length = strlen(Ips)\r\n | where length >= 7 // Max string length of a IPv4 address is 7 (1.2.3.4)\r\n | summarize DestPublicIpsList = make_list(Ips)\r\n)\r\n| extend SrcPublicIpsList = split(replace_string(SrcPublicIps, \" \", \"|\"), \"|\")\r\n| mv-apply Ips = SrcPublicIpsList to typeof(string) on (\r\n extend length = strlen(Ips)\r\n | where length >= 7 // Max string length of a IPv4 address is 7 (1.2.3.4)\r\n | summarize SrcPublicIpsList = make_list(Ips)\r\n)\r\n| extend AdditionalFields = bag_pack(\r\n \"SrcIpAddresses\", SrcPublicIpsList,\r\n \"DstIpAddresses\", DestPublicIpsList)\r\n| extend\r\n SrcIpAddr = iff(isnotempty(SrcIp), SrcIp, SrcPublicIpsList[0]),\r\n DstIpAddr = iff(isnotempty(DestIp), DestIp, DestPublicIpsList[0])\r\n| extend \r\n NetworkPackets = SrcPackets + DstPackets,\r\n NetworkBytes = SrcBytes + DstBytes,\r\n EventOriginalResultDetails = case(\r\n FlowType == \"Malicious\", \"Malicious\",\r\n FlowType == \"Unknown\", \"Unknown\",\r\n FlowType == \"Unknown Private\", \"Unknown\",\r\n \"\"),\r\n DstHostname = coalesce(DstHostname, DstIpAddr),\r\n SrcHostname = coalesce(SrcHostname, SrcIpAddr),\r\n NetworkApplicationProtocol = toupper(L7Protocol),\r\n Src = coalesce(SrcHostname, SrcIpAddr),\r\n Dst = coalesce(DstHostname, DstIpAddr),\r\n DstDvcScopeId = DstSubscriptionId,\r\n SrcDvcScopeId = SrcSubscriptionId,\r\n SrcZone = case(\r\n FlowType == \"IntraVNet\", \"Internal\",\r\n FlowType == \"ExternalPublic\", \"Internet\",\r\n FlowType == \"AzurePublic\", \"Azure\",\r\n FlowType == \"InterVNet\", \"Internal\",\r\n FlowType == \"S2S\", \"S2S\",\r\n FlowType == \"P2S\", \"P2S\",\r\n \"Unknown\"\r\n ),\r\n DstDvcId = case(NetworkDirection == \"Inbound\", TargetResourceId, \"\"),\r\n DstDvcIdType = case(NetworkDirection == \"Inbound\", \"AzureResourceId\", \"\"),\r\n SrcDvcId = case(NetworkDirection == \"Outbound\", 
TargetResourceId, \"\"),\r\n SrcDvcIdType = case(NetworkDirection == \"Outbound\", \"AzureResourceId\", \"\"),\r\n DstMacAddr = case(NetworkDirection == \"Inbound\", MacAddress, \"\"),\r\n SrcMacAddr = case(NetworkDirection == \"Outbound\", MacAddress, \"\"),\r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr\r\n| project \r\n EventStartTime,\r\n EventEndTime,\r\n EventSchema,\r\n TimeGenerated,\r\n AdditionalFields,\r\n SrcIpAddr,\r\n DstIpAddr,\r\n SrcHostname,\r\n DstHostname,\r\n DstPortNumber,\r\n NetworkDirection,\r\n SrcSubscriptionId,\r\n DstSubscriptionId,\r\n DstDvcScopeId,\r\n DstDvcScope = DstSubscriptionId,\r\n SrcDvcScopeId,\r\n SrcDvcScope = SrcSubscriptionId,\r\n SrcInterfaceName,\r\n DstInterfaceName,\r\n SrcGeoCountry,\r\n DstPackets,\r\n SrcPackets,\r\n NetworkPackets,\r\n DstBytes,\r\n SrcBytes,\r\n NetworkBytes,\r\n NetworkRuleName,\r\n Type,\r\n EventUid,\r\n DvcAction,\r\n EventResult,\r\n EventSeverity,\r\n SrcPortNumber,\r\n NetworkProtocol,\r\n EventCount,\r\n EventType,\r\n EventSchemaVersion,\r\n EventProduct,\r\n EventVendor,\r\n Dvc,\r\n NetworkApplicationProtocol,\r\n Src,\r\n Dst,\r\n DstMacAddr,\r\n SrcMacAddr,\r\n Hostname,\r\n IpAddr,\r\n DstDvcId,\r\n DstDvcIdType,\r\n SrcDvcId,\r\n SrcDvcIdType,\r\n SrcZone\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for NTANetAnalytics.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"6de16aaf-29eb-5a55-b863-8935487a9bec","name":"_ASim_NetworkSession_NativeV01","body":"let parser=(disabled:bool=false) \r\n{\r\n ASimNetworkSessionLogs | where not(disabled)\r\n | extend\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventSchema = \"NetworkSession\"\r\n // -- Aliases\r\n | extend\r\n IpAddr=SrcIpAddr,\r\n Src=SrcIpAddr,\r\n Dst=DstIpAddr,\r\n Dvc = coalesce (DvcFQDN, DvcHostname, SrcIpAddr, DvcId),\r\n Rule = 
coalesce(NetworkRuleName, tostring(NetworkRuleNumber)),\r\n Duration = NetworkDuration,\r\n SessionId = NetworkSessionId,\r\n User = DstUsername,\r\n Hostname = DstHostname,\r\n InnerVlanId = SrcVlanId,\r\n OuterVlanId = DstVlanId\r\n | project-away\r\n TenantId, SourceSystem\r\n};\r\nparser (disabled)\r\n","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Microsoft Sentinel native Network Session table.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"a559199e-b624-52f2-b029-73a9535421da","name":"_ASim_NetworkSession_NativeV02","body":"let parser=(disabled:bool=false) \r\n{\r\n ASimNetworkSessionLogs | where not(disabled)\r\n | project-rename\r\n EventUid = _ItemId\r\n | extend \r\n EventSchema = \"NetworkSession\",\r\n DvcScopeId = iff(isempty(DvcSubscriptionId), _SubscriptionId, DvcSubscriptionId)\r\n // -- Aliases\r\n | extend\r\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\r\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\r\n Dvc = iff (isempty(Dvc), coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId), Dvc),\r\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\r\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\r\n DvcInterface = iff(isempty(DvcInterface), coalesce(DvcInboundInterface, DvcOutboundInterface), DvcInterface),\r\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\r\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\r\n Rule = coalesce(NetworkRuleName, tostring(NetworkRuleNumber)),\r\n Duration = NetworkDuration,\r\n SessionId = NetworkSessionId,\r\n User = DstUsername,\r\n InnerVlanId = SrcVlanId,\r\n OuterVlanId = DstVlanId\r\n | project-away\r\n TenantId, SourceSystem, DvcSubscriptionId, _SubscriptionId, 
_ResourceId\r\n };\r\nparser (disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Microsoft Sentinel native Network Session table.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"ec935ea2-52a9-59c4-90f1-d9402a477805","name":"_ASim_NetworkSession_NativeV03","body":"let parser=(disabled:bool=false) \r\n{\r\n ASimNetworkSessionLogs | where not(disabled)\r\n | project-rename\r\n EventUid = _ItemId\r\n | extend \r\n EventSchema = \"NetworkSession\",\r\n DvcScopeId = iff(isempty(DvcSubscriptionId), _SubscriptionId, DvcSubscriptionId)\r\n // -- Aliases\r\n | extend\r\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\r\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\r\n Dvc = case(EventType == 'L2NetworkSession',\r\n coalesce (DvcFQDN, DvcHostname, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\r\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct))\r\n ),\r\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\r\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\r\n DvcInterface = iff(isempty(DvcInterface), coalesce(DvcInboundInterface, DvcOutboundInterface), DvcInterface),\r\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\r\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\r\n Rule = coalesce(NetworkRuleName, tostring(NetworkRuleNumber)),\r\n Duration = NetworkDuration,\r\n SessionId = NetworkSessionId,\r\n User = DstUsername,\r\n InnerVlanId = SrcVlanId,\r\n OuterVlanId = DstVlanId\r\n | project-away\r\n TenantId, SourceSystem, DvcSubscriptionId, _SubscriptionId, _ResourceId\r\n };\r\nparser (disabled=disabled)\r\n","parameters":"disabled:bool = 
false","description":"Network Session ASIM parser for Microsoft Sentinel native Network Session table.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"77083011-7edc-5791-8618-f1f9158ea41b","name":"_ASim_NetworkSession_PaloAltoCEFV04","body":"let Actions=datatable(DeviceAction:string,DvcAction:string)\r\n[ \"reset client\",\"Reset Source\"\r\n, \"reset server\",\"Reset Destination\"\r\n, \"reset both\", \"Reset\"\r\n, \"allow\",\"Allow\"\r\n, \"deny\",\"Deny\"\r\n, \"drop\", \"Drop\"\r\n, \"drop ICMP\", \"Drop ICMP\"];\r\nlet NWParser=(disabled:bool=false){\r\nCommonSecurityLog | where not(disabled)\r\n| where DeviceVendor==\"Palo Alto Networks\" and (Activity==\"TRAFFIC\")\r\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long \",PanOSPacketsSent=\" SrcPackets:long \",start=\"EventStartTime \",reason=\"*\r\n| project-rename \r\n EventProductVersion=DeviceVersion // Not Documented\r\n , Dvc=DeviceName \r\n , NetworkApplicationProtocol=ApplicationProtocol\r\n , SrcZone=DeviceCustomString4 \r\n , DstZone=DeviceCustomString5\r\n , NetworkRuleName=DeviceCustomString1\r\n , SrcUsername=SourceUserName \r\n , DstUsername=DestinationUserName \r\n , EventOriginalSeverity=LogSeverity // not documented\r\n , SrcNatIpAddr=SourceTranslatedAddress\r\n , DstNatIpAddr=DestinationTranslatedAddress\r\n , PaloAltoFlags=FlexString1 // Flags\r\n| extend\r\nEventVendor=\"Palo Alto\"\r\n ,EventProduct=\"PanOS\" // Not Documented\r\n , SrcBytes=tolong(SentBytes)\r\n , DstBytes=tolong(ReceivedBytes) \r\n , NetworkPackets=tolong(DeviceCustomNumber2) \r\n , NetworkProtocol=toupper(Protocol)\r\n , NetworkBytes=tolong(FlexNumber1)\r\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\r\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\r\n , EventType=\"NetworkSession\"\r\n , 
EventCount=toint(1)\r\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\r\n , NetworkSessionId=tostring(DeviceCustomNumber1)\r\n , NetworkDuration=toint(1000*DeviceCustomNumber3)\r\n , EventSchemaVersion=\"0.2.1\"\r\n , EventSchema=\"NetworkSession\"\r\n , EventSeverity = \"Informational\"\r\n , EventStartTime=coalesce(todatetime(EventStartTime), TimeGenerated)\r\n| extend hostelements=split(Dvc,'.')\r\n| extend DvcHostname=tostring(hostelements[0])\r\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\r\n| extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\r\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\r\n| project-away hostelements\r\n| lookup Actions on DeviceAction\r\n| project-rename\r\n DstMacAddr=DestinationMACAddress\r\n , SrcMacAddr=SourceMACAddress\r\n , DstIpAddr=DestinationIP\r\n , DstPortNumber=DestinationPort\r\n , DstNatPortNumber=DestinationTranslatedPort\r\n , SrcPortNumber=SourcePort\r\n , SrcIpAddr=SourceIP\r\n , SrcNatPortNumber=SourceTranslatedPort\r\n , DvcOutboundInterface=DeviceOutboundInterface\r\n , DvcInboundInterface=DeviceInboundInterface\r\n , EventMessage=Message\r\n , DvcOriginalAction=DeviceAction\r\n// -- Aliases\r\n| extend\r\nIpAddr = SrcIpAddr,\r\nRule=NetworkRuleName,\r\nDst=DstIpAddr,\r\n// Host=DstHostname, \r\nUser=DstUsername,\r\nDuration=NetworkDuration,\r\nSessionId=NetworkSessionId,\r\nEventEndTime =EventStartTime,\r\nSrc=SrcIpAddr\r\n};\r\nNWParser(disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Palo Alto PanOS.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"00efb338-e9e3-514d-a25f-4c37f14f4898","name":"_ASim_NetworkSession_PaloAltoCEFV05","body":"let Actions=datatable(DeviceAction:string,DvcAction:string)\r\n[ \"reset client\",\"Reset Source\"\r\n, \"reset server\",\"Reset Destination\"\r\n, \"reset both\", \"Reset\"\r\n, \"allow\",\"Allow\"\r\n, 
\"deny\",\"Deny\"\r\n, \"drop\", \"Drop\"\r\n, \"drop ICMP\", \"Drop ICMP\"];\r\nlet NWParser=(disabled:bool=false){\r\nCommonSecurityLog | where not(disabled)\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == \"TRAFFIC\"\r\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\r\n // -- Adjustment to support both old and new CSL fields.\r\n| extend \r\n EventStartTime = coalesce(\r\n todatetime(StartTime), \r\n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\r\n datetime(null)\r\n ),\r\n EventOriginalResultDetails = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\r\n \"\"\r\n )\r\n| project-rename \r\n EventProductVersion=DeviceVersion // Not Documented\r\n , Dvc=DeviceName \r\n , NetworkApplicationProtocol=ApplicationProtocol\r\n , SrcZone=DeviceCustomString4 \r\n , DstZone=DeviceCustomString5\r\n , NetworkRuleName=DeviceCustomString1\r\n , SrcUsername=SourceUserName \r\n , DstUsername=DestinationUserName \r\n , EventOriginalSeverity=LogSeverity // not documented\r\n , SrcNatIpAddr=SourceTranslatedAddress\r\n , DstNatIpAddr=DestinationTranslatedAddress\r\n , PaloAltoFlags=FlexString1 // Flags\r\n| extend\r\nEventVendor=\"Palo Alto\"\r\n ,EventProduct=\"PanOS\" // Not Documented\r\n , SrcBytes=tolong(SentBytes)\r\n , DstBytes=tolong(ReceivedBytes) \r\n , NetworkProtocol=toupper(Protocol)\r\n , NetworkBytes=tolong(FlexNumber1)\r\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\r\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\r\n , EventType=\"NetworkSession\"\r\n , EventCount=toint(1)\r\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\r\n // -- Adjustment to support both old and new CSL fields.\r\n , NetworkPackets = 
coalesce(\r\n tolong(column_ifexists(\"fieldDeviceCustomNumber2\", long(null))),\r\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\r\n )\r\n , NetworkSessionId = coalesce(\r\n tostring(column_ifexists(\"fieldDeviceCustomNumber1\", long(null))),\r\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\r\n )\r\n , NetworkDuration= coalesce(\r\n toint(1000*column_ifexists(\"fieldDeviceCustomNumber3\", 0)),\r\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\r\n int(null)\r\n )\r\n , EventSchemaVersion=\"0.2.1\"\r\n , EventSchema=\"NetworkSession\"\r\n , EventSeverity = \"Informational\"\r\n| extend hostelements=split(Dvc,'.')\r\n| extend DvcHostname=tostring(hostelements[0])\r\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\r\n| extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\r\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\r\n| project-away hostelements\r\n| lookup Actions on DeviceAction\r\n| project-rename\r\n DstMacAddr=DestinationMACAddress\r\n , SrcMacAddr=SourceMACAddress\r\n , DstIpAddr=DestinationIP\r\n , DstPortNumber=DestinationPort\r\n , DstNatPortNumber=DestinationTranslatedPort\r\n , SrcPortNumber=SourcePort\r\n , SrcIpAddr=SourceIP\r\n , SrcNatPortNumber=SourceTranslatedPort\r\n , DvcOutboundInterface=DeviceOutboundInterface\r\n , DvcInboundInterface=DeviceInboundInterface\r\n , EventMessage=Message\r\n , DvcOriginalAction=DeviceAction\r\n// -- Aliases\r\n| extend\r\nIpAddr = SrcIpAddr,\r\nRule=NetworkRuleName,\r\nDst=DstIpAddr,\r\n// Host=DstHostname, \r\nUser=DstUsername,\r\nDuration=NetworkDuration,\r\nSessionId=NetworkSessionId,\r\nEventEndTime =EventStartTime,\r\nSrc=SrcIpAddr\r\n};\r\nNWParser (disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Palo Alto 
PanOS.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"1c61f70e-ed3a-57bc-8461-05248f2034dd","name":"_ASim_NetworkSession_PaloAltoCEFV06","body":"let Actions=datatable(DeviceAction:string,DvcAction:string)\r\n[ \"reset client\",\"Reset Source\"\r\n, \"reset server\",\"Reset Destination\"\r\n, \"reset both\", \"Reset\"\r\n, \"allow\",\"Allow\"\r\n, \"deny\",\"Deny\"\r\n, \"drop\", \"Drop\"\r\n, \"drop ICMP\", \"Drop ICMP\"];\r\nlet NWParser=(disabled:bool=false){\r\nCommonSecurityLog | where not(disabled)\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == \"TRAFFIC\"\r\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\r\n // -- Adjustment to support both old and new CSL fields.\r\n| extend \r\n EventStartTime = coalesce(\r\n todatetime(StartTime), \r\n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\r\n datetime(null)\r\n ),\r\n EventOriginalResultDetails = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\r\n \"\"\r\n )\r\n| project-rename \r\n EventProductVersion=DeviceVersion // Not Documented\r\n , Dvc=DeviceName \r\n , NetworkApplicationProtocol=ApplicationProtocol\r\n , SrcZone=DeviceCustomString4 \r\n , DstZone=DeviceCustomString5\r\n , NetworkRuleName=DeviceCustomString1\r\n , SrcUsername=SourceUserName \r\n , DstUsername=DestinationUserName \r\n , EventOriginalSeverity=LogSeverity // not documented\r\n , SrcNatIpAddr=SourceTranslatedAddress\r\n , DstNatIpAddr=DestinationTranslatedAddress\r\n , PaloAltoFlags=FlexString1 // Flags\r\n| extend\r\nEventVendor=\"Palo Alto\"\r\n ,EventProduct=\"PanOS\" // Not Documented\r\n , SrcBytes=tolong(SentBytes)\r\n , DstBytes=tolong(ReceivedBytes) \r\n , NetworkProtocol=toupper(Protocol)\r\n , NetworkBytes=tolong(FlexNumber1)\r\n , 
SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\r\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\r\n , EventType=\"NetworkSession\"\r\n , EventCount=toint(1)\r\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\r\n // -- Adjustment to support both old and new CSL fields.\r\n , NetworkPackets = coalesce(\r\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\r\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\r\n )\r\n , NetworkSessionId = coalesce(\r\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\r\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\r\n )\r\n , NetworkDuration= coalesce(\r\n toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\r\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\r\n int(null)\r\n )\r\n , EventSchemaVersion=\"0.2.1\"\r\n , EventSchema=\"NetworkSession\"\r\n , EventSeverity = \"Informational\"\r\n| extend hostelements=split(Dvc,'.')\r\n| extend DvcHostname=tostring(hostelements[0])\r\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\r\n| extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\r\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\r\n| project-away hostelements\r\n| lookup Actions on DeviceAction\r\n| project-rename\r\n DstMacAddr=DestinationMACAddress\r\n , SrcMacAddr=SourceMACAddress\r\n , DstIpAddr=DestinationIP\r\n , DstPortNumber=DestinationPort\r\n , DstNatPortNumber=DestinationTranslatedPort\r\n , SrcPortNumber=SourcePort\r\n , SrcIpAddr=SourceIP\r\n , SrcNatPortNumber=SourceTranslatedPort\r\n , DvcOutboundInterface=DeviceOutboundInterface\r\n , DvcInboundInterface=DeviceInboundInterface\r\n , EventMessage=Message\r\n , DvcOriginalAction=DeviceAction\r\n// -- Aliases\r\n| extend\r\nIpAddr = SrcIpAddr,\r\nRule=NetworkRuleName,\r\nDst=DstIpAddr,\r\n// Host=DstHostname, 
\r\nUser=DstUsername,\r\nDuration=NetworkDuration,\r\nSessionId=NetworkSessionId,\r\nEventEndTime =EventStartTime,\r\nSrc=SrcIpAddr\r\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\r\n};\r\nNWParser (disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Palo Alto PanOS.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"956cb456-b35e-55da-b341-ce1e36f7bd03","name":"_ASim_NetworkSession_PaloAltoCEFV07","body":"let Actions=datatable(DeviceAction:string,DvcAction:string)\r\n[ \"reset client\",\"Reset Source\"\r\n, \"reset server\",\"Reset Destination\"\r\n, \"reset both\", \"Reset\"\r\n, \"allow\",\"Allow\"\r\n, \"deny\",\"Deny\"\r\n, \"drop\", \"Drop\"\r\n, \"drop ICMP\", \"Drop ICMP\"\r\n, \"reset-client\",\"Reset Source\"\r\n, \"reset-server\",\"Reset Destination\"\r\n, \"reset-both\", \"Reset\"\r\n, \"drop-icmp\", \"Drop ICMP\"];\r\nlet NWParser=(disabled:bool=false){\r\nCommonSecurityLog | where not(disabled)\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == \"TRAFFIC\"\r\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\r\n // -- Adjustment to support both old and new CSL fields.\r\n| extend \r\n EventStartTime = coalesce(\r\n todatetime(StartTime), \r\n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\r\n datetime(null)\r\n ),\r\n EventOriginalResultDetails = coalesce(\r\n column_ifexists(\"Reason\", 
\"\"),\r\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\r\n \"\"\r\n )\r\n| project-rename \r\n EventProductVersion=DeviceVersion // Not Documented\r\n , Dvc=DeviceName \r\n , NetworkApplicationProtocol=ApplicationProtocol\r\n , SrcZone=DeviceCustomString4 \r\n , DstZone=DeviceCustomString5\r\n , NetworkRuleName=DeviceCustomString1\r\n , SrcUsername=SourceUserName \r\n , DstUsername=DestinationUserName \r\n , EventOriginalSeverity=LogSeverity // not documented\r\n , SrcNatIpAddr=SourceTranslatedAddress\r\n , DstNatIpAddr=DestinationTranslatedAddress\r\n , PaloAltoFlags=FlexString1 // Flags\r\n| extend\r\nEventVendor=\"Palo Alto\"\r\n ,EventProduct=\"PanOS\" // Not Documented\r\n , SrcBytes=tolong(SentBytes)\r\n , DstBytes=tolong(ReceivedBytes) \r\n , NetworkProtocol=toupper(Protocol)\r\n , NetworkBytes=tolong(FlexNumber1)\r\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\r\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\r\n , EventType=\"NetworkSession\"\r\n , EventCount=toint(1)\r\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\r\n // -- Adjustment to support both old and new CSL fields.\r\n , NetworkPackets = coalesce(\r\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\r\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\r\n )\r\n , NetworkSessionId = coalesce(\r\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\r\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\r\n )\r\n , NetworkDuration= coalesce(\r\n toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\r\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\r\n int(null)\r\n )\r\n , EventSchemaVersion=\"0.2.1\"\r\n , EventSchema=\"NetworkSession\"\r\n , EventSeverity = \"Informational\"\r\n| extend hostelements=split(Dvc,'.')\r\n| extend 
DvcHostname=tostring(hostelements[0])\r\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\r\n| extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\r\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\r\n| project-away hostelements\r\n| lookup Actions on DeviceAction\r\n| project-rename\r\n DstMacAddr=DestinationMACAddress\r\n , SrcMacAddr=SourceMACAddress\r\n , DstIpAddr=DestinationIP\r\n , DstPortNumber=DestinationPort\r\n , DstNatPortNumber=DestinationTranslatedPort\r\n , SrcPortNumber=SourcePort\r\n , SrcIpAddr=SourceIP\r\n , SrcNatPortNumber=SourceTranslatedPort\r\n , DvcOutboundInterface=DeviceOutboundInterface\r\n , DvcInboundInterface=DeviceInboundInterface\r\n , EventMessage=Message\r\n , DvcOriginalAction=DeviceAction\r\n// -- Aliases\r\n| extend\r\nIpAddr = SrcIpAddr,\r\nRule=NetworkRuleName,\r\nDst=DstIpAddr,\r\n// Host=DstHostname, \r\nUser=DstUsername,\r\nDuration=NetworkDuration,\r\nSessionId=NetworkSessionId,\r\nEventEndTime =EventStartTime,\r\nSrc=SrcIpAddr\r\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\r\n};\r\nNWParser (disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Palo Alto PanOS.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"67a14dba-d3c4-53fa-be3b-3cbf03e1d79d","name":"_ASim_NetworkSession_PaloAltoCortexDataLakeV01","body":"let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\r\n[\r\n \"0\", \"Low\",\r\n \"1\", \"Low\",\r\n \"2\", \"Low\",\r\n \"3\", \"Low\",\r\n 
\"4\", \"Low\",\r\n \"5\", \"Low\",\r\n \"6\", \"Medium\",\r\n \"7\", \"Medium\",\r\n \"8\", \"Medium\",\r\n \"9\", \"High\",\r\n \"10\", \"High\"\r\n];\r\nlet EventResultDvcActionLookup = datatable (\r\n DeviceAction: string,\r\n DvcAction: string,\r\n EventResult: string\r\n)\r\n [\r\n \"allow\", \"Allow\", \"Success\",\r\n \"deny\", \"Deny\", \"Failure\",\r\n \"reset client\", \"Reset Source\", \"Failure\",\r\n \"reset server\", \"Reset Destination\", \"Failure\",\r\n \"reset both\", \"Reset\", \"Failure\",\r\n \"drop\", \"Drop\", \"Failure\",\r\n \"drop ICMP\", \"Drop ICMP\", \"Failure\",\r\n \"reset-both\", \"Reset\", \"Failure\"\r\n];\r\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)[\r\n \"threat\", \"Reset\",\r\n \"policy-deny\", \"Unknown\",\r\n \"decrypt-cert-validation\", \"Terminated\",\r\n \"decrypt-unsupport-param\", \"Terminated\",\r\n \"decrypt-error\", \"Terminated\",\r\n \"tcp-rst-from-client\", \"Reset\",\r\n \"tcp-rst-from-server\", \"Reset\",\r\n \"resources-unavailable\", \"Unknown\",\r\n \"tcp-fin\", \"Unknown\",\r\n \"tcp-reuse\", \"Unknown\",\r\n \"decoder\", \"Unknown\",\r\n \"aged-out\", \"Unknown\",\r\n \"unknown\", \"Unknown\",\r\n \"n/a\", \"NA\",\r\n];\r\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\r\n [\r\n \"1\", 20,\r\n \"2\", 40,\r\n \"3\", 60,\r\n \"4\", 80,\r\n \"5\", 100\r\n];\r\nlet parser = (disabled: bool=false) {\r\n CommonSecurityLog\r\n | where not(disabled)\r\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\r\n and DeviceEventClassID == \"TRAFFIC\"\r\n | parse-kv AdditionalExtensions as (PanOSSessionStartTime: string, PanOSDestinationDeviceHost: string, PanOSSourceDeviceHost: string, PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSSourceUUID: string, PanOSDestinationDeviceMac: string, PanOsBytes: long, PanOSIsClienttoServer: string, PanOSSourceLocation: string, PanOSSourceDeviceMac: string, 
PanOSPacketsReceived: long, PanOSPacketsSent: long, PanOSRuleUUID: int, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSChunksReceived: string, PanOSChunksSent: string, PanOSChunksTotal: string, PanOSApplicationContainer: string, PanOSDestinationDeviceCategory: string, PanOSLinkChangeCount: string, PanOSLinkSwitches: string, PanOSLogSource: string, PanOSNSSAINetworkSliceDifferentiator: string, PanOSNSSAINetworkSliceType: string, PanOSOutboundInterfaceDetailsPort: string, PanOSOutboundInterfaceDetailsSlot: string, PanOSOutboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsUnit: string, PanOSParentSessionID: string, PanOsRuleUUID: string, PanOSSourceDeviceOS: string, PanOSSourceDeviceOSFamily: string, PanOSSourceDeviceOSVersion: string, PanOSSourceDeviceCategory: string, PanOSVirtualSystemID: string, PanOSVirtualSystemName: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string, PanOSIsSaaSApplication: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\r\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\r\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\r\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\r\n | lookup EventResultDvcActionLookup on DeviceAction\r\n | lookup EventSeverityLookup on LogSeverity\r\n | lookup EventResultDetailsLookup on Reason\r\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\r\n | extend\r\n EventStartTime = todatetime(PanOSSessionStartTime),\r\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\r\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\r\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\r\n NetworkDuration = toint(FieldDeviceCustomNumber3),\r\n DstBytes = tolong(ReceivedBytes),\r\n SrcBytes = tolong(SentBytes),\r\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\r\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\r\n AdditionalFields = bag_pack(\r\n \"urlcategory\",\r\n DeviceCustomString2,\r\n 
\"virtualLocation\",\r\n DeviceCustomString3,\r\n \"PanOSApplicationCategory\",\r\n PanOSApplicationCategory,\r\n \"PanOSApplicationSubcategory\",\r\n PanOSApplicationSubcategory,\r\n \"PanOSChunksReceived\",\r\n PanOSChunksReceived,\r\n \"PanOSChunksSent\",\r\n PanOSChunksSent,\r\n \"PanOSChunksTotal\",\r\n PanOSChunksTotal,\r\n \"PanOSApplicationContainer\",\r\n PanOSApplicationContainer,\r\n \"PanOSDestinationDeviceCategory\",\r\n PanOSDestinationDeviceCategory,\r\n \"PanOSIsClienttoServer\",\r\n PanOSIsClienttoServer,\r\n \"PanOSLinkChangeCount\",\r\n PanOSLinkChangeCount,\r\n \"PanOSLinkSwitches\",\r\n PanOSLinkSwitches,\r\n \"PanOSLogSource\",\r\n PanOSLogSource,\r\n \"PanOSNSSAINetworkSliceDifferentiator\",\r\n PanOSNSSAINetworkSliceDifferentiator,\r\n \"PanOSNSSAINetworkSliceType\",\r\n PanOSNSSAINetworkSliceType,\r\n \"PanOSOutboundInterfaceDetailsPort\",\r\n PanOSOutboundInterfaceDetailsPort,\r\n \"PanOSOutboundInterfaceDetailsSlot\",\r\n PanOSOutboundInterfaceDetailsSlot,\r\n \"PanOSOutboundInterfaceDetailsType\",\r\n PanOSOutboundInterfaceDetailsType,\r\n \"PanOSOutboundInterfaceDetailsUnit\",\r\n PanOSOutboundInterfaceDetailsUnit,\r\n \"PanOSParentSessionID\",\r\n PanOSParentSessionID,\r\n \"PanOsRuleUUID\",\r\n PanOsRuleUUID,\r\n \"PanOSSourceDeviceOS\",\r\n PanOSSourceDeviceOS,\r\n \"PanOSSourceDeviceOSFamily\",\r\n PanOSSourceDeviceOSFamily,\r\n \"PanOSSourceDeviceOSVersion\",\r\n PanOSSourceDeviceOSVersion,\r\n \"PanOSSourceDeviceCategory\",\r\n PanOSSourceDeviceCategory,\r\n \"PanOSVirtualSystemID\",\r\n PanOSVirtualSystemID,\r\n \"PanOSVirtualSystemName\",\r\n PanOSVirtualSystemName\r\n )\r\n | project-rename\r\n DvcIpAddr = Computer,\r\n EventUid = _ItemId,\r\n DstDvcId = PanOSDestinationUUID,\r\n DstGeoCountry = PanOSDestinationLocation,\r\n DstMacAddr = PanOSDestinationDeviceMac,\r\n DstNatIpAddr = DestinationTranslatedAddress,\r\n DstNatPortNumber = DestinationTranslatedPort,\r\n DstPackets = PanOSPacketsReceived,\r\n DstPortNumber = 
DestinationPort,\r\n DstUsername = DestinationUserName,\r\n DvcId = DeviceExternalID,\r\n DvcOriginalAction = DeviceAction,\r\n EventOriginalSeverity = LogSeverity,\r\n DstZone = DeviceCustomString5,\r\n EventOriginalType = DeviceEventClassID,\r\n EventOriginalUid = ExtID,\r\n EventProductVersion = DeviceVersion,\r\n NetworkPackets = FieldDeviceCustomNumber2,\r\n NetworkRuleName = DeviceCustomString1,\r\n SrcDvcId = PanOSSourceUUID,\r\n SrcGeoCountry = PanOSSourceLocation,\r\n SrcMacAddr = PanOSSourceDeviceMac,\r\n SrcNatIpAddr = SourceTranslatedAddress,\r\n SrcNatPortNumber = SourceTranslatedPort,\r\n SrcPackets = PanOSPacketsSent,\r\n SrcPortNumber = SourcePort,\r\n SrcUsername = SourceUserName,\r\n SrcZone = DeviceCustomString4,\r\n DvcScopeId = PanOSCortexDataLakeTenantID,\r\n EventOriginalSubType = Activity,\r\n DstUserId = DestinationUserID,\r\n EventOriginalResultDetails = Reason,\r\n SrcUserId = SourceUserID,\r\n DvcInboundInterface = DeviceInboundInterface,\r\n DvcOutboundInterface = DeviceOutboundInterface,\r\n SrcAppName = ApplicationProtocol,\r\n ThreatOriginalRiskLevel = PanOSApplicationRisk\r\n | extend\r\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\r\n EventEndTime = EventStartTime,\r\n Dst = coalesce(DstDvcId, DstHostname, DstIpAddr),\r\n Src = coalesce(SrcDvcId, SrcHostname, SrcIpAddr),\r\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\r\n NetworkProtocol = toupper(Protocol),\r\n NetworkBytes = SrcBytes + DstBytes,\r\n NetworkProtocolVersion = case(\r\n DstIpAddr contains \".\",\r\n \"IPv4\", \r\n DstIpAddr contains \":\",\r\n \"IPv6\", \r\n \"\"\r\n ),\r\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\r\n Rule = NetworkRuleName,\r\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\r\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\r\n Duration = NetworkDuration,\r\n 
IpAddr = SrcIpAddr,\r\n SessionId = NetworkSessionId,\r\n User = DstUsername,\r\n Hostname = DstHostname,\r\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\r\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\r\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\r\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\r\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\r\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\r\n SrcAppType = case(\r\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\",\r\n \"SaaS Application\",\r\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\",\r\n \"Other\",\r\n \"\"\r\n )\r\n | extend\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion = \"0.2.6\",\r\n EventType = \"NetworkSession\",\r\n EventProduct = \"Cortex Data Lake\",\r\n EventVendor = \"Palo Alto\"\r\n | project-away\r\n Source*,\r\n Destination*,\r\n Device*,\r\n AdditionalExtensions,\r\n CommunicationDirection,\r\n EventOutcome,\r\n PanOS*,\r\n PanOs*,\r\n Protocol,\r\n SimplifiedDeviceAction,\r\n ExternalID,\r\n Message,\r\n EndTime,\r\n FieldDevice*,\r\n Flex*,\r\n File*,\r\n Old*,\r\n MaliciousIP*,\r\n OriginalLogSeverity,\r\n Process*,\r\n ReceivedBytes,\r\n SentBytes,\r\n Remote*,\r\n Request*,\r\n StartTime,\r\n TenantId,\r\n ReportReferenceLink,\r\n ReceiptTime,\r\n Indicator*,\r\n _ResourceId,\r\n ThreatConfidence,\r\n ThreatDescription,\r\n ThreatSeverity\r\n};\r\nparser(disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Palo Alto Cortex Data Lake.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"cf4579e4-8c1d-575b-8deb-3d0d5ee6406a","name":"_ASim_NetworkSession_SentinelOneV01","body":"let NetworkDirectionLookup = datatable (\r\n alertInfo_netEventDirection_s: string, \r\n NetworkDirection: 
string\r\n)[\r\n \"OUTGOING\", \"Outbound\",\r\n \"INCOMING\", \"Inbound\",\r\n];\r\nlet DeviceTypeLookup = datatable (\r\n agentDetectionInfo_machineType_s: string,\r\n SrcDeviceType: string\r\n)\r\n [\r\n \"desktop\", \"Computer\",\r\n \"server\", \"Computer\",\r\n \"laptop\", \"Computer\",\r\n \"kubernetes node\", \"Other\",\r\n \"unknown\", \"Other\"\r\n];\r\nlet ThreatConfidenceLookup_undefined = datatable(\r\n alertInfo_analystVerdict_s: string,\r\n ThreatConfidence_undefined: int\r\n)\r\n [\r\n \"FALSE_POSITIVE\", 5,\r\n \"Undefined\", 15,\r\n \"SUSPICIOUS\", 25,\r\n \"TRUE_POSITIVE\", 33 \r\n];\r\nlet ThreatConfidenceLookup_suspicious = datatable(\r\n alertInfo_analystVerdict_s: string,\r\n ThreatConfidence_suspicious: int\r\n)\r\n [\r\n \"FALSE_POSITIVE\", 40,\r\n \"Undefined\", 50,\r\n \"SUSPICIOUS\", 60,\r\n \"TRUE_POSITIVE\", 67 \r\n];\r\nlet ThreatConfidenceLookup_malicious = datatable(\r\n alertInfo_analystVerdict_s: string,\r\n ThreatConfidence_malicious: int\r\n)\r\n [\r\n \"FALSE_POSITIVE\", 75,\r\n \"Undefined\", 80,\r\n \"SUSPICIOUS\", 90,\r\n \"TRUE_POSITIVE\", 100 \r\n];\r\nlet parser = (disabled: bool=false) {\r\n let alldata = SentinelOne_CL\r\n | where not(disabled) \r\n and event_name_s == \"Alerts.\" \r\n and alertInfo_eventType_s == \"TCPV4\"\r\n | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s\r\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s;\r\n let undefineddata = alldata\r\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\r\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\r\n let suspiciousdata = alldata\r\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\r\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\r\n let maliciousdata = alldata\r\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\r\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\r\n union undefineddata, suspiciousdata, maliciousdata\r\n | invoke 
_ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\r\n | extend \r\n DstPortNumber = toint(alertInfo_dstPort_s),\r\n SrcPortNumber = toint(alertInfo_srcPort_s),\r\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\r\n | project-rename\r\n EventStartTime = sourceProcessInfo_pidStarttime_t,\r\n DstIpAddr = alertInfo_dstIp_s,\r\n EventUid = _ItemId,\r\n SrcIpAddr = alertInfo_srcIp_s,\r\n DvcId = agentDetectionInfo_uuid_g,\r\n DvcOs = agentDetectionInfo_osName_s,\r\n DvcOsVersion = agentDetectionInfo_osRevision_s,\r\n EventOriginalSeverity = ruleInfo_severity_s,\r\n EventOriginalUid = alertInfo_dvEventId_s,\r\n SrcProcessName = sourceProcessInfo_name_s,\r\n SrcProcessId = sourceProcessInfo_pid_s,\r\n SrcUsername = sourceProcessInfo_user_s,\r\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\r\n | extend\r\n EventEndTime = EventStartTime,\r\n Dst = DstIpAddr,\r\n DvcIpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n SrcHostname = DvcHostname,\r\n SrcDvcId = DvcId,\r\n IpAddr = SrcIpAddr,\r\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\r\n SrcDvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\r\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\r\n | extend\r\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),\r\n Hostname = SrcHostname\r\n | extend\r\n EventCount = int(1),\r\n EventProduct = \"SentinelOne\",\r\n EventResult = \"Success\",\r\n DvcAction = \"Allow\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion = \"0.2.6\",\r\n EventResultDetails = \"NA\",\r\n EventType = \"EndpointNetworkSession\",\r\n EventVendor = \"SentinelOne\",\r\n NetworkProtocol = \"TCP\",\r\n NetworkProtocolVersion = \"IPv4\"\r\n | project-away\r\n *_d,\r\n *_s,\r\n *_g,\r\n *_t,\r\n *_b,\r\n _ResourceId,\r\n TenantId,\r\n RawData,\r\n Computer,\r\n MG,\r\n 
ManagementGroupName,\r\n SourceSystem,\r\n ThreatConfidence_*\r\n};\r\nparser(disabled = disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM filtering parser for SentinelOne.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"7e6f7906-9973-5dbb-8483-8dfd15a8c157","name":"_ASim_NetworkSession_SonicWallFirewallV01","body":"let Actions=datatable(fw_action:string,DvcAction:string)\r\n[ \"reset client\",\"Reset Source\"\r\n, \"reset server\",\"Reset Destination\"\r\n, \"reset both\", \"Reset\" \r\n, \"allow\",\"Allow\"\r\n, \"\\\"forward\\\"\",\"Allow\"\r\n, \"\\\"mgmt\\\"\",\"Other\"\r\n, \"\\\"NA\\\"\",\"Other\"\r\n, \"deny\",\"Deny\"\r\n, \"\\\"drop\\\"\", \"Drop\"\r\n, \"drop ICMP\", \"Drop ICMP\"];\r\nlet Parser=(disabled:bool=false){\r\nCommonSecurityLog\r\n| where not(disabled)\r\n| where DeviceVendor == \"SonicWall\"\r\n| where DeviceEventClassID !in (14, 97, 1382, 440, 441, 442, 646, 647, 734, 735)\r\n| parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\r\n| extend\r\n SourceIP = coalesce(SourceIP, srcV6)\r\n , DestinationIP = coalesce(DestinationIP, dstV6)\r\n| where ( isnotempty(SourceIP) and isnotempty(DestinationIP) )\r\n| where gcat in (3, 5, 6, 10) // Include only these event categories.\r\n| lookup Actions on fw_action\r\n// Sets the mandatory EventResult based on the 
DvcAction.\r\n| extend EventResult = case(DvcAction == \"Allow\", \"Success\",\r\n DvcAction == \"Management\", \"NA\",\r\n DvcAction == \"NA\", \"NA\",\r\n DvcAction == \"Other\", \"NA\",\r\n \"Failure\"\r\n )\r\n| extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\r\n LogSeverity == 9, \"Alert (1)\",\r\n LogSeverity == 8, \"Critical (2)\",\r\n LogSeverity == 7, \"Error (3)\",\r\n LogSeverity == 6, \"Warning (4)\",\r\n LogSeverity == 5, \"Notice (5)\",\r\n LogSeverity == 4, \"Info (6)/Debug (7)\",\r\n LogSeverity == 3, \"Not Mapped (3)\",\r\n LogSeverity == 2, \"Not Mapped (2)\",\r\n LogSeverity == 1, \"Not Mapped (1)\",\r\n \"Not Mapped\"\r\n )\r\n| extend EventSeverity = case(tolong(LogSeverity) 8, \"High\"\r\n , \"\"\r\n )\r\n| extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\r\n , DestinationIP has \":\", \"IPv6\"\r\n , \"\"\r\n )\r\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\r\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\r\n , EventOriginalType = DeviceEventClassID\r\n| project-rename\r\n DstMacAddr = DestinationMACAddress\r\n , SrcMacAddr = SourceMACAddress\r\n , DstIpAddr = DestinationIP\r\n , SrcIpAddr = SourceIP\r\n , DstPortNumber = DestinationPort\r\n , SrcPortNumber = SourcePort\r\n , EventMessage = Activity\r\n , sosEventMessageDetail = Message\r\n , EventProductVersion = DeviceVersion\r\n , sosSerialNumber = Computer\r\n , DvcOutboundInterface = DeviceOutboundInterface\r\n , DvcInboundInterface = DeviceInboundInterface\r\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\r\n , sosCFSFullString = Reason // CFS Category ID and Name\r\n , NetworkRuleName = DeviceCustomString1 // Rule ID. 
Identify a policy or rule associated with an event.\r\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\r\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\r\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\r\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\r\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\r\n , sosSourceZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\r\n , sosDestinationZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) on Gen6.\r\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\r\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\r\n , NetworkIcmpType = FieldDeviceCustomNumber1 // ICMP Type\r\n , NetworkIcmpCode = FieldDeviceCustomNumber2 // ICMP Code\r\n , SrcUsername = SourceUserName\r\n , ThreatOriginalConfidence = ThreatConfidence\r\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\r\n gcat == 2, \"Log (2)\",\r\n gcat == 3, \"Security Services (3)\",\r\n gcat == 4, \"Users (4)\",\r\n gcat == 5, \"Firewall Settings (5)\",\r\n gcat == 6, \"Network (6)\",\r\n gcat == 7, \"VPN (7)\",\r\n gcat == 8, \"High Availability (8)\",\r\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\r\n gcat == 10, \"Firewall (10)\",\r\n gcat == 11, \"Wireless (11)\",\r\n gcat == 12, \"VoIP (12)\",\r\n gcat == 13, \"SSL VPN (13)\",\r\n gcat == 14, \"Anti-Spam (14)\",\r\n gcat == 15, \"WAN Acceleration (15)\",\r\n gcat == 16, \"Object (16)\",\r\n gcat == 17, \"SD-WAN (17)\",\r\n gcat == 18, \"Multi-Instance (18)\",\r\n gcat == 19, \"Unified Policy Engine (19)\",\r\n \"Log Category Not Mapped\"\r\n 
)\r\n| extend sosLegacyMessageCategory = case(DeviceEventCategory == 0, \"None (0)\",\r\n DeviceEventCategory == 1, \"System Maintenance (1)\",\r\n DeviceEventCategory == 2, \"System Errors (2)\",\r\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\r\n DeviceEventCategory == 8, \"Blocked Java Etc. (8)\",\r\n DeviceEventCategory == 16, \"User Activity (16)\",\r\n DeviceEventCategory == 32, \"Attacks (32)\",\r\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\r\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\r\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\r\n DeviceEventCategory == 512, \"Network Debug (512)\",\r\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\r\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\r\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\r\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\r\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\r\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\r\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\r\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\r\n DeviceEventCategory == 524288, \"System Environment (524288)\",\r\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\r\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\r\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\r\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\r\n \"Legacy Category Not Mapped\"\r\n )\r\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\r\n ipspri == 2, \"Medium (2)\",\r\n ipspri == 3, \"Low (3)\",\r\n \"\"\r\n )\r\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\r\n spypri == 2, \"Medium (2)\",\r\n spypri == 3, \"Low (3)\",\r\n \"\"\r\n )\r\n| extend\r\n EventVendor = \"SonicWall\"\r\n , EventProduct = \"Firewall\"\r\n , DvcOs = \"SonicOS\"\r\n , DvcOsVersion = 
EventProductVersion\r\n , DvcIdType = \"Other\"\r\n , Dvc = sosSerialNumber\r\n , DvcDescription = DeviceProduct\r\n , ASimMatchingHostname = \"-\"\r\n , ASimMatchingIpAddr = \"-\"\r\n , NetworkIcmpType = tostring(NetworkIcmpType)\r\n , NetworkIcmpCode = toint(NetworkIcmpCode)\r\n , Rule = NetworkRuleName\r\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\r\n , sosIPSFullString = ipscat\r\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\r\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\r\n , FileSize = tolong(coalesce(FileSize, long(null)))\r\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\r\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\r\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\r\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. 
', 1, sosEventMessageDetail)\r\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\r\n , SrcZone = sosSourceZone\r\n , DstZone = sosDestinationZone\r\n , EventOriginalSeverity = LogSeverity\r\n , Dst = DstIpAddr\r\n , Src = SrcIpAddr\r\n , IpAddr = SrcIpAddr\r\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\r\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\r\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\r\n , EventStartTime = TimeGenerated\r\n , EventEndTime = TimeGenerated\r\n , EventType = \"NetworkSession\"\r\n , EventSchemaVersion = \"0.2.6\"\r\n , EventSchema = \"NetworkSession\"\r\n , EventCount = toint(1)\r\n , EventUid = _ItemId\r\n , EventResultDetails = \"NA\"\r\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\r\n| extend\r\n SrcUsername = coalesce(susr, SrcUsername)\r\n , FileName = coalesce(FileName, sosAppControlFileName)\r\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\r\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\r\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\r\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\r\n , SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\r\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\r\n , DstZone == \"MULTICAST\", \"NA\"\r\n , DstZone == \"WAN\", \"Outbound\"\r\n , \"Local\"\r\n )\r\n| extend\r\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\r\n SrcUsername has \"\\\\\", \"Windows\",\r\n SrcUsername has \"@\", \"UPN\",\r\n SrcUsername == \"Unknown (external IP)\", \"\",\r\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\r\n isnotempty(SrcUsername), \"Simple\",\r\n \"\"\r\n )\r\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == 
\"Outbound\", \"SrcIpAddr\"\r\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\r\n , \"\"\r\n )\r\n| extend\r\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\r\n , ThreatField == \"DstIpAddr\", DstIpAddr\r\n , \"\"\r\n )\r\n| extend\r\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\r\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\r\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\r\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\r\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\r\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\r\n| extend\r\n SrcAppType = case(isempty(SrcAppName), \"\"\r\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\r\n , DstAppType = case(isempty(DstAppName), \"\"\r\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\r\n| project-rename\r\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\r\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\r\n| extend\r\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\r\n , NetworkDirection == \"Inbound\", tolong(sosSentPackets)\r\n , tolong(long(null))\r\n )\r\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\r\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\r\n , tolong(long(null))\r\n )\r\n| project-rename\r\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\r\n , sosUser = susr // Logged-in username associated with the log event.\r\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\r\n , sosAppRulePolicyName = 
af_policy // App Rule Policy Name.\r\n , sosAppRuleService = af_service // App Rule Service Name.\r\n , sosAppRuleType = af_type // App Rule Policy Type.\r\n , sosAppRuleObject = af_object // App Rule Object Name.\r\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\r\n , sosAppRuleAction = af_action\r\n , sosSourceIPv6Address = srcV6\r\n , sosDestinationIPv6Address = dstV6\r\n , sosAppFullString = appcat // The full \" -- \" string.\r\n , sosAppIDNumber = app // Numeric Application ID. Not the same as \"ApplicationProtocol\".\r\n , sosAppID = appid // Application ID from App Control\r\n , sosAppCategoryID = catid // Application Category ID\r\n , sosAppSignatureID = sid // Application Signature ID\r\n , sosIPSCategoryName = ipscat // IPS Category Name\r\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\r\n , sosURLPathName = arg // URL. Represents the URL path name.\r\n , sosFileIdentifier = fileid // File hash or URL\r\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. 
Applies only to Connection Closed messages.\r\n , DstNatPortNumber = dnpt\r\n , SrcNatPortNumber = snpt\r\n , sosBladeID = bid // Blade ID\r\n , sosUUID = uuid\r\n , sosFileName = FileName\r\n , DvcOriginalAction = fw_action\r\n| extend\r\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\r\n , ThreatId = coalesce(sosAppSignatureID, \"\")\r\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\r\n , DstNatPortNumber = toint(DstNatPortNumber)\r\n , SrcNatPortNumber = toint(SrcNatPortNumber)\r\n| extend AdditionalFields = bag_pack(\r\n \"AppRulePolicyId\", sosAppRulePolicyId\r\n , \"AppRulePolicyName\", sosAppRulePolicyName\r\n , \"AppRuleService\", sosAppRuleService\r\n , \"AppRuleType\", sosAppRuleType\r\n , \"AppRuleObject\", sosAppRuleObject\r\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\r\n , \"AppRuleAction\", sosAppRuleAction\r\n , \"AppID\", sosAppID\r\n , \"AppCategoryID\", sosAppCategoryID\r\n , \"IPSCategoryName\", sosIPSCategoryName\r\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\r\n , \"FileIdentifier\", sosFileIdentifier\r\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\r\n , \"BladeID\", sosBladeID\r\n , \"UUID\", sosUUID\r\n , \"FileName\", sosFileName\r\n , \"FileSize\", FileSize\r\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\r\n , \"CFSCategoryID\", sosCFSCategoryID\r\n , \"CFSCategoryName\", sosCFSCategoryName\r\n , \"CFSPolicyName\", sosCFSPolicyName\r\n , \"AppControlFileName\", sosAppControlFileName\r\n , \"IPSFullString\", sosIPSFullString\r\n , \"IPSSignatureName\", sosIPSSignatureName\r\n , \"LegacyMessageCategory\", sosLegacyMessageCategory\r\n , \"LogMsgCategory\", sosLogMsgCategory\r\n , \"LogMsgNote\", sosLogMsgNote\r\n , \"LogMsgSeverity\", sosLogMsgSeverity\r\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\r\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\r\n , \"EventMessageDetail\", sosEventMessageDetail\r\n , \"UserSessionType\", 
sosUserSessionType\r\n )\r\n| project-away\r\n DeviceEventCategory\r\n , gcat\r\n , RequestMethod\r\n , ipspri\r\n , spypri\r\n , sos*\r\n , RequestURL\r\n , Protocol\r\n , appName\r\n , AdditionalExtensions\r\n , Flex*\r\n , Indicator*\r\n , Malicious*\r\n , Field*\r\n , DeviceCustom*\r\n , Old*\r\n , File*\r\n , Source*\r\n , Destination*\r\n , Device*\r\n , SimplifiedDeviceAction\r\n , ExternalID\r\n , ExtID\r\n , TenantId\r\n , ProcessName\r\n , ProcessID\r\n , ExtID\r\n , OriginalLogSeverity\r\n , LogSeverity\r\n , EventOutcome\r\n , StartTime\r\n , EndTime\r\n , ReceiptTime\r\n , Remote*\r\n , ThreatDescription\r\n , ThreatSeverity\r\n , RequestContext\r\n , RequestCookies\r\n , CommunicationDirection\r\n , ReportReferenceLink\r\n , ReceivedBytes\r\n , SentBytes\r\n , _ResourceId\r\n , _ItemId\r\n| project-reorder\r\n TimeGenerated\r\n , EventVendor\r\n , EventProduct\r\n , DvcDescription\r\n , Dvc\r\n , DvcOs\r\n , DvcOsVersion\r\n};\r\nParser (disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"Network Session ASIM parser for SonicWall firewalls.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"1631c13d-6a8b-597b-8440-499670ea27a9","name":"_ASim_NetworkSession_VMConnectionV01","body":"let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity:string) [\r\n '', 'Informational', \r\n '0', 'Informational',\r\n '1', 'Low',\r\n '2', 'Medium',\r\n '3', 'High'\r\n];\r\nlet outbound = (disabled:bool=false) {\r\n VMConnection\r\n | where not (disabled)\r\n | where Direction == \"outbound\"\r\n | extend\r\n SrcAppType = \"Process\",\r\n SrcHostnameType = \"Simple\",\r\n DstGeoCountry = RemoteCountry,\r\n DstGeoLongitude = RemoteLongitude,\r\n DstGeoLatitude = RemoteLatitude,\r\n SrcAppId = Process,\r\n SrcAppName = ProcessName,\r\n SrcDvcId = Machine\r\n | extend hostelements = split(Computer,'.')\r\n | extend \r\n SrcHostname = 
tostring(hostelements[0]),\r\n SrcDomain = strcat_array(array_slice(hostelements,1,-1), '.')\r\n | extend\r\n SrcDomainType = iff(SrcDomain != \"\", \"FQDN\", \"\"),\r\n SrcFQDN = iff(SrcDomain != \"\", Computer, \"\")\r\n | extend DstFQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\r\n | extend DstDomainType = iff(DstFQDN != \"\", \"FQDN\", \"\")\r\n | extend hostelements = split(DstFQDN,'.')\r\n | extend \r\n DstHostname = iff(DstFQDN != \"\", tostring(hostelements[0]), \"\"),\r\n DstDomain = iff(DstFQDN != \"\", strcat_array(array_slice(hostelements,1,-1), '.'), \"\")\r\n | project-away hostelements\r\n | extend\r\n RemoteFQDN = DstFQDN,\r\n RemoteHostname = DstHostname,\r\n RemoteDomain = DstDomain,\r\n RemoteDomainType = DstDomainType,\r\n LocalFQDN = SrcFQDN,\r\n LocalHostname = SrcHostname,\r\n LocalDomain = SrcDomain,\r\n LocalDomainType = SrcDomainType,\r\n LocalIpAddr = SourceIp\r\n};\r\nlet inbound = (disabled:bool=false) {\r\n VMConnection\r\n | where not (disabled)\r\n | where Direction == \"inbound\"\r\n | extend\r\n DstAppType = \"Process\",\r\n DstDvcIdType = \"VMConnectionId\",\r\n SrcGeoCountry = RemoteCountry,\r\n SrcGeoLongitude = RemoteLongitude,\r\n SrcGeoLatitude = RemoteLatitude,\r\n DstAppId = Process,\r\n DstAppName = ProcessName,\r\n DstDvcId = Machine\r\n | extend hostelements = split(Computer,'.')\r\n | extend \r\n DstHostname = tostring(hostelements[0]),\r\n DstDomain = strcat_array(array_slice(hostelements,1,-1), '.')\r\n | extend\r\n DstDomainType = iff(DstDomain != \"\", \"FQDN\", \"\"),\r\n DstFQDN = iff(DstDomain != \"\", Computer, \"\")\r\n | extend SrcFQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\r\n | extend SrcDomainType = iff(SrcFQDN != \"\", \"FQDN\", \"\")\r\n | extend hostelements = split(SrcFQDN,'.')\r\n | extend \r\n SrcHostname = iff(SrcFQDN != \"\", tostring(hostelements[0]), \"\"),\r\n SrcDomain = iff(SrcFQDN != \"\", 
strcat_array(array_slice(hostelements,1,-1), '.'), \"\")\r\n | project-away hostelements\r\n | extend\r\n RemoteFQDN = SrcFQDN,\r\n RemoteHostname = SrcHostname,\r\n RemoteDomain = SrcDomain,\r\n RemoteDomainType = SrcDomainType,\r\n LocalFQDN = DstFQDN,\r\n LocalHostname = DstHostname,\r\n LocalDomain = DstDomain,\r\n LocalDomainType = DstDomainType,\r\n LocalIpAddr = DestinationIp\r\n};\r\nlet parser=(disabled:bool=false){\r\n union outbound(disabled), inbound(disabled)\r\n // Event fields\r\n | extend \r\n EventCount = toint(LinksEstablished), // -- prioritized over LinksLive and LinksTerminated\r\n EventStartTime = TimeGenerated,\r\n EventVendor = \"Microsoft\",\r\n EventProduct = \"VMConnection\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion = \"0.2.2\",\r\n EventType = \"EndpointNetworkSession\",\r\n EventEndTime = TimeGenerated\r\n | project-rename\r\n DstIpAddr = DestinationIp,\r\n DstPortNumber = DestinationPort, \r\n SrcIpAddr = SourceIp, \r\n NetworkSessionId = ConnectionId,\r\n ThreatName = IndicatorThreatType,\r\n NetworkDirection = Direction,\r\n RemoteGeoCountry = RemoteCountry,\r\n RemoteGeoLatitude = RemoteLatitude, \r\n RemoteGeoLongitude = RemoteLongitude,\r\n LocalAppId = Process,\r\n LocalAppName = ProcessName,\r\n DvcId = Machine,\r\n RemoteIpAddr = RemoteIp\r\n // -- Calculated fields\r\n | extend EventOriginalSeverity = tostring(Severity)\r\n | lookup SeverityLookup on EventOriginalSeverity\r\n | extend\r\n EventResult = \"Success\",\r\n LocalAppType = \"Process\",\r\n NetworkDuration = toint(ResponseTimeMax),\r\n ThreatRiskLevel = toint(Confidence),\r\n NetworkProtocol = toupper(Protocol),\r\n SrcBytes = tolong(BytesSent),\r\n DstBytes = tolong(BytesReceived)\r\n // -- Aliases\r\n | extend\r\n IpAddr = RemoteIpAddr,\r\n Src = SrcIpAddr,\r\n Local = LocalIpAddr,\r\n DvcIpAddr = LocalIpAddr,\r\n Dst = DstIpAddr,\r\n Remote = RemoteIpAddr,\r\n Dvc = LocalHostname,\r\n DvcHostname = LocalHostname,\r\n DvcDomain = 
LocalDomain,\r\n DvcDomainType = LocalDomainType,\r\n DvcFQDN = LocalFQDN,\r\n Hostname = RemoteHostname,\r\n Duration = NetworkDuration,\r\n SessionId = NetworkSessionId\r\n};\r\nparser (disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for VM connection information collected using the Log Analytics agent.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"4748f1b3-6d39-5d11-a600-bf03380b3238","name":"_ASim_NetworkSession_VMConnectionV02","body":"let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity:string) [\r\n '', 'Informational', \r\n '0', 'Informational',\r\n '1', 'Low',\r\n '2', 'Medium',\r\n '3', 'High'\r\n];\r\nlet VMConnectionProjected = VMConnection | project-away AdditionalInformation, AgentId, TenantId, TLPLevel, SourceSystem, IsActive, *ReportedDateTime, LinksFailed, LinksLive, LinksTerminated, Description, Responses, ResponseTimeMin, ResponseTimeMax, RemoteClassification, RemoteDnsQuestions;\r\nlet outbound = (disabled:bool=false) {\r\n VMConnectionProjected\r\n | where not (disabled)\r\n | where Direction == \"outbound\"\r\n | extend\r\n SrcAppType = \"Process\",\r\n SrcDvcIdType = \"VMConnectionId\",\r\n SrcHostnameType = \"Simple\",\r\n DstGeoCountry = RemoteCountry,\r\n DstGeoLongitude = RemoteLongitude,\r\n DstGeoLatitude = RemoteLatitude,\r\n SrcAppId = Process,\r\n SrcAppName = ProcessName,\r\n SrcDvcId = Machine,\r\n ThreatField = iff (MaliciousIp != \"\", \"DstIpAddr\", \"\")\r\n | invoke _ASIM_ResolveSrcFQDN (\"Computer\")\r\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\r\n | invoke _ASIM_ResolveDstFQDN(\"FQDN\")\r\n | project-away Computer, RemoteDnsCanonicalNames\r\n | extend\r\n RemoteFQDN = DstFQDN,\r\n RemoteHostname = DstHostname,\r\n RemoteDomain = DstDomain,\r\n RemoteDomainType = DstDomainType,\r\n LocalFQDN = SrcFQDN,\r\n LocalHostname = 
SrcHostname,\r\n LocalDomain = SrcDomain,\r\n LocalDomainType = SrcDomainType,\r\n LocalIpAddr = SourceIp\r\n};\r\nlet inbound = (disabled:bool=false) {\r\n VMConnectionProjected\r\n | where not (disabled)\r\n | where Direction == \"inbound\"\r\n | extend\r\n DstAppType = \"Process\",\r\n DstDvcIdType = \"VMConnectionId\",\r\n SrcGeoCountry = RemoteCountry,\r\n SrcGeoLongitude = RemoteLongitude,\r\n SrcGeoLatitude = RemoteLatitude,\r\n DstAppId = Process,\r\n DstAppName = ProcessName,\r\n DstDvcId = Machine,\r\n ThreatField = iff (MaliciousIp != \"\", \"SrcIpAddr\", \"\")\r\n | invoke _ASIM_ResolveDstFQDN (\"Computer\")\r\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\r\n | invoke _ASIM_ResolveSrcFQDN(\"FQDN\")\r\n | project-away Computer, RemoteDnsCanonicalNames\r\n | extend\r\n RemoteFQDN = SrcFQDN,\r\n RemoteHostname = SrcHostname,\r\n RemoteDomain = SrcDomain,\r\n RemoteDomainType = SrcDomainType,\r\n LocalFQDN = DstFQDN,\r\n LocalHostname = DstHostname,\r\n LocalDomain = DstDomain,\r\n LocalDomainType = DstDomainType,\r\n LocalIpAddr = DestinationIp\r\n};\r\nlet parser=(disabled:bool=false){\r\n union outbound(disabled), inbound(disabled)\r\n // Event fields\r\n | extend \r\n EventCount = toint(LinksEstablished), // -- prioritized over LinksLive and LinksTerminated\r\n EventStartTime = TimeGenerated,\r\n EventVendor = \"Microsoft\",\r\n EventProduct = \"VMConnection\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion = \"0.2.2\",\r\n EventType = \"EndpointNetworkSession\",\r\n DvcIdType = \"VMConnectionId\",\r\n NetworkDirection = iff(Direction==\"inbound\", \"Inbound\", \"Outbound\"),\r\n EventEndTime = TimeGenerated\r\n | project-rename\r\n DstIpAddr = DestinationIp,\r\n DstPortNumber = DestinationPort, \r\n SrcIpAddr = SourceIp, \r\n NetworkSessionId = ConnectionId,\r\n ThreatName = IndicatorThreatType,\r\n RemoteGeoCountry = RemoteCountry,\r\n RemoteGeoLatitude = RemoteLatitude, \r\n 
RemoteGeoLongitude = RemoteLongitude,\r\n LocalAppId = Process,\r\n LocalAppName = ProcessName,\r\n DvcId = Machine,\r\n RemoteIpAddr = RemoteIp,\r\n EventReportUrl = ReportReferenceLink,\r\n ThreatIpAddr = MaliciousIp\r\n // -- Calculated fields\r\n | extend EventOriginalSeverity = tostring(Severity)\r\n | lookup SeverityLookup on EventOriginalSeverity\r\n | extend\r\n EventResult = \"Success\",\r\n LocalAppType = \"Process\",\r\n NetworkDuration = toint(ResponseTimeSum/LinksEstablished) ,\r\n ThreatRiskLevel = toint(Confidence),\r\n NetworkProtocol = toupper(Protocol),\r\n SrcBytes = tolong(BytesSent),\r\n DstBytes = tolong(BytesReceived)\r\n | project-away BytesSent, BytesReceived, Confidence, ResponseTimeSum, Protocol, Direction, Severity, LinksEstablished\r\n // -- Aliases\r\n | extend\r\n IpAddr = RemoteIpAddr,\r\n Src = SrcIpAddr,\r\n Local = LocalIpAddr,\r\n DvcIpAddr = LocalIpAddr,\r\n Dst = DstIpAddr,\r\n Remote = RemoteIpAddr,\r\n Dvc = LocalHostname,\r\n DvcHostname = LocalHostname,\r\n DvcDomain = LocalDomain,\r\n DvcDomainType = LocalDomainType,\r\n DvcFQDN = LocalFQDN,\r\n Hostname = RemoteHostname,\r\n Duration = NetworkDuration,\r\n SessionId = NetworkSessionId\r\n};\r\nparser (disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for VM connection information collected using the Log Analytics agent.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"c8497248-ea1a-5d15-a5fe-92b4bcec0b24","name":"_ASim_NetworkSession_VMwareCarbonBlackCloudV01","body":"let NetworkProtocolLookup = datatable (netconn_protocol_s: string, NetworkProtocol: string)\r\n [\r\n \"PROTO_TCP\", \"TCP\",\r\n \"PROTO_UDP\", \"UDP\"\r\n ];\r\n let DvcActionLookup = datatable (sensor_action_s: string, DvcAction: string)\r\n [\r\n \"ACTION_ALLOW\", \"Allow\",\r\n \"ACTION_SUSPEND\", \"Drop\",\r\n \"ACTION_TERMINATE\", \"Drop\",\r\n \"ACTION_BREAK\", \"Drop\",\r\n 
\"ACTION_BLOCK\", \"Deny\"\r\n ];\r\n let EventSeverityLookup = datatable (DvcAction: string, EventSeverity: string)\r\n [\r\n \"Allow\", \"Informational\",\r\n \"Drop\", \"Low\",\r\n \"Deny\", \"Low\"\r\n ];\r\n let ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\r\n [\r\n \"1\", 10,\r\n \"2\", 20,\r\n \"3\", 30,\r\n \"4\", 40,\r\n \"5\", 50,\r\n \"6\", 60,\r\n \"7\", 70,\r\n \"8\", 80,\r\n \"9\", 90,\r\n \"10\", 100\r\n ];\r\n let parser=(disabled: bool=false) {\r\n let CarbonBlackEventsSchema = datatable ( \r\n eventType_s: string,\r\n netconn_protocol_s: string,\r\n sensor_action_s: string,\r\n alert_id_g: string,\r\n device_name_s: string,\r\n action_s: string,\r\n createTime_s: string,\r\n netconn_domain_s: string,\r\n remote_ip_s: string,\r\n netconn_inbound_b: bool,\r\n process_guid_s: string,\r\n remote_port_d: real,\r\n local_port_d: real,\r\n process_pid_d: real,\r\n device_external_ip_s: string,\r\n local_ip_s: string,\r\n device_id_s: string,\r\n device_os_s: string,\r\n event_description_s: string,\r\n event_id_g: string,\r\n event_origin_s: string,\r\n process_path_s: string,\r\n process_username_s: string,\r\n org_key_s: string,\r\n )[];\r\n let CarbonBlackNotificationsSchema = datatable (\r\n type_s: string,\r\n threatInfo_incidentId_g: string,\r\n threatInfo_score_d: real,\r\n threatInfo_summary_s: string,\r\n threatInfo_time_d: real,\r\n threatInfo_threatCause_threatCategory_s: string,\r\n threatInfo_threatCause_causeEventId_g: string,\r\n ruleName_s: string,\r\n deviceInfo_deviceVersion_s: string,\r\n threatInfo_threatCause_originSourceType_s: string,\r\n threatInfo_threatCause_reputation_s: string,\r\n threatInfo_threatCause_reason_s: string,\r\n id_g: string,\r\n primary_event_id_g: string,\r\n threat_id_g: string\r\n )[];\r\n let alldata = union (CarbonBlackEventsSchema), (CarbonBlackEvents_CL)\r\n | where not(disabled)\r\n | where eventType_s == \"endpoint.event.netconn\"\r\n | lookup 
NetworkProtocolLookup on netconn_protocol_s\r\n | lookup DvcActionLookup on sensor_action_s\r\n | lookup EventSeverityLookup on DvcAction;\r\n let alldatawiththreat = alldata \r\n | where isnotempty(alert_id_g)\r\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\r\n | where type_s == \"THREAT\"\r\n | project\r\n threatInfo_incidentId_g,\r\n threatInfo_score_d,\r\n threatInfo_summary_s,\r\n threatInfo_time_d,\r\n threatInfo_threatCause_threatCategory_s,\r\n threatInfo_threatCause_causeEventId_g,\r\n ruleName_s,\r\n deviceInfo_deviceVersion_s,\r\n threatInfo_threatCause_originSourceType_s,\r\n threatInfo_threatCause_reputation_s,\r\n threatInfo_threatCause_reason_s)\r\n on $left.alert_id_g == $right.threatInfo_incidentId_g\r\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\r\n | where type_s == \"CB_ANALYTICS\"\r\n | project\r\n id_g,\r\n deviceInfo_deviceVersion_s,\r\n threat_id_g,\r\n threatInfo_score_d,\r\n threatInfo_summary_s,\r\n threatInfo_threatCause_reason_s)\r\n on $left.alert_id_g == $right.id_g\r\n | extend \r\n ThreatCategory = threatInfo_threatCause_threatCategory_s,\r\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\r\n RuleName = ruleName_s,\r\n AdditionalFields_threat = bag_pack(\r\n \"threatInfo_threatCause_reason\",\r\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\r\n \"threatInfo_threatCause_reputation\",\r\n threatInfo_threatCause_reputation_s,\r\n \"threatInfo_threatCause_originSourceType\",\r\n threatInfo_threatCause_originSourceType_s,\r\n \"threatInfo_summary\",\r\n coalesce(threatInfo_summary_s, threatInfo_summary_s1)\r\n ),\r\n ThreatId = threat_id_g,\r\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\r\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\r\n | lookup ThreatConfidenceLookup on 
ThreatOriginalConfidence;\r\n let alldatawithoutthreat = alldata\r\n | where isempty(alert_id_g);\r\n union alldatawiththreat, alldatawithoutthreat\r\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\r\n | extend temp_action = tostring(split(action_s, \"|\")[0])\r\n | extend\r\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\r\n SrcDomain = case(\r\n netconn_domain_s == remote_ip_s or netconn_domain_s has \":\" or netconn_domain_s !has \".\",\r\n \"\",\r\n netconn_inbound_b,\r\n netconn_domain_s,\r\n \"\"\r\n ),\r\n AdditionalFields_Common = bag_pack(\r\n \"Process Guid\",\r\n process_guid_s\r\n ),\r\n DstPortNumber = toint(remote_port_d),\r\n NetworkDirection = case(\r\n temp_action == \"ACTION_CONNECTION_LISTEN\",\r\n \"Listen\",\r\n netconn_inbound_b == true,\r\n \"Inbound\",\r\n \"Unknown\"\r\n ),\r\n SrcPortNumber = toint(local_port_d),\r\n SrcProcessId = tostring(toint(process_pid_d))\r\n | project-rename\r\n DstIpAddr = remote_ip_s,\r\n DvcIpAddr = device_external_ip_s,\r\n EventUid = _ItemId,\r\n SrcIpAddr = local_ip_s,\r\n DvcId = device_id_s,\r\n DvcOriginalAction = sensor_action_s,\r\n DvcOs = device_os_s,\r\n EventMessage = event_description_s,\r\n EventOriginalType = action_s,\r\n EventOriginalUid = event_id_g,\r\n EventOwner = event_origin_s,\r\n SrcProcessName = process_path_s,\r\n SrcUsername = process_username_s,\r\n DvcScopeId = org_key_s\r\n | extend\r\n EventCount = int(1),\r\n EventProduct = \"Carbon Black Cloud\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion = \"0.2.6\",\r\n EventType = \"EndpointNetworkSession\",\r\n EventVendor = \"VMware\",\r\n SrcHostname = SrcIpAddr,\r\n DstHostname = iff(NetworkDirection == \"Inbound\", coalesce(DvcHostname, DstIpAddr), DstIpAddr),\r\n EventResult = case(\r\n temp_action == \"ACTION_CONNECTION_CREATE_FAILED\",\r\n \"Failure\",\r\n DvcOriginalAction == \"ACTION_ALLOW\" or isempty(DvcOriginalAction),\r\n \"Success\",\r\n \"Failure\"\r\n ),\r\n NetworkProtocolVersion = case(\r\n 
DstIpAddr contains \".\",\r\n \"IPv4\", \r\n DstIpAddr contains \":\",\r\n \"IPv6\", \r\n \"\"\r\n )\r\n | extend\r\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\r\n EventEndTime = EventStartTime,\r\n Dst = coalesce(DstHostname, DstIpAddr),\r\n Src = coalesce(SrcHostname, SrcIpAddr),\r\n IpAddr = SrcIpAddr,\r\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\r\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\r\n SrcDomainType = iff(isnotempty(SrcDomain), \"FQDN\", \"\"),\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common),\r\n SrcAppName = SrcProcessName,\r\n SrcAppId = SrcProcessId,\r\n SrcAppType = \"Process\",\r\n Hostname = DstHostname\r\n | project-away\r\n *_d,\r\n *_s,\r\n *_g,\r\n *_b,\r\n temp_action,\r\n _ResourceId,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId,\r\n AdditionalFields_*\r\n };\r\n parser(disabled = disabled)","parameters":"disabled:bool = false","description":"NetworkSession ASIM Parser for VMware Carbon Black Cloud.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"5045a3bb-5eb2-5bd1-82d1-d441e2483389","name":"_ASim_NetworkSession_VectraAIV01","body":"let parser = (disabled:bool=false) \r\n{\r\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)[\r\n false, true, 'Inbound',\r\n true, false, 'Outbound',\r\n true, true, 'Local',\r\n false, false, 'External'];\r\n let EventSubTypeLookup = datatable(conn_state_s:string, EventSubType:string)[\r\n \"S1\", 'Start',\r\n \"SF\", 'End'];\r\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\r\n VectraStream_CL\r\n | where metadata_type_s == 'metadata_isession'\r\n | project-rename\r\n DstIpAddr = id_resp_h_s,\r\n DvcDescription = hostname_s,\r\n DstDescription = resp_hostname_s,\r\n SrcDescription = orig_hostname_s,\r\n // -- 
huid does not appear to be unique per device, so it is not mapped for now\r\n // DstDvcId = resp_huid_s, \r\n // SrcDvcId = orig_huid_s,\r\n DvcId = sensor_uid_s,\r\n // -- community id is only a hash of the addresses and ports, so it is not unique per session\r\n // NetworkSessionId = community_id_s,\r\n SrcIpAddr = id_orig_h_s\r\n // -- the resp_domain_s field may contain invalid values. Most are IPv4 literals, which the ipv4_is_match check below blanks out; values that are not IPv4 literals (for example IPv6 addresses) pass through and end up in DstHostname.\r\n | extend resp_domain_s = iff (ipv4_is_match(resp_domain_s, \"0.0.0.0\",0), \"\", resp_domain_s)\r\n | extend SplitRespDomain = split(resp_domain_s,\".\")\r\n | extend \r\n DstDomain = tostring(strcat_array(array_slice(SplitRespDomain, 1, -1), '.')),\r\n DstFQDN = iif (array_length(SplitRespDomain) > 1, resp_domain_s, ''),\r\n DstDomainType = iif (array_length(SplitRespDomain) > 1, 'FQDN', '')\r\n | extend\r\n DstHostname = case (\r\n resp_domain_s != \"\", tostring(SplitRespDomain[0]),\r\n DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\",\r\n DstDescription)\r\n | project-away SplitRespDomain\r\n | extend\r\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\r\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\r\n NetworkApplicationProtocol = toupper(service_s),\r\n NetworkProtocol = toupper(protoName_s),\r\n NetworkProtocolVersion = toupper(id_ip_ver_s),\r\n Dst = DstIpAddr,\r\n DstBytes = tolong(resp_ip_bytes_d),\r\n DstPackets = tolong(resp_pkts_d),\r\n DstPortNumber = toint(id_resp_p_d),\r\n DstVlanId = tostring(toint(resp_vlan_id_d)),\r\n EventCount = toint(1),\r\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\r\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\r\n EventProduct = 'Vectra Stream',\r\n EventResult = 'Success',\r\n EventSchema = 'NetworkSession',\r\n 
EventSchemaVersion='0.2.2',\r\n EventSeverity = 'Informational',\r\n EventStartTime = unixtime_milliseconds_todatetime(session_start_time_d),\r\n EventType = 'NetworkSession',\r\n EventVendor = 'Vectra AI',\r\n SrcBytes = tolong(orig_ip_bytes_d),\r\n SrcPackets = tolong(orig_pkts_d),\r\n SrcPortNumber = toint(id_orig_p_d),\r\n SrcVlanId = tostring(toint(orig_vlan_id_d)),\r\n // -- No ID mapped, since huid found not to be unique\r\n // SrcDvcIdType = 'VectraId',\r\n // DstDvcIdType = 'VectraId',\r\n DvcIdType = 'VectraId',\r\n NetworkDuration = toint(duration_d)\r\n | extend \r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr,\r\n // SessionId = NetworkSessionId,\r\n Src = SrcIpAddr,\r\n Dvc = DvcId,\r\n Duration = NetworkDuration,\r\n InnerVlanId = SrcVlanId,\r\n NetworkBytes = SrcBytes + DstBytes,\r\n NetworkPackets = SrcPackets + DstPackets,\r\n OuterVlanId = DstVlanId\r\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\r\n | lookup EventSubTypeLookup on conn_state_s\r\n // -- preserving non-normalized important fields\r\n | project-rename \r\n first_orig_resp_data_pkt = first_orig_resp_data_pkt_s,\r\n first_resp_orig_data_pkt = first_resp_orig_data_pkt_s,\r\n orig_sluid = orig_sluid_s, \r\n resp_sluid = resp_sluid_s,\r\n orig_huid = orig_huid_s,\r\n resp_huid = resp_huid_s,\r\n community_id = community_id_s,\r\n resp_multihome = resp_multihomed_b,\r\n host_multihomed = host_multihomed_b\r\n | extend\r\n first_orig_resp_data_pkt_time = unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\r\n first_orig_resp_pkt_time = unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\r\n first_resp_orig_data_pkt_time = unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\r\n first_resp_orig_pkt_time = unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\r\n | project-away\r\n *_d, *_s, *_b, *_g, Computer\r\n};\r\nparser (disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for 
Vectra AI Streams.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"8e1ce13e-2ccf-5987-98a5-a8bcd674a6e4","name":"_ASim_NetworkSession_VectraAIV02","body":"let parser = (disabled:bool=false, pack:bool=false) \r\n{\r\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)[\r\n false, true, 'Inbound',\r\n true, false, 'Outbound',\r\n true, true, 'Local',\r\n false, false, 'External'];\r\n let EventSubTypeLookup = datatable(conn_state_s:string, EventSubType:string)[\r\n \"S1\", 'Start',\r\n \"SF\", 'End'];\r\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\r\n VectraStream_CL\r\n | where metadata_type_s == 'metadata_isession'\r\n | project-away MG, ManagementGroupName, RawData, SourceSystem, TenantId\r\n | project-rename\r\n DstIpAddr = id_resp_h_s,\r\n DvcDescription = hostname_s,\r\n DstDescription = resp_hostname_s,\r\n SrcDescription = orig_hostname_s,\r\n // -- huid does not appear to be unique per device, so it is not mapped for now\r\n // DstDvcId = resp_huid_s, \r\n // SrcDvcId = orig_huid_s,\r\n DvcId = sensor_uid_s,\r\n // -- community id is only a hash of the addresses and ports, so it is not unique per session\r\n // NetworkSessionId = community_id_s,\r\n SrcIpAddr = id_orig_h_s,\r\n EventUid = _ItemId\r\n // -- the domain field may have invalid values. 
Most of them are IP addresses filtered out, but a small fraction are not filtered.\r\n | extend resp_domain_s = iff (ipv4_is_match(resp_domain_s, \"0.0.0.0\",0), \"\", resp_domain_s)\r\n | extend SplitRespDomain = split(resp_domain_s,\".\")\r\n | extend \r\n DstDomain = tostring(strcat_array(array_slice(SplitRespDomain, 1, -1), '.')),\r\n DstFQDN = iif (array_length(SplitRespDomain) > 1, resp_domain_s, ''),\r\n DstDomainType = iif (array_length(SplitRespDomain) > 1, 'FQDN', '')\r\n | extend\r\n DstHostname = case (\r\n resp_domain_s != \"\", tostring(SplitRespDomain[0]),\r\n DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\",\r\n DstDescription)\r\n | project-away SplitRespDomain\r\n | extend\r\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\r\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\r\n NetworkApplicationProtocol = toupper(service_s),\r\n NetworkProtocol = toupper(protoName_s),\r\n NetworkProtocolVersion = toupper(id_ip_ver_s),\r\n Dst = DstIpAddr,\r\n DstBytes = tolong(resp_ip_bytes_d),\r\n DstPackets = tolong(resp_pkts_d),\r\n DstPortNumber = toint(id_resp_p_d),\r\n DstVlanId = tostring(toint(resp_vlan_id_d)),\r\n EventCount = toint(1),\r\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\r\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\r\n EventProduct = 'Vectra Stream',\r\n EventResult = 'Success',\r\n EventSchema = 'NetworkSession',\r\n EventSchemaVersion='0.2.2',\r\n EventSeverity = 'Informational',\r\n EventStartTime = unixtime_milliseconds_todatetime(session_start_time_d),\r\n EventType = 'NetworkSession',\r\n EventVendor = 'Vectra AI',\r\n SrcBytes = tolong(orig_ip_bytes_d),\r\n SrcPackets = tolong(orig_pkts_d),\r\n SrcPortNumber = toint(id_orig_p_d),\r\n SrcVlanId = tostring(toint(orig_vlan_id_d)),\r\n // -- No ID mapped, 
since huid found not to be unique\r\n // SrcDvcIdType = 'VectraId',\r\n // DstDvcIdType = 'VectraId',\r\n DvcIdType = 'VectraId',\r\n NetworkDuration = toint(duration_d)\r\n | extend \r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr,\r\n // SessionId = NetworkSessionId,\r\n Src = SrcIpAddr,\r\n Dvc = DvcId,\r\n Duration = NetworkDuration,\r\n InnerVlanId = SrcVlanId,\r\n NetworkBytes = SrcBytes + DstBytes,\r\n NetworkPackets = SrcPackets + DstPackets,\r\n OuterVlanId = DstVlanId\r\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\r\n | lookup EventSubTypeLookup on conn_state_s\r\n // -- preserving non-normalized important fields\r\n | extend AdditionalFields = iff (\r\n pack, \r\n bag_pack (\r\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\r\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\r\n \"orig_sluid\", orig_sluid_s, \r\n \"resp_sluid\", resp_sluid_s,\r\n \"orig_huid\", orig_huid_s,\r\n \"resp_huid\", resp_huid_s,\r\n \"community_id\", community_id_s,\r\n \"resp_multihome\", resp_multihomed_b,\r\n \"host_multihomed\", host_multihomed_b,\r\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\r\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\r\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\r\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\r\n ),\r\n dynamic([])\r\n )\r\n | project-away\r\n *_d, *_s, *_b, *_g, Computer\r\n};\r\nparser (disabled=disabled, pack=pack)","parameters":"disabled:bool = false, pack:bool = false","description":"Network Session ASIM parser for Vectra AI Streams.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"7879fedd-58f2-5d1f-bfbe-30175f1214bb","name":"_ASim_NetworkSession_WatchGuardFirewareOSV01","body":"let 
Parser=(disabled:bool=false){\r\n let EventLookup=datatable(DvcAction:string,EventResult:string,EventSeverity:string)\r\n [\r\n \"Allow\",\"Success\",\"Informational\"\r\n , \"Deny\",\"Failure\",\"Low\"\r\n ];\r\n let SyslogParser = (T:(SyslogMessage:string)) {\r\n T\r\n | parse-kv SyslogMessage as (geo_src:string\r\n , geo_dst:string\r\n , src_user:string\r\n , dst_user:string\r\n , duration:int\r\n , sent_bytes:long\r\n , rcvd_bytes:long\r\n , fqdn_src_match:string\r\n , fqdn_dst_match:string) with (pair_delimiter=' ', kv_delimiter='=', quote='\"')\r\n | project-rename SrcGeoCountry = geo_src\r\n , DstGeoCountry = geo_dst\r\n , SrcUsername = src_user\r\n , DstUsername = dst_user\r\n , NetworkDuration = duration\r\n , SrcBytes = sent_bytes\r\n , DstBytes = rcvd_bytes\r\n , DstDomain = fqdn_dst_match\r\n , SrcDomain = fqdn_src_match\r\n | extend DvcAction = extract(@'\" (Allow|Deny) ', 1, SyslogMessage)\r\n | lookup EventLookup on DvcAction\r\n | extend DstDomainType = iif(isnotempty(DstDomain),\"FQDN\",\"\")\r\n | extend SrcDomainType = iif(isnotempty(SrcDomain),\"FQDN\",\"\")\r\n | extend NetworkProtocol = extract(@\" (tcp|udp|icmp|igmp) \", 1, SyslogMessage)\r\n | extend SrcUsernameType = case(isempty(SrcUsername), \"\"\r\n , countof(SrcUsername, \"@\") == 1, \"UPN\"\r\n , \"Simple\"\r\n )\r\n | extend DstUsernameType = case(isempty(DstUsername), \"\"\r\n , countof(DstUsername, \"@\") == 1, \"UPN\"\r\n , \"Simple\"\r\n )\r\n | parse SyslogMessage with * \"repeated \" EventCount:int \" times\" *\r\n | extend EventCount = iif(isnotempty(EventCount), EventCount, toint(1))\r\n | project-away SyslogMessage\r\n };\r\n let AllSyslog = \r\n Syslog\r\n | where not(disabled)\r\n | where SyslogMessage has_any('msg_id=\"3000-0148\"' \r\n , 'msg_id=\"3000-0149\"' \r\n , 'msg_id=\"3000-0150\"'\r\n , 'msg_id=\"3000-0151\"'\r\n , 'msg_id=\"3000-0173\"'\r\n ) and SyslogMessage !has 'msg=\"DNS Forwarding\" '\r\n | project TimeGenerated, SyslogMessage, HostName\r\n ;\r\n let 
Parse1 = \r\n AllSyslog\r\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage !has \"3000-0151\"\r\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} (tcp|udp) \\d{2,5} \\d{2,5} \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\r\n | invoke SyslogParser()\r\n ;\r\n let Parse2 = \r\n AllSyslog\r\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage has \"3000-0151\"\r\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" (tcp|udp) \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\r\n | invoke SyslogParser()\r\n ;\r\n let Parse3 = \r\n AllSyslog\r\n | where SyslogMessage has \"icmp\" and SyslogMessage !has \"3000-0151\"\r\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} icmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \r\n | invoke SyslogParser()\r\n ;\r\n let Parse4 = \r\n AllSyslog\r\n | where SyslogMessage has \"icmp\" and SyslogMessage has \"3000-0151\"\r\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" icmp \" SrcIpAddr \" \" DstIpAddr \" \" * \r\n | invoke SyslogParser()\r\n ;\r\n let Parse5 = \r\n AllSyslog\r\n | where SyslogMessage has \"igmp\" and SyslogMessage !has \"3000-0151\"\r\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} igmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \r\n | invoke SyslogParser()\r\n ;\r\n union isfuzzy=false Parse1, Parse2, Parse3, Parse4, Parse5\r\n | extend EventSchema = \"NetworkSession\"\r\n , EventSchemaVersion = \"0.2.4\"\r\n , EventVendor = \"WatchGuard\"\r\n , EventProduct = \"Fireware\"\r\n , EventType = \"NetworkSession\"\r\n , DvcHostname = HostName\r\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\r\n , DstIpAddr contains \":\", \"IPv6\"\r\n , 
\"\")\r\n , NetworkProtocol = toupper(NetworkProtocol)\r\n , NetworkDuration = toint(NetworkDuration * toint(1000))\r\n , NetworkBytes = SrcBytes + DstBytes\r\n , EventEndTime = TimeGenerated\r\n , EventStartTime = TimeGenerated\r\n , Src = SrcIpAddr\r\n , Dst = DstIpAddr\r\n , Duration = NetworkDuration\r\n , User = DstUsername\r\n , IpAddr = SrcIpAddr\r\n | project-rename Dvc = HostName\r\n};\r\nParser (disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for WatchGuard Fireware OS.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"8042fcb0-0832-5410-b5f0-07f88ffe1542","name":"_ASim_NetworkSession_ZscalerZIAV02","body":"let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\r\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\r\n 'Allow','Allow',\r\n 'Allow due to insufficient app data','Allow',\r\n 'Block/Drop','Drop',\r\n 'Block/ICMP','Drop ICMP',\r\n 'Block/Reset', 'Reset',\r\n 'IPS Drop', 'Drop',\r\n 'IPS Reset', 'Reset',\r\n // Observed in real world events\r\n 'Block ICMP', 'Drop ICMP',\r\n 'Drop', 'Drop'\r\n];\r\nlet parser=(disabled:bool=false){\r\nCommonSecurityLog | where not(disabled)\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceProduct == \"NSSFWlog\"\r\n// Event fields\r\n| extend \r\n EventStartTime=TimeGenerated, \r\n EventVendor = \"Zscaler\", \r\n EventProduct = \"ZIA Firewall\", \r\n EventSchema = \"NetworkSession\", \r\n EventSchemaVersion=\"0.2.1\", \r\n EventType = 'NetworkSession', \r\n EventSeverity = 'Informational',\r\n EventEndTime=TimeGenerated \r\n| project-rename\r\n DvcOriginalAction = DeviceAction, \r\n DvcHostname = Computer, \r\n EventProductVersion = DeviceVersion, \r\n NetworkProtocol = Protocol, \r\n DstIpAddr = DestinationIP, \r\n DstPortNumber = DestinationPort, \r\n DstNatIpAddr = DestinationTranslatedAddress, \r\n DstNatPortNumber = 
DestinationTranslatedPort,\r\n DstAppName = DeviceCustomString3, \r\n NetworkApplicationProtocol = DeviceCustomString2, \r\n SrcIpAddr = SourceIP, \r\n SrcPortNumber = SourcePort, \r\n SrcUsername = SourceUserName,\r\n SrcNatIpAddr= SourceTranslatedAddress, \r\n SrcNatPortNumber = SourceTranslatedPort, \r\n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\r\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\r\n ThreatName = DeviceCustomString6, \r\n ThreatCategory = DeviceCustomString5, \r\n RuleName = Activity \r\n// -- Calculated fields\r\n| lookup ActionLookup on DvcOriginalAction \r\n| extend\r\n // -- Adjustment to support both old and new CSL fields.\r\n EventCount=coalesce(\r\n toint(column_ifexists(\"fieldDeviceCustomNumber2\", int(null))), \r\n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\r\n ),\r\n NetworkDuration = coalesce(\r\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\r\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\r\n ),\r\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\r\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\r\n DstBytes = tolong(ReceivedBytes), \r\n SrcBytes = tolong(SentBytes)\r\n// -- Enrichment\r\n| extend\r\n EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\"),\r\n DstAppType = \"Service\", \r\n SrcUsernameType = \"UPN\" \r\n// -- Aliases\r\n| extend\r\n Dvc = DvcHostname,\r\n User = SrcUsername,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Duration = NetworkDuration\r\n| project-away \r\n DeviceCustom*\r\n};\r\nparser (disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Zscaler ZIA 
Firewall.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"5d4e8758-105c-57a1-b7f0-94917a97b44d","name":"_ASim_NetworkSession_ZscalerZIAV03","body":"let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\r\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\r\n 'Allow','Allow',\r\n 'Allow due to insufficient app data','Allow',\r\n 'Block/Drop','Drop',\r\n 'Block/ICMP','Drop ICMP',\r\n 'Block/Reset', 'Reset',\r\n 'IPS Drop', 'Drop',\r\n 'IPS Reset', 'Reset',\r\n // Observed in real world events\r\n 'Block ICMP', 'Drop ICMP',\r\n 'Drop', 'Drop'\r\n];\r\nlet parser=(disabled:bool=false){\r\nCommonSecurityLog | where not(disabled)\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceProduct == \"NSSFWlog\"\r\n// Event fields\r\n| extend \r\n EventStartTime=TimeGenerated, \r\n EventVendor = \"Zscaler\", \r\n EventProduct = \"ZIA Firewall\", \r\n EventSchema = \"NetworkSession\", \r\n EventSchemaVersion=\"0.2.1\", \r\n EventType = 'NetworkSession', \r\n EventSeverity = 'Informational',\r\n EventEndTime=TimeGenerated \r\n| project-rename\r\n DvcOriginalAction = DeviceAction, \r\n DvcHostname = Computer, \r\n EventProductVersion = DeviceVersion, \r\n NetworkProtocol = Protocol, \r\n DstIpAddr = DestinationIP, \r\n DstPortNumber = DestinationPort, \r\n DstNatIpAddr = DestinationTranslatedAddress, \r\n DstNatPortNumber = DestinationTranslatedPort,\r\n DstAppName = DeviceCustomString3, \r\n NetworkApplicationProtocol = DeviceCustomString2, \r\n SrcIpAddr = SourceIP, \r\n SrcPortNumber = SourcePort, \r\n SrcUsername = SourceUserName,\r\n SrcNatIpAddr= SourceTranslatedAddress, \r\n SrcNatPortNumber = SourceTranslatedPort, \r\n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\r\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\r\n ThreatName = DeviceCustomString6, \r\n ThreatCategory = DeviceCustomString5, \r\n NetworkRuleName 
= Activity \r\n// -- Calculated fields\r\n| lookup ActionLookup on DvcOriginalAction \r\n| extend\r\n // -- Adjustment to support both old and new CSL fields.\r\n EventCount=coalesce(\r\n toint(column_ifexists(\"fieldDeviceCustomNumber2\", int(null))), \r\n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\r\n ),\r\n NetworkDuration = coalesce(\r\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\r\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\r\n ),\r\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\r\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\r\n DstBytes = tolong(ReceivedBytes), \r\n SrcBytes = tolong(SentBytes)\r\n// -- Enrichment\r\n| extend\r\n EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\"),\r\n DstAppType = \"Service\", \r\n SrcUsernameType = \"UPN\" \r\n// -- Aliases\r\n| extend\r\n Dvc = DvcHostname,\r\n User = SrcUsername,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Rule = NetworkRuleName,\r\n Duration = NetworkDuration\r\n| project-away \r\n DeviceCustom*\r\n};\r\nparser (disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Zscaler ZIA Firewall.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"14780bc9-6124-576d-bb4e-beba8925b1ba","name":"_ASim_NetworkSession_ZscalerZIAV04","body":"let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\r\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\r\n 'Allow','Allow',\r\n 'Allow due to insufficient app data','Allow',\r\n 'Block/Drop','Drop',\r\n 'Block/ICMP','Drop ICMP',\r\n 'Block/Reset', 'Reset',\r\n 'IPS Drop', 'Drop',\r\n 'IPS Reset', 'Reset',\r\n // Observed in real world events\r\n 'Block ICMP', 'Drop ICMP',\r\n 'Drop', 'Drop'\r\n];\r\nlet parser=(disabled:bool=false){\r\nCommonSecurityLog | where 
not(disabled)\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceProduct == \"NSSFWlog\"\r\n// Event fields\r\n| extend \r\n EventStartTime=TimeGenerated, \r\n EventVendor = \"Zscaler\", \r\n EventProduct = \"ZIA Firewall\", \r\n EventSchema = \"NetworkSession\", \r\n EventSchemaVersion=\"0.2.1\", \r\n EventType = 'NetworkSession', \r\n EventSeverity = 'Informational',\r\n EventEndTime=TimeGenerated \r\n| project-rename\r\n DvcOriginalAction = DeviceAction, \r\n DvcHostname = Computer, \r\n EventProductVersion = DeviceVersion, \r\n NetworkProtocol = Protocol, \r\n DstIpAddr = DestinationIP, \r\n DstPortNumber = DestinationPort, \r\n DstNatIpAddr = DestinationTranslatedAddress, \r\n DstNatPortNumber = DestinationTranslatedPort,\r\n DstAppName = DeviceCustomString3, \r\n NetworkApplicationProtocol = DeviceCustomString2, \r\n SrcIpAddr = SourceIP, \r\n SrcPortNumber = SourcePort, \r\n SrcUsername = SourceUserName,\r\n SrcNatIpAddr= SourceTranslatedAddress, \r\n SrcNatPortNumber = SourceTranslatedPort, \r\n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\r\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\r\n ThreatName = DeviceCustomString6, \r\n ThreatCategory = DeviceCustomString5, \r\n NetworkRuleName = Activity,\r\n EventOriginalSeverity = LogSeverity,\r\n EventMessage = Message\r\n// -- Calculated fields\r\n| lookup ActionLookup on DvcOriginalAction \r\n| extend\r\n // -- Adjustment to support both old and new CSL fields.\r\n EventCount=coalesce(\r\n toint(column_ifexists(\"FieldDeviceCustomNumber2\", int(null))), \r\n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\r\n ),\r\n NetworkDuration = coalesce(\r\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\r\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\r\n ),\r\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\r\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\r\n DstBytes = 
tolong(ReceivedBytes), \r\n SrcBytes = tolong(SentBytes)\r\n// -- Enrichment\r\n| extend\r\n EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\"),\r\n DstAppType = \"Service\", \r\n SrcUsernameType = \"UPN\" \r\n// -- Aliases\r\n| extend\r\n Dvc = DvcHostname,\r\n User = SrcUsername,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Rule = NetworkRuleName,\r\n Duration = NetworkDuration\r\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink\r\n};\r\nparser (disabled)","parameters":"disabled:bool = false","description":"Network Session ASIM parser for Zscaler ZIA Firewall. Reads CommonSecurityLog rows with DeviceVendor 'Zscaler' and DeviceProduct 'NSSFWlog'; NetworkDuration and EventCount come from DeviceCustomNumber1/2 or, on the newer CommonSecurityLog schema, FieldDeviceCustomNumber1/2. Caveat: EventResult is 'Success' only when DvcOriginalAction is exactly 'Allow'; the 'Allow due to insufficient app data' action is normalized to DvcAction 'Allow' but reported as EventResult 'Failure', so filter on DvcAction rather than EventResult when counting permitted sessions. DvcAction is populated only for actions present in the ActionLookup table; an unlisted vendor action leaves DvcAction empty while DvcOriginalAction keeps the raw value.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"d8a5216c-6199-50ba-baca-36790a8c67ec","name":"_Im_NetworkSession","body":"union isfuzzy=true\r\n_Im_NetworkSessionBuiltIn(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, pack= pack),\r\nIm_NetworkSessionSolutions(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, pack= pack),\r\nIm_NetworkSessionCustom(starttime= starttime, endtime= endtime, 
srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, pack= pack)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', pack:bool = false","description":"Network Session ASIM filtering parser.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"c965ce5a-9e94-53e4-9c87-fadf4fcb7d34","name":"_Im_NetworkSessionBuiltIn","body":"let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') \r\n| where SearchKey in ('Any', 'Exclude_Im_NetworkSession') \r\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') \r\n| where isnotempty(SourceSpecificParser) \r\n| summarize list = make_set(SourceSpecificParser));\r\nlet builtInDisabled = 0 != array_length(set_intersect(toscalar(DisabledParsers),dynamic(['Exclude_Im_NetworkSessionBuiltIn', 'Exclude_Im_NetworkSession', 'Any'])));\r\nunion isfuzzy=true\r\n_Im_NetworkSession_AppGateSDPV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_AppGateSDP' in (DisabledParsers)))),\r\n_Im_NetworkSession_AWSVPCV03(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, 
dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_AWSVPC' in (DisabledParsers)))),\r\n_Im_NetworkSession_AzureFirewallV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_AzureFirewall' in (DisabledParsers)))),\r\n_Im_NetworkSession_AzureNSGV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_AzureNSG' in (DisabledParsers)))),\r\n_Im_NetworkSession_BarracudaCEFV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_BarracudaCEF' in (DisabledParsers)))),\r\n_Im_NetworkSession_BarracudaWAFV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled 
or('Exclude_Im_NetworkSession_BarracudaWAF' in (DisabledParsers)))),\r\n_Im_NetworkSession_CheckPointFirewallV12(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_CheckPointFirewall' in (DisabledParsers)))),\r\n_Im_NetworkSession_CheckPointSmartDefenseV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_CheckPointSmartDefense' in (DisabledParsers))), pack= pack),\r\n_Im_NetworkSession_CiscoASAV11(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_CiscoASA' in (DisabledParsers)))),\r\n_Im_NetworkSession_CiscoFirepowerV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_CiscoFirepower' in (DisabledParsers)))),\r\n_Im_NetworkSession_CiscoISEV11(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, 
dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_CiscoISE' in (DisabledParsers)))),\r\n_Im_NetworkSession_CiscoMerakiV12(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, dvcaction= dvcaction, hostname_has_any= hostname_has_any, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_CiscoMeraki' in (DisabledParsers)))),\r\n_Im_NetworkSession_CiscoMerakiSyslogV12(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, dvcaction= dvcaction, hostname_has_any= hostname_has_any, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_CiscoMerakiSyslog' in (DisabledParsers)))),\r\n_Im_NetworkSession_CorelightZeekV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_CorelightZeek' in (DisabledParsers)))),\r\n_Im_NetworkSession_CrowdStrikeFalconHostV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, dvcaction= dvcaction, hostname_has_any= hostname_has_any, eventresult= eventresult, disabled= 
(builtInDisabled or('Exclude_Im_NetworkSession_CrowdStrikeFalconHost' in (DisabledParsers)))),\r\n_Im_NetworkSession_EmptyV04,\r\n_Im_NetworkSession_ForcePointFirewallV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_ForcePointFirewall' in (DisabledParsers)))),\r\n_Im_NetworkSession_FortinetFortiGateV06(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_FortinetFortiGate' in (DisabledParsers)))),\r\n_Im_NetworkSession_IllumioSaaSCoreV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_IllumioSaaSCore' in (DisabledParsers)))),\r\n_Im_NetworkSession_MD4IoTAgentV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_MD4IoTAgent' in (DisabledParsers)))),\r\n_Im_NetworkSession_MD4IoTSensorV02(starttime= starttime, endtime= endtime, 
srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_MD4IoTSensor' in (DisabledParsers)))),\r\n_Im_NetworkSession_Microsoft365DefenderV04(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_Microsoft365Defender' in (DisabledParsers)))),\r\n_Im_NetworkSession_LinuxSysmonV04(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_LinuxSysmon' in (DisabledParsers)))),\r\n_Im_NetworkSession_MicrosoftSecurityEventFirewallV05(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_MicrosoftSecurityEventFirewall' in (DisabledParsers)))),\r\n_Im_NetworkSession_MicrosoftSysmonV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, dvcaction= 
dvcaction, hostname_has_any= hostname_has_any, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_MicrosoftSysmon' in (DisabledParsers)))),\r\n_Im_NetworkSession_MicrosoftSysmonWindowsEventV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, dvcaction= dvcaction, hostname_has_any= hostname_has_any, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_MicrosoftSysmonWindowsEvent' in (DisabledParsers)))),\r\n_Im_NetworkSession_MicrosoftWindowsEventFirewallV05(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_MicrosoftWindowsEventFirewall' in (DisabledParsers)))),\r\n_Im_NetworkSession_NativeV03(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_Native' in (DisabledParsers)))),\r\n_Im_NetworkSession_NTANetAnalyticsV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_NTANetAnalytics' in 
(DisabledParsers)))),\r\n_Im_NetworkSession_PaloAltoCEFV07(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_PaloAltoCEF' in (DisabledParsers)))),\r\n_Im_NetworkSession_PaloAltoCortexDataLakeV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, dvcaction= dvcaction, hostname_has_any= hostname_has_any, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_PaloAltoCortexDataLake' in (DisabledParsers)))),\r\n_Im_NetworkSession_SentinelOneV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, dvcaction= dvcaction, hostname_has_any= hostname_has_any, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_SentinelOne' in (DisabledParsers)))),\r\n_Im_NetworkSession_SonicWallFirewallV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_SonicWallFirewall' in (DisabledParsers)))),\r\n_Im_NetworkSession_VectraAIV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_VectraAI' in (DisabledParsers))), pack= pack),\r\n_Im_NetworkSession_VMConnectionV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_VMConnection' in (DisabledParsers)))),\r\n_Im_NetworkSession_VMwareCarbonBlackCloudV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, dvcaction= dvcaction, hostname_has_any= hostname_has_any, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_VMwareCarbonBlackCloud' in (DisabledParsers)))),\r\n_Im_NetworkSession_WatchGuardFirewareOSV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_NetworkSession_WatchGuardFirewareOS' in (DisabledParsers)))),\r\n_Im_NetworkSession_ZscalerZIAV04(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, dstipaddr_has_any_prefix= dstipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, dstportnumber= dstportnumber, hostname_has_any= hostname_has_any, dvcaction= dvcaction, eventresult= eventresult, disabled= (builtInDisabled 
or('Exclude_Im_NetworkSession_ZscalerZIA' in (DisabledParsers))))\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', pack:bool = false","description":"Network Session ASIM built-in union parser. Honors the 'ASimDisabledParsers' watchlist: rows whose SearchKey is 'Any' or 'Exclude_Im_NetworkSession' are read, and if any of their SourceSpecificParser values is 'Any', 'Exclude_Im_NetworkSession' or 'Exclude_Im_NetworkSessionBuiltIn', every built-in source parser below is disabled at once (a silent coverage gap for any detection built on this parser, so audit that watchlist when results look sparse); a SourceSpecificParser value of 'Exclude_Im_NetworkSession_<Source>' disables only that source. The 'pack' parameter is forwarded only to the CheckPointSmartDefense and VectraAI parsers; the other sources do not receive it, and _Im_NetworkSession_EmptyV04 is unioned without any parameters.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"f9197aaa-d494-5ec6-a8d8-f73e7bcf4813","name":"_Im_NetworkSession_AWSVPCV01","body":"let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\r\n 0,\"HOPOPT\",\r\n 1,\"ICMP\",\r\n 2,\"IGMP\",\r\n 3,\"GGP\",\r\n 4,\"IPv4\",\r\n 5,\"ST\",\r\n 6,\"TCP\",\r\n 7,\"CBT\",\r\n 8,\"EGP\",\r\n 9,\"IGP\",\r\n 10,\"BBN-RCC-MON\",\r\n 11,\"NVP-II\",\r\n 12,\"PUP\",\r\n 13,\"ARGUS (deprecated)\",\r\n 14,\"EMCON\",\r\n 15,\"XNET\",\r\n 16,\"CHAOS\",\r\n 17,\"UDP\",\r\n 18,\"MUX\",\r\n 19,\"DCN-MEAS\",\r\n 20,\"HMP\",\r\n 21,\"PRM\",\r\n 22,\"XNS-IDP\",\r\n 23,\"TRUNK-1\",\r\n 24,\"TRUNK-2\",\r\n 25,\"LEAF-1\",\r\n 26,\"LEAF-2\",\r\n 27,\"RDP\",\r\n 28,\"IRTP\",\r\n 29,\"ISO-TP4\",\r\n 30,\"NETBLT\",\r\n 31,\"MFE-NSP\",\r\n 32,\"MERIT-INP\",\r\n 33,\"DCCP\",\r\n 34,\"3PC\",\r\n 35,\"IDPR\",\r\n 36,\"XTP\",\r\n 37,\"DDP\",\r\n 38,\"IDPR-CMTP\",\r\n 39,\"TP++\",\r\n 40,\"IL\",\r\n 41,\"IPv6\",\r\n 42,\"SDRP\",\r\n 43,\"IPv6-Route\",\r\n 44,\"IPv6-Frag\",\r\n 45,\"IDRP\",\r\n 46,\"RSVP\",\r\n 47,\"GRE\",\r\n 48,\"DSR\",\r\n 49,\"BNA\",\r\n 50,\"ESP\",\r\n 51,\"AH\",\r\n 52,\"I-NLSP\",\r\n 53,\"SWIPE (deprecated)\",\r\n 54,\"NARP\",\r\n 55,\"MOBILE\",\r\n 56,\"TLSP\",\r\n 57,\"SKIP\",\r\n 58,\"IPv6-ICMP\",\r\n 59,\"IPv6-NoNxt\",\r\n 60,\"IPv6-Opts\",\r\n 61,\"\",\r\n 62,\"CFTP\",\r\n 63,\"\",\r\n 64,\"SAT-EXPAK\",\r\n 65,\"KRYPTOLAN\",\r\n 
66,\"RVD\",\r\n 67,\"IPPC\",\r\n 68,\"\",\r\n 69,\"SAT-MON\",\r\n 70,\"VISA\",\r\n 71,\"IPCV\",\r\n 72,\"CPNX\",\r\n 73,\"CPHB\",\r\n 74,\"WSN\",\r\n 75,\"PVP\",\r\n 76,\"BR-SAT-MON\",\r\n 77,\"SUN-ND\",\r\n 78,\"WB-MON\",\r\n 79,\"WB-EXPAK\",\r\n 80,\"ISO-IP\",\r\n 81,\"VMTP\",\r\n 82,\"SECURE-VMTP\",\r\n 83,\"VINES\",\r\n 84,\"TTP\",\r\n 84,\"IPTM\",\r\n 85,\"NSFNET-IGP\",\r\n 86,\"DGP\",\r\n 87,\"TCF\",\r\n 88,\"EIGRP\",\r\n 89,\"OSPFIGP\",\r\n 90,\"Sprite-RPC\",\r\n 91,\"LARP\",\r\n 92,\"MTP\",\r\n 93,\"AX.25\",\r\n 94,\"IPIP\",\r\n 95,\"MICP (deprecated)\",\r\n 96,\"SCC-SP\",\r\n 97,\"ETHERIP\",\r\n 98,\"ENCAP\",\r\n 99,\"\",\r\n 100,\"GMTP\",\r\n 101,\"IFMP\",\r\n 102,\"PNNI\",\r\n 103,\"PIM\",\r\n 104,\"ARIS\",\r\n 105,\"SCPS\",\r\n 106,\"QNX\",\r\n 107,\"A/N\",\r\n 108,\"IPComp\",\r\n 109,\"SNP\",\r\n 110,\"Compaq-Peer\",\r\n 111,\"IPX-in-IP\",\r\n 112,\"VRRP\",\r\n 113,\"PGM\",\r\n 114,\"\",\r\n 115,\"L2TP\",\r\n 116,\"DDX\",\r\n 117,\"IATP\",\r\n 118,\"STP\",\r\n 119,\"SRP\",\r\n 120,\"UTI\",\r\n 121,\"SMP\",\r\n 122,\"SM (deprecated)\",\r\n 123,\"PTP\",\r\n 124,\"ISIS over IPv4\",\r\n 125,\"FIRE\",\r\n 126,\"CRTP\",\r\n 127,\"CRUDP\",\r\n 128,\"SSCOPMCE\",\r\n 129,\"IPLT\",\r\n 130,\"SPS\",\r\n 131,\"PIPE\",\r\n 132,\"SCTP\",\r\n 133,\"FC\",\r\n 134,\"RSVP-E2E-IGNORE\",\r\n 135,\"Mobility Header\",\r\n 136,\"UDPLite\",\r\n 137,\"MPLS-in-IP\",\r\n 138,\"manet\",\r\n 139,\"HIP\",\r\n 140,\"Shim6\",\r\n 141,\"WESP\",\r\n 142,\"ROHC\",\r\n 143,\"Ethernet\",\r\n 253,\"\",\r\n 254,\"\",\r\n 255,\"Reserved\"\r\n ];\r\n let DirectionLookup = datatable (FlowDirection:string, NetworkDirection:string) [\r\n 'ingress', 'Inbound',\r\n 'egress', 'Outbound'\r\n ];\r\n let ActionLookup = datatable (Action:string, DvcAction:string) [\r\n 'ACCEPT', 'Allow',\r\n 'REJECT', 'Deny'\r\n ];\r\n let parser = (\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null), \r\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \r\n 
dstipaddr_has_any_prefix:dynamic=dynamic([]), \r\n ipaddr_has_any_prefix:dynamic=dynamic([]),\r\n dstportnumber:int=int(null), \r\n hostname_has_any:dynamic=dynamic([]), \r\n dvcaction:dynamic=dynamic([]), \r\n eventresult:string='*', \r\n disabled:bool=false\r\n )\r\n {\r\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n AWSVPCFlow \r\n | where(isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated =starttime) \r\n and (isnull(endtime) or TimeGenerated=starttime) \r\n and (isnull(endtime) or TimeGenerated= starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n // and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime) and (isnull(endtime) or TimeGenerated no mapping required, RemainingString will be empty \r\n | parse Message with * \" bytes \" * \" \" RemainingString\r\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\r\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\r\n // Now to cover case #3 and 5. 
TCP FINs from OUTSIDE, adding check for the word \"from\" \r\n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\r\n ReasonString)\r\n // Finally extract the required Reason information from the string to be utilized later\r\n | parse ReasonString with Reason \" from \" *\r\n | extend Reason = case(isempty(Reason), ReasonString,\r\n Reason)\r\n | lookup EventResultMapping on Reason\r\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\r\n | where ((eventresult == \"*\") or EventResult == eventresult)\r\n | extend \r\n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\r\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\r\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\r\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\",\r\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\r\n | project-away DstUsernameSimple, *String, Reason;\r\n let all_302014_parsed = parsedData\r\n | where DeviceEventClassID == \"302014\"\r\n | project-away DvcAction, EventResult\r\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\r\n | parse Message with * \" bytes \" * \" \" ReasonString\r\n | parse ReasonString with Reason \" from \" *\r\n | extend Reason = case(isempty(Reason), ReasonString,\r\n Reason)\r\n | lookup EventResultMapping on Reason\r\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\r\n | where ((eventresult == \"*\") or EventResult == eventresult)\r\n | extend \r\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\",\r\n EventOriginalResultDetails = 
iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\r\n | project-away Reason, ReasonString;\r\n let all_302016_parsed = parsedData\r\n | where DeviceEventClassID == \"302016\"\r\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\r\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\";\r\n let all_302016_unparsed = unparsedData\r\n | where DeviceEventClassID == \"302016\"\r\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\r\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\r\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\r\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\r\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \r\n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\r\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \r\n temp_isSrcMatch, \"SrcIpAddr\",\r\n temp_isDstMatch, \"DstIpAddr\",\r\n \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\r\n | extend \r\n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\r\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\r\n trim(@\"\\s?\\(?\\)?\\s?\", 
DstUsername)),\r\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\"\r\n | project-away DstUsernameSimple, *InfoString;\r\n let all_302020_302021 = parsedData\r\n | where DeviceEventClassID in (\"302020\",\"302021\")\r\n | parse Message with * \"(\" SrcUsername \")\" *\r\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\r\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\r\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\r\n \"End\");\r\n let all_7_series = parsedData\r\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\r\n | parse Message with * \" to \" DstInterfaceName \":\" *;\r\n let all_106007 = parsedData\r\n | where DeviceEventClassID == \"106007\"\r\n | extend DstAppName = \"DNS\"\r\n | parse Message with * \" due to \" EventOriginalResultDetails;\r\n let all_106017 = parsedData\r\n | where DeviceEventClassID == \"106017\"\r\n | extend ThreatName = \"Land Attack\";\r\n let all_106100_parsed = parsedData\r\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\r\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\r\n \"Allow\")\r\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\r\n \"Success\")\r\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\r\n | where ((eventresult == \"*\") or EventResult == eventresult)\r\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\r\n let all_106100_unparsed = unparsedData\r\n | where DeviceEventClassID == \"106100\"\r\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\r\n \"Allow\")\r\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\r\n \"Success\")\r\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\r\n | where 
((eventresult == \"*\") or EventResult == eventresult)\r\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \r\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\r\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \r\n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\r\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \r\n temp_isSrcMatch, \"SrcIpAddr\",\r\n temp_isDstMatch, \"DstIpAddr\",\r\n \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\";\r\n let remainingLogs = parsedData\r\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\r\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\r\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\r\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\r\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\r\n | extend \r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventVendor = \"Cisco\",\r\n EventProduct = \"ASA\",\r\n EventCount = coalesce(EventCount,toint(1)),\r\n EventType = 
\"NetworkSession\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion = \"0.2.4\",\r\n SrcInterfaceName = tolower(SrcInterfaceName),\r\n DstInterfaceName = tolower(SrcInterfaceName)\r\n | extend \r\n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\r\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\r\n isnotempty(SrcUsername), \"Simple\",\r\n \"\"),\r\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\r\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\r\n isnotempty(DstUsername), \"Simple\",\r\n \"\")\r\n | lookup ProtocolLookup on Protocol\r\n | project-rename \r\n EventProductVersion = DeviceVersion,\r\n EventOriginalType = DeviceEventClassID,\r\n EventOriginalSeverity = OriginalLogSeverity,\r\n DvcOriginalAction = DeviceAction,\r\n EventMessage = Message,\r\n Dvc = Computer\r\n | extend\r\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\r\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\r\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\r\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\r\n DstInterfaceName in (externalInterface), \"Outbound\",\r\n SrcInterfaceName in (externalInterface), \"Inbound\",\r\n \"\"),\r\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\r\n NetworkProtocol)\r\n | extend \r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Duration = NetworkDuration,\r\n IpAddr = SrcIpAddr,\r\n Rule = NetworkRuleName,\r\n User = DstUsername\r\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\r\n };\r\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session ASIM parser for Cisco ASA.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"a8bdb9c2-f4fc-5529-a6aa-8b0bb0a7ee6d","name":"_Im_NetworkSession_CiscoASAV11","body":"let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\r\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\r\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\r\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\r\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \r\n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\r\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\r\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \r\n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP 
Intercept.',\r\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\r\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\r\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\r\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\r\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\r\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\r\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\r\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. 
An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\r\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\r\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\r\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\r\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\r\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \r\n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \r\n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\r\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\r\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\r\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\r\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \r\n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\r\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\r\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\r\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\r\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \r\n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\r\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \r\n 'Xlate Clear', '', '', '', 'A command line was removed.',\r\n];\r\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\r\n \"0\",\"HOPOPT\"\r\n , \"1\",\"ICMP\"\r\n , \"2\",\"IGMP\"\r\n , \"3\",\"GGP\"\r\n , \"4\",\"IPv4\"\r\n , \"5\",\"ST\"\r\n , \"6\",\"TCP\"\r\n , \"7\",\"CBT\"\r\n , \"8\",\"EGP\"\r\n , \"9\",\"IGP\"\r\n , \"10\",\"BBN-RCC-MON\"\r\n , \"11\",\"NVP-II\"\r\n , \"12\",\"PUP\"\r\n , \"13\",\"ARGUS (deprecated)\"\r\n , \"14\",\"EMCON\"\r\n , \"15\",\"XNET\"\r\n , 
\"16\",\"CHAOS\"\r\n , \"17\",\"UDP\"\r\n , \"18\",\"MUX\"\r\n , \"19\",\"DCN-MEAS\"\r\n , \"20\",\"HMP\"\r\n , \"21\",\"PRM\"\r\n , \"22\",\"XNS-IDP\"\r\n , \"23\",\"TRUNK-1\"\r\n , \"24\",\"TRUNK-2\"\r\n , \"25\",\"LEAF-1\"\r\n , \"26\",\"LEAF-2\"\r\n , \"27\",\"RDP\"\r\n , \"28\",\"IRTP\"\r\n , \"29\",\"ISO-TP4\"\r\n , \"30\",\"NETBLT\"\r\n , \"31\",\"MFE-NSP\"\r\n , \"32\",\"MERIT-INP\"\r\n , \"33\",\"DCCP\"\r\n , \"34\",\"3PC\"\r\n , \"35\",\"IDPR\"\r\n , \"36\",\"XTP\"\r\n , \"37\",\"DDP\"\r\n , \"38\",\"IDPR-CMTP\"\r\n , \"39\",\"TP++\"\r\n , \"40\",\"IL\"\r\n , \"41\",\"IPv6\"\r\n , \"42\",\"SDRP\"\r\n , \"43\",\"IPv6-Route\"\r\n , \"44\",\"IPv6-Frag\"\r\n , \"45\",\"IDRP\"\r\n , \"46\",\"RSVP\"\r\n , \"47\",\"GRE\"\r\n , \"48\",\"DSR\"\r\n , \"49\",\"BNA\"\r\n , \"50\",\"ESP\"\r\n , \"51\",\"AH\"\r\n , \"52\",\"I-NLSP\"\r\n , \"53\",\"SWIPE (deprecated)\"\r\n , \"54\",\"NARP\"\r\n , \"55\",\"MOBILE\"\r\n , \"56\",\"TLSP\"\r\n , \"57\",\"SKIP\"\r\n , \"58\",\"IPv6-ICMP\"\r\n , \"59\",\"IPv6-NoNxt\"\r\n , \"60\",\"IPv6-Opts\"\r\n , \"61\",\"\"\r\n , \"62\",\"CFTP\"\r\n , \"63\",\"\"\r\n , \"64\",\"SAT-EXPAK\"\r\n , \"65\",\"KRYPTOLAN\"\r\n , \"66\",\"RVD\"\r\n , \"67\",\"IPPC\"\r\n , \"68\",\"\"\r\n , \"69\",\"SAT-MON\"\r\n , \"70\",\"VISA\"\r\n , \"71\",\"IPCV\"\r\n , \"72\",\"CPNX\"\r\n , \"73\",\"CPHB\"\r\n , \"74\",\"WSN\"\r\n , \"75\",\"PVP\"\r\n , \"76\",\"BR-SAT-MON\"\r\n , \"77\",\"SUN-ND\"\r\n , \"78\",\"WB-MON\"\r\n , \"79\",\"WB-EXPAK\"\r\n , \"80\",\"ISO-IP\"\r\n , \"81\",\"VMTP\"\r\n , \"82\",\"SECURE-VMTP\"\r\n , \"83\",\"VINES\"\r\n , \"84\",\"TTP\"\r\n , \"84\",\"IPTM\"\r\n , \"85\",\"NSFNET-IGP\"\r\n , \"86\",\"DGP\"\r\n , \"87\",\"TCF\"\r\n , \"88\",\"EIGRP\"\r\n , \"89\",\"OSPFIGP\"\r\n , \"90\",\"Sprite-RPC\"\r\n , \"91\",\"LARP\"\r\n , \"92\",\"MTP\"\r\n , \"93\",\"AX.25\"\r\n , \"94\",\"IPIP\"\r\n , \"95\",\"MICP (deprecated)\"\r\n , \"96\",\"SCC-SP\"\r\n , \"97\",\"ETHERIP\"\r\n , \"98\",\"ENCAP\"\r\n , \"99\",\"\"\r\n , 
\"100\",\"GMTP\"\r\n , \"101\",\"IFMP\"\r\n , \"102\",\"PNNI\"\r\n , \"103\",\"PIM\"\r\n , \"104\",\"ARIS\"\r\n , \"105\",\"SCPS\"\r\n , \"106\",\"QNX\"\r\n , \"107\",\"A/N\"\r\n , \"108\",\"IPComp\"\r\n , \"109\",\"SNP\"\r\n , \"110\",\"Compaq-Peer\"\r\n , \"111\",\"IPX-in-IP\"\r\n , \"112\",\"VRRP\"\r\n , \"113\",\"PGM\"\r\n , \"114\",\"\"\r\n , \"115\",\"L2TP\"\r\n , \"116\",\"DDX\"\r\n , \"117\",\"IATP\"\r\n , \"118\",\"STP\"\r\n , \"119\",\"SRP\"\r\n , \"120\",\"UTI\"\r\n , \"121\",\"SMP\"\r\n , \"122\",\"SM (deprecated)\"\r\n , \"123\",\"PTP\"\r\n , \"124\",\"ISIS over IPv4\"\r\n , \"125\",\"FIRE\"\r\n , \"126\",\"CRTP\"\r\n , \"127\",\"CRUDP\"\r\n , \"128\",\"SSCOPMCE\"\r\n , \"129\",\"IPLT\"\r\n , \"130\",\"SPS\"\r\n , \"131\",\"PIPE\"\r\n , \"132\",\"SCTP\"\r\n , \"133\",\"FC\"\r\n , \"134\",\"RSVP-E2E-IGNORE\"\r\n , \"135\",\"Mobility Header\"\r\n , \"136\",\"UDPLite\"\r\n , \"137\",\"MPLS-in-IP\"\r\n , \"138\",\"manet\"\r\n , \"139\",\"HIP\"\r\n , \"140\",\"Shim6\"\r\n , \"141\",\"WESP\"\r\n , \"142\",\"ROHC\"\r\n , \"143\",\"Ethernet\"\r\n , \"253\",\"\"\r\n , \"254\",\"\"\r\n , \"255\",\"Reserved\"\r\n ];\r\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\r\n \"106001\", \"Deny\", \"Failure\",\r\n \"106002\", \"Deny\", \"Failure\",\r\n \"106006\", \"Deny\", \"Failure\",\r\n \"106007\", \"Deny\", \"Failure\",\r\n \"106010\", \"Deny\", \"Failure\",\r\n \"106012\", \"Deny\", \"Failure\",\r\n \"106013\", \"Drop\", \"Failure\",\r\n \"106014\", \"Deny\", \"Failure\",\r\n \"106015\", \"Deny\", \"Failure\",\r\n \"106016\", \"Deny\", \"Failure\",\r\n \"106017\", \"Deny\", \"Failure\",\r\n \"106018\", \"Deny\", \"Failure\",\r\n \"106020\", \"Deny\", \"Failure\",\r\n \"106021\", \"Deny\", \"Failure\",\r\n \"106022\", \"Deny\", \"Failure\",\r\n \"106023\", \"Deny\", \"Failure\",\r\n \"106100\", \"\", \"\",\r\n \"302013\", \"Allow\", \"Success\",\r\n \"302014\", \"\", \"\", \r\n \"302015\", \"Allow\", 
\"Success\",\r\n \"302016\", \"Allow\", \"Success\",\r\n \"302020\", \"Allow\", \"Success\",\r\n \"302021\", \"Allow\", \"Success\",\r\n \"710002\", \"Allow\", \"Success\",\r\n \"710003\", \"Deny\", \"Failure\",\r\n \"710004\", \"Drop\", \"Failure\",\r\n \"710005\", \"Drop\", \"Failure\",\r\n ];\r\n let NWParser = (\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null),\r\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \r\n dstipaddr_has_any_prefix:dynamic=dynamic([]), \r\n ipaddr_has_any_prefix:dynamic=dynamic([]),\r\n dstportnumber:int=int(null), \r\n hostname_has_any:dynamic=dynamic([]), \r\n dvcaction:dynamic=dynamic([]), \r\n eventresult:string='*', \r\n disabled:bool=false)\r\n { \r\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\r\n let allLogs = CommonSecurityLog\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated no mapping required, RemainingString will be empty \r\n | parse Message with * \" bytes \" * \" \" RemainingString\r\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\r\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\r\n // Now to cover case #3 and 5. 
TCP FINs from OUTSIDE, adding check for the word \"from\" \r\n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\r\n ReasonString)\r\n // Finally extract the required Reason information from the string to be utilized later\r\n | parse ReasonString with Reason \" from \" *\r\n | extend Reason = case(isempty(Reason), ReasonString,\r\n Reason)\r\n | lookup EventResultMapping on Reason\r\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\r\n | where ((eventresult == \"*\") or EventResult == eventresult)\r\n | extend \r\n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\r\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\r\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\r\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\",\r\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\r\n | project-away DstUsernameSimple, *String, Reason;\r\n let all_302014_parsed = parsedData\r\n | where DeviceEventClassID == \"302014\"\r\n | project-away DvcAction, EventResult\r\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\r\n | parse Message with * \" bytes \" * \" \" ReasonString\r\n | parse ReasonString with Reason \" from \" *\r\n | extend Reason = case(isempty(Reason), ReasonString,\r\n Reason)\r\n | lookup EventResultMapping on Reason\r\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\r\n | where ((eventresult == \"*\") or EventResult == eventresult)\r\n | extend \r\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\",\r\n EventOriginalResultDetails = 
iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\r\n | project-away Reason, ReasonString;\r\n let all_302016_parsed = parsedData\r\n | where DeviceEventClassID == \"302016\"\r\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\r\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\";\r\n let all_302016_unparsed = unparsedData\r\n | where DeviceEventClassID == \"302016\"\r\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\r\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\r\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\r\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\r\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \r\n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\r\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \r\n temp_isSrcMatch, \"SrcIpAddr\",\r\n temp_isDstMatch, \"DstIpAddr\",\r\n \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\r\n | extend \r\n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\r\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\r\n trim(@\"\\s?\\(?\\)?\\s?\", 
DstUsername)),\r\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\r\n SessionId = NetworkSessionId,\r\n EventSubType = \"End\"\r\n | project-away DstUsernameSimple, *InfoString;\r\n let all_302020_302021 = parsedData\r\n | where DeviceEventClassID in (\"302020\",\"302021\")\r\n | parse Message with * \"(\" SrcUsername \")\" *\r\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\r\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\r\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\r\n \"End\");\r\n let all_7_series = parsedData\r\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\r\n | parse Message with * \" to \" DstInterfaceName \":\" *;\r\n let all_106007 = parsedData\r\n | where DeviceEventClassID == \"106007\"\r\n | extend DstAppName = \"DNS\"\r\n | parse Message with * \" due to \" EventOriginalResultDetails;\r\n let all_106017 = parsedData\r\n | where DeviceEventClassID == \"106017\"\r\n | extend ThreatName = \"Land Attack\";\r\n let all_106100_parsed = parsedData\r\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\r\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\r\n \"Allow\")\r\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\r\n \"Success\")\r\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\r\n | where ((eventresult == \"*\") or EventResult == eventresult)\r\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\r\n let all_106100_unparsed = unparsedData\r\n | where DeviceEventClassID == \"106100\"\r\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\r\n \"Allow\")\r\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\r\n \"Success\")\r\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\r\n | where 
((eventresult == \"*\") or EventResult == eventresult)\r\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \r\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\r\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \r\n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\r\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \r\n temp_isSrcMatch, \"SrcIpAddr\",\r\n temp_isDstMatch, \"DstIpAddr\",\r\n \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\";\r\n let remainingLogs = parsedData\r\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\r\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\r\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\r\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\r\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\r\n | extend \r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventVendor = \"Cisco\",\r\n EventProduct = \"ASA\",\r\n EventCount = coalesce(EventCount,toint(1)),\r\n EventType = 
\"NetworkSession\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion = \"0.2.4\",\r\n SrcInterfaceName = tolower(SrcInterfaceName),\r\n DstInterfaceName = tolower(DstInterfaceName)\r\n | extend \r\n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\r\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\r\n isnotempty(SrcUsername), \"Simple\",\r\n \"\"),\r\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\r\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\r\n isnotempty(DstUsername), \"Simple\",\r\n \"\")\r\n | lookup ProtocolLookup on Protocol\r\n | project-rename \r\n EventProductVersion = DeviceVersion,\r\n EventOriginalType = DeviceEventClassID,\r\n EventOriginalSeverity = OriginalLogSeverity,\r\n DvcOriginalAction = DeviceAction,\r\n EventMessage = Message,\r\n Dvc = Computer\r\n | extend\r\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\r\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\r\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\r\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\r\n DstInterfaceName in (externalInterface), \"Outbound\",\r\n SrcInterfaceName in (externalInterface), \"Inbound\",\r\n \"\"),\r\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\r\n NetworkProtocol)\r\n | extend \r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Duration = NetworkDuration,\r\n IpAddr = SrcIpAddr,\r\n Rule = NetworkRuleName,\r\n User = DstUsername\r\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\r\n };\r\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session ASIM parser for Cisco ASA.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"85642a47-664d-5495-883e-7ae653ff0846","name":"_Im_NetworkSession_CiscoFirepowerV01","body":"let ActionLookup = datatable(\r\n DeviceAction: string,\r\n DvcAction: string,\r\n EventResult: string\r\n)\r\n[\r\n \"Blocked\", \"Deny\", \"Failure\",\r\n \"Alerted\", \"Allow\", \"Success\",\r\n \"Rewritten\", \"Allow\", \"Success\",\r\n \"Would be Rewritten\", \"Allow\", \"Partial\",\r\n \"Would be Blocked\", \"Deny\", \"Partial\",\r\n \"Would Be Blocked\", \"Deny\", \"Partial\",\r\n \"Dropped\", \"Drop\", \"Failure\",\r\n \"Would be Dropped\", \"Drop\", \"Partial\",\r\n \"Partially Dropped\", \"Drop\", \"Partial\",\r\n \"Would be Block\", \"Deny\", \"Partial\",\r\n \"Partial Blocked\", \"Deny\", \"Partial\",\r\n \"Rejected\", \"Deny\", \"Failure\",\r\n \"Would be Rejected\", \"Deny\", \"Partial\",\r\n \"Would Rejected\", \"Deny\", \"Partial\",\r\n \"Block\", \"Deny\", \"Failure\",\r\n \"Partial Block\", \"Deny\", \"Partial\",\r\n \"Drop\", \"Drop\", \"Failure\",\r\n \"Would Drop\", \"Drop\", \"Partial\",\r\n \"Reject\", \"Deny\", \"Failure\",\r\n \"Rewrite\", \"Allow\", \"Success\",\r\n \"Allow\", \"Allow\", \"Success\",\r\n \"Monitor\", \"Allow\", \"Success\"\r\n];\r\nlet EventSeverityLookup = 
datatable (LogSeverity: string, EventSeverity: string)\r\n[\r\n \"0\", \"Low\",\r\n \"1\", \"Low\",\r\n \"2\", \"Low\",\r\n \"3\", \"Low\",\r\n \"4\", \"Medium\",\r\n \"5\", \"Medium\",\r\n \"6\", \"Medium\",\r\n \"7\", \"High\",\r\n \"8\", \"High\",\r\n \"9\", \"High\",\r\n \"10\", \"High\"\r\n];\r\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)\r\n[\r\n \"N/A\", \"NA\",\r\n \"IP Block\", \"Terminated\",\r\n \"IP Monitor\", \"Unknown\",\r\n \"User Bypass\", \"Unknown\",\r\n \"File Monitor\", \"Unknown\",\r\n \"File Block\", \"Terminated\",\r\n \"Intrusion Monitor\", \"Unknown\",\r\n \"Intrusion Block\", \"Terminated\",\r\n \"File Resume Block\", \"Terminated\",\r\n \"File Resume Allow\", \"Unknown\",\r\n \"File Custom Detection\", \"Unknown\"\r\n];\r\nlet parser = (starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null),\r\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \r\n dstipaddr_has_any_prefix: dynamic=dynamic([]), \r\n ipaddr_has_any_prefix: dynamic=dynamic([]),\r\n dstportnumber: int=int(null), \r\n hostname_has_any: dynamic=dynamic([]), \r\n dvcaction: dynamic=dynamic([]), \r\n eventresult: string='*', \r\n disabled: bool=false) {\r\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\r\n let AllLogs = CommonSecurityLog\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated ************************\r\n | extend \r\n Dvc = coalesce(DvcHostname, DvcIpAddr)\r\n , IpAddr = SrcIpAddr\r\n , Dst = DstIpAddr\r\n , Src = SrcIpAddr\r\n , User = DstUsername\r\n //********************** ***********************\r\n | project-away\r\n TenantId,\r\n SourceSystem,\r\n MG,\r\n Computer,\r\n EventTime,\r\n Facility,\r\n HostName,\r\n SeverityLevel,\r\n SyslogMessage,\r\n HostIP,\r\n 
ProcessName,\r\n ProcessID,\r\n _ResourceId,\r\n FailureReason,\r\n NetworkDeviceName,\r\n ['User-Name'],\r\n UserName,\r\n ['Device IP Address'],\r\n ['Remote-Address'],\r\n ['Calling-Station-ID'],\r\n ['Called-Station-ID']\r\n};\r\nCiscoISENSParser(\r\nstarttime=starttime,\r\nendtime=endtime, \r\nsrcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \r\ndstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \r\nipaddr_has_any_prefix=ipaddr_has_any_prefix, \r\ndstportnumber=dstportnumber, \r\nhostname_has_any=hostname_has_any, \r\ndvcaction=dvcaction, \r\neventresult=eventresult, \r\ndisabled=disabled)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session ASIM filtering parser for Cisco ISE.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"7a73b552-bd0b-5211-9ec7-e44dfabb98d9","name":"_Im_NetworkSession_CiscoMerakiSyslogV12","body":"let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\r\n [\r\n \"0\", \"Unknown\",\r\n \"1\", \"Unknown\",\r\n \"2\", \"Timeout\",\r\n \"3\", \"Terminated\",\r\n \"4\", \"Timeout\",\r\n \"5\", \"Transient error\",\r\n \"6\", \"Invalid Tunnel\",\r\n \"7\", \"Invalid Tunnel\",\r\n \"8\", \"Terminated\",\r\n \"9\", \"Invalid Tunnel\",\r\n \"10\", \"Unknown\",\r\n \"11\", \"Invalid TCP\",\r\n \"12\", \"Unknown\",\r\n \"13\", \"Invalid TCP\",\r\n \"14\", \"Invalid Tunnel\",\r\n \"15\", \"Invalid TCP\",\r\n \"16\", \"Timeout\",\r\n \"17\", \"Invalid Tunnel\",\r\n \"18\", \"Invalid TCP\",\r\n \"19\", \"Invalid TCP\",\r\n \"20\", \"Invalid TCP\",\r\n \"21\", \"Unknown\",\r\n \"22\", \"Invalid 
TCP\",\r\n \"23\", \"Invalid Tunnel\",\r\n \"24\", \"Invalid Tunnel\",\r\n \"32\", \"Unknown\",\r\n \"33\", \"Invalid TCP\",\r\n \"34\", \"Invalid TCP\",\r\n \"35\", \"Invalid TCP\",\r\n \"36\", \"Unknown\",\r\n \"37\", \"Unknown\",\r\n \"38\", \"Unknown\",\r\n \"39\", \"Timeout\",\r\n \"40\", \"Invalid TCP\",\r\n \"98\", \"Unknown\",\r\n \"99\", \"Unknown\"\r\n];\r\nlet NetworkIcmpTypeLookup = datatable(\r\n NetworkIcmpCode_lookup: int,\r\n NetworkIcmpType_lookup: string\r\n)\r\n [\r\n 0, \"Reserved\",\r\n 1, \"Destination Unreachable\",\r\n 2, \"Packet Too Big\",\r\n 3, \"Time Exceeded\",\r\n 4, \"Parameter Problem\",\r\n 100, \"Private experimentation\",\r\n 101, \"Private experimentation\",\r\n 127, \"Reserved for expansion of ICMPv6 error messages\",\r\n 128, \"Echo Request\",\r\n 129, \"Echo Reply\",\r\n 130, \"Multicast Listener Query\",\r\n 131, \"Multicast Listener Report\",\r\n 132, \"Multicast Listener Done\",\r\n 133, \"Router Solicitation\",\r\n 134, \"Router Advertisement\",\r\n 135, \"Neighbor Solicitation\",\r\n 136, \"Neighbor Advertisement\",\r\n 137, \"Redirect Message\",\r\n 138, \"Router Renumbering\",\r\n 139, \"ICMP Node Information Query\",\r\n 140, \"ICMP Node Information Response\",\r\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\r\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\r\n 143, \"Version 2 Multicast Listener Report\",\r\n 144, \"Home Agent Address Discovery Request Message\",\r\n 145, \"Home Agent Address Discovery Reply Message\",\r\n 146, \"Mobile Prefix Solicitation\",\r\n 147, \"Mobile Prefix Advertisement\",\r\n 148, \"Certification Path Solicitation Message\",\r\n 149, \"Certification Path Advertisement Message\",\r\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\r\n 151, \"Multicast Router Advertisement\",\r\n 152, \"Multicast Router Solicitation\",\r\n 153, \"Multicast Router Termination\",\r\n 154, \"FMIPv6 Messages\",\r\n 155, \"RPL Control Message\",\r\n 
156, \"ILNPv6 Locator Update Message\",\r\n 157, \"Duplicate Address Request\",\r\n 158, \"Duplicate Address Confirmation\",\r\n 159, \"MPL Control Message\",\r\n 160, \"Extended Echo Request\",\r\n 161, \"Extended Echo Reply\",\r\n 200, \"Private experimentation\",\r\n 201, \"Private experimentation\",\r\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\r\n];\r\nlet NetworkProtocolLookup = datatable(\r\n protocol: string,\r\n NetworkProtocol_lookup: string,\r\n NetworkProtocolVersion: string\r\n)[\r\n \"tcp\", \"TCP\", \"\",\r\n \"tcp/ip\", \"TCP\", \"\",\r\n \"udp\", \"UDP\", \"\",\r\n \"udp/ip\", \"UDP\", \"\",\r\n \"icmp\", \"ICMP\", \"IPV4\",\r\n \"icmp6\", \"ICMP\", \"IPV6\",\r\n];\r\nlet EventSeverityPriorityLookup = datatable(priority: string, EventSeverity: string)[\r\n \"1\", \"High\",\r\n \"2\", \"Medium\",\r\n \"3\", \"Low\",\r\n \"4\", \"Informational\"\r\n];\r\nlet EventSeverityDvcActionLookup = datatable(DvcAction: string, EventSeverity: string)[\r\n \"Allow\", \"Informational\",\r\n \"Deny\", \"Low\"\r\n];\r\nlet NetworkDirectionLookup = datatable(direction: string, NetworkDirection: string)[\r\n \"ingress\", \"Inbound\",\r\n \"egress\", \"Outbound\",\r\n \"Unknown\", \"NA\"\r\n];\r\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\r\n \"allow\", \"Allow\", \"Success\",\r\n \"deny\", \"Deny\", \"Failure\",\r\n \"Blocked\", \"Deny\", \"Failure\"\r\n];\r\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\r\n \"association\", \"Success\",\r\n \"disassociation\", \"Failure\",\r\n \"Virtual router collision\", \"Failure\",\r\n];\r\nlet parser=(disabled: bool=false, \r\n starttime: datetime=datetime(null), \r\n endtime: datetime=datetime(null), \r\n eventresult: string='*', \r\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\r\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\r\n ipaddr_has_any_prefix: dynamic=dynamic([]), \r\n hostname_has_any: 
dynamic=dynamic([]),\r\n dstportnumber: int=int(null),\r\n dvcaction: dynamic=dynamic([])\r\n ) {\r\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let allData = (\r\n Syslog\r\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\r\n | project-rename LogMessage = SyslogMessage\r\n );\r\n let PreFilteredData = allData\r\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = 25 and toint(reason) = 25 and toint(reason) = starttime) \r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = 25 and toint(reason) = 25 and toint(reason) = starttime)\r\n and (isnull(endtime) or TimeGenerated = 25 and toint(reason) = 25 and toint(reason) =starttime) \r\n and (isnull(endtime) or TimeGenerated= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime) \r\n and (isnull(endtime) or TimeGenerated = 200000, \"High\",\r\n MessageCode =starttime) and (isnull(endtime) or TimeGenerated=starttime) and (isnull(endtime) or TimeGenerated=starttime) and (isnull(endtime) or TimeGenerated=starttime) and (isnull(endtime) or TimeGenerated=starttime) \r\n and (isnull(endtime) or TimeGenerated=starttime) \r\n and (isnull(endtime) or TimeGenerated3')\r\n | project-away ProcessName, ProcessID\r\n // *************** Prefilterring *****************************************************************\r\n | where \r\n (eventresult=='*' or eventresult=='Success')\r\n and (array_length(dvcaction) ==0 ) /// if filtered by action return nothing\r\n and (array_length(ip_any)==0 \r\n or has_any_ipv4_prefix(SyslogMessage,ip_any)\r\n ) \r\n and (array_length(hostname_has_any)==0 \r\n or SyslogMessage has_any(hostname_has_any)) \r\n and (isnull(dstportnumber) or SyslogMessage has (tostring(dstportnumber))) \r\n // *************** / Prefilterring 
***************************************************************\r\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\r\n | where (array_length(srcipaddr_has_any_prefix)==0 \r\n or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix)\r\n ) \r\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\r\n;\r\nlet parser = (T: (SyslogMessage: string)) {\r\n T \r\n | parse SyslogMessage with \r\n *\r\n '' EventOriginalUid:string ''\r\n *\r\n '' SysmonComputer:string ''\r\n *\r\n '' RuleName:string ''\r\n '' EventEndTime:datetime ''\r\n '{' ProcessGuid:string '}'\r\n '' ProcessId:string ''\r\n '' Process:string ''\r\n '' User:string ''\r\n '' Protocol:string '' // -- source is lowercase\r\n '' Initiated:bool '' \r\n '' SourceIsIpv6:bool ''\t\t\r\n '' * ''\r\n '' SrcHostname:string ''\r\n '' SrcPortNumber:int ''\r\n '' SrcPortName:string ''\r\n '' DestinationIsIpv6:bool ''\r\n '' DstIpAddr:string ''\r\n '' DstHostname:string ''\r\n '' DstPortNumber:int ''\r\n '' DstPortName:string ''\r\n *\r\n};\r\nlet OutboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where outbound\r\n | invoke parser ()\r\n | extend \r\n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \r\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n| extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n)\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | extend temp_isSrcHostMatch= (SrcHostname has_any (hostname_has_any))\r\n , temp_isDstHostMatch = (DstHostname has_any (hostname_has_any))\r\n | extend ASimMatchingHostname = case(\r\n array_length(hostname_has_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcHostMatch 
and temp_isDstHostMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcHostMatch, \"SrcHostname\"\r\n , temp_isDstHostMatch, \"DstHostname\"\r\n , \"No match\"\r\n)\r\n | where ASimMatchingHostname != \"No match\"\r\n | project-away temp_*\r\n | extend\r\n SrcUsernameType = 'Simple',\r\n SrcUsername = User,\r\n SrcProcessId = ProcessId, \r\n SrcProcessGuid = ProcessGuid,\r\n SrcProcessName = Process,\r\n SrcAppName = Process,\r\n SrcAppType = 'Process'\r\n | project-away SyslogMessage\r\n;\r\n let InboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where not(outbound)\r\n | invoke parser ()\r\n // *************** Postfilterring ***************************************************************\r\n | where (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any)or SrcHostname has_any (hostname_has_any) )\r\n and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\r\n // *************** Postfilterring ***************************************************************\r\n | extend \r\n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \r\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | project-away temp_*\r\n | extend\r\n DstUsernameType = 'Simple',\r\n DstUsername = User,\r\n DstProcessId = ProcessId, \r\n DstProcessGuid = ProcessGuid,\r\n DstProcessName = Process,\r\n DstAppName = Process,\r\n DstAppType = 'Process' \r\n | project-away SyslogMessage\r\n ;\r\n let SysmonForLinuxNetwork=\r\n union OutboundNetworkEvents, InboundNetworkEvents\r\n | extend \r\n EventType = 'NetworkSession',\r\n 
EventStartTime = EventEndTime,\r\n EventCount = int(1),\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.2.3',\r\n EventSchema = 'NetworkSession', \r\n EventProduct = 'Sysmon for Linux',\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n DvcOs = 'Linux',\r\n Protocol = toupper(Protocol),\r\n EventOriginalType = '3' // Set with a constant value to avoid parsing\r\n | project-rename \r\n DvcIpAddr = HostIP,\r\n DvcHostname = SysmonComputer\r\n | extend // aliases\r\n Dvc = DvcHostname,\r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr\r\n ;\r\n SysmonForLinuxNetwork ","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session ASIM filtering parser for Sysmon for Linux.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"591de502-56a5-54d6-89ab-4833dd64ed20","name":"_Im_NetworkSession_LinuxSysmonV03","body":"let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\nlet ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\nlet DirectionNetworkEvents =\r\n Syslog \r\n | where (isnull(starttime) or TimeGenerated>=starttime) \r\n and (isnull(endtime) or TimeGenerated3')\r\n // *************** Prefilterring *****************************************************************\r\n | where \r\n (eventresult=='*' or eventresult=='Success')\r\n and (array_length(dvcaction) ==0 ) /// if filtered by action return nothing\r\n and 
(array_length(ip_any)==0 \r\n or has_any_ipv4_prefix(SyslogMessage,ip_any)\r\n ) \r\n and (array_length(hostname_has_any)==0 \r\n or SyslogMessage has_any(hostname_has_any)) \r\n and (isnull(dstportnumber) or SyslogMessage has (tostring(dstportnumber))) \r\n // *************** / Prefilterring ***************************************************************\r\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\r\n | where (array_length(srcipaddr_has_any_prefix)==0 \r\n or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix)\r\n ) \r\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\r\n;\r\nlet parser = (T: (SyslogMessage: string)) {\r\n T \r\n | parse SyslogMessage with \r\n *\r\n '' EventOriginalUid:string ''\r\n *\r\n '' SysmonComputer:string ''\r\n *\r\n '' RuleName:string ''\r\n '' EventEndTime:datetime ''\r\n '{' ProcessGuid:string '}'\r\n '' ProcessId:string ''\r\n '' Process:string ''\r\n '' User:string ''\r\n '' Protocol:string '' // -- source is lowercase\r\n '' Initiated:bool '' \r\n '' SourceIsIpv6:bool ''\t\t\r\n '' * ''\r\n '' SrcHostname:string ''\r\n '' SrcPortNumber:int ''\r\n '' SrcPortName:string ''\r\n '' DestinationIsIpv6:bool ''\r\n '' DstIpAddr:string ''\r\n '' DstHostname:string ''\r\n '' DstPortNumber:int ''\r\n '' DstPortName:string ''\r\n *\r\n | project-away DstPortName, DestinationIsIpv6, Initiated, SourceIsIpv6, SrcPortName, RuleName\r\n};\r\nlet OutboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where outbound\r\n | invoke parser ()\r\n | extend \r\n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \r\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n| extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, 
\"DstIpAddr\"\r\n , \"No match\"\r\n)\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | extend temp_isSrcHostMatch= (SrcHostname has_any (hostname_has_any))\r\n , temp_isDstHostMatch = (DstHostname has_any (hostname_has_any))\r\n | extend ASimMatchingHostname = case(\r\n array_length(hostname_has_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcHostMatch and temp_isDstHostMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcHostMatch, \"SrcHostname\"\r\n , temp_isDstHostMatch, \"DstHostname\"\r\n , \"No match\"\r\n)\r\n | where ASimMatchingHostname != \"No match\"\r\n | project-away temp_*\r\n | extend\r\n SrcUsernameType = 'Simple',\r\n SrcUsername = User,\r\n SrcAppType = 'Process'\r\n | project-rename\r\n SrcProcessId = ProcessId, \r\n SrcProcessGuid = ProcessGuid,\r\n SrcProcessName = Process\r\n | extend\r\n SrcAppName = SrcProcessName\r\n | project-away SyslogMessage\r\n;\r\nlet InboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where not(outbound)\r\n | invoke parser ()\r\n // *************** Postfilterring ***************************************************************\r\n | where (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any)or SrcHostname has_any (hostname_has_any) )\r\n and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\r\n // *************** Postfilterring ***************************************************************\r\n | extend \r\n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \r\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n )\r\n | project-away temp_*\r\n | 
where ASimMatchingIpAddr != \"No match\"\r\n | extend\r\n DstUsernameType = 'Simple',\r\n DstAppType = 'Process' \r\n | project-rename\r\n DstUsername = User,\r\n DstProcessId = ProcessId, \r\n DstProcessGuid = ProcessGuid,\r\n DstProcessName = Process\r\n | extend\r\n DstAppName = DstProcessName\r\n | project-away SyslogMessage\r\n;\r\nlet SysmonForLinuxNetwork=\r\n union OutboundNetworkEvents, InboundNetworkEvents\r\n | extend \r\n EventType = 'NetworkSession',\r\n EventStartTime = EventEndTime,\r\n EventCount = int(1),\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.2.3',\r\n EventSchema = 'NetworkSession', \r\n EventProduct = 'Sysmon for Linux',\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n DvcOs = 'Linux',\r\n NetworkProtocol = toupper(Protocol),\r\n NetworkDirection = iff(outbound, \"Outbound\", \"Inbound\"),\r\n EventOriginalType = '3' // Set with a constant value to avoid parsing\r\n | project-away outbound, Protocol\r\n | project-rename \r\n DvcIpAddr = HostIP,\r\n DvcHostname = SysmonComputer\r\n | extend // aliases\r\n Dvc = DvcHostname,\r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr\r\n;\r\nSysmonForLinuxNetwork ","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session ASIM filtering parser for Sysmon for Linux.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"0b1fbfb4-302a-5732-ba05-92f2d94f1eed","name":"_Im_NetworkSession_LinuxSysmonV04","body":"let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\nlet 
dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\nlet ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\nlet DirectionNetworkEvents =\r\n Syslog \r\n | where (isnull(starttime) or TimeGenerated>=starttime) \r\n and (isnull(endtime) or TimeGenerated3')\r\n // *************** Prefilterring *****************************************************************\r\n | where \r\n (eventresult=='*' or eventresult=='Success')\r\n and (array_length(dvcaction) ==0 ) /// if filtered by action return nothing\r\n and (array_length(ip_any)==0 \r\n or has_any_ipv4_prefix(SyslogMessage,ip_any)\r\n ) \r\n and (array_length(hostname_has_any)==0 \r\n or SyslogMessage has_any(hostname_has_any)) \r\n and (isnull(dstportnumber) or SyslogMessage has (tostring(dstportnumber))) \r\n // *************** / Prefilterring ***************************************************************\r\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\r\n | where (array_length(srcipaddr_has_any_prefix)==0 \r\n or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix)\r\n ) \r\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\r\n;\r\nlet parser = (T: (SyslogMessage: string)) {\r\n T \r\n | parse SyslogMessage with \r\n *\r\n '' EventOriginalUid:string ''\r\n *\r\n '' SysmonComputer:string ''\r\n *\r\n '' RuleName:string ''\r\n '' EventEndTime:datetime ''\r\n '{' ProcessGuid:string '}'\r\n '' ProcessId:string ''\r\n '' Process:string ''\r\n '' User:string ''\r\n '' Protocol:string '' // -- source is lowercase\r\n '' Initiated:bool '' \r\n '' SourceIsIpv6:bool ''\t\t\r\n '' * ''\r\n '' SrcHostname:string ''\r\n '' SrcPortNumber:int ''\r\n '' SrcPortName:string ''\r\n '' DestinationIsIpv6:bool ''\r\n '' DstIpAddr:string ''\r\n '' DstHostname:string ''\r\n '' DstPortNumber:int ''\r\n '' DstPortName:string ''\r\n *\r\n | project-away DstPortName, DestinationIsIpv6, Initiated, SourceIsIpv6, SrcPortName, 
RuleName\r\n};\r\nlet OutboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where outbound\r\n | invoke parser ()\r\n | extend \r\n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \r\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n| extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n)\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | extend temp_isSrcHostMatch= (SrcHostname has_any (hostname_has_any))\r\n , temp_isDstHostMatch = (DstHostname has_any (hostname_has_any))\r\n | extend ASimMatchingHostname = case(\r\n array_length(hostname_has_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcHostMatch and temp_isDstHostMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcHostMatch, \"SrcHostname\"\r\n , temp_isDstHostMatch, \"DstHostname\"\r\n , \"No match\"\r\n)\r\n | where ASimMatchingHostname != \"No match\"\r\n | project-away temp_*\r\n | extend\r\n SrcUsernameType = 'Simple',\r\n SrcUsername = User,\r\n SrcAppType = 'Process'\r\n | project-rename\r\n SrcProcessId = ProcessId, \r\n SrcProcessGuid = ProcessGuid,\r\n SrcProcessName = Process\r\n | extend\r\n SrcAppName = SrcProcessName\r\n | project-away SyslogMessage\r\n;\r\nlet InboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where not(outbound)\r\n | invoke parser ()\r\n // *************** Postfilterring ***************************************************************\r\n | where (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any)or SrcHostname has_any (hostname_has_any) )\r\n and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\r\n // *************** Postfilterring 
***************************************************************\r\n | extend \r\n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \r\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n )\r\n | project-away temp_*\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | extend\r\n DstUsernameType = 'Simple',\r\n DstAppType = 'Process' \r\n | project-rename\r\n DstUsername = User,\r\n DstProcessId = ProcessId, \r\n DstProcessGuid = ProcessGuid,\r\n DstProcessName = Process\r\n | extend\r\n DstAppName = DstProcessName\r\n | project-away SyslogMessage\r\n;\r\nlet SysmonForLinuxNetwork=\r\n union OutboundNetworkEvents, InboundNetworkEvents\r\n | extend \r\n EventType = 'NetworkSession',\r\n EventStartTime = EventEndTime,\r\n EventCount = int(1),\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.2.3',\r\n EventSchema = 'NetworkSession', \r\n EventProduct = 'Sysmon for Linux',\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n DvcOs = 'Linux',\r\n NetworkProtocol = toupper(Protocol),\r\n NetworkDirection = iff(outbound, \"Outbound\", \"Inbound\"),\r\n EventOriginalType = '3' // Set with a constant value to avoid parsing\r\n | project-away outbound, Protocol\r\n | project-rename \r\n DvcIpAddr = HostIP,\r\n DvcHostname = SysmonComputer\r\n | extend // aliases\r\n Dvc = DvcHostname,\r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr\r\n;\r\nSysmonForLinuxNetwork ","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = 
dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session ASIM filtering parser for Sysmon for Linux.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"e23a78f6-7d17-54f5-960e-323f884c66a8","name":"_Im_NetworkSession_MD4IoTAgentV02","body":"let parser = (\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null), \r\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \r\n dstipaddr_has_any_prefix:dynamic=dynamic([]), \r\n ipaddr_has_any_prefix:dynamic=dynamic([]),\r\n dstportnumber:int=int(null), \r\n hostname_has_any:dynamic=dynamic([]), \r\n dvcaction:dynamic=dynamic([]), \r\n eventresult:string='*', \r\n disabled:bool=false)\r\n{\r\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let ip_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix, srcipaddr_has_any_prefix); \r\n let DirectionNetworkEvents =\r\n SecurityIoTRawEvent \r\n | where (isnull(starttime) or TimeGenerated>=starttime) \r\n and (isnull(endtime) or TimeGenerated RemotePort\r\n | where (isnull(dstportnumber) or (not(outbound) and dstportnumber == LocalPort) or (outbound and dstportnumber == RemotePort) ) \r\n ;\r\n let parser = (T: (EventDetails: string)) {\r\n T \r\n | parse EventDetails with \r\n '{\"LocalAddress\":\"' LocalAddress:string '\",'\r\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\r\n *\r\n '\"BytesIn\":' BytesIn:long ','\r\n '\"BytesOut\":' BytesOut:long ','\r\n '\"Protocol\":\"' Protocol:string '\",'\r\n '\"ProcessId\":' ProcessId:string ','\r\n '\"UserId\":' UserId:string ','\r\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\r\n * // '\"AzureResourceId\":\"' 
AzureResourceId:string '\",'\r\n '\"DeviceId\":\"' DeviceId:string '\",'\r\n '\"MessageSource\":\"' MessageSource:string '\",'\r\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\r\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\r\n *\r\n }\r\n ; \r\n let OutboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where outbound\r\n // *************** Postfilterring *****************************************************************\r\n | where (isnull(dstportnumber) or dstportnumber==LocalPort)\r\n // *************** Postfilterring *****************************************************************\r\n | invoke parser ()\r\n | extend temp_isSrcMatch=has_any_ipv4_prefix(LocalAddress,src_or_any)\r\n , temp_isDstMatch=has_any_ipv4_prefix(RemoteAddress,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n ) \r\n | where ASimMatchingIpAddr != \"No match\"\r\n | project-away temp_*\r\n | project-rename\r\n SrcBytes = BytesOut,\r\n DstBytes = BytesIn,\r\n SrcPortNumber = LocalPort,\r\n DstIpAddr = RemoteAddress,\r\n DstPortNumber = RemotePort,\r\n SrcProcessId = ProcessId\r\n | extend\r\n SrcIpAddr = LocalAddress,\r\n SrcDvcIdType = \"MD4IoTid\",\r\n SrcUserId = UserId,\r\n SrcUserIdType = \"UID\",\r\n SrcDvcId = DeviceId,\r\n Process = SrcProcessId, // alias\r\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\r\n ;\r\n let InboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where not(outbound)\r\n // *************** Postfilterring *****************************************************************\r\n | where (isnull(dstportnumber) or dstportnumber==RemotePort)\r\n // *************** Postfilterring 
*****************************************************************\r\n | invoke parser ()\r\n | extend temp_isSrcMatch=( // only one of each pair has_any_ipv4_prefix is calculated\r\n has_any_ipv4_prefix(RemoteAddress,src_or_any)\r\n ) \r\n , temp_isDstMatch=(\r\n has_any_ipv4_prefix(LocalAddress,dst_or_any) \r\n ) \r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n ) \r\n | project-away temp_*\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | project-rename\r\n DstBytes = BytesOut,\r\n SrcBytes = BytesIn,\r\n DstPortNumber = LocalPort,\r\n SrcIpAddr = RemoteAddress,\r\n SrcPortNumber = RemotePort,\r\n DstProcessId = ProcessId\r\n | extend\r\n DstIpAddr = LocalAddress,\r\n DstDvcIdType = \"MD4IoTid\",\r\n DstUserId = UserId,\r\n DstUserIdType = \"UID\",\r\n DstDvcId = DeviceId,\r\n Process = DstProcessId, // alias\r\n DstDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\r\n ;\r\n let NetworkSessionMD4IoT = \r\n union InboundNetworkEvents, OutboundNetworkEvents\r\n | extend\r\n EventCount = int(1),\r\n EventProduct = 'Azure Defender for IoT', \r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.2.3',\r\n EventSchema = \"NetworkSession\", \r\n EventType = 'NetworkSession',\r\n EventStartTime = TimeGenerated, \r\n EventEndTime = TimeGenerated, \r\n EventResult = 'Success',\r\n EventSeverity = 'Informational'\r\n | project-rename\r\n EventProductVersion = AgentVersion, // Not available in Windows\r\n _ResourceId = AssociatedResourceId, \r\n _SubscriptionId = AzureSubscriptionId, \r\n EventOriginalUid = OriginalEventId, // OK pending question\r\n DvcOs = MessageSource,\r\n NetworkProtocol = Protocol,\r\n NetworkApplicationProtocol = 
ApplicationProtocol,\r\n DvcId = DeviceId,\r\n DvcIpAddr = LocalAddress\r\n | project-away outbound\r\n | extend\r\n Dvc = DvcId,\r\n DvcIdType = \"MD4IoTid\",\r\n User = UserId,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr\r\n ;\r\n NetworkSessionMD4IoT};\r\n parser(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session ASIM filtering parser for Microsoft Defender for IoT micro agent.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"d81086d3-e6da-5654-bde5-dae00abcebeb","name":"_Im_NetworkSession_MD4IoTSensorV02","body":"let parser = (\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null), \r\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \r\n dstipaddr_has_any_prefix:dynamic=dynamic([]), \r\n ipaddr_has_any_prefix:dynamic=dynamic([]),\r\n dstportnumber:int=int(null), \r\n hostname_has_any:dynamic=dynamic([]), \r\n dvcaction:dynamic=dynamic([]), \r\n eventresult:string='*', \r\n disabled:bool=false)\r\n{\r\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n DefenderIoTRawEvent\r\n | where RawEventName == \"NetworkConnectionData\"\r\n | where (isnull(starttime) or TimeGenerated>=starttime)\r\n and (isnull(endtime) or TimeGenerated=starttime) \r\n and (isnull(endtime) or TimeGenerated RemotePort\r\n | where (isnull(dstportnumber) 
or (not(outbound) and dstportnumber == LocalPort) or (outbound and dstportnumber == RemotePort) ) \r\n ;\r\n let parser = (T: (EventDetails: string)) {\r\n T \r\n | parse EventDetails with \r\n '{\"LocalAddress\":\"' LocalAddress:string '\",'\r\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\r\n *\r\n '\"BytesIn\":' BytesIn:long ','\r\n '\"BytesOut\":' BytesOut:long ','\r\n '\"Protocol\":\"' Protocol:string '\",'\r\n '\"ProcessId\":' ProcessId:string ','\r\n '\"UserId\":' UserId:string ','\r\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\r\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\r\n '\"DeviceId\":\"' DeviceId:string '\",'\r\n '\"MessageSource\":\"' MessageSource:string '\",'\r\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\r\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\r\n *\r\n }\r\n ; \r\n let OutboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where outbound\r\n // *************** Postfilterring *****************************************************************\r\n | where (isnull(dstportnumber) or dstportnumber==LocalPort)\r\n // *************** Postfilterring *****************************************************************\r\n | invoke parser ()\r\n | extend temp_isSrcMatch=has_any_ipv4_prefix(LocalAddress,src_or_any)\r\n , temp_isDstMatch=has_any_ipv4_prefix(RemoteAddress,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n ) \r\n | where ASimMatchingIpAddr != \"No match\"\r\n | project-away temp_*\r\n | project-rename\r\n SrcBytes = BytesOut,\r\n DstBytes = BytesIn,\r\n SrcPortNumber = LocalPort,\r\n DstIpAddr = RemoteAddress,\r\n DstPortNumber = RemotePort,\r\n SrcProcessId = 
ProcessId\r\n | extend\r\n SrcIpAddr = LocalAddress,\r\n SrcDvcIdType = \"MD4IoTid\",\r\n SrcUserId = UserId,\r\n SrcUserIdType = \"UID\",\r\n SrcDvcId = DeviceId,\r\n Process = SrcProcessId, // alias\r\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\r\n ;\r\n let InboundNetworkEvents = \r\n DirectionNetworkEvents\r\n | where not(outbound)\r\n // *************** Postfilterring *****************************************************************\r\n | where (isnull(dstportnumber) or dstportnumber==RemotePort)\r\n // *************** Postfilterring *****************************************************************\r\n | invoke parser ()\r\n | extend temp_isSrcMatch=( // only one of each pair has_any_ipv4_prefix is calculated\r\n has_any_ipv4_prefix(RemoteAddress,src_or_any)\r\n ) \r\n , temp_isDstMatch=(\r\n has_any_ipv4_prefix(LocalAddress,dst_or_any) \r\n ) \r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n ) \r\n | project-away temp_*\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | project-rename\r\n DstBytes = BytesOut,\r\n SrcBytes = BytesIn,\r\n DstPortNumber = LocalPort,\r\n SrcIpAddr = RemoteAddress,\r\n SrcPortNumber = RemotePort,\r\n DstProcessId = ProcessId\r\n | extend\r\n DstIpAddr = LocalAddress,\r\n DstDvcIdType = \"MD4IoTid\",\r\n DstUserId = UserId,\r\n DstUserIdType = \"UID\",\r\n DstDvcId = DeviceId,\r\n Process = DstProcessId, // alias\r\n DstDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\r\n ;\r\n let NetworkSessionMD4IoT = \r\n union InboundNetworkEvents, OutboundNetworkEvents\r\n | extend\r\n EventCount = int(1),\r\n EventProduct = 'Azure Defender for IoT', \r\n EventVendor = 'Microsoft',\r\n 
EventSchemaVersion = '0.2.3',\r\n EventSchema = \"NetworkSession\", \r\n EventType = 'NetworkSession',\r\n EventStartTime = TimeGenerated, \r\n EventEndTime = TimeGenerated, \r\n EventResult = 'Success',\r\n EventSeverity = 'Informational'\r\n | project-rename\r\n EventProductVersion = AgentVersion, // Not available in Windows\r\n _ResourceId = AssociatedResourceId, \r\n _SubscriptionId = AzureSubscriptionId, \r\n EventOriginalUid = OriginalEventId, // OK pending question\r\n DvcOs = MessageSource,\r\n NetworkProtocol = Protocol,\r\n NetworkApplicationProtocol = ApplicationProtocol,\r\n DvcId = DeviceId,\r\n DvcIpAddr = LocalAddress\r\n | project-away outbound\r\n | extend\r\n Dvc = DvcId,\r\n DvcIdType = \"MD4IoTid\",\r\n User = UserId,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr\r\n ;\r\n NetworkSessionMD4IoT};\r\n parser(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session ASIM filtering parser for Microsoft Defender for IoT.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"09585ee7-9d88-5777-bc4a-cbae33245b13","name":"_Im_NetworkSession_Microsoft365DefenderV02","body":"let M365Defender=\r\n (starttime:datetime=datetime(null)\r\n , endtime:datetime=datetime(null)\r\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\r\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\r\n , ipaddr_has_any_prefix:dynamic=dynamic([])\r\n , dstportnumber:int=int(null)\r\n , 
hostname_has_any:dynamic=dynamic([])\r\n , dvcaction:dynamic=dynamic([])\r\n , eventresult:string='*'\r\n , disabled:bool=false\r\n ){\r\nlet DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\r\n 'ConnectionSuccess','Outbound', true\r\n ,'ConnectionFailed', 'Outbound', true\r\n ,'ConnectionRequest','Outbound', true\r\n ,'InboundConnectionAccepted', 'Inbound', false\r\n ,'ConnectionFound', 'Unknown', false\r\n ,'ListeningConnectionCreated', 'Listen', false \r\n];\r\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n// -- Common preprocessing to both input and outbound events\r\nlet RawNetworkEvents = (select_outbound:boolean) {\r\n DeviceNetworkEvents \r\n | where (isnull(starttime) or TimeGenerated>=starttime) \r\n and (isnull(endtime) or TimeGenerated=starttime) \r\n and (isnull(endtime) or TimeGenerated=starttime) \r\n and (isnull(endtime) or TimeGenerated \"S-1-0-0\", \"SID\", \"\"),\r\n SrcUserId = iff (SrcUserId \"S-1-0-0\", SrcUserId, \"\"),\r\n DstHostname = UrlHostname\r\n | project-rename\r\n DstDomain = UrlDomain,\r\n DstFQDN = UrlFQDN,\r\n DstDomainType = UrlDomainType\r\n | extend \r\n SrcHostname = DvcHostname,\r\n SrcDomain = DvcDomain,\r\n SrcFQDN = DvcFQDN,\r\n SrcDomainType = DvcDomainType\r\n // Processes\r\n | extend\r\n SrcProcessId = tostring(InitiatingProcessId),\r\n ParentProcessId = tostring(InitiatingProcessParentId)\r\n | project-rename\r\n SrcProcessName = InitiatingProcessFileName,\r\n SrcProcessCommandLine = InitiatingProcessCommandLine,\r\n SrcProcessCreationTime = InitiatingProcessCreationTime,\r\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\r\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\r\n ParentProcessName = InitiatingProcessParentFileName,\r\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\r\n | extend\r\n Process = SrcProcessName,\r\n 
ProcessId = SrcProcessId,\r\n SrcAppName = SrcProcessName,\r\n SrcAppType = \"Process\"\r\n;\r\nlet InboundNetworkEvents = \r\n RawNetworkEvents (false)\r\n // *************** Postfilterring *****************************************************************\r\n | where (isnull(dstportnumber) or dstportnumber==LocalPort)\r\n // *************** /Postfilterring *****************************************************************\r\n |extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"\",\r\n UrlHostname has_any(hostname_has_any), \"SrcHostname\",\r\n DvcHostname has_any(hostname_has_any), \"DstHostname\",\r\n \"No match\"\r\n )\r\n | where ASimMatchingHostname != \"No match\"\r\n | project-rename\r\n SrcIpAddr = RemoteIP,\r\n DstIpAddr = LocalIP,\r\n SrcPortNumber = RemotePort,\r\n DstPortNumber = LocalPort,\r\n DstUsernameType = UsernameType,\r\n DstUserAadId = InitiatingProcessAccountObjectId,\r\n DstUserId = InitiatingProcessAccountSid,\r\n DstUserUpn = InitiatingProcessAccountUpn,\r\n SrcDomain = UrlDomain,\r\n SrcFQDN = UrlFQDN,\r\n SrcDomainType = UrlDomainType\r\n | extend\r\n DstUsername = User,\r\n DstDvcId = DvcId,\r\n DstDvcIdType = 'MDEid',\r\n DstUserIdType = 'SID',\r\n SrcHostname = UrlHostname\r\n | extend \r\n DstHostname = DvcHostname,\r\n DstDomain = DvcDomain,\r\n DstFQDN = DvcFQDN\r\n // Processes\r\n | extend\r\n DstProcessId = tostring(InitiatingProcessId),\r\n ParentProcessId = tostring(InitiatingProcessParentId)\r\n | project-rename\r\n DstProcessName = InitiatingProcessFileName,\r\n DstProcessCommandLine = InitiatingProcessCommandLine,\r\n DstProcessCreationTime = InitiatingProcessCreationTime,\r\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\r\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\r\n ParentProcessName = InitiatingProcessParentFileName,\r\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\r\n | extend\r\n Process = DstProcessName,\r\n DstAppName = DstProcessName,\r\n 
DstAppType = \"Process\"\r\n;\r\nunion InboundNetworkEvents, OutboundNetworkEvents\r\n| project-rename \r\n Hostname = UrlHostname\r\n| extend // aliases\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr \r\n};\r\nM365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session ASIM filtering parser for M365 Defender for Endpoint.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"b6d17033-720a-5de2-9a90-519f75b8416a","name":"_Im_NetworkSession_MicrosoftSecurityEventFirewallV05","body":"let LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\r\n '%%14596', 'IP Packet',\r\n '%%14597', 'Transport',\r\n '%%14598', 'Forward',\r\n '%%14599', 'Stream',\r\n '%%14600', 'Datagram Data',\r\n '%%14601', 'ICMP Error',\r\n '%%14602', 'MAC 802.3',\r\n '%%14603', 'MAC Native',\r\n '%%14604', 'vSwitch',\r\n '%%14608', 'Resource Assignment',\r\n '%%14609', 'Listen',\r\n '%%14610', 'Receive/Accept',\r\n '%%14611', 'Connect',\r\n '%%14612', 'Flow Established',\r\n '%%14614', 'Resource Release',\r\n '%%14615', 'Endpoint Closure',\r\n '%%14616', 'Connect Redirect',\r\n '%%14617', 'Bind Redirect',\r\n '%%14624', 'Stream Packet'];\r\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\r\n 1, 'ICMP',\r\n 3, 'GGP',\r\n 6, 'TCP',\r\n 8, 'EGP',\r\n 12, 'PUP',\r\n 17, 'UDP',\r\n 20, 'HMP',\r\n 27, 'RDP',\r\n 46, 'RSVP',\r\n 47, 'PPTP data over GRE',\r\n 50, 
'ESP',\r\n 51, 'AH',\r\n 66, 'RVD',\r\n 88, 'IGMP',\r\n 89, 'OSPF'];\r\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\r\n '%%14592', 'Inbound', false,\r\n '%%14593', 'Outbound', true,\r\n '%%14594', 'Forward',false,\r\n '%%14595', 'Bidirectional', false,\r\n '%%14609', 'Listen', false];\r\n///////////////////////////////////////////////////////\r\n// this query extract data fields from EventData column from SecurityEvent table\r\n///////////////////////////////////////////////////////\r\nlet parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null)\r\n, srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null)\r\n, hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false\r\n) { \r\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\r\n let SecurityEventProjected =\r\n SecurityEvent\r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\r\n ;\r\n // Event IDs between (5151 .. 
5159)\r\n // will be extracting Event specific fields from 'EventData' field\r\n let SecurityEvent_5152 = \r\n SecurityEventProjected \r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated>=starttime)\r\n and (isnull(endtime) or TimeGenerated'ProcessId:string''\r\n '\\x0d\\x0a 'Application''\r\n '\\x0d\\x0a 'DirectionCode''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'DstIpAddr''\r\n '\\x0d\\x0a 'DstPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''*\r\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\r\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | project-away temp_*, EventData\r\n ;\r\n let SecurityEvent_5154_5155_5158_5159 =\r\n SecurityEventProjected \r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated>=starttime)\r\n and (isnull(endtime) or TimeGenerated'ProcessId:string'' \r\n '\\x0d\\x0a 'Application:string''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''*\r\n | extend DirectionCode = \"%%14609\"\r\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\r\n , temp_isDstMatch=false\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and 
temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | project-away temp_* , EventData\r\n ;\r\n let SecurityEvent_5156_5157 =\r\n SecurityEventProjected\r\n | where not(disabled) \r\n | where (isnull(starttime) or TimeGenerated>=starttime)\r\n and (isnull(endtime) or TimeGenerated=starttime)\r\n and (isnull(endtime) or TimeGenerated 5156)\r\n )\r\n and (array_length(hostname_has_any)==0 )\r\n and (eventresult=='*' or EventResult==eventresult) \r\n // *************** / Prefilterring *****************************************************************\r\n | parse EventData with * ''ProcessId:string''\r\n '\\x0d\\x0a 'Application:string''\r\n '\\x0d\\x0a 'DirectionCode:string''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'DstIpAddr:string''\r\n '\\x0d\\x0a 'DstPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''\r\n '\\x0d\\x0a 'RemoteUserID:string''\r\n '\\x0d\\x0a 'RemoteMachineID:string''*\r\n | project-away EventData\r\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | project-away temp_*\r\n ;\r\n union SecurityEvent_5154_5155_5158_5159, SecurityEvent_5156_5157, SecurityEvent_5152\r\n | lookup Directions on DirectionCode\r\n | project-rename DvcHostname = Computer\r\n | extend\r\n 
SrcAppName = iff(isOutBound, Application, \"\"),\r\n DstAppName = iff(not(isOutBound), Application, \"\"),\r\n SrcDvcId = iff(isOutBound, RemoteMachineID, \"\"),\r\n DstDvcId = iff(not(isOutBound), RemoteMachineID, \"\"),\r\n SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\r\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\r\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\r\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\"),\r\n DstHostname = iff(isOutBound, \"\", DvcHostname),\r\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\r\n | project-away Application, RemoteMachineID, ProcessId, RemoteUserID\r\n // *************** Postfilterring *****************************************************************\r\n | where (isnull(dstportnumber) or DstPortNumber == dstportnumber )\r\n // *************** / Postfilterring *****************************************************************\r\n | extend \r\n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\r\n DvcOs = 'Windows',\r\n DstAppType = \"Process\",\r\n SrcUserIdType = iff (SrcUserId \"S-1-0-0\", \"SID\", \"\"),\r\n SrcUserId = iff (SrcUserId \"S-1-0-0\", SrcUserId, \"\"),\r\n DstUserIdType = iff (DstUserId \"S-1-0-0\", \"SID\", \"\"),\r\n DstUserId = iff (DstUserId \"S-1-0-0\", DstUserId, \"\"),\r\n SrcAppType = \"Process\",\r\n EventType = \"NetworkSession\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion=\"0.2.3\",\r\n EventCount=toint(1),\r\n EventVendor = \"Microsoft\",\r\n EventProduct = \"Windows Firewall\",\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\")\r\n // -- Aliases\r\n | extend \r\n Dvc = DvcHostname,\r\n Hostname = DvcHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Rule = tostring(NetworkRuleNumber),\r\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\r\n SrcDvcIdType = iff (SrcDvcId != \"\", 
\"SID\", \"\")\r\n | lookup LayerCodeTable on LayerCode\r\n | lookup ProtocolTable on Protocol\r\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID, LayerRTID,_ResourceId,_SubscriptionId\r\n };\r\n parser(starttime=starttime, \r\n endtime=endtime, \r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \r\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \r\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\r\n dstportnumber=dstportnumber,\r\n hostname_has_any=hostname_has_any, \r\n dvcaction=dvcaction,\r\n eventresult=eventresult, \r\n disabled=disabled)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session ASIM filtering parser for Microsoft Windows Firewall.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"541bc2b4-1f59-5bd1-bd1e-bf4a12b9eabf","name":"_Im_NetworkSession_MicrosoftSysmonV01","body":"let parser = (\r\nstarttime: datetime=datetime(null), \r\nendtime: datetime=datetime(null), \r\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \r\ndstipaddr_has_any_prefix: dynamic=dynamic([]), \r\nipaddr_has_any_prefix: dynamic=dynamic([]),\r\ndstportnumber: int=int(null), \r\nhostname_has_any: dynamic=dynamic([]), \r\ndvcaction: dynamic=dynamic([]), \r\neventresult: string='*', \r\ndisabled: bool=false\r\n) {\r\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\nlet ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\r\nlet Sysmon3_Event=Event\r\n | where 
(isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated {?([^>]*?)}?')\r\n | where (array_length(ip_any) == 0 \r\n or has_any_ipv4_prefix(EventData, ip_any)\r\n ) \r\n and (isnull(dstportnumber)) or dstportnumber == DestinationPort\r\n and (array_length(hostname_has_any) == 0) or SourceHostname has_any (hostname_has_any) or DestinationHostname has_any (hostname_has_any)\r\n | extend\r\n temp_isSrcMatch=has_any_ipv4_prefix(SourceIp, src_or_any)\r\n ,\r\n temp_isDstMatch=has_any_ipv4_prefix(DestinationIp, dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\r\n \"-\" // match not requested: probably most common case\r\n ,\r\n (temp_isSrcMatch and temp_isDstMatch),\r\n \"Both\" // has to be checked before the individual \r\n ,\r\n temp_isSrcMatch,\r\n \"SrcIpAddr\"\r\n ,\r\n temp_isDstMatch,\r\n \"DstIpAddr\"\r\n ,\r\n \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | project-away EventData\r\n | project-rename\r\n SrcHostname = SourceHostname,\r\n DstHostname = DestinationHostname\r\n | project-away\r\n Source,\r\n EventLog,\r\n EventCategory,\r\n UserName,\r\n Message,\r\n ParameterXml,\r\n RenderedDescription,\r\n MG,\r\n AzureDeploymentID,\r\n Role; \r\nSysmon3_Event\r\n| extend\r\n AppName = tostring(split(Image, \"\\\\\")[-1])\r\n| extend\r\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\r\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\r\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\r\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\r\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\r\n SrcAppName = iff(not(Initiated), AppName, \"\"),\r\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\r\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\r\n DstUsername = iff(Initiated, tostring(User), \"\"),\r\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\r\n 
DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\r\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\r\n DstAppName = iff(Initiated, AppName, \"\"),\r\n DstAppType = iff(Initiated, 'Process', \"\")\r\n| project-away ProcessId, ProcessGuid, Image, AppName\r\n| project-rename \r\n EventStartTime = UtcTime,\r\n Dvc = Computer,\r\n SrcIpAddr = SourceIp,\r\n DstIpAddr = DestinationIp,\r\n DstPortNumber = DestinationPort,\r\n SrcPortNumber = SourcePort,\r\n NetworkRuleName = RuleName\r\n| extend \r\n EventEndTime = EventStartTime,\r\n Hostname = case(\r\n Initiated,\r\n DstHostname,\r\n not(Initiated),\r\n SrcHostname,\r\n Dvc\r\n ),\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\r\n IpAddr = SrcIpAddr,\r\n EventType = 'EndpointNetworkSession',\r\n EventCount = int(1),\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.2.5',\r\n EventSchema = 'NetworkSession', \r\n EventProduct = 'Sysmon',\r\n EventResult = 'Success',\r\n EventSeverity = 'Informational',\r\n DvcOs = 'Windows',\r\n Protocol = toupper(Protocol),\r\n EventOriginalType = '3' // Set with a constant value to avoid parsing \r\n| extend\r\n DvcHostname = Hostname\r\n| extend\r\n SrcHostname = iff(SrcHostname == \"-\", \"\", SrcHostname),\r\n DvcHostname = iff(DvcHostname == \"-\", \"\", DvcHostname),\r\n DstHostname = iff(DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\r\n| project-rename\r\n TmpSrcHostname = SrcHostname,\r\n TmpDvcHostname = DvcHostname,\r\n TmpDstHostname = DstHostname\r\n| invoke \r\n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\r\n| invoke \r\n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\r\n| invoke \r\n _ASIM_ResolveDstFQDN('TmpDstHostname')\r\n| project-away\r\n TmpSrcHostname,\r\n TmpDvcHostname,\r\n TmpDstHostname\r\n| extend \r\n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\r\n NetworkProtocol = toupper(Protocol)\r\n| project-away \r\n Destination*,\r\n 
Initiated,\r\n ManagementGroupName,\r\n TenantId,\r\n Protocol,\r\n Source*,\r\n EventID,\r\n EventLevelName,\r\n EventLevel,\r\n _ResourceId\r\n};\r\n parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), dvcaction:dynamic = dynamic([]), hostname_has_any:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session Event ASIM parser for Sysmon (Event 3).","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"cefbbe26-cc18-5c86-9bfc-6dcab2180042","name":"_Im_NetworkSession_MicrosoftSysmonWindowsEventV01","body":"let parser = (\r\nstarttime: datetime=datetime(null), \r\nendtime: datetime=datetime(null), \r\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \r\ndstipaddr_has_any_prefix: dynamic=dynamic([]), \r\nipaddr_has_any_prefix: dynamic=dynamic([]),\r\ndstportnumber: int=int(null), \r\nhostname_has_any: dynamic=dynamic([]), \r\ndvcaction: dynamic=dynamic([]), \r\neventresult: string='*', \r\ndisabled: bool=false\r\n) {\r\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\nlet ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\r\nlet Sysmon3_WindowsEvent=WindowsEvent\r\n | where not(disabled) \r\n | where (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated =starttime)\r\n and (isnull(endtime) or TimeGenerated'ProcessId:string''\r\n '\\x0d\\x0a 'Application''\r\n '\\x0d\\x0a 'DirectionCode''\r\n 
'\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'DstIpAddr''\r\n '\\x0d\\x0a 'DstPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''*\r\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\r\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | project-away temp_*, EventData\r\n ;\r\n let SecurityEvent_5154_5155_5158_5159 =\r\n SecurityEventProjected \r\n | where (isnull(starttime) or TimeGenerated>=starttime)\r\n and (isnull(endtime) or TimeGenerated'ProcessId:string'' \r\n '\\x0d\\x0a 'Application:string''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''*\r\n | extend DirectionCode = \"%%14609\"\r\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\r\n , temp_isDstMatch=false\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | project-away temp_* , EventData\r\n ;\r\n let SecurityEvent_5156_5157 =\r\n SecurityEventProjected \r\n | where (isnull(starttime) or 
TimeGenerated>=starttime)\r\n and (isnull(endtime) or TimeGenerated=starttime)\r\n and (isnull(endtime) or TimeGenerated 5156)\r\n )\r\n and (array_length(hostname_has_any)==0 )\r\n and (eventresult=='*' or EventResult==eventresult) \r\n // *************** / Prefilterring *****************************************************************\r\n | parse EventData with * ''ProcessId:string''\r\n '\\x0d\\x0a 'Application:string''\r\n '\\x0d\\x0a 'DirectionCode:string''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'DstIpAddr:string''\r\n '\\x0d\\x0a 'DstPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''\r\n '\\x0d\\x0a 'RemoteUserID:string''\r\n '\\x0d\\x0a 'RemoteMachineID:string''*\r\n | project-away EventData\r\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\r\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | project-away temp_*\r\n ;\r\n union SecurityEvent_5154_5155_5158_5159, SecurityEvent_5156_5157, SecurityEvent_5152\r\n | lookup Directions on DirectionCode\r\n | project-rename DvcHostname = Computer\r\n | extend\r\n SrcAppName = iff(isOutBound, Application, \"\"),\r\n DstAppName = iff(not(isOutBound), Application, \"\"),\r\n SrcDvcId = iff(isOutBound, RemoteMachineID, \"\"),\r\n DstDvcId = iff(not(isOutBound), RemoteMachineID, \"\"),\r\n SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\r\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\r\n DstUserId = 
iff(isOutBound, RemoteUserID, \"\"),\r\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\"),\r\n DstHostname = iff(isOutBound, \"\", DvcHostname),\r\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\r\n | project-away Application, RemoteMachineID, ProcessId, RemoteUserID\r\n // *************** Postfilterring *****************************************************************\r\n | where (isnull(dstportnumber) or DstPortNumber == dstportnumber )\r\n // *************** / Postfilterring *****************************************************************\r\n };\r\n//////////////////////////////////////////////////////\r\n// this query extract the data from WindowsEvent table\r\n//////////////////////////////////////////////////////\r\nlet WindowsFirewall_WindowsEvent=(starttime:datetime=datetime(null), endtime:datetime=datetime(null)\r\n, srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null)\r\n, hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false\r\n ){ \r\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\r\n WindowsEvent \r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\r\n | where (isnull(starttime) or TimeGenerated>=starttime) \r\n and (isnull(endtime) or TimeGenerated outputs both schemas as one normalized table\r\nunion isfuzzy=true\r\n WindowsFirewall_SecurityEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\r\n , WindowsFirewall_WindowsEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\r\n | extend \r\n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\r\n DvcOs = 'Windows',\r\n DstAppType = \"Process\",\r\n DstUserIdType = \"SID\",\r\n SrcAppType = \"Process\",\r\n SrcUserIdType = \"SID\",\r\n EventType = \"NetworkSession\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion=\"0.2.3\",\r\n EventCount=toint(1),\r\n EventVendor = \"Microsoft\",\r\n EventProduct = \"Windows Firewall\",\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\")\r\n // -- Aliases\r\n | extend \r\n Dvc = DvcHostname,\r\n Hostname = DvcHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Rule = tostring(NetworkRuleNumber),\r\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\r\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\r\n | lookup LayerCodeTable on LayerCode\r\n | lookup ProtocolTable on Protocol\r\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID, LayerRTID","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session ASIM filtering parser for Microsoft Windows Firewall.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"d3be83df-5cb8-50de-9621-8e57ad13d0b4","name":"_Im_NetworkSession_MicrosoftWindowsEventFirewallV04","body":"// Data tables for mapping raw values into string\r\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\r\n '%%14596', 'IP 
Packet',\r\n '%%14597', 'Transport',\r\n '%%14598', 'Forward',\r\n '%%14599', 'Stream',\r\n '%%14600', 'Datagram Data',\r\n '%%14601', 'ICMP Error',\r\n '%%14602', 'MAC 802.3',\r\n '%%14603', 'MAC Native',\r\n '%%14604', 'vSwitch',\r\n '%%14608', 'Resource Assignment',\r\n '%%14609', 'Listen',\r\n '%%14610', 'Receive/Accept',\r\n '%%14611', 'Connect',\r\n '%%14612', 'Flow Established',\r\n '%%14614', 'Resource Release',\r\n '%%14615', 'Endpoint Closure',\r\n '%%14616', 'Connect Redirect',\r\n '%%14617', 'Bind Redirect',\r\n '%%14624', 'Stream Packet'];\r\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\r\n 1, 'ICMP',\r\n 3, 'GGP',\r\n 6, 'TCP',\r\n 8, 'EGP',\r\n 12, 'PUP',\r\n 17, 'UDP',\r\n 20, 'HMP',\r\n 27, 'RDP',\r\n 46, 'RSVP',\r\n 47, 'PPTP data over GRE',\r\n 50, 'ESP',\r\n 51, 'AH',\r\n 66, 'RVD',\r\n 88, 'IGMP',\r\n 89, 'OSPF'];\r\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\r\n '%%14592', 'Inbound', false,\r\n '%%14593', 'Outbound', true,\r\n '%%14594', 'Forward',false,\r\n '%%14595', 'Bidirectional', false,\r\n '%%14609', 'Listen', false];\r\n///////////////////////////////////////////////////////\r\n// this query extract data fields from EventData column from SecurityEvent table\r\n///////////////////////////////////////////////////////\r\nlet WindowsFirewall_SecurityEvent=\r\n (starttime:datetime=datetime(null)\r\n , endtime:datetime=datetime(null)\r\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\r\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\r\n , ipaddr_has_any_prefix:dynamic=dynamic([])\r\n , dstportnumber:int=int(null)\r\n , hostname_has_any:dynamic=dynamic([])\r\n , dvcaction:dynamic=dynamic([])\r\n , eventresult:string='*'\r\n , disabled:bool=false\r\n )\r\n { \r\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let ip_any =set_union(srcipaddr_has_any_prefix, 
dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\r\n let SecurityEventProjected =\r\n SecurityEvent\r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\r\n ;\r\n // Event IDs between (5151 .. 5159)\r\n // will be extracting Event specific fields from 'EventData' field\r\n let SecurityEvent_5152 = \r\n SecurityEventProjected \r\n | where (isnull(starttime) or TimeGenerated>=starttime)\r\n and (isnull(endtime) or TimeGenerated'ProcessId:string''\r\n '\\x0d\\x0a 'Application''\r\n '\\x0d\\x0a 'DirectionCode''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'DstIpAddr''\r\n '\\x0d\\x0a 'DstPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''*\r\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\r\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | project-away temp_*, EventData\r\n ;\r\n let SecurityEvent_5154_5155_5158_5159 =\r\n SecurityEventProjected \r\n | where (isnull(starttime) or TimeGenerated>=starttime)\r\n and (isnull(endtime) or TimeGenerated'ProcessId:string'' \r\n '\\x0d\\x0a 'Application:string''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''*\r\n | extend DirectionCode = \"%%14609\"\r\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\r\n , temp_isDstMatch=false\r\n | 
extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | project-away temp_* , EventData\r\n ;\r\n let SecurityEvent_5156_5157 =\r\n SecurityEventProjected \r\n | where (isnull(starttime) or TimeGenerated>=starttime)\r\n and (isnull(endtime) or TimeGenerated=starttime)\r\n and (isnull(endtime) or TimeGenerated 5156)\r\n )\r\n and (array_length(hostname_has_any)==0 )\r\n and (eventresult=='*' or EventResult==eventresult) \r\n // *************** / Prefilterring *****************************************************************\r\n | parse EventData with * ''ProcessId:string''\r\n '\\x0d\\x0a 'Application:string''\r\n '\\x0d\\x0a 'DirectionCode:string''\r\n '\\x0d\\x0a 'SrcIpAddr:string''\r\n '\\x0d\\x0a 'SrcPortNumber:int''\r\n '\\x0d\\x0a 'DstIpAddr:string''\r\n '\\x0d\\x0a 'DstPortNumber:int''\r\n '\\x0d\\x0a 'Protocol:int''\r\n '\\x0d\\x0a 'NetworkRuleNumber:int''\r\n '\\x0d\\x0a 'LayerCode''\r\n '\\x0d\\x0a 'LayerRTID''\r\n '\\x0d\\x0a 'RemoteUserID:string''\r\n '\\x0d\\x0a 'RemoteMachineID:string''*\r\n | project-away EventData\r\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\r\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\r\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \r\n , temp_isSrcMatch, \"SrcIpAddr\"\r\n , temp_isDstMatch, \"DstIpAddr\"\r\n , \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | project-away temp_*\r\n ;\r\n union 
SecurityEvent_5154_5155_5158_5159, SecurityEvent_5156_5157, SecurityEvent_5152\r\n | lookup Directions on DirectionCode\r\n | project-rename DvcHostname = Computer\r\n | extend\r\n SrcAppName = iff(isOutBound, Application, \"\"),\r\n DstAppName = iff(not(isOutBound), Application, \"\"),\r\n SrcDvcId = iff(isOutBound, RemoteMachineID, \"\"),\r\n DstDvcId = iff(not(isOutBound), RemoteMachineID, \"\"),\r\n SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\r\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\r\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\r\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\"),\r\n DstHostname = iff(isOutBound, \"\", DvcHostname),\r\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\r\n | project-away Application, RemoteMachineID, ProcessId, RemoteUserID\r\n // *************** Postfilterring *****************************************************************\r\n | where (isnull(dstportnumber) or DstPortNumber == dstportnumber )\r\n // *************** / Postfilterring *****************************************************************\r\n };\r\n//////////////////////////////////////////////////////\r\n// this query extract the data from WindowsEvent table\r\n//////////////////////////////////////////////////////\r\nlet WindowsFirewall_WindowsEvent=(starttime:datetime=datetime(null), endtime:datetime=datetime(null)\r\n, srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null)\r\n, hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false\r\n ){ \r\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\r\n WindowsEvent \r\n | project EventID, EventData, 
Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\r\n | where (isnull(starttime) or TimeGenerated>=starttime) \r\n and (isnull(endtime) or TimeGenerated outputs both schemas as one normalized table\r\nunion isfuzzy=true\r\n WindowsFirewall_SecurityEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\r\n , WindowsFirewall_WindowsEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\r\n | extend \r\n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\r\n DvcOs = 'Windows',\r\n DstAppType = \"Process\",\r\n SrcUserIdType = iff (SrcUserId \"S-1-0-0\", \"SID\", \"\"),\r\n SrcUserId = iff (SrcUserId \"S-1-0-0\", SrcUserId, \"\"),\r\n DstUserIdType = iff (DstUserId \"S-1-0-0\", \"SID\", \"\"),\r\n DstUserId = iff (DstUserId \"S-1-0-0\", DstUserId, \"\"),\r\n SrcAppType = \"Process\",\r\n EventType = \"NetworkSession\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion=\"0.2.3\",\r\n EventCount=toint(1),\r\n EventVendor = \"Microsoft\",\r\n EventProduct = \"Windows Firewall\",\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\")\r\n // -- Aliases\r\n | extend \r\n Dvc = DvcHostname,\r\n Hostname = DvcHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Rule = tostring(NetworkRuleNumber),\r\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\r\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\r\n | lookup LayerCodeTable on LayerCode\r\n | lookup ProtocolTable on Protocol\r\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID, LayerRTID","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), 
srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session ASIM filtering parser for Microsoft Windows Firewall.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"bbe13f75-3038-553f-b8bf-7c479bc22d04","name":"_Im_NetworkSession_MicrosoftWindowsEventFirewallV05","body":"// Data tables for mapping raw values into string\r\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\r\n '%%14596', 'IP Packet',\r\n '%%14597', 'Transport',\r\n '%%14598', 'Forward',\r\n '%%14599', 'Stream',\r\n '%%14600', 'Datagram Data',\r\n '%%14601', 'ICMP Error',\r\n '%%14602', 'MAC 802.3',\r\n '%%14603', 'MAC Native',\r\n '%%14604', 'vSwitch',\r\n '%%14608', 'Resource Assignment',\r\n '%%14609', 'Listen',\r\n '%%14610', 'Receive/Accept',\r\n '%%14611', 'Connect',\r\n '%%14612', 'Flow Established',\r\n '%%14614', 'Resource Release',\r\n '%%14615', 'Endpoint Closure',\r\n '%%14616', 'Connect Redirect',\r\n '%%14617', 'Bind Redirect',\r\n '%%14624', 'Stream Packet'];\r\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\r\n 1, 'ICMP',\r\n 3, 'GGP',\r\n 6, 'TCP',\r\n 8, 'EGP',\r\n 12, 'PUP',\r\n 17, 'UDP',\r\n 20, 'HMP',\r\n 27, 'RDP',\r\n 46, 'RSVP',\r\n 47, 'PPTP data over GRE',\r\n 50, 'ESP',\r\n 51, 'AH',\r\n 66, 'RVD',\r\n 88, 'IGMP',\r\n 89, 'OSPF'];\r\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\r\n '%%14592', 'Inbound', false,\r\n '%%14593', 'Outbound', true,\r\n '%%14594', 'Forward',false,\r\n '%%14595', 'Bidirectional', false,\r\n '%%14609', 'Listen', false];\r\n//////////////////////////////////////////////////////\r\n// this query extract the data from WindowsEvent 
table\r\n//////////////////////////////////////////////////////\r\nlet parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null)\r\n, srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null)\r\n, hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false)\r\n{\r\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\r\n WindowsEvent \r\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\r\n | where (isnull(starttime) or TimeGenerated>=starttime) \r\n and (isnull(endtime) or TimeGenerated \"S-1-0-0\", \"SID\", \"\"),\r\n SrcUserId = iff (SrcUserId \"S-1-0-0\", SrcUserId, \"\"),\r\n DstUserIdType = iff (DstUserId \"S-1-0-0\", \"SID\", \"\"),\r\n DstUserId = iff (DstUserId \"S-1-0-0\", DstUserId, \"\"),\r\n SrcAppType = \"Process\",\r\n EventType = \"NetworkSession\",\r\n EventSchema = \"NetworkSession\",\r\n EventSchemaVersion=\"0.2.3\",\r\n EventCount=toint(1),\r\n EventVendor = \"Microsoft\",\r\n EventProduct = \"Windows Firewall\",\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\")\r\n // -- Aliases\r\n | extend \r\n Dvc = DvcHostname,\r\n Hostname = DvcHostname,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n Rule = tostring(NetworkRuleNumber),\r\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\r\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\r\n | lookup LayerCodeTable on LayerCode\r\n | lookup ProtocolTable on Protocol\r\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, 
EventID,_ResourceId,_SubscriptionId\r\n };\r\n parser(\r\n starttime=starttime, \r\n endtime=endtime, \r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \r\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \r\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\r\n dstportnumber=dstportnumber,\r\n hostname_has_any=hostname_has_any, \r\n dvcaction=dvcaction,\r\n eventresult=eventresult, \r\n disabled=disabled)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session ASIM filtering parser for Microsoft Windows Firewall.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"8028ab03-8201-5a4f-9972-89356634aa79","name":"_Im_NetworkSession_NTANetAnalyticsV01","body":"let parser = (\r\n disabled: bool = false,\r\n starttime: datetime = datetime(null),\r\n endtime: datetime = datetime(null),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n dstipaddr_has_any_prefix: dynamic = dynamic([]),\r\n ipaddr_has_any_prefix: dynamic = dynamic([]),\r\n dstportnumber: int = int(null),\r\n hostname_has_any: dynamic = dynamic([]),\r\n dvcaction: dynamic = dynamic([]),\r\n eventresult: string = \"*\"\r\n) {\r\n// Pre-filter: Check if parser is disabled\r\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\r\nlet DvcActionLookup=datatable(FlowStatus:string, DvcAction:string, EventResult: string, EventSeverity: string)\r\n[\r\n \"Allowed\", \"Allow\", \"Success\", \"Informational\",\r\n \"Denied\", \"Deny\", \"Failure\", \"Low\",\r\n];\r\nlet 
ProtocolLookup=datatable(L4Protocol:string, NetworkProtocol:string)\r\n[\r\n \"T\", \"TCP\",\r\n \"U\", \"UDP\",\r\n \"TCP\", \"TCP\",\r\n \"UDP\", \"UDP\",\r\n \"ICMP\", \"ICMP\",\r\n];\r\nNTANetAnalytics\r\n| where not(disabled)\r\n// Pre-filter Time\r\n| where isnull(starttime) or FlowStartTime >= starttime\r\n| where isnull(endtime) or FlowStartTime = 7 // Max string length of a IPv4 address is 7 (1.2.3.4)\r\n | summarize DestPublicIpsList = make_list(Ips)\r\n)\r\n| extend SrcPublicIpsList = split(replace_string(SrcPublicIps, \" \", \"|\"), \"|\")\r\n| mv-apply Ips = SrcPublicIpsList to typeof(string) on (\r\n extend length = strlen(Ips)\r\n | where length >= 7 // Max string length of a IPv4 address is 7 (1.2.3.4)\r\n | summarize SrcPublicIpsList = make_list(Ips)\r\n)\r\n| extend AdditionalFields = bag_pack(\r\n \"SrcIpAddresses\", SrcPublicIpsList,\r\n \"DstIpAddresses\", DestPublicIpsList)\r\n| extend\r\n SrcIpAddr = iff(isnotempty(SrcIp), SrcIp, SrcPublicIpsList[0]),\r\n DstIpAddr = iff(isnotempty(DestIp), DestIp, DestPublicIpsList[0])\r\n| extend \r\n NetworkPackets = SrcPackets + DstPackets,\r\n NetworkBytes = SrcBytes + DstBytes,\r\n EventOriginalResultDetails = case(\r\n FlowType == \"Malicious\", \"Malicious\",\r\n FlowType == \"Unknown\", \"Unknown\",\r\n FlowType == \"Unknown Private\", \"Unknown\",\r\n \"\"),\r\n DstHostname = coalesce(DstHostname, DstIpAddr),\r\n SrcHostname = coalesce(SrcHostname, SrcIpAddr),\r\n NetworkApplicationProtocol = toupper(L7Protocol),\r\n Src = coalesce(SrcHostname, SrcIpAddr),\r\n Dst = coalesce(DstHostname, DstIpAddr),\r\n DstDvcScopeId = DstSubscriptionId,\r\n SrcDvcScopeId = SrcSubscriptionId,\r\n SrcZone = case(\r\n FlowType == \"IntraVNet\", \"Internal\",\r\n FlowType == \"ExternalPublic\", \"Internet\",\r\n FlowType == \"AzurePublic\", \"Azure\",\r\n FlowType == \"InterVNet\", \"Internal\",\r\n FlowType == \"S2S\", \"S2S\",\r\n FlowType == \"P2S\", \"P2S\",\r\n \"Unknown\"\r\n ),\r\n DstDvcId = 
case(NetworkDirection == \"Inbound\", TargetResourceId, \"\"),\r\n DstDvcIdType = case(NetworkDirection == \"Inbound\", \"AzureResourceId\", \"\"),\r\n SrcDvcId = case(NetworkDirection == \"Outbound\", TargetResourceId, \"\"),\r\n SrcDvcIdType = case(NetworkDirection == \"Outbound\", \"AzureResourceId\", \"\"),\r\n DstMacAddr = case(NetworkDirection == \"Inbound\", MacAddress, \"\"),\r\n SrcMacAddr = case(NetworkDirection == \"Outbound\", MacAddress, \"\"),\r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr\r\n| project \r\n EventStartTime,\r\n EventEndTime,\r\n EventSchema,\r\n TimeGenerated,\r\n AdditionalFields,\r\n SrcIpAddr,\r\n DstIpAddr,\r\n SrcHostname,\r\n DstHostname,\r\n DstPortNumber,\r\n NetworkDirection,\r\n SrcSubscriptionId,\r\n DstSubscriptionId,\r\n DstDvcScopeId,\r\n DstDvcScope = DstSubscriptionId,\r\n SrcDvcScopeId,\r\n SrcDvcScope = SrcSubscriptionId,\r\n SrcInterfaceName,\r\n DstInterfaceName,\r\n SrcGeoCountry,\r\n DstPackets,\r\n SrcPackets,\r\n NetworkPackets,\r\n DstBytes,\r\n SrcBytes,\r\n NetworkBytes,\r\n NetworkRuleName,\r\n Type,\r\n EventUid,\r\n ASimMatchingIpAddr,\r\n ASimMatchingHostname,\r\n DvcAction,\r\n EventResult,\r\n EventSeverity,\r\n SrcPortNumber,\r\n NetworkProtocol,\r\n EventCount,\r\n EventType,\r\n EventSchemaVersion,\r\n EventProduct,\r\n EventVendor,\r\n Dvc,\r\n NetworkApplicationProtocol,\r\n Src,\r\n Dst,\r\n DstMacAddr,\r\n SrcMacAddr,\r\n Hostname,\r\n IpAddr,\r\n DstDvcId,\r\n DstDvcIdType,\r\n SrcDvcId,\r\n SrcDvcIdType,\r\n SrcZone\r\n};\r\nparser (\r\n starttime=starttime, \r\n endtime=endtime, \r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \r\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \r\n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \r\n dstportnumber=dstportnumber, \r\n hostname_has_any=hostname_has_any, \r\n dvcaction=dvcaction,\r\n eventresult=eventresult,\r\n disabled=disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), 
srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session ASIM filtering parser for NTANetAnalytics.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"c2d9e50d-0cdd-593e-9a14-f2d2f1cca848","name":"_Im_NetworkSession_NativeV01","body":"let parser = (\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null), \r\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \r\n dstipaddr_has_any_prefix:dynamic=dynamic([]), \r\n ipaddr_has_any_prefix:dynamic=dynamic([]), \r\n dstportnumber:int=int(null), \r\n hostname_has_any:dynamic=dynamic([]), \r\n dvcaction:dynamic=dynamic([]), \r\n eventresult:string='*', \r\n disabled:bool=false)\r\n{\r\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\r\n ASimNetworkSessionLogs \r\n | where (isnull(starttime) or TimeGenerated>=starttime)\r\n and (isnull(endtime) or TimeGenerated=starttime)\r\n and (isnull(endtime) or TimeGenerated=starttime)\r\n and (isnull(endtime) or TimeGenerated=starttime)\r\n and (isnull(endtime) or TimeGenerated=starttime)\r\n and (isnull(endtime) or TimeGenerated=starttime)\r\n and (isnull(endtime) or TimeGenerated= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime) and (isnull(endtime) or TimeGenerated 8, \"High\"\r\n , \"\"\r\n )\r\n| extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\r\n , DestinationIP has \":\", \"IPv6\"\r\n , \"\"\r\n )\r\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), 
toupper(trim_end(@\"/.*\", Protocol))))\r\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\r\n , EventOriginalType = DeviceEventClassID\r\n| project-rename\r\n DstMacAddr = DestinationMACAddress\r\n , SrcMacAddr = SourceMACAddress\r\n , DstIpAddr = DestinationIP\r\n , SrcIpAddr = SourceIP\r\n , DstPortNumber = DestinationPort\r\n , SrcPortNumber = SourcePort\r\n , EventMessage = Activity\r\n , sosEventMessageDetail = Message\r\n , EventProductVersion = DeviceVersion\r\n , sosSerialNumber = Computer\r\n , DvcOutboundInterface = DeviceOutboundInterface\r\n , DvcInboundInterface = DeviceInboundInterface\r\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\r\n , sosCFSFullString = Reason // CFS Category ID and Name\r\n , NetworkRuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\r\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\r\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\r\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\r\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\r\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\r\n , sosSourceZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\r\n , sosDestinationZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) 
on Gen6.\r\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\r\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\r\n , NetworkIcmpType = FieldDeviceCustomNumber1 // ICMP Type\r\n , NetworkIcmpCode = FieldDeviceCustomNumber2 // ICMP Code\r\n , SrcUsername = SourceUserName\r\n , ThreatOriginalConfidence = ThreatConfidence\r\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\r\n gcat == 2, \"Log (2)\",\r\n gcat == 3, \"Security Services (3)\",\r\n gcat == 4, \"Users (4)\",\r\n gcat == 5, \"Firewall Settings (5)\",\r\n gcat == 6, \"Network (6)\",\r\n gcat == 7, \"VPN (7)\",\r\n gcat == 8, \"High Availability (8)\",\r\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\r\n gcat == 10, \"Firewall (10)\",\r\n gcat == 11, \"Wireless (11)\",\r\n gcat == 12, \"VoIP (12)\",\r\n gcat == 13, \"SSL VPN (13)\",\r\n gcat == 14, \"Anti-Spam (14)\",\r\n gcat == 15, \"WAN Acceleration (15)\",\r\n gcat == 16, \"Object (16)\",\r\n gcat == 17, \"SD-WAN (17)\",\r\n gcat == 18, \"Multi-Instance (18)\",\r\n gcat == 19, \"Unified Policy Engine (19)\",\r\n \"Log Category Not Mapped\"\r\n )\r\n| extend sosLegacyMessageCategory = case(DeviceEventCategory == 0, \"None (0)\",\r\n DeviceEventCategory == 1, \"System Maintenance (1)\",\r\n DeviceEventCategory == 2, \"System Errors (2)\",\r\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\r\n DeviceEventCategory == 8, \"Blocked Java Etc. 
(8)\",\r\n DeviceEventCategory == 16, \"User Activity (16)\",\r\n DeviceEventCategory == 32, \"Attacks (32)\",\r\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\r\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\r\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\r\n DeviceEventCategory == 512, \"Network Debug (512)\",\r\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\r\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\r\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\r\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\r\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\r\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\r\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\r\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\r\n DeviceEventCategory == 524288, \"System Environment (524288)\",\r\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\r\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\r\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\r\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\r\n \"Legacy Category Not Mapped\"\r\n )\r\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\r\n ipspri == 2, \"Medium (2)\",\r\n ipspri == 3, \"Low (3)\",\r\n \"\"\r\n )\r\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\r\n spypri == 2, \"Medium (2)\",\r\n spypri == 3, \"Low (3)\",\r\n \"\"\r\n )\r\n| extend\r\n EventVendor = \"SonicWall\"\r\n , EventProduct = \"Firewall\"\r\n , DvcOs = \"SonicOS\"\r\n , DvcOsVersion = EventProductVersion\r\n , DvcIdType = \"Other\"\r\n , Dvc = sosSerialNumber\r\n , DvcDescription = DeviceProduct\r\n , NetworkIcmpType = tostring(NetworkIcmpType)\r\n , NetworkIcmpCode = toint(NetworkIcmpCode)\r\n , Rule = NetworkRuleName\r\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + 
coalesce(toint(SentBytes), 0))\r\n , sosIPSFullString = ipscat\r\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\r\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\r\n , FileSize = tolong(coalesce(FileSize, long(null)))\r\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\r\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\r\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\r\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\r\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\r\n , SrcZone = sosSourceZone\r\n , DstZone = sosDestinationZone\r\n , EventOriginalSeverity = LogSeverity\r\n , Dst = DstIpAddr\r\n , Src = SrcIpAddr\r\n , IpAddr = SrcIpAddr\r\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\r\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\r\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\r\n , EventStartTime = coalesce(todatetime(StartTime), TimeGenerated)\r\n , EventEndTime = coalesce(todatetime(EndTime), TimeGenerated)\r\n , EventType = \"NetworkSession\"\r\n , EventSchemaVersion = \"0.2.6\"\r\n , EventSchema = \"NetworkSession\"\r\n , EventCount = toint(1)\r\n , EventUid = _ItemId\r\n , EventResultDetails = \"NA\"\r\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\r\n| extend\r\n SrcUsername = coalesce(susr, SrcUsername)\r\n , FileName = coalesce(FileName, sosAppControlFileName)\r\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\r\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has 
\".255\"), \"Inbound\"\r\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\r\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\r\n , SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\r\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\r\n , DstZone == \"MULTICAST\", \"NA\"\r\n , DstZone == \"WAN\", \"Outbound\"\r\n , \"Local\"\r\n )\r\n| extend\r\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\r\n SrcUsername has \"\\\\\", \"Windows\",\r\n SrcUsername has \"@\", \"UPN\",\r\n SrcUsername == \"Unknown (external IP)\", \"\",\r\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\r\n isnotempty(SrcUsername), \"Simple\",\r\n \"\"\r\n )\r\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\r\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\r\n , \"\"\r\n )\r\n| extend\r\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\r\n , ThreatField == \"DstIpAddr\", DstIpAddr\r\n , \"\"\r\n )\r\n| extend\r\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\r\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\r\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\r\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\r\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\r\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\r\n| extend\r\n SrcAppType = case(isempty(SrcAppName), \"\"\r\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\r\n , DstAppType = case(isempty(DstAppName), \"\"\r\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\r\n| project-rename\r\n sosReceivedPackets = DeviceCustomNumber1Label // 
DeviceCustomNumberXLabel (cnXLabel=)\r\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\r\n| extend\r\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\r\n , NetworkDirection == \"Inbound\", tolong(sosSentPackets)\r\n , tolong(long(null))\r\n )\r\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\r\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\r\n , tolong(long(null))\r\n )\r\n| project-rename\r\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\r\n , sosUser = susr // Logged-in username associated with the log event.\r\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\r\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\r\n , sosAppRuleService = af_service // App Rule Service Name.\r\n , sosAppRuleType = af_type // App Rule Policy Type.\r\n , sosAppRuleObject = af_object // App Rule Object Name.\r\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\r\n , sosAppRuleAction = af_action\r\n , sosSourceIPv6Address = srcV6\r\n , sosDestinationIPv6Address = dstV6\r\n , sosAppFullString = appcat // The full \" -- \" string.\r\n , sosAppIDNumber = app // Numeric Application ID. Not the same as \"ApplicationProtocol\".\r\n , sosAppID = appid // Application ID from App Control\r\n , sosAppCategoryID = catid // Application Category ID\r\n , sosAppSignatureID = sid // Application Signature ID\r\n , sosIPSCategoryName = ipscat // IPS Category Name\r\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\r\n , sosURLPathName = arg // URL. Represents the URL path name.\r\n , sosFileIdentifier = fileid // File hash or URL\r\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. 
Applies only to Connection Closed messages.\r\n , DstNatPortNumber = dnpt\r\n , SrcNatPortNumber = snpt\r\n , sosBladeID = bid // Blade ID\r\n , sosUUID = uuid\r\n , sosFileName = FileName\r\n , DvcOriginalAction = fw_action\r\n| extend\r\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\r\n , ThreatId = coalesce(sosAppSignatureID, \"\")\r\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\r\n , DstNatPortNumber = toint(DstNatPortNumber)\r\n , SrcNatPortNumber = toint(SrcNatPortNumber)\r\n| extend AdditionalFields = bag_pack(\r\n \"AppRulePolicyId\", sosAppRulePolicyId\r\n , \"AppRulePolicyName\", sosAppRulePolicyName\r\n , \"AppRuleService\", sosAppRuleService\r\n , \"AppRuleType\", sosAppRuleType\r\n , \"AppRuleObject\", sosAppRuleObject\r\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\r\n , \"AppRuleAction\", sosAppRuleAction\r\n , \"AppID\", sosAppID\r\n , \"AppCategoryID\", sosAppCategoryID\r\n , \"IPSCategoryName\", sosIPSCategoryName\r\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\r\n , \"FileIdentifier\", sosFileIdentifier\r\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\r\n , \"BladeID\", sosBladeID\r\n , \"UUID\", sosUUID\r\n , \"FileName\", sosFileName\r\n , \"FileSize\", FileSize\r\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\r\n , \"CFSCategoryID\", sosCFSCategoryID\r\n , \"CFSCategoryName\", sosCFSCategoryName\r\n , \"CFSPolicyName\", sosCFSPolicyName\r\n , \"AppControlFileName\", sosAppControlFileName\r\n , \"IPSFullString\", sosIPSFullString\r\n , \"IPSSignatureName\", sosIPSSignatureName\r\n , \"LegacyMessageCategory\", sosLegacyMessageCategory\r\n , \"LogMsgCategory\", sosLogMsgCategory\r\n , \"LogMsgNote\", sosLogMsgNote\r\n , \"LogMsgSeverity\", sosLogMsgSeverity\r\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\r\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\r\n , \"EventMessageDetail\", sosEventMessageDetail\r\n , \"UserSessionType\", 
sosUserSessionType\r\n )\r\n| project-away\r\n DeviceEventCategory\r\n , gcat\r\n , RequestMethod\r\n , ipspri\r\n , spypri\r\n , sos*\r\n , RequestURL\r\n , Protocol\r\n , appName\r\n , AdditionalExtensions\r\n , Flex*\r\n , Indicator*\r\n , Malicious*\r\n , Field*\r\n , DeviceCustom*\r\n , Old*\r\n , File*\r\n , Source*\r\n , Destination*\r\n , Device*\r\n , SimplifiedDeviceAction\r\n , ExternalID\r\n , ExtID\r\n , TenantId\r\n , ProcessName\r\n , ProcessID\r\n , ExtID\r\n , OriginalLogSeverity\r\n , LogSeverity\r\n , EventOutcome\r\n , StartTime\r\n , EndTime\r\n , ReceiptTime\r\n , Remote*\r\n , ThreatDescription\r\n , ThreatSeverity\r\n , RequestContext\r\n , RequestCookies\r\n , CommunicationDirection\r\n , ReportReferenceLink\r\n , ReceivedBytes\r\n , SentBytes\r\n , _ResourceId\r\n , _ItemId\r\n| project-reorder\r\n TimeGenerated\r\n , EventVendor\r\n , EventProduct\r\n , DvcDescription\r\n , Dvc\r\n , DvcOs\r\n , DvcOsVersion\r\n};\r\nParser(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Network Session ASIM filtering parser for SonicWall firewalls.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"6f171db5-d77b-574f-8a92-2ef49c27dc84","name":"_Im_NetworkSession_VMConnectionV01","body":"let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity:string) [\r\n '', 'Informational', \r\n '0', 'Informational',\r\n '1', 'Low',\r\n '2', 'Medium',\r\n '3', 
'High'\r\n];\r\nlet parser = (\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null), \r\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \r\n dstipaddr_has_any_prefix:dynamic=dynamic([]), \r\n ipaddr_has_any_prefix:dynamic=dynamic([]), \r\n dstportnumber:int=int(null), \r\n hostname_has_any:dynamic=dynamic([]), \r\n dvcaction:dynamic=dynamic([]), \r\n eventresult:string='*', \r\n disabled:bool=false)\r\n{\r\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let outbound = \r\n VMConnection\r\n | where (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (endtime == datetime(null) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (endtime == datetime(null) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated =starttime)\r\n and (isnull(endtime) or TimeGenerated 1, resp_domain_s, ''),\r\n DstDomainType = iif (array_length(SplitRespDomain) > 1, 'FQDN', '')\r\n | extend\r\n DstHostname = case (\r\n resp_domain_s != \"\", tostring(SplitRespDomain[0]),\r\n DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\",\r\n DstDescription)\r\n | project-away SplitRespDomain\r\n | extend\r\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\r\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\r\n NetworkApplicationProtocol = toupper(service_s),\r\n NetworkProtocol = toupper(protoName_s),\r\n NetworkProtocolVersion = toupper(id_ip_ver_s),\r\n Dst = DstIpAddr,\r\n DstBytes = tolong(resp_ip_bytes_d),\r\n DstPackets = tolong(resp_pkts_d),\r\n DstPortNumber = toint(id_resp_p_d),\r\n DstVlanId = tostring(toint(resp_vlan_id_d)),\r\n EventCount = 
toint(1),\r\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\r\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\r\n EventProduct = 'Vectra Stream',\r\n EventResult = 'Success',\r\n EventSchema = 'NetworkSession',\r\n EventSchemaVersion='0.2.2',\r\n EventSeverity = 'Informational',\r\n EventStartTime = unixtime_milliseconds_todatetime(session_start_time_d),\r\n EventType = 'NetworkSession',\r\n EventVendor = 'Vectra AI',\r\n SrcBytes = tolong(orig_ip_bytes_d),\r\n SrcPackets = tolong(orig_pkts_d),\r\n SrcPortNumber = toint(id_orig_p_d),\r\n SrcVlanId = tostring(toint(orig_vlan_id_d)),\r\n // -- No ID mapped, since huid found not to be unique\r\n // SrcDvcIdType = 'VectraId',\r\n // DstDvcIdType = 'VectraId',\r\n DvcIdType = 'VectraId',\r\n NetworkDuration = toint(duration_d)\r\n | extend \r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr,\r\n // SessionId = NetworkSessionId,\r\n Src = SrcIpAddr,\r\n Dvc = DvcId,\r\n Duration = NetworkDuration,\r\n InnerVlanId = SrcVlanId,\r\n NetworkBytes = SrcBytes + DstBytes,\r\n NetworkPackets = SrcPackets + DstPackets,\r\n OuterVlanId = DstVlanId\r\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\r\n | lookup EventSubTypeLookup on conn_state_s\r\n // -- preserving non-normalized important fields\r\n | extend AdditionalFields = iff (\r\n pack, \r\n bag_pack (\r\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\r\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\r\n \"orig_sluid\", orig_sluid_s, \r\n \"resp_sluid\", resp_sluid_s,\r\n \"orig_huid\", orig_huid_s,\r\n \"resp_huid\", resp_huid_s,\r\n \"community_id\", community_id_s,\r\n \"resp_multihome\", resp_multihomed_b,\r\n \"host_multihomed\", host_multihomed_b,\r\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\r\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\r\n \"first_resp_orig_data_pkt_time\", 
unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\r\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\r\n ),\r\n dynamic([])\r\n )\r\n | project-away\r\n *_d, *_s, *_b, *_g, Computer\r\n};\r\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled, pack=pack)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), dstipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), dstportnumber:int = int(null), hostname_has_any:dynamic = dynamic([]), dvcaction:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false, pack:bool = false","description":"Network Session ASIM filtering parser for Vectra AI Streams.","related":{"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"3ce73260-a1e1-582d-a8fa-7e4c1fbb75af","name":"_Im_NetworkSession_WatchGuardFirewareOSV01","body":"let Parser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\r\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\r\n let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n let 
EventLookup=datatable(DvcAction:string,EventResult:string,EventSeverity:string)\r\n [\r\n \"Allow\",\"Success\",\"Informational\"\r\n , \"Deny\",\"Failure\",\"Low\"\r\n ];\r\n let SyslogParser = (Syslog:(SyslogMessage:string)) {\r\n Syslog\r\n | parse-kv SyslogMessage as (geo_src:string\r\n , geo_dst:string\r\n , src_user:string\r\n , dst_user:string\r\n , duration:int\r\n , sent_bytes:long\r\n , rcvd_bytes:long\r\n , fqdn_src_match:string\r\n , fqdn_dst_match:string) with (pair_delimiter=' ', kv_delimiter='=', quote='\"')\r\n | project-rename SrcGeoCountry = geo_src\r\n , DstGeoCountry = geo_dst\r\n , SrcUsername = src_user\r\n , DstUsername = dst_user\r\n , NetworkDuration = duration\r\n , SrcBytes = sent_bytes\r\n , DstBytes = rcvd_bytes\r\n , DstDomain = fqdn_dst_match\r\n , SrcDomain = fqdn_src_match\r\n | extend DstDomainType = iif(isnotempty(DstDomain),\"FQDN\",\"\")\r\n | extend SrcDomainType = iif(isnotempty(SrcDomain),\"FQDN\",\"\")\r\n | extend NetworkProtocol = extract(@\" (tcp|udp|icmp|igmp) \", 1, SyslogMessage)\r\n | extend SrcUsernameType = case(isempty(SrcUsername), \"\"\r\n , SrcUsername contains \"@\" , \"UPN\"\r\n , \"Simple\"\r\n )\r\n | extend DstUsernameType = case(isempty(DstUsername), \"\"\r\n , DstUsername contains \"@\" , \"UPN\"\r\n , \"Simple\"\r\n )\r\n | parse SyslogMessage with * \"repeated \" EventCount:int \" times\" *\r\n | extend EventCount = iif(isnotempty(EventCount), EventCount, toint(1))\r\n | project-away SyslogMessage\r\n };\r\n let IPParser = (T:(SrcIpAddr:string,DstIpAddr:string)){\r\n T\r\n | extend temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr,src_or_any)\r\n , temp_DstMatch = has_any_ipv4_prefix(DstIpAddr,dst_or_any)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\",\r\n temp_SrcMatch and temp_DstMatch, \"Both\",\r\n temp_SrcMatch, \"SrcIpAddr\",\r\n temp_DstMatch, \"DstIpAddr\",\r\n \"No match\"\r\n )\r\n | where ASimMatchingIpAddr != \"No match\" \r\n | 
project-away temp_*\r\n };\r\n let HostParser = (Syslog:(SrcDomain:string,DstDomain:string)){\r\n Syslog\r\n | extend temp_SrcMatch = SrcDomain has_any(hostname_has_any)\r\n , temp_DstMatch= DstDomain has_any(hostname_has_any)\r\n | extend ASimMatchingHostname =case(\r\n array_length(hostname_has_any) == 0, \"-\",\r\n temp_SrcMatch and temp_DstMatch, \"Both\",\r\n temp_SrcMatch, \"SrcDomain\",\r\n temp_DstMatch, \"DstDomain\",\r\n \"No match\"\r\n )\r\n | where ASimMatchingHostname != \"No match\" \r\n | project-away temp_*\r\n };\r\n let AllSyslog = \r\n Syslog\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated =starttime) \r\n and (isnull(endtime) or TimeGenerated=starttime) \r\n and (isnull(endtime) or TimeGenerated1')\r\n | parse SyslogMessage with \r\n *\r\n '' EventRecordId:int ''\r\n *\r\n '' SysmonComputer:string ''\r\n *\r\n ''RuleName // parsing the XML using the original fields name - for readability \r\n ''UtcTime\r\n '{'ProcessGuid\r\n '}'ProcessId:string\r\n ''Image\r\n ''FileVersion\r\n ''Description\r\n ''Product\r\n ''Company'' *\r\n | extend OriginalFileName = extract (@'\"OriginalFileName\">([^'CommandLine''\r\n ''CurrentDirectory\r\n ''User\r\n '{'LogonGuid\r\n '}'LogonId\r\n ''TerminalSessionId\r\n ''IntegrityLevel\r\n ''Hashes\r\n '{'ParentProcessGuid\r\n '}'ParentProcessId:string\r\n ''ParentImage\r\n ''ParentCommandLine ''*\r\n | parse SyslogMessage with *''ActorUsername '' *// this field appears in newer versions of Sysmon \r\n | extend TargetProcessSHA1=extract(@'SHA1=(\\w+)',1, tostring(Hashes)),\r\n TargetProcessSHA256=extract(@'SHA256=(\\w+)',1, tostring(Hashes)),\r\n TargetProcessIMPHASH=extract(@'IMPHASH=(\\w+)',1,tostring(Hashes)), // add to the empty schema + Excel file\r\n 
TargetProcessMD5=extract(@'MD5=(\\w+)',1, tostring(Hashes))\r\n // End of XML parse\r\n | project-away SyslogMessage, Hashes\r\n | extend \r\n EventType = \"ProcessCreated\",\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventCount = int(1),\r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventSchema = 'ProcessEvent',\r\n EventProduct = \"Sysmon for Linux\",\r\n EventResult = 'Success',\r\n EventOriginalUid = tostring(EventRecordId),\r\n DvcOs = \"Linux\",\r\n TargetUserSessionId = tostring(LogonId) , \r\n TargetUsernameType = \"Simple\",\r\n TargetUsername = User,\r\n TargetProcessCommandLine = CommandLine,\r\n TargetProcessCurrentDirectory = CurrentDirectory,\r\n ActorUsernameType = \"Simple\",\r\n EventOriginalType = '1' // Set with a constant value to avoid parsing\r\n | project-rename \r\n // EventMessage = RenderedDescription, // field not available in Linux\r\n DvcHostName = SysmonComputer, // Computer may be different than HostName, in which case HostIP may be incorrect. 
\r\n DvcIpAddr = HostIP, \r\n TargetUserSessionGuid = LogonGuid, \r\n TargetProcessId = ProcessId,\r\n TargetProcessGuid = ProcessGuid,\r\n TargetProcessName = Image,\r\n TargetProcessIntegrityLevel = IntegrityLevel,\r\n TargetProcessCompany = Company,\r\n TargetProcessFileDescription = Description,\r\n TargetProcessFileVersion = FileVersion,\r\n TargetProcessFileProduct = Product,\r\n ActingProcessId = ParentProcessId,\r\n ActingProcessGuid = ParentProcessGuid, \r\n ActingProcessCommandLine = ParentCommandLine,\r\n ActingProcessName = ParentImage\r\n | extend // aliases\r\n User = ActorUsername,\r\n Process = TargetProcessName,\r\n Dvc = DvcHostName,\r\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5) // which appears first - will be aliases to \"Hash\"\r\n | project-away\r\n ProcessName, ProcessID\r\n}; ParsedProcessEvent","parameters":"disabled:bool = false","description":"Process Create Event ASIM parser for Sysmon for Linux.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"254ced33-035d-5472-8a2e-7d4824d4fcab","name":"_ASim_ProcessEvent_CreateMicrosoftSecurityEventsV01","body":"let MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\r\n [\r\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\r\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\r\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\r\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\r\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\r\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\r\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\r\n ];\r\n// Source: 
https://support.microsoft.com/topic/0fdcaf87-ee5e-8929-e54c-65e04235a634\r\nlet KnownSIDs = datatable (sid:string, username:string, type:string)\r\n [\r\n 'S-1-5-18', 'Local System', 'Simple',\r\n 'S-1-0-0', 'Nobody', 'Simple'\r\n ];\r\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\r\n [\r\n 'User', 'Regular',\r\n 'Machine', 'Machine'\r\n ];\r\nlet parser=(disabled:bool=false){\r\nSecurityEvent\r\n| where not(disabled)\r\n// -- Filter\r\n| where EventID == 4688\r\n// -- Map\r\n| extend\r\n // Event\r\n EventCount = int(1),\r\n EventVendor = 'Microsoft',\r\n EventProduct = 'Security Events',\r\n EventSchemaVersion = '0.1.3',\r\n EventSchema = 'ProcessEvent',\r\n EventResult = 'Success',\r\n EventStartTime = todatetime(TimeGenerated),\r\n EventEndTime = todatetime(TimeGenerated),\r\n EventType = 'ProcessCreated',\r\n EventOriginalType = tostring(EventID),\r\n DvcOs = 'Windows'\r\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\r\n| extend\r\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount),\r\n ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\r\n| lookup KnownSIDs on $left.TargetUserSid == $right.sid\r\n| extend\r\n TargetUsername = iff (TargetUserName == \"-\", username, TargetAccount),\r\n TargetUsernameType = iff(TargetDomainName == '-',type, 'Windows')\r\n| lookup UserTypeLookup on AccountType\r\n| extend\r\n ActorUserIdType = 'SID',\r\n TargetUserIdType = 'SID',\r\n // Processes\r\n ActingProcessId = tostring(toint(ProcessId)),\r\n TargetProcessId = tostring(toint(NewProcessId)),\r\n TargetProcessCommandLine = CommandLine\r\n | project-rename\r\n DvcId = SourceComputerId,\r\n DvcHostname = Computer,\r\n ActingProcessName = ParentProcessName,\r\n TargetProcessName = NewProcessName,\r\n ActorDomainName = SubjectDomainName,\r\n ActorUserId = SubjectUserSid,\r\n ActorSessionId = SubjectLogonId,\r\n TargetUserId =TargetUserSid,\r\n TargetUserSessionId = TargetLogonId,\r\n EventOriginalUid = 
EventOriginId,\r\n TargetProcessTokenElevation = TokenElevationType\r\n | lookup MandatoryLabelLookup on MandatoryLabel\r\n // -- Aliases\r\n | extend\r\n User = TargetUsername,\r\n Dvc = DvcHostname,\r\n Process = TargetProcessName\r\n // -- Remove potentially confusing\r\n | project-keep Event*, Dvc*, Actor*, Target*, Acting*, User, Dvc, Process, CommandLine, TimeGenerated, Type, _ResourceId\r\n | project-away\r\n TargetDomainName,\r\n TargetUserName,\r\n TargetAccount,\r\n EventID\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Process Create Event ASIM parser for Windows Security Events.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"19c7a3a2-0074-56fd-8c77-01417d1b69a5","name":"_ASim_ProcessEvent_CreateMicrosoftSysmonV03","body":"let parser = (disabled:bool = false) {\r\n // this is the parser for sysmon from Event table\r\n let parser_Event = (disabled:bool=false) {\r\n Event \r\n | where not(disabled)\r\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==1\r\n | parse-kv EventData as (\r\n ProcessGuid:string, \r\n ProcessId:string,\r\n Image:string,\r\n FileVersion:string,\r\n Description:string,\r\n Product:string,\r\n Company:string,\r\n OriginalFileName:string,\r\n CommandLine:string,\r\n CurrentDirectory:string,\r\n User:string,\r\n LogonGuid:string, \r\n LogonId:string,\r\n IntegrityLevel:string,\r\n Hashes:string,\r\n ParentProcessGuid:string, \r\n ParentProcessId:string,\r\n ParentImage:string,\r\n ParentCommandLine:string,\r\n ParentUser:string\r\n ) \r\n with (regex=@'{?([^')\r\n | parse-kv Hashes as (MD5:string, SHA1:string, SHA256:string, IMPHASH:string) with (quote='\"')\r\n | extend\r\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\r\n | extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5),Hash)])\r\n | project-rename\r\n 
TargetProcessMD5 = MD5,\r\n TargetProcessSHA1 = SHA1,\r\n TargetProcessSHA256 = SHA256,\r\n TargetProcessIMPHASH = IMPHASH\r\n | project-away Hashes\r\n | extend \r\n TargetUsername = User,\r\n TargetProcessCommandLine = CommandLine\r\n | project-rename \r\n DvcHostname = Computer,\r\n TargetUserSessionGuid = LogonGuid,\r\n TargetProcessId = ProcessId,\r\n TargetUserSessionId = LogonId, \r\n TargetProcessGuid = ProcessGuid,\r\n TargetProcessName = Image,\r\n TargetProcessFilename = OriginalFileName,\r\n TargetProcessCurrentDirectory = CurrentDirectory,\r\n TargetProcessIntegrityLevel = IntegrityLevel, \r\n TargetProcessFileCompany = Company,\r\n TargetProcessFileDescription = Description,\r\n TargetProcessFileVersion = FileVersion,\r\n TargetProcessFileProduct = Product, \r\n ActingProcessId = ParentProcessId,\r\n ActingProcessGuid = ParentProcessGuid, \r\n ActingProcessCommandLine = ParentCommandLine,\r\n ActingProcessName = ParentImage,\r\n ActorUsername = ParentUser\r\n | extend \r\n TargetUsernameType = iff(isnotempty(TargetUsername),'Windows', ''),\r\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\r\n EventProduct = \"Sysmon\",\r\n // aliases\r\n Process = TargetProcessName,\r\n Dvc = DvcHostname\r\n | project-away EventData, ParameterXml, AzureDeploymentID, EventCategory, EventID, EventLevel, EventLevelName, TenantId, EventLog, MG, ManagementGroupName, Message, Role, SourceSystem, Source, UserName, RenderedDescription\r\n };\r\n // this is the parser for sysmon from WindowsEvent table\r\n let parser_WindowsEvent=(disabled:bool=false){\r\n WindowsEvent\r\n | where not(disabled)\r\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID==1\r\n | parse-kv tostring(EventData.Hashes) as (MD5:string, SHA1:string, SHA256:string, IMPHASH:string) with (quote='\"')\r\n | extend\r\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\r\n | extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", 
\"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5),Hash)])\r\n | project-rename\r\n TargetProcessMD5 = MD5,\r\n TargetProcessSHA1 = SHA1,\r\n TargetProcessSHA256 = SHA256,\r\n TargetProcessIMPHASH = IMPHASH\r\n | extend \r\n EventOriginalType = tostring(EventID),\r\n TargetUserSessionId = tostring(EventData.LogonId), \r\n TargetUsername = tostring(EventData.User),\r\n TargetProcessCommandLine = tostring(EventData.CommandLine),\r\n TargetProcessCurrentDirectory = tostring(EventData.CurrentDirectory),\r\n TargetUserSessionGuid = extract ('^{(.*)}$', 1, tostring(EventData.LogonGuid), typeof(string)),\r\n TargetProcessId = tostring(EventData.ProcessId),\r\n TargetProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\r\n TargetProcessName = tostring(EventData.Image),\r\n TargetProcessFilename = tostring(EventData.OriginalFileName),\r\n TargetProcessIntegrityLevel = tostring(EventData.IntegrityLevel),\r\n TargetProcessFileCompany = tostring(EventData.Company),\r\n TargetProcessFileDescription = tostring(EventData.Description),\r\n TargetProcessFileVersion = tostring(EventData.FileVersion),\r\n TargetProcessFileProduct = tostring(EventData.Product),\r\n ActingProcessId = tostring(EventData.ParentProcessId), \r\n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ParentProcessGuid), typeof(string)), \r\n ActingProcessCommandLine = tostring(EventData.ParentCommandLine),\r\n ActingProcessName = tostring(EventData.ParentImage),\r\n ActorUsername = tostring(EventData.ParentUser)\r\n | extend \r\n TargetUsernameType = iff(isnotempty(TargetUsername),'Windows', ''),\r\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\r\n EventProduct = \"Security Events\"\r\n | project-rename\r\n DvcHostname = Computer,\r\n EventOriginalUid = EventOriginId\r\n | extend // aliases \r\n Dvc = DvcHostname,\r\n User = TargetUsername,\r\n CommandLine = TargetProcessCommandLine,\r\n Process = TargetProcessName\r\n | 
project-away EventData, Provider, ManagementGroupName, RawEventData, SourceSystem, Task, TenantId, EventID, Data, Channel, EventLevel, EventLevelName\r\n }; \r\n union isfuzzy=true parser_Event(disabled=disabled), parser_WindowsEvent(disabled=disabled)\r\n | extend \r\n EventType = \"ProcessCreated\",\r\n EventOriginalType = \"1\",\r\n EventStartTime = todatetime(TimeGenerated),\r\n EventEndTime = todatetime(TimeGenerated),\r\n EventCount = int(1),\r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventSchema = 'ProcessEvent',\r\n EventProduct = \"Sysmon\",\r\n EventResult = 'Success',\r\n DvcOs = \"Windows\",\r\n TargetUsernameType = \"Windows\",\r\n ActorUsernameType = \"Windows\"\r\n };\r\n parser (disabled=disabled)","parameters":"disabled:bool = false","description":"Process Create Event ASIM parser for Sysmon.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"6278495d-5353-535f-bc22-88360e92c8c0","name":"_ASim_ProcessEvent_CreateMicrosoftSysmonV04","body":"let parser = (disabled: bool = false) {\r\n // this is the parser for sysmon from Event table\r\n let parser_Event =\r\n Event \r\n | where not(disabled)\r\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID == 1\r\n | parse-kv EventData as (\r\n ProcessGuid: string, \r\n ProcessId: string,\r\n Image: string,\r\n FileVersion: string,\r\n Description: string,\r\n Product: string,\r\n Company: string,\r\n OriginalFileName: string,\r\n CommandLine: string,\r\n CurrentDirectory: string,\r\n User: string,\r\n LogonGuid: string, \r\n LogonId: string,\r\n IntegrityLevel: string,\r\n Hashes: string,\r\n ParentProcessGuid: string, \r\n ParentProcessId: string,\r\n ParentImage: string,\r\n ParentCommandLine: string,\r\n ParentUser: string\r\n ) \r\n with (regex=@'{?([^')\r\n | parse-kv Hashes as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\r\n | extend\r\n Hash = coalesce 
(SHA256, SHA1, IMPHASH, MD5, \"\")\r\n | extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\r\n | project-rename\r\n TargetProcessMD5 = MD5,\r\n TargetProcessSHA1 = SHA1,\r\n TargetProcessSHA256 = SHA256,\r\n TargetProcessIMPHASH = IMPHASH\r\n | project-away Hashes\r\n | extend \r\n TargetUsername = User,\r\n TargetProcessCommandLine = CommandLine\r\n | project-rename \r\n DvcHostname = Computer,\r\n TargetUserSessionGuid = LogonGuid,\r\n TargetProcessId = ProcessId,\r\n TargetUserSessionId = LogonId, \r\n TargetProcessGuid = ProcessGuid,\r\n TargetProcessName = Image,\r\n TargetProcessFilename = OriginalFileName,\r\n TargetProcessCurrentDirectory = CurrentDirectory,\r\n TargetProcessIntegrityLevel = IntegrityLevel, \r\n TargetProcessFileCompany = Company,\r\n TargetProcessFileDescription = Description,\r\n TargetProcessFileVersion = FileVersion,\r\n TargetProcessFileProduct = Product, \r\n ActingProcessId = ParentProcessId,\r\n ActingProcessGuid = ParentProcessGuid, \r\n ActingProcessCommandLine = ParentCommandLine,\r\n ActingProcessName = ParentImage,\r\n ActorUsername = ParentUser\r\n | extend \r\n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\r\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\r\n EventProduct = \"Sysmon\",\r\n // aliases\r\n Process = TargetProcessName,\r\n Dvc = DvcHostname,\r\n EventUid = _ItemId\r\n | project-away\r\n EventData,\r\n ParameterXml,\r\n AzureDeploymentID,\r\n EventCategory,\r\n EventID,\r\n EventLevel,\r\n EventLevelName,\r\n TenantId,\r\n EventLog,\r\n MG,\r\n ManagementGroupName,\r\n Message,\r\n Role,\r\n SourceSystem,\r\n Source,\r\n UserName,\r\n RenderedDescription,\r\n _ResourceId,\r\n _ItemId\r\n | extend \r\n EventType = \"ProcessCreated\",\r\n EventOriginalType = \"1\",\r\n EventStartTime = todatetime(TimeGenerated),\r\n EventEndTime = todatetime(TimeGenerated),\r\n EventCount = 
int(1),\r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventSchema = 'ProcessEvent',\r\n EventProduct = \"Sysmon\",\r\n EventResult = 'Success',\r\n DvcOs = \"Windows\",\r\n TargetUsernameType = \"Windows\",\r\n ActorUsernameType = \"Windows\"\r\n ;\r\n parser_Event \r\n};\r\nparser (disabled=disabled)","parameters":"disabled:bool = false","description":"Process Create Event ASIM parser for Sysmon.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"bc0f4951-ac01-5f72-a974-0d3b042fd931","name":"_ASim_ProcessEvent_CreateMicrosoftSysmonWindowsEventV04","body":"let parser = (disabled: bool = false) {\r\n // this is the parser for sysmon from WindowsEvent table\r\n let parser_WindowsEvent=\r\n WindowsEvent\r\n | where not(disabled)\r\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 1\r\n | parse-kv tostring(EventData.Hashes) as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\r\n | extend\r\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\r\n | extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\r\n | project-rename\r\n TargetProcessMD5 = MD5,\r\n TargetProcessSHA1 = SHA1,\r\n TargetProcessSHA256 = SHA256,\r\n TargetProcessIMPHASH = IMPHASH\r\n | extend \r\n EventOriginalType = tostring(EventID),\r\n TargetUserSessionId = tostring(EventData.LogonId), \r\n TargetUsername = tostring(EventData.User),\r\n TargetProcessCommandLine = tostring(EventData.CommandLine),\r\n TargetProcessCurrentDirectory = tostring(EventData.CurrentDirectory),\r\n TargetUserSessionGuid = extract ('^{(.*)}$', 1, tostring(EventData.LogonGuid), typeof(string)),\r\n TargetProcessId = tostring(EventData.ProcessId),\r\n TargetProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\r\n TargetProcessName = 
tostring(EventData.Image),\r\n TargetProcessFilename = tostring(EventData.OriginalFileName),\r\n TargetProcessIntegrityLevel = tostring(EventData.IntegrityLevel),\r\n TargetProcessFileCompany = tostring(EventData.Company),\r\n TargetProcessFileDescription = tostring(EventData.Description),\r\n TargetProcessFileVersion = tostring(EventData.FileVersion),\r\n TargetProcessFileProduct = tostring(EventData.Product),\r\n ActingProcessId = tostring(EventData.ParentProcessId), \r\n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ParentProcessGuid), typeof(string)), \r\n ActingProcessCommandLine = tostring(EventData.ParentCommandLine),\r\n ActingProcessName = tostring(EventData.ParentImage),\r\n ActorUsername = tostring(EventData.ParentUser)\r\n | extend \r\n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\r\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\r\n EventProduct = \"Security Events\"\r\n | project-rename\r\n DvcHostname = Computer,\r\n EventOriginalUid = EventOriginId\r\n | extend // aliases \r\n Dvc = DvcHostname,\r\n User = TargetUsername,\r\n CommandLine = TargetProcessCommandLine,\r\n Process = TargetProcessName,\r\n EventUid = _ItemId\r\n | project-away\r\n EventData,\r\n Provider,\r\n ManagementGroupName,\r\n RawEventData,\r\n SourceSystem,\r\n Task,\r\n TenantId,\r\n EventID,\r\n Data,\r\n Channel,\r\n EventLevel,\r\n EventLevelName,\r\n Correlation,\r\n EventRecordId,\r\n Keywords,\r\n Opcode,\r\n SystemProcessId,\r\n SystemThreadId,\r\n SystemUserId,\r\n TimeCreated,\r\n Version,\r\n _ResourceId,\r\n _ItemId\r\n | extend \r\n EventType = \"ProcessCreated\",\r\n EventOriginalType = \"1\",\r\n EventStartTime = todatetime(TimeGenerated),\r\n EventEndTime = todatetime(TimeGenerated),\r\n EventCount = int(1),\r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventSchema = 'ProcessEvent',\r\n EventProduct = \"Sysmon\",\r\n EventResult = 'Success',\r\n DvcOs = \"Windows\",\r\n 
TargetUsernameType = \"Windows\",\r\n ActorUsernameType = \"Windows\";\r\n parser_WindowsEvent\r\n};\r\nparser (disabled=disabled)","parameters":"disabled:bool = false","description":"Process Create Event ASIM parser for Sysmon.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"7e5a666f-961c-55cb-9e4a-fdf89c099447","name":"_ASim_ProcessEvent_CreateMicrosoftWindowsEventsV03","body":"let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\r\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \r\n T \r\n | extend \r\n type = case (\r\n username == \"-\", \"\",\r\n domain == \"-\", \"Simple\",\r\n \"Windows\"\r\n ),\r\n username = case (\r\n username == \"-\", \"\",\r\n domain == '-', username,\r\n strcat(domain, @\"\\\" , username)\r\n )\r\n};\r\nlet MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\r\n[\r\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\r\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\r\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\r\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\r\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\r\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\r\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\r\n ];\r\nlet parser=(disabled:boolean=false){\r\nWindowsEvent\r\n| where not(disabled)\r\n| where EventID == 4688\r\n| project-rename\r\n DvcHostname = Computer\r\n| extend\r\n EventCount = int(1),\r\n EventVendor = 'Microsoft',\r\n EventProduct = 'Security Events',\r\n EventSchemaVersion = '0.1.0',\r\n EventSchema = 'ProcessEvent',\r\n EventResult = 
'Success',\r\n EventStartTime = todatetime(TimeGenerated),\r\n EventEndTime = todatetime(TimeGenerated),\r\n EventType = 'ProcessCreated',\r\n EventOriginalType = tostring(EventID),\r\n DvcOs = 'Windows'\r\n| extend \r\n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \r\n ActorUserId = tostring(EventData.SubjectUserSid)\r\n| extend\r\n ActorUserIdType = iff (ActorUserId \"S-1-0-0\", \"SID\", \"\"),\r\n ActorUserId = iff (ActorUserId \"S-1-0-0\", ActorUserId, \"\"), \r\n ActorUsernameType = \"Windows\",\r\n username = tostring(EventData.TargetUserName)\r\n| extend\r\n TargetUsername = iff(username == \"-\", ActorUsername, strcat(EventData.SubjectDomainName, @'\\', username)),\r\n TargetUserId = iff(username == \"-\", ActorUserId, tostring(EventData.TargetUserSid))\r\n| extend\r\n TargetUserIdType = iff (TargetUserId \"S-1-0-0\", \"SID\", \"\"),\r\n TargetUserId = iff (TargetUserId \"S-1-0-0\", TargetUserId, \"\"), \r\n TargetUsernameType = \"Windows\"\r\n| project-away\r\n username\r\n| extend \r\n TargetUserSid = TargetUserId,\r\n ActorUserSid = ActorUserId,\r\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId),\r\n TargetUserType = _ASIM_GetWindowsUserType(TargetUsername, TargetUserId)\r\n| extend\r\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\r\n TargetUserSessionId = tostring(toint(EventData.TargetLogonId)), \r\n // Processes \r\n ActingProcessId = tostring(toint(tolong(EventData.ProcessId))),\r\n ActingProcessName = tostring(EventData.ParentProcessName),\r\n TargetProcessId = tostring(toint(tolong(EventData.NewProcessId))),\r\n TargetProcessName = tostring(EventData.NewProcessName),\r\n TargetProcessCommandLine = tostring(EventData.CommandLine),\r\n TargetProcessTokenElevation = tostring(EventData.TokenElevationType),\r\n MandatoryLabel = tostring(EventData.MandatoryLabel)\r\n| extend \r\n ActingProcessFilename = ASIM_GetFilenamePart(ActingProcessName),\r\n TargetProcessFilename = 
ASIM_GetFilenamePart(TargetProcessName)\r\n| lookup MandatoryLabelLookup on MandatoryLabel\r\n// -- Aliases\r\n| extend\r\n User = TargetUsername,\r\n Dvc = DvcHostname,\r\n Process = TargetProcessName,\r\n CommandLine = TargetProcessCommandLine\r\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId\r\n}; \r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Process Create Event ASIM parser for WEF Security Events.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"de7edaa1-fac2-506c-98d7-1dbf1257755a","name":"_ASim_ProcessEvent_CreateTrendMicroVisionOneV01","body":"let GetFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\r\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\r\n \"low\", \"Low\",\r\n \"medium\", \"Medium\",\r\n \"high\", \"High\",\r\n \"info\", \"Informational\",\r\n \"critical\", \"High\"\r\n];\r\nlet IntegrityLevelLookup = datatable(IntegrityLevel: real, IntegrityType: string)\r\n [\r\n 0, \"Untrusted\",\r\n 4096, \"Low\",\r\n 8192, \"Medium\",\r\n 12288, \"High\",\r\n 16384, \"System\"\r\n];\r\nlet parser = (disabled: bool=false) {\r\n TrendMicro_XDR_OAT_CL\r\n | where not(disabled)\r\n | where detail_eventId_s == \"TELEMETRY_PROCESS\"\r\n and detail_eventSubId_s has_any (\"TELEMETRY_PROCESS_CREATE\",\"TELEMETRY_PROCESS_LOAD_IMAGE\",\"TELEMETRY_PROCESS_OPEN\")\r\n | parse filters_s with * \"[\" filters: string \"]\"\r\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\r\n | extend\r\n ActingProcessId = tostring(toint(detail_processPid_d)),\r\n TargetProcessId = tostring(toint(detail_objectPid_d)),\r\n ParentProcessId = tostring(toint(detail_parentPid_d)),\r\n TargetProcessCreationTime = 
unixtime_milliseconds_todatetime(detail_objectLaunchTime_d),\r\n ActingProcessCreationTime = unixtime_milliseconds_todatetime(detail_processLaunchTime_d),\r\n ActingProcessFilename = GetFilenamePart(detail_processFilePath_s),\r\n ParentProcessCreationTime = unixtime_milliseconds_todatetime(detail_parentLaunchTime_d),\r\n ParentProcessName = detail_parentName_s,\r\n TargetProcessFilename = GetFilenamePart(detail_objectFilePath_s),\r\n ActingProcessFileSize = tolong(detail_processFileSize_d),\r\n TargetUserSessionId = tostring(toint(detail_objectAuthId_d)),\r\n ActorSessionId = tostring(toint(detail_authId_d)),\r\n TargetProcessMD5 = replace_string(detail_objectFileHashMd5_g, \"-\", \"\"),\r\n ActingProcessMD5 = replace_string(detail_processFileHashMd5_g, \"-\", \"\"),\r\n ParentProcessMD5 = replace_string(detail_parentFileHashMd5_g, \"-\", \"\"),\r\n TargetProcessCommandLine = replace_string(detail_objectCmd_s, '\"', ''),\r\n ActingProcessCommandLine = replace_string(detail_processCmd_s, '\"', ''),\r\n AdditionalFields = bag_pack(\r\n \"name\", name,\r\n \"tags\", detail_tags_s\r\n )\r\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\r\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\r\n | lookup IntegrityLevelLookup on $left.detail_parentIntegrityLevel_d == $right.IntegrityLevel\r\n | project-rename ParentProcessIntegrityLevel = IntegrityType\r\n | lookup IntegrityLevelLookup on $left.detail_objectIntegrityLevel_d == $right.IntegrityLevel\r\n | project-rename TargetProcessIntegrityLevel = IntegrityType\r\n | lookup IntegrityLevelLookup on $left.detail_integrityLevel_d == $right.IntegrityLevel\r\n | project-rename ActingProcessIntegrityLevel = IntegrityType\r\n | extend\r\n EventCount = int(1),\r\n EventProduct = \"Vision One\",\r\n EventResult = \"Success\",\r\n EventSchemaVersion = \"0.1.4\",\r\n EventType = \"ProcessCreated\",\r\n EventVendor = \"Trend Micro\",\r\n EventSchema = \"ProcessEvent\",\r\n DvcAction = \"Allowed\"\r\n | 
project-rename\r\n ActorUsername = detail_processUser_s,\r\n EventStartTime = detail_eventTimeDT_t,\r\n TargetProcessName = detail_objectName_s,\r\n TargetUsername = detail_objectUser_s,\r\n ActingProcessName = detail_processName_s,\r\n ActingProcessSHA1 = detail_processFileHashSha1_s,\r\n ActingProcessSHA256 = detail_processFileHashSha256_s,\r\n DvcId = detail_endpointGuid_g,\r\n DvcOs = detail_osName_s,\r\n DvcOsVersion = detail_osVer_s,\r\n EventOriginalSubType = detail_eventSubId_s,\r\n EventOriginalType = detail_eventId_s,\r\n EventOriginalUid = detail_uuid_g,\r\n EventOriginalSeverity = detail_filterRiskLevel_s,\r\n EventProductVersion = detail_pver_s,\r\n ParentProcessSHA1 = detail_parentFileHashSha1_s,\r\n ParentProcessSHA256 = detail_parentFileHashSha256_s,\r\n TargetProcessSHA1 = detail_objectFileHashSha1_s,\r\n TargetProcessSHA256 = detail_objectFileHashSha256_s,\r\n EventUid = _ItemId,\r\n EventMessage = description\r\n | extend \r\n Dvc = DvcHostname,\r\n EventEndTime = EventStartTime,\r\n CommandLine = TargetProcessCommandLine,\r\n Process = TargetProcessName,\r\n User = TargetUsername,\r\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5)\r\n | extend\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\r\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\r\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\r\n HashType = case(\r\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\r\n \"TargetProcessSHA256\",\r\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\r\n \"TargetProcessSHA1\",\r\n isnotempty(Hash) and isnotempty(TargetProcessMD5),\r\n \"TargetProcessMD5\",\r\n \"\"\r\n )\r\n | project-away\r\n *_d,\r\n *_s,\r\n *_g,\r\n *_t,\r\n *_b,\r\n _ResourceId,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n 
TenantId,\r\n filters,\r\n name\r\n};\r\nparser(disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"Process Create ASIM parser.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"12eb8e3f-749c-5427-a64f-e7a6af3faf0a","name":"_ASim_ProcessEvent_CreateVMwareCarbonBlackCloudV01","body":"let EventFieldsLookup = datatable(\r\n sensor_action_s: string,\r\n DvcAction: string,\r\n EventResult: string\r\n)[\r\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\r\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\r\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\r\n \"ACTION_BREAK\", \"Break\", \"Failure\",\r\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\r\n \"\", \"\", \"Success\"\r\n];\r\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\r\n [\r\n \"1\", 10,\r\n \"2\", 20,\r\n \"3\", 30,\r\n \"4\", 40,\r\n \"5\", 50,\r\n \"6\", 60,\r\n \"7\", 70,\r\n \"8\", 80,\r\n \"9\", 90,\r\n \"10\", 100\r\n];\r\nlet parser = (disabled: bool=false) {\r\n let CarbonBlackEventsSchema = datatable (\r\n eventType_s: string,\r\n childproc_pid_d: real,\r\n process_hash_s: string,\r\n parent_hash_s: string,\r\n childproc_hash_s: string,\r\n sensor_action_s: string,\r\n alert_id_g: string,\r\n event_id_g: string,\r\n createTime_s: string,\r\n process_pid_d: real,\r\n parent_pid_d: real,\r\n org_key_s: string,\r\n parent_cmdline_s: string,\r\n process_reputation_s: string,\r\n childproc_reputation_s: string,\r\n parent_reputation_s: string,\r\n process_guid_s: string,\r\n childproc_guid_s: string,\r\n parent_guid_s: string,\r\n process_username_s: string,\r\n target_cmdline_s: string,\r\n childproc_name_s: string,\r\n childproc_username_s: string,\r\n device_external_ip_s: string,\r\n device_group_s: string,\r\n process_cmdline_s: string,\r\n process_path_s: string,\r\n device_id_s: string,\r\n device_os_s: string,\r\n event_description_s: string,\r\n action_s: 
string,\r\n event_origin_s: string,\r\n parent_path_s: string,\r\n device_name_s: string\r\n)[];\r\n let CarbonBlackNotificationsSchema = datatable (\r\n type_s: string,\r\n threatInfo_incidentId_g: string,\r\n threatInfo_score_d: real,\r\n threatInfo_summary_s: string,\r\n threatInfo_time_d: real,\r\n threatInfo_threatCause_threatCategory_s: string,\r\n threatInfo_threatCause_causeEventId_g: string,\r\n ruleName_s: string,\r\n deviceInfo_deviceVersion_s: string,\r\n threatInfo_threatCause_originSourceType_s: string,\r\n threatInfo_threatCause_reputation_s: string,\r\n threatInfo_threatCause_reason_s: string,\r\n id_g: string,\r\n primary_event_id_g: string,\r\n threat_id_g: string\r\n)[];\r\n let processdata = union (CarbonBlackEvents_CL), (CarbonBlackEventsSchema)\r\n | where not(disabled)\r\n | where eventType_s == \"endpoint.event.procstart\" and isnotempty(childproc_pid_d)\r\n | parse process_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\r\n | parse parent_hash_s with * '[\"' ParentProcessMD5: string '\",\"' ParentProcessSHA256: string '\"]'\r\n | parse childproc_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\r\n | lookup EventFieldsLookup on sensor_action_s;\r\n let processdatawiththreat = processdata\r\n | where isnotempty(alert_id_g) and isnotempty(event_id_g)\r\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\r\n | where type_s == \"THREAT\"\r\n | project\r\n threatInfo_incidentId_g,\r\n threatInfo_score_d,\r\n threatInfo_summary_s,\r\n threatInfo_time_d,\r\n threatInfo_threatCause_threatCategory_s,\r\n threatInfo_threatCause_causeEventId_g,\r\n ruleName_s,\r\n deviceInfo_deviceVersion_s,\r\n threatInfo_threatCause_originSourceType_s,\r\n threatInfo_threatCause_reputation_s,\r\n threatInfo_threatCause_reason_s)\r\n on\r\n $left.alert_id_g == $right.threatInfo_incidentId_g,\r\n $left.event_id_g == 
$right.threatInfo_threatCause_causeEventId_g\r\n | join kind=leftouter (union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\r\n | where type_s == \"CB_ANALYTICS\"\r\n | project\r\n id_g,\r\n primary_event_id_g,\r\n deviceInfo_deviceVersion_s,\r\n threat_id_g,\r\n threatInfo_score_d,\r\n threatInfo_summary_s,\r\n threatInfo_threatCause_reason_s)\r\n on $left.alert_id_g == $right.id_g, $left.event_id_g == $right.primary_event_id_g\r\n | extend \r\n ThreatDescription = coalesce(threatInfo_summary_s, threatInfo_summary_s1),\r\n ThreatCategory = threatInfo_threatCause_threatCategory_s,\r\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\r\n RuleName = ruleName_s,\r\n AdditionalFields_threat = bag_pack(\r\n \"threatInfo_threatCause_reason\",\r\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\r\n \"threatInfo_threatCause_reputation\",\r\n threatInfo_threatCause_reputation_s,\r\n \"threatInfo_threatCause_originSourceType\",\r\n threatInfo_threatCause_originSourceType_s\r\n ),\r\n ThreatId = threat_id_g,\r\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\r\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\r\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence\r\n | extend Rule = RuleName;\r\n let processdatawithoutthreat = processdata\r\n | where isempty(alert_id_g) or isempty(event_id_g);\r\n union processdatawithoutthreat, processdatawiththreat\r\n | extend\r\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\r\n TargetProcessId = tostring(toint(childproc_pid_d)),\r\n ActingProcessId = tostring(toint(process_pid_d)),\r\n ParentProcessId = tostring(toint(parent_pid_d)),\r\n AdditionalFields_Common = bag_pack(\r\n \"org_key\",\r\n org_key_s,\r\n \"alert_id\",\r\n alert_id_g,\r\n \"parent_cmdline\",\r\n parent_cmdline_s,\r\n \"process_reputation\",\r\n process_reputation_s,\r\n 
\"childproc_reputation\",\r\n childproc_reputation_s,\r\n \"parent_reputation\",\r\n parent_reputation_s,\r\n \"process_guid\",\r\n process_guid_s,\r\n \"childproc_guid\",\r\n childproc_guid_s,\r\n \"parent_guid\",\r\n parent_guid_s\r\n )\r\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\r\n | project-rename \r\n ActorUsername = process_username_s,\r\n TargetProcessCommandLine = target_cmdline_s,\r\n TargetProcessName = childproc_name_s,\r\n TargetUsername = childproc_username_s,\r\n DvcIpAddr = device_external_ip_s,\r\n DvcScope = device_group_s,\r\n ActingProcessCommandLine = process_cmdline_s,\r\n ActingProcessName = process_path_s,\r\n DvcId = device_id_s,\r\n DvcOriginalAction = sensor_action_s,\r\n DvcOs = device_os_s,\r\n EventMessage = event_description_s,\r\n EventOriginalType = action_s,\r\n EventOriginalUid = event_id_g,\r\n EventOwner = event_origin_s,\r\n ParentProcessName = parent_path_s,\r\n EventUid = _ItemId\r\n | extend\r\n EventCount = int(1),\r\n EventProduct = \"Carbon Black Cloud\",\r\n EventSchemaVersion = \"0.1.4\",\r\n EventType = \"ProcessCreated\",\r\n EventVendor = \"VMware\",\r\n EventSchema = \"ProcessEvent\",\r\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common)\r\n | extend \r\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\r\n EventEndTime = EventStartTime,\r\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\r\n CommandLine = TargetProcessCommandLine,\r\n Process = TargetProcessName,\r\n User = TargetUsername,\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\r\n HashType = case(\r\n isnotempty(TargetProcessSHA256),\r\n \"TargetProcessSHA256\",\r\n isnotempty(TargetProcessMD5),\r\n \"TargetProcessMD5\",\r\n \"\"\r\n ),\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\r\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\")\r\n | 
project-away\r\n *_s,\r\n *_d,\r\n *_g,\r\n *_b,\r\n _ResourceId,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId,\r\n AdditionalFields_*\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Process Create ASIM parser for VMware Carbon Black Cloud.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"26baf752-5748-51f5-8eb7-83d85adf2cb8","name":"_ASim_ProcessEvent_MD4IoTV01","body":"let ProcessEvents_MD4IoT=()\r\n{\r\n SecurityIoTRawEvent | where not(disabled)\r\n | where RawEventName == \"Process\"\r\n | extend\r\n EventDetails = todynamic(EventDetails)\r\n | extend \r\n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\") // Intermediate fix\r\n | extend \r\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \r\n EventCount = toint(EventDetails.HitCount), \r\n EventProduct = 'Azure Defender for IoT', \r\n EventVendor = 'Microsoft', \r\n EventSchemaVersion = '0.1.0', \r\n EventSchema = 'ProcessEvent',\r\n EventStartTime = todatetime(EventDetails.TimestampUTC), \r\n EventEndTime = todatetime(TimeGenerated), \r\n EventType = iff (EventDetails.EventType == 'EXIT', 'ProcessTerminate', 'ProcessCreated'), \r\n EventSubType = tostring(EventDetails.EventType),\r\n EventResult = 'Success', \r\n TargetProcessId = tostring(EventDetails.ProcessId), \r\n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \r\n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0]),\r\n TargetUsernameType = iif (DvcOs == \"Windows\", \"Windows\", \"Simple\"), \r\n TargetUsername = iff (DvcOs == \"Windows\", tostring(EventDetails.UserName), \"\"), \r\n ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \r\n | project-rename\r\n DvcHostname = DeviceId,\r\n 
EventProductVersion = AgentVersion, // Not available in Windows\r\n _ResourceId = AssociatedResourceId, \r\n _SubscriptionId = AzureSubscriptionId \r\n | extend \r\n // -- aliases\r\n User = TargetUsername, \r\n CommandLine = TargetProcessCommandLine, \r\n Process = TargetProcessName, \r\n Dvc = DvcHostname \r\n };\r\n ProcessEvents_MD4IoT\r\n","parameters":"disabled:bool = false","description":"Process Create Event ASIM parser for Microsoft Defender for IoT.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"e05b7046-f392-500f-9804-bea9748c51c1","name":"_ASim_ProcessEvent_Microsoft365DV01","body":"let parser=(disabled:boolean=false)\r\n {\r\n DeviceProcessEvents \r\n | where not(disabled)\r\n | extend\r\n EventOriginalUid = tostring(ReportId),\r\n EventCount = int(1),\r\n EventProduct = 'M365 Defender for Endpoint',\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.1.0',\r\n EventSchema = 'ProcessEvent',\r\n EventStartTime = todatetime(TimeGenerated),\r\n EventEndTime = todatetime(TimeGenerated),\r\n EventResult = 'Success'\r\n | extend\r\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\r\n TargetUsername = iff (AccountDomain == '', AccountName, strcat(AccountDomain, '\\\\', AccountName)),\r\n TargetUsernameType = iff(AccountDomain == '','Simple', 'Windows'),\r\n ActorUsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\r\n ActorUserIdType = 'SID',\r\n TargetUserIdType = 'SID',\r\n ActorSessionId = tostring(InitiatingProcessLogonId),\r\n TargetUserSessionId = tostring(LogonId),\r\n Hash = coalesce (SHA256, SHA1, MD5, \"\"),\r\n TargetProcessId = tostring(ProcessId),\r\n ActingProcessId = tostring(InitiatingProcessId),\r\n ParentProcessId = tostring(InitiatingProcessParentId),\r\n DvcOs = iff (AdditionalFields has 
\"ProcessPosixProcessGroupId\", \"Linux\", \"Windows\")\r\n | project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName, AccountDomain, AccountName, ProcessId, InitiatingProcessId, InitiatingProcessParentId, LogonId, InitiatingProcessLogonId, ReportId\r\n | extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, MD5),Hash)])\r\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\r\n | project-rename\r\n DvcId = DeviceId,\r\n EventType = ActionType,\r\n ActorUserId = InitiatingProcessAccountSid,\r\n ActorUserAadId = InitiatingProcessAccountObjectId,\r\n ActorUserUpn = InitiatingProcessAccountUpn,\r\n TargetUserId = AccountSid,\r\n TargetUserAadId = AccountObjectId,\r\n TargetUserUpn = AccountUpn,\r\n ParentProcessName = InitiatingProcessParentFileName,\r\n TargetProcessFilename = FileName,\r\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\r\n TargetProcessName = FolderPath,\r\n TargetProcessCommandLine = ProcessCommandLine,\r\n TargetProcessMD5 = MD5,\r\n TargetProcessSHA1 = SHA1,\r\n TargetProcessSHA256 = SHA256,\r\n TargetProcessIntegrityLevel = ProcessIntegrityLevel,\r\n TargetProcessTokenElevation = ProcessTokenElevation,\r\n TargetProcessCreationTime = ProcessCreationTime,\r\n ActingProcessName = InitiatingProcessFolderPath, \r\n ActingProcessFilename = InitiatingProcessFileName,\r\n ActingProcessCommandLine = InitiatingProcessCommandLine, \r\n ActingProcessMD5 = InitiatingProcessMD5, \r\n ActingProcessSHA1 = InitiatingProcessSHA1, \r\n ActingProcessSHA256 = InitiatingProcessSHA256, \r\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\r\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\r\n ActingProcessCreationTime = InitiatingProcessCreationTime,\r\n MDE_MachineGroup = MachineGroup\r\n | extend // -- aliases\r\n User = coalesce(TargetUsername, ActorUsername),\r\n CommandLine = TargetProcessCommandLine,\r\n Process = TargetProcessName,\r\n Dvc = 
DvcHostname\r\n | project-away AppGuardContainerId, Timestamp , SourceSystem, TenantId \r\n };\r\n parser (disabled = disabled)","parameters":"disabled:bool = false","description":"Process Create Event ASIM parser for Microsoft 365 Defender for endpoint.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"3c05ca86-de65-5921-916a-9b9dac58b3c6","name":"_ASim_ProcessEvent_Microsoft365DV02","body":"let parser=(disabled:boolean=false)\r\n {\r\n DeviceProcessEvents \r\n | where not(disabled)\r\n | extend\r\n Type = \"DeviceProcessEvents\",\r\n EventOriginalUid = tostring(ReportId),\r\n EventCount = int(1),\r\n EventProduct = 'M365 Defender for Endpoint',\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.1.4',\r\n EventSchema = 'ProcessEvent',\r\n EventStartTime = todatetime(Timestamp),\r\n EventEndTime = todatetime(Timestamp),\r\n EventResult = 'Success'\r\n | extend\r\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\r\n TargetUsername = iff (AccountDomain == '', AccountName, strcat(AccountDomain, '\\\\', AccountName)),\r\n TargetUsernameType = iff(AccountDomain == '','Simple', 'Windows'),\r\n ActorUsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\r\n ActorUserIdType = 'SID',\r\n TargetUserIdType = 'SID',\r\n ActorSessionId = tostring(InitiatingProcessLogonId),\r\n TargetUserSessionId = tostring(LogonId),\r\n Hash = coalesce (SHA256, SHA1, MD5, \"\"),\r\n TargetProcessId = tostring(ProcessId),\r\n ActingProcessId = tostring(InitiatingProcessId),\r\n ParentProcessId = tostring(InitiatingProcessParentId),\r\n DvcOs = iff (AdditionalFields has \"ProcessPosixProcessGroupId\", \"Linux\", \"Windows\")\r\n | extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, MD5),Hash)])\r\n | invoke 
_ASIM_ResolveDvcFQDN('DeviceName')\r\n | project-rename\r\n DvcId = DeviceId,\r\n EventType = ActionType,\r\n ActorUserId = InitiatingProcessAccountSid,\r\n ActorUserAadId = InitiatingProcessAccountObjectId,\r\n ActorUserUpn = InitiatingProcessAccountUpn,\r\n TargetUserId = AccountSid,\r\n TargetUserAadId = AccountObjectId,\r\n TargetUserUpn = AccountUpn,\r\n ParentProcessName = InitiatingProcessParentFileName,\r\n TargetProcessFilename = FileName,\r\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\r\n TargetProcessName = FolderPath,\r\n TargetProcessCommandLine = ProcessCommandLine,\r\n TargetProcessMD5 = MD5,\r\n TargetProcessSHA1 = SHA1,\r\n TargetProcessSHA256 = SHA256,\r\n TargetProcessIntegrityLevel = ProcessIntegrityLevel,\r\n TargetProcessTokenElevation = ProcessTokenElevation,\r\n TargetProcessCreationTime = ProcessCreationTime,\r\n ActingProcessName = InitiatingProcessFolderPath, \r\n ActingProcessFilename = InitiatingProcessFileName,\r\n ActingProcessCommandLine = InitiatingProcessCommandLine, \r\n ActingProcessMD5 = InitiatingProcessMD5, \r\n ActingProcessSHA1 = InitiatingProcessSHA1, \r\n ActingProcessSHA256 = InitiatingProcessSHA256, \r\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\r\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\r\n ActingProcessCreationTime = InitiatingProcessCreationTime\r\n | extend\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\r\n | extend // -- aliases\r\n User = coalesce(TargetUsername, ActorUsername),\r\n CommandLine = TargetProcessCommandLine,\r\n Process = TargetProcessName,\r\n Dvc = DvcHostname\r\n | project\r\n TimeGenerated,\r\n Type,\r\n EventOriginalUid,\r\n EventCount,\r\n EventProduct,\r\n EventVendor,\r\n EventSchemaVersion,\r\n EventSchema,\r\n EventStartTime,\r\n EventEndTime,\r\n EventResult,\r\n ActorUsername,\r\n ActorUserIdType,\r\n TargetUserIdType,\r\n ActorUsernameType,\r\n 
TargetUsername,\r\n TargetUsernameType,\r\n ActorSessionId,\r\n Hash,\r\n TargetProcessId,\r\n ActingProcessId,\r\n ParentProcessId,\r\n DvcOs,\r\n HashType,\r\n DvcId,\r\n EventType,\r\n ActorUserId,\r\n ActorUserAadId,\r\n ActorUserUpn,\r\n TargetUserId,\r\n TargetUserAadId,\r\n TargetUserUpn,\r\n ParentProcessName,\r\n TargetProcessFilename,\r\n ParentProcessCreationTime,\r\n TargetProcessName,\r\n TargetProcessCommandLine,\r\n TargetProcessMD5,\r\n TargetProcessSHA1,\r\n TargetProcessSHA256,\r\n TargetProcessIntegrityLevel,\r\n TargetProcessTokenElevation,\r\n TargetProcessCreationTime,\r\n ActingProcessName,\r\n ActingProcessFilename,\r\n ActingProcessCommandLine,\r\n ActingProcessMD5,\r\n ActingProcessSHA1,\r\n ActingProcessSHA256,\r\n ActingProcessIntegrityLevel,\r\n ActingProcessTokenElevation,\r\n ActingProcessCreationTime,\r\n User,\r\n CommandLine,\r\n Process,\r\n Dvc \r\n };\r\n parser (disabled = disabled)","parameters":"disabled:bool = false","description":"Process Create Event ASIM parser for Microsoft 365 Defender for endpoint.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"43307d74-4e34-5cd9-a9f0-ee381f0b347f","name":"_ASim_ProcessEvent_Microsoft365DV03","body":"let parser=(disabled:boolean=false)\r\n {\r\n DeviceProcessEvents \r\n | where not(disabled)\r\n | extend\r\n Type = \"DeviceProcessEvents\",\r\n EventOriginalUid = tostring(ReportId),\r\n EventCount = int(1),\r\n EventProduct = 'M365 Defender for Endpoint',\r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.1.4',\r\n EventSchema = 'ProcessEvent',\r\n EventStartTime = todatetime(Timestamp),\r\n EventEndTime = todatetime(Timestamp),\r\n EventResult = 'Success'\r\n | extend\r\n EventUid = EventOriginalUid,\r\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\r\n TargetUsername = iff 
(AccountDomain == '', AccountName, strcat(AccountDomain, '\\\\', AccountName)),\r\n TargetUsernameType = iff(AccountDomain == '','Simple', 'Windows'),\r\n ActorUsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\r\n ActorUserIdType = 'SID',\r\n TargetUserIdType = 'SID',\r\n ActorSessionId = tostring(InitiatingProcessLogonId),\r\n TargetUserSessionId = tostring(LogonId),\r\n Hash = coalesce (SHA256, SHA1, MD5, \"\"),\r\n TargetProcessId = tostring(ProcessId),\r\n ActingProcessId = tostring(InitiatingProcessId),\r\n ParentProcessId = tostring(InitiatingProcessParentId),\r\n DvcOs = iff (AdditionalFields has \"ProcessPosixProcessGroupId\", \"Linux\", \"Windows\"),\r\n TargetProcessFileSize = iif(FileSize != 0, FileSize, dynamic(null)),\r\n ActingProcessFileSize = iif(InitiatingProcessFileSize != 0, InitiatingProcessFileSize, dynamic(null))\r\n | extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, MD5),Hash)])\r\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\r\n | project-rename\r\n DvcId = DeviceId,\r\n EventType = ActionType,\r\n ActorUserId = InitiatingProcessAccountSid,\r\n ActorUserAadId = InitiatingProcessAccountObjectId,\r\n ActorUserUpn = InitiatingProcessAccountUpn,\r\n TargetUserId = AccountSid,\r\n TargetUserAadId = AccountObjectId,\r\n TargetUserUpn = AccountUpn,\r\n ParentProcessName = InitiatingProcessParentFileName,\r\n TargetProcessFilename = FileName,\r\n TargetProcessFileCompany = ProcessVersionInfoCompanyName,\r\n TargetProcessFileDescription = ProcessVersionInfoFileDescription,\r\n TargetProcessFileProduct = ProcessVersionInfoProductName,\r\n TargetProcessFileVersion = ProcessVersionInfoProductVersion,\r\n TargetProcessFileInternalName = ProcessVersionInfoInternalFileName,\r\n TargetProcessFileOriginalName = ProcessVersionInfoOriginalFileName,\r\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\r\n TargetProcessName = FolderPath,\r\n 
TargetProcessCommandLine = ProcessCommandLine,\r\n TargetProcessMD5 = MD5,\r\n TargetProcessSHA1 = SHA1,\r\n TargetProcessSHA256 = SHA256,\r\n TargetProcessIntegrityLevel = ProcessIntegrityLevel,\r\n TargetProcessTokenElevation = ProcessTokenElevation,\r\n TargetProcessCreationTime = ProcessCreationTime,\r\n ActingProcessName = InitiatingProcessFolderPath, \r\n ActingProcessFilename = InitiatingProcessFileName,\r\n ActingProcessFileCompany = InitiatingProcessVersionInfoCompanyName,\r\n ActingProcessFileDescription = InitiatingProcessVersionInfoFileDescription,\r\n ActingProcessFileProduct = InitiatingProcessVersionInfoProductName,\r\n ActingProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\r\n ActingProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\r\n ActingProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\r\n ActingProcessCommandLine = InitiatingProcessCommandLine, \r\n ActingProcessMD5 = InitiatingProcessMD5, \r\n ActingProcessSHA1 = InitiatingProcessSHA1, \r\n ActingProcessSHA256 = InitiatingProcessSHA256, \r\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\r\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\r\n ActingProcessCreationTime = InitiatingProcessCreationTime\r\n | extend\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\r\n | extend // -- aliases\r\n User = coalesce(TargetUsername, ActorUsername),\r\n CommandLine = TargetProcessCommandLine,\r\n Process = TargetProcessName,\r\n Dvc = DvcHostname\r\n | project\r\n TimeGenerated,\r\n Type,\r\n EventUid,\r\n EventOriginalUid,\r\n EventCount,\r\n EventProduct,\r\n EventVendor,\r\n EventSchemaVersion,\r\n EventSchema,\r\n EventStartTime,\r\n EventEndTime,\r\n EventResult,\r\n ActorUsername,\r\n ActorUserIdType,\r\n TargetUserIdType,\r\n ActorUsernameType,\r\n TargetUsername,\r\n TargetUsernameType,\r\n ActorSessionId,\r\n 
TargetUserSessionId,\r\n Hash,\r\n TargetProcessId,\r\n ActingProcessId,\r\n ParentProcessId,\r\n DvcOs,\r\n HashType,\r\n DvcId,\r\n DvcHostname,\r\n DvcDomain,\r\n DvcDomainType,\r\n EventType,\r\n ActorUserId,\r\n ActorUserAadId,\r\n ActorUserUpn,\r\n TargetUserId,\r\n TargetUserAadId,\r\n TargetUserUpn,\r\n ParentProcessName,\r\n TargetProcessFilename,\r\n ParentProcessCreationTime,\r\n TargetProcessName,\r\n TargetProcessCommandLine,\r\n TargetProcessMD5,\r\n TargetProcessSHA1,\r\n TargetProcessSHA256,\r\n TargetProcessIntegrityLevel,\r\n TargetProcessTokenElevation,\r\n TargetProcessCreationTime,\r\n TargetProcessFileCompany,\r\n TargetProcessFileDescription,\r\n TargetProcessFileProduct,\r\n TargetProcessFileVersion,\r\n TargetProcessFileInternalName,\r\n TargetProcessFileOriginalName,\r\n TargetProcessFileSize,\r\n ActingProcessName,\r\n ActingProcessFilename,\r\n ActingProcessCommandLine,\r\n ActingProcessMD5,\r\n ActingProcessSHA1,\r\n ActingProcessSHA256,\r\n ActingProcessIntegrityLevel,\r\n ActingProcessTokenElevation,\r\n ActingProcessCreationTime,\r\n ActingProcessFileCompany,\r\n ActingProcessFileDescription,\r\n ActingProcessFileProduct,\r\n ActingProcessFileVersion,\r\n ActingProcessFileInternalName,\r\n ActingProcessFileOriginalName,\r\n ActingProcessFileSize,\r\n User,\r\n CommandLine,\r\n Process,\r\n Dvc,\r\n AdditionalFields\r\n };\r\n parser (disabled = disabled)","parameters":"disabled:bool = false","description":"Process Create Event ASIM parser for Microsoft 365 Defender for endpoint.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"7a91f3e8-0c29-57e1-b380-da2a801882e6","name":"_ASim_ProcessEvent_NativeV01","body":"let parser=(disabled: bool=false) {\r\n ASimProcessEventLogs \r\n | where not(disabled)\r\n | project-rename\r\n EventUid = _ItemId\r\n | extend \r\n EventSchema = \"ProcessEvent\",\r\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, 
DvcScopeId)\r\n // -- Aliases\r\n | extend\r\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\r\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\r\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\r\n Rule = coalesce(RuleName, tostring(RuleNumber)),\r\n User = TargetUsername,\r\n Process = TargetProcessName,\r\n CommandLine = TargetProcessCommandLine,\r\n Hash = coalesce(TargetProcessSHA512, TargetProcessSHA256, TargetProcessMD5, TargetProcessSHA1, TargetProcessIMPHASH)\r\n | project-away\r\n TenantId,\r\n SourceSystem,\r\n _SubscriptionId,\r\n _ResourceId\r\n};\r\nparser (disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"Process Event ASIM parser for Microsoft Sentinel native Process Event table.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"b34c18bf-43d0-5e28-83ed-deee72ee74ff","name":"_ASim_ProcessEvent_Terminate","body":"union isfuzzy=true\r\n_ASim_ProcessEvent_TerminateBuiltIn,\r\nASim_ProcessEvent_TerminateSolutions,\r\nASim_ProcessEvent_TerminateCustom\r\n","description":"Process Terminate ASIM parser.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"5c84f668-05ab-5d6e-b390-c97ba4d10d34","name":"_ASim_ProcessEvent_TerminateBuiltIn","body":"let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') \r\n| where SearchKey in ('Any', 'Exclude_ASim_ProcessEvent_Terminate') \r\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') \r\n| where isnotempty(SourceSpecificParser) \r\n| summarize list = make_set(SourceSpecificParser));\r\nlet builtInDisabled = 0 != array_length(set_intersect(toscalar(DisabledParsers),dynamic(['Exclude_ASim_ProcessEvent_TerminateBuiltIn', 'Exclude_ASim_ProcessEvent_Terminate', 'Any'])));\r\nunion isfuzzy=true\r\n_ASim_ProcessEvent_MD4IoTV01(disabled= 
(builtInDisabled or('Exclude_ASim_ProcessEvent_MD4IoT' in (DisabledParsers)))),\r\n_ASim_ProcessEvent_Microsoft365DV03(disabled= (builtInDisabled or('Exclude_ASim_ProcessEvent_Microsoft365D' in (DisabledParsers)))),\r\n_ASim_ProcessEvent_NativeV01(disabled= (builtInDisabled or('Exclude_ASim_ProcessEvent_Native' in (DisabledParsers)))),\r\n_ASim_ProcessEvent_TerminateLinuxSysmonV01(disabled= (builtInDisabled or('Exclude_ASim_ProcessEvent_TerminateLinuxSysmon' in (DisabledParsers)))),\r\n_ASim_ProcessEvent_TerminateMicrosoftSecurityEventsV02(disabled= (builtInDisabled or('Exclude_ASim_ProcessEvent_TerminateMicrosoftSecurityEvents' in (DisabledParsers)))),\r\n_ASim_ProcessEvent_TerminateMicrosoftSysmonV03(disabled= (builtInDisabled or('Exclude_ASim_ProcessEvent_TerminateMicrosoftSysmon' in (DisabledParsers)))),\r\n_ASim_ProcessEvent_TerminateMicrosoftWindowsEventsV02(disabled= (builtInDisabled or('Exclude_ASim_ProcessEvent_TerminateMicrosoftWindowsEvents' in (DisabledParsers)))),\r\n_ASim_ProcessEvent_TerminateVMwareCarbonBlackCloudV01(disabled= (builtInDisabled or('Exclude_ASim_ProcessEvent_TerminateVMwareCarbonBlackCloud' in (DisabledParsers)))),\r\n_Im_Process_EmptyV02\r\n","description":"Process Terminate ASIM built-in union parser.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"d0c84fb1-70c4-5f05-b9ea-ea264d3f91b8","name":"_ASim_ProcessEvent_TerminateLinuxSysmonV01","body":"let ParsedProcessEvent=(){\r\nSyslog\r\n| where not(disabled)\r\n| where SyslogMessage has_all ('5')\r\n| parse SyslogMessage with * ''RuleName''\r\n ''UtcTime''\r\n '{'ProcessGuid'}'\r\n ''ProcessId:string''\r\n ''Image''*\r\n| parse SyslogMessage with *''ActorUsername '' *\r\n| project-away SyslogMessage\r\n| extend \r\n EventType = \"ProcessTerminated\",\r\n EventStartTime = todatetime(TimeGenerated),\r\n EventEndTime = todatetime(TimeGenerated),\r\n EventCount = int(1),\r\n EventVendor = \"Microsoft\",\r\n 
EventSchemaVersion = \"0.1.0\",\r\n EventSchema = 'ProcessEvent',\r\n EventOriginalType='5',\r\n EventProduct = \"Sysmon\",\r\n EventResult = 'Success',\r\n DvcOs = \"Linux\"\r\n | project-rename\r\n DvcHostname = Computer,\r\n TargetProcessName = Image,\r\n TargetProcessId = ProcessId\r\n | extend\r\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\r\n TargetProcessGuid = ProcessGuid,\r\n //***** Aliases ******\r\n User = ActorUsername,\r\n Process = TargetProcessName,\r\n Dvc = DvcHostname\r\n}; ParsedProcessEvent\r\n","parameters":"disabled:bool = false","description":"Process Terminate Event ASIM parser for Sysmon for Linux.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"a981fd67-71ab-5e13-b87e-3632666d745f","name":"_ASim_ProcessEvent_TerminateMicrosoftSecurityEventsV02","body":"let ProcessEvents=(){\r\n SecurityEvent\r\n | where not(disabled)\r\n // -- Filter\r\n | where EventID == 4689\r\n // -- Map\r\n | extend\r\n // Event\r\n EventCount = int(1),\r\n EventVendor = \"Microsoft\",\r\n EventProduct = \"Security Events\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventSchema = 'ProcessEvent',\r\n EventStartTime = todatetime(TimeGenerated),\r\n EventEndTime = todatetime(TimeGenerated),\r\n EventType = \"ProcessTerminated\",\r\n EventResult = 'Success',\r\n EventOriginalType = tostring(EventID),\r\n EventOriginalUid = EventOriginId,\r\n EventResultDetails = Status,\r\n EventOriginalResultDetails = Status, \r\n // Device\r\n DvcId = SourceComputerId,\r\n DvcHostname = Computer,\r\n DvcOs = \"Windows\",\r\n // Users\r\n ActorUserIdType = iff (SubjectUserSid \"S-1-0-0\", \"SID\", \"\"),\r\n ActorUserId = iff (SubjectUserSid \"S-1-0-0\", SubjectUserSid, \"\"), \r\n ActorUsername = iff (SubjectDomainName == '-', SubjectUserName, SubjectAccount),\r\n ActorUsernameType = iff(SubjectDomainName == '-','Simple', 'Windows'),\r\n ActorSessionId = SubjectLogonId,\r\n ActorDomainName 
= SubjectDomainName,\r\n // Processes \r\n TargetProcessId = tostring(toint(ProcessId)),\r\n TargetProcessName = ProcessName,\r\n TargetProcessCommandLine = CommandLine,\r\n TargetProcessTokenElevation = TokenElevationType,\r\n Process = ProcessName\r\n // Aliases\r\n | extend \r\n User = ActorUsername,\r\n Dvc = DvcHostname,\r\n Process = TargetProcessName\r\n }; ProcessEvents\r\n","parameters":"disabled:bool = false","description":"Process Terminate Event ASIM parser for Windows Security Events.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"18e56d86-053e-549f-9c0d-c3970f46d478","name":"_ASim_ProcessEvent_TerminateMicrosoftSysmonV02","body":"let parser = (disabled:bool = false) {\r\n // this is the parser for sysmon from Event table\r\n let parser_Event = (disabled:bool=false) {\r\n Event \r\n | where not(disabled)\r\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID == 5\r\n | parse-kv EventData as (\r\n ProcessId:string,\r\n ProcessGuid:string,\r\n Image:string,\r\n User:string\r\n ) \r\n with (regex=@'{?([^')\r\n | project-rename\r\n ActorUsername = User,\r\n DvcHostname = Computer,\r\n TargetProcessName = Image,\r\n TargetProcessGuid = ProcessGuid,\r\n TargetProcessId = ProcessId\r\n | extend \r\n EventProduct = \"Sysmon\"\r\n | project-away EventData, ParameterXml, RenderedDescription, MG, ManagementGroupName, Message, AzureDeploymentID, SourceSystem, EventCategory, EventLevelName, EventLevel, EventLog, Role, TenantId, UserName\r\n };\r\n let parser_WindowsEvent=(disabled:bool=false){\r\n WindowsEvent\r\n | where not(disabled)\r\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 5\r\n | extend\r\n EventProduct = \"Security Events\",\r\n ActorUsername = tostring(EventData.User),\r\n TargetProcessName = tostring(EventData.Image),\r\n TargetProcessId = tostring(EventData.ProcessId),\r\n TargetProcessGuid = tostring(EventData.ProcessGuid)\r\n | 
project-rename\r\n DvcHostname = Computer,\r\n EventOriginalUid = EventOriginId\r\n | project-away Channel, Data, EventData, EventLevelName, EventLevel, ManagementGroupName, Provider, RawEventData, SourceSystem, Task, TenantId\r\n };\r\n union isfuzzy=true parser_Event(disabled=disabled) // , parser_WindowsEvent(disabled=disabled)\r\n | extend \r\n EventType = \"ProcessTerminated\",\r\n EventStartTime = todatetime(TimeGenerated),\r\n EventEndTime = todatetime(TimeGenerated),\r\n EventCount = int(1),\r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventSchema = 'ProcessEvent',\r\n EventOriginalType=tostring(EventID),\r\n EventResult = 'Success',\r\n DvcOs = \"Windows\",\r\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\r\n // -- Aliases \r\n User = ActorUsername,\r\n Process = TargetProcessName,\r\n Dvc = DvcHostname\r\n | project-away EventID\r\n};\r\nparser (disabled = disabled) \r\n","parameters":"disabled:bool = false","description":"Process Terminate Event ASIM parser for Microsoft Windows Security Events.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"495ed966-fdd2-5238-9cc4-eeb576e459b3","name":"_ASim_ProcessEvent_TerminateMicrosoftSysmonV03","body":"let parser = (disabled: bool = false) {\r\n// this is the parser for sysmon from Event table\r\nlet parser_Event =\r\n Event \r\n | where not(disabled)\r\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID == 5\r\n | parse-kv EventData as (\r\n ProcessId: string,\r\n ProcessGuid: string,\r\n Image: string,\r\n User: string\r\n ) \r\n with (regex=@'{?([^')\r\n | project-rename\r\n ActorUsername = User,\r\n DvcHostname = Computer,\r\n TargetProcessName = Image,\r\n TargetProcessGuid = ProcessGuid,\r\n TargetProcessId = ProcessId\r\n | extend \r\n EventProduct = \"Sysmon\"\r\n | project-away\r\n EventData,\r\n ParameterXml,\r\n RenderedDescription,\r\n MG,\r\n ManagementGroupName,\r\n 
Message,\r\n AzureDeploymentID,\r\n SourceSystem,\r\n EventCategory,\r\n EventLevelName,\r\n EventLevel,\r\n EventLog,\r\n Role,\r\n TenantId,\r\n UserName,\r\n Source,\r\n _ResourceId\r\n | extend \r\n EventType = \"ProcessTerminated\",\r\n EventStartTime = todatetime(TimeGenerated),\r\n EventEndTime = todatetime(TimeGenerated),\r\n EventCount = int(1),\r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventSchema = 'ProcessEvent',\r\n EventOriginalType=tostring(EventID),\r\n EventResult = 'Success',\r\n DvcOs = \"Windows\",\r\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\r\n // -- Aliases \r\n User = ActorUsername,\r\n Process = TargetProcessName,\r\n Dvc = DvcHostname\r\n | project-away EventID\r\n;\r\nparser_Event\r\n};\r\nparser (disabled = disabled)","parameters":"disabled:bool = false","description":"Process Terminate Event ASIM parser for Microsoft Windows Security Events.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"3b46381c-04ce-522a-8a52-72625636d689","name":"_ASim_ProcessEvent_TerminateMicrosoftSysmonWindowsEventV04","body":"let parser = (disabled:bool = false) {\r\n let parser_WindowsEvent=\r\n WindowsEvent\r\n | where not(disabled)\r\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 5\r\n | extend\r\n EventProduct = \"Security Events\",\r\n ActorUsername = tostring(EventData.User),\r\n TargetProcessName = tostring(EventData.Image),\r\n TargetProcessId = tostring(EventData.ProcessId),\r\n TargetProcessGuid = tostring(EventData.ProcessGuid)\r\n | project-rename\r\n DvcHostname = Computer,\r\n EventOriginalUid = EventOriginId\r\n | project-away Channel, Data, EventData, EventLevelName, EventLevel, ManagementGroupName, Provider, RawEventData, SourceSystem, Task, TenantId,Correlation,EventRecordId,Keywords,Opcode,SystemProcessId,SystemThreadId,SystemUserId,TimeCreated,Version,_ResourceId\r\n | extend \r\n EventType = 
\"ProcessTerminated\",\r\n EventStartTime = todatetime(TimeGenerated),\r\n EventEndTime = todatetime(TimeGenerated),\r\n EventCount = int(1),\r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventSchema = 'ProcessEvent',\r\n EventOriginalType=tostring(EventID),\r\n EventResult = 'Success',\r\n DvcOs = \"Windows\",\r\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\r\n // -- Aliases \r\n User = ActorUsername,\r\n Process = TargetProcessName,\r\n Dvc = DvcHostname\r\n | project-away EventID\r\n ;\r\n parser_WindowsEvent\r\n};\r\nparser (disabled = disabled) ","parameters":"disabled:bool = false","description":"Process Terminate Event ASIM parser for Microsoft Windows Security Events.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"7c617f08-970c-5884-9ea5-e07dd5c3dfe8","name":"_ASim_ProcessEvent_TerminateMicrosoftWindowsEventsV02","body":"let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\r\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \r\n T \r\n | extend \r\n type = case (\r\n username == \"-\", \"\",\r\n domain == \"-\", \"Simple\",\r\n \"Windows\"\r\n ),\r\n username = case (\r\n username == \"-\", \"\",\r\n domain == '-', username,\r\n strcat(domain, @\"\\\" , username)\r\n )\r\n};\r\nlet parser=(disabled:boolean=false){\r\nWindowsEvent\r\n| where not(disabled)\r\n| where EventID == 4689\r\n| project-rename\r\n DvcHostname = Computer\r\n| extend\r\n EventCount = int(1),\r\n EventVendor = 'Microsoft',\r\n EventProduct = 'Security Events',\r\n EventSchemaVersion = '0.1.0',\r\n EventSchema = 'ProcessEvent',\r\n EventResult = 'Success',\r\n EventStartTime = todatetime(TimeGenerated),\r\n EventEndTime = todatetime(TimeGenerated),\r\n EventType = 'ProcessTerminated',\r\n EventOriginalType = tostring(EventID),\r\n DvcOs = 'Windows'\r\n| extend \r\n ActorUsername = 
strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \r\n SubjectUserSid = tostring(EventData.SubjectUserSid)\r\n| extend\r\n ActorUserIdType = iff (SubjectUserSid \"S-1-0-0\", \"SID\", \"\"),\r\n ActorUserId = iff (SubjectUserSid \"S-1-0-0\", SubjectUserSid, \"\"), \r\n ActorUsernameType = \"Windows\"\r\n| extend \r\n ActorUserSid = ActorUserId,\r\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\r\n| extend\r\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\r\n // Processes \r\n TargetProcessId = tostring(toint(tolong(EventData.NewProcessId))),\r\n TargetProcessName = tostring(EventData.NewProcessName),\r\n TargetProcessStatusCode = tostring(EventData.Status)\r\n| extend \r\n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\r\n// -- Aliases\r\n| extend\r\n User = ActorUsername,\r\n Dvc = DvcHostname,\r\n Process = TargetProcessName\r\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId, SubjectUserSid\r\n}; \r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Process Terminate Event ASIM parser for WEF Security Events.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"7be9bc58-2ebe-58d2-9923-08fc23e4f679","name":"_ASim_ProcessEvent_TerminateVMwareCarbonBlackCloudV01","body":"let EventFieldsLookup = datatable(\r\n sensor_action_s: string,\r\n DvcAction: string,\r\n EventResult: string\r\n)[\r\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\r\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\r\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\r\n \"ACTION_BREAK\", \"Break\", \"Failure\",\r\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\r\n \"\", \"\", \"Success\"\r\n];\r\nlet parser = (disabled: bool=false) {\r\n CarbonBlackEvents_CL\r\n | where not(disabled)\r\n | where eventType_s == 
\"endpoint.event.procend\" and isnotempty(process_pid_d)\r\n | parse process_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\r\n | parse parent_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\r\n | lookup EventFieldsLookup on sensor_action_s\r\n | extend\r\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\r\n TargetProcessId = tostring(toint(process_pid_d)),\r\n ActingProcessId = tostring(toint(parent_pid_d)),\r\n ActorUsername = process_username_s,\r\n TargetProcessCommandLine = coalesce(target_cmdline_s, process_cmdline_s),\r\n AdditionalFields = bag_pack(\r\n \"org_key\", org_key_s,\r\n \"alert_id\", alert_id_g,\r\n \"process_reputation\", process_reputation_s,\r\n \"parent_reputation\", parent_reputation_s,\r\n \"parent_guid\", parent_guid_s,\r\n \"process_guid\", process_guid_s\r\n )\r\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\r\n | project-rename \r\n TargetProcessName = process_path_s,\r\n DvcIpAddr = device_external_ip_s,\r\n DvcScope = device_group_s,\r\n ActingProcessCommandLine = parent_cmdline_s,\r\n DvcId = device_id_s,\r\n DvcOriginalAction = sensor_action_s,\r\n DvcOs = device_os_s,\r\n EventOriginalType = action_s,\r\n EventOriginalUid = event_id_g,\r\n EventOwner = event_origin_s,\r\n ActingProcessName = parent_path_s,\r\n EventUid = _ItemId\r\n | extend\r\n EventCount = int(1),\r\n EventProduct = \"Carbon Black Cloud\",\r\n EventSchemaVersion = \"0.1.4\",\r\n EventType = \"ProcessTerminated\",\r\n EventVendor = \"VMware\",\r\n EventSchema = \"ProcessEvent\"\r\n | extend \r\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\r\n EventEndTime = EventStartTime,\r\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\r\n CommandLine = TargetProcessCommandLine,\r\n Process = TargetProcessName,\r\n User = ActorUsername,\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\r\n 
ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\r\n HashType = case(\r\n isnotempty(TargetProcessSHA256),\r\n \"TargetProcessSHA256\",\r\n isnotempty(TargetProcessMD5),\r\n \"TargetProcessMD5\",\r\n \"\"\r\n )\r\n | project-away\r\n *_s,\r\n *_d,\r\n *_g,\r\n *_b,\r\n _ResourceId,\r\n Computer,\r\n MG,\r\n ManagementGroupName,\r\n RawData,\r\n SourceSystem,\r\n TenantId\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Process Terminate ASIM parser for VMware Carbon Black Cloud.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"9bb77b98-9da2-55c3-895c-c27feaccf670","name":"_Im_ProcessCreate","body":"let targetusername_parameter = iif(isempty(targetusername_has), targetusername, targetusername_has); \r\nunion isfuzzy=true\r\n_Im_ProcessCreateBuiltIn(starttime= starttime, endtime= endtime, commandline_has_any= commandline_has_any, commandline_has_all= commandline_has_all, commandline_has_any_ip_prefix= commandline_has_any_ip_prefix, actingprocess_has_any= actingprocess_has_any, targetprocess_has_any= targetprocess_has_any, parentprocess_has_any= parentprocess_has_any, targetusername_has= targetusername_parameter, dvcipaddr_has_any_prefix= dvcipaddr_has_any_prefix, dvchostname_has_any= dvchostname_has_any, hashes_has_any= hashes_has_any, eventtype= eventtype),\r\nIm_ProcessCreateSolutions(starttime= starttime, endtime= endtime, commandline_has_any= commandline_has_any, commandline_has_all= commandline_has_all, commandline_has_any_ip_prefix= commandline_has_any_ip_prefix, actingprocess_has_any= actingprocess_has_any, targetprocess_has_any= targetprocess_has_any, parentprocess_has_any= parentprocess_has_any, targetusername_has= targetusername_parameter, dvcipaddr_has_any_prefix= dvcipaddr_has_any_prefix, dvchostname_has_any= dvchostname_has_any, hashes_has_any= hashes_has_any, eventtype= eventtype),\r\nIm_ProcessCreateCustom(starttime= starttime, 
endtime= endtime, commandline_has_any= commandline_has_any, commandline_has_all= commandline_has_all, commandline_has_any_ip_prefix= commandline_has_any_ip_prefix, actingprocess_has_any= actingprocess_has_any, targetprocess_has_any= targetprocess_has_any, parentprocess_has_any= parentprocess_has_any, targetusername_has= targetusername_parameter, dvcipaddr_has_any_prefix= dvcipaddr_has_any_prefix, dvchostname_has_any= dvchostname_has_any, hashes_has_any= hashes_has_any, eventtype= eventtype)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), commandline_has_any:dynamic = dynamic([]), commandline_has_all:dynamic = dynamic([]), commandline_has_any_ip_prefix:dynamic = dynamic([]), actingprocess_has_any:dynamic = dynamic([]), targetprocess_has_any:dynamic = dynamic([]), parentprocess_has_any:dynamic = dynamic([]), targetusername_has:string = '', targetusername:string = '*', dvcipaddr_has_any_prefix:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), hashes_has_any:dynamic = dynamic([]), eventtype:string = '*'","description":"Process Create ASIM parser.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"92130422-ba25-5b51-b0b0-5b9b790e6ebb","name":"_Im_ProcessCreateBuiltIn","body":"let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') \r\n| where SearchKey in ('Any', 'Exclude_Im_ProcessCreate') \r\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') \r\n| where isnotempty(SourceSpecificParser) \r\n| summarize list = make_set(SourceSpecificParser));\r\nlet builtInDisabled = 0 != array_length(set_intersect(toscalar(DisabledParsers),dynamic(['Exclude_Im_ProcessCreateBuiltIn', 'Exclude_Im_ProcessCreate', 'Any'])));\r\nunion isfuzzy=true\r\n_Im_ProcessCreate_LinuxSysmonV03(starttime= starttime, endtime= endtime, commandline_has_any= commandline_has_any, commandline_has_all= commandline_has_all, 
commandline_has_any_ip_prefix= commandline_has_any_ip_prefix, actingprocess_has_any= actingprocess_has_any, targetprocess_has_any= targetprocess_has_any, parentprocess_has_any= parentprocess_has_any, targetusername_has= targetusername_has, dvcipaddr_has_any_prefix= dvcipaddr_has_any_prefix, dvchostname_has_any= dvchostname_has_any, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_ProcessCreate_LinuxSysmon' in (DisabledParsers)))),\r\n_Im_ProcessCreate_MD4IoTV01(starttime= starttime, endtime= endtime, commandline_has_any= commandline_has_any, commandline_has_all= commandline_has_all, commandline_has_any_ip_prefix= commandline_has_any_ip_prefix, actingprocess_has_any= actingprocess_has_any, targetprocess_has_any= targetprocess_has_any, parentprocess_has_any= parentprocess_has_any, targetusername_has= targetusername_has, dvcipaddr_has_any_prefix= dvcipaddr_has_any_prefix, dvchostname_has_any= dvchostname_has_any, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_ProcessCreate_MD4IoT' in (DisabledParsers)))),\r\n_Im_ProcessCreate_MicrosoftSecurityEventsV02(starttime= starttime, endtime= endtime, commandline_has_any= commandline_has_any, commandline_has_all= commandline_has_all, commandline_has_any_ip_prefix= commandline_has_any_ip_prefix, actingprocess_has_any= actingprocess_has_any, targetprocess_has_any= targetprocess_has_any, parentprocess_has_any= parentprocess_has_any, targetusername_has= targetusername_has, dvcipaddr_has_any_prefix= dvcipaddr_has_any_prefix, dvchostname_has_any= dvchostname_has_any, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_ProcessCreate_MicrosoftSecurityEvents' in (DisabledParsers)))),\r\n_Im_ProcessEvent_CreateMicrosoftSysmonV05(starttime= starttime, endtime= endtime, commandline_has_any= commandline_has_any, commandline_has_all= commandline_has_all, commandline_has_any_ip_prefix= commandline_has_any_ip_prefix, actingprocess_has_any= actingprocess_has_any, targetprocess_has_any= 
targetprocess_has_any, parentprocess_has_any= parentprocess_has_any, targetusername_has= targetusername_has, dvcipaddr_has_any_prefix= dvcipaddr_has_any_prefix, dvchostname_has_any= dvchostname_has_any, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_ProcessEvent_CreateMicrosoftSysmon' in (DisabledParsers)))),\r\n_Im_ProcessCreate_MicrosoftWindowsEventsV03(starttime= starttime, endtime= endtime, commandline_has_any= commandline_has_any, commandline_has_all= commandline_has_all, commandline_has_any_ip_prefix= commandline_has_any_ip_prefix, actingprocess_has_any= actingprocess_has_any, targetprocess_has_any= targetprocess_has_any, parentprocess_has_any= parentprocess_has_any, targetusername_has= targetusername_has, dvcipaddr_has_any_prefix= dvcipaddr_has_any_prefix, dvchostname_has_any= dvchostname_has_any, eventtype= eventtype, hashes_has_any= hashes_has_any, disabled= (builtInDisabled or('Exclude_Im_ProcessCreate_MicrosoftWindowsEvents' in (DisabledParsers)))),\r\n_Im_ProcessCreate_SentinelOneV01(starttime= starttime, endtime= endtime, commandline_has_any= commandline_has_any, commandline_has_all= commandline_has_all, commandline_has_any_ip_prefix= commandline_has_any_ip_prefix, actingprocess_has_any= actingprocess_has_any, targetprocess_has_any= targetprocess_has_any, parentprocess_has_any= parentprocess_has_any, targetusername_has= targetusername_has, dvcipaddr_has_any_prefix= dvcipaddr_has_any_prefix, dvchostname_has_any= dvchostname_has_any, eventtype= eventtype, hashes_has_any= hashes_has_any, disabled= (builtInDisabled or('Exclude_Im_ProcessCreate_SentinelOne' in (DisabledParsers)))),\r\n_Im_ProcessCreate_VMwareCarbonBlackCloudV01(starttime= starttime, endtime= endtime, commandline_has_any= commandline_has_any, commandline_has_all= commandline_has_all, commandline_has_any_ip_prefix= commandline_has_any_ip_prefix, actingprocess_has_any= actingprocess_has_any, targetprocess_has_any= targetprocess_has_any, parentprocess_has_any= 
parentprocess_has_any, targetusername_has= targetusername_has, dvcipaddr_has_any_prefix= dvcipaddr_has_any_prefix, dvchostname_has_any= dvchostname_has_any, hashes_has_any= hashes_has_any, eventtype= eventtype, disabled= (builtInDisabled or('Exclude_Im_ProcessCreate_VMwareCarbonBlackCloud' in (DisabledParsers)))),\r\n_Im_Process_EmptyV02,\r\n_Im_ProcessEvent_Microsoft365DV04(starttime= starttime, endtime= endtime, commandline_has_any= commandline_has_any, commandline_has_all= commandline_has_all, commandline_has_any_ip_prefix= commandline_has_any_ip_prefix, actingprocess_has_any= actingprocess_has_any, targetprocess_has_any= targetprocess_has_any, parentprocess_has_any= parentprocess_has_any, targetusername_has= targetusername_has, dvcipaddr_has_any_prefix= dvcipaddr_has_any_prefix, dvchostname_has_any= dvchostname_has_any, eventtype= eventtype, hashes_has_any= hashes_has_any, disabled= (builtInDisabled or('Exclude_Im_ProcessEvent_Microsoft365D' in (DisabledParsers)))),\r\n_Im_ProcessEvent_NativeV01(starttime= starttime, endtime= endtime, commandline_has_any= commandline_has_any, commandline_has_all= commandline_has_all, commandline_has_any_ip_prefix= commandline_has_any_ip_prefix, actingprocess_has_any= actingprocess_has_any, targetprocess_has_any= targetprocess_has_any, parentprocess_has_any= parentprocess_has_any, targetusername_has= targetusername_has, actorusername_has= actorusername_has, dvcipaddr_has_any_prefix= dvcipaddr_has_any_prefix, dvchostname_has_any= dvchostname_has_any, eventtype= eventtype, hashes_has_any= hashes_has_any, disabled= (builtInDisabled or('Exclude_Im_ProcessEvent_Native' in (DisabledParsers))))\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), commandline_has_any:dynamic = dynamic([]), commandline_has_all:dynamic = dynamic([]), commandline_has_any_ip_prefix:dynamic = dynamic([]), actingprocess_has_any:dynamic = dynamic([]), targetprocess_has_any:dynamic = dynamic([]), 
parentprocess_has_any:dynamic = dynamic([]), targetusername_has:string = '*', dvcipaddr_has_any_prefix:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), hashes_has_any:dynamic = dynamic([]), eventtype:string = '*'","description":"Process Create ASIM built-in union parser.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"c5f1b49b-1dfe-5d35-8ed5-09a816424ddf","name":"_Im_ProcessCreate_LinuxSysmonV03","body":"let ParsedProcessEvent=(){\r\n Syslog\r\n // --------------------------------------------------------------------------------------\r\n | where\r\n (isnull(starttime) or TimeGenerated >= starttime )\r\n and (isnull(endtime) or TimeGenerated 1')\r\n | parse SyslogMessage with \r\n *\r\n '' EventRecordId:int ''\r\n *\r\n '' SysmonComputer:string ''\r\n *\r\n ''RuleName // parsing the XML using the original fields name - for readability \r\n ''UtcTime\r\n '{'ProcessGuid\r\n '}'ProcessId:string\r\n ''Image\r\n ''FileVersion\r\n ''Description\r\n ''Product\r\n ''Company'' *\r\n // --------------------------------------------------------------------------------------\r\n | where \r\n (array_length(dvchostname_has_any)==0 or SysmonComputer has_any (dvchostname_has_any))\r\n and (array_length(targetprocess_has_any)==0 or Image has_any (targetprocess_has_any))\r\n // --------------------------------------------------------------------------------------\r\n | extend OriginalFileName = extract (@'\"OriginalFileName\">([^'CommandLine''\r\n ''CurrentDirectory\r\n ''User\r\n '{'LogonGuid\r\n '}'LogonId\r\n ''TerminalSessionId\r\n ''IntegrityLevel\r\n ''Hashes\r\n '{'ParentProcessGuid\r\n '}'ParentProcessId:string\r\n ''ParentImage\r\n ''ParentCommandLine ''*\r\n // --------------------------------------------------------------------------------------\r\n | where \r\n (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all))\r\n and 
(array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any)) // \r\n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) )\r\n and (array_length(actingprocess_has_any)==0 or ParentImage has_any (actingprocess_has_any))\r\n and (targetusername_has=='*' or User has targetusername_has)\r\n // --------------------------------------------------------------------------------------\r\n | parse SyslogMessage with *''ActorUsername '' *// this field appears in newer versions of Sysmon \r\n | extend TargetProcessSHA1=extract(@'SHA1=(\\w+)',1, tostring(Hashes)),\r\n TargetProcessSHA256=extract(@'SHA256=(\\w+)',1, tostring(Hashes)),\r\n TargetProcessIMPHASH=extract(@'IMPHASH=(\\w+)',1,tostring(Hashes)), // add to the empty schema + Excel file\r\n TargetProcessMD5=extract(@'MD5=(\\w+)',1, tostring(Hashes))\r\n // End of XML parse\r\n | project-away SyslogMessage, Hashes\r\n | extend \r\n EventType = \"ProcessCreated\",\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventCount = int(1),\r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventSchema = 'ProcessEvent',\r\n EventProduct = \"Sysmon for Linux\",\r\n EventResult = 'Success',\r\n EventOriginalUid = tostring(EventRecordId),\r\n DvcOs = \"Linux\",\r\n TargetUserSessionId = tostring(LogonId) , \r\n TargetUsernameType = \"Simple\",\r\n TargetUsername = User,\r\n TargetProcessCommandLine = CommandLine,\r\n TargetProcessCurrentDirectory = CurrentDirectory,\r\n ActorUsernameType = \"Simple\",\r\n EventOriginalType = '1' // Set with a constant value to avoid parsing\r\n | project-rename \r\n // EventMessage = RenderedDescription, // field not available in Linux\r\n DvcHostName = SysmonComputer, // Computer may be different than HostName, in which case HostIP may be incorrect. 
\r\n DvcIpAddr = HostIP, \r\n TargetUserSessionGuid = LogonGuid, \r\n TargetProcessId = ProcessId,\r\n TargetProcessGuid = ProcessGuid,\r\n TargetProcessName = Image,\r\n TargetProcessIntegrityLevel = IntegrityLevel,\r\n TargetProcessCompany = Company,\r\n TargetProcessFileDescription = Description,\r\n TargetProcessFileVersion = FileVersion,\r\n TargetProcessFileProduct = Product,\r\n ActingProcessId = ParentProcessId,\r\n ActingProcessGuid = ParentProcessGuid, \r\n ActingProcessCommandLine = ParentCommandLine,\r\n ActingProcessName = ParentImage\r\n | extend // aliases\r\n User = ActorUsername,\r\n Process = TargetProcessName,\r\n Dvc = DvcHostName,\r\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5) // which appears first - will be aliases to \"Hash\"\r\n | project-away\r\n ProcessName, ProcessID\r\n}; ParsedProcessEvent","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), commandline_has_any:dynamic = dynamic([]), commandline_has_all:dynamic = dynamic([]), commandline_has_any_ip_prefix:dynamic = dynamic([]), actingprocess_has_any:dynamic = dynamic([]), targetprocess_has_any:dynamic = dynamic([]), parentprocess_has_any:dynamic = dynamic([]), targetusername_has:string = '*', dvcipaddr_has_any_prefix:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), eventtype:string = '*', disabled:bool = false","description":"Process Create Event ASIM filtering parser for Sysmon for Linux.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"2f31c831-b45d-50f9-b4ef-fe4f5f39c044","name":"_Im_ProcessCreate_MD4IoTV01","body":"let ProcessEvents_MD4IoT=()\r\n{\r\n SecurityIoTRawEvent \r\n | where RawEventName == \"Process\" // TODO: exclude entries where segment EventType is \"EXIT\" by full segment structure\r\n // --------------------------------------------------------------------------------------\r\n | where\r\n (isnull(starttime) or 
TimeGenerated >= starttime )\r\n and (isnull(endtime) or TimeGenerated = starttime )\r\n and (isnull(endtime) or TimeGenerated = starttime )\r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n // -- post-filtering\r\n | where (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any)) \r\n and (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all)) \r\n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) ) \r\n and (array_length(actingprocess_has_any)==0 or ParentImage has_any (actingprocess_has_any)) \r\n and (targetusername_has=='*' or User has targetusername_has) \r\n and (array_length(targetprocess_has_any)==0 or Image has_any (targetprocess_has_any))\r\n // --\r\n | parse-kv Hashes as (MD5:string, SHA1:string, SHA256:string, IMPHASH:string) with (quote='\"')\r\n | extend\r\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\r\n | extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5),Hash)])\r\n | project-rename\r\n TargetProcessMD5 = MD5,\r\n TargetProcessSHA1 = SHA1,\r\n TargetProcessSHA256 = SHA256,\r\n TargetProcessIMPHASH = IMPHASH\r\n | project-away Hashes\r\n | extend \r\n TargetUsername = User,\r\n TargetProcessCommandLine = CommandLine\r\n | project-rename \r\n DvcHostname = Computer,\r\n TargetUserSessionGuid = LogonGuid,\r\n TargetProcessId = ProcessId,\r\n TargetUserSessionId = LogonId, \r\n TargetProcessGuid = ProcessGuid,\r\n TargetProcessName = Image,\r\n TargetProcessFilename = OriginalFileName,\r\n TargetProcessCurrentDirectory = CurrentDirectory,\r\n TargetProcessIntegrityLevel = IntegrityLevel, \r\n TargetProcessFileCompany = Company,\r\n TargetProcessFileDescription = Description,\r\n TargetProcessFileVersion = FileVersion,\r\n TargetProcessFileProduct = Product, \r\n ActingProcessId = ParentProcessId,\r\n ActingProcessGuid = 
ParentProcessGuid, \r\n ActingProcessCommandLine = ParentCommandLine,\r\n ActingProcessName = ParentImage,\r\n ActorUsername = ParentUser\r\n | extend \r\n TargetUsernameType = iff(isnotempty(TargetUsername),'Windows', ''),\r\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\r\n EventProduct = \"Sysmon\",\r\n // aliases\r\n Process = TargetProcessName,\r\n Dvc = DvcHostname\r\n | project-away EventData, ParameterXml, AzureDeploymentID, EventCategory, EventID, EventLevel, EventLevelName, TenantId, EventLog, MG, ManagementGroupName, Message, Role, SourceSystem, Source, UserName, RenderedDescription\r\n };\r\n // this is the parser for sysmon from WindowsEvent table\r\n let parser_WindowsEvent=(\r\n starttime:datetime=datetime(null),\r\n endtime:datetime=datetime(null),\r\n commandline_has_any:dynamic=dynamic([]),\r\n commandline_has_all:dynamic=dynamic([]),\r\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\r\n actingprocess_has_any:dynamic=dynamic([]),\r\n targetprocess_has_any:dynamic=dynamic([]),\r\n parentprocess_has_any:dynamic=dynamic([]),\r\n targetusername_has:string='*',\r\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\r\n dvchostname_has_any:dynamic=dynamic([]),\r\n eventtype:string='*',\r\n disabled:bool=false\r\n ){\r\n WindowsEvent\r\n | where\r\n // -- pre-filtering\r\n (isnull(starttime) or TimeGenerated >= starttime )\r\n and (isnull(endtime) or TimeGenerated = starttime )\r\n and (isnull(endtime) or TimeGenerated \"S-1-0-0\", \"SID\", \"\"),\r\n ActorUserId = iff (ActorUserId \"S-1-0-0\", ActorUserId, \"\"), \r\n ActorUsernameType = \"Windows\",\r\n username = tostring(EventData.TargetUserName)\r\n| extend\r\n TargetUsername = iff(username == \"-\", ActorUsername, strcat(EventData.SubjectDomainName, @'\\', username))\r\n| where // -- post filtering\r\n (targetusername_has=='*' or TargetUsername has targetusername_has) \r\n| extend\r\n TargetUserId = iff(username == \"-\", ActorUserId, tostring(EventData.TargetUserSid))\r\n| 
extend\r\n TargetUserIdType = iff (TargetUserId \"S-1-0-0\", \"SID\", \"\"),\r\n TargetUserId = iff (TargetUserId \"S-1-0-0\", TargetUserId, \"\"), \r\n TargetUsernameType = \"Windows\"\r\n| project-away\r\n username\r\n| extend \r\n TargetUserSid = TargetUserId,\r\n ActorUserSid = ActorUserId,\r\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId),\r\n TargetUserType = _ASIM_GetWindowsUserType(TargetUsername, TargetUserId)\r\n| extend\r\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\r\n TargetUserSessionId = tostring(toint(EventData.TargetLogonId)), \r\n // Processes \r\n ActingProcessId = tostring(toint(tolong(EventData.ProcessId))),\r\n ActingProcessName = tostring(EventData.ParentProcessName),\r\n TargetProcessId = tostring(toint(tolong(EventData.NewProcessId))),\r\n TargetProcessName = tostring(EventData.NewProcessName),\r\n TargetProcessCommandLine = tostring(EventData.CommandLine),\r\n TargetProcessTokenElevation = tostring(EventData.TokenElevationType),\r\n MandatoryLabel = tostring(EventData.MandatoryLabel)\r\n| extend \r\n ActingProcessFilename = ASIM_GetFilenamePart(ActingProcessName),\r\n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\r\n| lookup MandatoryLabelLookup on MandatoryLabel\r\n// -- Aliases\r\n| extend\r\n User = TargetUsername,\r\n Dvc = DvcHostname,\r\n Process = TargetProcessName,\r\n CommandLine = TargetProcessCommandLine\r\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId\r\n}; \r\nparser (\r\n starttime=starttime, \r\n endtime=endtime, \r\n commandline_has_any=commandline_has_any,\r\n commandline_has_all=commandline_has_all,\r\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\r\n actingprocess_has_any=actingprocess_has_any,\r\n targetprocess_has_any=targetprocess_has_any,\r\n parentprocess_has_any=parentprocess_has_any,\r\n 
targetusername_has=targetusername_has,\r\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\r\n dvchostname_has_any=dvchostname_has_any,\r\n eventtype=eventtype,\r\n hashes_has_any=hashes_has_any,\r\n disabled=disabled\r\n)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), commandline_has_any:dynamic = dynamic([]), commandline_has_all:dynamic = dynamic([]), commandline_has_any_ip_prefix:dynamic = dynamic([]), actingprocess_has_any:dynamic = dynamic([]), targetprocess_has_any:dynamic = dynamic([]), parentprocess_has_any:dynamic = dynamic([]), targetusername_has:string = '*', dvcipaddr_has_any_prefix:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), eventtype:string = '*', hashes_has_any:dynamic = dynamic([]), disabled:bool = false","description":"Process Create Event ASIM parser for WEF Security Events.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"aae50b80-5462-5d2d-a6c2-663e11d4cb1f","name":"_Im_ProcessCreate_SentinelOneV01","body":"let ThreatConfidenceLookup_undefined = datatable(\r\n alertInfo_analystVerdict_s: string,\r\n ThreatConfidence_undefined: int\r\n)\r\n[\r\n \"FALSE_POSITIVE\", 5,\r\n \"Undefined\", 15,\r\n \"SUSPICIOUS\", 25,\r\n \"TRUE_POSITIVE\", 33 \r\n];\r\nlet ThreatConfidenceLookup_suspicious = datatable(\r\n alertInfo_analystVerdict_s: string,\r\n ThreatConfidence_suspicious: int\r\n)\r\n[\r\n \"FALSE_POSITIVE\", 40,\r\n \"Undefined\", 50,\r\n \"SUSPICIOUS\", 60,\r\n \"TRUE_POSITIVE\", 67 \r\n];\r\nlet ThreatConfidenceLookup_malicious = datatable(\r\n alertInfo_analystVerdict_s: string,\r\n ThreatConfidence_malicious: int\r\n)\r\n[\r\n \"FALSE_POSITIVE\", 75,\r\n \"Undefined\", 80,\r\n \"SUSPICIOUS\", 90,\r\n \"TRUE_POSITIVE\", 100 \r\n];\r\nlet parser = (\r\n starttime: datetime=datetime(null),\r\n endtime: datetime=datetime(null),\r\n commandline_has_any: dynamic=dynamic([]),\r\n commandline_has_all: 
dynamic=dynamic([]),\r\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\r\n actingprocess_has_any: dynamic=dynamic([]),\r\n targetprocess_has_any: dynamic=dynamic([]),\r\n parentprocess_has_any: dynamic=dynamic([]),\r\n targetusername_has: string='*',\r\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\r\n dvchostname_has_any: dynamic=dynamic([]),\r\n eventtype: string='*',\r\n hashes_has_any: dynamic=dynamic([]),\r\n disabled: bool=false) {\r\n let alldata = SentinelOne_CL\r\n | where not(disabled)\r\n and (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n // -- post-filtering\r\n | where (array_length(commandline_has_any) == 0 or CommandLine has_any (commandline_has_any)) \r\n and (array_length(commandline_has_all) == 0 or CommandLine has_all (commandline_has_all)) \r\n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix)) \r\n and (array_length(actingprocess_has_any) == 0 or ParentImage has_any (actingprocess_has_any)) \r\n and (targetusername_has == '*' or User has targetusername_has) \r\n and (array_length(targetprocess_has_any) == 0 or Image has_any (targetprocess_has_any))\r\n // --\r\n | parse-kv Hashes as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\r\n | extend\r\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\r\n | extend\r\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\r\n | project-rename\r\n TargetProcessMD5 = MD5,\r\n TargetProcessSHA1 = SHA1,\r\n TargetProcessSHA256 = SHA256,\r\n TargetProcessIMPHASH = IMPHASH\r\n | project-away Hashes\r\n | extend \r\n TargetUsername = User,\r\n TargetProcessCommandLine = CommandLine\r\n | 
project-rename \r\n DvcHostname = Computer,\r\n TargetUserSessionGuid = LogonGuid,\r\n TargetProcessId = ProcessId,\r\n TargetUserSessionId = LogonId, \r\n TargetProcessGuid = ProcessGuid,\r\n TargetProcessName = Image,\r\n TargetProcessFilename = OriginalFileName,\r\n TargetProcessCurrentDirectory = CurrentDirectory,\r\n TargetProcessIntegrityLevel = IntegrityLevel, \r\n TargetProcessFileCompany = Company,\r\n TargetProcessFileDescription = Description,\r\n TargetProcessFileVersion = FileVersion,\r\n TargetProcessFileProduct = Product, \r\n ActingProcessId = ParentProcessId,\r\n ActingProcessGuid = ParentProcessGuid, \r\n ActingProcessCommandLine = ParentCommandLine,\r\n ActingProcessName = ParentImage,\r\n ActorUsername = ParentUser\r\n | extend \r\n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\r\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\r\n EventProduct = \"Sysmon\",\r\n // aliases\r\n Process = TargetProcessName,\r\n Dvc = DvcHostname,\r\n EventUid = _ItemId\r\n | project-away\r\n EventData,\r\n ParameterXml,\r\n AzureDeploymentID,\r\n EventCategory,\r\n EventID,\r\n EventLevel,\r\n EventLevelName,\r\n TenantId,\r\n EventLog,\r\n MG,\r\n ManagementGroupName,\r\n Message,\r\n Role,\r\n SourceSystem,\r\n Source,\r\n UserName,\r\n RenderedDescription,\r\n _ResourceId,\r\n _ItemId\r\n | extend \r\n EventType = \"ProcessCreated\",\r\n EventOriginalType = \"1\",\r\n EventStartTime = todatetime(TimeGenerated),\r\n EventEndTime = todatetime(TimeGenerated),\r\n EventCount = int(1),\r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventSchema = 'ProcessEvent',\r\n EventResult = 'Success',\r\n DvcOs = \"Windows\",\r\n TargetUsernameType = \"Windows\",\r\n ActorUsernameType = \"Windows\";\r\n parser_Event\r\n};\r\nparser (\r\n starttime=starttime,\r\n endtime=endtime,\r\n commandline_has_any=commandline_has_any,\r\n commandline_has_all=commandline_has_all,\r\n 
commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\r\n actingprocess_has_any=actingprocess_has_any,\r\n targetprocess_has_any=targetprocess_has_any,\r\n parentprocess_has_any=parentprocess_has_any,\r\n targetusername_has=targetusername_has,\r\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\r\n dvchostname_has_any=dvchostname_has_any,\r\n eventtype=eventtype,\r\n disabled=disabled\r\n ) ","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), commandline_has_any:dynamic = dynamic([]), commandline_has_all:dynamic = dynamic([]), commandline_has_any_ip_prefix:dynamic = dynamic([]), actingprocess_has_any:dynamic = dynamic([]), targetprocess_has_any:dynamic = dynamic([]), parentprocess_has_any:dynamic = dynamic([]), targetusername_has:string = '*', dvcipaddr_has_any_prefix:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), eventtype:string = '*', disabled:bool = false","description":"Process Create Event ASIM parser for Sysmon.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"97aaca87-4943-5a1d-ad15-18351f032864","name":"_Im_ProcessEvent_CreateMicrosoftSysmonWindowsEventV05","body":"let parser = (\r\n starttime: datetime=datetime(null),\r\n endtime: datetime=datetime(null),\r\n commandline_has_any: dynamic=dynamic([]),\r\n commandline_has_all: dynamic=dynamic([]),\r\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\r\n actingprocess_has_any: dynamic=dynamic([]),\r\n targetprocess_has_any: dynamic=dynamic([]),\r\n parentprocess_has_any: dynamic=dynamic([]),\r\n targetusername_has: string='*',\r\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\r\n dvchostname_has_any: dynamic=dynamic([]),\r\n eventtype: string='*',\r\n disabled: bool=false\r\n ) {\r\n // this is the parser for sysmon from WindowsEvent table\r\n let parser_WindowsEvent=\r\n WindowsEvent\r\n | where\r\n // -- pre-filtering\r\n (isnull(starttime) or TimeGenerated >= 
starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime )\r\n and (isnull(endtime) or TimeGenerated = starttime )\r\n and (isnull(endtime) or TimeGenerated = starttime )\r\n and (isnull(endtime) or TimeGenerated = starttime )\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated 5')\r\n// --------------------------------------------------------------------------------------\r\n| where\r\n(isnull(starttime) or TimeGenerated >= starttime )\r\nand (isnull(endtime) or TimeGenerated 'ActorUsername '' *\r\n// --------------------------------------------------------------------------------------\r\n| where\r\n (actorusername_has=='*' or ActorUsername has actorusername_has) \r\n// --------------------------------------------------------------------------------------\r\n| parse SyslogMessage with * ''RuleName''\r\n ''UtcTime''\r\n '{'ProcessGuid'}'\r\n ''ProcessId:string''\r\n ''Image''*\r\n// --------------------------------------------------------------------------------------\r\n| where\r\n (array_length(targetprocess_has_any)==0 or Image has_any (targetprocess_has_any)) \r\n// --------------------------------------------------------------------------------------\r\n| project-away SyslogMessage\r\n| extend \r\n EventType = \"ProcessTerminated\",\r\n EventStartTime = todatetime(TimeGenerated),\r\n EventEndTime = todatetime(TimeGenerated),\r\n EventCount = int(1),\r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventSchema = 'ProcessEvent',\r\n EventOriginalType='5',\r\n EventProduct = \"Sysmon\",\r\n EventResult = 'Success',\r\n DvcOs = \"Linux\"\r\n| project-rename\r\n DvcHostname = Computer,\r\n TargetProcessName = Image,\r\n TargetProcessId = ProcessId\r\n| extend\r\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\r\n TargetProcessGuid = ProcessGuid,\r\n //***** Aliases ******\r\n User = ActorUsername,\r\n Process = TargetProcessName,\r\n Dvc = DvcHostname\r\n}; 
ParsedProcessEvent\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), commandline_has_any:dynamic = dynamic([]), commandline_has_all:dynamic = dynamic([]), commandline_has_any_ip_prefix:dynamic = dynamic([]), actingprocess_has_any:dynamic = dynamic([]), targetprocess_has_any:dynamic = dynamic([]), parentprocess_has_any:dynamic = dynamic([]), actorusername_has:string = '*', dvcipaddr_has_any_prefix:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), eventtype:string = '*', disabled:bool = false","description":"Process Terminate Event ASIM parser for Sysmon for Linux.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"703b746a-1815-5a4f-b932-239289d4fa4f","name":"_Im_ProcessTerminate_MD4IoTV02","body":"let ProcessEvents_MD4IoT=()\r\n{\r\n SecurityIoTRawEvent \r\n | where RawEventName == \"Process\" and EventDetails has_cs 'EXIT'\r\n // --------------------------------------------------------------------------------------\r\n | where\r\n (isnull(starttime) or TimeGenerated >= starttime )\r\n and (isnull(endtime) or TimeGenerated = starttime )\r\nand (isnull(endtime) or TimeGenerated \"S-1-0-0\", \"SID\", \"\"),\r\n ActorUserId = iff (SubjectUserSid \"S-1-0-0\", SubjectUserSid, \"\"), \r\n ActorUsername = iff (SubjectDomainName == '-', SubjectUserName, SubjectAccount),\r\n ActorUsernameType = iff(SubjectDomainName == '-','Simple', 'Windows'),\r\n ActorSessionId = SubjectLogonId,\r\n ActorDomainName = SubjectDomainName,\r\n // Processes \r\n TargetProcessId = tostring(toint(ProcessId)),\r\n TargetProcessName = ProcessName,\r\n TargetProcessCommandLine = CommandLine,\r\n TargetProcessTokenElevation = TokenElevationType,\r\n Process = ProcessName\r\n // Aliases\r\n | extend \r\n User = ActorUsername,\r\n Dvc = DvcHostname,\r\n Process = TargetProcessName\r\n}; ProcessEvents\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = 
datetime(null), commandline_has_any:dynamic = dynamic([]), commandline_has_all:dynamic = dynamic([]), commandline_has_any_ip_prefix:dynamic = dynamic([]), actingprocess_has_any:dynamic = dynamic([]), targetprocess_has_any:dynamic = dynamic([]), parentprocess_has_any:dynamic = dynamic([]), actorusername_has:string = '*', dvcipaddr_has_any_prefix:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), eventtype:string = '*', disabled:bool = false","description":"Process Terminate Event ASIM parser for Windows Security Events.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"8126a19b-9eec-59a4-aa68-ca3199401d87","name":"_Im_ProcessTerminate_MicrosoftSysmonV03","body":"let parser = (\r\n starttime:datetime=datetime(null),\r\n endtime:datetime=datetime(null),\r\n commandline_has_any:dynamic=dynamic([]),\r\n commandline_has_all:dynamic=dynamic([]),\r\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\r\n actingprocess_has_any:dynamic=dynamic([]),\r\n targetprocess_has_any:dynamic=dynamic([]),\r\n parentprocess_has_any:dynamic=dynamic([]),\r\n actorusername_has:string='*',\r\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\r\n dvchostname_has_any:dynamic=dynamic([]),\r\n eventtype:string='*',\r\n disabled:bool=false\r\n ) {\r\n // this is the parser for sysmon from Event table\r\n let parser_Event = (\r\n starttime:datetime=datetime(null),\r\n endtime:datetime=datetime(null),\r\n commandline_has_any:dynamic=dynamic([]),\r\n commandline_has_all:dynamic=dynamic([]),\r\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\r\n actingprocess_has_any:dynamic=dynamic([]),\r\n targetprocess_has_any:dynamic=dynamic([]),\r\n parentprocess_has_any:dynamic=dynamic([]),\r\n actorusername_has:string='*',\r\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\r\n dvchostname_has_any:dynamic=dynamic([]),\r\n eventtype:string='*',\r\n disabled:bool=false\r\n ) {\r\n Event\r\n | where // pre-filtering\r\n 
(isnull(starttime) or TimeGenerated >= starttime )\r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n | project-rename\r\n ActorUsername = User,\r\n DvcHostname = Computer,\r\n TargetProcessName = Image,\r\n TargetProcessGuid = ProcessGuid,\r\n TargetProcessId = ProcessId\r\n | where // post-filtering\r\n (actorusername_has=='*' or ActorUsername has actorusername_has) \r\n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \r\n | extend \r\n EventProduct = \"Sysmon\"\r\n | project-away EventData, ParameterXml, RenderedDescription, MG, ManagementGroupName, Message, AzureDeploymentID, SourceSystem, EventCategory, EventLevelName, EventLevel, EventLog, Role, TenantId, UserName, Source\r\n };\r\n let parser_WindowsEvent=(\r\n starttime:datetime=datetime(null),\r\n endtime:datetime=datetime(null),\r\n commandline_has_any:dynamic=dynamic([]),\r\n commandline_has_all:dynamic=dynamic([]),\r\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\r\n actingprocess_has_any:dynamic=dynamic([]),\r\n targetprocess_has_any:dynamic=dynamic([]),\r\n parentprocess_has_any:dynamic=dynamic([]),\r\n actorusername_has:string='*',\r\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\r\n dvchostname_has_any:dynamic=dynamic([]),\r\n eventtype:string='*',\r\n disabled:bool=false\r\n ){\r\n WindowsEvent\r\n | where // pre-filtering\r\n (isnull(starttime) or TimeGenerated >= starttime )\r\n and (isnull(endtime) or TimeGenerated = starttime )\r\n and (isnull(endtime) or TimeGenerated {?([^')\r\n | project-rename\r\n ActorUsername = User,\r\n DvcHostname = Computer,\r\n TargetProcessName = Image,\r\n TargetProcessGuid = ProcessGuid,\r\n TargetProcessId = ProcessId\r\n | where // post-filtering\r\n (actorusername_has=='*' or ActorUsername has actorusername_has) \r\n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \r\n | extend \r\n EventProduct = \"Sysmon\"\r\n | project-away EventData, ParameterXml, 
RenderedDescription, MG, ManagementGroupName, Message, AzureDeploymentID, SourceSystem, EventCategory, EventLevelName, EventLevel, EventLog, Role, TenantId, UserName, Source\r\n | extend \r\n EventType = \"ProcessTerminated\",\r\n EventStartTime = todatetime(TimeGenerated),\r\n EventEndTime = todatetime(TimeGenerated),\r\n EventCount = int(1),\r\n EventVendor = \"Microsoft\",\r\n EventSchemaVersion = \"0.1.0\",\r\n EventSchema = 'ProcessEvent',\r\n EventOriginalType=tostring(EventID),\r\n EventResult = 'Success',\r\n DvcOs = \"Windows\",\r\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\r\n // -- Aliases \r\n User = ActorUsername,\r\n Process = TargetProcessName,\r\n Dvc = DvcHostname\r\n | project-away EventID,_ResourceId\r\n ;\r\n parser_Event\r\n };\r\nparser (\r\n starttime=starttime, \r\n endtime=endtime, \r\n commandline_has_any=commandline_has_any,\r\n commandline_has_all=commandline_has_all,\r\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\r\n actingprocess_has_any=actingprocess_has_any,\r\n targetprocess_has_any=targetprocess_has_any,\r\n parentprocess_has_any=parentprocess_has_any,\r\n actorusername_has=actorusername_has,\r\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\r\n dvchostname_has_any=dvchostname_has_any,\r\n eventtype=eventtype,\r\n disabled=disabled\r\n) ","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), commandline_has_any:dynamic = dynamic([]), commandline_has_all:dynamic = dynamic([]), commandline_has_any_ip_prefix:dynamic = dynamic([]), actingprocess_has_any:dynamic = dynamic([]), targetprocess_has_any:dynamic = dynamic([]), parentprocess_has_any:dynamic = dynamic([]), actorusername_has:string = '*', dvcipaddr_has_any_prefix:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), eventtype:string = '*', disabled:bool = false","description":"Process Terminate Event ASIM parser for Microsoft Windows Security 
Events.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"0fa6b099-3f32-58e5-b97e-2ab6c5f0c6c0","name":"_Im_ProcessTerminate_MicrosoftSysmonWindowsEventV04","body":"let parser = (\r\n starttime: datetime=datetime(null),\r\n endtime: datetime=datetime(null),\r\n commandline_has_any: dynamic=dynamic([]),\r\n commandline_has_all: dynamic=dynamic([]),\r\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\r\n actingprocess_has_any: dynamic=dynamic([]),\r\n targetprocess_has_any: dynamic=dynamic([]),\r\n parentprocess_has_any: dynamic=dynamic([]),\r\n actorusername_has: string='*',\r\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\r\n dvchostname_has_any: dynamic=dynamic([]),\r\n eventtype: string='*',\r\n disabled: bool=false\r\n ) {\r\n let parser_WindowsEvent=\r\n WindowsEvent\r\n | where // pre-filtering\r\n (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime )\r\n and (isnull(endtime) or TimeGenerated \"S-1-0-0\", \"SID\", \"\"),\r\n ActorUserId = iff (ActorUserId \"S-1-0-0\", ActorUserId, \"\"), \r\n ActorUsernameType = \"Windows\"\r\n| where // -- post filtering\r\n (actorusername_has=='*' or ActorUsername has actorusername_has) \r\n| extend \r\n ActorUserSid = ActorUserId,\r\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\r\n| extend\r\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\r\n // Processes \r\n TargetProcessId = tostring(toint(tolong(EventData.ProcessId))),\r\n TargetProcessName = tostring(EventData.ProcessName),\r\n TargetProcessStatusCode = tostring(EventData.Status)\r\n| extend \r\n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\r\n// -- Aliases\r\n| extend\r\n User = ActorUsername,\r\n Dvc = DvcHostname,\r\n Process = TargetProcessName\r\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, 
ManagementGroupName, SourceSystem, EventOriginId\r\n}; \r\nparser (\r\n starttime=starttime, \r\n endtime=endtime, \r\n commandline_has_any=commandline_has_any,\r\n commandline_has_all=commandline_has_all,\r\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\r\n actingprocess_has_any=actingprocess_has_any,\r\n targetprocess_has_any=targetprocess_has_any,\r\n parentprocess_has_any=parentprocess_has_any,\r\n actorusername_has=actorusername_has,\r\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\r\n dvchostname_has_any=dvchostname_has_any,\r\n eventtype=eventtype,\r\n hashes_has_any=hashes_has_any,\r\n disabled=disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), commandline_has_any:dynamic = dynamic([]), commandline_has_all:dynamic = dynamic([]), commandline_has_any_ip_prefix:dynamic = dynamic([]), actingprocess_has_any:dynamic = dynamic([]), targetprocess_has_any:dynamic = dynamic([]), parentprocess_has_any:dynamic = dynamic([]), actorusername_has:string = '*', dvcipaddr_has_any_prefix:dynamic = dynamic([]), dvchostname_has_any:dynamic = dynamic([]), eventtype:string = '*', hashes_has_any:dynamic = dynamic([]), disabled:bool = false","description":"Process Terminate Event ASIM parser for WEF Security Events.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"073534ec-5b44-5933-91a1-3b0fc64f23c0","name":"_Im_ProcessTerminate_VMwareCarbonBlackCloudV01","body":"let EventFieldsLookup = datatable(\r\n sensor_action_s: string,\r\n DvcAction: string,\r\n EventResult: string\r\n)[\r\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\r\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\r\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\r\n \"ACTION_BREAK\", \"Break\", \"Failure\",\r\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\r\n \"\", \"\", \"Success\"\r\n];\r\nlet parser = (\r\n starttime: datetime=datetime(null),\r\n endtime: 
datetime=datetime(null),\r\n commandline_has_any: dynamic=dynamic([]),\r\n commandline_has_all: dynamic=dynamic([]),\r\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\r\n actingprocess_has_any: dynamic=dynamic([]),\r\n targetprocess_has_any: dynamic=dynamic([]),\r\n parentprocess_has_any: dynamic=dynamic([]),\r\n actorusername_has: string='*',\r\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\r\n dvchostname_has_any: dynamic=dynamic([]),\r\n eventtype: string='*',\r\n disabled: bool=false) {\r\n CarbonBlackEvents_CL\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated EventEndTime\r\n _ResourceId:string,\r\n Type:string,\r\n // ****** Event fields ******\r\n EventType:string,\r\n EventProduct:string,\r\n EventProductVersion:string,\r\n EventCount:int,\r\n EventMessage:string,\r\n EventVendor:string,\r\n EventSchema:string,\r\n EventSchemaVersion:string,\r\n EventSeverity:string,\r\n EventSubType:string,\r\n EventOriginalUid:string,\r\n EventOriginalType:string,\r\n EventOriginalResultDetails:string,\r\n EventOriginalSeverity:string,\r\n EventOriginalSubType:string,\r\n EventStartTime:datetime,\r\n EventEndTime:datetime,\r\n EventReportUrl:string,\r\n EventResult: string,\r\n EventResultDetails: string,\r\n AdditionalFields:dynamic,\r\n EventOwner:string,\r\n // ****** Device fields ******\r\n DvcId:string,\r\n DvcHostname:string,\r\n DvcDomain:string,\r\n DvcDomainType:string,\r\n DvcFQDN:string,\r\n DvcIpAddr:string,\r\n DvcOs:string,\r\n DvcOsVersion:string,\r\n DvcMacAddr:string,\r\n DvcAction:string,\r\n DvcOriginalAction:string,\r\n DvcDescription: string,\r\n DvcIdType: string,\r\n DvcInterface: string,\r\n DvcZone: string,\r\n DvcScopeId:string,\r\n DvcScope:string,\r\n // ****** Target fields ******\r\n TargetUsername:string,\r\n TargetUsernameType:string,\r\n TargetOriginalUserType:string,\r\n TargetUserId:string,\r\n TargetUserIdType:string,\r\n TargetUserType:string,\r\n 
TargetUserSessionId:string,\r\n TargetUserUid:string,\r\n TargetUserScopeId:string,\r\n TargetUserScope:string,\r\n TargetProcessName:string,\r\n TargetProcessFileDescription:string,\r\n TargetProcessFileProduct:string,\r\n TargetProcessFileVersion:string,\r\n TargetProcessFileCompany: string,\r\n TargetProcessFileInternalName: string,\r\n TargetProcessFileOriginalName: string,\r\n TargetProcessFileSize: long,\r\n TargetProcessCurrentDirectory: string,\r\n TargetProcessIsHidden:bool,\r\n TargetProcessInjectedAddress:string,\r\n TargetProcessMD5:string,\r\n TargetProcessSHA1:string,\r\n TargetProcessSHA256:string,\r\n TargetProcessSHA512:string,\r\n TargetProcessIMPHASH:string,\r\n TargetProcessCommandLine:string,\r\n TargetProcessCreationTime:datetime,\r\n TargetProcessId:string,\r\n TargetProcessGuid:string,\r\n TargetProcessIntegrityLevel:string,\r\n TargetProcessTokenElevation:string,\r\n // ****** Process fields ******\r\n ActorUsername:string,\r\n ActorUsernameType:string,\r\n ActorUserId:string,\r\n ActorUserIdType:string,\r\n ActorUserType:string,\r\n ActorOriginalUserType:string,\r\n ActorSessionId:string,\r\n ActorUserAadId:string,\r\n ActorUserSid:string,\r\n ActorScopeId:string,\r\n ActorScope:string,\r\n ActingProcessCommandLine:string,\r\n ActingProcessName:string,\r\n ActingProcessFileDescription:string,\r\n ActingProcessFileProduct:string,\r\n ActingProcessFileCompany: string,\r\n ActingProcessFileInternalName: string,\r\n ActingProcessFileOriginalName: string,\r\n ActingProcessFileSize: long,\r\n ActingProcessFileVersion:string,\r\n ActingProcessIsHidden:bool,\r\n ActingProcessTokenElevation: string,\r\n ActingProcessInjectedAddress:string,\r\n ActingProcessId:string,\r\n ActingProcessGuid:string,\r\n ActingProcessIntegrityLevel:string,\r\n ActingProcessMD5:string,\r\n ActingProcessSHA1:string,\r\n ActingProcessSHA256:string,\r\n ActingProcessSHA512:string,\r\n ActingProcessIMPHASH:string,\r\n ActingProcessCreationTime:datetime,\r\n 
ParentProcessName:string,\r\n ParentProcessFileDescription:string,\r\n ParentProcessFileProduct:string,\r\n ParentProcessFileVersion:string,\r\n ParentProcessFileCompany: string,\r\n ParentProcessTokenElevation:string,\r\n ParentProcessIsHidden:bool,\r\n ParentProcessInjectedAddress:string,\r\n ParentProcessId:string,\r\n ParentProcessGuid:string,\r\n ParentProcessIntegrityLevel:string,\r\n ParentProcessMD5:string,\r\n ParentProcessSHA1:string,\r\n ParentProcessSHA256:string,\r\n ParentProcessSHA512:string,\r\n ParentProcessIMPHASH:string,\r\n ParentProcessCreationTime:datetime,\r\n ParentProcessCommandLine:string,\r\n ParentProcessFileInternalName: string,\r\n ParentProcessFileOriginalName: string,\r\n ParentProcessFileSize: long,\r\n //****** Inspection fields ******\r\n RuleName:string,\r\n RuleNumber:int,\r\n ThreatId:string,\r\n ThreatName:string,\r\n ThreatCategory:string,\r\n ThreatRiskLevel:int,\r\n ThreatOriginalRiskLevel:string,\r\n ThreatConfidence:int,\r\n ThreatOriginalConfidence:string,\r\n ThreatIsActive:bool,\r\n ThreatFirstReportedTime:datetime,\r\n ThreatLastReportedTime:datetime,\r\n ThreatField:string,\r\n //****** aliases ******\r\n Dvc:string,\r\n Src:string,\r\n Dst:string,\r\n User:string,\r\n Process:string,\r\n CommandLine:string,\r\n Hash:string,\r\n HashType:string\r\n )[];\r\n EmptyNewProcessEvents\r\n","description":"Process Event ASIM schema function.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"c37f494d-410c-51dd-82b5-b9c2b2d0760c","name":"_Im_Process_EmptyV02","body":"let EmptyNewProcessEvents = datatable(\r\n TimeGenerated:datetime,\r\n _ResourceId:string,\r\n Type:string,\r\n ActingProcessCommandLine:string,\r\n ActingProcessCreationTime:datetime,\r\n ActingProcessFileCompany:string,\r\n ActingProcessFileDescription:string,\r\n ActingProcessFileInternalName:string,\r\n ActingProcessFilename:string,\r\n ActingProcessFileOriginalName:string,\r\n 
ActingProcessFileProduct:string,\r\n ActingProcessFileSize:long,\r\n ActingProcessFileVersion:string,\r\n ActingProcessGuid:string,\r\n ActingProcessIMPHASH:string,\r\n ActingProcessId:string,\r\n ActingProcessInjectedAddress:string,\r\n ActingProcessIntegrityLevel:string,\r\n ActingProcessIsHidden:bool,\r\n ActingProcessMD5:string,\r\n ActingProcessName:string,\r\n ActingProcessSHA1:string,\r\n ActingProcessSHA256:string,\r\n ActingProcessSHA512:string,\r\n ActingProcessTokenElevation:string,\r\n ActorDNUsername:string,\r\n ActorOriginalUserType:string,\r\n ActorScope:string,\r\n ActorScopeId:string,\r\n ActorSessionId:string,\r\n ActorSimpleUsername:string,\r\n ActorUserAadId:string,\r\n ActorUserAWSId:string,\r\n ActorUserId:string,\r\n ActorUserIdType:string,\r\n ActorUsername:string,\r\n ActorUsernameType:string,\r\n ActorUserOktaId:string,\r\n ActorUserPuid:string,\r\n ActorUserSid:string,\r\n ActorUserType:string,\r\n ActorUserUid:string,\r\n ActorUserUpn:string,\r\n ActorWindowsUsername:string,\r\n AdditionalFields:dynamic,\r\n CommandLine:string,\r\n Dst:string,\r\n Dvc:string,\r\n DvcAction:string,\r\n DvcDescription:string,\r\n DvcDomain:string,\r\n DvcDomainType:string,\r\n DvcFQDN:string,\r\n DvcHostname:string,\r\n DvcId:string,\r\n DvcIdType:string,\r\n DvcInterface:string,\r\n DvcIpAddr:string,\r\n DvcMacAddr:string,\r\n DvcOriginalAction:string,\r\n DvcOs:string,\r\n DvcOsVersion:string,\r\n DvcScope:string,\r\n DvcScopeId:string,\r\n DvcZone:string,\r\n EventCount:int,\r\n EventEndTime:datetime,\r\n EventMessage:string,\r\n EventOriginalResultDetails:string,\r\n EventOriginalSeverity:string,\r\n EventOriginalSubType:string,\r\n EventOriginalType:string,\r\n EventOriginalUid:string,\r\n EventOwner:string,\r\n EventProduct:string,\r\n EventProductVersion:string,\r\n EventReportUrl:string,\r\n EventResult:string,\r\n EventResultDetails:string,\r\n EventSchema:string,\r\n EventSchemaVersion:string,\r\n EventSeverity:string,\r\n 
EventStartTime:datetime,\r\n EventSubType:string,\r\n EventType:string,\r\n EventUid:string,\r\n EventVendor:string,\r\n Hash:string,\r\n HashType:string,\r\n ParentProcessCreationTime:datetime,\r\n ParentProcessFileCompany:string,\r\n ParentProcessFileDescription:string,\r\n ParentProcessFileProduct:string,\r\n ParentProcessFileVersion:string,\r\n ParentProcessGuid:string,\r\n ParentProcessIMPHASH:string,\r\n ParentProcessId:string,\r\n ParentProcessInjectedAddress:string,\r\n ParentProcessIntegrityLevel:string,\r\n ParentProcessIsHidden:bool,\r\n ParentProcessMD5:string,\r\n ParentProcessName:string,\r\n ParentProcessSHA1:string,\r\n ParentProcessSHA256:string,\r\n ParentProcessSHA512:string,\r\n ParentProcessTokenElevation:string,\r\n Process:string,\r\n Rule:string,\r\n RuleName:string,\r\n RuleNumber:int,\r\n Src:string,\r\n TargetDNUsername:string,\r\n TargetOriginalUserType:string,\r\n TargetProcessCommandLine:string,\r\n TargetProcessCreationTime:datetime,\r\n TargetProcessCurrentDirectory:string,\r\n TargetProcessFileCompany:string,\r\n TargetProcessFileDescription:string,\r\n TargetProcessFileInternalName:string,\r\n TargetProcessFilename:string,\r\n TargetProcessFileOriginalName:string,\r\n TargetProcessFileProduct:string,\r\n TargetProcessFileSize:long,\r\n TargetProcessFileVersion:string,\r\n TargetProcessGuid:string,\r\n TargetProcessId:string,\r\n TargetProcessIMPHASH:string,\r\n TargetProcessInjectedAddress:string,\r\n TargetProcessIntegrityLevel:string,\r\n TargetProcessIsHidden:bool,\r\n TargetProcessMD5:string,\r\n TargetProcessName:string,\r\n TargetProcessSHA1:string,\r\n TargetProcessSHA256:string,\r\n TargetProcessSHA512:string,\r\n TargetProcessStatusCode:string,\r\n TargetProcessTokenElevation:string,\r\n TargetSimpleUsername:string,\r\n TargetUserAadId:string,\r\n TargetUserAWSId:string,\r\n TargetUserId:string,\r\n TargetUserIdType:string,\r\n TargetUsername:string,\r\n TargetUsernameType:string,\r\n TargetUserOktaId:string,\r\n 
TargetUserPuid:string,\r\n TargetUserScope:string,\r\n TargetUserScopeId:string,\r\n TargetUserSessionGuid:string,\r\n TargetUserSessionId:string,\r\n TargetUserSid:string,\r\n TargetUserType:string,\r\n TargetUserUid:string,\r\n TargetUserUpn:string,\r\n TargetWindowsUsername:string,\r\n ThreatCategory:string,\r\n ThreatConfidence:int,\r\n ThreatField:string,\r\n ThreatFirstReportedTime:datetime,\r\n ThreatId:string,\r\n ThreatIsActive:bool,\r\n ThreatLastReportedTime:datetime,\r\n ThreatName:string,\r\n ThreatOriginalConfidence:string,\r\n ThreatOriginalRiskLevel:string,\r\n ThreatRiskLevel:int,\r\n User:string\r\n )[];\r\n EmptyNewProcessEvents\r\n","description":"Process Event ASIM schema function.","related":{"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"842563f8-c0c6-564b-b70a-8eb0cf3cc5ab","name":"_ASim_WebSession","body":"union isfuzzy=true\r\n_ASim_WebSessionBuiltIn(pack= pack),\r\nASim_WebSessionSolutions(pack= pack),\r\nASim_WebSessionCustom(pack= pack)\r\n","parameters":"pack:bool = false","description":"Web Session ASIM parser.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"56a8defd-3b2a-5281-81c9-24522c51052f","name":"_ASim_WebSessionBuiltIn","body":"let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') \r\n| where SearchKey in ('Any', 'Exclude_ASim_WebSession') \r\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') \r\n| where isnotempty(SourceSpecificParser) \r\n| summarize list = make_set(SourceSpecificParser));\r\nlet builtInDisabled = 0 != array_length(set_intersect(toscalar(DisabledParsers),dynamic(['Exclude_ASim_WebSessionBuiltIn', 'Exclude_ASim_WebSession', 'Any'])));\r\nunion isfuzzy=true\r\n_ASim_WebSession_ApacheHTTPServerV01(disabled= (builtInDisabled or('Exclude_ASim_WebSession_ApacheHTTPServer' in (DisabledParsers)))),\r\n_ASim_WebSession_AzureFirewallV01(disabled= 
(builtInDisabled or('Exclude_ASim_WebSession_AzureFirewall' in (DisabledParsers)))),\r\n_ASim_WebSession_BarracudaCEFV02(disabled= (builtInDisabled or('Exclude_ASim_WebSession_BarracudaCEF' in (DisabledParsers)))),\r\n_ASim_WebSession_BarracudaWAFV02(disabled= (builtInDisabled or('Exclude_ASim_WebSession_BarracudaWAF' in (DisabledParsers)))),\r\n_ASim_WebSession_CiscoFirepowerV01(disabled= (builtInDisabled or('Exclude_ASim_WebSession_CiscoFirepower' in (DisabledParsers)))),\r\n_ASim_WebSession_CiscoMerakiV01(disabled= (builtInDisabled or('Exclude_ASim_WebSession_CiscoMeraki' in (DisabledParsers)))),\r\n_ASim_WebSession_CiscoUmbrellaV01(disabled= (builtInDisabled or('Exclude_ASim_WebSession_CiscoUmbrella' in (DisabledParsers))), pack= pack),\r\n_ASim_WebSession_CitrixNetScalerV01(disabled= (builtInDisabled or('Exclude_ASim_WebSession_CitrixNetScaler' in (DisabledParsers)))),\r\n_ASim_WebSession_F5ASMV01(disabled= (builtInDisabled or('Exclude_ASim_WebSession_F5ASM' in (DisabledParsers)))),\r\n_ASim_WebSession_FortinetFortiGateV03(disabled= (builtInDisabled or('Exclude_ASim_WebSession_FortinetFortiGate' in (DisabledParsers)))),\r\n_ASim_WebSession_IISV02(disabled= (builtInDisabled or('Exclude_ASim_WebSession_IIS' in (DisabledParsers)))),\r\n_ASim_WebSession_NativeV01(disabled= (builtInDisabled or('Exclude_ASim_WebSession_Native' in (DisabledParsers)))),\r\n_ASim_WebSession_PaloAltoCEFV02(disabled= (builtInDisabled or('Exclude_ASim_WebSession_PaloAltoCEF' in (DisabledParsers)))),\r\n_ASim_WebSession_PaloAltoCortexDataLakeV01(disabled= (builtInDisabled or('Exclude_ASim_WebSession_PaloAltoCortexDataLake' in (DisabledParsers)))),\r\n_ASim_WebSession_SonicWallFirewallV01(disabled= (builtInDisabled or('Exclude_ASim_WebSession_SonicWallFirewall' in (DisabledParsers)))),\r\n_ASim_WebSession_SquidProxyV04(disabled= (builtInDisabled or('Exclude_ASim_WebSession_SquidProxy' in (DisabledParsers)))),\r\n_ASim_WebSession_VectraAIV02(disabled= (builtInDisabled 
or('Exclude_ASim_WebSession_VectraAI' in (DisabledParsers))), pack= pack),\r\n_ASim_WebSession_ZscalerZIAV04(disabled= (builtInDisabled or('Exclude_ASim_WebSession_ZscalerZIA' in (DisabledParsers)))),\r\n_Im_WebSession_EmptyV04\r\n","parameters":"pack:bool = false","description":"Web Session ASIM built-in union parser.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"29bae92d-e879-5c1c-b702-dda9f4953353","name":"_ASim_WebSession_ApacheHTTPServerV01","body":"let Parser=(disabled:bool=false){\r\n ApacheHTTPServer_CL\r\n | where not(disabled)\r\n | project RawData, TimeGenerated, Computer, _ResourceId, Type, _ItemId\r\n | where not (RawData startswith \"[\") \r\n | where RawData has_any (\"GET\", \"HEAD\", \"POST\", \"PUT\", \"DELETE\", \"CONNECT\", \"OPTIONS\", \"TRACE\", \"PATCH\")\r\n | parse RawData with * '] ' Temp'\"' *\r\n | extend DstHostname = tostring(split(trim_end(\" \",Temp),\":\",0)[0])\r\n | parse RawData with SrcIpAddr \" \" ClientIdentity \" \" SrcUsername \" [\" Date ']' * '\"' HttpRequestMethod \" \" Url \" \" Protocol '\" ' EventResultDetails \" \" DstBytes:long ' \"' HttpReferrer '\" \"' HttpUserAgent '\"' *\r\n | project-away RawData, Date, ClientIdentity, Temp\r\n | parse _ResourceId with * \"/subscriptions/\" DvcScopeId \"/\" *\r\n | project-rename \r\n DvcHostname = Computer,\r\n DvcId = _ResourceId,\r\n EventUid = _ItemId\r\n | extend \r\n HttpVersion = tostring(split(Protocol,\"/\")[1]),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\")\r\n | extend \r\n HttpStatusCode = EventResultDetails,\r\n UserAgent = HttpUserAgent,\r\n EventResult = iff (\r\n toint(EventResultDetails) = 400 or DeviceAction =~ \"blocked\", \"Failure\", \"Success\"),\r\n HttpStatusCode = EventResultDetails,\r\n AdditionalFields = bag_pack(\r\n \"Full Request\", DeviceCustomString3, \r\n \"Policy Name\", 
DeviceCustomString1,\r\n \"Attack Type\", DeviceCustomString4,\r\n \"Policy Apply Date\", DeviceCustomDate1,\r\n \"Web Application Name\", DeviceCustomString2\r\n ),\r\n Dst = DstIpAddr;\r\n let AnomalyDetectionData = AllData\r\n | where DeviceEventClassID in (DeviceEventClassIDList)\r\n | extend\r\n EventResult = iff(DeviceAction =~ \"passed\", \"Success\", \"Failure\"),\r\n AdditionalFields = bag_pack(\r\n \"Detection Average\", FieldDeviceCustomNumber1,\r\n \"Dropped Requests\", FieldDeviceCustomNumber2,\r\n \"Attack Status\", DeviceCustomString4,\r\n \"Detection Mode\", DeviceCustomString5,\r\n \"Web Application Name\", DeviceCustomString2\r\n ),\r\n ThreatId = tostring(FieldDeviceCustomNumber3)\r\n | project-away ApplicationProtocol, ExtID;\r\n union GeneralEnforcementData, AnomalyDetectionData\r\n | lookup DvcActionLookup on DeviceAction\r\n | lookup EventSeverityLookup on LogSeverity\r\n | extend \r\n EventStartTime = todatetime(ReceiptTime),\r\n EventOriginalType = iff(isempty(toint(DeviceEventClassID)), DeviceEventClassID, Activity)\r\n | extend\r\n EventCount = int(1),\r\n EventSchema = \"WebSession\",\r\n EventSchemaVersion = \"0.2.6\",\r\n EventType = \"HTTPsession\"\r\n | project-rename \r\n EventProduct = DeviceProduct,\r\n EventVendor = DeviceVendor,\r\n EventUid = _ItemId,\r\n EventOriginalSeverity = LogSeverity,\r\n DvcOriginalAction = DeviceAction,\r\n Url = RequestURL,\r\n SrcIpAddr = SourceIP,\r\n SrcGeoCountry = DeviceCustomString6,\r\n SrcPortNumber = SourcePort,\r\n SrcUserId = SourceUserID,\r\n SrcUsername = SourceUserName,\r\n EventMessage = Message,\r\n EventProductVersion = DeviceVersion,\r\n RuleName = DeviceCustomString1\r\n | extend \r\n SrcUserIdType = iff(isnotempty(SrcUserId), \"Other\", \"\"),\r\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\r\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\r\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\r\n EventEndTime = EventStartTime,\r\n Src = SrcIpAddr,\r\n IpAddr = 
SrcIpAddr,\r\n UserAgent = HttpUserAgent,\r\n User = SrcUsername,\r\n Rule = RuleName\r\n | project-away\r\n Source*,\r\n Destination*,\r\n Device*,\r\n AdditionalExtensions,\r\n Activity,\r\n CommunicationDirection,\r\n Computer,\r\n EndTime,\r\n EventOutcome,\r\n FieldDevice*,\r\n Flex*,\r\n File*,\r\n Old*,\r\n IndicatorThreatType,\r\n MaliciousIP*,\r\n OriginalLogSeverity,\r\n Process*,\r\n Protocol,\r\n ReceivedBytes,\r\n SentBytes,\r\n Remote*,\r\n Request*,\r\n SimplifiedDeviceAction,\r\n StartTime,\r\n TenantId,\r\n ThreatDescription,\r\n ThreatSeverity,\r\n ThreatConfidence,\r\n Reason,\r\n ExternalID,\r\n ReportReferenceLink,\r\n ReceiptTime,\r\n rest,\r\n _ResourceId\r\n};\r\nparser(disabled=disabled)","parameters":"disabled:bool = false","description":"Web Session ASIM parser for F5 BIG-IP Application Security Manager (ASM).","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"6766a411-0a1d-5300-ab9b-e47bcf39b630","name":"_ASim_WebSession_FortinetFortiGateV01","body":"let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string)\r\n[\r\n \"passthrough\",\"Allow\",\"Success\"\r\n , \"blocked\",\"Deny\",\"Failure\"\r\n];\r\n// -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\r\nlet SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\r\n[\r\n \"1\", \"Informational\", // Debug\r\n \"2\", \"Informational\", // Information\r\n \"3\", \"Informational\", // Notification\r\n \"4\", \"Low\", // Warning\r\n \"5\", \"Low\", // Error\r\n \"6\", \"High\", // Critical\r\n \"7\", \"Medium\", // Alert\r\n \"8\", \"High\" // Emergency\r\n];\r\nlet parser=(disabled:bool=false){\r\n CommonSecurityLog\r\n | where not(disabled)\r\n | where DeviceVendor == \"Fortinet\" \r\n and DeviceProduct startswith \"Fortigate\"\r\n and Activity has_all ('webfilter', 'utm')\r\n | extend \r\n EventResultDetails = 
\"NA\"\r\n | lookup EventLookup on DeviceAction \r\n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName\r\n | project-rename \r\n Url = RequestURL\r\n , UrlCategory = RequestContext\r\n , DstBytes = ReceivedBytes\r\n , DstInterfaceName = DeviceOutboundInterface\r\n , DstIpAddr = DestinationIP\r\n , DstPortNumber = DestinationPort\r\n , DvcHostname = Computer\r\n , EventMessage = Activity\r\n , EventOriginalSeverity = LogSeverity\r\n , EventProduct = DeviceProduct\r\n , EventProductVersion = DeviceVersion\r\n , SrcBytes = SentBytes\r\n , SrcInterfaceName = DeviceInboundInterface\r\n , SrcIpAddr = SourceIP\r\n , SrcPortNumber = SourcePort\r\n , DvcId = DeviceExternalID\r\n , EventUid = _ItemId\r\n , DstHostname = DestinationHostName\r\n , SrcHostname = SourceHostName\r\n , SrcUsername = SourceUserName\r\n , DstUsername = DestinationUserName\r\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\r\n | extend \r\n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\r\n , SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\r\n | project-rename DvcOriginalAction = DeviceAction\r\n | parse-kv AdditionalExtensions as (\r\n FortinetFortiGatestart:datetime,\r\n FortinetFortiGatesrcintfrole:string,\r\n FortinetFortiGatedstintfrole:string,\r\n FortinetFortiGateexternalID:string,\r\n FortinetFortiGatepolicyid:int,\r\n FortinetFortiGatedstcountry:string,\r\n FortinetFortiGatesrccountry:string,\r\n FortinetFortiGatecrscore:string,\r\n FortinetFortiGateduration:int,\r\n FortinetFortiGatesentpkt:long,\r\n FortinetFortiGatercvdpkt:long,\r\n ['ad.referralurl']:string,\r\n ['ad.httpmethod']:string,\r\n 
['ad.agent']:string\r\n ) with (pair_delimiter=';', kv_delimiter='=')\r\n | parse AdditionalExtensions with * \"x-forwarded-for=\" HttpRequestXff:string \";\" *\r\n | project-rename\r\n HttpReferrer = ['ad.referralurl'],\r\n HttpRequestMethod = ['ad.httpmethod'],\r\n HttpUserAgent = ['ad.agent'],\r\n EventStartTime = FortinetFortiGatestart,\r\n SrcZone = FortinetFortiGatesrcintfrole,\r\n DstZone = FortinetFortiGatedstintfrole,\r\n NetworkSessionId = FortinetFortiGateexternalID,\r\n RuleNumber = FortinetFortiGatepolicyid,\r\n NetworkDuration = FortinetFortiGateduration,\r\n DstGeoCountry = FortinetFortiGatedstcountry,\r\n SrcGeoCountry = FortinetFortiGatesrccountry,\r\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\r\n SrcPackets = FortinetFortiGatesentpkt,\r\n DstPackets = FortinetFortiGatercvdpkt\r\n | parse AdditionalExtensions with * \"Method=\" temp_HttpRequestMethod \"|User-Agent=\" temp_HttpUserAgent \";\" *\r\n | extend \r\n HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),\r\n HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)\r\n | project-away temp_*\r\n | extend \r\n EventCount = int(1)\r\n , EventSchema = \"WebSession\"\r\n , EventSchemaVersion = \"0.2.6\"\r\n , EventType = \"HTTPsession\"\r\n , EventVendor = \"Fortinet\"\r\n , DvcIdType = \"Other\"\r\n , NetworkBytes = DstBytes + SrcBytes\r\n , EventEndTime = TimeGenerated\r\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\r\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\r\n , DstIpAddr contains \":\", \"IPv6\"\r\n , \"\")\r\n , NetworkPackets = DstPackets + SrcPackets\r\n , UserAgent = HttpUserAgent\r\n , Dvc = DvcHostname\r\n , User = SrcUsername\r\n , Hostname = DstHostname\r\n | lookup SeverityLookup on EventOriginalSeverity\r\n | extend \r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n SessionId = NetworkSessionId,\r\n IpAddr = SrcIpAddr,\r\n Duration = NetworkDuration,\r\n Rule = tostring(RuleNumber)\r\n | project-away Protocol, 
AdditionalExtensions, NetworkProtocolNumber\r\n};\r\nparser (disabled=disabled)","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Fortinet FortiGate.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"594302dd-80b9-53d0-9fd7-931c395b0ba5","name":"_ASim_WebSession_FortinetFortiGateV02","body":"let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string)\r\n[\r\n \"passthrough\",\"Allow\",\"Success\"\r\n , \"blocked\",\"Deny\",\"Failure\"\r\n];\r\n// -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\r\nlet SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\r\n[\r\n \"1\", \"Informational\", // Debug\r\n \"2\", \"Informational\", // Information\r\n \"3\", \"Informational\", // Notification\r\n \"4\", \"Low\", // Warning\r\n \"5\", \"Low\", // Error\r\n \"6\", \"High\", // Critical\r\n \"7\", \"Medium\", // Alert\r\n \"8\", \"High\" // Emergency\r\n];\r\nlet parser=(disabled:bool=false){\r\n CommonSecurityLog\r\n | where not(disabled)\r\n | where DeviceVendor == \"Fortinet\" \r\n and DeviceProduct startswith \"Fortigate\"\r\n and Activity has_all ('webfilter', 'utm')\r\n | lookup EventLookup on DeviceAction \r\n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ApplicationProtocol\r\n | project-rename \r\n Url = RequestURL\r\n , UrlCategory = RequestContext\r\n , DstBytes = ReceivedBytes\r\n , DstInterfaceName = DeviceOutboundInterface\r\n , DstIpAddr = DestinationIP\r\n , DstPortNumber = DestinationPort\r\n , 
DvcHostname = Computer\r\n , EventMessage = Activity\r\n , EventOriginalSeverity = LogSeverity\r\n , EventProduct = DeviceProduct\r\n , EventProductVersion = DeviceVersion\r\n , SrcBytes = SentBytes\r\n , SrcInterfaceName = DeviceInboundInterface\r\n , SrcIpAddr = SourceIP\r\n , SrcPortNumber = SourcePort\r\n , NetworkApplicationProtocol = ApplicationProtocol\r\n , DvcId = DeviceExternalID\r\n , EventUid = _ItemId\r\n , SrcHostname = SourceHostName\r\n , SrcUsername = SourceUserName\r\n , DstUsername = DestinationUserName\r\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\r\n | extend \r\n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\r\n , SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\r\n | project-rename DvcOriginalAction = DeviceAction\r\n | parse-kv AdditionalExtensions as (\r\n FortinetFortiGatestart:datetime,\r\n FortinetFortiGatesrcintfrole:string,\r\n FortinetFortiGatedstintfrole:string,\r\n FortinetFortiGateexternalID:string,\r\n FortinetFortiGatepolicyid:int,\r\n FortinetFortiGatedstcountry:string,\r\n FortinetFortiGatesrccountry:string,\r\n FortinetFortiGatecrscore:string,\r\n FortinetFortiGateduration:int,\r\n FortinetFortiGatesentpkt:long,\r\n FortinetFortiGatercvdpkt:long,\r\n ['ad.referralurl']:string,\r\n ['ad.httpmethod']:string,\r\n ['ad.agent']:string\r\n ) with (pair_delimiter=';', kv_delimiter='=')\r\n | parse AdditionalExtensions with * \"x-forwarded-for=\" HttpRequestXff:string \";\" *\r\n | invoke _ASIM_ResolveDstFQDN('DestinationHostName')\r\n | project-rename\r\n HttpReferrer = ['ad.referralurl'],\r\n HttpRequestMethod = ['ad.httpmethod'],\r\n HttpUserAgent = ['ad.agent'],\r\n EventStartTime = FortinetFortiGatestart,\r\n SrcZone = FortinetFortiGatesrcintfrole,\r\n DstZone = FortinetFortiGatedstintfrole,\r\n NetworkSessionId = FortinetFortiGateexternalID,\r\n RuleNumber = FortinetFortiGatepolicyid,\r\n NetworkDuration = FortinetFortiGateduration,\r\n DstGeoCountry = FortinetFortiGatedstcountry,\r\n SrcGeoCountry = 
FortinetFortiGatesrccountry,\r\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\r\n SrcPackets = FortinetFortiGatesentpkt,\r\n DstPackets = FortinetFortiGatercvdpkt\r\n | extend\r\n temp_HttpRequestMethod = extract(@\"rawdata=.*?Method=(.*?)(?:\\||\\;|$)\", 1, AdditionalExtensions),\r\n temp_HttpUserAgent = extract(@\"rawdata=.*?User-Agent=(.*?)(?:\\||\\;|$)\", 1, AdditionalExtensions)\r\n | extend \r\n HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),\r\n HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)\r\n | project-away temp_*\r\n | extend \r\n EventCount = int(1)\r\n , EventSchema = \"WebSession\"\r\n , EventSchemaVersion = \"0.2.6\"\r\n , EventType = \"HTTPsession\"\r\n , EventVendor = \"Fortinet\"\r\n , EventProduct = \"Fortigate\"\r\n , DvcIdType = \"Other\"\r\n , NetworkBytes = DstBytes + SrcBytes\r\n , EventEndTime = TimeGenerated\r\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\r\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\r\n , DstIpAddr contains \":\", \"IPv6\"\r\n , \"\")\r\n , NetworkPackets = DstPackets + SrcPackets\r\n , UserAgent = HttpUserAgent\r\n , Dvc = DvcHostname\r\n , User = SrcUsername\r\n , Hostname = DstHostname\r\n | lookup SeverityLookup on EventOriginalSeverity\r\n | extend \r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n SessionId = NetworkSessionId,\r\n IpAddr = SrcIpAddr,\r\n Duration = NetworkDuration,\r\n Rule = tostring(RuleNumber)\r\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\r\n};\r\nparser (disabled=disabled)","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Fortinet FortiGate.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"09473163-8c9a-57f9-9ecd-00df0c71b862","name":"_ASim_WebSession_FortinetFortiGateV03","body":"let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string)\r\n[\r\n 
\"passthrough\",\"Allow\",\"Success\"\r\n , \"blocked\",\"Deny\",\"Failure\"\r\n];\r\n// -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\r\nlet SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\r\n[\r\n \"1\", \"Informational\", // Debug\r\n \"2\", \"Informational\", // Information\r\n \"3\", \"Informational\", // Notification\r\n \"4\", \"Low\", // Warning\r\n \"5\", \"Low\", // Error\r\n \"6\", \"High\", // Critical\r\n \"7\", \"Medium\", // Alert\r\n \"8\", \"High\" // Emergency\r\n];\r\nlet parser=(disabled:bool=false){\r\n CommonSecurityLog\r\n | where not(disabled)\r\n | where DeviceVendor == \"Fortinet\" \r\n and DeviceProduct startswith \"Fortigate\"\r\n and (Activity has_all ('webfilter', 'utm') or Activity has_all ('ips', 'utm'))\r\n | lookup EventLookup on DeviceAction \r\n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ApplicationProtocol\r\n | project-rename \r\n Url = RequestURL\r\n , UrlCategory = RequestContext\r\n , DstBytes = ReceivedBytes\r\n , DstInterfaceName = DeviceOutboundInterface\r\n , DstIpAddr = DestinationIP\r\n , DstPortNumber = DestinationPort\r\n , DvcHostname = Computer\r\n , EventMessage = Activity\r\n , EventOriginalSeverity = LogSeverity\r\n , EventProductVersion = DeviceVersion\r\n , SrcBytes = SentBytes\r\n , SrcInterfaceName = DeviceInboundInterface\r\n , SrcIpAddr = SourceIP\r\n , SrcPortNumber = SourcePort\r\n , DvcId = DeviceExternalID\r\n , EventUid = _ItemId\r\n , DstHostname = DestinationHostName\r\n , SrcHostname = SourceHostName\r\n , SrcUsername = SourceUserName\r\n , 
DstUsername = DestinationUserName\r\n , NetworkApplicationProtocol = ApplicationProtocol\r\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\r\n | extend \r\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\r\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\r\n | project-rename DvcOriginalAction = DeviceAction\r\n | parse-kv AdditionalExtensions as (\r\n start:datetime,\r\n srcintfrole:string,\r\n dstintfrole:string,\r\n externalID:string,\r\n policyid:int,\r\n dstcountry:string,\r\n srccountry:string,\r\n crscore:string,\r\n duration:int,\r\n sentpkt:long,\r\n rcvdpkt:long,\r\n ['ad.referralurl']:string,\r\n ['ad.httpmethod']:string,\r\n ['ad.agent']:string,\r\n deviceSeverity:string,\r\n ref:string,\r\n msg:string,\r\n profile:string,\r\n incidentserialno:string,\r\n policytype:string,\r\n attack:string,\r\n attackid:string,\r\n logid:string,\r\n direction:string,\r\n subtype:string,\r\n severity: string,\r\n vd:string,\r\n FTNTFGTattack:string,\r\n FTNTFGTattackid:string,\r\n FTNTFGTlogid:string,\r\n FTNTFGTsubtype:string,\r\n FTNTFGTvd:string,\r\n FTNTFGTstart:datetime,\r\n FTNTFGTsrcintfrole:string,\r\n FTNTFGTdstintfrole:string,\r\n FTNTFGTexternalID:string,\r\n FTNTFGTpolicyid:int,\r\n FTNTFGTdstcountry:string,\r\n FTNTFGTsrccountry:string,\r\n FTNTFGTcrscore:string,\r\n FTNTFGTduration:int,\r\n FTNTFGTsentpkt:long,\r\n FTNTFGTrcvdpkt:long\r\n ) with (pair_delimiter=';', kv_delimiter='=')\r\n | parse AdditionalExtensions with * \"x-forwarded-for=\" HttpRequestXff:string \";\" *\r\n | project-rename \r\n HttpReferrer = ['ad.referralurl'],\r\n HttpRequestMethod = ['ad.httpmethod'],\r\n HttpUserAgent = ['ad.agent']\r\n | extend \r\n ThreatName = coalesce(attack,FTNTFGTattack),\r\n ThreatId = coalesce(attackid,FTNTFGTattackid),\r\n EventOriginalUid = coalesce(logid,FTNTFGTlogid),\r\n EventOriginalSubType = coalesce(subtype,FTNTFGTsubtype),\r\n EventStartTime = coalesce(start,FTNTFGTstart),\r\n SrcZone = 
coalesce(srcintfrole,FTNTFGTsrcintfrole),\r\n DstZone = coalesce(dstintfrole,FTNTFGTdstintfrole),\r\n NetworkSessionId = coalesce(externalID,FTNTFGTexternalID),\r\n RuleNumber = coalesce(policyid,FTNTFGTpolicyid),\r\n NetworkDuration = coalesce(duration, FTNTFGTduration),\r\n DstGeoCountry = coalesce(dstcountry,FTNTFGTdstcountry),\r\n SrcGeoCountry = coalesce(srccountry,FTNTFGTsrccountry),\r\n ThreatOriginalRiskLevel = coalesce(crscore,FTNTFGTcrscore),\r\n SrcPackets = coalesce(sentpkt,FTNTFGTsentpkt),\r\n DstPackets = coalesce(rcvdpkt,FTNTFGTrcvdpkt)\r\n | project-away FTNTFGT*, attack, attackid, logid, subtype, start, srcintfrole, dstintfrole, externalID, policyid, dstcountry, srccountry, crscore, duration, sentpkt, rcvdpkt\r\n | parse AdditionalExtensions with * \"Method=\" temp_HttpRequestMethod \"|User-Agent=\" temp_HttpUserAgent \";\" *\r\n | extend \r\n HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),\r\n HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)\r\n | project-away temp_*\r\n | extend AdditionalFields = bag_pack(\r\n \"incidentserialno\",incidentserialno, \r\n \"policytype\",policytype,\r\n \"profile\",profile,\r\n \"ref\",ref,\r\n \"vd\",vd,\r\n \"Message\",msg,\r\n \"deviceSeverity\", deviceSeverity\r\n )\r\n | extend \r\n EventCount = int(1)\r\n , EventSchema = \"WebSession\"\r\n , EventSchemaVersion = \"0.2.6\"\r\n , EventType = \"HTTPsession\"\r\n , EventVendor = \"Fortinet\"\r\n , EventProduct = \"Fortigate\"\r\n , DvcIdType = \"Other\"\r\n , NetworkBytes = DstBytes + SrcBytes\r\n , EventEndTime = TimeGenerated\r\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\r\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\r\n , DstIpAddr contains \":\", \"IPv6\"\r\n , \"\")\r\n , NetworkPackets = DstPackets + SrcPackets\r\n , UserAgent = HttpUserAgent\r\n , Dvc = DvcHostname\r\n , User = SrcUsername\r\n , Hostname = DstHostname\r\n | lookup SeverityLookup on EventOriginalSeverity\r\n | extend 
ipsseverity = case(\r\n severity == \"low\", \"Low\",\r\n severity == \"high\", \"High\",\r\n severity == \"medium\", \"Medium\",\r\n severity == \"info\", \"Informational\",\r\n \"\"\r\n )\r\n | extend EventSeverity = iff(EventMessage has_all ('ips', 'utm'), ipsseverity, EventSeverity)\r\n | extend \r\n Src = SrcIpAddr,\r\n Dst = DstIpAddr,\r\n SessionId = NetworkSessionId,\r\n IpAddr = SrcIpAddr,\r\n Duration = NetworkDuration,\r\n Rule = tostring(RuleNumber)\r\n | extend NetworkDirection = case(\r\n direction == \"incoming\", \"Inbound\",\r\n direction == \"outgoing\", \"Outbound\",\r\n \"\")\r\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber, severity, incidentserialno, policytype, profile, ref, msg, deviceSeverity, direction, vd, ipsseverity\r\n};\r\nparser (disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Fortinet FortiGate.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"d3856611-8bd1-52a1-bd43-d74c4d401ca3","name":"_ASim_WebSession_IISV01","body":"let parser = (disabled: bool = false)\r\n {\r\n W3CIISLog\r\n | extend\r\n EventResult = iff ( toint(scStatus) \"\", Dst, \"\"),\r\n EventType = 'WebServerSession', \r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.2.5',\r\n EventSchema = 'WebSession', \r\n EventProduct = 'IIS',\r\n DvcOs = 'Windows',\r\n EventCount = int(1),\r\n SrcIpAddr = Src,\r\n IpAddr = Src,\r\n HttpUserAgent = UserAgent,\r\n HttpStatusCode = tostring(EventResultDetails),\r\n EventStartTime = ( (TimeGenerated) - (TimeTaken * 1ms)), // TimeTaken field is in Milliseconds \r\n EventEndTime = TimeGenerated,\r\n EventSeverity = iff(EventResult == \"Success\", \"Low\", \"Informational\"),\r\n tempURLconstruct = iff(csUriQuery == \"\", csUriStem, strcat(csUriStem,\"?\",csUriQuery)),\r\n sPort = tostring(sPort),\r\n HttpHost = iff ( HttpHost == \"-\", \"\", HttpHost),\r\n csHost = iff ( csHost == 
\"-\", \"\", csHost), //remove empty values\r\n EventOriginalResultDetails = iff(scSubStatus \"0\", strcat (scStatus, \".\", scSubStatus), scStatus)\r\n | extend \r\n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',csHost)[0],\r\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',csHost)[0],\r\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',csHost)[0]\r\n | extend \r\n DstIpAddr = tostring(coalesce(ipv4_parts[0], ipv6_parts[0])),\r\n DstPortNumber = toint(coalesce(ipv4_parts[1], ipv6_parts[1], host_parts[1])),\r\n HttpHost = tostring(coalesce(host_parts[0], HttpHost))\r\n | project-away ipv4_parts, ipv6_parts, host_parts \r\n | extend \r\n port = strcat (\":\", sPort),\r\n host = case ( \r\n HttpHost == \"Default Web Site\", Dst,\r\n HttpHost \"\" and HttpHost \"Default Web Site\", HttpHost,\r\n Dst\r\n )\r\n | extend \r\n Url = strcat (host, port, tempURLconstruct)\r\n | project-away host, port, tempURLconstruct\r\n | extend \r\n ThreatField = case(\r\n ThreatIpAddr \"\" and ThreatIpAddr == SrcIpAddr, \"SrcIpAddr\"\r\n ,ThreatIpAddr \"\" and ThreatIpAddr == DstIpAddr, \"DstIpAddr\"\r\n ,\"\")\r\n | project-rename\r\n DstHostname = sComputerName\r\n | project-away \r\n AdditionalInformation,\r\n AzureDeploymentID,\r\n Date,\r\n Description,\r\n DvcOs,\r\n FileOffset,\r\n FileUri,\r\n MG, \r\n ManagementGroupName,\r\n Role*,\r\n SourceSystem,\r\n TLPLevel,\r\n TenantId,\r\n TimeTaken,\r\n Time,\r\n cs*,\r\n sPort,\r\n sc*,\r\n StorageAccount\r\n };\r\n parser (disabled)\r\n","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Windows IIS logs.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"9d82073d-6b2d-5959-ac70-34fc8915545a","name":"_ASim_WebSession_IISV02","body":"let parser = (disabled: bool = false)\r\n {\r\n W3CIISLog\r\n | where not(disabled)\r\n | extend\r\n EventResult = iff ( toint(scStatus) \"\", Dst, \"\"),\r\n 
EventType = 'WebServerSession', \r\n EventVendor = 'Microsoft',\r\n EventSchemaVersion = '0.2.6',\r\n EventSchema = 'WebSession', \r\n EventProduct = 'IIS',\r\n DvcOs = 'Windows',\r\n EventCount = int(1),\r\n SrcIpAddr = Src,\r\n IpAddr = Src,\r\n HttpUserAgent = UserAgent,\r\n HttpStatusCode = tostring(EventResultDetails),\r\n EventStartTime = ( (TimeGenerated) - (TimeTaken * 1ms)), // TimeTaken field is in Milliseconds \r\n EventEndTime = TimeGenerated,\r\n EventSeverity = iff(EventResult == \"Success\", \"Low\", \"Informational\"),\r\n Url = iff(csUriQuery == \"\", csUriStem, strcat(csUriStem,\"?\",csUriQuery)),\r\n sPort = tostring(sPort),\r\n HttpHost = iff ( HttpHost == \"-\", \"\", HttpHost),\r\n csHost = iff ( csHost == \"-\", \"\", csHost), //remove empty values\r\n EventOriginalResultDetails = iff(scSubStatus \"0\", strcat (scStatus, \".\", scSubStatus), scStatus)\r\n | extend \r\n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',csHost)[0],\r\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',csHost)[0],\r\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',csHost)[0]\r\n | extend \r\n DstIpAddr = tostring(coalesce(ipv4_parts[0], ipv6_parts[0])),\r\n DstPortNumber = toint(coalesce(ipv4_parts[1], ipv6_parts[1], host_parts[1])),\r\n HttpHost = tostring(coalesce(host_parts[0], HttpHost))\r\n | project-away ipv4_parts, ipv6_parts, host_parts \r\n | extend\r\n DstHostname = HttpHost,\r\n Hostname = HttpHost\r\n | extend \r\n ThreatField = case(\r\n ThreatIpAddr \"\" and ThreatIpAddr == SrcIpAddr, \"SrcIpAddr\"\r\n ,ThreatIpAddr \"\" and ThreatIpAddr == DstIpAddr, \"DstIpAddr\"\r\n ,\"\")\r\n | project-away \r\n AdditionalInformation,\r\n AzureDeploymentID,\r\n Date,\r\n Description,\r\n DvcOs,\r\n FileOffset,\r\n FileUri,\r\n MG, \r\n ManagementGroupName,\r\n Role*,\r\n sComputerName,\r\n SourceSystem,\r\n TLPLevel,\r\n TenantId,\r\n TimeTaken,\r\n Time,\r\n cs*,\r\n sPort,\r\n sc*,\r\n StorageAccount\r\n };\r\n parser 
(disabled=disabled)","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Windows IIS logs.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"942f7015-0858-50dd-b3a1-ea23bc395e0b","name":"_ASim_WebSession_NativeV01","body":"let parser=(disabled:bool=false) \r\n{\r\n ASimWebSessionLogs | where not(disabled)\r\n // \r\n // -- Schema fixed\r\n | extend\r\n FileSize = tolong(FileSize)\r\n //\r\n // -- Log Analytics global fields renaming\r\n | project-rename\r\n EventUid = _ItemId,\r\n DvcScopeId = _SubscriptionId\r\n //\r\n // -- ASIM Global fields\r\n | extend \r\n EventSchema = \"WebSession\"\r\n | extend\r\n //\r\n // -- Default values\r\n EventEndTime = coalesce (EventEndTime, TimeGenerated),\r\n EventStartTime = coalesce (EventStartTime, TimeGenerated),\r\n //\r\n // -- Multi-source aliases\r\n Dvc = iff (EventType == 'HTTPSession',\r\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct)),\r\n coalesce (DvcFQDN, DvcHostname, DstFQDN, DstHostname, DvcIpAddr, DstIpAddr, DvcId, DstDvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct))\r\n ),\r\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\r\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\r\n Rule = coalesce(RuleName, tostring(RuleNumber)),\r\n //\r\n // -- Aliases which depend on EventType\r\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\r\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\r\n //\r\n // -- Simple aliases\r\n Duration = NetworkDuration,\r\n SessionId = NetworkSessionId,\r\n User = SrcUsername,\r\n HttpStatusCode = EventResultDetails,\r\n UserAgent = HttpUserAgent\r\n // --\r\n // -- Aliased fields not implemented in ASimWebSessionLogs yet \r\n //InnerVlanId = 
SrcVlanId,\r\n //OuterVlanId = DstVlanId,\r\n //DvcInterface = coalesce(DvcInterface, DvcInboundInterface, DvcOutboundInterface), \r\n | project-away\r\n TenantId, SourceSystem, _ResourceId\r\n};\r\nparser (disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Microsoft Sentinel native Network Session table.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"0a1a141b-2243-5275-87ad-5f5ba0a0a818","name":"_ASim_WebSession_PaloAltoCEFV01","body":"let parser=(disabled:bool=false){\r\n let EventLookup=datatable(DeviceAction:string, DvcAction:string,EventResult:string,HttpStatusCode:string)\r\n [\r\n \"alert\", \"Allow\", \"Success\",\"200\"\r\n , \"allow\", \"Allow\", \"Success\", \"200\"\r\n , \"continue\", \"Allow\", \"Success\", \"200\"\r\n , \"override\", \"Allow\", \"Success\", \"200\"\r\n , \"block-continue\", \"Allow\", \"Partial\", \"200\"\r\n , \"block-url\", \"Deny\", \"Failure\", \"503\"\r\n , \"block-override\", \"Deny\", \"Failure\", \"302\"\r\n , \"override-lockout\", \"Deny\", \"Failure\",\"503\"\r\n , \"reset client\", \"Reset Source\", \"Failure\", \"503\"\r\n , \"reset server\", \"Reset Destination\", \"Failure\", \"503\"\r\n , \"reset both\", \"Reset\", \"Failure\", \"503\"\r\n , \"deny\", \"Deny\", \"Failure\", \"503\"\r\n , \"drop\", \"Drop\", \"Failure\", \"503\"\r\n , \"drop ICMP\", \"Drop ICMP\", \"Failure\", \"503\"\r\n ];\r\n let SeverityLookup=datatable(LogSeverity:string,EventSeverity:string)\r\n [ 1, \"Informational\" \r\n , 2, \"Low\" \r\n , 3, \"Medium\"\r\n , 4, \"Medium\" \r\n , 5, \"High\"\r\n ];\r\n CommonSecurityLog\r\n | where DeviceVendor == \"Palo Alto Networks\"\r\n and DeviceProduct == \"PAN-OS\"\r\n and Activity == \"THREAT\"\r\n and DeviceEventClassID == \"url\"\r\n | parse-kv AdditionalExtensions as (PanOSXForwarderfor:string, PanXFFIP:string, PanOSReferer:string, PanOSRuleUUID:string, PanSrcHostname:string, 
PanSrcMac:string, PanSrcDeviceCat:string, PanSrcDAG:string, PanOSSrcUUID:string, PanSrcDeviceProf:string, PanSrcDeviceModel:string, PanSrcDeviceVendor:string, PanSrcDeviceOS:string, PanSrcDeviceOSv:string, PanDstHostname:string, PanDstMac:string, PanDstDeviceCat:string, PanDstDAG:string, PanOSDstUUID:string, PanDstDeviceProf:string, PanDstDeviceModel:string, PanDstDeviceVendor:string, PanDstDeviceOS:string, PanDstDeviceOSv:string) with (pair_delimiter=';', kv_delimiter='=')\r\n | extend \r\n HttpRequestXff = coalesce(PanOSXForwarderfor, PanXFFIP)\r\n | lookup EventLookup on DeviceAction\r\n | lookup SeverityLookup on LogSeverity\r\n | project-rename \r\n DvcHostname = Computer\r\n , HttpReferrer = PanOSReferer\r\n , DstMacAddr = PanDstMac\r\n , SrcMacAddr = PanSrcMac\r\n , DstHostname = PanDstHostname\r\n , SrcHostname = PanSrcHostname\r\n , Url = RequestURL\r\n , DvcId = DeviceExternalID\r\n , SrcZone = DeviceCustomString4\r\n , DstZone = DeviceCustomString5\r\n , UrlCategory = DeviceCustomString2\r\n , DvcOriginalAction = DeviceAction\r\n , EventUid = _ItemId\r\n , EventOriginalSeverity = LogSeverity\r\n , EventProductVersion = DeviceVersion\r\n , DvcInboundInterface = DeviceInboundInterface\r\n , DvcOutboundInterface = DeviceOutboundInterface\r\n , DstIpAddr = DestinationIP\r\n , DstPortNumber = DestinationPort\r\n , SrcIpAddr = SourceIP\r\n , SrcPortNumber = SourcePort\r\n , SrcUsername = SourceUserName\r\n , DstUsername = DestinationUserName\r\n , NetworkRuleName = DeviceCustomString1\r\n , ThreatOriginalConfidence = ThreatConfidence\r\n , DstNatIpAddr = DestinationTranslatedAddress\r\n , DstNatPortNumber = DestinationTranslatedPort\r\n , SrcNatIpAddr = SourceTranslatedAddress\r\n , SrcNatPortNumber = SourceTranslatedPort\r\n | extend\r\n Dvc = DvcHostname\r\n , DvcIdType = \"Other\"\r\n , EventType = \"HTTPsession\"\r\n , EventSchema = \"WebSession\"\r\n , EventSchemaVersion = \"0.2.5\"\r\n , EventProduct = \"Palo Alto\"\r\n , EventVendor = \"PanOS\"\r\n , 
EventStartTime = TimeGenerated\r\n , EventEndTime = TimeGenerated\r\n , HttpRequestMethod = toupper(RequestMethod)\r\n , EventResultDetails = \"NA\"\r\n , HttpContentFormat = RequestContext\r\n , DstFQDN = iif(Url contains \":\", split(tostring(split(trim('\"',Url),\"/\")[0]),\":\")[0],tostring(split(trim('\"',Url),\"/\")[0]))\r\n , DstDomainType = \"FQDN\"\r\n , Src = SrcIpAddr\r\n , SrcUsernameType = \"Windows\"\r\n , DstUsernameType = \"Windows\"\r\n , NetworkProtocolVersion = case(\r\n DstIpAddr contains \".\" , \"IPv4\"\r\n , DstIpAddr contains \":\", \"IPv6\"\r\n , \"\")\r\n , NetworkDirection = case(\r\n FlexString2 == \"client-to-server\", \"Outbound\"\r\n , FlexString2 == \"server-to-client\", \"Inbound\"\r\n , \"\")\r\n , IpAddr = SrcIpAddr\r\n , NetworkProtocol = toupper(Protocol)\r\n , User = SrcUsername\r\n , Rule = NetworkRuleName\r\n , NetworkSessionId = tostring(DeviceCustomNumber1)\r\n , DvcInterface = DvcInboundInterface\r\n , Hostname = DstHostname\r\n | extend \r\n SessionId = NetworkSessionId\r\n , ThreatField = case(\r\n isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\r\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\r\n , \"\")\r\n , Dst = DstFQDN\r\n | extend \r\n ThreatIpAddr = case(\r\n ThreatField == \"SrcIpAddr\", SrcIpAddr\r\n , ThreatField == \"DstIpAddr\", DstIpAddr\r\n , \"\")\r\n | project DeviceVendor, Dst, DstDomainType, DstFQDN, DstHostname, DstIpAddr, DstMacAddr, DstNatIpAddr, DstNatPortNumber, DstPortNumber, DstUsername, DstUsernameType, DstZone, Dvc, DvcAction, DvcHostname, DvcId, DvcIdType, DvcInboundInterface, DvcInterface, DvcOriginalAction, DvcOutboundInterface, EventCount, EventEndTime, EventOriginalSeverity, EventProduct, EventProductVersion, EventResult, EventResultDetails, EventSchema, EventSchemaVersion, EventSeverity, EventStartTime, EventType, EventUid, EventVendor, Hostname, HttpContentFormat, HttpRequestMethod, HttpRequestXff, 
HttpStatusCode, IpAddr, NetworkDirection, NetworkProtocol, NetworkProtocolVersion, NetworkRuleName, NetworkSessionId, Protocol, RequestContext, RequestMethod, Rule, SessionId, Src, SrcHostname, SrcIpAddr, SrcMacAddr, SrcNatIpAddr, SrcNatPortNumber, SrcPortNumber, SrcUsername, SrcUsernameType, SrcZone, ThreatField, ThreatIpAddr, ThreatOriginalConfidence, TimeGenerated, Type, Url, UrlCategory, User\r\n};\r\nparser (disabled)","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Palo Alto Networks URL Filtering.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"3f8b03e0-e95c-585d-a6c1-72cb23058c63","name":"_ASim_WebSession_PaloAltoCEFV02","body":"let parser=(disabled:bool=false){\r\n let EventLookup=datatable(DeviceAction:string, DvcAction:string,EventResult:string,HttpStatusCode:string)\r\n [\r\n \"alert\", \"Allow\", \"Success\",\"200\"\r\n , \"allow\", \"Allow\", \"Success\", \"200\"\r\n , \"continue\", \"Allow\", \"Success\", \"200\"\r\n , \"override\", \"Allow\", \"Success\", \"200\"\r\n , \"block-continue\", \"Allow\", \"Partial\", \"200\"\r\n , \"block-url\", \"Deny\", \"Failure\", \"503\"\r\n , \"block-override\", \"Deny\", \"Failure\", \"302\"\r\n , \"override-lockout\", \"Deny\", \"Failure\",\"503\"\r\n , \"reset client\", \"Reset Source\", \"Failure\", \"503\"\r\n , \"reset server\", \"Reset Destination\", \"Failure\", \"503\"\r\n , \"reset both\", \"Reset\", \"Failure\", \"503\"\r\n , \"deny\", \"Deny\", \"Failure\", \"503\"\r\n , \"drop\", \"Drop\", \"Failure\", \"503\"\r\n , \"drop ICMP\", \"Drop ICMP\", \"Failure\", \"503\"\r\n ];\r\n let SeverityLookup=datatable(LogSeverity:string,EventSeverity:string)\r\n [ 1, \"Informational\" \r\n , 2, \"Low\" \r\n , 3, \"Medium\"\r\n , 4, \"Medium\" \r\n , 5, \"High\"\r\n ];\r\n CommonSecurityLog\r\n | where DeviceVendor == \"Palo Alto Networks\"\r\n and DeviceProduct == \"PAN-OS\"\r\n and Activity == \"THREAT\"\r\n and 
DeviceEventClassID == \"url\"\r\n | parse-kv AdditionalExtensions as (PanOSXForwarderfor:string, PanXFFIP:string, PanOSReferer:string, PanOSRuleUUID:string, PanSrcHostname:string, PanSrcMac:string, PanSrcDeviceCat:string, PanSrcDAG:string, PanOSSrcUUID:string, PanSrcDeviceProf:string, PanSrcDeviceModel:string, PanSrcDeviceVendor:string, PanSrcDeviceOS:string, PanSrcDeviceOSv:string, PanDstHostname:string, PanDstMac:string, PanDstDeviceCat:string, PanDstDAG:string, PanOSDstUUID:string, PanDstDeviceProf:string, PanDstDeviceModel:string, PanDstDeviceVendor:string, PanDstDeviceOS:string, PanDstDeviceOSv:string) with (pair_delimiter=';', kv_delimiter='=')\r\n | extend \r\n HttpRequestXff = coalesce(PanOSXForwarderfor, PanXFFIP)\r\n | lookup EventLookup on DeviceAction\r\n | lookup SeverityLookup on LogSeverity\r\n | project-rename \r\n DvcHostname = Computer\r\n , HttpReferrer = PanOSReferer\r\n , DstMacAddr = PanDstMac\r\n , SrcMacAddr = PanSrcMac\r\n , DstHostname = PanDstHostname\r\n , SrcHostname = PanSrcHostname\r\n , Url = RequestURL\r\n , DvcId = DeviceExternalID\r\n , SrcZone = DeviceCustomString4\r\n , DstZone = DeviceCustomString5\r\n , UrlCategory = DeviceCustomString2\r\n , DvcOriginalAction = DeviceAction\r\n , EventUid = _ItemId\r\n , EventOriginalSeverity = LogSeverity\r\n , EventProductVersion = DeviceVersion\r\n , DvcInboundInterface = DeviceInboundInterface\r\n , DvcOutboundInterface = DeviceOutboundInterface\r\n , DstIpAddr = DestinationIP\r\n , DstPortNumber = DestinationPort\r\n , SrcIpAddr = SourceIP\r\n , SrcPortNumber = SourcePort\r\n , SrcUsername = SourceUserName\r\n , DstUsername = DestinationUserName\r\n , NetworkRuleName = DeviceCustomString1\r\n , ThreatOriginalConfidence = ThreatConfidence\r\n , DstNatIpAddr = DestinationTranslatedAddress\r\n , DstNatPortNumber = DestinationTranslatedPort\r\n , SrcNatIpAddr = SourceTranslatedAddress\r\n , SrcNatPortNumber = SourceTranslatedPort\r\n , HttpUserAgent = RequestClientApplication\r\n | 
extend\r\n Dvc = DvcHostname\r\n , DvcIdType = \"Other\"\r\n , EventType = \"HTTPsession\"\r\n , EventSchema = \"WebSession\"\r\n , EventSchemaVersion = \"0.2.5\"\r\n , EventVendor = \"Palo Alto\"\r\n , EventProduct = \"PanOS\"\r\n , EventStartTime = TimeGenerated\r\n , EventEndTime = TimeGenerated\r\n , HttpRequestMethod = toupper(RequestMethod)\r\n , EventResultDetails = \"NA\"\r\n , HttpContentFormat = RequestContext\r\n , DstFQDN = iif(Url contains \":\", split(tostring(split(trim('\"',Url),\"/\")[0]),\":\")[0],tostring(split(trim('\"',Url),\"/\")[0]))\r\n , DstDomainType = \"FQDN\"\r\n , Src = SrcIpAddr\r\n , SrcUsernameType = \"Windows\"\r\n , DstUsernameType = \"Windows\"\r\n , NetworkProtocolVersion = case(\r\n DstIpAddr contains \".\" , \"IPv4\"\r\n , DstIpAddr contains \":\", \"IPv6\"\r\n , \"\")\r\n , NetworkDirection = case(\r\n FlexString2 == \"client-to-server\", \"Outbound\"\r\n , FlexString2 == \"server-to-client\", \"Inbound\"\r\n , \"\")\r\n , IpAddr = SrcIpAddr\r\n , NetworkProtocol = toupper(Protocol)\r\n , User = SrcUsername\r\n , Rule = NetworkRuleName\r\n , NetworkSessionId = tostring(DeviceCustomNumber1)\r\n , DvcInterface = DvcInboundInterface\r\n , Hostname = DstHostname\r\n , UserAgent = HttpUserAgent\r\n | extend \r\n SessionId = NetworkSessionId\r\n , ThreatField = case(\r\n isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\r\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\r\n , \"\")\r\n , Dst = DstFQDN\r\n | extend \r\n ThreatIpAddr = case(\r\n ThreatField == \"SrcIpAddr\", SrcIpAddr\r\n , ThreatField == \"DstIpAddr\", DstIpAddr\r\n , \"\")\r\n | project DeviceVendor, Dst, DstDomainType, DstFQDN, DstHostname, DstIpAddr, DstMacAddr, DstNatIpAddr, DstNatPortNumber, DstPortNumber, DstUsername, DstUsernameType, DstZone, Dvc, DvcAction, DvcHostname, DvcId, DvcIdType, DvcInboundInterface, DvcInterface, DvcOriginalAction, DvcOutboundInterface, EventCount, 
EventEndTime, EventOriginalSeverity, EventProduct, EventProductVersion, EventResult, EventResultDetails, EventSchema, EventSchemaVersion, EventSeverity, EventStartTime, EventType, EventUid, EventVendor, Hostname, HttpContentFormat, HttpRequestMethod, HttpRequestXff, HttpStatusCode, IpAddr, NetworkDirection, NetworkProtocol, NetworkProtocolVersion, NetworkRuleName, NetworkSessionId, Protocol, RequestContext, RequestMethod, Rule, SessionId, Src, SrcHostname, SrcIpAddr, SrcMacAddr, SrcNatIpAddr, SrcNatPortNumber, SrcPortNumber, SrcUsername, SrcUsernameType, SrcZone, ThreatField, ThreatIpAddr, ThreatOriginalConfidence, TimeGenerated, Type, Url, UrlCategory, User, HttpUserAgent, UserAgent\r\n};\r\nparser (disabled)","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Palo Alto Networks URL Filtering.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"0f0bfea6-c81f-5b2d-ae10-6042c2fae264","name":"_ASim_WebSession_PaloAltoCortexDataLakeV01","body":"let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\r\n[\r\n \"0\", \"Low\",\r\n \"1\", \"Low\",\r\n \"2\", \"Low\",\r\n \"3\", \"Low\",\r\n \"4\", \"Low\",\r\n \"5\", \"Low\",\r\n \"6\", \"Medium\",\r\n \"7\", \"Medium\",\r\n \"8\", \"Medium\",\r\n \"9\", \"High\",\r\n \"10\", \"High\"\r\n];\r\nlet EventLookup=datatable(\r\n DeviceAction: string,\r\n DvcAction: string,\r\n EventResult: string\r\n)\r\n [\r\n \"alert\", \"Allow\", \"Success\",\r\n \"continue\", \"Allow\", \"Success\",\r\n \"override\", \"Allow\", \"Success\",\r\n \"block-continue\", \"Allow\", \"Partial\",\r\n \"block-url\", \"Deny\", \"Failure\",\r\n \"block-override\", \"Deny\", \"Failure\",\r\n \"override-lockout\", \"Deny\", \"Failure\",\r\n];\r\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\r\n [\r\n \"1\", 20,\r\n \"2\", 40,\r\n \"3\", 60,\r\n \"4\", 80,\r\n \"5\", 100\r\n];\r\nlet parser = 
(disabled: bool=false) {\r\n CommonSecurityLog\r\n | where not(disabled)\r\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\r\n and DeviceEventClassID == \"THREAT\" and Activity == \"url\"\r\n | parse-kv AdditionalExtensions as (PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSDestinationDeviceMac: string, PanOSSourceUUID: string, PanOSSourceDeviceMac: string, PanOSReferer: string, PanOSIsClienttoServer: string, PanOSSourceDeviceHost: string, PanOSDestinationDeviceHost: string, start: string, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSApplicationTechnology: string, PanOSDestinationDeviceOS: string, PanOSDestinationDeviceOSFamily: string, PanOSDestinationDeviceOSVersion: string, PanOSHostID: string, PanOSHTTPHeaders: string, PanOSInlineMLVerdict: string, PanOSInboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsType: string, PanOSParentSessionID: string, PanOSContainerName: string, PanOSContainerNameSpace: string, PanOSHTTPRefererFQDN: string, PanOSHTTPRefererPort: string, PanOSHTTPRefererProtocol: string, PanOSHTTPRefererURLPath: string, PanOSRuleUUID: string, PanOSURLCategoryList: string, PanOSURLDomain: string, PanOSURLCounter: string, PanOSUsers: string, PanOSVendorSeverity: string, [\"PanOSX-Forwarded-For\"]: string, [\"PanOSX-Forwarded-ForIP\"]: string, PanOSIsSaaSApplication: string, PanOSLogSource: string, PanOSSourceLocation: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\r\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\r\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\r\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\r\n | lookup EventSeverityLookup on LogSeverity\r\n | lookup EventLookup on DeviceAction\r\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\r\n | extend\r\n EventStartTime = todatetime(coalesce(start, ReceiptTime)),\r\n SrcIpAddr = coalesce(SourceIP, 
DeviceCustomIPv6Address2),\r\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\r\n HttpRequestMethod = toupper(RequestMethod),\r\n NetworkProtocol = toupper(Protocol),\r\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\r\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\r\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\r\n AdditionalFields = bag_pack(\r\n \"DirectionOfAttack\",\r\n FlexString2,\r\n \"VirtualLocation\",\r\n DeviceCustomString3,\r\n \"PanOSApplicationCategory\",\r\n PanOSApplicationCategory,\r\n \"PanOSApplicationSubcategory\",\r\n PanOSApplicationSubcategory,\r\n \"PanOSApplicationTechnology\",\r\n PanOSApplicationTechnology,\r\n \"PanOSDestinationDeviceOS\",\r\n PanOSDestinationDeviceOS,\r\n \"PanOSDestinationDeviceOSFamily\",\r\n PanOSDestinationDeviceOSFamily,\r\n \"PanOSDestinationDeviceOSVersion\",\r\n PanOSDestinationDeviceOSVersion,\r\n \"PanOSHostID\",\r\n PanOSHostID,\r\n \"PanOSHTTPHeaders\",\r\n PanOSHTTPHeaders,\r\n \"PanOSInlineMLVerdict\",\r\n PanOSInlineMLVerdict,\r\n \"PanOSInboundInterfaceDetailsType\",\r\n PanOSInboundInterfaceDetailsType,\r\n \"PanOSOutboundInterfaceDetailsType\",\r\n PanOSOutboundInterfaceDetailsType,\r\n \"PanOSParentSessionID\",\r\n PanOSParentSessionID,\r\n \"PanOSContainerName\",\r\n PanOSContainerName,\r\n \"PanOSContainerNameSpace\",\r\n PanOSContainerNameSpace,\r\n \"PanOSHTTPRefererFQDN\",\r\n PanOSHTTPRefererFQDN,\r\n \"PanOSHTTPRefererPort\",\r\n PanOSHTTPRefererPort,\r\n \"PanOSHTTPRefererProtocol\",\r\n PanOSHTTPRefererProtocol,\r\n \"PanOSHTTPRefererURLPath\",\r\n PanOSHTTPRefererURLPath,\r\n \"PanOSRuleUUID\",\r\n PanOSRuleUUID,\r\n \"PanOSURLCategoryList\",\r\n PanOSURLCategoryList,\r\n \"PanOSURLDomain\",\r\n PanOSURLDomain,\r\n \"PanOSURLCounter\",\r\n PanOSURLCounter,\r\n \"PanOSUsers\",\r\n PanOSUsers,\r\n \"PanOSVendorSeverity\",\r\n PanOSVendorSeverity,\r\n \"PanOSX-Forwarded-For\",\r\n [\"PanOSX-Forwarded-For\"],\r\n \"PanOSX-Forwarded-ForIP\",\r\n 
[\"PanOSX-Forwarded-ForIP\"],\r\n \"PanOSLogSource\",\r\n PanOSLogSource\r\n ),\r\n HttpContentType = RequestContext\r\n | project-rename\r\n DvcIpAddr = Computer,\r\n EventUid = _ItemId,\r\n DstDvcId = PanOSDestinationUUID,\r\n DstGeoCountry = PanOSDestinationLocation,\r\n DstMacAddr = PanOSDestinationDeviceMac,\r\n DstNatIpAddr = DestinationTranslatedAddress,\r\n DstNatPortNumber = DestinationTranslatedPort,\r\n DstPortNumber = DestinationPort,\r\n DstUsername = DestinationUserName,\r\n DstZone = DeviceCustomString5,\r\n DvcId = DeviceExternalID,\r\n DvcOriginalAction = DeviceAction,\r\n EventOriginalSeverity = LogSeverity,\r\n EventOriginalType = DeviceEventClassID,\r\n EventOriginalUid = ExtID,\r\n EventProductVersion = DeviceVersion,\r\n HttpContentFormat = RequestContext,\r\n HttpReferrer = PanOSReferer,\r\n RuleName = DeviceCustomString1,\r\n SrcDvcId = PanOSSourceUUID,\r\n SrcMacAddr = PanOSSourceDeviceMac,\r\n SrcNatIpAddr = SourceTranslatedAddress,\r\n SrcNatPortNumber = SourceTranslatedPort,\r\n SrcPortNumber = SourcePort,\r\n SrcUsername = SourceUserName,\r\n SrcZone = DeviceCustomString4,\r\n Url = RequestURL,\r\n UrlCategory = DeviceCustomString2,\r\n EventOriginalSubType = Activity,\r\n DvcOutboundInterface = DeviceOutboundInterface,\r\n DvcInboundInterface = DeviceInboundInterface,\r\n DstUserId = DestinationUserID,\r\n SrcUserId = SourceUserID,\r\n HttpUserAgent = RequestClientApplication,\r\n SrcGeoCountry = PanOSSourceLocation,\r\n DvcScopeId = PanOSCortexDataLakeTenantID,\r\n SrcAppName = ApplicationProtocol,\r\n ThreatOriginalRiskLevel = PanOSApplicationRisk\r\n | extend\r\n Dst = coalesce(DstFQDN, DstDvcId, DstHostname, DstIpAddr),\r\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\r\n EventEndTime = EventStartTime,\r\n Src = coalesce(SrcFQDN, SrcDvcId, SrcHostname, SrcIpAddr),\r\n NetworkProtocolVersion = case(\r\n DstIpAddr contains \".\",\r\n \"IPv4\", \r\n DstIpAddr contains \":\",\r\n \"IPv6\", \r\n \"\"\r\n ),\r\n 
NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\r\n Rule = RuleName,\r\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\r\n DstUserType = _ASIM_GetUserType(DstUsername, DstUserId),\r\n User = SrcUsername,\r\n Hostname = DstHostname,\r\n IpAddr = SrcIpAddr,\r\n SessionId = NetworkSessionId,\r\n UserAgent = HttpUserAgent,\r\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\r\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\r\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\r\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\r\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\r\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\r\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\r\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\r\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\r\n SrcAppType = case(\r\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\",\r\n \"SaaS Application\",\r\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\",\r\n \"Other\",\r\n \"\"\r\n )\r\n | extend\r\n EventProduct = \"Cortex Data Lake\",\r\n EventVendor = \"Palo Alto\",\r\n EventSchema = \"WebSession\",\r\n EventSchemaVersion = \"0.2.6\",\r\n EventType = \"HTTPsession\"\r\n | project-away\r\n Source*,\r\n Destination*,\r\n Device*,\r\n AdditionalExtensions,\r\n CommunicationDirection,\r\n EventOutcome,\r\n PanOS*,\r\n Protocol,\r\n ExternalID,\r\n Message,\r\n start,\r\n EndTime,\r\n FieldDevice*,\r\n Flex*,\r\n File*,\r\n Old*,\r\n MaliciousIP*,\r\n OriginalLogSeverity,\r\n Process*,\r\n ReceivedBytes,\r\n SentBytes,\r\n Remote*,\r\n Request*,\r\n SimplifiedDeviceAction,\r\n StartTime,\r\n TenantId,\r\n ReportReferenceLink,\r\n ReceiptTime,\r\n Reason,\r\n Indicator*,\r\n _ResourceId,\r\n ThreatConfidence,\r\n ThreatDescription,\r\n 
ThreatSeverity\r\n};\r\nparser(disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Palo Alto Cortex Data Lake.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"342c83a1-c87d-5f13-84c1-f5b241c4d244","name":"_ASim_WebSession_SonicWallFirewallV01","body":"let parser=(disabled:bool=false){\r\n let Actions=datatable(fw_action:string, DvcAction:string, EventSeverity:string)\r\n [ \"\\\"forward\\\"\", \"Allow\", \"Informational\"\r\n , \"\\\"mgmt\\\"\", \"Other\", \"Informational\"\r\n , \"\\\"NA\\\"\", \"Other\", \"Informational\"\r\n , \"\\\"drop\\\"\", \"Drop\", \"Low\"\r\n ];\r\n CommonSecurityLog\r\n | where not(disabled)\r\n and DeviceVendor == \"SonicWall\"\r\n and DeviceEventClassID in (14, 97)\r\n and Protocol has_any(dynamic([\"udp/http\", \"tcp/http\", \"udp/https\", \"tcp/https\"]))\r\n | parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\r\n | extend\r\n SrcIpAddr = coalesce(SourceIP, srcV6)\r\n , DstIpAddr = coalesce(DestinationIP, dstV6)\r\n | where (isnotempty(SrcIpAddr) or isnotempty(DstIpAddr))\r\n and isnotempty(fw_action)\r\n | extend RequestURL_ = extract(@\"(?:[.*;]+?)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)(?:;fw_action)\", 1, AdditionalExtensions)\r\n | extend RequestURL_ = iif(RequestURL_ startswith \"snpt\" or RequestURL_ startswith \"dnpt\" or RequestURL_ 
startswith \"appid\" or RequestURL_ startswith \"appName\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), RequestURL_)\r\n | extend RequestURL_ = iif(RequestURL_ matches regex @\"^(.{2,6}=.{1,6})\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), iif(RequestURL_ matches regex @\"^\\w=\\d$\", \"\", RequestURL_))\r\n | extend RequestURL_ = iif(RequestURL_ has_any(dynamic([\"af_polid=\", \"ipscat=\", \"snpt=\", \"dnpt=\"])), \"\", RequestURL_)\r\n | extend RequestURL = iif(isnotempty(RequestURL), RequestURL, iif(RequestURL_ contains \"/\" and RequestURL_ contains \".\", RequestURL_, \"\"))\r\n | where isnotempty(RequestURL)\r\n | lookup Actions on fw_action\r\n | extend EventResult = case(DvcAction == \"Allow\", \"Success\",\r\n DvcAction == \"Management\", \"NA\",\r\n DvcAction == \"NA\", \"NA\",\r\n DvcAction == \"Other\", \"NA\",\r\n \"Failure\"\r\n )\r\n | extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\r\n LogSeverity == 9, \"Alert (1)\",\r\n LogSeverity == 8, \"Critical (2)\",\r\n LogSeverity == 7, \"Error (3)\",\r\n LogSeverity == 6, \"Warning (4)\",\r\n LogSeverity == 5, \"Notice (5)\",\r\n LogSeverity == 4, \"Info (6)/Debug (7)\",\r\n LogSeverity == 3, \"Not Mapped (3)\",\r\n LogSeverity == 2, \"Not Mapped (2)\",\r\n LogSeverity == 1, \"Not Mapped (1)\",\r\n \"Not Mapped\"\r\n )\r\n | extend EventSeverity = case(tolong(LogSeverity) 8, \"High\"\r\n , \"\"\r\n )\r\n | extend HttpRequestMethod = case(tolong(RequestMethod) == 0, \"\"\r\n , tolong(RequestMethod) == 1, \"GET\"\r\n , tolong(RequestMethod) == 2, \"POST\"\r\n , tolong(RequestMethod) == 3, \"HEAD\"\r\n , tolong(RequestMethod) == 4, \"PUT\"\r\n , tolong(RequestMethod) == 5, \"CONNECT\"\r\n , tolong(RequestMethod) == 6, \"\"\r\n , \"\"\r\n )\r\n | extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\r\n , DestinationIP has \":\", \"IPv6\"\r\n , \"\"\r\n )\r\n , 
NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\r\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\r\n , EventOriginalType = DeviceEventClassID\r\n | project-rename\r\n DstMacAddr = DestinationMACAddress\r\n , SrcMacAddr = SourceMACAddress\r\n , DstPortNumber = DestinationPort\r\n , SrcPortNumber = SourcePort\r\n , EventMessage = Activity\r\n , sosEventMessageDetail = Message\r\n , EventProductVersion = DeviceVersion\r\n , Dvc = Computer\r\n , DvcOutboundInterface = DeviceOutboundInterface\r\n , DvcInboundInterface = DeviceInboundInterface\r\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\r\n , sosCFSFullString = Reason // CFS Block Category ID and Name\r\n , RuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\r\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\r\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\r\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\r\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\r\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\r\n , SrcZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\r\n , DstZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) 
on Gen6.\r\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\r\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\r\n , SrcUsername = SourceUserName\r\n , ThreatOriginalConfidence = ThreatConfidence\r\n , HttpUserAgent = RequestClientApplication\r\n , Url = RequestURL\r\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\r\n gcat == 2, \"Log (2)\",\r\n gcat == 3, \"Security Services (3)\",\r\n gcat == 4, \"Users (4)\",\r\n gcat == 5, \"Firewall Settings (5)\",\r\n gcat == 6, \"Network (6)\",\r\n gcat == 7, \"VPN (7)\",\r\n gcat == 8, \"High Availability (8)\",\r\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\r\n gcat == 10, \"Firewall (10)\",\r\n gcat == 11, \"Wireless (11)\",\r\n gcat == 12, \"VoIP (12)\",\r\n gcat == 13, \"SSL VPN (13)\",\r\n gcat == 14, \"Anti-Spam (14)\",\r\n gcat == 15, \"WAN Acceleration (15)\",\r\n gcat == 16, \"Object (16)\",\r\n gcat == 17, \"SD-WAN (17)\",\r\n gcat == 18, \"Multi-Instance (18)\",\r\n gcat == 19, \"Unified Policy Engine (19)\",\r\n \"Log Category Not Mapped\"\r\n )\r\n| extend EventOriginalSubType = case(DeviceEventCategory == 0, \"None (0)\",\r\n DeviceEventCategory == 1, \"System Maintenance (1)\",\r\n DeviceEventCategory == 2, \"System Errors (2)\",\r\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\r\n DeviceEventCategory == 8, \"Blocked Java Etc. 
(8)\",\r\n DeviceEventCategory == 16, \"User Activity (16)\",\r\n DeviceEventCategory == 32, \"Attacks (32)\",\r\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\r\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\r\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\r\n DeviceEventCategory == 512, \"Network Debug (512)\",\r\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\r\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\r\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\r\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\r\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\r\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\r\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\r\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\r\n DeviceEventCategory == 524288, \"System Environment (524288)\",\r\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\r\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\r\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\r\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\r\n \"Legacy Category Not Mapped\"\r\n )\r\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\r\n ipspri == 2, \"Medium (2)\",\r\n ipspri == 3, \"Low (3)\",\r\n \"\"\r\n )\r\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\r\n spypri == 2, \"Medium (2)\",\r\n spypri == 3, \"Low (3)\",\r\n \"\"\r\n )\r\n| extend\r\n EventVendor = \"SonicWall\"\r\n , EventProduct = \"Firewall\"\r\n , DvcOs = \"SonicOS\"\r\n , DvcOsVersion = EventProductVersion\r\n , DvcIdType = \"Other\"\r\n , DvcDescription = DeviceProduct\r\n , Rule = RuleName\r\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\r\n , sosIPSFullString = ipscat\r\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS 
Category/Signature\r\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\r\n , FileSize = tolong(coalesce(FileSize, long(null)))\r\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\r\n , HttpReferrer = extract(@'Referer: (.*)\\\"$', 1, coalesce(sosLogMsgNote, \"\"))\r\n , sosHttpRequestMethod_ = extract(@'Command: (.\\w+)', 1, coalesce(sosLogMsgNote, \"\"))\r\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\r\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\r\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\r\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\r\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\r\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\r\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\r\n , EventOriginalSeverity = LogSeverity\r\n , Dst = DstIpAddr\r\n , Src = SrcIpAddr\r\n , IpAddr = SrcIpAddr\r\n , EventStartTime = TimeGenerated\r\n , EventEndTime = TimeGenerated\r\n , EventType = \"HTTPsession\"\r\n , EventSchemaVersion = \"0.2.5\"\r\n , EventSchema = \"WebSession\"\r\n , EventCount = toint(1)\r\n , EventUid = _ItemId\r\n , ASimMatchingIpAddr = \"-\"\r\n , UserAgent = HttpUserAgent\r\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\r\n| extend\r\n UrlCategory = sosCFSCategoryName\r\n , HttpRequestMethod = coalesce(HttpRequestMethod, sosHttpRequestMethod_)\r\n , SrcUsername = coalesce(susr, SrcUsername)\r\n , FileName = coalesce(FileName, sosAppControlFileName)\r\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\r\n , SrcZone 
== \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\r\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\r\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\r\n , SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\r\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\r\n , DstZone == \"MULTICAST\", \"NA\"\r\n , DstZone == \"WAN\", \"Outbound\"\r\n , \"Local\"\r\n )\r\n| extend\r\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\r\n SrcUsername has \"\\\\\", \"Windows\",\r\n SrcUsername has \"@\", \"UPN\",\r\n SrcUsername == \"Unknown (external IP)\", \"\",\r\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\r\n isnotempty(SrcUsername), \"Simple\",\r\n \"\"\r\n )\r\n , User = SrcUsername\r\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\r\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\r\n , \"\"\r\n )\r\n| extend\r\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\r\n , ThreatField == \"DstIpAddr\", DstIpAddr\r\n , \"\"\r\n )\r\n| extend\r\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\r\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\r\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\r\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\r\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\r\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\r\n , SrcBytes = case(NetworkDirection == \"Outbound\", tolong(SentBytes)\r\n , NetworkDirection == \"Inbound\", tolong(ReceivedBytes)\r\n , NetworkDirection == \"Local\" and SrcZone == \"WAN\", tolong(ReceivedBytes)\r\n , NetworkDirection == \"Local\" and SrcZone != \"WAN\", tolong(SentBytes)\r\n , 
tolong(long(null))\r\n )\r\n , DstBytes = case(NetworkDirection == \"Outbound\", tolong(ReceivedBytes)\r\n , NetworkDirection == \"Inbound\", tolong(SentBytes)\r\n , NetworkDirection == \"Local\" and DstZone == \"WAN\", tolong(SentBytes)\r\n , NetworkDirection == \"Local\" and DstZone != \"WAN\", tolong(ReceivedBytes)\r\n , tolong(long(null))\r\n )\r\n| extend\r\n SrcAppType = case(isempty(SrcAppName), \"\"\r\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\r\n , DstAppType = case(isempty(DstAppName), \"\"\r\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\r\n| project-rename\r\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\r\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\r\n| extend\r\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\r\n , NetworkDirection == \"Inbound\", tolong(sosSentPackets)\r\n , tolong(long(null))\r\n )\r\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\r\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\r\n , tolong(long(null))\r\n )\r\n| project-rename\r\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\r\n , sosUser = susr // Logged-in username associated with the log event.\r\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\r\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\r\n , sosAppRuleService = af_service // App Rule Service Name.\r\n , sosAppRuleType = af_type // App Rule Policy Type.\r\n , sosAppRuleObject = af_object // App Rule Object Name.\r\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\r\n , sosAppRuleAction = af_action\r\n , sosSourceIPv6Address = srcV6\r\n , sosDestinationIPv6Address = dstV6\r\n , sosAppFullString = appcat // The full \" -- \" string.\r\n , sosAppIDNumber = app // 
Numeric Application ID. Not the same as \"ApplicationProtocol\".\r\n , sosAppID = appid // Application ID from App Control\r\n , sosAppCategoryID = catid // Application Category ID\r\n , sosAppSignatureID = sid // Application Signature ID\r\n , sosIPSCategoryName = ipscat // IPS Category Name\r\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\r\n , sosURLPathName = arg // URL. Represents the URL path name.\r\n , sosFileIdentifier = fileid // File hash or URL\r\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. Applies only to Connection Closed messages.\r\n , DstNatPortNumber = dnpt\r\n , SrcNatPortNumber = snpt\r\n , sosBladeID = bid // Blade ID\r\n , sosUUID = uuid\r\n , sosFileName = FileName\r\n , DvcOriginalAction = fw_action\r\n| extend\r\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\r\n , ThreatId = coalesce(sosAppSignatureID, \"\")\r\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\r\n , DstNatPortNumber = toint(DstNatPortNumber)\r\n , SrcNatPortNumber = toint(SrcNatPortNumber)\r\n| extend AdditionalFields = bag_pack(\r\n \"AppRulePolicyId\", sosAppRulePolicyId\r\n , \"AppRulePolicyName\", sosAppRulePolicyName\r\n , \"AppRuleService\", sosAppRuleService\r\n , \"AppRuleType\", sosAppRuleType\r\n , \"AppRuleObject\", sosAppRuleObject\r\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\r\n , \"AppRuleAction\", sosAppRuleAction\r\n , \"AppID\", sosAppID\r\n , \"AppCategoryID\", sosAppCategoryID\r\n , \"IPSCategoryName\", sosIPSCategoryName\r\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\r\n , \"URLPathName\", sosURLPathName\r\n , \"FileIdentifier\", sosFileIdentifier\r\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\r\n , \"BladeID\", sosBladeID\r\n , \"UUID\", sosUUID\r\n , \"FileName\", sosFileName\r\n , \"FileSize\", FileSize\r\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\r\n , \"CFSCategoryID\", sosCFSCategoryID\r\n , 
\"CFSCategoryName\", sosCFSCategoryName\r\n , \"CFSPolicyName\", sosCFSPolicyName\r\n , \"AppControlFileName\", sosAppControlFileName\r\n , \"IPSFullString\", sosIPSFullString\r\n , \"IPSSignatureName\", sosIPSSignatureName\r\n , \"LogMsgCategory\", sosLogMsgCategory\r\n , \"LogMsgNote\", sosLogMsgNote\r\n , \"LogMsgSeverity\", sosLogMsgSeverity\r\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\r\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\r\n , \"EventMessageDetail\", sosEventMessageDetail\r\n , \"UserSessionType\", sosUserSessionType\r\n , \"UserSessionDuration\", sosUserSessionDuration\r\n )\r\n| project-away\r\n DeviceEventCategory\r\n , gcat\r\n , RequestMethod\r\n , RequestURL_\r\n , ipspri\r\n , spypri\r\n , sos*\r\n , Protocol\r\n , appName\r\n , AdditionalExtensions\r\n , Flex*\r\n , Indicator*\r\n , Malicious*\r\n , Field*\r\n , DeviceCustom*\r\n , Old*\r\n , File*\r\n , Source*\r\n , Destination*\r\n , Device*\r\n , SimplifiedDeviceAction\r\n , ExternalID\r\n , ExtID\r\n , TenantId\r\n , ProcessName\r\n , ProcessID\r\n , ExtID\r\n , OriginalLogSeverity\r\n , LogSeverity\r\n , EventOutcome\r\n , StartTime\r\n , EndTime\r\n , ReceiptTime\r\n , Remote*\r\n , ThreatDescription\r\n , ThreatSeverity\r\n , RequestContext\r\n , RequestCookies\r\n , CommunicationDirection\r\n , ReportReferenceLink\r\n , ReceivedBytes\r\n , SentBytes\r\n , _ResourceId\r\n , _ItemId\r\n| project-reorder\r\n TimeGenerated\r\n , EventVendor\r\n , EventProduct\r\n , DvcDescription\r\n , Dvc\r\n , DvcOs\r\n , DvcOsVersion\r\n};\r\nparser(disabled)","parameters":"disabled:bool = false","description":"Web Session ASIM parser for SonicWall firewalls.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"45483341-e59d-565f-8c67-3b6b920374f3","name":"_ASim_WebSession_SquidProxyV02","body":"let parser=(disabled:bool=false){\r\nSquidProxy_CL | where not(disabled)\r\n | extend AccessRawLog = 
extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\r\n | extend\r\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \r\n NetworkDuration = toint(AccessRawLog[1]), \r\n SrcIpAddr = tostring(AccessRawLog[2]), \r\n EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9])), \r\n EventResultDetails = tostring(AccessRawLog[4]), \r\n DstBytes = toint(AccessRawLog[5]), \r\n HttpRequestMethod = tostring(AccessRawLog[6]), \r\n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\r\n Url = tostring(AccessRawLog[7]), \r\n SrcUsername = tostring(AccessRawLog[8]), \r\n DstIpAddr = tostring(AccessRawLog[10]), \r\n HttpContentType = tostring(AccessRawLog[11]) \r\n // -- Constant fields\r\n | extend \r\n EventCount = int(1), \r\n EventProduct = 'Squid Proxy', \r\n EventVendor = 'Squid', \r\n EventSchema = 'WebSession', \r\n EventSchemaVersion = '0.2.3', \r\n EventType = 'HTTPsession' \r\n // -- Value normalization\r\n | extend\r\n UsernameType = \"Unknown\",\r\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \r\n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \r\n EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\r\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\r\n | extend \r\n DstFQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\r\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\r\n | extend \r\n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\"),\r\n DstFQDNparts = split (DstFQDN, \".\")\r\n | extend 
\r\n DstHostname = tostring(DstFQDNparts[0]),\r\n DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\"),\r\n DstDomainType = \"FQDN\"\r\n // -- aliases\r\n | extend \r\n EventStartTime = EventEndTime,\r\n Duration = NetworkDuration,\r\n HttpStatusCode = EventResultDetails,\r\n User = SrcUsername,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstHostname,\r\n Hostname = DstHostname\r\n | project-away AccessRawLog, RawData\r\n};\r\nparser (disabled)\r\n","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Squid Proxy.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"d4b6ca42-6305-5094-b814-ffdbd22663fb","name":"_ASim_WebSession_SquidProxyV03","body":"let parser=(disabled:bool=false){\r\nSquidProxy_CL | where not(disabled)\r\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\r\n | project-rename\r\n Dvc = Computer\r\n | extend\r\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \r\n NetworkDuration = toint(AccessRawLog[1]), \r\n SrcIpAddr = tostring(AccessRawLog[2]), \r\n EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9])), \r\n EventResultDetails = tostring(AccessRawLog[4]), \r\n DstBytes = tolong(AccessRawLog[5]), \r\n HttpRequestMethod = tostring(AccessRawLog[6]), \r\n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. 
This may impact the hostname part as well.\r\n Url = tostring(AccessRawLog[7]), \r\n SrcUsername = tostring(AccessRawLog[8]), \r\n DstIpAddr = tostring(AccessRawLog[10]), \r\n HttpContentType = tostring(AccessRawLog[11]) \r\n // -- Constant fields\r\n | extend \r\n EventCount = int(1), \r\n EventProduct = 'Squid Proxy', \r\n EventVendor = 'Squid', \r\n EventSchema = 'WebSession', \r\n EventSchemaVersion = '0.2.3', \r\n EventType = 'HTTPsession' \r\n // -- Value normalization\r\n | extend\r\n SrcUsernameType = \"Unknown\",\r\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \r\n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \r\n EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\r\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\r\n | extend \r\n FQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\r\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\r\n | extend \r\n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\")\r\n | invoke _ASIM_ResolveDstFQDN ('FQDN')\r\n // -- aliases\r\n | extend \r\n EventStartTime = EventEndTime,\r\n Duration = NetworkDuration,\r\n HttpStatusCode = EventResultDetails,\r\n User = SrcUsername,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstHostname,\r\n Hostname = DstHostname\r\n | project-away AccessRawLog, RawData, *_s, MG, ManagementGroupName, SourceSystem, TenantId, DstIpAddrIsHost\r\n};\r\nparser (disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Squid Proxy.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"3c6c1d83-f581-5604-949a-ba64d7949fa7","name":"_ASim_WebSession_SquidProxyV04","body":"let parser=(disabled:bool=false){\r\nSquidProxy_CL | where 
not(disabled)\r\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\r\n | extend Computer = columnifexists(\"Computer\", \"\")\r\n | project-rename\r\n Dvc = Computer\r\n | extend\r\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \r\n NetworkDuration = toint(AccessRawLog[1]), \r\n SrcIpAddr = tostring(AccessRawLog[2]), \r\n EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9])), \r\n EventResultDetails = tostring(AccessRawLog[4]), \r\n DstBytes = tolong(AccessRawLog[5]), \r\n HttpRequestMethod = tostring(AccessRawLog[6]), \r\n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\r\n Url = tostring(AccessRawLog[7]), \r\n SrcUsername = tostring(AccessRawLog[8]), \r\n DstIpAddr = tostring(AccessRawLog[10]), \r\n HttpContentType = tostring(AccessRawLog[11]) \r\n // -- Constant fields\r\n | extend \r\n EventCount = int(1), \r\n EventProduct = 'Squid Proxy', \r\n EventVendor = 'Squid', \r\n EventSchema = 'WebSession', \r\n EventSchemaVersion = '0.2.3', \r\n EventType = 'HTTPsession' \r\n // -- Value normalization\r\n | extend\r\n SrcUsernameType = \"Simple\",\r\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \r\n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \r\n EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\r\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\r\n | extend \r\n FQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\r\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\r\n | 
extend \r\n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\")\r\n | invoke _ASIM_ResolveDstFQDN ('FQDN')\r\n // -- aliases\r\n | extend \r\n EventStartTime = EventEndTime,\r\n Duration = NetworkDuration,\r\n HttpStatusCode = EventResultDetails,\r\n User = SrcUsername,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstHostname,\r\n Hostname = DstHostname\r\n | project-away AccessRawLog, RawData, *_s, DstIpAddrIsHost\r\n};\r\nparser (disabled=disabled)\r\n","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Squid Proxy.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"460926e6-800a-577e-86a9-799bb8d375ca","name":"_ASim_WebSession_VectraAIV01","body":"let parser = (disabled: bool = false)\r\n{\r\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)\r\n [\r\n false, true, 'Inbound',\r\n true, false, 'Outbound',\r\n true, true, 'Local',\r\n false, false, 'Local'\r\n ];\r\n let NetworkProtocolVersionLookup = datatable(id_ip_ver_s:string, NetworkApplicationProtocol:string)\r\n [\r\n 'ipv4', 'IPv4',\r\n 'ipv6', 'IPv6'\r\n ];\r\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\r\n VectraStream_CL\r\n | where metadata_type_s == 'metadata_httpsessioninfo'\r\n | extend EventResult = iff(tolong(status_code_d) >= 400, \"Failure\", \"Success\")\r\n | project-rename\r\n DvcDescription = hostname_s,\r\n DstDescription = resp_hostname_s,\r\n SrcDescription = orig_hostname_s,\r\n DstIpAddr = id_resp_h_s,\r\n EventOriginalUid = uid_s,\r\n HttpContentType = resp_mime_types_s,\r\n HttpReferrer = referrer_s,\r\n HttpRequestMethod = method_s,\r\n HttpUserAgent = user_agent_s,\r\n DvcId = sensor_uid_s,\r\n // -- community id is just a hash of addresses and ports, and not unique for the session\r\n // NetworkSessionId = community_id_s,\r\n SrcIpAddr = id_orig_h_s,\r\n SrcSessionId = orig_sluid_s,\r\n DstSessionId = 
resp_sluid_s,\r\n HttpResponseCacheControl = response_cache_control_s,\r\n HttpRequestCacheControl = request_cache_control_s,\r\n HttpCookie = cookie_s,\r\n HttpResponseExpires = response_expires_s,\r\n HttpIsProxied = is_proxied_b,\r\n EventOriginalStatusDetails = status_msg_s\r\n | extend\r\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\r\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\r\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\r\n DstBytes = tolong(resp_ip_bytes_d),\r\n DstPackets = tolong(resp_pkts_d),\r\n DstPortNumber = toint(id_resp_p_d),\r\n EventCount = toint(1),\r\n EventStartTime = unixtime_milliseconds_todatetime(ts_d),\r\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\r\n EventProduct = 'Vectra Stream',\r\n EventResultDetails = tostring(toint(status_code_d)),\r\n HttpRequestBodyBytes = tolong(request_body_len_d),\r\n HttpResponseBodyBytes = tolong(response_body_len_d),\r\n HttpRequestHeaderCount = toint(request_header_count_d),\r\n HttpResponseHeaderCount = toint(response_header_count_d),\r\n EventSchema = 'WebSession',\r\n EventSchemaVersion='0.2.3',\r\n DvcIdType = 'VectraId',\r\n EventSeverity = iff (EventResult == 'Success', 'Informational', 'Low'),\r\n EventType = 'HTTPsession',\r\n EventVendor = 'Vectra AI',\r\n SrcBytes = tolong(orig_ip_bytes_d),\r\n SrcPackets = tolong(orig_pkts_d),\r\n SrcPortNumber = toint(id_orig_p_d),\r\n Url = strcat('http://', host_s, uri_s)\r\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\r\n | lookup NetworkProtocolVersionLookup on id_ip_ver_s\r\n // -- preserving non-normalized important fields\r\n | project-rename \r\n first_orig_resp_data_pkt = first_orig_resp_data_pkt_s,\r\n first_resp_orig_data_pkt = 
first_resp_orig_data_pkt_s,\r\n orig_huid = orig_huid_s,\r\n resp_huid = resp_huid_s,\r\n community_id = community_id_s,\r\n resp_multihome = resp_multihomed_b,\r\n host_multihomed = host_multihomed_b\r\n | extend\r\n first_orig_resp_data_pkt_time = unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\r\n first_orig_resp_pkt_time = unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\r\n first_resp_orig_data_pkt_time = unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\r\n first_resp_orig_pkt_time = unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\r\n | project-away\r\n *_d, *_s, *_b, *_g, Computer, MG, ManagementGroupName, RawData, SourceSystem\r\n | extend\r\n Dst = DstIpAddr,\r\n Dvc = DvcId,\r\n EventEndTime = EventStartTime,\r\n Hostname = DstHostname,\r\n HttpStatusCode = EventResultDetails,\r\n IpAddr = SrcIpAddr,\r\n NetworkBytes = SrcBytes + DstBytes,\r\n NetworkPackets = SrcPackets + DstPackets,\r\n //SessionId = NetworkSessionId,\r\n Src = SrcIpAddr,\r\n UserAgent = HttpUserAgent \r\n};\r\nparser (disabled)","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Vectra AI streams.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"2424ad34-e613-5906-a22e-59666a3b13c8","name":"_ASim_WebSession_VectraAIV02","body":"let parser = (disabled: bool = false, pack:bool = false)\r\n{\r\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)\r\n [\r\n false, true, 'Inbound',\r\n true, false, 'Outbound',\r\n true, true, 'Local',\r\n false, false, 'Local'\r\n ];\r\n let NetworkProtocolVersionLookup = datatable(id_ip_ver_s:string, NetworkApplicationProtocol:string)\r\n [\r\n 'ipv4', 'IPv4',\r\n 'ipv6', 'IPv6'\r\n ];\r\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\r\n VectraStream_CL\r\n | where metadata_type_s == 'metadata_httpsessioninfo'\r\n | extend EventResult = 
iff(tolong(status_code_d) >= 400, \"Failure\", \"Success\")\r\n | project-rename\r\n DvcDescription = hostname_s,\r\n DstDescription = resp_hostname_s,\r\n SrcDescription = orig_hostname_s,\r\n DstIpAddr = id_resp_h_s,\r\n EventOriginalUid = uid_s,\r\n HttpContentType = resp_mime_types_s,\r\n HttpReferrer = referrer_s,\r\n HttpRequestMethod = method_s,\r\n HttpUserAgent = user_agent_s,\r\n DvcId = sensor_uid_s,\r\n // -- community id is just a hash of addresses and ports, and not unique for the session\r\n // NetworkSessionId = community_id_s,\r\n SrcIpAddr = id_orig_h_s,\r\n SrcSessionId = orig_sluid_s,\r\n DstSessionId = resp_sluid_s,\r\n HttpResponseCacheControl = response_cache_control_s,\r\n HttpRequestCacheControl = request_cache_control_s,\r\n HttpCookie = cookie_s,\r\n HttpResponseExpires = response_expires_s,\r\n HttpIsProxied = is_proxied_b,\r\n EventOriginalResultDetails = status_msg_s\r\n | extend\r\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\r\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\r\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\r\n DstBytes = tolong(resp_ip_bytes_d),\r\n DstPackets = tolong(resp_pkts_d),\r\n DstPortNumber = toint(id_resp_p_d),\r\n EventCount = toint(1),\r\n EventStartTime = unixtime_milliseconds_todatetime(ts_d),\r\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\r\n EventProduct = 'Vectra Stream',\r\n EventResultDetails = tostring(toint(status_code_d)),\r\n HttpRequestBodyBytes = tolong(request_body_len_d),\r\n HttpResponseBodyBytes = tolong(response_body_len_d),\r\n HttpRequestHeaderCount = toint(request_header_count_d),\r\n HttpResponseHeaderCount = toint(response_header_count_d),\r\n EventSchema = 'WebSession',\r\n EventSchemaVersion='0.2.3',\r\n DvcIdType 
= 'VectraId',\r\n EventSeverity = iff (EventResult == 'Success', 'Informational', 'Low'),\r\n EventType = 'HTTPsession',\r\n EventVendor = 'Vectra AI',\r\n SrcBytes = tolong(orig_ip_bytes_d),\r\n SrcPackets = tolong(orig_pkts_d),\r\n SrcPortNumber = toint(id_orig_p_d),\r\n Url = strcat('http://', host_s, uri_s)\r\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\r\n | lookup NetworkProtocolVersionLookup on id_ip_ver_s\r\n // -- preserving non-normalized important fields\r\n | extend AdditionalFields = iff (\r\n pack, \r\n bag_pack (\r\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\r\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\r\n \"orig_huid\", orig_huid_s,\r\n \"resp_huid\", resp_huid_s,\r\n \"community_id\", community_id_s,\r\n \"resp_multihome\", resp_multihomed_b,\r\n \"host_multihomed\", host_multihomed_b,\r\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\r\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\r\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\r\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\r\n ),\r\n dynamic([])\r\n )\r\n | project-away\r\n *_d, *_s, *_b, *_g, Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\r\n | extend\r\n Dst = DstIpAddr,\r\n Dvc = DvcId,\r\n EventEndTime = EventStartTime,\r\n Hostname = DstHostname,\r\n HttpStatusCode = EventResultDetails,\r\n IpAddr = SrcIpAddr,\r\n NetworkBytes = SrcBytes + DstBytes,\r\n NetworkPackets = SrcPackets + DstPackets,\r\n //SessionId = NetworkSessionId,\r\n Src = SrcIpAddr,\r\n UserAgent = HttpUserAgent \r\n};\r\nparser (disabled=disabled, pack=pack)","parameters":"disabled:bool = false, pack:bool = false","description":"Web Session ASIM parser for Vectra AI 
streams.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"98dc2b4a-9239-527e-b5e1-518d926a0c87","name":"_ASim_WebSession_ZscalerZIAV02","body":"let parser=(disabled:bool=false){\r\nlet DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \r\n[\r\n 'Allowed', 'Allow',\r\n 'Blocked', 'Deny'\r\n]; \r\nCommonSecurityLog | where not(disabled)\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceProduct == \"NSSWeblog\"\r\n// Event fields\r\n| extend \r\n EventCount=int(1), \r\n EventStartTime=TimeGenerated, \r\n EventVendor = \"Zscaler\", \r\n EventProduct = \"ZIA Proxy\", \r\n EventSchema = \"WebSession\", \r\n EventSchemaVersion=\"0.2.3\", \r\n EventType = 'HTTPsession',\r\n EventEndTime=TimeGenerated\r\n| project-rename\r\n EventProductVersion = DeviceVersion,\r\n NetworkApplicationProtocol = ApplicationProtocol,\r\n HttpContentType = FileType,\r\n HttpUserAgent = RequestClientApplication,\r\n HttpRequestMethod = RequestMethod,\r\n DstAppName = DestinationServiceName,\r\n DstIpAddr = DestinationIP,\r\n DstFQDN = DestinationHostName,\r\n SrcIpAddr = SourceIP,\r\n SrcUsername = SourceUserName,\r\n SrcNatIpAddr= SourceTranslatedAddress,\r\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\r\n UrlCategory = DeviceCustomString2,\r\n ThreatName = DeviceCustomString5,\r\n FileMD5 = DeviceCustomString6\r\n// -- Parse\r\n| parse AdditionalExtensions with \r\n * \"rulelabel=\" RuleName:string \";\"\r\n \"ruletype=\" ruletype:string \";\"\r\n \"urlclass=\" urlclass:string \";\"\r\n \"devicemodel=\" * \r\n// -- Calculated fields\r\n| lookup DvcActionLookup on DeviceAction\r\n| extend\r\n // -- Adjustment to support both old and new CSL fields.\r\n EventOriginalResultDetails = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\r\n ),\r\n EventResultDetails = coalesce(\r\n 
column_ifexists(\"EventOutcome\", \"\"),\r\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\r\n ),\r\n ThreatRiskLevel = coalesce(\r\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\r\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\r\n ),\r\n DvcHostname = tostring(Computer),\r\n SrcBytes = toint(SentBytes),\r\n DstBytes = toint(ReceivedBytes),\r\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\r\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\r\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\r\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\r\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\r\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\r\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\r\n DstFQDNparts = split (DstFQDN, \".\"),\r\n DstHostnameNotAddr = DstIpAddr != DstFQDN\r\n| extend\r\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\r\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\r\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \r\n// -- Enrichment\r\n| extend\r\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\r\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\r\n DstAppType = \"SaaS application\",\r\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\r\n SrcUsernameType = \"UPN\"\r\n// -- Aliases\r\n| extend\r\n Dvc = DvcHostname,\r\n UserAgent = HttpUserAgent,\r\n User = SrcUsername,\r\n HttpStatusCode = EventResultDetails,\r\n IpAddr = SrcNatIpAddr,\r\n Hash = FileMD5,\r\n FileHashType = iff(FileMD5 == 
\"\", \"\", \"MD5\")\r\n| project-away \r\n DstFQDNparts, AdditionalExtensions, DeviceCustom*\r\n};\r\nparser (disabled)","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Zscaler ZIA.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"9a241dc1-9a8a-5810-a3f7-f1229fb1f2a5","name":"_ASim_WebSession_ZscalerZIAV03","body":"let parser=(disabled:bool=false){\r\nlet DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \r\n[\r\n 'Allowed', 'Allow',\r\n 'Blocked', 'Deny'\r\n]; \r\nCommonSecurityLog | where not(disabled)\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceProduct == \"NSSWeblog\"\r\n// Event fields\r\n| extend \r\n EventCount=int(1), \r\n EventStartTime=TimeGenerated, \r\n EventVendor = \"Zscaler\", \r\n EventProduct = \"ZIA Proxy\", \r\n EventSchema = \"WebSession\", \r\n EventSchemaVersion=\"0.2.3\", \r\n EventType = 'HTTPsession',\r\n EventEndTime=TimeGenerated\r\n| project-rename\r\n EventProductVersion = DeviceVersion,\r\n NetworkApplicationProtocol = ApplicationProtocol,\r\n HttpContentType = FileType,\r\n HttpUserAgent = RequestClientApplication,\r\n HttpRequestMethod = RequestMethod,\r\n DstAppName = DestinationServiceName,\r\n DstIpAddr = DestinationIP,\r\n DstFQDN = DestinationHostName,\r\n SrcIpAddr = SourceIP,\r\n SrcUsername = SourceUserName,\r\n SrcNatIpAddr= SourceTranslatedAddress,\r\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\r\n UrlCategory = DeviceCustomString2,\r\n ThreatName = DeviceCustomString5,\r\n FileMD5 = DeviceCustomString6\r\n// -- Parse\r\n| parse AdditionalExtensions with \r\n * \"rulelabel=\" RuleName:string \";\"\r\n \"ruletype=\" ruletype:string \";\"\r\n \"urlclass=\" urlclass:string \";\"\r\n \"devicemodel=\" * \r\n// -- Calculated fields\r\n| lookup DvcActionLookup on DeviceAction\r\n| extend\r\n // -- Adjustment to support both old and new CSL fields.\r\n 
EventOriginalResultDetails = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\r\n ),\r\n EventResultDetails = coalesce(\r\n column_ifexists(\"EventOutcome\", \"\"),\r\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\r\n ),\r\n ThreatRiskLevel = coalesce(\r\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\r\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\r\n ),\r\n DvcHostname = tostring(Computer),\r\n SrcBytes = tolong(SentBytes),\r\n DstBytes = tolong(ReceivedBytes),\r\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\r\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\r\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\r\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\r\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\r\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\r\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\r\n DstFQDNparts = split (DstFQDN, \".\"),\r\n DstHostnameNotAddr = DstIpAddr != DstFQDN\r\n| extend\r\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\r\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\r\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \r\n// -- Enrichment\r\n| extend\r\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\r\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\r\n DstAppType = \"SaaS application\",\r\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\r\n SrcUsernameType = \"UPN\"\r\n// -- Aliases\r\n| 
extend\r\n Dvc = DvcHostname,\r\n Hostname = DstHostname,\r\n UserAgent = HttpUserAgent,\r\n User = SrcUsername,\r\n HttpStatusCode = EventResultDetails,\r\n IpAddr = SrcNatIpAddr,\r\n Hash = FileMD5,\r\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\r\n| project-away \r\n DstFQDNparts, AdditionalExtensions, DeviceCustom*\r\n};\r\nparser (disabled)","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Zscaler ZIA.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"d5ffffe3-6545-5e38-9547-ba42d802963f","name":"_ASim_WebSession_ZscalerZIAV04","body":"let parser=(disabled:bool=false){\r\nlet DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \r\n[\r\n 'Allowed', 'Allow',\r\n 'Blocked', 'Deny'\r\n]; \r\nCommonSecurityLog | where not(disabled)\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceProduct == \"NSSWeblog\"\r\n// Event fields\r\n| extend \r\n EventCount=int(1), \r\n EventStartTime=TimeGenerated, \r\n EventVendor = \"Zscaler\", \r\n EventProduct = \"ZIA Proxy\", \r\n EventSchema = \"WebSession\", \r\n EventSchemaVersion=\"0.2.3\", \r\n EventType = 'HTTPsession',\r\n EventEndTime=TimeGenerated\r\n| project-rename\r\n EventProductVersion = DeviceVersion,\r\n NetworkApplicationProtocol = ApplicationProtocol,\r\n HttpContentType = FileType,\r\n HttpUserAgent = RequestClientApplication,\r\n HttpRequestMethod = RequestMethod,\r\n DstAppName = DestinationServiceName,\r\n DstIpAddr = DestinationIP,\r\n DstFQDN = DestinationHostName,\r\n SrcIpAddr = SourceIP,\r\n SrcUsername = SourceUserName,\r\n SrcNatIpAddr= SourceTranslatedAddress,\r\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\r\n UrlCategory = DeviceCustomString2,\r\n ThreatName = DeviceCustomString5,\r\n FileMD5 = DeviceCustomString6,\r\n EventOriginalSeverity = LogSeverity,\r\n EventMessage = Message\r\n// -- Parse\r\n| parse AdditionalExtensions with \r\n * 
\"rulelabel=\" RuleName:string \";\"\r\n \"ruletype=\" ruletype:string \";\"\r\n \"urlclass=\" urlclass:string \";\"\r\n \"devicemodel=;\" devicemodel:string \",\" * \r\n // \"devicemodel=\" * \r\n // -- Post filtering\r\n// -- Calculated fields\r\n| lookup DvcActionLookup on DeviceAction\r\n| extend\r\n // -- Adjustment to support both old and new CSL fields.\r\n EventOriginalResultDetails = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\r\n ),\r\n EventResultDetails = coalesce(\r\n column_ifexists(\"EventOutcome\", \"\"),\r\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\r\n ),\r\n ThreatRiskLevel = coalesce(\r\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\r\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\r\n ),\r\n DvcHostname = tostring(Computer),\r\n SrcBytes = tolong(SentBytes),\r\n DstBytes = tolong(ReceivedBytes),\r\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\r\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\r\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\r\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\r\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\r\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\r\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\r\n DstFQDNparts = split (DstFQDN, \".\"),\r\n DstHostnameNotAddr = DstIpAddr != DstFQDN\r\n| extend\r\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\r\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\r\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \r\n// -- Enrichment\r\n| extend\r\n EventResult = iff (EventResultDetails == \"NA\" 
or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\r\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\r\n DstAppType = \"SaaS application\",\r\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\r\n SrcUsernameType = \"UPN\"\r\n// -- Aliases\r\n| extend\r\n Dvc = DvcHostname,\r\n Hostname = DstHostname,\r\n UserAgent = HttpUserAgent,\r\n User = SrcUsername,\r\n HttpStatusCode = EventResultDetails,\r\n IpAddr = SrcNatIpAddr,\r\n Hash = FileMD5,\r\n Dst = DstFQDN,\r\n Rule = RuleName,\r\n HashType = iff(FileMD5 == \"\", \"\", \"MD5\")\r\n| project-away DstFQDNparts\r\n| project-away AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, Activity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, urlclass, ruletype, DstHostnameNotAddr\r\n};\r\nparser (disabled)\r\n","parameters":"disabled:bool = false","description":"Web Session ASIM parser for Zscaler ZIA.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"1e4a9783-ebfa-548d-950a-dcebdeff40fd","name":"_Im_WebSession","body":"union isfuzzy=true\r\n_Im_WebSessionBuiltIn(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, eventresultdetails_has_any= eventresultdetails_has_any, disabled= disabled, pack= pack),\r\nIm_WebSessionSolutions(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= 
srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, eventresultdetails_has_any= eventresultdetails_has_any, disabled= disabled, pack= pack),\r\nIm_WebSessionCustom(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, eventresultdetails_has_any= eventresultdetails_has_any, disabled= disabled, pack= pack)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), url_has_any:dynamic = dynamic([]), httpuseragent_has_any:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', eventresultdetails_has_any:dynamic = dynamic([]), disabled:bool = false, pack:bool = false","description":"Web Session ASIM filtering parser.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"6a32c22d-1617-5ab9-9868-8bda79135cbe","name":"_Im_WebSessionBuiltIn","body":"let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') \r\n| where SearchKey in ('Any', 'Exclude_Im_WebSession') \r\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') \r\n| where isnotempty(SourceSpecificParser) \r\n| summarize list = make_set(SourceSpecificParser));\r\nlet builtInDisabled = 0 != array_length(set_intersect(toscalar(DisabledParsers),dynamic(['Exclude_Im_WebSessionBuiltIn', 'Exclude_Im_WebSession', 'Any'])));\r\nunion isfuzzy=true\r\n_Im_WebSession_ApacheHTTPServerV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, 
ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_ApacheHTTPServer' in (DisabledParsers)))),\r\n_Im_WebSession_AzureFirewallV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_AzureFirewall' in (DisabledParsers)))),\r\n_Im_WebSession_BarracudaCEFV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_BarracudaCEF' in (DisabledParsers)))),\r\n_Im_WebSession_BarracudaWAFV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_BarracudaWAF' in (DisabledParsers)))),\r\n_Im_WebSession_CiscoFirepowerV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_CiscoFirepower' in (DisabledParsers)))),\r\n_Im_WebSession_CiscoMerakiV01(starttime= starttime, endtime= endtime, 
srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_CiscoMeraki' in (DisabledParsers)))),\r\n_Im_WebSession_CiscoUmbrellaV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_CiscoUmbrella' in (DisabledParsers))), pack= pack),\r\n_Im_WebSession_CitrixNetScalerV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_CitrixNetScaler' in (DisabledParsers)))),\r\n_Im_WebSession_EmptyV04,\r\n_Im_WebSession_F5ASMV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_F5ASM' in (DisabledParsers)))),\r\n_Im_WebSession_FortinetFortiGateV03(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_FortinetFortiGate' in 
(DisabledParsers)))),\r\n_Im_WebSession_IISV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_IIS' in (DisabledParsers)))),\r\n_Im_WebSession_NativeV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_Native' in (DisabledParsers)))),\r\n_Im_WebSession_PaloAltoCEFV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_PaloAltoCEF' in (DisabledParsers)))),\r\n_Im_WebSession_PaloAltoCortexDataLakeV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_PaloAltoCortexDataLake' in (DisabledParsers)))),\r\n_Im_WebSession_SonicWallFirewallV01(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled 
or('Exclude_Im_WebSession_SonicWallFirewall' in (DisabledParsers)))),\r\n_Im_WebSession_SquidProxyV07(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_SquidProxy' in (DisabledParsers)))),\r\n_Im_WebSession_VectraAIV02(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_VectraAI' in (DisabledParsers))), pack= pack),\r\n_Im_WebSession_ZscalerZIAV06(starttime= starttime, endtime= endtime, srcipaddr_has_any_prefix= srcipaddr_has_any_prefix, ipaddr_has_any_prefix= ipaddr_has_any_prefix, url_has_any= url_has_any, httpuseragent_has_any= httpuseragent_has_any, eventresultdetails_in= eventresultdetails_in, eventresult= eventresult, disabled= (builtInDisabled or('Exclude_Im_WebSession_ZscalerZIA' in (DisabledParsers))))\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), url_has_any:dynamic = dynamic([]), httpuseragent_has_any:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', eventresultdetails_has_any:dynamic = dynamic([]), disabled:bool = false, pack:bool = false","description":"Web Session ASIM built-in union parser.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"d6c30943-04b8-5e10-ba49-d2bf86f18362","name":"_Im_WebSession_ApacheHTTPServerV01","body":"let Parser=(\r\n 
starttime:datetime = datetime(null), \r\n endtime:datetime = datetime(null),\r\n srcipaddr_has_any_prefix:dynamic = dynamic([]),\r\n ipaddr_has_any_prefix:dynamic = dynamic([]), \r\n url_has_any:dynamic = dynamic([]),\r\n httpuseragent_has_any:dynamic = dynamic([]),\r\n eventresultdetails_in:dynamic = dynamic([]),\r\n eventresult:string = '*',\r\n disabled:bool = false\r\n){\r\n let src_or_any = set_union(\r\n srcipaddr_has_any_prefix,\r\n ipaddr_has_any_prefix\r\n ); \r\n let remove_protocol_from_list = (list:dynamic)\r\n {\r\n print list\r\n | mv-apply l = print_0 to typeof(string) on\r\n ( extend l = substring(l,indexof(l,@'//')+2))\r\n | project l\r\n };\r\n ApacheHTTPServer_CL\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime) and (isnull(endtime) or TimeGenerated = starttime) and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or Timestamp_t = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = 400 or DeviceAction =~ \"blocked\", \"Failure\", \"Success\")\r\n | where eventresult == '*' or EventResult =~ eventresult\r\n | project-rename \r\n DstIpAddr = DestinationIP,\r\n DstPortNumber = DestinationPort,\r\n EventOriginalUid = ExtID,\r\n HttpRequestMethod = RequestMethod,\r\n NetworkApplicationProtocol = ApplicationProtocol,\r\n HttpCookie = Cookie,\r\n HttpHost = Host,\r\n HttpReferrer = Referer,\r\n HttpUserAgent = ['User-Agent'],\r\n HttpRequestXff = DeviceCustomString5\r\n | extend\r\n HttpStatusCode = EventResultDetails,\r\n AdditionalFields = bag_pack(\r\n \"Full Request\", DeviceCustomString3,\r\n \"Attack Type\", 
DeviceCustomString4,\r\n \"Policy Apply Date\", DeviceCustomDate1,\r\n \"Web Application Name\",\r\n DeviceCustomString2\r\n ),\r\n Dst = DstIpAddr;\r\n let AnomalyDetectionData = AllData\r\n | where DeviceEventClassID in (DeviceEventClassIDList)\r\n | where array_length(httpuseragent_has_any) == 0 \r\n | where array_length(eventresultdetails_in) == 0\r\n | extend temp_DstMatch2 = has_any_ipv4_prefix(DvcIpAddr, ipaddr_has_any_prefix)\r\n | extend ASimMatchingIpAddr = case(\r\n array_length(src_or_any) == 0,\r\n \"-\",\r\n temp_SrcMatch and temp_DstMatch2,\r\n \"Both\",\r\n temp_SrcMatch,\r\n \"SrcIpAddr\",\r\n temp_DstMatch2,\r\n \"DstIpAddr\",\r\n \"No match\"\r\n ),\r\n EventResult = iff(DeviceAction =~ \"passed\", \"Success\", \"Failure\")\r\n | where ASimMatchingIpAddr != \"No match\"\r\n | where eventresult == '*' or EventResult =~ eventresult\r\n | extend\r\n AdditionalFields = bag_pack(\r\n \"Detection Average\",\r\n FieldDeviceCustomNumber1,\r\n \"Dropped Requests\",\r\n FieldDeviceCustomNumber2,\r\n \"Attack Status\",\r\n DeviceCustomString4,\r\n \"Detection Mode\",\r\n DeviceCustomString5,\r\n \"Web Application Name\",\r\n DeviceCustomString2\r\n ),\r\n ThreatId = tostring(FieldDeviceCustomNumber3)\r\n | project-away ApplicationProtocol, ExtID;\r\n union GeneralEnforcementData, AnomalyDetectionData\r\n | lookup DvcActionLookup on DeviceAction\r\n | lookup EventSeverityLookup on LogSeverity\r\n | extend \r\n EventStartTime = todatetime(ReceiptTime),\r\n EventOriginalType = iff(isempty(toint(DeviceEventClassID)), DeviceEventClassID, Activity)\r\n | extend\r\n EventCount = int(1),\r\n EventSchema = \"WebSession\",\r\n EventSchemaVersion = \"0.2.6\",\r\n EventType = \"HTTPsession\"\r\n | project-rename \r\n EventProduct = DeviceProduct,\r\n EventVendor = DeviceVendor,\r\n EventUid = _ItemId,\r\n EventOriginalSeverity = LogSeverity,\r\n DvcOriginalAction = DeviceAction,\r\n Url = RequestURL,\r\n SrcIpAddr = SourceIP,\r\n SrcGeoCountry = 
DeviceCustomString6,\r\n SrcPortNumber = SourcePort,\r\n SrcUserId = SourceUserID,\r\n SrcUsername = SourceUserName,\r\n EventMessage = Message,\r\n EventProductVersion = DeviceVersion,\r\n RuleName = DeviceCustomString1\r\n | extend \r\n SrcUserIdType = iff(isnotempty(SrcUserId), \"Other\", \"\"),\r\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\r\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\r\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\r\n EventEndTime = EventStartTime,\r\n Src = SrcIpAddr,\r\n IpAddr = SrcIpAddr,\r\n UserAgent = HttpUserAgent,\r\n User = SrcUsername,\r\n Rule = RuleName\r\n | project-away\r\n Source*,\r\n Destination*,\r\n Device*,\r\n AdditionalExtensions,\r\n Activity,\r\n CommunicationDirection,\r\n Computer,\r\n EndTime,\r\n EventOutcome,\r\n FieldDevice*,\r\n Flex*,\r\n File*,\r\n Old*,\r\n IndicatorThreatType,\r\n MaliciousIP*,\r\n OriginalLogSeverity,\r\n Process*,\r\n Protocol,\r\n ReceivedBytes,\r\n SentBytes,\r\n Remote*,\r\n Request*,\r\n SimplifiedDeviceAction,\r\n StartTime,\r\n TenantId,\r\n ThreatDescription,\r\n ThreatSeverity,\r\n ThreatConfidence,\r\n Reason,\r\n ExternalID,\r\n ReportReferenceLink,\r\n ReceiptTime,\r\n rest,\r\n temp_*,\r\n _ResourceId\r\n};\r\nparser(\r\n starttime=starttime, \r\n endtime=endtime,\r\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \r\n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \r\n url_has_any=url_has_any,\r\n httpuseragent_has_any=httpuseragent_has_any,\r\n eventresultdetails_in=eventresultdetails_in,\r\n eventresult=eventresult,\r\n disabled=disabled\r\n)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), url_has_any:dynamic = dynamic([]), httpuseragent_has_any:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Web Session ASIM parser for F5 BIG-IP 
Application Security Manager (ASM).","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"b6375b9f-7ca6-5f77-be85-3631c19242a2","name":"_Im_WebSession_FortinetFortiGateV01","body":"let parser=(\r\n starttime:datetime = datetime(null), \r\n endtime:datetime = datetime(null),\r\n srcipaddr_has_any_prefix:dynamic = dynamic([]),\r\n ipaddr_has_any_prefix:dynamic = dynamic([]), \r\n url_has_any:dynamic = dynamic([]),\r\n httpuseragent_has_any:dynamic = dynamic([]),\r\n eventresultdetails_in:dynamic = dynamic([]),\r\n eventresult:string = '*',\r\n disabled:bool = false\r\n){\r\n let src_or_any = set_union(\r\n srcipaddr_has_any_prefix,\r\n ipaddr_has_any_prefix\r\n ); \r\n let remove_protocol_from_list = (list:dynamic)\r\n {\r\n print list\r\n | mv-apply l = print_0 to typeof(string) on\r\n ( extend l = substring(l,indexof(l,@'//')+2))\r\n | project l\r\n };\r\n let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string)\r\n [\r\n \"passthrough\",\"Allow\",\"Success\"\r\n , \"blocked\",\"Deny\",\"Failure\"\r\n ];\r\n // -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\r\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\r\n [\r\n \"1\", \"Informational\", // Debug\r\n \"2\", \"Informational\", // Information\r\n \"3\", \"Informational\", // Notification\r\n \"4\", \"Low\", // Warning\r\n \"5\", \"Low\", // Error\r\n \"6\", \"High\", // Critical\r\n \"7\", \"Medium\", // Alert\r\n \"8\", \"High\" // Emergency\r\n ]; \r\n CommonSecurityLog\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated=starttime) and (isnull(endtime) or TimeGenerated=starttime) and (isnull(endtime) or TimeGenerated= starttime)\r\n and (isnull(endtime) or TimeGenerated \"\", Dst, \"\"),\r\n EventType = 'WebServerSession', \r\n EventVendor = 
'Microsoft',\r\n EventSchemaVersion = '0.2.6',\r\n EventSchema = 'WebSession', \r\n EventProduct = 'IIS',\r\n DvcOs = 'Windows',\r\n EventCount = int(1),\r\n SrcIpAddr = Src,\r\n IpAddr = Src,\r\n HttpUserAgent = UserAgent,\r\n HttpStatusCode = tostring(EventResultDetails),\r\n EventStartTime = ( (TimeGenerated) - (TimeTaken * 1ms)), // TimeTaken field is in Milliseconds \r\n EventEndTime = TimeGenerated,\r\n EventSeverity = iff(EventResult == \"Success\", \"Low\", \"Informational\"),\r\n Url = iff(csUriQuery == \"\", csUriStem, strcat(csUriStem,\"?\",csUriQuery)),\r\n sPort = tostring(sPort),\r\n HttpHost = iff ( HttpHost == \"-\", \"\", HttpHost),\r\n csHost = iff ( csHost == \"-\", \"\", csHost), //remove empty values\r\n EventOriginalResultDetails = iff(scSubStatus \"0\", strcat (scStatus, \".\", scSubStatus), scStatus)\r\n | extend \r\n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',csHost)[0],\r\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',csHost)[0],\r\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',csHost)[0]\r\n | extend \r\n DstIpAddr = tostring(coalesce(ipv4_parts[0], ipv6_parts[0])),\r\n DstPortNumber = toint(coalesce(ipv4_parts[1], ipv6_parts[1], host_parts[1])),\r\n HttpHost = tostring(coalesce(host_parts[0], HttpHost))\r\n | project-away ipv4_parts, ipv6_parts, host_parts \r\n | extend\r\n DstHostname = HttpHost,\r\n Hostname = HttpHost\r\n | extend \r\n ThreatField = case(\r\n ThreatIpAddr \"\" and ThreatIpAddr == SrcIpAddr, \"SrcIpAddr\"\r\n ,ThreatIpAddr \"\" and ThreatIpAddr == DstIpAddr, \"DstIpAddr\"\r\n ,\"\")\r\n | project-away \r\n AdditionalInformation,\r\n AzureDeploymentID,\r\n Date,\r\n Description,\r\n DvcOs,\r\n FileOffset,\r\n FileUri,\r\n MG, \r\n ManagementGroupName,\r\n Role*,\r\n sComputerName,\r\n SourceSystem,\r\n TLPLevel,\r\n TenantId,\r\n TimeTaken,\r\n Time,\r\n cs*,\r\n sPort,\r\n sc*,\r\n StorageAccount\r\n};\r\nparser (starttime=starttime, endtime=endtime, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), url_has_any:dynamic = dynamic([]), httpuseragent_has_any:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Web Session ASIM filtering parser for Windows IIS logs.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"577d78f4-8a19-5485-b2d0-2d76804d3a9b","name":"_Im_WebSession_NativeV01","body":"let parser=(\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null),\r\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \r\n ipaddr_has_any_prefix:dynamic=dynamic([]), \r\n url_has_any:dynamic=dynamic([]),\r\n httpuseragent_has_any:dynamic=dynamic([]),\r\n eventresultdetails_in:dynamic=dynamic([]),\r\n eventresult:string='*',\r\n disabled:bool=false\r\n)\r\n{\r\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n ASimWebSessionLogs\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime)\r\n and (isnull(endtime) or TimeGenerated = starttime) and (isnull(endtime) or TimeGenerated [a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)(?:;fw_action)\", 1, AdditionalExtensions)\r\n | extend RequestURL_ = iif(RequestURL_ startswith \"snpt\" or RequestURL_ startswith \"dnpt\" or RequestURL_ startswith \"appid\" or RequestURL_ startswith \"appName\", 
extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), RequestURL_)\r\n | extend RequestURL_ = iif(RequestURL_ matches regex @\"^(.{2,6}=.{1,6})\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), iif(RequestURL_ matches regex @\"^\\w=\\d$\", \"\", RequestURL_))\r\n | extend RequestURL_ = iif(RequestURL_ has_any(dynamic([\"af_polid=\", \"ipscat=\", \"snpt=\", \"dnpt=\"])), \"\", RequestURL_)\r\n | extend RequestURL = iif(isnotempty(RequestURL), RequestURL, iif(RequestURL_ contains \"/\" and RequestURL_ contains \".\", RequestURL_, \"\"))\r\n | where isnotempty(RequestURL)\r\n | lookup Actions on fw_action\r\n | extend EventResult = case(DvcAction == \"Allow\", \"Success\",\r\n DvcAction == \"Management\", \"NA\",\r\n DvcAction == \"NA\", \"NA\",\r\n DvcAction == \"Other\", \"NA\",\r\n \"Failure\"\r\n )\r\n | where (eventresult == \"*\" or EventResult =~ eventresult)\r\n | extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\r\n LogSeverity == 9, \"Alert (1)\",\r\n LogSeverity == 8, \"Critical (2)\",\r\n LogSeverity == 7, \"Error (3)\",\r\n LogSeverity == 6, \"Warning (4)\",\r\n LogSeverity == 5, \"Notice (5)\",\r\n LogSeverity == 4, \"Info (6)/Debug (7)\",\r\n LogSeverity == 3, \"Not Mapped (3)\",\r\n LogSeverity == 2, \"Not Mapped (2)\",\r\n LogSeverity == 1, \"Not Mapped (1)\",\r\n \"Not Mapped\"\r\n )\r\n | extend EventSeverity = case(tolong(LogSeverity) 8, \"High\"\r\n , \"\"\r\n )\r\n | extend HttpRequestMethod = case(tolong(RequestMethod) == 0, \"\"\r\n , tolong(RequestMethod) == 1, \"GET\"\r\n , tolong(RequestMethod) == 2, \"POST\"\r\n , tolong(RequestMethod) == 3, \"HEAD\"\r\n , tolong(RequestMethod) == 4, \"PUT\"\r\n , tolong(RequestMethod) == 5, \"CONNECT\"\r\n , tolong(RequestMethod) == 6, \"\"\r\n , \"\"\r\n )\r\n | extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\r\n , DestinationIP has \":\", \"IPv6\"\r\n , \"\"\r\n )\r\n 
, NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\r\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\r\n , EventOriginalType = DeviceEventClassID\r\n | project-rename\r\n DstMacAddr = DestinationMACAddress\r\n , SrcMacAddr = SourceMACAddress\r\n , DstPortNumber = DestinationPort\r\n , SrcPortNumber = SourcePort\r\n , EventMessage = Activity\r\n , sosEventMessageDetail = Message\r\n , EventProductVersion = DeviceVersion\r\n , Dvc = Computer\r\n , DvcOutboundInterface = DeviceOutboundInterface\r\n , DvcInboundInterface = DeviceInboundInterface\r\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\r\n , sosCFSFullString = Reason // CFS Block Category ID and Name\r\n , RuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\r\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\r\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\r\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\r\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\r\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\r\n , SrcZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\r\n , DstZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) 
on Gen6.\r\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\r\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\r\n , SrcUsername = SourceUserName\r\n , ThreatOriginalConfidence = ThreatConfidence\r\n , HttpUserAgent = RequestClientApplication\r\n , Url = RequestURL\r\n| where (array_length(url_has_any) == 0 or Url has_any (url_has_any))\r\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\r\n gcat == 2, \"Log (2)\",\r\n gcat == 3, \"Security Services (3)\",\r\n gcat == 4, \"Users (4)\",\r\n gcat == 5, \"Firewall Settings (5)\",\r\n gcat == 6, \"Network (6)\",\r\n gcat == 7, \"VPN (7)\",\r\n gcat == 8, \"High Availability (8)\",\r\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\r\n gcat == 10, \"Firewall (10)\",\r\n gcat == 11, \"Wireless (11)\",\r\n gcat == 12, \"VoIP (12)\",\r\n gcat == 13, \"SSL VPN (13)\",\r\n gcat == 14, \"Anti-Spam (14)\",\r\n gcat == 15, \"WAN Acceleration (15)\",\r\n gcat == 16, \"Object (16)\",\r\n gcat == 17, \"SD-WAN (17)\",\r\n gcat == 18, \"Multi-Instance (18)\",\r\n gcat == 19, \"Unified Policy Engine (19)\",\r\n \"Log Category Not Mapped\"\r\n )\r\n| extend EventOriginalSubType = case(DeviceEventCategory == 0, \"None (0)\",\r\n DeviceEventCategory == 1, \"System Maintenance (1)\",\r\n DeviceEventCategory == 2, \"System Errors (2)\",\r\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\r\n DeviceEventCategory == 8, \"Blocked Java Etc. 
(8)\",\r\n DeviceEventCategory == 16, \"User Activity (16)\",\r\n DeviceEventCategory == 32, \"Attacks (32)\",\r\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\r\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\r\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\r\n DeviceEventCategory == 512, \"Network Debug (512)\",\r\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\r\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\r\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\r\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\r\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\r\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\r\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\r\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\r\n DeviceEventCategory == 524288, \"System Environment (524288)\",\r\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\r\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\r\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\r\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\r\n \"Legacy Category Not Mapped\"\r\n )\r\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\r\n ipspri == 2, \"Medium (2)\",\r\n ipspri == 3, \"Low (3)\",\r\n \"\"\r\n )\r\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\r\n spypri == 2, \"Medium (2)\",\r\n spypri == 3, \"Low (3)\",\r\n \"\"\r\n )\r\n| extend\r\n EventVendor = \"SonicWall\"\r\n , EventProduct = \"Firewall\"\r\n , DvcOs = \"SonicOS\"\r\n , DvcOsVersion = EventProductVersion\r\n , DvcIdType = \"Other\"\r\n , DvcDescription = DeviceProduct\r\n , Rule = RuleName\r\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\r\n , sosIPSFullString = ipscat\r\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS 
Category/Signature\r\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\r\n , FileSize = tolong(coalesce(FileSize, long(null)))\r\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\r\n , HttpReferrer = extract(@'Referer: (.*)\\\"$', 1, coalesce(sosLogMsgNote, \"\"))\r\n , sosHttpRequestMethod_ = extract(@'Command: (.\\w+)', 1, coalesce(sosLogMsgNote, \"\"))\r\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\r\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\r\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\r\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\r\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\r\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. 
', 1, sosEventMessageDetail)\r\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\r\n , EventOriginalSeverity = LogSeverity\r\n , Dst = DstIpAddr\r\n , Src = SrcIpAddr\r\n , IpAddr = SrcIpAddr\r\n , EventStartTime = TimeGenerated\r\n , EventEndTime = TimeGenerated\r\n , EventType = \"HTTPsession\"\r\n , EventSchemaVersion = \"0.2.5\"\r\n , EventSchema = \"WebSession\"\r\n , EventCount = toint(1)\r\n , EventUid = _ItemId\r\n , UserAgent = HttpUserAgent\r\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\r\n| extend\r\n UrlCategory = sosCFSCategoryName\r\n , HttpRequestMethod = coalesce(HttpRequestMethod, sosHttpRequestMethod_)\r\n , SrcUsername = coalesce(susr, SrcUsername)\r\n , FileName = coalesce(FileName, sosAppControlFileName)\r\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\r\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\r\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\r\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\r\n , SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\r\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\r\n , DstZone == \"MULTICAST\", \"NA\"\r\n , DstZone == \"WAN\", \"Outbound\"\r\n , \"Local\"\r\n )\r\n , User = SrcUsername\r\n| extend\r\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\r\n SrcUsername has \"\\\\\", \"Windows\",\r\n SrcUsername has \"@\", \"UPN\",\r\n SrcUsername == \"Unknown (external IP)\", \"\",\r\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\r\n isnotempty(SrcUsername), \"Simple\",\r\n \"\"\r\n )\r\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\r\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\r\n , \"\"\r\n )\r\n| extend\r\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\r\n , ThreatField == \"DstIpAddr\", DstIpAddr\r\n , 
\"\"\r\n )\r\n| extend\r\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\r\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\r\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\r\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\r\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\r\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\r\n , SrcBytes = case(NetworkDirection == \"Outbound\", tolong(SentBytes)\r\n , NetworkDirection == \"Inbound\", tolong(ReceivedBytes)\r\n , NetworkDirection == \"Local\" and SrcZone == \"WAN\", tolong(ReceivedBytes)\r\n , NetworkDirection == \"Local\" and SrcZone != \"WAN\", tolong(SentBytes)\r\n , tolong(long(null))\r\n )\r\n , DstBytes = case(NetworkDirection == \"Outbound\", tolong(ReceivedBytes)\r\n , NetworkDirection == \"Inbound\", tolong(SentBytes)\r\n , NetworkDirection == \"Local\" and DstZone == \"WAN\", tolong(SentBytes)\r\n , NetworkDirection == \"Local\" and DstZone != \"WAN\", tolong(ReceivedBytes)\r\n , tolong(long(null))\r\n )\r\n| extend\r\n SrcAppType = case(isempty(SrcAppName), \"\"\r\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\r\n , DstAppType = case(isempty(DstAppName), \"\"\r\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\r\n| project-rename\r\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\r\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\r\n| extend\r\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\r\n , NetworkDirection == \"Inbound\", tolong(sosSentPackets)\r\n , tolong(long(null))\r\n )\r\n , SrcPackets = case(NetworkDirection == \"Outbound\", 
tolong(sosSentPackets)\r\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\r\n , tolong(long(null))\r\n )\r\n| project-rename\r\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\r\n , sosUser = susr // Logged-in username associated with the log event.\r\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\r\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\r\n , sosAppRuleService = af_service // App Rule Service Name.\r\n , sosAppRuleType = af_type // App Rule Policy Type.\r\n , sosAppRuleObject = af_object // App Rule Object Name.\r\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\r\n , sosAppRuleAction = af_action // App Rule Action.\r\n , sosSourceIPv6Address = srcV6 // Source IPv6 IP\r\n , sosDestinationIPv6Address = dstV6 // Destination IPv6 IP\r\n , sosAppFullString = appcat // The full \" -- \" string.\r\n , sosAppIDNumber = app // Numeric Application ID. Not the same as \"ApplicationProtocol\".\r\n , sosAppID = appid // Application ID from App Control\r\n , sosAppCategoryID = catid // Application Category ID\r\n , sosAppSignatureID = sid // Application Signature ID\r\n , sosIPSCategoryName = ipscat // IPS Category Name\r\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\r\n , sosURLPathName = arg // URL. Represents the URL path name.\r\n , sosFileIdentifier = fileid // File hash or URL\r\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. 
Applies only to Connection Closed messages.\r\n , DstNatPortNumber = dnpt\r\n , SrcNatPortNumber = snpt\r\n , sosBladeID = bid // Blade ID\r\n , sosUUID = uuid\r\n , sosFileName = FileName\r\n , DvcOriginalAction = fw_action\r\n| extend\r\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\r\n , ThreatId = coalesce(sosAppSignatureID, \"\")\r\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\r\n , DstNatPortNumber = toint(DstNatPortNumber)\r\n , SrcNatPortNumber = toint(SrcNatPortNumber)\r\n| extend AdditionalFields = bag_pack(\r\n \"AppRulePolicyId\", sosAppRulePolicyId\r\n , \"AppRulePolicyName\", sosAppRulePolicyName\r\n , \"AppRuleService\", sosAppRuleService\r\n , \"AppRuleType\", sosAppRuleType\r\n , \"AppRuleObject\", sosAppRuleObject\r\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\r\n , \"AppRuleAction\", sosAppRuleAction\r\n , \"AppID\", sosAppID\r\n , \"AppCategoryID\", sosAppCategoryID\r\n , \"IPSCategoryName\", sosIPSCategoryName\r\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\r\n , \"URLPathName\", sosURLPathName\r\n , \"FileIdentifier\", sosFileIdentifier\r\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\r\n , \"BladeID\", sosBladeID\r\n , \"UUID\", sosUUID\r\n , \"FileName\", sosFileName\r\n , \"FileSize\", FileSize\r\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\r\n , \"CFSCategoryID\", sosCFSCategoryID\r\n , \"CFSCategoryName\", sosCFSCategoryName\r\n , \"CFSPolicyName\", sosCFSPolicyName\r\n , \"AppControlFileName\", sosAppControlFileName\r\n , \"IPSFullString\", sosIPSFullString\r\n , \"IPSSignatureName\", sosIPSSignatureName\r\n , \"LogMsgCategory\", sosLogMsgCategory\r\n , \"LogMsgNote\", sosLogMsgNote\r\n , \"LogMsgSeverity\", sosLogMsgSeverity\r\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\r\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\r\n , \"EventMessageDetail\", sosEventMessageDetail\r\n , \"UserSessionType\", sosUserSessionType\r\n 
, \"UserSessionDuration\", sosUserSessionDuration\r\n )\r\n| project-away\r\n DeviceEventCategory\r\n , gcat\r\n , RequestMethod\r\n , RequestURL_\r\n , ipspri\r\n , spypri\r\n , sos*\r\n , Protocol\r\n , appName\r\n , AdditionalExtensions\r\n , Flex*\r\n , Indicator*\r\n , Malicious*\r\n , Field*\r\n , DeviceCustom*\r\n , Old*\r\n , File*\r\n , Source*\r\n , Destination*\r\n , Device*\r\n , SimplifiedDeviceAction\r\n , ExternalID\r\n , ExtID\r\n , TenantId\r\n , ProcessName\r\n , ProcessID\r\n , ExtID\r\n , OriginalLogSeverity\r\n , LogSeverity\r\n , EventOutcome\r\n , StartTime\r\n , EndTime\r\n , ReceiptTime\r\n , Remote*\r\n , ThreatDescription\r\n , ThreatSeverity\r\n , RequestContext\r\n , RequestCookies\r\n , CommunicationDirection\r\n , ReportReferenceLink\r\n , ReceivedBytes\r\n , SentBytes\r\n , _ResourceId\r\n , _ItemId\r\n| project-reorder\r\n TimeGenerated\r\n , EventVendor\r\n , EventProduct\r\n , DvcDescription\r\n , Dvc\r\n , DvcOs\r\n , DvcOsVersion\r\n};\r\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), url_has_any:dynamic = dynamic([]), httpuseragent_has_any:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Web Session ASIM filtering parser for SonicWall firewalls.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"d367d573-36bf-5820-8a87-6e0f51c229f6","name":"_Im_WebSession_SquidProxyV04","body":"let parser = (\r\n starttime:datetime=datetime(null), \r\n 
endtime:datetime=datetime(null),\r\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \r\n url_has_any:dynamic=dynamic([]),\r\n httpuseragent_has_any:dynamic=dynamic([]),\r\n eventresultdetails_in:dynamic=dynamic([]),\r\n eventresult:string='*',\r\n disabled:bool=false\r\n ){\r\nSquidProxy_CL | where not(disabled)\r\n // -- Pre filtering\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = 400, \"Failure\", \"Success\")\r\n | where eventresult == \"*\" or eventresult == EventResultDetails\r\n // -- Map\r\n | extend\r\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \r\n NetworkDuration = toint(AccessRawLog[1]), \r\n SrcIpAddr = tostring(AccessRawLog[2]), \r\n DstBytes = toint(AccessRawLog[5]), \r\n HttpRequestMethod = tostring(AccessRawLog[6]), \r\n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\r\n Url = tostring(AccessRawLog[7]), \r\n SrcUsername = tostring(AccessRawLog[8]), \r\n DstIpAddr = tostring(AccessRawLog[10]), \r\n HttpContentType = tostring(AccessRawLog[11]) \r\n // -- Constant fields\r\n | extend \r\n EventCount = int(1), \r\n EventProduct = 'Squid Proxy', \r\n EventVendor = 'Apache', \r\n EventSchema = 'WebSession', \r\n EventSchemaVersion = '0.1.0', \r\n EventType = 'HTTPsession' \r\n // -- Value normalization\r\n | extend\r\n UsernameType = \"Unknown\",\r\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \r\n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \r\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\r\n | extend \r\n DstFQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\r\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\r\n | extend \r\n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\"),\r\n DstFQDNparts = 
split (DstFQDN, \".\")\r\n | extend \r\n DstHostname = tostring(DstFQDNparts[0]),\r\n DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\"),\r\n DstDomainType = \"FQDN\"\r\n // -- aliases\r\n | extend \r\n EventStartTime = EventEndTime,\r\n Duration = NetworkDuration,\r\n HttpStatusCode = EventResultDetails,\r\n User = SrcUsername,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstHostname,\r\n Hostname = DstHostname\r\n | project-away AccessRawLog, RawData\r\n};\r\nparser (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), url_has_any:dynamic = dynamic([]), httpuseragent_has_any:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', eventresultdetails_has_any:dynamic = dynamic([]), disabled:bool = false","description":"Web Session ASIM filtering parser for Squid Proxy.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"33f7b64a-a938-5d12-a1e5-9457e688e9b9","name":"_Im_WebSession_SquidProxyV05","body":"let parser = (\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null),\r\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \r\n ipaddr_has_any_prefix:dynamic=dynamic([]), \r\n url_has_any:dynamic=dynamic([]),\r\n httpuseragent_has_any:dynamic=dynamic([]),\r\n eventresultdetails_in:dynamic=dynamic([]),\r\n eventresult:string='*',\r\n disabled:bool=false\r\n ){\r\nSquidProxy_CL | where not(disabled)\r\n // -- Pre filtering\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = 400, \"Failure\", \"Success\")\r\n | where eventresult == \"*\" or eventresult == EventResult\r\n // -- Map\r\n | extend\r\n EventEndTime = 
unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \r\n NetworkDuration = toint(AccessRawLog[1]), \r\n SrcIpAddr = tostring(AccessRawLog[2]), \r\n DstBytes = toint(AccessRawLog[5]), \r\n HttpRequestMethod = tostring(AccessRawLog[6]), \r\n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\r\n Url = tostring(AccessRawLog[7]), \r\n SrcUsername = tostring(AccessRawLog[8]), \r\n DstIpAddr = tostring(AccessRawLog[10]), \r\n HttpContentType = tostring(AccessRawLog[11]) \r\n //\r\n | extend \r\n ASimMatchingIpAddr = case( \r\n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\r\n has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix), \"DstIpAddr\",\r\n has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix), \"SrcIpAddr\"\r\n , \"No match\"\r\n )\r\n // Post Filter\r\n | where \r\n (\r\n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\r\n and (ASimMatchingIpAddr != \"No match\")\r\n )\r\n // -- Constant fields\r\n | extend \r\n EventCount = int(1), \r\n EventProduct = 'Squid Proxy', \r\n EventVendor = 'Squid', \r\n EventSchema = 'WebSession', \r\n EventSchemaVersion = '0.2.3', \r\n EventType = 'HTTPsession' \r\n // -- Value normalization\r\n | extend\r\n UsernameType = \"Unknown\",\r\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \r\n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \r\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\r\n | extend \r\n DstFQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\r\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\r\n | extend \r\n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\"),\r\n DstFQDNparts = split (DstFQDN, \".\")\r\n | extend \r\n DstHostname = tostring(DstFQDNparts[0]),\r\n DstDomain = 
strcat_array(array_slice(DstFQDNparts,1,-1),\".\"),\r\n DstDomainType = \"FQDN\"\r\n // -- aliases\r\n | extend \r\n EventStartTime = EventEndTime,\r\n Duration = NetworkDuration,\r\n HttpStatusCode = EventResultDetails,\r\n User = SrcUsername,\r\n IpAddr = SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstHostname,\r\n Hostname = DstHostname\r\n | project-away AccessRawLog, RawData\r\n};\r\nparser (starttime, endtime, srcipaddr_has_any_prefix, ipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), url_has_any:dynamic = dynamic([]), httpuseragent_has_any:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Web Session ASIM filtering parser for Squid Proxy.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"2420a4b3-1758-54af-bb7f-906f762865fa","name":"_Im_WebSession_SquidProxyV06","body":"let parser = (\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null),\r\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \r\n ipaddr_has_any_prefix:dynamic=dynamic([]), \r\n url_has_any:dynamic=dynamic([]),\r\n httpuseragent_has_any:dynamic=dynamic([]),\r\n eventresultdetails_in:dynamic=dynamic([]),\r\n eventresult:string='*',\r\n disabled:bool=false\r\n ){\r\nSquidProxy_CL | where not(disabled)\r\n // -- Pre filtering\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = 400, \"Failure\", \"Success\")\r\n | where eventresult == \"*\" or eventresult == EventResult\r\n // -- Map\r\n | project-rename\r\n Dvc = Computer\r\n | extend\r\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \r\n 
NetworkDuration = toint(AccessRawLog[1]), \r\n SrcIpAddr = tostring(AccessRawLog[2]), \r\n DstBytes = tolong(AccessRawLog[5]), \r\n HttpRequestMethod = tostring(AccessRawLog[6]), \r\n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\r\n Url = tostring(AccessRawLog[7]), \r\n SrcUsername = tostring(AccessRawLog[8]), \r\n DstIpAddr = tostring(AccessRawLog[10]), \r\n HttpContentType = tostring(AccessRawLog[11]) \r\n //\r\n | extend \r\n ASimMatchingIpAddr = case( \r\n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\r\n has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix), \"DstIpAddr\",\r\n has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix), \"SrcIpAddr\"\r\n , \"No match\"\r\n )\r\n // Post Filter\r\n | where \r\n (\r\n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\r\n and (ASimMatchingIpAddr != \"No match\")\r\n )\r\n // -- Constant fields\r\n | extend \r\n EventCount = int(1), \r\n EventProduct = 'Squid Proxy', \r\n EventVendor = 'Squid', \r\n EventSchema = 'WebSession', \r\n EventSchemaVersion = '0.2.3', \r\n EventType = 'HTTPsession' \r\n // -- Value normalization\r\n | extend\r\n SrcUsernameType = \"Unknown\",\r\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \r\n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \r\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\r\n | extend \r\n FQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\r\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\r\n | extend \r\n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\")\r\n | invoke _ASIM_ResolveDstFQDN ('FQDN')\r\n // -- aliases\r\n | extend \r\n EventStartTime = EventEndTime,\r\n Duration = NetworkDuration,\r\n HttpStatusCode = EventResultDetails,\r\n User = SrcUsername,\r\n IpAddr = 
SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstHostname,\r\n Hostname = DstHostname\r\n | project-away AccessRawLog, RawData, *_s, MG, ManagementGroupName, SourceSystem, TenantId, DstIpAddrIsHost\r\n};\r\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), url_has_any:dynamic = dynamic([]), httpuseragent_has_any:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Web Session ASIM filtering parser for Squid Proxy.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"8052c91c-d8f8-5f92-8a2a-82a7710dd73e","name":"_Im_WebSession_SquidProxyV07","body":"let parser = (\r\n starttime:datetime=datetime(null), \r\n endtime:datetime=datetime(null),\r\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \r\n ipaddr_has_any_prefix:dynamic=dynamic([]), \r\n url_has_any:dynamic=dynamic([]),\r\n httpuseragent_has_any:dynamic=dynamic([]),\r\n eventresultdetails_in:dynamic=dynamic([]),\r\n eventresult:string='*',\r\n disabled:bool=false\r\n ){\r\nSquidProxy_CL | where not(disabled)\r\n // -- Pre filtering\r\n | where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = 400, \"Failure\", \"Success\")\r\n | where eventresult == \"*\" or eventresult == EventResult\r\n // -- Map\r\n | extend Computer = columnifexists(\"Computer\", \"\")\r\n | project-rename\r\n Dvc = Computer\r\n | extend\r\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), 
\r\n NetworkDuration = toint(AccessRawLog[1]), \r\n SrcIpAddr = tostring(AccessRawLog[2]), \r\n DstBytes = tolong(AccessRawLog[5]), \r\n HttpRequestMethod = tostring(AccessRawLog[6]), \r\n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\r\n Url = tostring(AccessRawLog[7]), \r\n SrcUsername = tostring(AccessRawLog[8]), \r\n DstIpAddr = tostring(AccessRawLog[10]), \r\n HttpContentType = tostring(AccessRawLog[11]) \r\n //\r\n | extend \r\n ASimMatchingIpAddr = case( \r\n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\r\n has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix), \"DstIpAddr\",\r\n has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix), \"SrcIpAddr\"\r\n , \"No match\"\r\n )\r\n // Post Filter\r\n | where \r\n (\r\n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\r\n and (ASimMatchingIpAddr != \"No match\")\r\n )\r\n // -- Constant fields\r\n | extend \r\n EventCount = int(1), \r\n EventProduct = 'Squid Proxy', \r\n EventVendor = 'Squid', \r\n EventSchema = 'WebSession', \r\n EventSchemaVersion = '0.2.3', \r\n EventType = 'HTTPsession' \r\n // -- Value normalization\r\n | extend\r\n SrcUsernameType = \"Simple\",\r\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \r\n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \r\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\r\n | extend \r\n FQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\r\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\r\n | extend \r\n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\")\r\n | invoke _ASIM_ResolveDstFQDN ('FQDN')\r\n // -- aliases\r\n | extend \r\n EventStartTime = EventEndTime,\r\n Duration = NetworkDuration,\r\n HttpStatusCode = EventResultDetails,\r\n User = SrcUsername,\r\n IpAddr 
= SrcIpAddr,\r\n Src = SrcIpAddr,\r\n Dst = DstHostname,\r\n Hostname = DstHostname\r\n | project-away AccessRawLog, RawData, *_s, DstIpAddrIsHost\r\n};\r\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), url_has_any:dynamic = dynamic([]), httpuseragent_has_any:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Web Session ASIM filtering parser for Squid Proxy.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"e3e500c9-c7ee-5711-bdd4-75d16e835a87","name":"_Im_WebSession_VectraAIV01","body":"let parser = (starttime: datetime = datetime(null),\r\n endtime: datetime = datetime(null),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n ipaddr_has_any_prefix: dynamic = dynamic([]),\r\n url_has_any: dynamic = dynamic([]),\r\n httpuseragent_has_any: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool = false)\r\n{\r\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)\r\n [\r\n false, true, 'Inbound',\r\n true, false, 'Outbound',\r\n true, true, 'Local',\r\n false, false, 'Local'\r\n ];\r\n let NetworkProtocolVersionLookup = datatable(id_ip_ver_s:string, NetworkApplicationProtocol:string)\r\n [\r\n 'ipv4', 'IPv4',\r\n 'ipv6', 'IPv6'\r\n ];\r\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\r\n let remove_protocol_from_urls = \r\n materialize (\r\n print url_has_any \r\n | 
mv-apply l = print_0 to typeof(string) on ( \r\n extend l = extract(@'^(?i:.*?://)?(.*)$', 1, l)\r\n ) \r\n | project l\r\n );\r\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n VectraStream_CL\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = 400, \"Failure\", \"Success\")\r\n | where (eventresult == '*' or EventResult =~ eventresult)\r\n | project-rename\r\n DvcDescription = hostname_s,\r\n DstDescription = resp_hostname_s,\r\n SrcDescription = orig_hostname_s,\r\n DstIpAddr = id_resp_h_s,\r\n EventOriginalUid = uid_s,\r\n HttpContentType = resp_mime_types_s,\r\n HttpReferrer = referrer_s,\r\n HttpRequestMethod = method_s,\r\n HttpUserAgent = user_agent_s,\r\n DvcId = sensor_uid_s,\r\n // -- community id is just a hash of addresses and ports, and not unique for the session\r\n // NetworkSessionId = community_id_s,\r\n SrcIpAddr = id_orig_h_s,\r\n SrcSessionId = orig_sluid_s,\r\n DstSessionId = resp_sluid_s,\r\n HttpResponseCacheControl = response_cache_control_s,\r\n HttpRequestCacheControl = request_cache_control_s,\r\n HttpCookie = cookie_s,\r\n HttpResponseExpires = response_expires_s,\r\n HttpIsProxied = is_proxied_b,\r\n EventOriginalStatusDetails = status_msg_s\r\n | extend\r\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\r\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\r\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\r\n DstBytes = tolong(resp_ip_bytes_d),\r\n DstPackets = tolong(resp_pkts_d),\r\n DstPortNumber = toint(id_resp_p_d),\r\n EventCount = toint(1),\r\n EventStartTime = unixtime_milliseconds_todatetime(ts_d),\r\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\r\n 
EventProduct = 'Vectra Stream',\r\n EventResultDetails = tostring(toint(status_code_d)),\r\n HttpRequestBodyBytes = tolong(request_body_len_d),\r\n HttpResponseBodyBytes = tolong(response_body_len_d),\r\n HttpRequestHeaderCount = toint(request_header_count_d),\r\n HttpResponseHeaderCount = toint(response_header_count_d),\r\n EventSchema = 'WebSession',\r\n EventSchemaVersion='0.2.3',\r\n DvcIdType = 'VectraId',\r\n EventSeverity = iff (EventResult == 'Success', 'Informational', 'Low'),\r\n EventType = 'HTTPsession',\r\n EventVendor = 'Vectra AI',\r\n SrcBytes = tolong(orig_ip_bytes_d),\r\n SrcPackets = tolong(orig_pkts_d),\r\n SrcPortNumber = toint(id_orig_p_d),\r\n Url = strcat('http://', host_s, uri_s)\r\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\r\n | lookup NetworkProtocolVersionLookup on id_ip_ver_s\r\n // -- preserving non-normalized important fields\r\n | project-rename \r\n first_orig_resp_data_pkt = first_orig_resp_data_pkt_s,\r\n first_resp_orig_data_pkt = first_resp_orig_data_pkt_s,\r\n orig_huid = orig_huid_s,\r\n resp_huid = resp_huid_s,\r\n community_id = community_id_s,\r\n resp_multihome = resp_multihomed_b,\r\n host_multihomed = host_multihomed_b\r\n | extend\r\n first_orig_resp_data_pkt_time = unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\r\n first_orig_resp_pkt_time = unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\r\n first_resp_orig_data_pkt_time = unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\r\n first_resp_orig_pkt_time = unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\r\n | project-away\r\n *_d, *_s, *_b, *_g, Computer, MG, ManagementGroupName, RawData, SourceSystem\r\n | extend\r\n Dst = DstIpAddr,\r\n Dvc = DvcId,\r\n EventEndTime = EventStartTime,\r\n Hostname = DstHostname,\r\n HttpStatusCode = EventResultDetails,\r\n IpAddr = SrcIpAddr,\r\n NetworkBytes = SrcBytes + DstBytes,\r\n NetworkPackets = SrcPackets + DstPackets,\r\n //SessionId = 
NetworkSessionId,\r\n Src = SrcIpAddr,\r\n UserAgent = HttpUserAgent \r\n};\r\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), url_has_any:dynamic = dynamic([]), httpuseragent_has_any:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Web Session ASIM filtering parser for Vectra AI streams.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"82d93f1a-1917-5897-bbda-a1dd80c6ba0e","name":"_Im_WebSession_VectraAIV02","body":"let parser = (starttime: datetime = datetime(null),\r\n endtime: datetime = datetime(null),\r\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\r\n ipaddr_has_any_prefix: dynamic = dynamic([]),\r\n url_has_any: dynamic = dynamic([]),\r\n httpuseragent_has_any: dynamic = dynamic([]),\r\n eventresultdetails_in: dynamic = dynamic([]),\r\n eventresult: string = '*',\r\n disabled: bool = false,\r\n pack:bool = false)\r\n{\r\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)\r\n [\r\n false, true, 'Inbound',\r\n true, false, 'Outbound',\r\n true, true, 'Local',\r\n false, false, 'Local'\r\n ];\r\n let NetworkProtocolVersionLookup = datatable(id_ip_ver_s:string, NetworkApplicationProtocol:string)\r\n [\r\n 'ipv4', 'IPv4',\r\n 'ipv6', 'IPv6'\r\n ];\r\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\r\n let remove_protocol_from_urls = \r\n materialize (\r\n print url_has_any \r\n | mv-apply l = print_0 to typeof(string) on ( \r\n extend l 
= extract(@'^(?i:.*?://)?(.*)$', 1, l)\r\n ) \r\n | project l\r\n );\r\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \r\n VectraStream_CL\r\n | where not(disabled)\r\n | where (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated = 400, \"Failure\", \"Success\")\r\n | where (eventresult == '*' or EventResult =~ eventresult)\r\n | project-rename\r\n DvcDescription = hostname_s,\r\n DstDescription = resp_hostname_s,\r\n SrcDescription = orig_hostname_s,\r\n DstIpAddr = id_resp_h_s,\r\n EventOriginalUid = uid_s,\r\n HttpContentType = resp_mime_types_s,\r\n HttpReferrer = referrer_s,\r\n HttpRequestMethod = method_s,\r\n HttpUserAgent = user_agent_s,\r\n DvcId = sensor_uid_s,\r\n // -- community id is just a hash of addresses and ports, and not unique for the session\r\n // NetworkSessionId = community_id_s,\r\n SrcIpAddr = id_orig_h_s,\r\n SrcSessionId = orig_sluid_s,\r\n DstSessionId = resp_sluid_s,\r\n HttpResponseCacheControl = response_cache_control_s,\r\n HttpRequestCacheControl = request_cache_control_s,\r\n HttpCookie = cookie_s,\r\n HttpResponseExpires = response_expires_s,\r\n HttpIsProxied = is_proxied_b,\r\n EventOriginalStatusDetails = status_msg_s\r\n | extend\r\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\r\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\r\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\r\n DstBytes = tolong(resp_ip_bytes_d),\r\n DstPackets = tolong(resp_pkts_d),\r\n DstPortNumber = toint(id_resp_p_d),\r\n EventCount = toint(1),\r\n EventStartTime = unixtime_milliseconds_todatetime(ts_d),\r\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\r\n EventProduct = 'Vectra Stream',\r\n EventResultDetails = 
tostring(toint(status_code_d)),\r\n HttpRequestBodyBytes = tolong(request_body_len_d),\r\n HttpResponseBodyBytes = tolong(response_body_len_d),\r\n HttpRequestHeaderCount = toint(request_header_count_d),\r\n HttpResponseHeaderCount = toint(response_header_count_d),\r\n EventSchema = 'WebSession',\r\n EventSchemaVersion='0.2.3',\r\n DvcIdType = 'VectraId',\r\n EventSeverity = iff (EventResult == 'Success', 'Informational', 'Low'),\r\n EventType = 'HTTPsession',\r\n EventVendor = 'Vectra AI',\r\n SrcBytes = tolong(orig_ip_bytes_d),\r\n SrcPackets = tolong(orig_pkts_d),\r\n SrcPortNumber = toint(id_orig_p_d),\r\n Url = strcat('http://', host_s, uri_s)\r\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\r\n | lookup NetworkProtocolVersionLookup on id_ip_ver_s\r\n // -- preserving non-normalized important fields\r\n | extend AdditionalFields = iff (\r\n pack, \r\n bag_pack (\r\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\r\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\r\n \"orig_huid\", orig_huid_s,\r\n \"resp_huid\", resp_huid_s,\r\n \"community_id\", community_id_s,\r\n \"resp_multihome\", resp_multihomed_b,\r\n \"host_multihomed\", host_multihomed_b,\r\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\r\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\r\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\r\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\r\n ),\r\n dynamic([])\r\n )\r\n | project-away\r\n *_d, *_s, *_b, *_g, Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\r\n | extend\r\n Dst = DstIpAddr,\r\n Dvc = DvcId,\r\n EventEndTime = EventStartTime,\r\n Hostname = DstHostname,\r\n HttpStatusCode = EventResultDetails,\r\n IpAddr = SrcIpAddr,\r\n NetworkBytes = SrcBytes + DstBytes,\r\n NetworkPackets = 
SrcPackets + DstPackets,\r\n //SessionId = NetworkSessionId,\r\n Src = SrcIpAddr,\r\n UserAgent = HttpUserAgent \r\n};\r\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled, pack=pack)","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), url_has_any:dynamic = dynamic([]), httpuseragent_has_any:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false, pack:bool = false","description":"Web Session ASIM filtering parser for Vectra AI streams.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"046cb5bd-2e6f-5d88-8791-1e0c3de4b327","name":"_Im_WebSession_ZscalerZIAV03","body":"let DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \r\n[\r\n 'Allowed', 'Allow',\r\n 'Blocked', 'Deny'\r\n]; \r\nlet remove_protocol_from_list = (list:dynamic) \r\n{\r\n print list \r\n | mv-apply l = print_0 to typeof(string) on\r\n ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") ) \r\n | project l\r\n};\r\nlet parser = (\r\nstarttime:datetime=datetime(null), \r\nendtime:datetime=datetime(null),\r\nsrcipaddr_has_any_prefix:dynamic=dynamic([]), \r\nurl_has_any:dynamic=dynamic([]),\r\nhttpuseragent_has_any:dynamic=dynamic([]),\r\neventresultdetails_in:dynamic=dynamic([]),\r\neventresult:string='*',\r\ndisabled:bool=false\r\n){\r\nCommonSecurityLog | where not(disabled)\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceProduct == \"NSSWeblog\"\r\n // -- Pre filtering\r\n| where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or 
TimeGenerated = 400, \"Failure\", \"Success\"),\r\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\r\n DstAppType = \"SaaS application\",\r\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\r\n SrcUsernameType = \"UPN\"\r\n// -- Aliases\r\n| extend\r\n Dvc = DvcHostname,\r\n UserAgent = HttpUserAgent,\r\n User = SrcUsername,\r\n HttpStatusCode = EventResultDetails,\r\n IpAddr = SrcNatIpAddr,\r\n Src = SrcNatIpAddr,\r\n Dst = DstFQDN,\r\n Hash = FileMD5,\r\n Hostname = DstHostname,\r\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\r\n| project-away \r\n DstFQDNparts, AdditionalExtensions, DeviceCustom*\r\n};\r\nparser (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), url_has_any:dynamic = dynamic([]), httpuseragent_has_any:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', eventresultdetails_has_any:dynamic = dynamic([]), disabled:bool = false","description":"Web Session ASIM filtering parser for Zscaler ZIA.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"065e3f27-1508-5603-ad00-f05ee67778a1","name":"_Im_WebSession_ZscalerZIAV04","body":"let DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \r\n[\r\n 'Allowed', 'Allow',\r\n 'Blocked', 'Deny'\r\n]; \r\nlet remove_protocol_from_list = (list:dynamic) \r\n{\r\n print list \r\n | mv-apply l = print_0 to typeof(string) on\r\n ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") ) \r\n | project l\r\n};\r\nlet parser = (\r\nstarttime:datetime=datetime(null), \r\nendtime:datetime=datetime(null),\r\nsrcipaddr_has_any_prefix:dynamic=dynamic([]), 
\r\nipaddr_has_any_prefix:dynamic=dynamic([]), \r\nurl_has_any:dynamic=dynamic([]),\r\nhttpuseragent_has_any:dynamic=dynamic([]),\r\neventresultdetails_in:dynamic=dynamic([]),\r\neventresult:string='*',\r\ndisabled:bool=false\r\n){\r\nCommonSecurityLog | where not(disabled)\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceProduct == \"NSSWeblog\"\r\n// -- Pre filtering\r\n| where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = 400, \"Failure\", \"Success\")\r\n| where eventresult == \"*\" or eventresult == EventResult\r\n// -- Event fields\r\n| lookup DvcActionLookup on DeviceAction\r\n| extend \r\n // -- Adjustment to support both old and new CSL fields.\r\n EventOriginalResultDetails = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\r\n ),\r\n ThreatRiskLevel = coalesce(\r\n toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\r\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\r\n ),\r\n EventCount=int(1), \r\n EventStartTime=TimeGenerated, \r\n EventVendor = \"Zscaler\", \r\n EventProduct = \"ZIA Proxy\", \r\n EventSchema = \"WebSession\", \r\n EventSchemaVersion=\"0.2.3\", \r\n EventType = 'HTTPsession',\r\n EventEndTime=TimeGenerated\r\n// -- Field mapping\r\n| project-rename\r\n EventProductVersion = DeviceVersion,\r\n NetworkApplicationProtocol = ApplicationProtocol,\r\n HttpContentType = FileType,\r\n HttpUserAgent = RequestClientApplication,\r\n HttpRequestMethod = RequestMethod,\r\n DstAppName = DestinationServiceName,\r\n DstIpAddr = DestinationIP,\r\n DstFQDN = DestinationHostName,\r\n SrcIpAddr = SourceIP,\r\n SrcUsername = SourceUserName,\r\n SrcNatIpAddr= SourceTranslatedAddress,\r\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\r\n UrlCategory = DeviceCustomString2,\r\n ThreatName = DeviceCustomString5,\r\n FileMD5 = DeviceCustomString6\r\n// -- Calculated 
fields\r\n| extend\r\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\r\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\r\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\r\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\r\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\r\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\r\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\r\n DstFQDNparts = split (DstFQDN, \".\"),\r\n DstHostnameNotAddr = DstIpAddr != DstFQDN,\r\n DstBytes = toint(ReceivedBytes),\r\n SrcBytes = toint(SentBytes),\r\n DvcHostname = tostring(Computer)\r\n| extend\r\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\r\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\r\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \r\n// -- Enrichment\r\n| extend\r\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\r\n DstAppType = \"SaaS application\",\r\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\r\n SrcUsernameType = \"UPN\"\r\n// -- Aliases\r\n| extend\r\n Dvc = DvcHostname,\r\n UserAgent = HttpUserAgent,\r\n User = SrcUsername,\r\n HttpStatusCode = EventResultDetails,\r\n IpAddr = SrcNatIpAddr,\r\n Src = SrcNatIpAddr,\r\n Dst = DstFQDN,\r\n Hash = FileMD5,\r\n Hostname = DstHostname,\r\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\r\n| project-away \r\n DstFQDNparts, AdditionalExtensions, DeviceCustom*\r\n};\r\nparser (starttime, endtime\r\n , srcipaddr_has_any_prefix, ipaddr_has_any_prefix\r\n , url_has_any, httpuseragent_has_any\r\n , eventresultdetails_in, eventresult, disabled)\r\n","parameters":"starttime:datetime = 
datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), url_has_any:dynamic = dynamic([]), httpuseragent_has_any:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Web Session ASIM filtering parser for Zscaler ZIA.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"b7fb35fe-659f-5db8-b204-e8da026493c5","name":"_Im_WebSession_ZscalerZIAV05","body":"let DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \r\n[\r\n 'Allowed', 'Allow',\r\n 'Blocked', 'Deny'\r\n]; \r\nlet remove_protocol_from_list = (list:dynamic) \r\n{\r\n print list \r\n | mv-apply l = print_0 to typeof(string) on\r\n ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") ) \r\n | project l\r\n};\r\nlet parser = (\r\nstarttime:datetime=datetime(null), \r\nendtime:datetime=datetime(null),\r\nsrcipaddr_has_any_prefix:dynamic=dynamic([]), \r\nipaddr_has_any_prefix:dynamic=dynamic([]), \r\nurl_has_any:dynamic=dynamic([]),\r\nhttpuseragent_has_any:dynamic=dynamic([]),\r\neventresultdetails_in:dynamic=dynamic([]),\r\neventresult:string='*',\r\ndisabled:bool=false\r\n){\r\nCommonSecurityLog | where not(disabled)\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceProduct == \"NSSWeblog\"\r\n// -- Pre filtering\r\n| where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = 400, \"Failure\", \"Success\")\r\n| where eventresult == \"*\" or eventresult == EventResult\r\n// -- Event fields\r\n| lookup DvcActionLookup on DeviceAction\r\n| extend \r\n // -- Adjustment to support both old and new CSL fields.\r\n EventOriginalResultDetails = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\r\n ),\r\n ThreatRiskLevel = coalesce(\r\n 
toint(column_ifexists(\"fieldDeviceCustomNumber1\", int(null))),\r\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\r\n ),\r\n EventCount=int(1), \r\n EventStartTime=TimeGenerated, \r\n EventVendor = \"Zscaler\", \r\n EventProduct = \"ZIA Proxy\", \r\n EventSchema = \"WebSession\", \r\n EventSchemaVersion=\"0.2.3\", \r\n EventType = 'HTTPsession',\r\n EventEndTime=TimeGenerated\r\n// -- Field mapping\r\n| project-rename\r\n EventProductVersion = DeviceVersion,\r\n NetworkApplicationProtocol = ApplicationProtocol,\r\n HttpContentType = FileType,\r\n HttpUserAgent = RequestClientApplication,\r\n HttpRequestMethod = RequestMethod,\r\n DstAppName = DestinationServiceName,\r\n DstIpAddr = DestinationIP,\r\n DstFQDN = DestinationHostName,\r\n SrcIpAddr = SourceIP,\r\n SrcUsername = SourceUserName,\r\n SrcNatIpAddr= SourceTranslatedAddress,\r\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\r\n UrlCategory = DeviceCustomString2,\r\n ThreatName = DeviceCustomString5,\r\n FileMD5 = DeviceCustomString6\r\n// -- Calculated fields\r\n| extend\r\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\r\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\r\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\r\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\r\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\r\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\r\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\r\n DstFQDNparts = split (DstFQDN, \".\"),\r\n DstHostnameNotAddr = DstIpAddr != DstFQDN,\r\n DstBytes = tolong(ReceivedBytes),\r\n SrcBytes = tolong(SentBytes),\r\n DvcHostname = tostring(Computer)\r\n| extend\r\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\r\n DstDomain 
= iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\r\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \r\n// -- Enrichment\r\n| extend\r\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\r\n DstAppType = \"SaaS application\",\r\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\r\n SrcUsernameType = \"UPN\"\r\n// -- Aliases\r\n| extend\r\n Dvc = DvcHostname,\r\n Hostname = DstHostname,\r\n UserAgent = HttpUserAgent,\r\n User = SrcUsername,\r\n HttpStatusCode = EventResultDetails,\r\n IpAddr = SrcNatIpAddr,\r\n Src = SrcNatIpAddr,\r\n Dst = DstFQDN,\r\n Hash = FileMD5,\r\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\r\n| project-away \r\n DstFQDNparts, AdditionalExtensions, DeviceCustom*\r\n};\r\nparser (starttime, endtime\r\n , srcipaddr_has_any_prefix, ipaddr_has_any_prefix\r\n , url_has_any, httpuseragent_has_any\r\n , eventresultdetails_in, eventresult, disabled)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), url_has_any:dynamic = dynamic([]), httpuseragent_has_any:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Web Session ASIM filtering parser for Zscaler ZIA.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"3e729a7c-5a0b-5fe2-91c2-24283b90a16b","name":"_Im_WebSession_ZscalerZIAV06","body":"let DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \r\n[\r\n 'Allowed', 'Allow',\r\n 'Blocked', 'Deny'\r\n]; \r\nlet remove_protocol_from_list = (list:dynamic) \r\n{\r\n print list \r\n | mv-apply l = print_0 to typeof(string) on\r\n ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") ) \r\n | project 
l\r\n};\r\nlet parser = (\r\nstarttime:datetime=datetime(null), \r\nendtime:datetime=datetime(null),\r\nsrcipaddr_has_any_prefix:dynamic=dynamic([]), \r\nipaddr_has_any_prefix:dynamic=dynamic([]), \r\nurl_has_any:dynamic=dynamic([]),\r\nhttpuseragent_has_any:dynamic=dynamic([]),\r\neventresultdetails_in:dynamic=dynamic([]),\r\neventresult:string='*',\r\ndisabled:bool=false\r\n){\r\nCommonSecurityLog | where not(disabled)\r\n| where DeviceVendor == \"Zscaler\"\r\n| where DeviceProduct == \"NSSWeblog\"\r\n// -- Pre filtering\r\n| where \r\n (isnull(starttime) or TimeGenerated >= starttime) \r\n and (isnull(endtime) or TimeGenerated = 400, \"Failure\", \"Success\")\r\n| where eventresult == \"*\" or eventresult == EventResult\r\n// -- Event fields\r\n| lookup DvcActionLookup on DeviceAction\r\n| extend \r\n // -- Adjustment to support both old and new CSL fields.\r\n EventOriginalResultDetails = coalesce(\r\n column_ifexists(\"Reason\", \"\"),\r\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\r\n ),\r\n ThreatRiskLevel = coalesce(\r\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\r\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\r\n ),\r\n EventCount=int(1), \r\n EventStartTime=TimeGenerated, \r\n EventVendor = \"Zscaler\", \r\n EventProduct = \"ZIA Proxy\", \r\n EventSchema = \"WebSession\", \r\n EventSchemaVersion=\"0.2.3\", \r\n EventType = 'HTTPsession',\r\n EventEndTime=TimeGenerated\r\n// -- Field mapping\r\n| project-rename\r\n EventProductVersion = DeviceVersion,\r\n NetworkApplicationProtocol = ApplicationProtocol,\r\n HttpContentType = FileType,\r\n HttpUserAgent = RequestClientApplication,\r\n HttpRequestMethod = RequestMethod,\r\n DstAppName = DestinationServiceName,\r\n DstIpAddr = DestinationIP,\r\n DstFQDN = DestinationHostName,\r\n SrcIpAddr = SourceIP,\r\n SrcUsername = SourceUserName,\r\n SrcNatIpAddr= SourceTranslatedAddress,\r\n SrcUserDepartment = SourceUserPrivileges, // Not part of the 
standard schema\r\n UrlCategory = DeviceCustomString2,\r\n ThreatName = DeviceCustomString5,\r\n FileMD5 = DeviceCustomString6,\r\n EventOriginalSeverity = LogSeverity,\r\n EventMessage = Message\r\n// -- Calculated fields\r\n| extend\r\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\r\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\r\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\r\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\r\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\r\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\r\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\r\n DstFQDNparts = split (DstFQDN, \".\"),\r\n DstHostnameNotAddr = DstIpAddr != DstFQDN,\r\n DstBytes = tolong(ReceivedBytes),\r\n SrcBytes = tolong(SentBytes),\r\n DvcHostname = tostring(Computer)\r\n| extend\r\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\r\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\r\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \r\n// -- Enrichment\r\n| extend\r\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\r\n DstAppType = \"SaaS application\",\r\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\r\n SrcUsernameType = \"UPN\"\r\n// -- Aliases\r\n| extend\r\n Dvc = DvcHostname,\r\n Hostname = DstHostname,\r\n UserAgent = HttpUserAgent,\r\n User = SrcUsername,\r\n HttpStatusCode = EventResultDetails,\r\n IpAddr = SrcNatIpAddr,\r\n Src = SrcNatIpAddr,\r\n Dst = DstFQDN,\r\n Hash = FileMD5,\r\n Rule = RuleName,\r\n HashType = iff(FileMD5 == \"\", \"\", \"MD5\")\r\n| project-away DstFQDNparts\r\n| project-away 
AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, Activity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, urlclass, ruletype, DstHostnameNotAddr\r\n};\r\nparser (starttime, endtime\r\n , srcipaddr_has_any_prefix, ipaddr_has_any_prefix\r\n , url_has_any, httpuseragent_has_any\r\n , eventresultdetails_in, eventresult, disabled)\r\n","parameters":"starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic([]), ipaddr_has_any_prefix:dynamic = dynamic([]), url_has_any:dynamic = dynamic([]), httpuseragent_has_any:dynamic = dynamic([]), eventresultdetails_in:dynamic = dynamic([]), eventresult:string = '*', disabled:bool = false","description":"Web Session ASIM filtering parser for Zscaler ZIA.","related":{"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"16c5d5c6-fa53-4d0d-ae83-58a7cb4bc442","name":"_GetWatchlistAlias","body":"union Watchlist, ConfidentialWatchlist | where _DTItemType == 'watchlist' | summarize hint.shufflekey=_DTItemId arg_max(_DTTimestamp, _DTItemStatus, WatchlistAlias) by _DTItemId | where _DTItemStatus != 'Delete' | distinct WatchlistAlias","description":"Get all distinct watchlist aliases","related":{"solutions":["SecurityInsights"]}},{"id":"b880122e-8c7b-4409-9713-8a63d66b7e17","name":"_GetWatchlist","body":"union Watchlist, ConfidentialWatchlist | where TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated 1d))\r\n| project UniqueId = VaultUniqueId, Name = VaultName, Id = ResourceId, SubscriptionId, Location = AzureDataCenter, 
VaultStore_StorageReplicationType = StorageReplicationType, Tags = VaultTags, TimeGenerated, Type = \"Microsoft.RecoveryServices/vaults\"\r\n};\r\nlet VaultHistoryUnderResourceSpecificForDPP = ()\r\n{\r\nCoreAzureBackup\r\n// Take records until previous day\r\n| where TimeGenerated >= _RangeStart and TimeGenerated = _RangeStart and TimeGenerated 1d))\r\n| project UniqueId, Id, Name, SubscriptionId, Location, VaultStore_StorageReplicationType, ArchiveStore_StorageReplicationType, Tags, TimeGenerated, Type\r\n};\r\nlet FinalTable_Reporting = ()\r\n{\r\nunion (FinalTable_DPP | where \"Microsoft.DataProtection/backupVaults\" in~ (_VaultTypeList) or '*' in (_VaultTypeList)), (FinalTable_V1Vault | where \"Microsoft.RecoveryServices/vaults\" in~ (_VaultTypeList) or '*' in (_VaultTypeList))\r\n};\r\nFinalTable_Reporting","parameters":"RangeStart:datetime = datetime(null), RangeEnd:datetime = datetime(null), VaultSubscriptionList:string=\"*\", VaultLocationList:string=\"*\", VaultList:string=\"*\", VaultTypeList:string=\"*\", ExcludeLegacyEvent:bool=True","displayName":"_AzureBackup_GetVaults","description":"Returns the list of Recovery Services vaults in your Azure environment that are associated with the workspace","related":{"categories":["Management"],"solutions":["LogManagement"],"tables":["AzureDiagnostics","CoreAzureBackup"]}},{"id":"19551c5e-1e3e-4425-a1d7-c846a0bca2a2","name":"_AzureBackup_GetPolicies","body":"// Params\r\nlet _RangeStart = iff((isnull(RangeStart)), startofday(ago(1d)), startofday(RangeStart));\r\nlet _RangeEnd = iff((isnull(RangeEnd)), startofday(now()), startofday(RangeEnd) + 1d);\r\nlet _VaultSubscriptionList = split(VaultSubscriptionList, ',');\r\nlet _VaultLocationList = split(VaultLocationList, ',');\r\nlet _VaultList = split(VaultList, ',');\r\nlet _VaultTypeList = split(VaultTypeList, ',');\r\nlet _BackupSolutionList = split(BackupSolutionList, ',');\r\nlet _ExcludeLegacyEvent = ExcludeLegacyEvent;\r\n// Other Vars\r\nlet AsonDay = 
_RangeEnd-1d;\r\nlet AzureStorageCutoffDate = datetime(6/01/2020, 12:00:00.000 AM);\r\n// HelperFunctions\r\nlet Extend_BackupSolution = (T:(BackupManagementType:string, BackupItemType:string))\r\n{\r\nT | extend BackupSolution = iff(BackupManagementType == \"IaaSVM\", \"Azure Virtual Machine Backup\", \r\niff(BackupManagementType == \"MAB\", \"Azure Backup Agent\", \r\niff(BackupManagementType == \"DPM\", \"DPM\", \r\niff(BackupManagementType == \"AzureBackupServer\", \"Azure Backup Server\", \r\niff(BackupManagementType == \"AzureStorage\", \"Azure Storage (Azure Files) Backup\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\", \"SQL in Azure VM Backup\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\", \"SAP HANA in Azure VM Backup\",\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\", \"SAP ASE (Sybase) in Azure VM\",\r\niff(BackupItemType == \"AzurePostgres_FlexibleServer\", \"Azure Database for PostgreSQL flexible servers\",\r\niff(BackupItemType == \"AzureDataLakeStorage\", \"Azure Data Lake Storage Backup\",\"\"))))))))))\r\n};\r\nlet ConvertDataSourceTypeToBackupSolution = (DataSourceType:string)\r\n{\r\n\tiff(DataSourceType == \"Microsoft.DBforPostgreSQL/servers/databases\",\"Azure Database for PostgreSQL Server Backup\",\r\n\tiff(DataSourceType == \"Microsoft.Storage/storageAccounts/blobServices\", \"Azure Blob Backup\",\r\n\tiff(DataSourceType == \"Microsoft.Compute/disks\",\"Azure Disk Backup\",\r\n\tiff(DataSourceType == \"Microsoft.DBforPostgreSQL/flexibleServers\",\"Azure Database for PostgreSQL flexible servers\",\r\n\tiff(DataSourceType == \"Microsoft.Storage/storageAccounts/adlsBlobServices\",\"Azure Data Lake Storage Backup\",\"\")))))\r\n};\r\n// Source Tables\r\nlet VaultUnderAzureDiagnostics = ()\r\n{\r\nAzureDiagnostics\r\n// Take records until previous day\r\n| where TimeGenerated >= _RangeStart and TimeGenerated = 
_RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated 1d))\r\n| project UniqueId = PolicyUniqueId, Name = PolicyName, TimeZone = PolicyTimeZone, Id = strcat(ResourceId, \"/backupPolicies/\", PolicyName), \r\nBackupFrequency = iff(isnotempty(BackupFrequency), pack(\"BackupFrequency\", BackupFrequency), dynamic(null)),\r\nDiffBackupFormat = iff(isnotempty(DiffBackupFormat), pack(\"DiffBackupFormat\", DiffBackupFormat), dynamic(null)),\r\nLogBackupFrequency = iff(isnotempty(LogBackupFrequency), pack(\"LogBackupFrequency\", LogBackupFrequency), dynamic(null)),\r\nDailyRetentionDuration = iff(isnotempty(DailyRetentionDuration), pack(\"DailyRetentionDuration\", DailyRetentionDuration), dynamic(null)),\r\nWeeklyRetentionDuration = iff(isnotempty(WeeklyRetentionDuration), pack(\"WeeklyRetentionDuration\", WeeklyRetentionDuration), dynamic(null)),\r\nMonthlyRetentionDuration = iff(isnotempty(MonthlyRetentionDuration), pack(\"MonthlyRetentionDuration\", MonthlyRetentionDuration), dynamic(null)),\r\nYearlyRetentionDuration = iff(isnotempty(YearlyRetentionDuration), pack(\"YearlyRetentionDuration\", YearlyRetentionDuration), dynamic(null)),\r\nDiffBackupRetentionDuration = iff(isnotempty(DiffBackupRetentionDuration), pack(\"DiffBackupRetentionDuration\", DiffBackupRetentionDuration), dynamic(null)),\r\nLogBackupRetentionDuration = iff(isnotempty(LogBackupRetentionDuration), pack(\"LogBackupRetentionDuration\", LogBackupRetentionDuration), dynamic(null)),\r\nBackupSolution, TimeGenerated, VaultUniqueId, VaultResourceId = ResourceId, VaultName, VaultTags, VaultLocation = AzureDataCenter, VaultSubscriptionId = SubscriptionId, VaultStore_StorageReplicationType = 
StorageReplicationType,VaultType = \"Microsoft.Recoveryservices/vaults\"\r\n| project UniqueId, Name, TimeZone, Id, BackupSolution, TimeGenerated, VaultUniqueId, VaultResourceId, VaultName, VaultTags, VaultLocation, VaultSubscriptionId, VaultStore_StorageReplicationType, VaultType, ExtendedProperties = bag_merge(BackupFrequency, DiffBackupFormat, LogBackupFrequency, DailyRetentionDuration, WeeklyRetentionDuration, MonthlyRetentionDuration, YearlyRetentionDuration, DiffBackupRetentionDuration, LogBackupRetentionDuration)\r\n};\r\nlet PolicyHistoryUnderResourceSpecificForDPP = ()\r\n{\r\nAddonAzureBackupPolicy\r\n// Take records until previous day\r\n| where TimeGenerated >= _RangeStart and TimeGenerated = _RangeStart and TimeGenerated 1d))\r\n| project UniqueId, Name, TimeZone, Id, BackupSolution, TimeGenerated, VaultUniqueId, VaultResourceId, VaultName, VaultTags, VaultLocation, VaultSubscriptionId, VaultStore_StorageReplicationType, ArchiveStore_StorageReplicationType, VaultType, ExtendedProperties\r\n};\r\nlet FinalTable_Reporting = ()\r\n{\r\nunion (FinalTable_DPP |where \"Microsoft.DataProtection/backupVaults\" in~ (_VaultTypeList) or '*' in (_VaultTypeList)), (FinalTable_V1Vault | where \"Microsoft.RecoveryServices/vaults\" in~ (_VaultTypeList) or '*' in (_VaultTypeList))\r\n};\r\nFinalTable_Reporting","parameters":"RangeStart:datetime = datetime(null), RangeEnd:datetime = datetime(null), VaultSubscriptionList:string=\"*\", VaultLocationList:string=\"*\", VaultList:string=\"*\", VaultTypeList:string=\"*\", ExcludeLegacyEvent:bool=True, BackupSolutionList:string=\"*\"","displayName":"_AzureBackup_GetPolicies","description":"Returns the list of backup policies that are being used in your Azure environment along with detailed information about each policy such as the datasource type, storage replication type, 
etc.","related":{"categories":["Management"],"solutions":["LogManagement"],"tables":["AddonAzureBackupPolicy","AzureDiagnostics","CoreAzureBackup"]}},{"id":"19551c5e-1e3e-4425-a1d7-c846a0bca2a3","name":"_AzureBackup_GetBackupInstances","body":"// Params\r\nlet _RangeStart = iff((isnull(RangeStart)), startofday(ago(1d)), startofday(RangeStart));\r\nlet _RangeEnd = iff((isnull(RangeEnd)), startofday(now()), startofday(RangeEnd) + 1d);\r\nlet _VaultSubscriptionList = split(VaultSubscriptionList, ',');\r\nlet _VaultLocationList = split(VaultLocationList, ',');\r\nlet _VaultList = split(VaultList, ',');\r\nlet _VaultTypeList = split(VaultTypeList, ',');\r\nlet _ExcludeLegacyEvent = ExcludeLegacyEvent;\r\nlet _BackupSolutionList = split(BackupSolutionList, ',');\r\nlet _ProtectionInfoList = split(ProtectionInfoList, ',');\r\nlet _DatasourceSetName = DatasourceSetName;\r\nlet _BackupInstanceName = BackupInstanceName;\r\nlet _DisplayAllFields = DisplayAllFields;\r\n// Other Vars\r\nlet AsonDay = _RangeEnd-1d;\r\nlet AzureStorageCutoffDate = datetime(6/01/2020, 12:00:00.000 AM);\r\n// HelperFunctions\r\nlet ConvertDataSourceTypeToBackupSolution = (DataSourceType:string)\r\n{\r\n\tiff(DataSourceType == \"Microsoft.DBforPostgreSQL/servers/databases\",\"Azure Database for PostgreSQL Server Backup\",\r\n\tiff(DataSourceType == \"Microsoft.Storage/storageAccounts/blobServices\", \"Azure Blob Backup\",\r\n\tiff(DataSourceType == \"Microsoft.Compute/disks\",\"Azure Disk Backup\",\r\n\tiff(DataSourceType == \"Microsoft.DBforPostgreSQL/flexibleServers\",\"Azure Database for PostgreSQL flexible servers\",\r\n\tiff(DataSourceType == \"Microsoft.Storage/storageAccounts/adlsBlobServices\",\"Azure Data Lake Storage Backup\",\"\")))))\r\n};\r\n\r\nlet ConvertBackupItemProtectionStateToProtectionInfo = (ProtectionState:string)\r\n{\r\n\tiff(ProtectionState == \"ProtectionConfigured\", \"Protected\", iff(ProtectionState == \"ConfiguringProtection\", \"ConfiguringProtection\", 
iff(ProtectionState == \"ConfiguringProtectionFailed\", \"ConfiguringProtectionFailed\", iff(ProtectionState == \"UpdatingProtection\", \"UpdatingProtection\", iff(ProtectionState == \"ProtectionError\", \"ProtectionError\", iff(ProtectionState == \"ProtectionStopped\", \"ProtectionStopped\", iff(ProtectionState == \"BackupsSuspended\", \"ProtectionStopped\", iff(ProtectionState == \"SoftDeleted\", \"ProtectionStopped\",\"\"))))))))\r\n};\r\nlet Extend_BackupSolution = (T:(BackupManagementType:string, BackupItemType:string))\r\n{\r\nT | extend BackupSolution = iff(BackupManagementType == \"IaaSVM\", \"Azure Virtual Machine Backup\", \r\niff(BackupManagementType == \"MAB\", \"Azure Backup Agent\", \r\niff(BackupManagementType == \"DPM\", \"DPM\", \r\niff(BackupManagementType == \"AzureBackupServer\", \"Azure Backup Server\", \r\niff(BackupManagementType == \"AzureStorage\", \"Azure Storage (Azure Files) Backup\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\", \"SQL in Azure VM Backup\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\", \"SAP HANA in Azure VM Backup\",\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\", \"SAP ASE (Sybase) in Azure VM\",\r\niff(BackupItemType == \"AzurePostgres_FlexibleServer\", \"Azure Database for PostgreSQL flexible servers\",\r\niff(BackupItemType == \"AzureDataLakeStorage\", \"Azure Data Lake Storage Backup\",\"\"))))))))))\r\n};\r\nlet Extend_DatasourceType = (T:(BackupManagementType:string, BackupItemType:string))\r\n{\r\nT | extend DatasourceType = iff(BackupManagementType == \"IaaSVM\", \"Microsoft.Compute/virtualMachines\", \r\niff(BackupManagementType == \"MAB\", BackupItemType, \r\niff(BackupManagementType == \"DPM\", iff(BackupItemType == \"SQLDB\",\"SQLDataBase\",BackupItemType), \r\niff(BackupManagementType == \"AzureBackupServer\", iff(BackupItemType == \"SQLDB\",\"SQLDataBase\",BackupItemType), 
\r\niff(BackupManagementType == \"AzureStorage\", \"Microsoft.Storage/storageAccounts/fileServices/shares\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\", \"SQLDataBase\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\", \"SAPHanaDatabase\",\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\", \"SAPAseDatabase\",\r\niff(BackupItemType == \"AzurePostgres_FlexibleServer\", \"Microsoft.DBforPostgreSQL/flexibleServers\",\r\niff(BackupItemType == \"AzureDataLakeStorage\", \"Microsoft.Storage/storageAccounts/adlsBlobServices\",\"\"))))))))))\r\n};\r\nlet Extend_BackupInstanceId = (T:(ResourceId:string, BackupManagementType:string, BackupItemType:string, ProtectedContainerName:string, BackupItemName:string))\r\n{\r\nT | extend BackupInstanceId = toupper(iff ((BackupManagementType == \"IaaSVM\" and BackupItemType == \"VM\"), strcat(ResourceId,\"/backupFabrics/Azure/protectionContainers/IaasVMContainer;\", ProtectedContainerName, \"/protectedItems/VM;\", ProtectedContainerName),\r\niff((BackupManagementType == \"AzureStorage\" and BackupItemType == \"AzureFileShare\"), strcat(ResourceId,\"/backupFabrics/Azure/protectionContainers/StorageContainer;\", ProtectedContainerName, \"/protectedItems/AzureFileShare;\", BackupItemName) , \r\niff((BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\"), strcat(ResourceId,\"/backupFabrics/Azure/protectionContainers/VMAppContainer;\", ProtectedContainerName, \"/protectedItems/SQLDataBase;\", BackupItemName) , \r\niff((BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\"), strcat(ResourceId,\"/backupFabrics/Azure/protectionContainers/VMAppContainer;\", ProtectedContainerName, \"/protectedItems/SAPHanaDatabase;\", BackupItemName),\r\niff((BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\"), 
strcat(ResourceId,\"/backupFabrics/Azure/protectionContainers/VMAppContainer;\", ProtectedContainerName, \"/protectedItems/SAPAseDatabase;\", BackupItemName), \"\"))))))\r\n};\r\nlet Extend_DatasourceSetResourceId_DatasourceSetType_DatasourceResourceId = (T:(ResourceId:string, ProtectedContainerName:string, BackupManagementType:string, BackupItemType:string, BackupItemUniqueId:string, BackupItemName:string, BackupItemFriendlyName:string))\r\n{\r\nT | extend prefix = array_strcat(array_split(split(ResourceId,\"/\"), 4)[0] ,\"/\")\r\n| extend container_array = split(ProtectedContainerName,\";\")\r\n| extend container_arraylen = array_length(container_array)\r\n| extend containerNameString = iff(container_arraylen == 3, ProtectedContainerName, \"\")\r\n| parse containerNameString with entityType:string \";\" rgName:string \";\" entityName:string\r\n| extend entityURL = iff((BackupManagementType == \"AzureStorage\" and BackupItemType == \"AzureFileShare\"), iff(entityType == \"storage\", \"/Microsoft.Storage/storageAccounts/\", \"/Microsoft.ClassicStorage/storageAccounts/\"), iff((BackupManagementType == \"IaaSVM\" and BackupItemType == \"VM\"), iff(entityType =~ \"iaasvmcontainerv2\", \"/Microsoft.Compute/virtualMachines/\", \"/Microsoft.ClassicCompute/virtualMachines/\"), iff(((BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\") or (BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\") or (BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\")), iff(entityType =~ \"compute\", \"/Microsoft.Compute/virtualMachines/\", \"/Microsoft.ClassicCompute/virtualMachines/\"), \"\")))\r\n| extend DatasourceSetResourceId = toupper(iff(BackupManagementType in (\"DPM\", \"AzureBackupServer\", \"MAB\"), \"\" , iff(containerNameString != \"\", strcat(prefix, \"/\", rgName, \"/providers\", entityURL, entityName), \"\")))\r\n// DatasourceSetType\r\n| extend DatasourceSetType = 
iff(BackupManagementType == \"IaaSVM\", iff(entityType =~ \"iaasvmcontainerv2\", \"Microsoft.Compute/virtualMachines\", \"Microsoft.ClassicCompute/virtualMachines\"), \r\niff(BackupManagementType == \"MAB\", \"Azure Backup Agent\", \r\niff(BackupManagementType == \"DPM\", \"DPM\", \r\niff(BackupManagementType == \"AzureBackupServer\", \"Azure Backup Server\", \r\niff(BackupManagementType == \"AzureStorage\", iff(entityType == \"storage\", \"Microsoft.Storage/storageAccounts\", \"Microsoft.ClassicStorage/storageAccounts\"), \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\", iff(entityType =~ \"compute\", \"Microsoft.Compute/virtualMachines\", \"Microsoft.ClassicCompute/virtualMachines\"), \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\", iff(entityType =~ \"compute\", \"Microsoft.Compute/virtualMachines\", \"Microsoft.ClassicCompute/virtualMachines\"),\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\", iff(entityType =~ \"compute\", \"Microsoft.Compute/virtualMachines\", \"Microsoft.ClassicCompute/virtualMachines\"), \"\"))))))))\r\n| extend DatasourceResourceId = toupper(iff(BackupManagementType in (\"DPM\", \"AzureBackupServer\", \"MAB\"), BackupItemUniqueId, \r\niff(BackupManagementType == \"IaaSVM\", DatasourceSetResourceId, \r\niff(BackupManagementType == \"AzureStorage\", strcat(DatasourceSetResourceId, \"/fileServices/default/shares/\", BackupItemFriendlyName),\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\",iff(DatasourceSetResourceId != \"\",strcat(DatasourceSetResourceId, \"/providers/Microsoft.RecoveryServices/backupProtectedItem/SQLDataBase;\", BackupItemName),\"\"),\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\",iff(DatasourceSetResourceId != \"\",strcat(DatasourceSetResourceId, 
\"/providers/Microsoft.RecoveryServices/backupProtectedItem/SAPHanaDatabase;\", BackupItemName),\"\"),\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\",iff(DatasourceSetResourceId != \"\",strcat(DatasourceSetResourceId, \"/providers/Microsoft.RecoveryServices/backupProtectedItem/SAPAseDatabase;\", BackupItemName),\"\"),\"\")))))))\r\n| project-away prefix, container_array, container_arraylen, containerNameString, entityURL \r\n};\r\n// Source Tables\r\nlet VaultUnderAzureDiagnostics = ()\r\n{\r\nAzureDiagnostics\r\n// Take records until previous day\r\n| where TimeGenerated >= _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated 1d))\r\n| project BackupItemName, BackupItemFriendlyName, BackupItemProtectionState, PolicyUniqueId, PolicyName = iff(BackupItemProtectionState == \"ProtectionStopped\", \"(none)\", PolicyName), SubscriptionId, ResourceGroupName, AzureDataCenter, VaultUniqueId, VaultName, VaultTags, BackupManagementType, BackupItemType, BackupSolution, BackupItemFrontEndSize, StorageConsumedInMBs = iff(isempty(StorageConsumedInMBs), todouble(0), StorageConsumedInMBs), ResourceId, ProtectedContainerUniqueId, ProtectedContainerName, ProtectedContainerFriendlyName, BackupItemUniqueId, StorageReplicationType, 
OldestRecoveryPointTime, LatestRecoveryPointTime, TimeGenerated\r\n};\r\nlet FinalTable_V1Vault = () {Extend_DatasourceType(Extend_BackupInstanceId(Extend_DatasourceSetResourceId_DatasourceSetType_DatasourceResourceId(FinalTable)))\r\n| extend container_array = split(ProtectedContainerName,\";\")\r\n| extend container_arraylen = array_length(container_array)\r\n| project UniqueId = BackupItemUniqueId, Id = BackupInstanceId, FriendlyName = BackupItemFriendlyName, ProtectionInfo = BackupItemProtectionState, LatestRecoveryPoint = LatestRecoveryPointTime, OldestRecoveryPoint = OldestRecoveryPointTime, SourceSizeInMBs = BackupItemFrontEndSize, VaultStore_StorageConsumptionInMBs = StorageConsumedInMBs, DataSourceFriendlyName = BackupItemFriendlyName, BackupSolution, DatasourceType, DatasourceResourceId, DatasourceSetFriendlyName = ProtectedContainerFriendlyName, DatasourceSetResourceId, DatasourceSetType, PolicyName, PolicyUniqueId, PolicyId = strcat(ResourceId, \"/backupPolicies/\", PolicyName), VaultResourceId = ResourceId, VaultUniqueId, VaultName, VaultTags, VaultStore_StorageReplicationType = StorageReplicationType, VaultSubscriptionId = SubscriptionId, VaultLocation = AzureDataCenter, VaultType = \"Microsoft.RecoveryServices/vaults\", TimeGenerated\r\n};\r\nlet BackupItemHistoryUnderResourceSpecificForDPP = ()\r\n{\r\nCoreAzureBackup\r\n// Take records until previous day\r\n| where TimeGenerated >= _RangeStart and TimeGenerated = _RangeStart and TimeGenerated 1d))\r\n| project 
UniqueId,Id,FriendlyName,ProtectionInfo,LatestRecoveryPoint,OldestRecoveryPoint,SourceSizeInMBs,VaultStore_StorageConsumptionInMBs,DataSourceFriendlyName,BackupSolution,DatasourceType,DatasourceResourceId,DatasourceSetFriendlyName,DatasourceSetResourceId,DatasourceSetType,PolicyName,PolicyUniqueId,PolicyId,VaultResourceId,VaultUniqueId,VaultName,VaultTags,VaultSubscriptionId,VaultLocation,VaultStore_StorageReplicationType,ArchiveStore_StorageReplicationType,VaultType,TimeGenerated\r\n};\r\nlet FinalTable_Reporting = ()\r\n{\r\nunion (FinalTable_DPP |where \"Microsoft.DataProtection/backupVaults\" in~ (_VaultTypeList) or '*' in (_VaultTypeList)), (FinalTable_V1Vault | where \"Microsoft.RecoveryServices/vaults\" in~ (_VaultTypeList) or '*' in (_VaultTypeList))\r\n};\r\nFinalTable_Reporting","parameters":"RangeStart:datetime = datetime(null), RangeEnd:datetime = datetime(null), VaultSubscriptionList:string=\"*\", VaultLocationList:string=\"*\", VaultList:string=\"*\", VaultTypeList:string=\"*\", ExcludeLegacyEvent:bool=True, BackupSolutionList:string=\"*\", ProtectionInfoList:string=\"*\", DatasourceSetName:string=\"*\", BackupInstanceName:string=\"*\", DisplayAllFields:bool=True","displayName":"_AzureBackup_GetBackupInstances","description":"Returns the list of backup instances that are associated with your Recovery Services vaults, along with detailed information about each backup instance, such as cloud storage consumption, associated policy etc.","related":{"categories":["Management"],"solutions":["LogManagement"],"tables":["AddonAzureBackupPolicy","AddonAzureBackupStorage","AzureDiagnostics","CoreAzureBackup"]}},{"id":"19551c5e-1e3e-4425-a1d7-c846a0bca2a4","name":"_AzureBackup_GetBillingGroups","body":"// Params\r\nlet _RangeStart = iff((isnull(RangeStart)), startofday(ago(1d)), startofday(RangeStart));\r\nlet _RangeEnd = iff((isnull(RangeEnd)), startofday(now()), startofday(RangeEnd) + 1d);\r\nlet _VaultSubscriptionList = split(VaultSubscriptionList, 
',');\r\nlet _VaultLocationList = split(VaultLocationList, ',');\r\nlet _VaultList = split(VaultList, ',');\r\nlet _VaultTypeList = split(VaultTypeList, ',');\r\nlet _ExcludeLegacyEvent = ExcludeLegacyEvent;\r\nlet _BackupSolutionList = split(BackupSolutionList, ',');\r\nlet _BillingGroupName = BillingGroupName;\r\n//Other Vars\r\nlet AsonDay = _RangeEnd-1d;\r\nlet AzureStorageCutoffDate = datetime(6/01/2020, 12:00:00.000 AM);\r\nlet AzureStorageProtectedInstanceCountCutoffDate = datetime(2/01/2021, 12:00:00.000 AM);\r\n// HelperFunctions\r\nlet ConvertDataSourceTypeToBackupSolution = (DataSourceType:string)\r\n{\r\n\tiff(DataSourceType == \"Microsoft.DBforPostgreSQL/servers/databases\",\"Azure Database for PostgreSQL Server Backup\",\r\n\tiff(DataSourceType == \"Microsoft.Storage/storageAccounts/blobServices\", \"Azure Blob Backup\",\r\n\tiff(DataSourceType == \"Microsoft.Compute/disks\",\"Azure Disk Backup\",\r\n\tiff(DataSourceType == \"Microsoft.DBforPostgreSQL/flexibleServers\",\"Azure Database for PostgreSQL flexible servers\",\r\n\tiff(DataSourceType == \"Microsoft.Storage/storageAccounts/adlsBlobServices\",\"Azure Data Lake Storage Backup\",\"\")))))\r\n};\r\nlet Extend_BackupSolution = (T:(BackupManagementType:string, BackupItemType:string))\r\n{\r\nT | extend BackupSolution = iff(BackupManagementType == \"IaaSVM\", \"Azure Virtual Machine Backup\", \r\niff(BackupManagementType == \"MAB\", \"Azure Backup Agent\", \r\niff(BackupManagementType == \"DPM\", \"DPM\", \r\niff(BackupManagementType == \"AzureBackupServer\", \"Azure Backup Server\", \r\niff(BackupManagementType == \"AzureStorage\", \"Azure Storage (Azure Files) Backup\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\", \"SQL in Azure VM Backup\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\", \"SAP HANA in Azure VM Backup\",\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\", 
\"SAP ASE (Sybase) in Azure VM\",\r\niff(BackupItemType == \"AzurePostgres_FlexibleServer\", \"Azure Database for PostgreSQL flexible servers\",\r\niff(BackupItemType == \"AzureDataLakeStorage\", \"Azure Data Lake Storage Backup\",\"\"))))))))))\r\n};\r\n// Source Tables\r\nlet VaultUnderAzureDiagnostics = ()\r\n{\r\nAzureDiagnostics\r\n// Take records until previous day\r\n| where TimeGenerated >= _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated 0)\r\n| join kind= leftanti (LatestProtectedContainerHistoryInfoTableExcludingDPMVMs ) on ProtectedContainerUniqueId, TimeRangeEndDay\r\n| project ProtectedContainerUniqueId, BackupManagementType, ResourceId, TimeGenerated, ProtectedInstanceCount, TimeRangeEndDay)\r\n| join (\r\nunion isfuzzy = true \r\n(ProtectedContainerUnderAzureDiagnostics() | where _ExcludeLegacyEvent == false),\r\n(ProtectedContainerUnderResourceSpecific())\r\n| where BackupManagementType in (\"DPM\",\"AzureBackupServer\")\r\n| where isempty(_BillingGroupName) or _BillingGroupName == \"*\" or ProtectedContainerFriendlyName contains (_BillingGroupName)\r\n| summarize arg_max(TimeGenerated, *) by ProtectedContainerUniqueId)\r\n on ProtectedContainerUniqueId\r\n // BackupItemFrontEndSize and StorageConsumed will be 0.0 as the same will be calculated at cluster level \r\n // As it is DPM or AzureBackupServer, no 
extra handling needed for AzureWorkload\r\n // Ideally the TimeGenerated field should come from BackupItem/ProtectedContainer. This is a special case and we are getting the container properties from latest table and not from history table.\r\n| project TimeRangeEndDay, TimeGenerated, ProtectedInstanceCount, BackupItemFrontEndSize = 0.0, StorageConsumedInMBs = 0.0, BackupManagementType, CustomBackupManagementType = BackupManagementType, \r\nBackupSolution = iff(BackupManagementType == \"AzureBackupServer\", \"Azure Backup Server\", \"DPM\"), BillingGroupType = \"DatasourceSet\", BillingGroupFriendlyName = ProtectedContainerFriendlyName, \r\n BillingGroupUniqueId = ProtectedContainerUniqueId, BillingGroupName = ProtectedContainerName, ProtectedContainerName, VaultUniqueId, VaultName, VaultTags, SubscriptionId, ResourceGroupName, AzureDataCenter, StorageReplicationType, ResourceId\r\n};\r\n// Special handling for DPM, AzureBackupServer Cluster scenario - Node PS has ProtectedInstance, whereas Cluster PS has storage Consumption\r\nlet LatestProtectedInstanceTableFromDPMNodeProtectedContainerUniqueId = ()\r\n{ \r\n(\r\n(LatestProtectedInstanceTable(true)\r\n| where BackupManagementType in (\"DPM\",\"AzureBackupServer\")\r\n| where ProtectedInstanceCount > 0)\r\n| join kind= leftanti (LatestProtectedContainerInfoTableExcludingDPMVMs ) on ProtectedContainerUniqueId\r\n| project ProtectedContainerUniqueId, BackupManagementType, ResourceId, TimeGenerated, ProtectedInstanceCount, TimeRangeEndDay)\r\n| join (\r\nunion isfuzzy = true \r\n(ProtectedContainerUnderAzureDiagnostics() | where _ExcludeLegacyEvent == false),\r\n(ProtectedContainerUnderResourceSpecific())\r\n| where BackupManagementType in (\"DPM\",\"AzureBackupServer\")\r\n| where isempty(_BillingGroupName) or _BillingGroupName == \"*\" or ProtectedContainerFriendlyName contains (_BillingGroupName)\r\n| summarize arg_max(TimeGenerated, *) by ProtectedContainerUniqueId)\r\n on ProtectedContainerUniqueId\r\n // 
BackupItemFrontEndSize and StorageConsumed will be 0.0 as the same will be calculated at cluster level \r\n // As it is DPM or AzureBackupServer, no extra handling needed for AzureWorkload\r\n // Ideally the TimeGenerated field should come from BackupItem/ProtectedContainer. This is a special case and we are getting the container properties from latest table and not from history table.\r\n| project TimeRangeEndDay, TimeGenerated, ProtectedInstanceCount, BackupItemFrontEndSize = 0.0, StorageConsumedInMBs = 0.0, BackupManagementType, CustomBackupManagementType = BackupManagementType,\r\n BackupSolution = iff(BackupManagementType == \"AzureBackupServer\", \"Azure Backup Server\", \"DPM\"), BillingGroupType = \"DatasourceSet\", BillingGroupFriendlyName = ProtectedContainerFriendlyName, \r\n BillingGroupUniqueId = ProtectedContainerUniqueId, BillingGroupName = ProtectedContainerName, ProtectedContainerName, VaultUniqueId, VaultName, VaultTags, SubscriptionId, ResourceGroupName, AzureDataCenter, StorageReplicationType, ResourceId\r\n};\r\nlet ProtectedInstanceHistoryMetric = ( )\r\n{ union \r\n(LatestProtectedInstanceHistoryTableFromProtectedContainerUniqueId()),\r\n(LatestProtectedInstanceHistoryTableFromBackupItemUniqueId()),\r\n(LatestProtectedInstanceHistoryTableFromDPMNodeProtectedContainerUniqueId)\r\n| where BackupSolution in~ (_BackupSolutionList) or '*' in (_BackupSolutionList)\r\n| project CustomBackupManagementType, BackupItemFrontEndSize, StorageConsumedInMBs, BillingGroupUniqueId, BillingGroupFriendlyName, BillingGroupName, ProtectedInstanceCount, BillingGroupType, TimeRangeEndDay, TimeGenerated, BackupManagementType, BackupSolution, ProtectedContainerName, VaultUniqueId, VaultName, VaultTags, SubscriptionId, ResourceGroupName, AzureDataCenter, StorageReplicationType, ResourceId\r\n};\r\nlet ProtectedInstanceMetric = ( ) \r\n{ union \r\n(LatestProtectedInstanceTableFromBackupItemUniqueId() 
),\r\n(LatestProtectedInstanceTableFromProtectedContainerUniqueId()),\r\n(LatestProtectedInstanceTableFromDPMNodeProtectedContainerUniqueId)\r\n| where BackupSolution in~ (_BackupSolutionList) or '*' in (_BackupSolutionList)\r\n| project CustomBackupManagementType, BackupManagementType, BackupSolution, BackupItemFrontEndSize, StorageConsumedInMBs, ProtectedInstanceCount, BillingGroupUniqueId, BillingGroupFriendlyName, BillingGroupName, BillingGroupType, TimeRangeEndDay, TimeGenerated, ProtectedContainerName, VaultUniqueId, VaultName, VaultTags, SubscriptionId, ResourceGroupName, AzureDataCenter, StorageReplicationType, ResourceId\r\n};\r\nlet FinalTable = () {union (ProtectedInstanceMetric | where (_RangeEnd-_RangeStart == 1d)), (ProtectedInstanceHistoryMetric | where (_RangeEnd-_RangeStart > 1d))\r\n};\r\n// Display Tweaks for AFS and null ProtectedInstanceCount\r\n// Billing Entity is at BackupManagementType level and not at DS level. \r\nlet FinalTable_V1Vault = () {FinalTable\r\n| project CustomBackupManagementType, BackupManagementType, BackupSolution, ProtectedInstanceCount = iff(isempty(ProtectedInstanceCount), 0.0 ,todouble(ProtectedInstanceCount)/10), StorageConsumedInMBs = iff(isempty(StorageConsumedInMBs), todouble(0), todouble(StorageConsumedInMBs)), BackupItemFrontEndSize = iff(isempty(BackupItemFrontEndSize), todouble(0), todouble(BackupItemFrontEndSize)), BillingGroupUniqueId, BillingGroupType, BillingGroupName, BillingGroupFriendlyName, VaultUniqueId, VaultName, VaultTags, SubscriptionId, ResourceGroupName, AzureDataCenter, ResourceId, StorageReplicationType, ProtectedContainerName, TimeGenerated\r\n| project UniqueId = BillingGroupUniqueId, Name = BillingGroupName, Type = BillingGroupType, FriendlyName = BillingGroupFriendlyName, SourceSizeInMBs = BackupItemFrontEndSize, ExtendedProperties = pack(\"ProtectedInstanceCount\", ProtectedInstanceCount), VaultStore_StorageConsumptionInMBs = StorageConsumedInMBs, BackupSolution, VaultUniqueId, VaultName, 
VaultResourceId = ResourceId, VaultSubscriptionId = SubscriptionId, VaultLocation = AzureDataCenter, VaultStore_StorageReplicationType = StorageReplicationType, VaultTags, VaultType = \"Microsoft.RecoveryServices/vaults\", TimeGenerated};\r\nlet BillingGroupHistoryUnderResourceSpecificForDPP = ()\r\n{\r\nAddonAzureBackupProtectedInstance\r\n| where TimeGenerated >= _RangeStart and TimeGenerated = _RangeStart and TimeGenerated 1d))\r\n| project UniqueId, Name,FriendlyName, ResourceGroupName, Type, SourceSizeInMBs, VaultStore_StorageConsumptionInMBs, ArchiveStore_StorageConsumptionInMBs, BackupSolution, VaultResourceId, VaultUniqueId, VaultName, VaultTags, VaultSubscriptionId, VaultLocation, VaultStore_StorageReplicationType, ArchiveStore_StorageReplicationType, VaultType, TimeGenerated, ExtendedProperties\r\n};\r\nlet FinalTable_Reporting = ()\r\n{\r\nunion (FinalTable_DPP |where \"Microsoft.DataProtection/backupVaults\" in~ (_VaultTypeList) or '*' in (_VaultTypeList)), (FinalTable_V1Vault | where \"Microsoft.RecoveryServices/vaults\" in~ (_VaultTypeList) or '*' in (_VaultTypeList))\r\n};\r\nFinalTable_Reporting","parameters":"RangeStart:datetime = datetime(null), RangeEnd:datetime = datetime(null), VaultSubscriptionList:string=\"*\", VaultLocationList:string=\"*\", VaultList:string=\"*\", VaultTypeList:string=\"*\", ExcludeLegacyEvent:bool=True, BackupSolutionList:string=\"*\", BillingGroupName:string=\"*\"","displayName":"_AzureBackup_GetBillingGroups","description":"Returns a list of all backup-related billing entities along with information on key billing components such as frontend size and total cloud storage","related":{"categories":["Management"],"solutions":["LogManagement"],"tables":["AddonAzureBackupProtectedInstance","AddonAzureBackupStorage","AzureDiagnostics","CoreAzureBackup"]}},{"id":"19551c5e-1e3e-4425-a1d7-c846a0bca2a5","name":"_AzureBackup_GetJobs","body":"// Parameters\r\nlet _RangeStart = iff((isnull(RangeStart)), startofday(ago(1d)), 
startofday(RangeStart));\r\nlet _RangeEnd = iff((isnull(RangeEnd)), startofday(now()), startofday(RangeEnd) + 1d);\r\nlet _VaultSubscriptionList = split(VaultSubscriptionList, ',');\r\nlet _VaultLocationList = split(VaultLocationList, ',');\r\nlet _VaultList = split(VaultList, ',');\r\nlet _VaultTypeList = split(VaultTypeList, ',');\r\nlet _ExcludeLegacyEvent = ExcludeLegacyEvent;\r\nlet _BackupSolutionList = split(BackupSolutionList, ',');\r\nlet _DatasourceSetName = DatasourceSetName;\r\nlet _BackupInstanceName = BackupInstanceName;\r\nlet _JobOperationList = split(JobOperationList, ',');\r\nlet _JobStatusList = split(JobStatusList, ',');\r\nlet _JobFailureCodeList = split(JobFailureCodeList, ',');\r\nlet _ExcludeLog = ExcludeLog;\r\n// Other Vars\r\nlet ExtRangeStart = _RangeStart - 2d;\r\nlet ExtRangeEnd = _RangeEnd + 2d;\r\nlet AsonDay = _RangeEnd-1d;\r\nlet AzureStorageCutoffDate = datetime(6/01/2020, 12:00:00.000 AM);\r\n// HelperFunctions\r\nlet ConvertDataSourceTypeToBackupSolution = (DataSourceType:string)\r\n{\r\n\tiff(DataSourceType == \"Microsoft.DBforPostgreSQL/servers/databases\",\"Azure Database for PostgreSQL Server Backup\",\r\n\tiff(DataSourceType == \"Microsoft.Storage/storageAccounts/blobServices\", \"Azure Blob Backup\",\r\n\tiff(DataSourceType == \"Microsoft.Compute/disks\",\"Azure Disk Backup\",\r\n\tiff(DataSourceType == \"Microsoft.DBforPostgreSQL/flexibleServers\",\"Azure Database for PostgreSQL flexible servers\",\r\n iff(DataSourceType == \"Microsoft.Storage/storageAccounts/adlsBlobServices\",\"Azure Data Lake Storage Backup\",\"\")))))\r\n};\r\nlet Extend_BackupSolution = (T:(BackupManagementType:string, BackupItemType:string))\r\n{\r\nT | extend BackupSolution = iff(BackupManagementType == \"IaaSVM\", \"Azure Virtual Machine Backup\", \r\niff(BackupManagementType == \"MAB\", \"Azure Backup Agent\", \r\niff(BackupManagementType == \"DPM\", \"DPM\", \r\niff(BackupManagementType == \"AzureBackupServer\", \"Azure Backup Server\", 
\r\niff(BackupManagementType == \"AzureStorage\", \"Azure Storage (Azure Files) Backup\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\", \"SQL in Azure VM Backup\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\", \"SAP HANA in Azure VM Backup\",\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\", \"SAP ASE (Sybase) in Azure VM\", \r\niff(BackupItemType == \"AzurePostgres_FlexibleServer\", \"Azure Database for PostgreSQL flexible servers\",\r\niff(BackupItemType == \"AzureDataLakeStorage\", \"Azure Data Lake Storage Backup\",\"\"))))))))))\r\n};\r\nlet Extend_DatasourceType = (T:(BackupManagementType:string, BackupItemType:string))\r\n{\r\nT | extend DatasourceType = iff(BackupManagementType == \"IaaSVM\", \"Microsoft.Compute/virtualMachines\", \r\niff(BackupManagementType == \"MAB\", BackupItemType, \r\niff(BackupManagementType == \"DPM\", iff(BackupItemType == \"SQLDB\",\"SQLDataBase\",BackupItemType), \r\niff(BackupManagementType == \"AzureBackupServer\", iff(BackupItemType == \"SQLDB\",\"SQLDataBase\",BackupItemType), \r\niff(BackupManagementType == \"AzureStorage\", \"Microsoft.Storage/storageAccounts/fileServices/shares\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\", \"SQLDataBase\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\", \"SAPHanaDatabase\",\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\", \"SAPAseDatabase\", \"\"))))))))\r\n};\r\nlet Extend_BackupInstanceId = (T:(ResourceId:string, BackupManagementType:string, BackupItemType:string, ProtectedContainerName:string, BackupItemName:string))\r\n{\r\nT | extend BackupInstanceId = toupper(iff ((BackupManagementType == \"IaaSVM\" and BackupItemType == \"VM\"), strcat(ResourceId,\"/backupFabrics/Azure/protectionContainers/IaasVMContainer;\", 
ProtectedContainerName, \"/protectedItems/VM;\", ProtectedContainerName),\r\niff((BackupManagementType == \"AzureStorage\" and BackupItemType == \"AzureFileShare\"), strcat(ResourceId,\"/backupFabrics/Azure/protectionContainers/StorageContainer;\", ProtectedContainerName, \"/protectedItems/AzureFileShare;\", BackupItemName) , \r\niff((BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\"), strcat(ResourceId,\"/backupFabrics/Azure/protectionContainers/VMAppContainer;\", ProtectedContainerName, \"/protectedItems/SQLDataBase;\", BackupItemName) , \r\niff((BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\"), strcat(ResourceId,\"/backupFabrics/Azure/protectionContainers/VMAppContainer;\", ProtectedContainerName, \"/protectedItems/SAPHanaDatabase;\", BackupItemName),\r\niff((BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\"), strcat(ResourceId,\"/backupFabrics/Azure/protectionContainers/VMAppContainer;\", ProtectedContainerName, \"/protectedItems/SAPAseDatabase;\", BackupItemName), \"\"))))))\r\n};\r\nlet Extend_DatasourceSetResourceId_DatasourceSetType_DatasourceResourceId = (T:(ResourceId:string, ProtectedContainerName:string, BackupManagementType:string, BackupItemType:string, BackupItemUniqueId:string, BackupItemName:string, BackupItemFriendlyName:string))\r\n{\r\nT | extend prefix = array_strcat(array_split(split(ResourceId,\"/\"), 4)[0] ,\"/\")\r\n| extend container_array = split(ProtectedContainerName,\";\")\r\n| extend container_arraylen = array_length(container_array)\r\n| extend containerNameString = iff(container_arraylen == 3, ProtectedContainerName, \"\")\r\n| parse containerNameString with entityType:string \";\" rgName:string \";\" entityName:string\r\n| extend entityURL = iff((BackupManagementType == \"AzureStorage\" and BackupItemType == \"AzureFileShare\"), iff(entityType == \"storage\", \"/Microsoft.Storage/storageAccounts/\", 
\"/Microsoft.ClassicStorage/storageAccounts/\"), iff((BackupManagementType == \"IaaSVM\" and BackupItemType == \"VM\"), iff(entityType =~ \"iaasvmcontainerv2\", \"/Microsoft.Compute/virtualMachines/\", \"/Microsoft.ClassicCompute/virtualMachines/\"), iff(((BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\") or (BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\") or (BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\")), iff(entityType =~ \"compute\", \"/Microsoft.Compute/virtualMachines/\", \"/Microsoft.ClassicCompute/virtualMachines/\"), \"\")))\r\n| extend DatasourceSetResourceId = toupper(iff(BackupManagementType in (\"DPM\", \"AzureBackupServer\", \"MAB\"), \"\" , iff(containerNameString != \"\", strcat(prefix, \"/\", rgName, \"/providers\", entityURL, entityName), \"\")))\r\n//BackupSolution\r\n| extend DatasourceSetType = iff(BackupManagementType == \"IaaSVM\", iff(entityType =~ \"iaasvmcontainerv2\", \"Microsoft.Compute/virtualMachines\", \"Microsoft.ClassicCompute/virtualMachines\"), \r\niff(BackupManagementType == \"MAB\", \"Azure Backup Agent\", \r\niff(BackupManagementType == \"DPM\", \"DPM\", \r\niff(BackupManagementType == \"AzureBackupServer\", \"Azure Backup Server\", \r\niff(BackupManagementType == \"AzureStorage\", iff(entityType == \"storage\", \"Microsoft.Storage/storageAccounts\", \"Microsoft.ClassicStorage/storageAccounts\"), \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\", iff(entityType =~ \"compute\", \"Microsoft.Compute/virtualMachines\", \"Microsoft.ClassicCompute/virtualMachines\"), \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\", iff(entityType =~ \"compute\", \"Microsoft.Compute/virtualMachines\", \"Microsoft.ClassicCompute/virtualMachines\"),\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\", iff(entityType =~ \"compute\", 
\"Microsoft.Compute/virtualMachines\", \"Microsoft.ClassicCompute/virtualMachines\"), \"\"))))))))\r\n| extend DatasourceResourceId = toupper(iff(BackupManagementType in (\"DPM\", \"AzureBackupServer\", \"MAB\"), BackupItemUniqueId, \r\niff(BackupManagementType == \"IaaSVM\", DatasourceSetResourceId, \r\niff(BackupManagementType == \"AzureStorage\", strcat(DatasourceSetResourceId, \"/fileServices/default/shares/\", BackupItemFriendlyName),\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\",iff(DatasourceSetResourceId != \"\",strcat(DatasourceSetResourceId, \"/providers/Microsoft.RecoveryServices/backupProtectedItem/SQLDataBase;\", BackupItemName),\"\"),\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\",iff(DatasourceSetResourceId != \"\",strcat(DatasourceSetResourceId, \"/providers/Microsoft.RecoveryServices/backupProtectedItem/SAPHanaDatabase;\", BackupItemName),\"\"),\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\",iff(DatasourceSetResourceId != \"\",strcat(DatasourceSetResourceId, \"/providers/Microsoft.RecoveryServices/backupProtectedItem/SAPAseDatabase;\", BackupItemName),\"\"),\"\")))))))\r\n| project-away prefix, container_array, container_arraylen, containerNameString, entityURL \r\n};\r\n// Source Tables\r\nlet VaultUnderAzureDiagnostics = ()\r\n{\r\nAzureDiagnostics\r\n// Take records until previous day\r\n| where TimeGenerated >= ExtRangeStart and TimeGenerated = ExtRangeStart and TimeGenerated = ExtRangeStart and TimeGenerated = ExtRangeStart and TimeGenerated = ExtRangeStart and TimeGenerated = ExtRangeStart and TimeGenerated = ExtRangeStart and TimeGenerated = ExtRangeStart and TimeGenerated = ExtRangeStart and TimeGenerated = ExtRangeStart and TimeGenerated = ExtRangeStart and TimeGenerated = _RangeStart and JobStartDateTime = ExtRangeStart and TimeGenerated = _RangeStart and JobStartDateTime = _RangeStart and TimeGenerated = 
_RangeStart and TimeGenerated 1d))\r\n| project UniqueId, OperationCategory, Operation,BackupInstanceFriendlyName, Status, ErrorTitle, StartTime, DurationInSecs, DataTransferredInMBs, RestoreJobRPDateTime, RestoreJobRPLocation, BackupInstanceUniqueId, BackupInstanceId, DatasourceResourceId, DatasourceFriendlyName, DatasourceType, BackupSolution, DatasourceSetResourceId, DatasourceSetType,DatasourceSetFriendlyName, VaultResourceId, VaultUniqueId, VaultName, VaultTags, VaultSubscriptionId, VaultLocation, VaultStore_StorageReplicationType, ArchiveStore_StorageReplicationType, VaultType, TimeGenerated\r\n};\r\nlet FinalTable_Reporting = ()\r\n{\r\nunion (FinalTable_DPP |where \"Microsoft.DataProtection/backupVaults\" in~ (_VaultTypeList) or '*' in (_VaultTypeList)), (FinalTable_V1Vault | where \"Microsoft.RecoveryServices/vaults\" in~ (_VaultTypeList) or '*' in (_VaultTypeList))\r\n};\r\nFinalTable_Reporting","parameters":"RangeStart:datetime = datetime(null), RangeEnd:datetime = datetime(null), VaultSubscriptionList:string=\"*\", VaultLocationList:string=\"*\", VaultList:string=\"*\", VaultTypeList:string=\"*\", ExcludeLegacyEvent:bool=True, BackupSolutionList:string=\"*\", JobOperationList:string=\"*\", JobStatusList:string=\"*\", JobFailureCodeList:string=\"*\", DatasourceSetName:string=\"*\", BackupInstanceName:string=\"*\", ExcludeLog:bool=True","displayName":"_AzureBackup_GetJobs","description":"Returns a list of all backup and restore related jobs that were triggered in a specified time range, along with detailed information about each job, such as job status, job duration, data transferred, etc.","related":{"categories":["Management"],"solutions":["LogManagement"],"tables":["AddonAzureBackupJobs","AddonAzureBackupPolicy","AzureDiagnostics","CoreAzureBackup"]}},{"id":"19551c5e-1e3e-4425-a1d7-c846a0bca2a6","name":"_AzureBackup_GetBackupInstancesTrends","body":"// Params\r\nlet _RangeStart = iff((isnull(RangeStart)), startofday(ago(1d)), 
startofday(RangeStart));\r\nlet _RangeEnd = iff((isnull(RangeEnd)), startofday(now()), startofday(RangeEnd) + 1d);\r\nlet _VaultSubscriptionList = split(VaultSubscriptionList, ',');\r\nlet _VaultLocationList = split(VaultLocationList, ',');\r\nlet _VaultList = split(VaultList, ',');\r\nlet _VaultTypeList = split(VaultTypeList, ',');\r\nlet _ExcludeLegacyEvent = ExcludeLegacyEvent;\r\nlet _BackupSolutionList = split(BackupSolutionList, ',');\r\nlet _ProtectionInfoList = split(ProtectionInfoList, ',');\r\nlet _DatasourceSetName = DatasourceSetName;\r\nlet _BackupInstanceName = BackupInstanceName;\r\nlet _DisplayAllFields = DisplayAllFields;\r\nlet _AggregationType = AggregationType;\r\n// Other Vars\r\nlet AsonDay = _RangeEnd-1d;\r\nlet AzureStorageCutoffDate = datetime(6/01/2020, 12:00:00.000 AM);\r\n// HelperFunctions\r\nlet ConvertDataSourceTypeToBackupSolution = (DataSourceType:string)\r\n{\r\n\tiff(DataSourceType == \"Microsoft.DBforPostgreSQL/servers/databases\",\"Azure Database for PostgreSQL Server Backup\",\r\n\tiff(DataSourceType == \"Microsoft.Storage/storageAccounts/blobServices\", \"Azure Blob Backup\",\r\n\tiff(DataSourceType == \"Microsoft.Compute/disks\",\"Azure Disk Backup\",\r\n\tiff(DataSourceType == \"Microsoft.DBforPostgreSQL/flexibleServers\",\"Azure Database for PostgreSQL flexible servers\",\r\n\tiff(DataSourceType == \"Microsoft.Storage/storageAccounts/adlsBlobServices\",\"Azure Data Lake Storage Backup\",\"\")))))\r\n};\r\nlet ConvertBackupItemProtectionStateToProtectionInfo = (ProtectionState:string)\r\n{\r\n\tiff(ProtectionState == \"ProtectionConfigured\", \"Protected\", iff(ProtectionState == \"ConfiguringProtection\", \"ConfiguringProtection\", iff(ProtectionState == \"ConfiguringProtectionFailed\", \"ConfiguringProtectionFailed\", iff(ProtectionState == \"UpdatingProtection\", \"UpdatingProtection\", iff(ProtectionState == \"ProtectionError\", \"ProtectionError\", iff(ProtectionState == \"ProtectionStopped\", \"ProtectionStopped\", 
iff(ProtectionState == \"BackupsSuspended\", \"ProtectionStopped\", iff(ProtectionState == \"SoftDeleted\", \"ProtectionStopped\",\"\"))))))))\r\n};\r\nlet Extend_BackupSolution = (T:(BackupManagementType:string, BackupItemType:string))\r\n{\r\nT | extend BackupSolution = iff(BackupManagementType == \"IaaSVM\", \"Azure Virtual Machine Backup\", \r\niff(BackupManagementType == \"MAB\", \"Azure Backup Agent\", \r\niff(BackupManagementType == \"DPM\", \"DPM\", \r\niff(BackupManagementType == \"AzureBackupServer\", \"Azure Backup Server\", \r\niff(BackupManagementType == \"AzureStorage\", \"Azure Storage (Azure Files) Backup\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\", \"SQL in Azure VM Backup\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\", \"SAP HANA in Azure VM Backup\",\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\", \"SAP ASE (Sybase) in Azure VM\",\r\niff(BackupItemType == \"AzurePostgres_FlexibleServer\", \"Azure Database for PostgreSQL flexible servers\",\r\niff(BackupItemType == \"AzureDataLakeStorage\", \"Azure Data Lake Storage Backup\",\"\"))))))))))\r\n};\r\nlet Extend_DatasourceType = (T:(BackupManagementType:string, BackupItemType:string))\r\n{\r\nT | extend DatasourceType = iff(BackupManagementType == \"IaaSVM\", \"Microsoft.Compute/virtualMachines\", \r\niff(BackupManagementType == \"MAB\", BackupItemType, \r\niff(BackupManagementType == \"DPM\", iff(BackupItemType == \"SQLDB\",\"SQLDataBase\",BackupItemType), \r\niff(BackupManagementType == \"AzureBackupServer\", iff(BackupItemType == \"SQLDB\",\"SQLDataBase\",BackupItemType), \r\niff(BackupManagementType == \"AzureStorage\", \"Microsoft.Storage/storageAccounts/fileServices/shares\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\", \"SQLDataBase\", \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == 
\"SAPHanaDatabase\", \"SAPHanaDatabase\",\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\", \"SAPAseDatabase\",\r\niff(BackupItemType == \"AzurePostgres_FlexibleServer\", \"Microsoft.DBforPostgreSQL/flexibleServers\",\r\niff(BackupItemType == \"AzureDataLakeStorage\", \"Microsoft.Storage/storageAccounts/adlsBlobServices\",\"\"))))))))))\r\n};\r\nlet Extend_BackupInstanceId = (T:(ResourceId:string, BackupManagementType:string, BackupItemType:string, ProtectedContainerName:string, BackupItemName:string))\r\n{\r\nT | extend BackupInstanceId = toupper(iff ((BackupManagementType == \"IaaSVM\" and BackupItemType == \"VM\"), strcat(ResourceId,\"/backupFabrics/Azure/protectionContainers/IaasVMContainer;\", ProtectedContainerName, \"/protectedItems/VM;\", ProtectedContainerName),\r\niff((BackupManagementType == \"AzureStorage\" and BackupItemType == \"AzureFileShare\"), strcat(ResourceId,\"/backupFabrics/Azure/protectionContainers/StorageContainer;\", ProtectedContainerName, \"/protectedItems/AzureFileShare;\", BackupItemName) , \r\niff((BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\"), strcat(ResourceId,\"/backupFabrics/Azure/protectionContainers/VMAppContainer;\", ProtectedContainerName, \"/protectedItems/SQLDataBase;\", BackupItemName) , \r\niff((BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\"), strcat(ResourceId,\"/backupFabrics/Azure/protectionContainers/VMAppContainer;\", ProtectedContainerName, \"/protectedItems/SAPHanaDatabase;\", BackupItemName),\r\niff((BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\"), strcat(ResourceId,\"/backupFabrics/Azure/protectionContainers/VMAppContainer;\", ProtectedContainerName, \"/protectedItems/SAPAseDatabase;\", BackupItemName), \"\"))))))\r\n};\r\nlet Extend_DatasourceSetResourceId_DatasourceSetType_DatasourceResourceId = (T:(ResourceId:string, ProtectedContainerName:string, 
BackupManagementType:string, BackupItemType:string, BackupItemUniqueId:string, BackupItemName:string, BackupItemFriendlyName:string))\r\n{\r\nT | extend prefix = array_strcat(array_split(split(ResourceId,\"/\"), 4)[0] ,\"/\")\r\n| extend container_array = split(ProtectedContainerName,\";\")\r\n| extend container_arraylen = array_length(container_array)\r\n| extend containerNameString = iff(container_arraylen == 3, ProtectedContainerName, \"\")\r\n| parse containerNameString with entityType:string \";\" rgName:string \";\" entityName:string\r\n| extend entityURL = iff((BackupManagementType == \"AzureStorage\" and BackupItemType == \"AzureFileShare\"), iff(entityType == \"storage\", \"/Microsoft.Storage/storageAccounts/\", \"/Microsoft.ClassicStorage/storageAccounts/\"), iff((BackupManagementType == \"IaaSVM\" and BackupItemType == \"VM\"), iff(entityType =~ \"iaasvmcontainerv2\", \"/Microsoft.Compute/virtualMachines/\", \"/Microsoft.ClassicCompute/virtualMachines/\"), iff(((BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\") or (BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\") or (BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\")), iff(entityType =~ \"compute\", \"/Microsoft.Compute/virtualMachines/\", \"/Microsoft.ClassicCompute/virtualMachines/\"), \"\")))\r\n| extend DatasourceSetResourceId = toupper(iff(BackupManagementType in (\"DPM\", \"AzureBackupServer\", \"MAB\"), \"\" , iff(containerNameString != \"\", strcat(prefix, \"/\", rgName, \"/providers\", entityURL, entityName), \"\")))\r\n//BackupSolution\r\n| extend DatasourceSetType = iff(BackupManagementType == \"IaaSVM\", iff(entityType =~ \"iaasvmcontainerv2\", \"Microsoft.Compute/virtualMachines\", \"Microsoft.ClassicCompute/virtualMachines\"), \r\niff(BackupManagementType == \"MAB\", \"Azure Backup Agent\", \r\niff(BackupManagementType == \"DPM\", \"DPM\", \r\niff(BackupManagementType == 
\"AzureBackupServer\", \"Azure Backup Server\", \r\niff(BackupManagementType == \"AzureStorage\", iff(entityType == \"storage\", \"Microsoft.Storage/storageAccounts\", \"Microsoft.ClassicStorage/storageAccounts\"), \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\", iff(entityType =~ \"compute\", \"Microsoft.Compute/virtualMachines\", \"Microsoft.ClassicCompute/virtualMachines\"), \r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\", iff(entityType =~ \"compute\", \"Microsoft.Compute/virtualMachines\", \"Microsoft.ClassicCompute/virtualMachines\"),\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\", iff(entityType =~ \"compute\", \"Microsoft.Compute/virtualMachines\", \"Microsoft.ClassicCompute/virtualMachines\"), \"\"))))))))\r\n| extend DatasourceResourceId = toupper(iff(BackupManagementType in (\"DPM\", \"AzureBackupServer\", \"MAB\"), BackupItemUniqueId, \r\niff(BackupManagementType == \"IaaSVM\", DatasourceSetResourceId, \r\niff(BackupManagementType == \"AzureStorage\", strcat(DatasourceSetResourceId, \"/fileServices/default/shares/\", BackupItemFriendlyName),\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SQLDataBase\",iff(DatasourceSetResourceId != \"\",strcat(DatasourceSetResourceId, \"/providers/Microsoft.RecoveryServices/backupProtectedItem/SQLDataBase;\", BackupItemName),\"\"),\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPHanaDatabase\",iff(DatasourceSetResourceId != \"\",strcat(DatasourceSetResourceId, \"/providers/Microsoft.RecoveryServices/backupProtectedItem/SAPHanaDatabase;\", BackupItemName),\"\"),\r\niff(BackupManagementType == \"AzureWorkload\" and BackupItemType == \"SAPAseDatabase\",iff(DatasourceSetResourceId != \"\",strcat(DatasourceSetResourceId, \"/providers/Microsoft.RecoveryServices/backupProtectedItem/SAPAseDatabase;\", BackupItemName),\"\"),\"\")))))))\r\n| 
project-away prefix, container_array, container_arraylen, containerNameString, entityURL \r\n};\r\n// Source Tables\r\nlet VaultUnderAzureDiagnostics = ()\r\n{\r\nAzureDiagnostics\r\n// Take records until previous day\r\n| where TimeGenerated >= _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated = _RangeStart and TimeGenerated 0)\r\n| join kind= leftanti (LatestProtectedContainerHistoryInfoTableExcludingDPMVMs ) on ProtectedContainerUniqueId, TimeRangeEndDay\r\n| project ProtectedContainerUniqueId, BackupManagementType, ResourceId, TimeGenerated, ProtectedInstanceCount, 
TimeRangeEndDay)\r\n| join (\r\nunion isfuzzy = true \r\n(ProtectedContainerUnderAzureDiagnostics() | where _ExcludeLegacyEvent == false),\r\n(ProtectedContainerUnderResourceSpecific())\r\n| where BackupManagementType in (\"DPM\",\"AzureBackupServer\")\r\n| where isempty(_BillingGroupName) or _BillingGroupName == \"*\" or ProtectedContainerFriendlyName contains (_BillingGroupName)\r\n| summarize arg_max(TimeGenerated, *) by ProtectedContainerUniqueId)\r\n on ProtectedContainerUniqueId\r\n // BackupItemFrontEndSize and StorageConsumed will be 0.0 as the same will be calculated at cluster level \r\n // As it is DPM or AzureBackupServer, no extra handling needed for AzureWorkload\r\n // Ideally the TimeGenerated field should come from BackupItem/ProtectedContainer. This is a special case and we are getting the container properties from latest table and not from history table.\r\n| project TimeRangeEndDay, TimeGenerated, ProtectedInstanceCount, BackupItemFrontEndSize = 0.0, StorageConsumedInMBs = 0.0, BackupManagementType, CustomBackupManagementType = BackupManagementType, \r\nBackupSolution = iff(BackupManagementType == \"AzureBackupServer\", \"Azure Backup Server\", \"DPM\"), BillingGroupType = \"DatasourceSet\", BillingGroupFriendlyName = ProtectedContainerFriendlyName, \r\n BillingGroupUniqueId = ProtectedContainerUniqueId, BillingGroupName = ProtectedContainerName, ProtectedContainerName, VaultUniqueId, VaultName, VaultTags, SubscriptionId, ResourceGroupName, AzureDataCenter, StorageReplicationType, ResourceId\r\n};\r\nlet ProtectedInstanceHistoryMetric = ( )\r\n{ union \r\n(LatestProtectedInstanceHistoryTableFromProtectedContainerUniqueId()),\r\n(LatestProtectedInstanceHistoryTableFromBackupItemUniqueId()),\r\n(LatestProtectedInstanceHistoryTableFromDPMNodeProtectedContainerUniqueId)\r\n| where BackupSolution in~ (_BackupSolutionList) or '*' in (_BackupSolutionList)\r\n| project CustomBackupManagementType, BackupItemFrontEndSize, StorageConsumedInMBs, 
BillingGroupUniqueId, BillingGroupFriendlyName, BillingGroupName, ProtectedInstanceCount, BillingGroupType, TimeRangeEndDay, TimeGenerated, BackupManagementType, BackupSolution, ProtectedContainerName, VaultUniqueId, VaultName, VaultTags, SubscriptionId, ResourceGroupName, AzureDataCenter, StorageReplicationType, ResourceId\r\n};\r\nlet FinalTable = () {ProtectedInstanceHistoryMetric\r\n};\r\n// Display Tweaks for AFS and null ProtectedInstanceCount\r\n// Billing Entity is at BackupManagementType level and not at DS level. \r\nlet FinalTable_V1Vault = () {FinalTable\r\n| project CustomBackupManagementType, BackupManagementType, BackupSolution, ProtectedInstanceCount = iff(isempty(ProtectedInstanceCount), 0.0 ,todouble(ProtectedInstanceCount)/10), StorageConsumedInMBs = iff(isempty(StorageConsumedInMBs), todouble(0), todouble(StorageConsumedInMBs)), BackupItemFrontEndSize = iff(isempty(BackupItemFrontEndSize), todouble(0), todouble(BackupItemFrontEndSize)), BillingGroupUniqueId, BillingGroupType, BillingGroupName, BillingGroupFriendlyName, VaultUniqueId, VaultName, VaultTags, SubscriptionId, ResourceGroupName, AzureDataCenter, ResourceId, StorageReplicationType, ProtectedContainerName, TimeGenerated\r\n| project UniqueId = BillingGroupUniqueId, Name = BillingGroupName, Type = BillingGroupType, FriendlyName = BillingGroupFriendlyName, SourceSizeInMBs = BackupItemFrontEndSize, ExtendedProperties = pack(\"ProtectedInstanceCount\", ProtectedInstanceCount), VaultStore_StorageConsumptionInMBs = StorageConsumedInMBs, BackupSolution, VaultUniqueId, VaultName, VaultResourceId = ResourceId, VaultSubscriptionId = SubscriptionId, VaultLocation = AzureDataCenter, VaultStore_StorageReplicationType = StorageReplicationType, VaultTags, VaultType = \"Microsoft.RecoveryServices/vaults\", TimeGenerated};\r\n// FinalTable_DPPVault to be added later\r\nlet BillingGroupTrendsUnderResourceSpecificForDPP = ()\r\n{\r\nAddonAzureBackupProtectedInstance\r\n// Take records until previous 
day\r\n| where TimeGenerated >= _RangeStart and TimeGenerated __."},{"name":"AuditClassId","type":"real","description":"The AuditClassId is a numeric identifier used to classify different types of audit events in SAP. It helps group similar events together and is used in various transactions and reports to provide information about audit events and to help with auditing and compliance requirements."},{"name":"MonitoringObjectName","type":"string","description":"The MonitoringObjectName is the name of the object being monitored by a specific monitoring activity. It is used in various SAP monitoring tools and reports to provide information about the status and performance of the monitored object."},{"name":"SalDateChar8","type":"string","description":"The SalDateChar8 is the date the event occurred, in char8 format (yyyyMMdd), e.g. 20190101."},{"name":"SalTimeChar6","type":"string","description":"The SalTimeChar6 is the time the event occurred, in char6 format (hhMMss), e.g. 110804."},{"name":"MonitorShortName","type":"string","description":"The MonitorShortName is the short name of the MTE (Monitoring Tree Element) in which the alert occurred."},{"name":"MessageId","type":"string","description":"The MessageId is a unique identifier for a specific message or log entry used to identify and track messages and log entries within an SAP system."},{"name":"MessageText","type":"string","description":"The MessageText is the text of a specific message or log entry. 
It provides information about the event or issue that is being logged and is used in various SAP transactions and reports to provide context and details about specific messages or log entries."},{"name":"MessageClass","type":"string","description":"The MessageClass is a grouping or category for specific messages or log entries used to organize and classify messages and log entries within an SAP system."},{"name":"MessageContainerId","type":"string","description":"The MessageContainerId is a unique identifier for a specific message container, which is a logical grouping of related messages or log entries within an SAP system."},{"name":"AlertValue","type":"real","description":"The AlertValue represents the importance of the message of a log attribute, characterized by color and severity."},{"name":"AlertSeverity","type":"real","description":"The AlertSeverity is a number between 0 and 255; the larger the number, the greater the severity."},{"name":"AlertSeverityText","type":"string","description":"The AlertSeverityText refers to the text description associated with a specific alert or notification severity level. It provides a detailed explanation of the severity level and is used in various SAP transactions and reports."},{"name":"User","type":"string","description":"The User who performed a specific event or activity."},{"name":"TransactionCode","type":"string","description":"The TransactionCode is a unique identifier for a specific SAP transaction used to identify and execute a specific transaction within the SAP system. It is typically a four-character alphanumeric code and can be used in various SAP transactions and reports."},{"name":"AbapProgramName","type":"string","description":"The AbapProgramName is a four-character alphanumeric code that is used to identify a specific program within the SAP system."},{"name":"SapProcessType","type":"string","description":"The SapProcessType refers to the type of process that is being executed within the SAP system. 
This can include various types of processes such as background jobs, dialog processes, or update processes."},{"name":"SapWorkProcessName","type":"string","description":"The SapWorkProcessName refers to the name of a specific work process within the SAP system used to identify and monitor specific work processes. It is typically a unique alphanumeric code."},{"name":"Email","type":"string","description":"The Email refers to the email address associated with a specific user. It is used to identify the user via email within the SAP system."},{"name":"Host","type":"string","description":"The Host refers to the name of the computer or server on which the SAP system is running. It is used to identify and locate the SAP system within a network."},{"name":"Computer","type":"string","description":"The Computer refers to the name or IP address of the user's machine. It is used to identify the machine from which a specific activity or event was performed."},{"name":"SalIpAddress","type":"string","description":"The SALIpAddress refers to the IP address associated with a specific user or system that generated a specific log entry."},{"name":"TerminalIpV6","type":"string","description":"The TerminalIPv6 refers to the IPv6 address associated with the user's terminal or device. 
It is used to identify the location and origin of specific activities or events performed by the user within the SAP system."},{"name":"Variable1","type":"string","description":"The Variable1 used by the SAP system for additional information regarding the event or activity that was performed."},{"name":"Variable2","type":"string","description":"The Variable2 used by the SAP system for additional information regarding the event or activity that was performed."},{"name":"Variable3","type":"string","description":"The Variable3 used by the SAP system for additional information regarding the event or activity that was performed."},{"name":"Variable4","type":"string","description":"The Variable4 used by the SAP system for additional information regarding the event or activity that was performed."},{"name":"SystemRole","type":"string","description":"The SAP system's role."},{"name":"SystemUniqueId","type":"string","description":"Unique system identifier."},{"name":"AgentId","type":"string","description":"Unique agent or integration suite identifier."},{"name":"RemoteIpLongitude","type":"real","description":"The Longitude of the TerminalIpV6 according to the GEO information at the time of the record ingestion."},{"name":"RemoteIpLatitude","type":"real","description":"The Latitude of the TerminalIpV6 according to the GEO information at the time of the record ingestion."},{"name":"RemoteIpCountry","type":"string","description":"The country of the TerminalIpV6 according to the GEO information at the time of the record ingestion."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["180e9e53-1653-4483-aab8-9f55725e8a63","e0b79a1a-edf7-4a0e-9ed4-8a0ae14d3a85"]}},{"id":"ABAPAuthorizationDetails","name":"ABAPAuthorizationDetails","tableType":"Microsoft","description":"SAP authorizations details per role.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was generated"},{"name":"Role","type":"string","description":"The SAP role name."},{"name":"RoleType","type":"string","description":"Single or composite role"},{"name":"UpdatedOn","type":"datetime","description":"The date and time when the role was last updated."},{"name":"TypeOfChange","type":"string","description":"I and J for insert, U for update, D and E for deletion."},{"name":"Authorization","type":"string","description":"The authorization identifier."},{"name":"AuthorizationGroup","type":"string","description":"The authorization group."},{"name":"Object","type":"string","description":"The authorization object name."},{"name":"Field","type":"string","description":"The authorization field name."},{"name":"Low","type":"string","description":"The low value of the authorization field."},{"name":"High","type":"string","description":"The high value of the authorization field."},{"name":"ChildRole","type":"string","description":"The child role name, if the role is a composite one."},{"name":"SystemId","type":"string","description":"The SystemId is a unique identifier for a specific SAP system. It is a three-character alphanumeric code that is used to distinguish between different SAP systems."},{"name":"ClientId","type":"string","description":"The ClientId is a three-digit number that identifies a specific client within an SAP system. 
The ClientId is used in various SAP transactions and configuration settings to identify the client and ensure that the correct client is being accessed or configured."},{"name":"SystemRole","type":"string","description":"The SAP system's role."},{"name":"SystemUniqueId","type":"string","description":"Unique system identifier."},{"name":"AgentId","type":"string","description":"Unique agent or integration suite identifier."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"ABAPChangeDocsLog","name":"ABAPChangeDocsLog","tableType":"Microsoft","description":"SAP NetWeaver Application Server ABAP logs changes to business data objects in change documents. This table stores information about the changes made to business objects, including the user who made the change, the date and time of the change, and the type of change that was made.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was generated."},{"name":"UpdatedOn","type":"datetime","description":"The date and time when the event occurred in the SAP system, in UTC."},{"name":"SystemId","type":"string","description":"The SystemId is a unique identifier for a specific SAP system. It is a three-character alphanumeric code that is used to distinguish between different SAP systems."},{"name":"SystemNumber","type":"string","description":"The SystemNumber is a two-digit number that identifies a specific SAP system. It is set during the installation of an SAP system and cannot be changed afterwards. 
The SystemNumber is used in various SAP transactions and configuration settings to identify the system and ensure that the correct system is being accessed or configured."},{"name":"ClientId","type":"string","description":"The ClientId is a three-digit number that identifies a specific client within an SAP system. The ClientId is used in various SAP transactions and configuration settings to identify the client and ensure that the correct client is being accessed or configured."},{"name":"Instance","type":"string","description":"The Instance refers to a specific installation of an SAP system on a server. An SAP system can have multiple instances running on the same server, each with its own set of processes and resources. The Instance is identified by a unique name that is set during the installation of the SAP system, following syntax: __."},{"name":"User","type":"string","description":"The User who performed the specific event or activity."},{"name":"SystemRole","type":"string","description":"The SAP system's role."},{"name":"SystemUniqueId","type":"string","description":"Unique system identifier."},{"name":"AgentId","type":"string","description":"Unique agent or integration suite identifier."},{"name":"ActualChangeNumber","type":"string","description":"Actual change number."},{"name":"ChangedTableKey","type":"string","description":"Changed table key."},{"name":"ChangeNumber","type":"string","description":"Document change number."},{"name":"CreatedFromPlannedChange","type":"string","description":"Whether the change document was created from a planned change; possible values are 'X' (set) or ' ' (not set)."},{"name":"CurrencyKeyNew","type":"string","description":"Currency key: new value."},{"name":"CurrencyKeyOld","type":"string","description":"Currency key: old value."},{"name":"FieldName","type":"string","description":"Field name."},{"name":"FlagText","type":"string","description":"Flag text."},{"name":"Language","type":"string","description":"Document 
language."},{"name":"ObjectClass","type":"string","description":"Object class, such as BELEG, BPAR, PFCG, IDENTITY."},{"name":"ObjectId","type":"string","description":"Object ID."},{"name":"PlannedChangeNumber","type":"string","description":"Planned change number."},{"name":"TableName","type":"string","description":"Table name."},{"name":"TransactionCode","type":"string","description":"Transaction code."},{"name":"HeaderTypeOfChange","type":"string","description":"Header type of change, including: U = Change; I = Insert; E = Delete Single Docu; D = Delete; J = Insert Single Docu."},{"name":"ItemTypeOfChange","type":"string","description":"Item type of change, including: U = Change; I = Insert; E = Delete Single Docu; D = Delete; J = Insert Single Docu."},{"name":"UOMNew","type":"string","description":"Unit of measure: new value."},{"name":"UOMOld","type":"string","description":"Unit of measure: old value."},{"name":"ValueNew","type":"string","description":"Field content: new value."},{"name":"ValueOld","type":"string","description":"Field content: old value."},{"name":"Version","type":"string","description":"Document change version."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"ABAPTableDataLog","name":"ABAPTableDataLog","tableType":"Microsoft","description":"SAP NetWeaver Application Server ABAP logs changes to tables. 
This log stores information about the changes made to tables for which table logging is enabled (only those tables appear in this log), including the user who made the change, the date and time of the change, and the type of change that was made.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was generated."},{"name":"UpdatedOn","type":"datetime","description":"The date and time when the event occurred in the SAP system, in UTC."},{"name":"SystemId","type":"string","description":"The SystemId is a unique identifier for a specific SAP system. It is a three-character alphanumeric code that is used to distinguish between different SAP systems."},{"name":"SystemNumber","type":"string","description":"The SystemNumber is a two-digit number that identifies a specific SAP system. It is set during the installation of an SAP system and cannot be changed afterwards. The SystemNumber is used in various SAP transactions and configuration settings to identify the system and ensure that the correct system is being accessed or configured."},{"name":"Instance","type":"string","description":"The Instance refers to a specific installation of an SAP system on a server. An SAP system can have multiple instances running on the same server, each with its own set of processes and resources. The Instance is identified by a unique name that is set during the installation of the SAP system, following syntax: __."},{"name":"ClientId","type":"string","description":"The ClientId is a three-digit number that identifies a specific client within an SAP system. 
The ClientId is used in various SAP transactions and configuration settings to identify the client and ensure that the correct client is being accessed or configured."},{"name":"User","type":"string","description":"The User who performed the specific event or activity."},{"name":"SystemRole","type":"string","description":"The SAP system's role."},{"name":"SystemUniqueId","type":"string","description":"Unique system identifier."},{"name":"AgentId","type":"string","description":"Unique agent or integration suite identifier."},{"name":"DBLogId","type":"string","description":"The unique identifier of the database log."},{"name":"LogKey","type":"string","description":"The unique identifier of the log key."},{"name":"Host","type":"string","description":"The hostname of the SAP system."},{"name":"TransactionCode","type":"string","description":"The transaction code of the event."},{"name":"Program","type":"string","description":"The program that was executed."},{"name":"OperationTypeSQL","type":"string","description":"The type of operation that was performed, such as insert, update and delete."},{"name":"VersionNumber","type":"string","description":"The version number of the event."},{"name":"Language","type":"string","description":"The language of the event."},{"name":"TableName","type":"string","description":"The name of the table that produced the change."},{"name":"TableField","type":"string","description":"The field of the table that produced the change."},{"name":"OldValue","type":"string","description":"The old value of the field."},{"name":"NewValue","type":"string","description":"The new value of the field."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"ABAPUserDetails","name":"ABAPUserDetails","tableType":"Microsoft","description":"SAP User 
details, such as roles and profiles assigned.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was sent to Sentinel."},{"name":"User","type":"string","description":"SAP User."},{"name":"UserGroup","type":"string","description":"SAP User group."},{"name":"Email","type":"string","description":"Email address."},{"name":"UserType","type":"string","description":"User Type (dialog, system)."},{"name":"Timezone","type":"string","description":"User default Time zone."},{"name":"LockedStatus","type":"string","description":"Locked status: 0: Not Locked, 32: Locked Globally By Administrator, 64: Locked Locally By Administrator, 128: Locked Due To Incorrect Logons."},{"name":"LastSeen","type":"datetime","description":"User last logon."},{"name":"CreatedOn","type":"datetime","description":"Day on which user was created."},{"name":"ChangedOn","type":"datetime","description":"Date and time when the user record was last changed."},{"name":"ValidityDate","type":"datetime","description":"Last day on which the user is allowed to log in."},{"name":"LastChangedBy","type":"string","description":"User who last changed this user record."},{"name":"Profiles","type":"dynamic","description":"List of profiles generated for the user."},{"name":"Roles","type":"dynamic","description":"List of roles assigned to user."},{"name":"SystemId","type":"string","description":"The SystemId is a unique identifier for a specific SAP system. It is a three-character alphanumeric code that is used to distinguish between different SAP systems."},{"name":"ClientId","type":"string","description":"The ClientId is a three-digit number that identifies a specific client within an SAP system. 
The ClientId is used in various SAP transactions and configuration settings to identify the client and ensure that the correct client is being accessed or configured."},{"name":"SystemRole","type":"string","description":"The SAP system's role."},{"name":"SystemUniqueId","type":"string","description":"Unique system identifier."},{"name":"AgentId","type":"string","description":"Unique agent or integration suite identifier."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"ABSBotRequests","name":"ABSBotRequests","tableType":"Microsoft","description":"Logs of requests made by Azure Bot Service on behalf of a bot, such as requests from a channel to the bot and to other dependencies.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with the log record."},{"name":"CorrelationId","type":"string","description":"The ID for the correlated events. Can be used to identify correlated events between multiple tables."},{"name":"Category","type":"string","description":"Classification of the log."},{"name":"Location","type":"string","description":"Location of the service sending the log (Azure region name e.g. 
West US)."},{"name":"Level","type":"string","description":"log level of message such as Information, Warning, Error, etc."},{"name":"BotId","type":"string","description":"Name of the bot or the bot handle."},{"name":"ResultCode","type":"int","description":"HTTP request response code."},{"name":"Channel","type":"string","description":"Name of the Channel generating the log such as Direct Line, MS Teams, Facebook, etc."},{"name":"DurationMs","type":"real","description":"Duration of the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.botservice/botservices"],"solutions":["LogManagement"],"queries":["64f87548-08b9-4b7a-83af-c05315d36666","8b407dc8-15eb-4ab6-8ddc-b9fa4d71ea0a","bc1ef3cf-7f5d-4516-9464-3d192bddce3b","60f51b61-07de-4bd5-a0ee-e0d9cf82d340","10fc7fcb-95db-4b92-aeb7-36e8fdec7d31","b8e80791-6507-423b-8cba-0e0b320af1c3","fec44dbd-94cd-4dab-8c68-0b0b64c256de","599d9097-d85c-44a3-8284-55e525590f20","599d9097-d85c-44a3-8284-55e525590f21","599d9097-d85c-44a3-8284-55e525590f23","599d9097-d85c-44a3-8284-55e525590f24","599d9097-d85c-44a3-8284-55e525590f25","599d9097-d85c-44a3-8284-55e525534f97"]}},{"id":"ACICollaborationAudit","name":"ACICollaborationAudit","tableType":"Microsoft","description":"Audits of collaborative resources approval and access during pipeline execution.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the audit was 
generated."},{"name":"OperationName","type":"string","description":"The operation associated with the audit record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated pipeline run events. Can be used to identify audits that belong to the same pipeline run."},{"name":"EntitlementResult","type":"string","description":"The result of the entitlement evaluation. Options are: Granted = access was granted; Denied = access was not granted; Revoked = access was revoked because the pipeline could not be fully approved; Actualized = the resource was actually accessed by the pipeline run."},{"name":"TargetResourceId","type":"string","description":"The Azure resource ID of the accessed resource."},{"name":"TargetResourceType","type":"string","description":"The resource type of the accessed resource."},{"name":"ParticipantName","type":"string","description":"The participant friendly name as used in the contract negotiation."},{"name":"ParticipantTenantId","type":"string","description":"The participant tenant ID. Enables querying by the granted tenant's invariant ID. Example of retrieving this for contoso: https://login.microsoftonline.com/contoso.com/.well-known/openid-configuration"},{"name":"UserName","type":"string","description":"Name of the user that initiated the pipeline. Available only if the audit relates to an owned resource."},{"name":"GrantType","type":"string","description":"The method used to grant access to the resource (Owned, Reference, Entitlement)."},{"name":"GrantSource","type":"string","description":"The Azure resource ID of the resource the grant is based on."},{"name":"GrantSourceType","type":"string","description":"The type of the resource the grant is based on."},{"name":"GrantCorrelationId","type":"string","description":"The ID for the grant events. 
Can be used to correlate between different results of the same grant."},{"name":"EntitlementSummary","type":"string","description":"Textual summary of the granted access."},{"name":"ReferencedResourceId","type":"string","description":"The storage resource that the accessed CI resource points to, if applicable"},{"name":"ReferencedResourceType","type":"string","description":"The storage resource type that the accessed CI resource points to, if applicable."},{"name":"Location","type":"string","description":"The Location (Region) the resource was accessed in."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.datacollaboration/workspaces"],"solutions":["LogManagement"],"queries":["3eb92137-5019-4eb0-8a01-7480256befea","bc25e051-3518-4aa2-9493-2dc1abf176b1","acd263c0-a5a3-42cd-af74-d12df6f577e3","1c7e3db4-ce89-43b3-a951-b7948e6f4874"]}},{"id":"ACLTransactionLogs","name":"ACLTransactionLogs","tableType":"Microsoft","description":"Logs related to transactions.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"Level","type":"string","description":"An error or informational message indicating if the service processed the request."},{"name":"Message","type":"string","description":"The Log message."},{"name":"File","type":"string","description":"The file name that generated the log 
message."},{"name":"Location","type":"string","description":"The Azure datacenter region where the pod is deployed."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.confidentialledger/ledgers"],"solutions":["LogManagement"],"queries":["e159f354-4be5-40de-90cc-0152553aca5a"]}},{"id":"ACLUserDefinedLogs","name":"ACLUserDefinedLogs","tableType":"Microsoft","description":"Logs related to User Defined Functions and User Defined Endpoints.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"Level","type":"string","description":"An error or informational message indicating if the service processed the request."},{"name":"Message","type":"string","description":"The Log message."},{"name":"File","type":"string","description":"The file name that generated the log message."},{"name":"Location","type":"string","description":"The Azure datacenter region where the pod is deployed."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","audit","applications"],"resourceTypes":["microsoft.confidentialledger/ledgers"],"solutions":["LogManagement"],"queries":["3f837a43-8382-465c-9681-cadd66b5755d"]}},{"id":"ACRConnectedClientList","name":"ACRConnectedClientList","tableType":"Microsoft","description":"Logs count of Redis clients connected to a cache instance and their IP addresses, logged at a 10-second interval.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of when the log was generated in UTC."},{"name":"OperationName","type":"string","description":"The Redis operation associated with the log record."},{"name":"CacheName","type":"string","description":"The name of the Azure Cache for Redis instance."},{"name":"Location","type":"string","description":"The location (region) the Azure Cache for Redis instance was accessed in."},{"name":"RoleInstance","type":"string","description":"The role instance which logged the client list."},{"name":"ClientIp","type":"string","description":"The Redis client IP address."},{"name":"PrivateLinkIpv6","type":"string","description":"The Redis client private link IPv6 address (if applicable)."},{"name":"ClientCount","type":"int","description":"The number of Redis client connections from the associated IP address."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.cache/redis"],"solutions":["LogManagement"],"queries":["7147966e-f714-405b-b243-2c2d69e8b3fe","b0743562-0414-4fb9-a14b-fb1cfd5242b9"]}},{"id":"ACREntraAuthenticationAuditLog","name":"ACREntraAuthenticationAuditLog","tableType":"Microsoft","description":"Logs Microsoft Entra authentication audit events for Azure Cache for Redis.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of when the log was generated in UTC."},{"name":"OperationName","type":"string","description":"The Redis operation associated with the log record."},{"name":"CacheName","type":"string","description":"The name of the Azure Cache for Redis instance."},{"name":"Location","type":"string","description":"The location (region) the Azure Cache for Redis instance was accessed in."},{"name":"Message","type":"string","description":"The message associated with the log event."},{"name":"Authentication","type":"string","description":"Authentication result."},{"name":"Username","type":"string","description":"The user's identifier or username."},{"name":"IpAddress","type":"string","description":"The IP address and port associated with the log event."},{"name":"ClientId","type":"string","description":"Client identifier."},{"name":"ClientName","type":"string","description":"Client name."},{"name":"Lifetime","type":"string","description":"Duration of Microsoft Entra authentication validity, measured in Milliseconds from the initial connection."},{"name":"RoleInstance","type":"int","description":"The role instance associated with the log event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.cache/redis"],"solutions":["LogManagement"],"queries":["c7d2bca8-92e7-4c02-87f3-43aa0a0a2a3a"]}},{"id":"ACSAdvancedMessagingOperations","name":"ACSAdvancedMessagingOperations","tableType":"Microsoft","description":"Communication Services logs of incoming requests to Advanced Messaging operations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"Location","type":"string","description":"The location the request was processed."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"Category","type":"string","description":"The log category of the event. Logs with the same log category and resource type will have the same properties fields."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"ResultType","type":"string","description":"The status of the operation."},{"name":"ResultSignature","type":"string","description":"The sub status of the operation. 
If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call."},{"name":"ResultDescription","type":"string","description":"The static text description of this operation."},{"name":"DurationMs","type":"int","description":"The duration of the operation in milliseconds."},{"name":"CallerIpAddress","type":"string","description":"The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"Level","type":"string","description":"The severity level of the operation."},{"name":"URI","type":"string","description":"The URI of the request."},{"name":"ChannelId","type":"string","description":"The Channel Registration ID of the channel used to send the request."},{"name":"MessageType","type":"string","description":"The type of message in the request. Possible values include: \"text\", \"media\", and \"template\"."},{"name":"MessageStatus","type":"string","description":"The status result of the message send. 
Possible values include: \"delivered\", \"read\", \"sent\", \"failed\", \"accepted\", \"preprocessingfailed\", \"received\", and \"unknown\"."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["064165C0-C98A-490F-B1CC-EEB7E97E14D7","C413DD46-FC07-4503-BD46-6675865964D9","43BDBB0E-EDEB-4553-9D3B-0F0FCD634A2A","11E85FFF-DB30-44EB-BF92-C1B2AE87FA67","903C2AAD-D6B3-4EBE-B36F-489BAE2CE89B","5A911040-8674-47FB-B9F6-82F16E98F6EE","ADB6AFF9-FEAD-443C-BCC8-704F586CC5A4"]}},{"id":"ACSAuthIncomingOperations","name":"ACSAuthIncomingOperations","tableType":"Microsoft","description":"Communication Services logs of incoming requests to auth operations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"Category","type":"string","description":"The log category of the event. 
Logs with the same log category and resource type will have the same properties fields."},{"name":"ResultType","type":"string","description":"The status of the operation."},{"name":"ResultSignature","type":"string","description":"The sub status of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call."},{"name":"ResultDescription","type":"string","description":"The static text description of this operation."},{"name":"DurationMs","type":"int","description":"The duration of the operation in milliseconds."},{"name":"Level","type":"string","description":"The severity level of the operation."},{"name":"URI","type":"string","description":"The URI of the request"},{"name":"Identity","type":"string","description":"The request sender's identity"},{"name":"Scopes","type":"dynamic","description":"Scopes for the auth request (e.g. Chat, SMS, etc.)"},{"name":"SdkType","type":"string","description":"The SDK type being used in the request."},{"name":"PlatformType","type":"string","description":"The platform type being used in the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["d5195a1a-c7ab-4f2a-8720-6b3f5c544df0","cc68c95a-8de0-4c40-8394-537a00437ea7","056f1614-fffa-4286-be6b-fd614dfa4dc5","be71a17c-5ffd-4215-ab19-2ead19f56396","cf4f8822-721b-4bf0-91a8-6d0b7937047c"]}},{"id":"ACSBillingUsage","name":"ACSBillingUsage","tableType":"Microsoft","description":"Usage records across all modes of Communication Services.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"Category","type":"string","description":"The log category of the event. Logs with the same log category and resource type will have the same properties fields."},{"name":"RecordId","type":"string","description":"The unique ID for a given usage record."},{"name":"UsageType","type":"string","description":"The type of resource being consumed."},{"name":"UnitType","type":"string","description":"The unit in which the type of usage is measured."},{"name":"Quantity","type":"real","description":"The amount of usage in terms of the specified unit."},{"name":"StartTime","type":"datetime","description":"Time when the resource consumption started."},{"name":"EndTime","type":"datetime","description":"The time when resource consumption ended. 
Optional, as some events are instant by nature."},{"name":"UserIdA","type":"string","description":"User ID consuming the resource."},{"name":"UserIdB","type":"string","description":"User ID consuming the resource for consumables involving two users."},{"name":"ParticipantId","type":"string","description":"Participant Id is the link between billing data and calling data."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["8dc3bc93-2339-4035-8a92-b67f48f5d972","ca2d21c4-ac33-4ac0-88a9-ee2208e01ab7","050dc234-d6a1-4408-8c5e-dc61d81a2f57","f46854c3-fa37-4b92-8675-ce838000949b","7e8f9a0b-1c2d-3e4f-5a6b-7c8d9e0f1a2b"]}},{"id":"ACSCallAutomationIncomingOperations","name":"ACSCallAutomationIncomingOperations","tableType":"Microsoft","description":"Communication Services logs of incoming requests to Call Automation operations. Every entry corresponds to the result of a call to the Call Automation APIs, e.g. CreateCall, AnswerCall, Play, Recognize, etc.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"Level","type":"string","description":"The severity level of the operation."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. 
Can be used to identify correlated events between multiple tables."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version associated with the operation or version of the operation (if there is no API version)."},{"name":"URI","type":"string","description":"The URI of the request."},{"name":"ResultType","type":"string","description":"The status of the operation."},{"name":"ResultSignature","type":"int","description":"The sub status of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call."},{"name":"DurationMs","type":"int","description":"The duration of the operation in milliseconds."},{"name":"CallerIpAddress","type":"string","description":"The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address."},{"name":"CallConnectionId","type":"string","description":"Id of the call connection/leg, if available."},{"name":"ServerCallId","type":"string","description":"Server Call Id."},{"name":"SdkVersion","type":"string","description":"SDK Version."},{"name":"SdkType","type":"string","description":"The SDK type used in the request."},{"name":"SubOperationName","type":"string","description":"Denotes the operation specific configuration (e.g. Recognize Dtmf, Play File), if available."},{"name":"OperationId","type":"string","description":"The ID for media events. 
Can be used to identify operation events between ACSCallAutomationMediaSummary table and this."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["7f3d1936-3775-429b-bfd7-dc9b2ba60c64","40461cde-9c28-4bb0-a227-f6a1a7467541","b42ac607-c76d-438a-b76a-33acb4e54138","b67c8c54-3f67-47b2-b452-16fb84ed417c","9e8fe6f0-8c27-4177-aa41-e49f1e7450be","78bcf04a-0b38-4996-9f4e-7372e9c2d020","98d0fd24-6a32-435f-96ac-2581938a8416","440010c7-039e-4ef3-9e9e-edd4d3771257","7a167d23-5ea5-481e-bbb6-fd19699af0ba","9a6be894-4674-4d77-8d2e-844a8eb28eae","a00fc011-6091-440b-8284-f9fac99a7afe","e804b73f-639a-4b9c-acc2-cbbbfa2ef312","a45ed096-b8c6-4ce1-ba2e-a6b5a52a7aae","64844757-e0db-4568-845c-cf608593778c","6c58d1d8-5dfe-4a65-9764-4bd50fbcf37d"]}},{"id":"ACSCallAutomationMediaSummary","name":"ACSCallAutomationMediaSummary","tableType":"Microsoft","description":"Communication Services summary logs of Call Automation Media operations. Every entry corresponds to the result of a call to the Call Automation Media APIs. (e.g. Play, Recognize).","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"Level","type":"string","description":"The severity level of the operation."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. 
Can be used to identify correlated events between multiple tables."},{"name":"ResultType","type":"string","description":"The status of the operation."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationId","type":"string","description":"The ID for media events. Can be used to identify operation events between ACSCallAutomationIncomingOperations table and this."},{"name":"PlayInLoop","type":"bool","description":"Describes if the Play was requested to loop."},{"name":"PlayToParticipant","type":"bool","description":"True if Play request was targeted to a single participant, false if it was played to all participants."},{"name":"PlayInterrupted","type":"bool","description":"Describes if the play operation was interrupted."},{"name":"RecognizePromptSubOperationName","type":"string","description":"Describes the Recognize request's prompt kind, i.e. SSML, Text, File. Only available when Prompt is requested during Recognize operation."},{"name":"ResultCode","type":"int","description":"The HTTP result code for the operation."},{"name":"ResultSubcode","type":"int","description":"The sub status code for the operation."},{"name":"ResultMessage","type":"string","description":"The result message related to the operation."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["d0fad1c6-6580-4c19-ad0b-d410db4e04d6","b838972e-f1e4-4141-be20-fcb264e283ac","77b86d68-0cad-4dbe-a475-89f76f524035","aad69aaf-18e3-480a-93f3-5e4fac15f772"]}},{"id":"ACSCallAutomationStreamingUsage","name":"ACSCallAutomationStreamingUsage","tableType":"Microsoft","description":"Communication Services Call Automation Media Streaming features usage information. Every entry corresponds to a streaming session between a Start and Stop operation for MediaStreaming or Transcription and records information about the session such as session start time, duration, sessionId, etc. In unmixed streaming cases, participantId of the stream being billed is also included.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"StreamingModality","type":"string","description":"The modality of streaming being recorded, eg. AudioStreamingMixed, AudioStreamingUnmixed, Transcription."},{"name":"StreamingSessionId","type":"string","description":"The ID associated with the streaming session belonging to the current record."},{"name":"ParticipantId","type":"string","description":"The participantId of the current participant record for unmixed streaming cases. 
Will be null for mixed sessions."},{"name":"StreamingStartTime","type":"datetime","description":"The start time of the streaming session."},{"name":"StreamingDurationInMs","type":"real","description":"The duration of the streaming session in milliseconds"},{"name":"CallConnectionId","type":"string","description":"Id of the call connection/leg, if available."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["ad05f177-82ee-43fb-8454-522e08f987e0","dfa672f3-f6ae-4eda-8550-1f7fbf1bcca1","6b2c4057-669d-493d-a6b3-fbb2a2f44fb3","d99254bc-99b3-421b-ba6c-8ef7d465ecfc","1b5f6e45-fefc-465e-ae38-5d5a57ce5d1a","cd98dfa9-1467-4c31-a378-b65063fea535"]}},{"id":"ACSCallClientMediaStatsTimeSeries","name":"ACSCallClientMediaStatsTimeSeries","tableType":"Microsoft","description":"Call client media stats logs provide media statistics about a call made through ACS. These logs are used to provide granular timeseries for quality metrics in Call Diagnostics Center. The logs contain information about media stream type, direction, codec as well as bitrate properties (e.g. 
max, min, average).","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CallId","type":"string","description":"The identifier of the call used to correlate. Can be used to identify correlated events between multiple tables."},{"name":"CallClientTimeStamp","type":"datetime","description":"The timestamp (UTC) of when the ACS client's media stats log was generated."},{"name":"MetricName","type":"string","description":"Client metric name."},{"name":"Count","type":"long","description":"The count of a certain media metric statistics."},{"name":"Sum","type":"real","description":"The sum of a certain media metric statistics."},{"name":"Average","type":"real","description":"The average of a certain media metric statistics."},{"name":"Minimum","type":"real","description":"The minimum of a certain media metric statistics."},{"name":"Maximum","type":"real","description":"The maximum of a certain media metric statistics."},{"name":"MediaStreamDirection","type":"string","description":"Client media stream direction, i.e. recv or send."},{"name":"MediaStreamType","type":"string","description":"Client media stream type, i.e. 
video or screen."},{"name":"MediaStreamCodec","type":"string","description":"Client media stream codec."},{"name":"ParticipantId","type":"string","description":"ID of the participant."},{"name":"ClientInstanceId","type":"string","description":"Client instance ID."},{"name":"EndpointId","type":"string","description":"ACS calling endpoint ID."},{"name":"RemoteParticipantId","type":"string","description":"ACS remote participant ID."},{"name":"RemoteEndpointId","type":"string","description":"ACS calling remote endpoint ID."},{"name":"MediaStreamId","type":"string","description":"ACS calling media stream ID."},{"name":"AggregationIntervalSeconds","type":"int","description":"ACS calling media stats aggregation interval in seconds."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["b22325db4-5ea1-3436-a5eb-14ad2ab4gb31","a6552tt9-5ed2-4965-b7fb-62ee5ac0ff66","a3552tt9-4ed2-4665-b7eb-61ee5ac0fc46"]}},{"id":"ACSCallClientOperations","name":"ACSCallClientOperations","tableType":"Microsoft","description":"Call client operation logs provide information regarding operations performed by clients using the Azure Communication Service Calling client SDK. It includes information regarding events raised by the SDK, such as state changes, e.g. createView, startAudio,DevicePermissionRequest. 
This log will be used by Call Diagnostics Center to visualize a call flow in a time series manner.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"CallClientTimeStamp","type":"datetime","description":"The timestamp (UTC) of when the call client log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CallId","type":"string","description":"The identifier of the call used to correlate. Can be used to identify correlated events between multiple tables."},{"name":"ParticipantId","type":"string","description":"ID of the participant."},{"name":"OperationType","type":"string","description":"Client operation type."},{"name":"OperationId","type":"string","description":"Client operation ID."},{"name":"DurationMs","type":"long","description":"Client operation duration in millisecond."},{"name":"ResultType","type":"string","description":"Client operation event result type."},{"name":"ResultSignature","type":"int","description":"Client operation event result network code."},{"name":"SdkVersion","type":"string","description":"Azure Communication Service calling client SDK version associated with the log."},{"name":"UserAgent","type":"string","description":"The user agent string of the client application."},{"name":"ClientInstanceId","type":"string","description":"Client instance ID."},{"name":"EndpointId","type":"string","description":"Azure Communication Service calling endpoint ID."},{"name":"OperationPayload","type":"dynamic","description":"Azure Communication Service calling specific operation payload adhering to a defined schema."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["a21345ab2-4eb1-1323-c5ba-64ad3bd3ga25","f05244sn2-5ed2-4965-b7fb-62ee5ac0fh21","a03245sn2-5ac1-5745-a7eb-12ce5bc0fa23","e23137ab2-1ba3-2526-a3eb-14bd1bc1gb31","b13345ab2-5ea1-3436-a5eb-24ad2bc4gb31","c22325ab2-5ea1-3436-a5eb-14ad2ac4gb31","d22137ab2-6ba3-2426-a2eb-14ad1bc1gb32"]}},{"id":"ACSCallClientServiceRequestAndOutcome","name":"ACSCallClientServiceRequestAndOutcome","tableType":"Microsoft","description":"Service side request and outcome logs from calling SDK like call join, hangup and state updates as outcomes with http request/response payloads in the property bag.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"Category","type":"string","description":"The log category of the event. 
Logs with the same log category and resource type will have the same properties fields."},{"name":"CorrelationId","type":"string","description":"The unique GUID per dimension."},{"name":"Level","type":"string","description":"Log level like info/error."},{"name":"DurationMs","type":"int","description":"Duration of an operation in milliseconds."},{"name":"Properties","type":"dynamic","description":"Properties payload based on request/outcome of various calling operations."},{"name":"ResultType","type":"string","description":"Result type like Success/UnexpectedServerError."},{"name":"ResultSignature","type":"int","description":"HTTP result signature."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"]}},{"id":"ACSCallClosedCaptionsSummary","name":"ACSCallClosedCaptionsSummary","tableType":"Microsoft","description":"Call closed captions summary logs provide an overview of closed captions made through ACS. 
There is one log for every closed captions done, and logs contain information about the duration of the closed captions, start time, spoken language and end reason, as well as the cancel reason of closed captions.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"ResultType","type":"string","description":"The status of the operation."},{"name":"Level","type":"string","description":"The severity level of the operation."},{"name":"SpeechRecognitionSessionId","type":"string","description":"The ID given to the closed captions this log refers to."},{"name":"SpokenLanguage","type":"string","description":"The spoken language of the closed captions."},{"name":"EndReason","type":"string","description":"The reason why the closed captions ended."},{"name":"CancelReason","type":"string","description":"The reason why the closed captions cancelled."},{"name":"StartTime","type":"datetime","description":"The time that the closed captions started."},{"name":"Duration","type":"real","description":"Duration of the closed captions in seconds."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"]}},{"id":"ACSCallDiagnostics","name":"ACSCallDiagnostics","tableType":"Microsoft","description":"Diagnostics logs provide information about the media transfers that occur in a call. Every log corresponds to an individual media stream and contains information about the emitting endpoint (e.g. the user sending the stream).","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"Category","type":"string","description":"The log category of the event. Logs with the same log category and resource type will have the same properties fields."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"Identifier","type":"string","description":"The identifier of the call used to correlate. 
Can be used to identify correlated events between multiple tables."},{"name":"ParticipantId","type":"string","description":"ID of the participant."},{"name":"EndpointId","type":"string","description":"ID of the endpoint."},{"name":"EndpointType","type":"string","description":"Type of the endpoint."},{"name":"MediaType","type":"string","description":"Type of Media."},{"name":"StreamId","type":"long","description":"ID of the stream."},{"name":"TransportType","type":"string","description":"Type of the internet transport layer, it can be UDP, TCP or unknown."},{"name":"RoundTripTimeAvg","type":"int","description":"Average time of a round trip in milliseconds."},{"name":"RoundTripTimeMax","type":"int","description":"Max time of a trip in milliseconds."},{"name":"JitterAvg","type":"int","description":"Average delay of sending the packages in milliseconds."},{"name":"JitterMax","type":"int","description":"Max delay of sending the packages in milliseconds."},{"name":"PacketLossRateAvg","type":"real","description":"Average lost packages."},{"name":"PacketLossRateMax","type":"real","description":"Max lost packages."},{"name":"HealedDataRatioAvg","type":"real","description":"Average healed data ratio for incoming audio."},{"name":"HealedDataRatioMax","type":"real","description":"Maximum healed data ratio for incoming audio."},{"name":"RecvResolutionHeight","type":"int","description":"Receive average resolution height."},{"name":"RecvFreezeDurationPerMinuteInMs","type":"real","description":"Average receive freeze duration per minute in microseconds."},{"name":"VideoFrameRateAvg","type":"real","description":"Average frames per second."},{"name":"JitterBufferSizeAvg","type":"int","description":"Average jitter buffer size in milliseconds."},{"name":"JitterBufferSizeMax","type":"int","description":"Maximum jitter buffer size in milliseconds."},{"name":"PacketUtilization","type":"int","description":"Utilized packets for the media 
stream."},{"name":"VideoBitRateAvg","type":"int","description":"Average bitrate."},{"name":"VideoBitRateMax","type":"int","description":"Maximum bitrate."},{"name":"StreamDirection","type":"string","description":"The direction of the stream, can be inbound or outbound."},{"name":"CodecName","type":"string","description":"Codec used for the media stream."},{"name":"TPE","type":"bool","description":"Boolean value that identify Teams Phone Extensibility calls."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["693cc58e-1b66-41f2-b83e-d92de385aace","e94fbeb3-4642-4ccf-b138-82c39dede64c","4944e5c6-520d-41b4-84e6-9c9cc4b564ec","f240c320-03bb-4562-ad29-8282c706778d","7fe223e8-c01b-482a-9578-4fb0f0fa86af","b87b8817-e3ee-4bfc-87b3-e07176865011","f94f0759-ed97-45dd-bdc3-d856e2c93ea4","6309ad3f-f611-4c95-a627-5ba6b1eda4d4","61e410fb-0923-4837-a93b-b68b771dc7f5","ff582702-6d8c-4487-bcb7-584fc3f5c223","b77fadc5-0e2b-4d97-958a-8069988150be","4a074c0d-6343-46df-b9dc-c693f1cc54c5","c8bf3142-c260-4062-8a92-b7b22ba14c90","c1815bd9-9000-4477-8a47-7ec598b3d482","440010c7-039e-4ef3-9e9e-edd4d3771257","a03245sn2-5ac1-5745-a7eb-12ce5bc0fa23","b13345ab2-5ea1-3436-a5eb-24ad2bc4gb31","c22325ab2-5ea1-3436-a5eb-14ad2ac4gb31"]}},{"id":"ACSCallDiagnosticsUpdates","name":"ACSCallDiagnosticsUpdates","tableType":"Microsoft","description":"Diagnostics logs provide information about the media transfers that occur in a call. 
Every log corresponds to an individual media stream and contains information about the emitting endpoint (e.g. the user sending the stream).","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"Category","type":"string","description":"The log category of the event. Logs with the same log category and resource type will have the same properties fields."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"Identifier","type":"string","description":"The identifier of the call used to correlate. 
Can be used to identify correlated events between multiple tables."},{"name":"ParticipantId","type":"string","description":"ID of the participant."},{"name":"EndpointId","type":"string","description":"ID of the endpoint."},{"name":"EndpointType","type":"string","description":"Type of the endpoint."},{"name":"MediaType","type":"string","description":"Type of Media."},{"name":"StreamId","type":"long","description":"ID of the stream."},{"name":"TransportType","type":"string","description":"Type of the internet transport layer, it can be UDP, TCP or unknown."},{"name":"RoundTripTimeAvg","type":"int","description":"Average time of a round trip in milliseconds."},{"name":"RoundTripTimeMax","type":"int","description":"Max time of a trip in milliseconds."},{"name":"JitterAvg","type":"int","description":"Average delay of sending the packages in milliseconds."},{"name":"JitterMax","type":"int","description":"Max delay of sending the packages in milliseconds."},{"name":"PacketLossRateAvg","type":"real","description":"Average lost packages."},{"name":"PacketLossRateMax","type":"real","description":"Max lost packages."},{"name":"HealedDataRatioAvg","type":"real","description":"Average healed data ratio for incoming audio."},{"name":"HealedDataRatioMax","type":"real","description":"Maximum healed data ratio for incoming audio."},{"name":"RecvResolutionHeight","type":"int","description":"Receive average resolution height."},{"name":"RecvFreezeDurationPerMinuteInMs","type":"real","description":"Average receive freeze duration per minute in microseconds."},{"name":"VideoFrameRateAvg","type":"real","description":"Average frames per second."},{"name":"JitterBufferSizeAvg","type":"int","description":"Average jitter buffer size in milliseconds."},{"name":"JitterBufferSizeMax","type":"int","description":"Maximum jitter buffer size in milliseconds."},{"name":"PacketUtilization","type":"int","description":"Utilized packets for the media 
stream."},{"name":"VideoBitRateAvg","type":"int","description":"Average bitrate."},{"name":"VideoBitRateMax","type":"int","description":"Maximum bitrate."},{"name":"StreamDirection","type":"string","description":"The direction of the stream, can be inbound or outbound."},{"name":"CodecName","type":"string","description":"Codec used for the media stream."},{"name":"CallUpdatesVersion","type":"int","description":"Experience Version of the log."},{"name":"TPE","type":"bool","description":"Boolean value that identify Teams Phone Extensibility calls."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["141e074c-7563-4d02-8e03-41fbb2be1f39","2b6d1a2b-3c4d-5e6f-7e6f-4d3c9d8b2b6d","1e2d3c4b-5a6f-7e8d-9c0b-1a2b3c4d5e6f","7e6f5d4c-3b2a-1d0c-9e8b-7a6f5d4c3b2a","5e6f7e8d-9c0b-1a2b-3c4d-5e6f7e8d9c0b","5e6f7e6f-4d3c-9d8b-2b6d-1a2b3c4d5e6f","7e8d9c0b-1a2b-3c4d-5e6f-7e8d9c0b1a2b","1a2b3c4d-5e6f-7e8d-9c0b-1a2b3c4d5e6f","7e6f4d3c-9d8b-2b6d-1a2b-3c4d5e6f7e6f","3c4d5e6f-7e6f-4d3c-9d8b-2b6d1a2b3c4d","4d3c9d8b-2b6d-1a2b-3c4d-5e6f7e6f4d3c","3c4d5e6f-7e8d-9c0b-1a2b-3c4d5e6f7e8d"]}},{"id":"ACSCallRecordingIncomingOperations","name":"ACSCallRecordingIncomingOperations","tableType":"Microsoft","description":"Communication Services logs of incoming requests to Call Recording operations. Every entry corresponds to the result of a call to the Call Recording APIs, e.g. 
StartRecording, StopRecording, PauseRecording, ResumeRecording, etc.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"Level","type":"string","description":"The severity level of the operation."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version associated with the operation or version of the operation (if there is no API version)."},{"name":"URI","type":"string","description":"The URI of the request."},{"name":"ResultType","type":"string","description":"The status of the operation."},{"name":"ResultSignature","type":"int","description":"The sub status of the operation. 
If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call."},{"name":"DurationMs","type":"int","description":"The duration of the operation in milliseconds."},{"name":"CallerIpAddress","type":"string","description":"The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address."},{"name":"CallConnectionId","type":"string","description":"Id of the call connection/leg, if available."},{"name":"ServerCallId","type":"string","description":"Server Call Id."},{"name":"SdkVersion","type":"string","description":"SDK Version."},{"name":"SdkType","type":"string","description":"The SDK type used in the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["e89a42f7-5318-4ca1-a0d9-2f105543a1bf","7d6310c2-4c88-45c4-9e4d-9feab95f84f8","d64d18e9-1c75-4b3b-a6c9-acd67a6f55f6","8db4823c-7f3d-4d5a-89db-5b5f5eb2a4a9","a4b6d7c9-8e6f-4a3b-81c3-1f9d6e7b8a2c","6f935ea8-7c95-4f6b-a13a-16af03485d29"]}},{"id":"ACSCallRecordingSummary","name":"ACSCallRecordingSummary","tableType":"Microsoft","description":"Call recording summary logs provide an overview of a recording made through ACS. There is one log for every recording done, and logs contain information about the duration of the recording, the content (e.g. Audio-Video, Unmixed, Transcription, etc.) and format (e.g. 
WAV, MP4, etc) types used for the recording, as well as the end reason of recording.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"RecordingId","type":"string","description":"The ID given to the recording this log refers to."},{"name":"ResultType","type":"string","description":"The status of the operation."},{"name":"Level","type":"string","description":"The severity level of the operation."},{"name":"RecordingEndReason","type":"string","description":"The reason why the recording ended."},{"name":"ChunkCount","type":"int","description":"The total number of chunks created fot the recording."},{"name":"RecordingStartTime","type":"datetime","description":"The time that the recording started."},{"name":"RecordingLength","type":"real","description":"Duration of the recording in seconds."},{"name":"ContentType","type":"string","description":"The recording's content, i.e. Audio Only, Audio - Video, Transcription, etc."},{"name":"ChannelType","type":"string","description":"The recording's channel type, i.e. 
mixed, unmixed."},{"name":"FormatType","type":"string","description":"The recording's file format."},{"name":"AudioChannelsCount","type":"int","description":"Total number of audio channels in the recording."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["f06635bd-c6ed-4052-b2d9-074bc8fa9f79","b5716eb0-b7ed-4748-9c3f-ace527fc382a","9aeac264-1f94-4b63-a1e7-afff335dadde","0462291d-ba25-4268-8440-6135184e6f7b","42d970fa-0354-4325-b9c2-bc47f7cbd46b","421c4968-ba9a-41fb-8f3e-0b43837e5b79"]}},{"id":"ACSCallSummary","name":"ACSCallSummary","tableType":"Microsoft","description":"Call summary logs provide an overview about a call made through ACS. There is one log for every participant in the call, and logs contain information about the duration of the call, the duration of the individual participant, the type of participant (e.g. 
VoIP, PSTN, etc.), as well as the endpoint information like the OS version being used, or the SDK version of the ACS platform.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"Category","type":"string","description":"The log category of the event. Logs with the same log category and resource type will have the same properties fields."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"Identifier","type":"string","description":"The indentifier of the call used to correlate. Can be used to identify correlated events between multiple tables."},{"name":"CallStartTime","type":"datetime","description":"Start time of the call."},{"name":"CallDuration","type":"long","description":"Duration of the call in seconds."},{"name":"CallType","type":"string","description":"Type of the call, for example P2P (peer to peer)."},{"name":"TeamsThreadId","type":"string","description":"Thread ID of the team."},{"name":"ParticipantId","type":"string","description":"ID of the participant."},{"name":"ParticipantTenantId","type":"string","description":"The ID of the Microsoft tenant associated with the identity of the participant. The tenant can either be the Azure tenant that owns the ACS resource or the Microsoft tenant of an M365 identity. 
This field is used to guide cross-tenant redaction."},{"name":"ParticipantStartTime","type":"datetime","description":"Start time of the participant."},{"name":"ParticipantDuration","type":"long","description":"Duration of the participant call in seconds."},{"name":"ParticipantEndReason","type":"string","description":"Participant's call end reason."},{"name":"EndpointId","type":"string","description":"The ID of the endpoint."},{"name":"EndpointType","type":"string","description":"Type of the endpoint, for example VoIP (voice over IP)."},{"name":"SdkVersion","type":"string","description":"SDK version."},{"name":"OsVersion","type":"string","description":"Operating System version."},{"name":"PstnParticipantCallType","type":"string","description":"The type and direction of PSTN participants, including emergency calling, direct routing, transfer, forwarding, etc."},{"name":"ParticipantType","type":"string","description":"Description of the participant as a combination of its client (Azure Communication Services (ACS) or Teams), and its identity, (ACS or Microsoft 365). 
Possible values include: ACS (ACS identity and ACS SDK), Teams (Teams identity and Teams client), ACS as Teams external user (ACS identity and ACS SDK in Teams call or meeting), and ACS as Microsoft 365 user (M365 identity and ACS client)."},{"name":"ParticipantEndSubCode","type":"string","description":"Participant's call end reason sub code."},{"name":"ResultCategory","type":"string","description":"The category of participant call end reason."},{"name":"DiagnosticOptions","type":"string","description":"JSON containing the DiagnosticOptions provided during client initialization containing appName, appVersion and tags."},{"name":"CallDebuggingInfo","type":"string","description":"JSON containing the fields with debug details about the call."},{"name":"TPE","type":"bool","description":"Boolean value that identify Teams Phone Extensibility calls."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["ed999090-4bc2-4704-ba16-ff0223930a4d","f46854c3-fa37-4b92-8675-ce838000949b","6d9f94e6-0421-4611-b43a-c9a8f409b83b","7f49ca30-a69f-45fd-b06f-d2b5271587da","a7cc4b34-b191-4d3a-8fac-830ed3321e45","912d4bfd-f025-4f8d-909e-2936b7796eb8","df398179-e2b2-418d-bfae-95faf858c0cf","444fcb48-73f7-49b4-bc43-852418bbd394","98481911-2a32-4b68-b7bb-8065ffc25376","16168079-3eda-4f8e-b486-51a592299b87","4a3ef465-671d-4759-815e-c6bd2769da61","7a167d23-5ea5-481e-bbb6-fd19699af0ba","a03245sn2-5ac1-5745-a7eb-12ce5bc0fa23","b13345ab2-5ea1-3436-a5eb-24ad2bc4gb31","d22137ab2-6ba3-2426-a2eb-14ad1bc1gb32"]}},{"id":"ACSCallSummaryUpdates","name":"ACSCallSummaryUpdates","tableType":"Microsoft","description":"Call summary logs provide an overview about a call made through ACS. There is one log for every participant in the call, and logs contain information about the duration of the call, the duration of the individual participant, the type of participant (e.g. VoIP, PSTN, etc.), as well as the endpoint information like the OS version being used, or the SDK version of the ACS platform.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"Category","type":"string","description":"The log category of the event. Logs with the same log category and resource type will have the same properties fields."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. 
Can be used to identify correlated events between multiple tables."},{"name":"Identifier","type":"string","description":"The indentifier of the call used to correlate. Can be used to identify correlated events between multiple tables."},{"name":"CallStartTime","type":"datetime","description":"Start time of the call."},{"name":"CallDuration","type":"long","description":"Duration of the call in seconds."},{"name":"CallType","type":"string","description":"Type of the call, for example P2P (peer to peer)."},{"name":"TeamsThreadId","type":"string","description":"Thread ID of the team."},{"name":"ParticipantId","type":"string","description":"ID of the participant."},{"name":"ParticipantTenantId","type":"string","description":"The ID of the Microsoft tenant associated with the identity of the participant. The tenant can either be the Azure tenant that owns the ACS resource or the Microsoft tenant of an M365 identity. This field is used to guide cross-tenant redaction."},{"name":"ParticipantStartTime","type":"datetime","description":"Start time of the participant."},{"name":"ParticipantDuration","type":"long","description":"Duration of the participant call in seconds."},{"name":"ParticipantEndReason","type":"string","description":"Participant's call end reason."},{"name":"EndpointId","type":"string","description":"The ID of the endpoint."},{"name":"EndpointType","type":"string","description":"Type of the endpoint, for example VoIP (voice over IP)."},{"name":"SdkVersion","type":"string","description":"SDK version."},{"name":"OsVersion","type":"string","description":"Operating System version."},{"name":"PstnParticipantCallType","type":"string","description":"The type and direction of PSTN participants, including emergency calling, direct routing, transfer, forwarding, etc."},{"name":"ParticipantType","type":"string","description":"Description of the participant as a combination of its client (Azure Communication Services (ACS) or Teams), and its identity, (ACS or Microsoft 
365). Possible values include: ACS (ACS identity and ACS SDK), Teams (Teams identity and Teams client), ACS as Teams external user (ACS identity and ACS SDK in Teams call or meeting), and ACS as Microsoft 365 user (M365 identity and ACS client)."},{"name":"ParticipantEndSubCode","type":"string","description":"Participant's call end reason sub code."},{"name":"ResultCategory","type":"string","description":"The category of participant call end reason."},{"name":"DiagnosticOptions","type":"string","description":"JSON containing the DiagnosticOptions provided during client initialization containing appName, appVersion and tags."},{"name":"CallUpdatesVersion","type":"int","description":"Experience Version of the log."},{"name":"CallDebuggingInfo","type":"string","description":"JSON containing the fields with debug details about the call."},{"name":"TPE","type":"bool","description":"Boolean value that identify Teams Phone Extensibility calls."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["1a2b3c4d-e5f6-7a8b-9c0d-1e2f3a4b5c6d","7e8f9a0b-1c2d-3e4f-5a6b-7c8d9e0f1a2b","3e4f5a6b-7c8d-9e0f-1a2b-3c4d5e6f7a8b","9c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4f","5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d","023e5cae-a136-5a9e-010f-1047c8807fc9","d62bf65f-66b7-482f-b296-83f2ca4e19d8","f94860c-a83f-44cb-88bd-3fc8d2ab5510","fc661805-ba40-45c5-84f0-1afa40af255d","2f874bbe-63ac-479a-ba4e-858c0607b2ac","d13a7541-aeee-425f-89e6-33795d8e1e23","07dd8389-c27d-4fbe-8b52-8506a933be06","985dcc97-d950-413f-a024-9e12640775a9"]}},{"id":"ACSCallSurvey","name":"ACSCallSurvey","tableType":"Microsoft","description":"Call survey provides information about the call surveys submitted by the participants.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. This field contains the participant ID that allows call survey to be correlated with other calling logs."},{"name":"CallId","type":"string","description":"The identifier of the call used to correlate. 
Can be used to identify correlated events between multiple tables."},{"name":"ParticipantId","type":"string","description":"ID of the participant."},{"name":"SurveyId","type":"string","description":"The ID of the survey uniquely identifies the call survey."},{"name":"OverallRatingScore","type":"int","description":"Overall call experience rated by the participant."},{"name":"OverallRatingScoreLowerBound","type":"int","description":"Minimum value of the OverallRatingScore scale."},{"name":"OverallRatingScoreUpperBound","type":"int","description":"Maximum value of the OverallRatingScore scale."},{"name":"OverallRatingScoreThreshold","type":"int","description":"The OverallRatingScore greater than this value indicates better quality."},{"name":"OverallCallIssues","type":"string","description":"Comma separated overall issues reported by the participant."},{"name":"AudioRatingScore","type":"int","description":"Audio experience rated by the participant."},{"name":"AudioRatingScoreLowerBound","type":"int","description":"Minimum value of the AudioRatingScore scale."},{"name":"AudioRatingScoreUpperBound","type":"int","description":"Maximum value of the AudioRatingScore scale."},{"name":"AudioRatingScoreThreshold","type":"int","description":"The AudioRatingScore greater than this value indicates better quality."},{"name":"AudioIssues","type":"string","description":"Comma separated audio issues reported by the participant."},{"name":"VideoRatingScore","type":"int","description":"Video experience rated by the participant."},{"name":"VideoRatingScoreLowerBound","type":"int","description":"Minimum value of the VideoRatingScore scale."},{"name":"VideoRatingScoreUpperBound","type":"int","description":"Maximum value of the VideoRatingScore scale."},{"name":"VideoRatingScoreThreshold","type":"int","description":"The VideoRatingScore greater than this value indicates better quality."},{"name":"VideoIssues","type":"string","description":"Comma separated video issues reported by the 
participant."},{"name":"ScreenshareRatingScore","type":"int","description":"Screenshare experience rated by the participant."},{"name":"ScreenshareRatingScoreLowerBound","type":"int","description":"Minimum value of the ScreenshareRatingScore scale."},{"name":"ScreenshareRatingScoreUpperBound","type":"int","description":"Maximum value of the ScreenshareRatingScore scale."},{"name":"ScreenshareRatingScoreThreshold","type":"int","description":"The ScreenshareRatingScore greater than this value indicates better quality."},{"name":"ScreenshareIssues","type":"string","description":"Comma separated screenshare issues reported by the participant."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["b91f0d9c-d737-426a-8f82-ae437dd9f96a","8d00c931-20c2-407b-9259-1ae4c88b028d","36fbf974-5e1b-4769-87fa-225eaa89d5f7","c9644b48-1200-4111-8f62-b0149217257e","a2922c7d-f507-4475-aa51-05d132d74533","016bbfac-c423-4c25-83e5-53853c691c9c","b4cdbea5-9617-4b09-b176-50240a07ba65","f6011a1e-5ed2-4965-b7fb-62ed5ac0ffd9","a03245sn2-5ac1-5745-a7eb-12ce5bc0fa23","b13345ab2-5ea1-3436-a5eb-24ad2bc4gb31"]}},{"id":"ACSCallingMetrics","name":"ACSCallingMetrics","tableType":"Microsoft","description":"Aggregated Calling metrics in daily bins based on dimensions like SDK Version, OS name, 
Subcode.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"Category","type":"string","description":"The log category of the event. Logs with the same log category and resource type will have the same properties fields."},{"name":"CorrelationId","type":"string","description":"The unique gguid per dimension."},{"name":"TimestampMax","type":"datetime","description":"The max timestamp for each dimension."},{"name":"TimestampBin","type":"datetime","description":"The daily timestamp bin for each dimension."},{"name":"MetricValueAvg","type":"real","description":"The average value of metric per dimension."},{"name":"Unit","type":"string","description":"Unit of metric"},{"name":"Goal","type":"string","description":"Threshold defined for a leg to succeed."},{"name":"FailedLegsDcount","type":"int","description":"Number of failed participants per dimension."},{"name":"SuccessLegsDcount","type":"int","description":"Count of succeeded participants per dimension."},{"name":"CallsDcount","type":"int","description":"Count of total Call per dimension."},{"name":"LegsDcount","type":"int","description":"Count of total participants per dimension."},{"name":"SubCode","type":"string","description":"Subcode dimension."},{"name":"CallType","type":"string","description":"Call type dimension."},{"name":"Platform","type":"string","description":"Platform dimension."},{"name":"ResultType","type":"string","description":"Result type dimension."},{"name":"DeviceModel","type":"string","description":"Device model 
dimension."},{"name":"DeviceBrand","type":"string","description":"Device brand dimension."},{"name":"DeviceFamily","type":"string","description":"Device Family dimension."},{"name":"DeviceOsVersionMajor","type":"string","description":"Device OS version major dimension."},{"name":"DeviceOsVersionMinor","type":"string","description":"Device OS version minor dimension."},{"name":"DeviceBrowserVersionMinor","type":"string","description":"Device browser minor dimension."},{"name":"DeviceBrowserVersionMajor","type":"string","description":"Device browser major dimension."},{"name":"DeviceOsName","type":"string","description":"Device OS name dimension."},{"name":"DeviceBrowser","type":"string","description":"Device browser dimension."},{"name":"SdkVersion","type":"string","description":"SDK version dimension."},{"name":"MetricName","type":"string","description":"Metric name dimension."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"]}},{"id":"ACSChatIncomingOperations","name":"ACSChatIncomingOperations","tableType":"Microsoft","description":"Communication Services logs of incoming requests to chat operations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log 
record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"Category","type":"string","description":"The log category of the event. Logs with the same log category and resource type will have the same properties fields."},{"name":"ResultType","type":"string","description":"The status of the operation."},{"name":"ResultSignature","type":"string","description":"The sub status of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call."},{"name":"ResultDescription","type":"string","description":"The static text description of this operation."},{"name":"DurationMs","type":"int","description":"The duration of the operation in milliseconds."},{"name":"CallerIpAddress","type":"string","description":"The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address."},{"name":"Level","type":"string","description":"The severity level of the operation."},{"name":"URI","type":"string","description":"The URI of the request."},{"name":"UserId","type":"string","description":"The request sender's user ID."},{"name":"ChatThreadId","type":"string","description":"The chat thread ID associated with the request."},{"name":"ChatMessageId","type":"int","description":"The chat message ID associated with the request."},{"name":"SdkType","type":"string","description":"The SDK type used in the request."},{"name":"PlatformType","type":"string","description":"The platform type used in the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["afece89a-eed3-4aa4-ba30-dfb7edd8b429","d72355a1-1cc9-405c-bfbb-02dfc41cfd5f","f2291767-c2a3-4865-8f70-f4f5adca5dd2","9812504c-00a6-42c4-9cd6-b1532480a3cf","4a0cdc80-bf62-498e-98e8-e52804a8a766"]}},{"id":"ACSEmailSendMailOperational","name":"ACSEmailSendMailOperational","tableType":"Microsoft","description":"Email Communication Services logs for send operations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"Location","type":"string","description":"The location the request was processed."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"Category","type":"string","description":"The log category of the event. Logs with the same log category and resource type will have the same properties fields."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. 
This value is populated with the MessageID returned by Email send requests and can be used to identify correlated events between Email Operational tables."},{"name":"Size","type":"real","description":"The size of the email in megabypes."},{"name":"ToRecipientsCount","type":"int","description":"The count of unique recipients on the 'To' line."},{"name":"CcRecipientsCount","type":"int","description":"The count of unique recipients on the 'Cc' line."},{"name":"BccRecipientsCount","type":"int","description":"The count of unique recipients on the 'Bcc' line."},{"name":"UniqueRecipientsCount","type":"int","description":"The unique count of all recipients."},{"name":"AttachmentsCount","type":"int","description":"The count of attachments attached to a request."},{"name":"TrafficSource","type":"string","description":"The traffic source of a request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["60802B04-BD2C-455E-B18D-ABCE28675B11"]}},{"id":"ACSEmailStatusUpdateOperational","name":"ACSEmailStatusUpdateOperational","tableType":"Microsoft","description":"Email Communication Services logs for message and recipient delivery status update operations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"Location","type":"string","description":"The location the request was 
processed."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"Category","type":"string","description":"The log category of the event. Logs with the same log category and resource type will have the same properties fields."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. This value is populated with the MessageID returned by Email send requests and can be used to identify correlated events between Email Operational tables."},{"name":"RecipientId","type":"string","description":"The email address of the recipient who received the message."},{"name":"DeliveryStatus","type":"string","description":"The terminal status of a message. If the recipientId is null, this value represents whether or not the Azure Communication Email Service was able to deliver the message to email providers. If the recipientId is present, this will be the per-recipient status. There should be one event for each recipient."},{"name":"SmtpStatusCode","type":"string","description":"The SMTP status code returned from the recipient email server in response to a send mail request."},{"name":"EnhancedSmtpStatusCode","type":"string","description":"The enhanced SMTP status code returned from the recipient email server (if available)."},{"name":"RecipientMailServerHostName","type":"string","description":"The mail server host name of recipient."},{"name":"SenderDomain","type":"string","description":"The domain portion of the SenderAddress used in sending emails."},{"name":"SenderUsername","type":"string","description":"The username portion of the SenderAddress used in sending emails."},{"name":"IsHardBounce","type":"string","description":"Signifies whether a delivery failure was due to a permanent or temporary issue. 
IsHardBounce == true means a permanent mailbox issue preventing emails from being delivered."},{"name":"InternetMessageId","type":"string","description":"The internet message id of the recipient."},{"name":"FailureReason","type":"string","description":"Failure reason for the given SMTP or EnhancedSmtp status code."},{"name":"FailureMessage","type":"string","description":"Verbatim error message for the given SMTP or EnhancedSmtp status code."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["4E309B85-22D3-4D75-96FA-E507BED0DFC4","9E690E1D-16C2-4476-A233-ECD3D3EC3815","44E70EDA-FA17-4B40-BF7A-4CD476525EB4"]}},{"id":"ACSEmailUserEngagementOperational","name":"ACSEmailUserEngagementOperational","tableType":"Microsoft","description":"Email Communication Services logs for message and recipient delivery status update operations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"Location","type":"string","description":"The location the request was processed."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API 
version)."},{"name":"Category","type":"string","description":"The log category of the event. Logs with the same log category and resource type will have the same properties fields."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. This value is populated with the MessageID returned by Email send requests and can be used to identify correlated events between Email Operational tables."},{"name":"InternetMessageId","type":"string","description":"The field corresponds to the Message-ID property of the email based on the RFC2822. It's a unique message identifier that refers to a particular version of a particular message."},{"name":"RecipientId","type":"string","description":"The count of unique recipients on the To line."},{"name":"EngagementType","type":"string","description":"The type of user engagement."},{"name":"EngagementContext","type":"string","description":"The context of the user interaction."},{"name":"UserAgent","type":"string","description":"The user agent string of the client application."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"]}},{"id":"ACSJobRouterIncomingOperations","name":"ACSJobRouterIncomingOperations","tableType":"Microsoft","description":"Communication Services logs of incoming requests to Job Router 
operations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"Level","type":"string","description":"The severity level of the operation."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"URI","type":"string","description":"The URI of the request."},{"name":"ResultType","type":"string","description":"The status of the operation."},{"name":"ResultSignature","type":"string","description":"The sub status of the operation. 
If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call."},{"name":"ResultDescription","type":"string","description":"The static text description of this operation."},{"name":"DurationMs","type":"real","description":"The duration of the operation in milliseconds."},{"name":"CallerIpAddress","type":"string","description":"The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address."},{"name":"SdkType","type":"string","description":"The SDK type used in the request."},{"name":"EntityId","type":"string","description":"The Entity Id for the request."},{"name":"EntityType","type":"string","description":"The Entity Type for the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["894a51a8-1e91-4ac1-b7d8-156894eb06c2","7fb10cd3-ed0f-4a4b-a00c-a039d3e6ccbc","a634f34d-b0b7-4e06-9f63-9323011e23ea","6d965ac8-a8c6-4831-80d3-5c51275100d5","6f1bc254-caa7-4598-a714-d3ec267e2eee"]}},{"id":"ACSOptOutManagementOperations","name":"ACSOptOutManagementOperations","tableType":"Microsoft","description":"Communication Services logs of opt-out operations independently from other SMS services.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the 
log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"Category","type":"string","description":"The log category of the event. Logs with the same log category and resource type will have the same properties fields."},{"name":"ResultType","type":"string","description":"The status of the operation."},{"name":"ResultSignature","type":"string","description":"The sub status of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call."},{"name":"ResultDescription","type":"string","description":"The status text response of the result of this operation."},{"name":"DurationMs","type":"int","description":"The duration of the operation in milliseconds."},{"name":"CallerIpAddress","type":"string","description":"The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address."},{"name":"Level","type":"string","description":"The severity level of the operation."},{"name":"URI","type":"string","description":"The URI of the request."},{"name":"PhoneNumber","type":"string","description":"Represents the phone number or identifier (short code, toll-free number, or long code) used by the application to send or manage SMS messages."},{"name":"SdkType","type":"string","description":"The SDK type being used in the request."},{"name":"PlatformType","type":"string","description":"The platform type being used in the request."},{"name":"Method","type":"string","description":"The method used in the 
request."},{"name":"Country","type":"string","description":"Represent the countries where the SMS messages were sent to or received from."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"]}},{"id":"ACSRoomsIncomingOperations","name":"ACSRoomsIncomingOperations","tableType":"Microsoft","description":"Communication Services logs of incoming requests to rooms operations, with summaries of room object, lifespan, participants and roles count etc.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record. e.g., CreateRoom, PatchRoom, GetRoom, ListRooms, DeleteRoom, GetParticipants, AddParticipants, UpdateParticipants, or RemoveParticipants."},{"name":"CorrelationId","type":"string","description":"The unique ID of the request."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"ResultType","type":"string","description":"The status of the operation."},{"name":"ResultSignature","type":"string","description":"The sub status of the operation. 
If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call."},{"name":"Level","type":"string","description":"The severity level of the operation."},{"name":"RoomId","type":"string","description":"The ID of the room."},{"name":"RoomLifespan","type":"int","description":"The Room lifespan in minutes."},{"name":"RoomParticipantsCount","type":"int","description":"The count of participants in a room."},{"name":"RoomParticipantsConsumer","type":"int","description":"The participants count with consumer role."},{"name":"RoomParticipantsAttendee","type":"int","description":"The participants count with attendee role."},{"name":"RoomParticipantsPresenter","type":"int","description":"The participants count with presenter role."},{"name":"AddedRoomParticipantsCount","type":"int","description":"The count of participants added to a room."},{"name":"UpsertedRoomParticipantsCount","type":"int","description":"The count of participants upserted in a room."},{"name":"RemovedRoomParticipantsCount","type":"int","description":"The count of participants removed in a room."},{"name":"PstnDialOutEnabled","type":"bool","description":"Flag to true if, at the time of the call, dial out to a PSTN number is enabled in a particular room."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["61a39dfb-f069-4639-a650-ef6c292cfc7b","25852cd3-2216-49ad-a492-6778b4854c5c","b061d0cf-21c1-4b76-b890-caf0dd3ce71e"]}},{"id":"ACSSMSIncomingOperations","name":"ACSSMSIncomingOperations","tableType":"Microsoft","description":"Communication Services logs of incoming requests to SMS operations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"OperationVersion","type":"string","description":"The API-version associated with the operation or version of the operation (if there is no API version)."},{"name":"Category","type":"string","description":"The log category of the event. Logs with the same log category and resource type will have the same properties fields."},{"name":"ResultType","type":"string","description":"The status of the operation."},{"name":"ResultSignature","type":"string","description":"The sub status of the operation. 
If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call."},{"name":"ResultDescription","type":"string","description":"The status text response of the result of this operation."},{"name":"DurationMs","type":"int","description":"The duration of the operation in milliseconds."},{"name":"CallerIpAddress","type":"string","description":"The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address."},{"name":"Level","type":"string","description":"The severity level of the operation."},{"name":"URI","type":"string","description":"The URI of the request."},{"name":"OutgoingMessageLength","type":"int","description":"The number of characters in the outgoing message."},{"name":"IncomingMessageLength","type":"int","description":"The number of characters in the incoming message."},{"name":"DeliveryAttempts","type":"int","description":"The number of attempts made to deliver this message."},{"name":"PhoneNumber","type":"string","description":"The number used for sending or receiving the SMS message (e.g. +18445791704)"},{"name":"NumberType","type":"string","description":"The type of number used for sending or receiving the SMS message (e.g. LongCodeNumber)"},{"name":"SdkType","type":"string","description":"The SDK type being used in the request."},{"name":"PlatformType","type":"string","description":"The platform type being used in the request."},{"name":"Method","type":"string","description":"The method used in the request."},{"name":"MessageId","type":"string","description":"The identifier of the outgoing Sms message. 
Only present if message processed."},{"name":"Country","type":"string","description":"The recipient country."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.communication/communicationservices"],"solutions":["LogManagement"],"queries":["2e541dc6-bf82-4fcc-9e57-1faedbbfa48a","c0e3ac32-7bc7-45b0-bbd1-4f2ab8abc70e","f3712c70-6f28-4cb2-9ff1-ba35854115a2","66ffdd36-8574-4622-b269-d4965e5d8b1d","28e284cb-faf4-4577-92a6-1fa73eed18bc"]}},{"id":"ADAssessmentRecommendation","name":"ADAssessmentRecommendation","tableType":"Microsoft","description":"Recommendations generated by AD assessments that are started through a scheduled task. 
When you schedule the assessment, it runs every 7 days by default and uploads the data to Azure Log Analytics","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"OpsManager","isPreferredFacet":true},{"name":"AssessmentId","type":"string","description":"ID of the assessment","isPreferredFacet":true},{"name":"RecommendationId","type":"string","description":"ID of the recommendation generated","isPreferredFacet":true},{"name":"Recommendation","type":"string","description":"Generated recommendation","isPreferredFacet":true},{"name":"Description","type":"string","description":"Description of the recommendation"},{"name":"RecommendationResult","type":"string","description":"Result of the recommendation generated","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"FocusAreaId","type":"string","description":"ID of the Focus Area","isPreferredFacet":true},{"name":"FocusArea","type":"string","description":"Area to focus on","isPreferredFacet":true},{"name":"ActionAreaId","type":"string","description":"ID generated for Action Area","isPreferredFacet":true},{"name":"ActionArea","type":"string","description":"The segment in which action is to be performed","isPreferredFacet":true},{"name":"RecommendationWeight","type":"real","description":"Weight of recommendation"},{"name":"Computer","type":"string","description":"The machine from which data is uploaded","isPreferredFacet":true},{"name":"AffectedObjectType","type":"string","description":"Type of object which is affected","isPreferredFacet":true},{"name":"AffectedObjectName","type":"string","description":"Name of the affected object","isPreferredFacet":true},{"name":"Forest","type":"string","isPreferredFacet":true},{"name":"Domain","type":"string","description":"Domain of the 
system","isPreferredFacet":true},{"name":"DomainController","type":"string","isPreferredFacet":true},{"name":"Technology","type":"string"},{"name":"CustomData","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["workloads"],"solutions":["ADAssessment","ADAssessmentPlus","AzureResources"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines"]}},{"id":"ADFActivityRun","name":"ADFActivityRun","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"TimeGenerated","type":"datetime"},{"name":"ResourceId","type":"string"},{"name":"OperationName","type":"string"},{"name":"Category","type":"string"},{"name":"CorrelationId","type":"string"},{"name":"Level","type":"string"},{"name":"Location","type":"string"},{"name":"Tags","type":"string"},{"name":"Status","type":"string"},{"name":"UserProperties","type":"string"},{"name":"Annotations","type":"string"},{"name":"EventMessage","type":"string"},{"name":"Start","type":"datetime"},{"name":"ActivityName","type":"string"},{"name":"ActivityRunId","type":"string"},{"name":"PipelineRunId","type":"string"},{"name":"EffectiveIntegrationRuntime","type":"string"},{"name":"ActivityType","type":"string"},{"name":"ActivityIterationCount","type":"int"},{"name":"LinkedServiceName","type":"string"},{"name":"End","type":"datetime"},{"name":"FailureType","type":"string"},{"name":"PipelineName","type":"string"},{"na
me":"Input","type":"string"},{"name":"Output","type":"string"},{"name":"ErrorCode","type":"string"},{"name":"ErrorMessage","type":"string"},{"name":"Error","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"ADFAirflowSchedulerLogs","name":"ADFAirflowSchedulerLogs","tableType":"Microsoft","description":"ADF Airflow scheduler logs","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log."},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The correlation id of the event.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The category of the log that belongs to Airflow application.","isPreferredFacet":true},{"name":"DataFactoryName","type":"string","description":"The name of the Data factory.","isPreferredFacet":true},{"name":"IntegrationRuntimeName","type":"string","description":"The name of the Integration runtime.","isPreferredFacet":true},{"name":"Message","type":"string","description":"The application log of the Airflow event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique 
identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"]}},{"id":"ADFAirflowTaskLogs","name":"ADFAirflowTaskLogs","tableType":"Microsoft","description":"ADF Airflow task logs","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log."},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The category of the log that belongs to Airflow application.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The correlation id of the event.","isPreferredFacet":true},{"name":"DataFactoryName","type":"string","description":"The name of the Data factory.","isPreferredFacet":true},{"name":"IntegrationRuntimeName","type":"string","description":"The name of the Integration runtime.","isPreferredFacet":true},{"name":"DagId","type":"string","description":"The dag ID of the Airflow task run.","isPreferredFacet":true},{"name":"TaskId","type":"string","description":"The task ID of the Airflow task run.","isPreferredFacet":true},{"name":"Message","type":"string","description":"The application log of the Airflow event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"solutions":["LogManagement"]}},{"id":"ADFAirflowWebLogs","name":"ADFAirflowWebLogs","tableType":"Microsoft","description":"ADF Airflow web logs","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log."},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The category of the log that belongs to Airflow application.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The correlation id of the event.","isPreferredFacet":true},{"name":"DataFactoryName","type":"string","description":"The name of the Data factory.","isPreferredFacet":true},{"name":"IntegrationRuntimeName","type":"string","description":"The name of the Integration runtime.","isPreferredFacet":true},{"name":"Message","type":"string","description":"The application log of the Airflow event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"]}},{"id":"ADFAirflowWorkerLogs","name":"ADFAirflowWorkerLogs","tableType":"Microsoft","description":"ADF Airflow worker logs","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log."},{"name":"OperationName","type":"string","description":"The name of the operation represented by this 
event.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The category of the log that belongs to Airflow application.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The correlation id of the event.","isPreferredFacet":true},{"name":"DataFactoryName","type":"string","description":"The name of the Data factory.","isPreferredFacet":true},{"name":"IntegrationRuntimeName","type":"string","description":"The name of the Integration runtime.","isPreferredFacet":true},{"name":"Message","type":"string","description":"The application log of the Airflow event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"solutions":["LogManagement"]}},{"id":"ADFPipelineRun","name":"ADFPipelineRun","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"TimeGenerated","type":"datetime"},{"name":"ResourceId","type":"string"},{"name":"OperationName","type":"string"},{"name":"Category","type":"string"},{"name":"CorrelationId","type":"string"},{"name":"Level","type":"string"},{"name":"Location","type":"string"},{"name":"Tags","type":"string"},{"name":"Status","type":"string"},{"name":"UserProperties","type":"string"},{"name":"Input","type":"string"},{"name":"Output","type":"string"},{"name":"ErrorCode","type":"string"},{"name":"ErrorMessage","type":"string"},{"name":"Annotations","type":"string"},{"name":"EventMessage","type":"string"},{"name":"Start","type":"datetime"},{"name":"End","type":"datetime"},{"name":"FailureType","type":"string"},{"name":"PipelineName","type":"string"},{"name":"RunId","type":"string"},{"name":"Predecessors","type":"string"},{"name":"Parameters","type":"string"},{"name":"SystemParameters","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"ADFSSISIntegrationRuntimeLogs","name":"ADFSSISIntegrationRuntimeLogs","tableType":"Microsoft","description":"ADF SSIS integration runtime 
logs","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log"},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event","isPreferredFacet":true},{"name":"Category","type":"string","description":"The log category this event belongs to","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"correlation id","isPreferredFacet":true},{"name":"DataFactoryName","type":"string","description":"Data factory name","isPreferredFacet":true},{"name":"IntegrationRuntimeName","type":"string","description":"Integration runtime name","isPreferredFacet":true},{"name":"Level","type":"string","description":"Verbosity level of log","isPreferredFacet":true},{"name":"ResultType","type":"string","description":"Status of the log","isPreferredFacet":true},{"name":"Message","type":"string","description":"Event message"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"ADFSSISPackageEventMessageContext","name":"ADFSSISPackageEventMessageContext","tableType":"Microsoft","description":"ADF SSIS package execution event message context","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log"},{"name":"OperationName","type":"string","description":"The name of the 
operation represented by this event","isPreferredFacet":true},{"name":"Category","type":"string","description":"The name of the log that belongs to","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"correlation id","isPreferredFacet":true},{"name":"DataFactoryName","type":"string","description":"Data factory name","isPreferredFacet":true},{"name":"IntegrationRuntimeName","type":"string","description":"Integration runtime name","isPreferredFacet":true},{"name":"Level","type":"string","description":"Verbosity level of log","isPreferredFacet":true},{"name":"OperationId","type":"long","description":"Operation id","isPreferredFacet":true},{"name":"ContextDepth","type":"int","description":"Context depth"},{"name":"PackagePath","type":"string","description":"Package path"},{"name":"ContextType","type":"int","description":"Context type"},{"name":"ContextSourceName","type":"string","description":"Context source name"},{"name":"ContextSourceId","type":"string","description":"Context source Id"},{"name":"PropertyName","type":"string","description":"Property name"},{"name":"PropertyValue","type":"dynamic","description":"Property value"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"ADFSSISPackageEventMessages","name":"ADFSSISPackageEventMessages","tableType":"Microsoft","description":"ADF SSIS package execution event 
messages","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log"},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event","isPreferredFacet":true},{"name":"Category","type":"string","description":"The name of the log that belongs to","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"correlation id","isPreferredFacet":true},{"name":"DataFactoryName","type":"string","description":"Data factory name","isPreferredFacet":true},{"name":"IntegrationRuntimeName","type":"string","description":"Integration runtime name","isPreferredFacet":true},{"name":"Level","type":"string","description":"Verbosity level of log","isPreferredFacet":true},{"name":"OperationId","type":"long","description":"Operation id","isPreferredFacet":true},{"name":"MessageTime","type":"datetime","description":"Message time"},{"name":"MessageType","type":"int","description":"Message type","isPreferredFacet":true},{"name":"MessageSourceType","type":"int","description":"Message source type","isPreferredFacet":true},{"name":"Message","type":"string","description":"Event message"},{"name":"ExtendedInfoId","type":"long","description":"Extended info id"},{"name":"PackageName","type":"string","description":"Package name","isPreferredFacet":true},{"name":"EventName","type":"string","description":"Event name","isPreferredFacet":true},{"name":"MessageSourceName","type":"string","description":"Message source name","isPreferredFacet":true},{"name":"MessageSourceId","type":"string","description":"Message source id","isPreferredFacet":true},{"name":"SubcomponentName","type":"string","description":"Subcomponent name","isPreferredFacet":true},{"name":"PackagePath","type":"string","description":"Package path"},{"name":"ExecutionPath","type":"string","description":"Execution 
path"},{"name":"ThreadId","type":"int","description":"Thread id","isPreferredFacet":true},{"name":"MessageCode","type":"int","description":"Message code"},{"name":"EventMessageGuid","type":"string","description":"Event message guid"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"ADFSSISPackageExecutableStatistics","name":"ADFSSISPackageExecutableStatistics","tableType":"Microsoft","description":"ADF SSIS package execution executable statistics","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log"},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event","isPreferredFacet":true},{"name":"Category","type":"string","description":"The name of the log that belongs to","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"correlation id","isPreferredFacet":true},{"name":"DataFactoryName","type":"string","description":"Data factory name","isPreferredFacet":true},{"name":"IntegrationRuntimeName","type":"string","description":"Integration runtime name","isPreferredFacet":true},{"name":"Level","type":"string","description":"Verbosity level of log","isPreferredFacet":true},{"name":"ExecutionId","type":"long","description":"Execution id","isPreferredFacet":true},{"name":"ExecutionPath","type":"string","description":"Execution 
path"},{"name":"StartTime","type":"datetime","description":"Executable start time"},{"name":"EndTime","type":"datetime","description":"Executable end time"},{"name":"ExecutionDuration","type":"int","description":"Executable execution duration"},{"name":"ExecutionResult","type":"int","description":"Execution result"},{"name":"ExecutionValue","type":"dynamic","description":"Execution value"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"ADFSSISPackageExecutionComponentPhases","name":"ADFSSISPackageExecutionComponentPhases","tableType":"Microsoft","description":"ADF SSIS package execution component phases","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log"},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event","isPreferredFacet":true},{"name":"Category","type":"string","description":"The name of the log that belongs to","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"correlation id","isPreferredFacet":true},{"name":"DataFactoryName","type":"string","description":"Data factory name","isPreferredFacet":true},{"name":"IntegrationRuntimeName","type":"string","description":"Integration runtime name","isPreferredFacet":true},{"name":"Level","type":"string","description":"Verbosity level of 
log","isPreferredFacet":true},{"name":"ExecutionId","type":"long","description":"Execution id","isPreferredFacet":true},{"name":"PackageName","type":"string","description":"Package name","isPreferredFacet":true},{"name":"TaskName","type":"string","description":"Task name"},{"name":"SubcomponentName","type":"string","description":"Subcomponent name"},{"name":"Phase","type":"string","description":"Phase"},{"name":"StartTime","type":"datetime","description":"Start time"},{"name":"EndTime","type":"datetime","description":"End time"},{"name":"ExecutionPath","type":"string","description":"Execution path"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"ADFSSISPackageExecutionDataStatistics","name":"ADFSSISPackageExecutionDataStatistics","tableType":"Microsoft","description":"ADF SSIS package execution data statistics","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log"},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event","isPreferredFacet":true},{"name":"Category","type":"string","description":"The name of the log that belongs to","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"correlation id","isPreferredFacet":true},{"name":"DataFactoryName","type":"string","description":"Data factory 
name","isPreferredFacet":true},{"name":"IntegrationRuntimeName","type":"string","description":"Integration runtime name","isPreferredFacet":true},{"name":"Level","type":"string","description":"Verbosity level of log","isPreferredFacet":true},{"name":"ExecutionId","type":"long","description":"Execution id","isPreferredFacet":true},{"name":"PackageName","type":"string","description":"Package name","isPreferredFacet":true},{"name":"TaskName","type":"string","description":"Task name"},{"name":"DataflowPathIdString","type":"string","description":"Dataflow path Id string"},{"name":"DataflowPathName","type":"string","description":"Dataflow path name"},{"name":"SourceComponentName","type":"string","description":"Source component name"},{"name":"DestinationComponentName","type":"string","description":"Destination component name"},{"name":"RowsSent","type":"long","description":"Rows sent"},{"name":"CreatedTime","type":"datetime","description":"Created time"},{"name":"ExecutionPath","type":"string","description":"Execution path"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"ADFSSignInLogs","name":"ADFSSignInLogs","tableType":"Microsoft","description":"Logs generated by Active Directory Federation Services.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string","description":"Details of source system of the object being 
provisioned"},{"name":"TimeGenerated","type":"datetime","description":"The date and time of the event in UTC"},{"name":"OperationName","type":"string","description":"For sign-ins, this value is always Sign-in activity"},{"name":"OperationVersion","type":"string","description":"The REST API version that's requested by the client"},{"name":"Category","type":"string","description":"Category of the sign-in event"},{"name":"ResultType","type":"string","description":"The result of the sign-in operation; can be Success or Failure"},{"name":"ResultSignature","type":"string","description":"Contains the error code, if any, for the sign-in operation"},{"name":"ResultDescription","type":"string","description":"Provides the error description for the sign-in operation"},{"name":"DurationMs","type":"long","description":"The duration of the operation in milliseconds"},{"name":"CorrelationId","type":"string","description":"ID to provide sign-in trail"},{"name":"ResourceGroup","type":"string","description":"Resource group for the logs"},{"name":"Identity","type":"string","description":"The identity from the token that was presented when you made the request. It can be a user account, system account, or service principal"},{"name":"Level","type":"string","description":"The severity level of the event"},{"name":"Location","type":"string","description":"The region of the resource emitting the event"},{"name":"AlternateSignInName","type":"string","description":"Provides the on-premises UPN of the user signing into Azure AD, e.g. 
Phone number sign-in"},{"name":"AppDisplayName","type":"string","description":"The string name of the OAuth client in the request displayed in the Azure Portal"},{"name":"AppId","type":"string","description":"A unique ID of the Oauth Client ID in the request"},{"name":"AuthenticationDetails","type":"string","description":"A record of each step of authentication undertaken in the sign-in"},{"name":"AuthenticationProcessingDetails","type":"string","description":"Provides the details associated with authentication processor"},{"name":"AuthenticationRequirement","type":"string","description":"Type of authentication required for the sign-in. If set to multiFactorAuthentication, an MFA step was required. If set to singleFactorAuthentication, no MFA was required"},{"name":"AuthenticationRequirementPolicies","type":"string","description":"Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user"},{"name":"ConditionalAccessPolicies","type":"string","description":"Details of the conditional access policies being applied for the sign-in"},{"name":"ConditionalAccessStatus","type":"string","description":"Status of all the conditionalAccess policies related to the sign-in"},{"name":"CreatedDateTime","type":"datetime","description":"Datetime of the sign-in activity"},{"name":"DeviceDetail","type":"string","description":"Details of the device used for the sign-in"},{"name":"IsInteractive","type":"bool","description":"Indicates if a sign-in is interactive or not"},{"name":"Id","type":"string","description":"Unique ID representing the sign-in activity"},{"name":"IPAddress","type":"string","description":"IP address of the client used to sign in"},{"name":"NetworkLocationDetails","type":"string","description":"Provides the details associated with authentication processor"},{"name":"OriginalRequestId","type":"string","description":"The request id of the first request in the authentication 
sequence"},{"name":"ProcessingTimeInMs","type":"string","description":"Request processing time in milliseconds in AD STS"},{"name":"ResourceDisplayName","type":"string","description":"The string name of the application the user signed into displayed in the Azure Portal"},{"name":"ResourceIdentity","type":"string","description":"The unique application ID of the resource the user signed into in the request"},{"name":"ResourceTenantId","type":"string","description":"The resource tenant ID for cross-tenant scenarios"},{"name":"Requirement","type":"string","description":"Whether the authentication is a primary or secondary authentication. May be unset."},{"name":"Status","type":"string","description":"Details of the sign-in status"},{"name":"TokenIssuerName","type":"string","description":"Name of the identity provider (e.g. sts.microsoft.com)"},{"name":"TokenIssuerType","type":"string","description":"Type of identity provider (Azure AD, AD Federation Services)"},{"name":"UniqueTokenIdentifier","type":"string","description":"Unique token identifier for the request"},{"name":"UserAgent","type":"string","description":"User Agent for the sign-in"},{"name":"UserDisplayName","type":"string","description":"Display name of the user that initiated the sign-in"},{"name":"UserId","type":"string","description":"ID of the user that initiated the sign-in"},{"name":"UserPrincipalName","type":"string","description":"User principal name of the user that initiated the sign-in"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["audit","security"],"solutions":["LogManagement"],"queries":["9e1062d5-b526-42d0-9d46-80ec8604da4d"]}},{"id":"ADFSandboxActivityRun","name":"ADFSandboxActivityRun","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"TimeGenerated","type":"datetime"},{"name":"ResourceId","type":"string"},{"name":"OperationName","type":"string"},{"name":"Category","type":"string"},{"name":"CorrelationId","type":"string"},{"name":"Level","type":"string"},{"name":"Location","type":"string"},{"name":"Tags","type":"string"},{"name":"Status","type":"string"},{"name":"UserProperties","type":"string"},{"name":"Annotations","type":"string"},{"name":"EventMessage","type":"string"},{"name":"Start","type":"datetime"},{"name":"ActivityName","type":"string"},{"name":"ActivityRunId","type":"string"},{"name":"PipelineRunId","type":"string"},{"name":"EffectiveIntegrationRuntime","type":"string"},{"name":"ActivityType","type":"string"},{"name":"ActivityIterationCount","type":"int"},{"name":"LinkedServiceName","type":"string"},{"name":"End","type":"datetime"},{"name":"FailureType","type":"string"},{"name":"PipelineName","type":"string"},{"name":"Input","type":"string"},{"name":"Output","type":"string"},{"name":"ErrorCode","type":"string"},{"name":"ErrorMessage","type":"string"},{"name":"Error","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"ADFSandboxPipelineRun","name":"ADFSandboxPipelineRun","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"TimeGenerated","type":"datetime"},{"name":"ResourceId","type":"string"},{"name":"OperationName","type":"string"},{"name":"Category","type":"string"},{"name":"CorrelationId","type":"string"},{"name":"Level","type":"string"},{"name":"Location","type":"string"},{"name":"Tags","type":"string"},{"name":"Status","type":"string"},{"name":"UserProperties","type":"string"},{"name":"Input","type":"string"},{"name":"Output","type":"string"},{"name":"ErrorCode","type":"string"},{"name":"ErrorMessage","type":"string"},{"name":"Annotations","type":"string"},{"name":"EventMessage","type":"string"},{"name":"Start","type":"datetime"},{"name":"End","type":"datetime"},{"name":"FailureType","type":"string"},{"name":"PipelineName","type":"string"},{"name":"RunId","type":"string"},{"name":"Predecessors","type":"string"},{"name":"Parameters","type":"string"},{"name":"SystemParameters","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"ADFTriggerRun","name":"ADFTriggerRun","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"TimeGenerated","type":"datetime"},{"name":"ResourceId","type":"string"},{"name":"OperationName","type":"string"},{"name":"Category","type":"string"},{"name":"CorrelationId","type":"string"},{"name":"Level","type":"string"},{"name":"Location","type":"string"},{"name":"Tags","type":"string"},{"name":"Status","type":"string"},{"name":"UserProperties","type":"string"},{"name":"Input","type":"string"},{"name":"Output","type":"string"},{"name":"ErrorCode","type":"string"},{"name":"ErrorMessage","type":"string"},{"name":"Annotations","type":"string"},{"name":"EventMessage","type":"string"},{"name":"Start","type":"datetime"},{"name":"TriggerId","type":"string"},{"name":"TriggerName","type":"string"},{"name":"TriggerType","type":"string"},{"name":"TriggerEvent","type":"string"},{"name":"TriggerFailureType","type":"string"},{"name":"Parameters","type":"string"},{"name":"SystemParameters","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.datafactory/factories"]}},{"id":"ADGSyslogEvent","name":"ADGSyslogEvent","tableType":"Microsoft","description":"This table has syslog event 
records.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the syslog event was generated."},{"name":"NVAResourceId","type":"string","description":"Azure resource ID of the NVA that generated the syslog event."},{"name":"OperationName","type":"string","description":"The specific operation that emitted this syslog event record."},{"name":"NVARegion","type":"string","description":"Azure region of the NVA that generated the syslog event."},{"name":"Msg","type":"string","description":"The syslog message content."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.network/networkvirtualappliances"],"solutions":["LogManagement"],"queries":["30acf699-84cb-4c65-ad46-b2ad151ebc55"]}},{"id":"ADReplicationResult","name":"ADReplicationResult","tableType":"Microsoft","description":"The AD Replication Status solution regularly monitors your Active Directory environment for any replication failures.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"LastSyncResult","type":"int","description":"Last Replication Sync Success / Failure Code","isPreferredFacet":true},{"name":"LastSyncMessage","type":"string","description":"Last Replication Sync Message"},{"name":"SourceServer","type":"string","description":"Source Server 
Name","isPreferredFacet":true},{"name":"DestinationServer","type":"string","description":"AD Replication Destination Server","isPreferredFacet":true},{"name":"PartitionName","type":"string","description":"Partition Name","isPreferredFacet":true},{"name":"LastAttemptedSync","type":"datetime","description":"Last Attempted Replication DateTime"},{"name":"LastSuccessfulSync","type":"datetime","description":"Last Successful DateTime"},{"name":"ConsecutiveFailures","type":"int","description":"Number of consecutive replication failures between two Domain Controllers"},{"name":"HelpLink","type":"string","description":"Help Link for more information"},{"name":"TombstoneLifetime","type":"string","description":"Length of time a deleted object persisted in the database"},{"name":"PercentOfTSL","type":"real","description":"Percentage of Tombstone Lifecycle"},{"name":"IsSourceGC","type":"bool","description":"Is Source Global Catalog"},{"name":"IsDestinationGC","type":"bool","description":"Is Destination Global Catalog"},{"name":"SourceSiteName","type":"string","description":"Source Site Name"},{"name":"DestinationSiteName","type":"string","description":"AD Replication Destination Site Name"},{"name":"ReplicationNeighborOption","type":"string"},{"name":"SourceInvocationId","type":"string","description":"Unique Id assigned to a Domain Controller"},{"name":"AssessmentId","type":"string","description":"Unique Guid corresponding to each run","isPreferredFacet":true},{"name":"SourceSystem","type":"string","description":"Source of the Output","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Computer Name where the solution ran","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["workloads"],"solutions":["ADReplication","AzureResources"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.connectedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines"]}},{"id":"ADSecurityAssessmentRecommendation","name":"ADSecurityAssessmentRecommendation","tableType":"Microsoft","description":"Recommendations generated by AD Security assessments that are started through a scheduled task. When you schedule the assessment, it runs every 7 days by default and uploads the data into Azure Log Analytics","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"AssessmentId","type":"string","isPreferredFacet":true},{"name":"RecommendationId","type":"string","isPreferredFacet":true},{"name":"Recommendation","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"RecommendationResult","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime"},{"name":"FocusAreaId","type":"string","isPreferredFacet":true},{"name":"FocusArea","type":"string","isPreferredFacet":true},{"name":"ActionAreaId","type":"string","isPreferredFacet":true},{"name":"ActionArea","type":"string","isPreferredFacet":true},{"name":"RecommendationWeight","type":"real"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"AffectedObjectType","type":"string","isPreferredFacet":true},{"name":"AffectedObjectName","type":"string","isPreferredFacet":true},{"name":"Forest","type":"string"},{"name":"Domain","type":"string","isPreferredFacet":true},{"name":"DNSZone","type":"string"},{"name":"DomainController","type":"string","isPreferredFacet":true},{"name":"Site","type":"string"},{"name":"GroupPolicyObject","type":"string"},{"name
":"NamingContext","type":"string"},{"name":"DNSServer","type":"string","isPreferredFacet":true},{"name":"Technology","type":"string"},{"name":"CustomData","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["ADSecurityAssessment","AzureResources"]}},{"id":"ADTDataHistoryOperation","name":"ADTDataHistoryOperation","tableType":"Microsoft","description":"This table tracks all data history events being published to time series database connections.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with the log record."},{"name":"OperationVersion","type":"string","description":"The API version utilized during the event."},{"name":"ResultType","type":"string","description":"Result of the event. For example: Success, Failure, ClientFailure, etc."},{"name":"ResultSignature","type":"int","description":"Http status code of the event (if applicable)."},{"name":"ResultDescription","type":"string","description":"Additional details about the event."},{"name":"DurationMs","type":"long","description":"How long it took to perform the event in milliseconds."},{"name":"CallerIpAddress","type":"string","description":"A masked source IP address for the event."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. 
Can be used to identify correlated events between multiple tables."},{"name":"ApplicationId","type":"string","description":"Application ID used in bearer authorization."},{"name":"Level","type":"int","description":"The logging severity of the event."},{"name":"Region","type":"string","description":"Azure region in which the Digital Twins instance is located."},{"name":"RequestUri","type":"string","description":"The time series database connection's eventhub endpoint."},{"name":"TraceId","type":"string","description":"TraceId as part of W3C's trace context. The ID of the whole trace used to uniquely identify a distributed trace across systems."},{"name":"SpanId","type":"string","description":"SpanId as part of W3C's trace context. The ID of this request in the trace."},{"name":"ParentId","type":"string","description":"ParentId as part of W3C's trace context. A request without a parent id is the root of the trace."},{"name":"TraceFlags","type":"string","description":"TraceFlags as part of W3C's trace context. Controls tracing flags such as sampling, trace level, etc."},{"name":"TraceState","type":"string","description":"TraceState as part of W3C's trace context. 
Additional vendor-specific trace identification information to span across different distributed tracing systems."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"],"solutions":["LogManagement"],"queries":["bc4366ef-b269-43f2-aad7-4919e5defdfb","5fdb334b-28ad-411e-8679-e9ef7f40ad1f"]}},{"id":"ADTDigitalTwinsOperation","name":"ADTDigitalTwinsOperation","tableType":"Microsoft","description":"Schema for Azure Digital Twins' Digital Twin operations. The Digital Twins Operation category tracks all customer requests to manage a digital twin, including CRUD on Twins and Relationships.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time that this event occurred, in UTC"},{"name":"Category","type":"string","description":"The type of resource being emitted"},{"name":"OperationName","type":"string","description":"The type of action being performed during the event"},{"name":"OperationVersion","type":"string","description":"The API Version utilized during the event"},{"name":"ResultType","type":"string","description":"Outcome of the event"},{"name":"ResultSignature","type":"string","description":"Http status code of the event (if applicable)"},{"name":"ResultDescription","type":"string","description":"Additional details about the event"},{"name":"DurationMs","type":"string","description":"How long it took to perform the event in 
milliseconds"},{"name":"CallerIpAddress","type":"string","description":"A masked source IP address for the event"},{"name":"CorrelationId","type":"string","description":"Customer provided unique identifier for the event"},{"name":"ApplicationId","type":"string","description":"Application ID used in bearer authorization"},{"name":"Level","type":"string","description":"The logging severity of the event"},{"name":"Location","type":"string","description":"Azure region in which the Digital Twins instance is located"},{"name":"RequestUri","type":"string","description":"The endpoint utilized during the event","isPreferredFacet":true},{"name":"TraceId","type":"string","description":"TraceId as part of W3C's Trace Context. The ID of the whole trace used to uniquely identify a distributed trace across systems"},{"name":"SpanId","type":"string","description":"SpanId as part of W3C's Trace Context. The ID of this request in the trace"},{"name":"ParentId","type":"string","description":"ParentId as part of W3C's Trace Context. A request without a parent id is the root of the trace"},{"name":"TraceFlags","type":"string","description":"TraceFlags as part of W3C's Trace Context. Controls tracing flags such as sampling, trace level, etc."},{"name":"TraceState","type":"string","description":"TraceState as part of W3C's Trace Context. 
Additional vendor-specific trace identification information to span across different distributed tracing systems"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"]}},{"id":"ADTEventRoutesOperation","name":"ADTEventRoutesOperation","tableType":"Microsoft","description":"Schema for Azure Digital Twins' Event Routes operations. The Event Routes Operation category tracks all events being published to endpoints, which are other Azure services.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time that this event occurred, in UTC"},{"name":"Category","type":"string","description":"The type of resource being emitted"},{"name":"OperationName","type":"string","description":"The type of action being performed during the event"},{"name":"OperationVersion","type":"string","description":"The API Version utilized during the event"},{"name":"ResultType","type":"string","description":"Outcome of the event"},{"name":"ResultSignature","type":"string","description":"Http status code of the event (if applicable)"},{"name":"ResultDescription","type":"string","description":"Additional details about the event"},{"name":"DurationMs","type":"string","description":"How long it took to perform the event in milliseconds"},{"name":"CallerIpAddress","type":"string","description":"A masked source IP address for the 
event"},{"name":"CorrelationId","type":"string","description":"Customer provided unique identifier for the event"},{"name":"ApplicationId","type":"string","description":"Application ID used in bearer authorization"},{"name":"Level","type":"string","description":"The logging severity of the event"},{"name":"Location","type":"string","description":"Azure region in which the Digital Twins instance is located"},{"name":"RequestUri","type":"string","description":"The endpoint utilized during the event","isPreferredFacet":true},{"name":"TraceId","type":"string","description":"TraceId as part of W3C's Trace Context. The ID of the whole trace used to uniquely identify a distributed trace across systems"},{"name":"SpanId","type":"string","description":"SpanId as part of W3C's Trace Context. The ID of this request in the trace"},{"name":"ParentId","type":"string","description":"ParentId as part of W3C's Trace Context. A request without a parent id is the root of the trace"},{"name":"TraceFlags","type":"string","description":"TraceFlags as part of W3C's Trace Context. Controls tracing flags such as sampling, trace level, etc."},{"name":"TraceState","type":"string","description":"TraceState as part of W3C's Trace Context. 
Additional vendor-specific trace identification information to span across different distributed tracing systems"},{"name":"EndpointName","type":"string","description":"The name of egress endpoint created in Azure Digital Twins"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"]}},{"id":"ADTModelsOperation","name":"ADTModelsOperation","tableType":"Microsoft","description":"Schema for Azure Digital Twins' Models operations. The Models Operation category tracks all customer requests to manage models in a digital twins instance.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time that this event occurred, in UTC"},{"name":"Category","type":"string","description":"The type of resource being emitted"},{"name":"OperationName","type":"string","description":"The type of action being performed during the event"},{"name":"OperationVersion","type":"string","description":"The API Version utilized during the event"},{"name":"ResultType","type":"string","description":"Outcome of the event"},{"name":"ResultSignature","type":"string","description":"Http status code of the event (if applicable)"},{"name":"ResultDescription","type":"string","description":"Additional details about the event"},{"name":"DurationMs","type":"string","description":"How long it took to perform the event in 
milliseconds"},{"name":"CallerIpAddress","type":"string","description":"A masked source IP address for the event"},{"name":"CorrelationId","type":"string","description":"Customer provided unique identifier for the event"},{"name":"ApplicationId","type":"string","description":"Application ID used in bearer authorization"},{"name":"Level","type":"string","description":"The logging severity of the event"},{"name":"Location","type":"string","description":"Azure region in which the Digital Twins instance is located"},{"name":"RequestUri","type":"string","description":"The endpoint utilized during the event","isPreferredFacet":true},{"name":"TraceId","type":"string","description":"TraceId as part of W3C's Trace Context. The ID of the whole trace used to uniquely identify a distributed trace across systems"},{"name":"SpanId","type":"string","description":"SpanId as part of W3C's Trace Context. The ID of this request in the trace"},{"name":"ParentId","type":"string","description":"ParentId as part of W3C's Trace Context. A request without a parent id is the root of the trace"},{"name":"TraceFlags","type":"string","description":"TraceFlags as part of W3C's Trace Context. Controls tracing flags such as sampling, trace level, etc."},{"name":"TraceState","type":"string","description":"TraceState as part of W3C's Trace Context. 
Additional vendor-specific trace identification information to span across different distributed tracing systems"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"]}},{"id":"ADTQueryOperation","name":"ADTQueryOperation","tableType":"Microsoft","description":"Schema for Azure Digital Twins' Query operations. The Query Operation category tracks all customer requests to query their digital twins instance.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time that this event occurred, in UTC"},{"name":"Category","type":"string","description":"The type of resource being emitted"},{"name":"OperationName","type":"string","description":"The type of action being performed during the event"},{"name":"OperationVersion","type":"string","description":"The API Version utilized during the event"},{"name":"ResultType","type":"string","description":"Outcome of the event"},{"name":"ResultSignature","type":"string","description":"Http status code of the event (if applicable)"},{"name":"ResultDescription","type":"string","description":"Additional details about the event"},{"name":"DurationMs","type":"string","description":"How long it took to perform the event in milliseconds"},{"name":"CallerIpAddress","type":"string","description":"A masked source IP address for the event"},{"name":"CorrelationId","type":"string","description":"Customer 
provided unique identifier for the event"},{"name":"ApplicationId","type":"string","description":"Application ID used in bearer authorization"},{"name":"Level","type":"string","description":"The logging severity of the event"},{"name":"Location","type":"string","description":"Azure region in which the Digital Twins instance is located"},{"name":"RequestUri","type":"string","description":"The endpoint utilized during the event","isPreferredFacet":true},{"name":"TraceId","type":"string","description":"TraceId as part of W3C's Trace Context. The ID of the whole trace used to uniquely identify a distributed trace across systems"},{"name":"SpanId","type":"string","description":"SpanId as part of W3C's Trace Context. The ID of this request in the trace"},{"name":"ParentId","type":"string","description":"ParentId as part of W3C's Trace Context. A request without a parent id is the root of the trace"},{"name":"TraceFlags","type":"string","description":"TraceFlags as part of W3C's Trace Context. Controls tracing flags such as sampling, trace level, etc."},{"name":"TraceState","type":"string","description":"TraceState as part of W3C's Trace Context. 
Additional vendor-specific trace identification information to span across different distributed tracing systems"},{"name":"QueryCharge","type":"real","description":"The QueryCharge for this event in the trace."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.digitaltwins/digitaltwinsinstances"]}},{"id":"ADXCommand","name":"ADXCommand","tableType":"Microsoft","description":"Azure Data Explorer command execution summary.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) at which this event was generated","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of this operation","isPreferredFacet":true},{"name":"Category","type":"string","description":"The category of this log; for these events it will be Command","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The client request ID","isPreferredFacet":true},{"name":"RootActivityId","type":"string","description":"The root activity ID","isPreferredFacet":true},{"name":"StartedOn","type":"datetime","description":"Time (UTC) at which this command started","isPreferredFacet":true},{"name":"LastUpdatedOn","type":"datetime","description":"Time (UTC) at which this command ended","isPreferredFacet":true},{"name":"DatabaseName","type":"string","description":"The name of the database the command ran on"},{"name":"State","type":"string","description":"The 
State the command ended with"},{"name":"FailureReason","type":"string","description":"The failure reason"},{"name":"TotalCPU","type":"string","description":"Total CPU duration"},{"name":"CommandType","type":"string","description":"Command type"},{"name":"ApplicationName","type":"string","description":"The name of the application that invoked the command"},{"name":"ResourceUtilization","type":"dynamic","description":"Command resource utilization"},{"name":"Duration","type":"string","description":"Command duration"},{"name":"User","type":"string","description":"The user that invoked the query"},{"name":"Principal","type":"string","description":"The principal that invoked the query"},{"name":"WorkloadGroup","type":"string","description":"The workload group the command was classified to"},{"name":"Text","type":"string","description":"The text of the invoked command"},{"name":"ClientRequestProperties","type":"dynamic","description":"The client request properties of the command"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"ADXDataOperation","name":"ADXDataOperation","tableType":"Microsoft","description":"Azure Data Explorer data operation summary.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) at which this event was generated","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of this 
operation","isPreferredFacet":true},{"name":"Category","type":"string","description":"The category of this log; for these events it will be DataOperation","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The client request id","isPreferredFacet":true},{"name":"RootActivityId","type":"string","description":"The root activity id","isPreferredFacet":true},{"name":"DatabaseName","type":"string","description":"The name of the database related to this data operation"},{"name":"TableName","type":"string","description":"The name of the table related to this data operation"},{"name":"DataOperationKind","type":"string","description":"The kind of the data operation activity"},{"name":"OriginalSize","type":"long","description":"The original size of data ingested (in bytes)"},{"name":"ExtentSize","type":"long","description":"The size of extents (compressed size + index size) ingested (in bytes)"},{"name":"RowCount","type":"long","description":"The number of rows ingested"},{"name":"ExtentCount","type":"int","description":"The total number of extents ingested on this operation"},{"name":"TotalCPU","type":"string","description":"Total CPU duration"},{"name":"Duration","type":"string","description":"Data operation duration"},{"name":"Principal","type":"string","description":"The principal that invoked the data operation"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"]}},{"id":"ADXIngestionBatching","name":"ADXIngestionBatching","tableType":"Microsoft","description":"Azure Data Explorer ingestion batching operations. 
These logs have detailed statistics of batches ready for ingestion (duration, batch size and blobs count).","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) at which this event was generated","isPreferredFacet":true},{"name":"Database","type":"string","description":"Name of the database holding the target table","isPreferredFacet":true},{"name":"Table","type":"string","description":"Name of the target table into which the data is ingested","isPreferredFacet":true},{"name":"BatchingType","type":"string","description":"Trigger of sealing a batch: whether the batch reached batching time, data size, or number of files limit set by batching policy","isPreferredFacet":true},{"name":"SourceCreationTime","type":"datetime","description":"Minimal time (UTC) at which blobs in this batch were created","isPreferredFacet":true},{"name":"BatchTimeSeconds","type":"real","description":"Total batching time of this batch (seconds)","isPreferredFacet":true},{"name":"BatchSizeBytes","type":"long","description":"Total uncompressed size of data in this batch (bytes)","isPreferredFacet":true},{"name":"DataSourcesInBatch","type":"int","description":"Number of data sources in this batch","isPreferredFacet":true},{"name":"RootActivityId","type":"string","description":"The operation's activity ID","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"solutions":["LogManagement"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"ADXJournal","name":"ADXJournal","tableType":"Microsoft","description":"Azure Data Explorer journal (metadata operations).","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) at which this log was sent to Log Analytics","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The client request ID","isPreferredFacet":true},{"name":"RootActivityId","type":"string","description":"The root activity ID of the operation that caused the metadata change (for example: 1234ab0c-567d-8c9e-0123-456789fg012h)","isPreferredFacet":true},{"name":"Event","type":"string","description":"The metadata change event name","isPreferredFacet":true},{"name":"OperationTimestamp","type":"datetime","description":"The timestamp (UTC) at which the metadata operation completed","isPreferredFacet":true},{"name":"DatabaseName","type":"string","description":"The name of the database changed following the event","isPreferredFacet":true},{"name":"EntityName","type":"string","description":"The entity name that the operation was executed on, before the change","isPreferredFacet":true},{"name":"UpdatedEntityName","type":"string","description":"The new entity name after the change"},{"name":"OriginalEntityVersion","type":"string","description":"The version of the entity (entity properties) before the change","isPreferredFacet":true},{"name":"EntityVersion","type":"string","description":"The new metadata version (DB/cluster) following the change","isPreferredFacet":true},{"name":"EntityContainerName","type":"string","description":"The entity container name (entity=column, container=table), or the database name","isPreferredFacet":true},{"name":"OriginalEntityState","type":"string","description":"The state of the entity (entity properties) before the 
change","isPreferredFacet":true},{"name":"UpdatedEntityState","type":"string","description":"The new state after the change","isPreferredFacet":true},{"name":"ChangeCommand","type":"string","description":"The executed control command that triggered the metadata change","isPreferredFacet":true},{"name":"User","type":"string","description":"The user that executed the control command","isPreferredFacet":true},{"name":"Principal","type":"string","description":"The principal (user/app) that executed the control command","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"ADXQuery","name":"ADXQuery","tableType":"Microsoft","description":"Azure Data Explorer query execution summary.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) at which this event was generated","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of this operation","isPreferredFacet":true},{"name":"Category","type":"string","description":"The category of this log; for these events it will be Query","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The client request ID","isPreferredFacet":true},{"name":"RootActivityId","type":"string","description":"The root activity ID","isPreferredFacet":true},{"name":"StartedOn","type":"datetime","description":"Time (UTC) at which this command 
started","isPreferredFacet":true},{"name":"LastUpdatedOn","type":"datetime","description":"Time (UTC) at which this command ended","isPreferredFacet":true},{"name":"DatabaseName","type":"string","description":"The name of the database that the command ran on","isPreferredFacet":true},{"name":"State","type":"string","description":"The state the command ended with"},{"name":"FailureReason","type":"string","description":"The failure reason"},{"name":"TotalCPU","type":"string","description":"Total CPU duration"},{"name":"ApplicationName","type":"string","description":"The name of the application that invoked the query"},{"name":"MemoryPeak","type":"long","description":"Memory peak"},{"name":"Duration","type":"string","description":"Command duration"},{"name":"User","type":"string","description":"The user that invoked the query"},{"name":"Principal","type":"string","description":"The principal that invoked the query"},{"name":"ExtentsMinDataScannedTime","type":"datetime","description":"Minimum data scan time","isPreferredFacet":true},{"name":"ExtentsMaxDataScannedTime","type":"datetime","description":"Maximum data scan time","isPreferredFacet":true},{"name":"TotalExtentsCount","type":"long","description":"Total extents count"},{"name":"ScannedExtentsCount","type":"long","description":"Scanned extents count"},{"name":"TotalRowsCount","type":"long","description":"Total rows count"},{"name":"ScannedRowsCount","type":"long","description":"Scanned rows count"},{"name":"CacheMemoryHits","type":"long","description":"Memory cache hits"},{"name":"CacheMemoryMisses","type":"long","description":"Memory cache misses"},{"name":"CacheDiskHits","type":"long","description":"Disk cache hits"},{"name":"CacheDiskMisses","type":"long","description":"Disk cache misses"},{"name":"CacheShardsHotHits","type":"long","description":"Shards hot cache hits"},{"name":"CacheShardsHotMisses","type":"long","description":"Shards hot cache 
misses"},{"name":"CacheShardsColdHits","type":"long","description":"Shards cold cache hits"},{"name":"CacheShardsColdMisses","type":"long","description":"Shards cold cache misses"},{"name":"CacheShardsBypassBytes","type":"long","description":"Shards cache bypass bytes"},{"name":"TableCount","type":"int","description":"Table count"},{"name":"TablesStatistics","type":"dynamic","description":"Tables statistics"},{"name":"WorkloadGroup","type":"string","description":"The workload group the query was classified to"},{"name":"Text","type":"string","description":"The text of the invoked query"},{"name":"ComponentFault","type":"string","description":"The entity that caused the query to fail. For example, if the query result is too large, the ComponentFault will be 'Client'. If an internal error occurred, it will be 'Server'"},{"name":"ClientRequestProperties","type":"dynamic","description":"The client request properties of the query"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"ADXTableDetails","name":"ADXTableDetails","tableType":"Microsoft","description":"Azure Data Explorer table details.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) at which this event was generated.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of this 
operation","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The client request ID","isPreferredFacet":true},{"name":"DatabaseName","type":"string","description":"The name of the database"},{"name":"TableName","type":"string","description":"The name of the table"},{"name":"EntityType","type":"string","description":"The type of the table. Can be Table or MaterializedView"},{"name":"TotalExtentSize","type":"real","description":"The total size of extents (compressed size + index size) in the table (in bytes)"},{"name":"TotalOriginalSize","type":"real","description":"The total original size of data in the table (in bytes)"},{"name":"HotExtentSize","type":"real","description":"The total size of extents (compressed size + index size) in the table, stored in the hot cache (in bytes)"},{"name":"RetentionPolicyOrigin","type":"string","description":"Retention policy origin entity (Table/Database/Cluster)"},{"name":"RetentionPolicy","type":"dynamic","description":"The table's effective entity retention policy, serialized as JSON"},{"name":"CachingPolicyOrigin","type":"string","description":"Caching policy origin entity (Table/Database/Cluster)"},{"name":"CachingPolicy","type":"dynamic","description":"The table's effective entity caching policy, serialized as JSON"},{"name":"MaxExtentsCreationTime","type":"datetime","description":"The maximum creation time of an extent in the table (or null, if there are no extents)"},{"name":"MinExtentsCreationTime","type":"datetime","description":"The minimum creation time of an extent in the table (or null, if there are no extents)"},{"name":"TotalExtentCount","type":"long","description":"The total number of extents in the table"},{"name":"TotalRowCount","type":"long","description":"The total number of rows in the table"},{"name":"HotExtentCount","type":"long","description":"The total number of extents in the table, stored in the hot cache"},{"name":"HotOriginalSize","type":"long","description":"The total 
original size of data in the table, stored in the hot cache (in bytes)"},{"name":"HotRowCount","type":"long","description":"The total number of rows in the table, stored in the hot cache"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"ADXTableUsageStatistics","name":"ADXTableUsageStatistics","tableType":"Microsoft","description":"Azure Data Explorer table usage statistics.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) at which this event was generated","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of this operation","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The client request ID","isPreferredFacet":true},{"name":"RootActivityId","type":"string","description":"The root activity ID","isPreferredFacet":true},{"name":"StartedOn","type":"datetime","description":"Time (UTC) at which table usage statistics operation started","isPreferredFacet":true},{"name":"DatabaseName","type":"string","description":"The name of the database"},{"name":"TableName","type":"string","description":"The name of the table"},{"name":"MinCreatedOn","type":"datetime","description":"Oldest extent time of the table","isPreferredFacet":true},{"name":"MaxCreatedOn","type":"datetime","description":"Latest extent time of the 
table","isPreferredFacet":true},{"name":"ApplicationName","type":"string","description":"The name of the application that invoked the command"},{"name":"User","type":"string","description":"The user that invoked the query"},{"name":"Principal","type":"string","description":"The principal that invoked the query"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"AEWAssignmentBlobLogs","name":"AEWAssignmentBlobLogs","tableType":"Microsoft","description":"Assignment blob upload events for the Experiment Workspace.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"ResultType","type":"string","description":"The status of the event. 
Typical values include Succeeded, Failed."},{"name":"HttpStatusCode","type":"int","description":"The HTTP status code of the corresponding REST API call operation."},{"name":"ResultDescription","type":"string","description":"The static text description of this operation."},{"name":"DurationMs","type":"int","description":"The duration of the operation (to upload blob file) in milliseconds."},{"name":"Level","type":"string","description":"The severity level of the operation. Will be one of Information, Warning, Error, or Critical."},{"name":"URI","type":"string","description":"The request Url."},{"name":"Location","type":"string","description":"The location of the resource."},{"name":"Identity","type":"string","description":"The resource id of the user assigned managed identity that performed this operation."},{"name":"ExperimentWorkspaceId","type":"string","description":"The Guid of your experimentation workspace."},{"name":"AssignmentBlobDataVersion","type":"int","description":"Data version (gets incremented with every experiment operation) of Assignment Blob."},{"name":"AssignmentBlobSchemaVersion","type":"string","description":"Schema version of assignment blob data associated with this operation."},{"name":"AssignmentBlobNewOperationIds","type":"dynamic","description":"List of new operation ids (changes) that are getting published or added with this assignment blob."},{"name":"AssignmentBlobLastOperationId","type":"string","description":"The last operation id that got published for an assignment blob data version which is generally one below the current version."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the 
subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.experimentation/experimentworkspaces"],"solutions":["LogManagement"]}},{"id":"AEWAuditLogs","name":"AEWAuditLogs","tableType":"Microsoft","description":"Audit, activity and status for the Experiment Workspace.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) of the HTTP request."},{"name":"ExpComponentName","type":"string","description":"The Exp component sending the log."},{"name":"Message","type":"string","description":"The message in the log."},{"name":"Category","type":"string","description":"The event category. Typical log categories are Audit, Operational, Execution, and Request."},{"name":"ActionName","type":"string","description":"The event name."},{"name":"RequestUri","type":"string","description":"The event URI."},{"name":"Operator","type":"string","description":"The user identity triggering the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.experimentation/experimentworkspaces"],"solutions":["LogManagement"]}},{"id":"AEWComputePipelinesLogs","name":"AEWComputePipelinesLogs","tableType":"Microsoft","description":"AEWComputePipelines Events for the Experiment Workspace.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) 
of the HTTP request."},{"name":"EventName","type":"string","description":"The event name."},{"name":"ExperimentWorkspaceId","type":"string","description":"The Guid ID of your experimentation workspace."},{"name":"ExperimentationGroup","type":"string","description":"Experimentation group name of your experiment."},{"name":"ExperimentId","type":"string","description":"The GUID of your experiment."},{"name":"ExperimentStepId","type":"string","description":"The GUID of your experiment step."},{"name":"FeatureId","type":"string","description":"The GUID of your experiment feature."},{"name":"AnalysisId","type":"string","description":"The ID of your experiment study."},{"name":"ScorecardId","type":"string","description":"The ID of your experiment scorecard."},{"name":"AnalysisType","type":"string","description":"The type of your analysis."},{"name":"Properties","type":"dynamic","description":"Event properties in Experimentation Platform Compute Pipeline with json format."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.experimentation/experimentworkspaces"],"solutions":["LogManagement"],"queries":["4a8a8d90-af11-1302-7556-02c1a6c4287f","307938f2-3ebe-e1dd-e6cd-60181b631133","c6b38466-c4e7-4b51-59c6-9dc6ab8b7d56","8abfa818-c87f-81c7-99ef-fa38d0c750b3"]}},{"id":"AEWExperimentAssignmentSummary","name":"AEWExperimentAssignmentSummary","tableType":"Microsoft","description":"Experiment variant assignment summary from feature evaluation events. 
Used to monitor experiment activities.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The ingestion time of the experiment assignment summary."},{"name":"FeatureFlagReference","type":"string","description":"The fully qualified Id of the feature flag."},{"name":"FeatureName","type":"string","description":"The name of the feature flag."},{"name":"AllocationId","type":"string","description":"The Id of the allocation used for the feature evaluation."},{"name":"Variant","type":"string","description":"The Id of the feature variant assigned."},{"name":"VariantAssignmentPercentage","type":"real","description":"The variant assignment percentage of the feature variant."},{"name":"IsControlVariant","type":"bool","description":"Whether the feature variant assigned is the control for the experiment."},{"name":"AssignmentEventCount","type":"long","description":"Total number of assignment events."},{"name":"MinTimeGenerated","type":"datetime","description":"The timestamp of earliest assignment event in time range."},{"name":"MaxTimeGenerated","type":"datetime","description":"The timestamp of latest assignment event in time range."},{"name":"BinStartTime","type":"datetime","description":"The bin start time of assignment summary."},{"name":"BinSize","type":"long","description":"The duration of assignment summary time range (in minutes)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["applications"],"resourceTypes":["microsoft.experimentation/experimentworkspaces"],"solutions":["LogManagement"],"queries":["bcec51fd-9e72-40a8-b01b-6d3fd16e0fb6","967eb9bf-2d91-4a86-8115-18ee8b458d0e","7f870b0a-b457-4221-a739-20bf3ece31f3"]}},{"id":"AEWExperimentScorecardMetricPairs","name":"AEWExperimentScorecardMetricPairs","tableType":"Microsoft","description":"Detailed experiment results including metric comparisons and any metric-level derived insights.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the scorecard results were ingested."},{"name":"ScorecardId","type":"string","description":"The Id of the experiment scorecard."},{"name":"MetricId","type":"string","description":"The Id of the metric."},{"name":"MetricDisplayName","type":"string","description":"The display name of the metric."},{"name":"MetricDescription","type":"string","description":"The description of the metric."},{"name":"MetricKind","type":"string","description":"The metric kind. Possible values include EventCount, UserCount, EventRate, UserRate, Sum, Average, Percentile."},{"name":"MetricLifecycle","type":"string","description":"The lifecycle stage of the metric. Possible values include Active, Inactive"},{"name":"MetricTags","type":"dynamic","description":"Metric tags in the form of string array."},{"name":"DesiredDirection","type":"string","description":"Desirable direction for the metric. 
Possible values: Increase, Decrease, Neutral"},{"name":"MetricVersion","type":"string","description":"The version of the metric."},{"name":"MetricETag","type":"string","description":"The ETag of the metric."},{"name":"TreatmentVariant","type":"string","description":"The Id of the treatment variant."},{"name":"TreatmentCount","type":"long","description":"The sample count of the treatment variant."},{"name":"TreatmentMetricValue","type":"real","description":"The metric value for the treatment variant."},{"name":"TreatmentMetricValueNormalized","type":"real","description":"The normalized metric value for the treatment variant. Used by metric comparisons, which accounts for unequal traffic allocation."},{"name":"TreatmentStandardErrorNormalized","type":"real","description":"The standard error (StandardDeviation / sqrt(Count)) of the metric for the control variant."},{"name":"ControlVariant","type":"string","description":"The Id of the control variant."},{"name":"ControlCount","type":"long","description":"The sample count of the control variant."},{"name":"ControlMetricValue","type":"real","description":"The metric value for the control variant."},{"name":"ControlMetricValueNormalized","type":"real","description":"The normalized metric value for the control variant. Used by metric comparisons, which accounts for unequal traffic allocation."},{"name":"ControlStandardErrorNormalized","type":"real","description":"The standard error (StandardDeviation / sqrt(Count)) of the metric for the control variant."},{"name":"PValue","type":"real","description":"The P-Value of the comparison. Used to indicate if the difference between the variants is significant."},{"name":"TreatmentEffect","type":"string","description":"The effect of the treatment variant on the metric. 
Possible values: Zero samples, Too few samples, Inconclusive, Changed, Improved, Degraded."},{"name":"RelativeDifference","type":"real","description":"The relative difference of the comparison based on TreatmentMetricValueNormalized and ControlMetricValueNormalized."},{"name":"Insights","type":"dynamic","description":"Metric-level Insights derived from the analysis results in JSON format."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"resourceTypes":["microsoft.experimentation/experimentworkspaces"],"solutions":["LogManagement"],"queries":["7f870b0a-b457-4221-a739-20bf3ece31f3"]}},{"id":"AEWExperimentScorecards","name":"AEWExperimentScorecards","tableType":"Microsoft","description":"Experiment scorecard metadata and insights.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the scorecard results were ingested."},{"name":"FeatureName","type":"string","description":"The name of the feature."},{"name":"FeatureFlagReference","type":"string","description":"The fully qualified Id of the feature."},{"name":"AllocationId","type":"string","description":"The Id of the allocation used for the feature evaluation."},{"name":"ScorecardId","type":"string","description":"The Id of the experiment scorecard."},{"name":"AnalysisStartTime","type":"datetime","description":"The start time of the scorecard analysis."},{"name":"AnalysisEndTime","type":"datetime","description":"The end time of 
the scorecard analysis."},{"name":"Insights","type":"dynamic","description":"Scorecard-level Insights derived from the analysis results in JSON format."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"resourceTypes":["microsoft.experimentation/experimentworkspaces"],"solutions":["LogManagement"],"queries":["967eb9bf-2d91-4a86-8115-18ee8b458d0e","7f870b0a-b457-4221-a739-20bf3ece31f3"]}},{"id":"AFSAuditLogs","name":"AFSAuditLogs","tableType":"Microsoft","description":"This table contains audit logs retrieved from your Azure Managed Lustre filesystem resource. These logs capture all privileged operations performed on each Azure Managed Lustre resource. 
They can be used to monitor events and configure alerts on your resource.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"ActivityId","type":"string","description":"Internal identifier used for tracking."},{"name":"ResultSignature","type":"int","description":"HTTP status of API request."},{"name":"ResultDescription","type":"string","description":"Details about the result of the operation, if available."},{"name":"Identity","type":"dynamic","description":"JSON structure that describes the identity of the user or application that performed the operation."},{"name":"Location","type":"string","description":"The region of the resource associated with the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.storagecache/amlfilesytems"],"solutions":["LogManagement"],"queries":["c4cdf677-7d39-4fc9-9894-e2264e719916","1ef86e81-77c6-467a-a7a6-f5769f1df2f2"]}},{"id":"AGCAccessLogs","name":"AGCAccessLogs","tableType":"Microsoft","description":"Contains details of client requests made to Application Gateway for Containers. 
Each client request creates a log entry that can be used to identify slow requests, determine error rates, and correlate logs with backend services.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"Name of the operation."},{"name":"Region","type":"string","description":"The region where Application Gateway for Containers association is deployed"},{"name":"BackendHost","type":"string","description":"Address of backend target with appended port. For example :"},{"name":"BackendIp","type":"string","description":"IP address of backend target Application Gateway for Containers proxies the request to."},{"name":"BackendPort","type":"int","description":"Port number of the backend target."},{"name":"BackendResponseLatency","type":"real","description":"Time in milliseconds to receive first byte from Application Gateway for Containers to the backend target."},{"name":"BackendTimeTaken","type":"int","description":"Time in milliseconds for the response to be transmitted from the backend target to Application Gateway for Containers."},{"name":"ClientIp","type":"string","description":"IP address of the client initiating the request to the frontend of Application Gateway for Containers."},{"name":"FrontendName","type":"string","description":"Name of the Application Gateway for Containers frontend that received the request from the client."},{"name":"FrontendPort","type":"int","description":"Port number the request was listened on by Application Gateway for Containers."},{"name":"HostName","type":"string","description":"Host header value received from the client by Application Gateway for Containers."},{"name":"HttpMethod","type":"string","description":"HTTP Method of the request received from the client by Application Gateway for Containers as per 
RFC 7231."},{"name":"HttpStatusCode","type":"int","description":"HTTP Status code returned from Application Gateway for Containers to the client."},{"name":"HttpVersion","type":"string","description":"HTTP version of the request received from the client by Application Gateway for Containers."},{"name":"Referrer","type":"string","description":"Referrer header of the request received from the client by Application Gateway for Containers."},{"name":"RequestBodyBytes","type":"long","description":"Size in bytes of the body payload of the request received from the client by Application Gateway for Containers."},{"name":"RequestHeaderBytes","type":"long","description":"Size in bytes of the headers of the request received from the client by Application Gateway for Containers."},{"name":"RequestUri","type":"string","description":"URI of the request received from the client by Application Gateway for Containers (everything after :// of the URL)."},{"name":"ResponseBodyBytes","type":"long","description":"Size in bytes of the body payload of the response returned to the client by Application Gateway for Containers."},{"name":"ResponseHeaderBytes","type":"long","description":"Size in bytes of the headers of the response returned to the client by Application Gateway for Containers."},{"name":"TimeTaken","type":"real","description":"Time in milliseconds of the client request received by Application Gateway for Containers and the last byte returned to the client from Application Gateway for Containers."},{"name":"TlsCipher","type":"string","description":"TLS cipher suite negotiated between the client and Application Gateway for Containers frontend."},{"name":"TlsProtocol","type":"string","description":"TLS version negotiated between the client and Application Gateway for Containers frontend."},{"name":"TrackingId","type":"string","description":"Generated guid by Application Gateway for Containers to help with tracking and debugging. 
This value correlates to the x-request-id header returned to the client from Application Gateway for Containers."},{"name":"UserAgent","type":"string","description":"User-Agent header of the request received from the client by Application Gateway for Containers."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","network"],"resourceTypes":["microsoft.servicenetworking/trafficcontrollers"],"solutions":["LogManagement"],"queries":["c3cf794b-5617-4eb8-95fa-66aa2a2678df","e7766bc6-9d49-4b09-93ed-e564d7593be3","2c4f7c71-9d37-4987-a767-3951876a5477"]}},{"id":"AGCFirewallLogs","name":"AGCFirewallLogs","tableType":"Microsoft","description":"Contains web application firewall logs logged through either detection or prevention mode for Application Gateway for Containers.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"Name of the operation."},{"name":"InstanceId","type":"string","description":"Application Gateway instance for which firewall data is being generated. For a multiple-instance application gateway, there is one row per instance."},{"name":"ClientIp","type":"string","description":"Originating IP for the request."},{"name":"ClientPort","type":"int","description":"Originating port for the request."},{"name":"Action","type":"string","description":"Action taken on the request. 
Available values are Blocked and Allowed (for custom rules), Matched (when a rule matches a part of the request), and Detected and Blocked (these are both for mandatory rules, depending on if the WAF is in detection or prevention mode)."},{"name":"Message","type":"string","description":"User-friendly message for the triggering event. More details are provided in the details section."},{"name":"DetailedMessage","type":"string","description":"Description of the rule for the triggered event."},{"name":"DetailedData","type":"string","description":"Specific data found in request that matched the rule for the triggered event."},{"name":"FileDetails","type":"string","description":"Configuration file that contained the rule for the triggered event."},{"name":"LineDetails","type":"string","description":"Line number in the configuration file that triggered the event."},{"name":"Hostname","type":"string","description":"Hostname or IP address of the Application Gateway."},{"name":"PolicyId","type":"string","description":"Resource ID of the web application firewall policy."},{"name":"PolicyScope","type":"string","description":"A named scope consisting of Kubernetes resource references the scope is applied to."},{"name":"PolicyScopeName","type":"string","description":"The name to the type of scope assignment the web application firewall policy is assigned to."},{"name":"RequestUri","type":"string","description":"URL of the received request."},{"name":"RuleSetType","type":"string","description":"Rule set type. The available value is Microsoft_DefaultRuleSet or Microsoft_BotManagerRuleSet."},{"name":"RuleSetVersion","type":"string","description":"Rule set version used for Microsoft_DefaultRuleSet or Microsoft_BotManagerRuleSet."},{"name":"RuleId","type":"string","description":"Rule ID of the triggering event."},{"name":"TrackingId","type":"string","description":"Generated guid by Application Gateway for Containers to help with tracking and debugging. 
This value correlates to the x-request-id header returned to the client from Application Gateway for Containers."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","network","audit"],"resourceTypes":["microsoft.servicenetworking/trafficcontrollers"],"solutions":["LogManagement"]}},{"id":"AGSGrafanaLoginEvents","name":"AGSGrafanaLoginEvents","tableType":"Microsoft","description":"Login events for an instance of Azure Managed Workspace for Grafana including user identity, user Grafana role (in success) and detailed message (in failure).","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log record was generated."},{"name":"Location","type":"string","description":"The location (region) the Azure Managed Grafana instance was accessed in."},{"name":"OperationName","type":"string","description":"The Grafana operation associated with the log record."},{"name":"Category","type":"string","description":"The category of the log record."},{"name":"Level","type":"string","description":"The severity level of the log record."},{"name":"CorrelationId","type":"string","description":"GUID for the correlated logs."},{"name":"TargetResource","type":"string","description":"The corresponding resource name of the log record."},{"name":"ResourceGroup","type":"string","description":"The resource group containing the resource corresponding to the log record."},{"name":"User","type":"string","description":"The user identity of the 
login event."},{"name":"UserRole","type":"string","description":"The Grafana role of the user for the login event."},{"name":"Message","type":"string","description":"The inner message of the log record."},{"name":"TraceContext","type":"dynamic","description":"The W3C distributed tracing context for the log record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.dashboard/grafana"],"solutions":["LogManagement"],"queries":["b2bd1ca4-8a33-11ec-8fd3-00155dd7661c"]}},{"id":"AGSGrafanaUsageInsightsEvents","name":"AGSGrafanaUsageInsightsEvents","tableType":"Microsoft","description":"Usage insights events for an instance of Azure Managed Workspace for Grafana.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log record was generated."},{"name":"Location","type":"string","description":"The location (region) the Azure Managed Grafana instance was accessed in."},{"name":"OperationName","type":"string","description":"The Grafana operation associated with the log record."},{"name":"Category","type":"string","description":"The category of the log record."},{"name":"Level","type":"string","description":"The severity level of the log record."},{"name":"Details","type":"dynamic","description":"The usage insights details"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.dashboard/grafana"],"solutions":["LogManagement"]}},{"id":"AGSUpdateEvents","name":"AGSUpdateEvents","tableType":"Microsoft","description":"Events that update the content of a Grafana dashboard, such as saving an edit or restoring a previously saved version.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log record was generated."},{"name":"Location","type":"string","description":"The location (region) the Grafana dashboard was updated in."},{"name":"OperationName","type":"string","description":"The Grafana operation associated with the log record."},{"name":"Category","type":"string","description":"The category of the log record."},{"name":"Level","type":"string","description":"The severity level of the log record."},{"name":"CorrelationId","type":"string","description":"GUID for the correlated logs."},{"name":"TargetResource","type":"string","description":"The corresponding resource ID of the log record."},{"name":"User","type":"string","description":"The identifier of the user that updated the dashboard."},{"name":"Message","type":"string","description":"The inner message of the log record."},{"name":"TraceContext","type":"dynamic","description":"The W3C distributed tracing context for the log record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.dashboard/dashboard"],"solutions":["LogManagement"],"queries":["1b1df069-ae9b-4026-876e-09b8d1c4cf12"]}},{"id":"AGWAccessLogs","name":"AGWAccessLogs","tableType":"Microsoft","description":"Contains all the log to view Application Gateway access patterns and analyze important information. This includes the caller's IP, requested URL, response latency, return code, and bytes in and out.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"Name of the operation."},{"name":"ListenerName","type":"string","description":"The listener associated with given request log."},{"name":"RuleName","type":"string","description":"The rule associated with the given request log."},{"name":"BackendPoolName","type":"string","description":"The backend pool associated with the given request log."},{"name":"BackendSettingName","type":"string","description":"The backend setting name associated with the given request log."},{"name":"InstanceId","type":"string","description":"Application Gateway instance that served the request."},{"name":"ClientIp","type":"string","description":"IP of the immediate client of Application Gateway. 
If another proxy fronts your application gateway, this displays the IP of that fronting proxy."},{"name":"ClientPort","type":"int","description":"Port of the client that initiated the request."},{"name":"HttpMethod","type":"string","description":"HTTP method used by the request."},{"name":"RequestUri","type":"string","description":"URI of the received request."},{"name":"RequestQuery","type":"string","description":"Query string portion of the request URI."},{"name":"UserAgent","type":"string","description":"User agent from the HTTP request header."},{"name":"HttpStatus","type":"int","description":"HTTP status code returned to the client from Application Gateway."},{"name":"HttpVersion","type":"string","description":"HTTP version of the request."},{"name":"ReceivedBytes","type":"int","description":"Size of packet received, in bytes."},{"name":"SentBytes","type":"int","description":"Size of packet sent, in bytes."},{"name":"ClientResponseTime","type":"real","description":"Time difference (in seconds) between first byte received from the backend to first byte sent to the client."},{"name":"TimeTaken","type":"real","description":"Length of time (in seconds) that it takes for the first byte of a client request to be processed and its last-byte sent in the response to the client. 
It's important to note that the Time-Taken field usually includes the time that the request and response packets are traveling over the network."},{"name":"WafEvaluationTime","type":"real","description":"Length of time (in seconds) that it takes for the request to be processed by the WAF."},{"name":"WafMode","type":"string","description":"Value can be either Detection or Prevention."},{"name":"WafPolicyId","type":"string","description":"The resource ID of the WAF policy associated with the Application Gateway."},{"name":"TransactionId","type":"string","description":"Unique identifier to correlate the request received from the client."},{"name":"SslEnabled","type":"string","description":"Whether communication to the backend pools used TLS. Valid values are on and off."},{"name":"SslCipher","type":"string","description":"Cipher suite being used for TLS communication (if TLS is enabled)."},{"name":"SslProtocol","type":"string","description":"SSL/TLS protocol being used (if TLS is enabled)."},{"name":"SslClientVerify","type":"string","description":"Status of SSL client certificate verification."},{"name":"SslClientCertificateFingerprint","type":"string","description":"Fingerprint of the SSL client certificate."},{"name":"SslClientCertificateIssuerName","type":"string","description":"Issuer name of the SSL client certificate."},{"name":"ServerRouted","type":"string","description":"The backend server that application gateway routes the request to."},{"name":"ServerStatus","type":"int","description":"HTTP status code of the backend server."},{"name":"ServerResponseLatency","type":"real","description":"Latency of the response (in seconds) from the backend server."},{"name":"ServerConnectTime","type":"real","description":"Time (in seconds) taken to establish a connection with the backend server."},{"name":"ServerHeaderTime","type":"real","description":"Time (in seconds) taken to receive the response headers from the backend 
server."},{"name":"BackendSslProtocol","type":"string","description":"SSL/TLS protocol used for communication with the backend server."},{"name":"BackendSslCipher","type":"string","description":"Cipher suite used for TLS communication with the backend server."},{"name":"ErrorInfo","type":"string","description":"Error category of the failing request."},{"name":"Host","type":"string","description":"Address listed in the host header of the request. If rewritten using header rewrite, this field contains the updated host name."},{"name":"OriginalRequestUriWithArgs","type":"string","description":"This field contains the original request URL."},{"name":"UpstreamSourcePort","type":"int","description":"The source port used by Application Gateway when initiating a connection to the backend target."},{"name":"OriginalHost","type":"string","description":"This field contains the original request host name."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","network","audit"],"resourceTypes":["microsoft.network/applicationgateways"],"solutions":["LogManagement"]}},{"id":"AGWFirewallLogs","name":"AGWFirewallLogs","tableType":"Microsoft","description":"Contains all the logs to view the requests that are logged through either detection or prevention mode of an application gateway that is configured with the web application firewall.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was 
created."},{"name":"OperationName","type":"string","description":"Name of the operation."},{"name":"InstanceId","type":"string","description":"Application Gateway instance for which firewall data is being generated. For a multiple-instance application gateway, there is one row per instance."},{"name":"ClientIp","type":"string","description":"Originating IP for the request."},{"name":"ClientPort","type":"int","description":"Originating port for the request."},{"name":"RequestUri","type":"string","description":"URL of the received request."},{"name":"RuleSetType","type":"string","description":"Rule set type. The available value is OWASP."},{"name":"RuleSetVersion","type":"string","description":"Rule set version used. Available values are 2.2.9 and 3.0."},{"name":"RuleId","type":"string","description":"Rule ID of the triggering event."},{"name":"Message","type":"string","description":"User-friendly message for the triggering event. More details are provided in the details section."},{"name":"Action","type":"string","description":"Action taken on the request. Available values are Blocked and Allowed (for custom rules), Matched (when a rule matches a part of the request), and Detected and Blocked (these are both for mandatory rules, depending on if the WAF is in detection or prevention mode)."},{"name":"Site","type":"string","description":"Site for which the log was generated. 
Currently, only Global is listed because rules are global."},{"name":"DetailedMessage","type":"string","description":"Description of the rule for the triggered event."},{"name":"DetailedData","type":"string","description":"Specific data found in request that matched the rule for the triggered event."},{"name":"FileDetails","type":"string","description":"Configuration file that contained the rule for the triggered event."},{"name":"LineDetails","type":"string","description":"Line number in the configuration file that triggered the event."},{"name":"Hostname","type":"string","description":"Hostname or IP address of the Application Gateway."},{"name":"TransactionId","type":"string","description":"Unique ID for a given transaction which helps group multiple rule violations that occurred within the same request."},{"name":"PolicyId","type":"string","description":"The ID of the firewall policy applied to the request."},{"name":"PolicyScope","type":"string","description":"The scope of the policy. Values can be Global, Listener, or Location (for path-based rules)."},{"name":"PolicyScopeName","type":"string","description":"The name of the policy scope applied."},{"name":"ParanoiaLevel","type":"string","description":"The OWASP CRS paranoia level (1-4) of the rule that triggered. 
Empty for non-CRS rules (e.g., anomaly scoring, bot protection)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","network","audit"],"resourceTypes":["microsoft.network/applicationgateways"],"solutions":["LogManagement"]}},{"id":"AGWPerformanceLogs","name":"AGWPerformanceLogs","tableType":"Microsoft","description":"Contains all the logs to view how Application Gateway instances are performing. This log captures performance information for each instance, including total requests served, throughput in bytes, failed request count, and healthy and unhealthy backend instance count. The Performance log is available only for the v1 SKU.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"Name of the operation."},{"name":"InstanceId","type":"string","description":"Application Gateway instance for which performance data is being generated. 
For a multiple-instance application gateway, there is one row per instance."},{"name":"HealthyHostCount","type":"int","description":"Number of healthy hosts in the backend pool."},{"name":"UnHealthyHostCount","type":"int","description":"Number of unhealthy hosts in the backend pool."},{"name":"RequestCount","type":"int","description":"Number of requests served."},{"name":"Latency","type":"int","description":"Average latency (in milliseconds) of requests from the instance to the back end that serves the requests."},{"name":"FailedRequestCount","type":"int","description":"Number of failed requests."},{"name":"Throughput","type":"int","description":"Average throughput since the last log, measured in bytes per second."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","network","audit"],"resourceTypes":["microsoft.network/applicationgateways"],"solutions":["LogManagement"]}},{"id":"AHCIDiagnosticLogs","name":"AHCIDiagnosticLogs","tableType":"Microsoft","description":"Actionable logs generated from your Interoperability application.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The operation stage of the service from which the log entry was generated."},{"name":"Message","type":"string","description":"Description of the log entry."},{"name":"LogType","type":"string","description":"Type of the log 
entry."},{"name":"CorrelationId","type":"string","description":"Correlation ID associated with the log entry."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.healthcareinterop/workspaces"],"solutions":["LogManagement"],"queries":["e2c1b8a7-4f8b-4e2a-9a3d-2c6e8f7d5b1c","e8a2f7c1-5b3d-4c9a-9e2f-7d1b6a4c2f8e"]}},{"id":"AHDSDeidAuditLogs","name":"AHDSDeidAuditLogs","tableType":"Microsoft","description":"Data plane audit logs of privileged actions made against the Azure Health Data Services de-identification service, such as initiating a de-identification job.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was generated."},{"name":"StatusCode","type":"int","description":"HTTP status code returned for the request."},{"name":"CorrelationId","type":"string","description":"An identifier used to group together a set of related events."},{"name":"Identity","type":"dynamic","description":"Identity of the issuer of the request."},{"name":"Uri","type":"string","description":"URI of the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique 
identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.healthdataaiservices/deidservices"],"solutions":["LogManagement"]}},{"id":"AHDSDicomAuditLogs","name":"AHDSDicomAuditLogs","tableType":"Microsoft","description":"Data plane audit logs of privileged actions made against Azure Health Data DICOM service. For example, storing a DICOM instance.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was generated."},{"name":"ResultType","type":"string","description":"Indicates whether the operation started or ended."},{"name":"StatusCode","type":"int","description":"Status code returned for the request."},{"name":"CorrelationId","type":"string","description":"An identifier used to group together a set of related events."},{"name":"Identity","type":"dynamic","description":"Identity of the issuer of the request."},{"name":"Level","type":"string","description":"The log's severity level. 
Possible values are Informational, Warning, and Error."},{"name":"Uri","type":"string","description":"URI of the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.healthcareapis/workspaces"],"solutions":["LogManagement"],"queries":["5d9df8e3-7ff1-45f5-9569-411f6ffacfc7"]}},{"id":"AHDSDicomDiagnosticLogs","name":"AHDSDicomDiagnosticLogs","tableType":"Microsoft","description":"Actionable logs generated from your Azure Health Data DICOM service, including event information such as warning logs per tag per DICOM instance denoting validation issues.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was generated. For example, Store/PostInstance/POST"},{"name":"CorrelationId","type":"string","description":"An identifier used to group together a set of related events."},{"name":"Message","type":"string","description":"Description of the log entry."},{"name":"LogLevel","type":"string","description":"The log's severity level. Possible values are Informational, Warning, and Error."},{"name":"Location","type":"string","description":"Azure region of service from which log was generated. 
Examples are 'eastus', 'centralindia', 'westus2', etc."},{"name":"Properties","type":"dynamic","description":"Additional information about the event in JSON array format. Examples include DICOM identifiers present in the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.healthcareapis/workspaces"],"solutions":["LogManagement"],"queries":["c3346bdf-e3db-4af3-b6f7-5e1e73ce0d2b"]}},{"id":"AHDSMedTechDiagnosticLogs","name":"AHDSMedTechDiagnosticLogs","tableType":"Microsoft","description":"Actionable logs generated from your MedTech application.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The operation stage of the service from which the log entry was generated."},{"name":"Message","type":"string","description":"Description of the log entry."},{"name":"LogType","type":"string","description":"Type of the log entry."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.healthcareapis/workspaces"],"solutions":["LogManagement"],"queries":["68299a2f-71a3-4795-a11c-9dfc7b2d0651","af396c53-a04e-43aa-8bd9-c9cf75f96318","3dfc6cd3-9545-43f3-b1b8-7c4813d1da5c","5c33c4fb-04cf-410e-9556-04509fb24090","f1aa373c-ecc6-49cd-835a-05ac38b0749f"]}},{"id":"AKSAudit","name":"AKSAudit","tableType":"Microsoft","description":"Contains all Kubernetes API Server audit logs including events with the get and list verbs. These events are useful for monitoring all of the interactions with the Kubernetes API. To limit the scope to modifying operations see the AKSAuditAdmin table. Requires Diagnostic Settings to use the Resource Specific destination table.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Event generation time."},{"name":"Level","type":"string","description":"Level (Metadata, Request, RequestResponse) of the audit event."},{"name":"AuditId","type":"string","description":"Unique audit ID that is generated for each request."},{"name":"Stage","type":"string","description":"The request handling stage (RequestReceived, ResponseStarted, ResponseComplete, Panic) at which this audit event was generated."},{"name":"RequestUri","type":"string","description":"The URI of the request made by the client to the server."},{"name":"Verb","type":"string","description":"The Kubernetes verb associated with the request. 
For non-resource requests, this is the lower-cased HTTP method."},{"name":"User","type":"dynamic","description":"Authenticated user metadata of the requesting client, including optional fields such as UID and groups."},{"name":"SourceIps","type":"dynamic","description":"The list of source IP addresses for the originating client and intermediate proxies."},{"name":"UserAgent","type":"string","description":"The user agent string presented by the originating client."},{"name":"ObjectRef","type":"dynamic","description":"The Kubernetes object reference this event was targeted for. This field does not apply for list requests nor non-resource requests."},{"name":"ResponseStatus","type":"dynamic","description":"Response status for the request, which includes the response code. In error cases, this object will include the error message property."},{"name":"RequestObject","type":"dynamic","description":"Kubernetes API object from the request in object format or the string \"skipped-too-big-size-object\". This is omitted for non-resource requests."},{"name":"ResponseObject","type":"dynamic","description":"Kubernetes API object from the response, in object format or the string \"skipped-too-big-size-object\". This is omitted for non-resource requests."},{"name":"RequestReceivedTime","type":"datetime","description":"Time when the API Server first received the request."},{"name":"StageReceivedTime","type":"datetime","description":"Time when the request reached the current audit stage."},{"name":"Annotations","type":"dynamic","description":"An unstructured key-value map associated with this audit event. 
These annotations are set by plugins as part of the request serving chain and are included at the Metadata event level."},{"name":"PodName","type":"string","description":"Name of the pod emitting this audit event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources","container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["LogManagement"],"queries":["5bcdd75f-8eaf-4c5a-aa38-7c10a501d260"]}},{"id":"AKSAuditAdmin","name":"AKSAuditAdmin","tableType":"Microsoft","description":"Contains Kubernetes API Server audit logs excluding events with the get and list verbs. These events are useful for monitoring resource modification requests made to the Kubernetes API. To see all modifying and non-modifying operations see the AKSAudit table. 
Requires Diagnostic Settings to use the Resource Specific destination table.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Event generation time."},{"name":"Level","type":"string","description":"Level (Metadata, Request, RequestResponse) of the audit event."},{"name":"AuditId","type":"string","description":"Unique audit ID that is generated for each request."},{"name":"Stage","type":"string","description":"The request handling stage (RequestReceived, ResponseStarted, ResponseComplete, Panic) at which this audit event was generated."},{"name":"RequestUri","type":"string","description":"The URI of the request made by the client to the server."},{"name":"Verb","type":"string","description":"The Kubernetes verb associated with the request. For non-resource requests, this is the lower-cased HTTP method."},{"name":"User","type":"dynamic","description":"Authenticated user metadata of the requesting client, including optional fields such as UID and groups."},{"name":"SourceIps","type":"dynamic","description":"The list of source IP addresses for the originating client and intermediate proxies."},{"name":"UserAgent","type":"string","description":"The user agent string presented by the originating client."},{"name":"ObjectRef","type":"dynamic","description":"The Kubernetes object reference this event was targeted for. This field does not apply for list requests nor non-resource requests."},{"name":"ResponseStatus","type":"dynamic","description":"Response status for the request, which includes the response code. In error cases, this object will include the error message property."},{"name":"RequestObject","type":"dynamic","description":"Kubernetes API object from the request in object format or the string \"skipped-too-big-size-object\". 
This is omitted for non-resource requests."},{"name":"ResponseObject","type":"dynamic","description":"Kubernetes API object from the response, in object format or the string \"skipped-too-big-size-object\". This is omitted for non-resource requests."},{"name":"RequestReceivedTime","type":"datetime","description":"Time when the API Server first received the request."},{"name":"StageReceivedTime","type":"datetime","description":"Time when the request reached the current audit stage."},{"name":"Annotations","type":"dynamic","description":"An unstructured key-value map associated with this audit event. These annotations are set by plugins as part of the request serving chain and are included at the Metadata event level."},{"name":"PodName","type":"string","description":"Name of the pod emitting this audit event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources","container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["LogManagement"],"queries":["820ac966-e438-4fae-aef9-2d162ce23ced","39ef777f-53d8-400a-9d4e-d6e6946a538e"]}},{"id":"AKSControlPlane","name":"AKSControlPlane","tableType":"Microsoft","description":"Contains diagnostic logs for the Kubernetes API Server, Controller Manager, Scheduler, Cluster Autoscaler, Cloud Controller Manager, Guard, the Azure CSI storage drivers, Azure Fleet Manager agents and Karpenter controller logs. These diagnostic logs have distinct Category entries corresponding to their diagnostic log setting (e.g. kube-apiserver, kube-audit-admin). 
Requires Diagnostic Settings to use the Resource Specific destination table.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Event generation time."},{"name":"Category","type":"string","description":"Service log category describing the service logging the message."},{"name":"Level","type":"string","description":"Level (Fatal, Error, Warning, Info) of the log message."},{"name":"Message","type":"string","description":"Log message body."},{"name":"Stream","type":"string","description":"Output stream (stdout, stderr) source of the log message."},{"name":"PodName","type":"string","description":"Name of the pod logging the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["LogManagement"],"queries":["1f0b44f9-2a90-4d74-bd6f-32671f493c65","6d69a6ab-78ed-45c8-b5bb-557c2a096d54"]}},{"id":"ALBHealthEvent","name":"ALBHealthEvent","tableType":"Microsoft","description":"Table of events related to the availability and health of a load balancer resource.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was generated."},{"name":"operationName","type":"string","description":"The operation when the record is 
generated"},{"name":"HealthEventType","type":"string","description":"Type of the health event."},{"name":"Severity","type":"string","description":"Severity of the health event."},{"name":"LoadBalancerResourceId","type":"string","description":"Load Balancer Resource ID of the health event."},{"name":"Description","type":"string","description":"Description of the health event."},{"name":"FrontendIP","type":"string","description":"Frontend IP of the health event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","monitor"],"resourceTypes":["microsoft.network/loadbalancers"],"solutions":["LogManagement"],"queries":["8f2774ec-9662-4eff-bc18-b223ec9ce86d"]}},{"id":"AMAHealth","name":"AMAHealth","tableType":"Microsoft","description":"Agent self-reported health data.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"StartTime","type":"datetime","description":"The start time in UTC of the interval for which the agent health data was aggregated."},{"name":"EndTime","type":"datetime","description":"The end time in UTC of the interval for which the agent health data was aggregated."},{"name":"AgentRegion","type":"string","description":"The Azure region in which the VM is located."},{"name":"AgentType","type":"string","description":"The type of agent reporting the health data."},{"name":"VMUUID","type":"string","description":"The VM UUID of the virtual machine 
on which the agent is running."},{"name":"AgentVersion","type":"string","description":"The version of the agent reporting the health data."},{"name":"AgentHealth","type":"int","description":"Indicates whether the agent is healthy (0), warning (1), or unhealthy (2)."},{"name":"DroppedEventsStatus","type":"int","description":"Indicates whether the agent is not dropping events (0), dropping a few events (1), or dropping an unacceptable number of events (2). The dropping of events can occur due to various reasons such as resource constraints, excessive event volume, external environmental issues like connectivity loss, and configuration errors."},{"name":"MaxDiskExceededPercent","type":"real","description":"The percent of the reporting interval for which the disk usage exceeded the established quota."},{"name":"MaxEventsExceededPercent","type":"real","description":"The percent of the reporting interval for which the log volume exceeded the established quota."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["virtualmachines","management"],"resourceTypes":["microsoft.compute/virtualmachines/extensions"],"solutions":["LogManagement"]}},{"id":"AMSKeyDeliveryRequests","name":"AMSKeyDeliveryRequests","tableType":"Microsoft","description":"Key delivery requests logs from Azure Media Services. This table captures details for every HTTP request for key or license acquisition sent to Azure Media Services. 
It can be used to monitor encrypted content playback, and to diagnose issues with DRM license acquisition or Clear Key acquisition.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was generated."},{"name":"OperationName","type":"string","description":"The name of the operation that triggered the event."},{"name":"OperationVersion","type":"string","description":"Azure Media Services operation version."},{"name":"ResultType","type":"string","description":"Azure Media Services operation result type."},{"name":"ResultSignature","type":"string","description":"Azure Media Services operation result signature."},{"name":"DurationMs","type":"int","description":"Azure Media Services operation duration in milli-seconds."},{"name":"Level","type":"string","description":"Message level. Possible values are Informational, Warning, Error, Critical and Verbose."},{"name":"Location","type":"string","description":"Location of the service sending the log."},{"name":"RequestId","type":"string","description":"Id of the request."},{"name":"KeyType","type":"string","description":"Could be one of the following values: Clear (no encryption), FairPlay, PlayReady, or Widevine."},{"name":"KeyId","type":"string","description":"The ID of the requested key."},{"name":"TokenType","type":"string","description":"The token type."},{"name":"PolicyName","type":"string","description":"The Azure Resource Manager name of the policy."},{"name":"StatusMessage","type":"string","description":"The status message."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.media/mediaservices"],"solutions":["LogManagement"],"queries":["8b5511d4-2df9-445f-ac8c-183615aeff4f","b098e967-079a-4467-898a-8568b6f96f6a","e5d93d90-7ff9-4c4d-b46f-5bc037afa284"]}},{"id":"AMSLiveEventOperations","name":"AMSLiveEventOperations","tableType":"Microsoft","description":"Contains logs related to a Live Event. Logs are sent when an encoder connects, disconnects, or if there is a discontinuity in the media data.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the event was generated."},{"name":"OperationName","type":"string","description":"The name of the operation that triggered the event."},{"name":"Level","type":"string","description":"Message level. 
Possible values are Informational, Warning, Error, Critical and Verbose."},{"name":"Location","type":"string","description":"Location of the service sending the event."},{"name":"Properties","type":"dynamic","description":"Operation details."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.media/mediaservices"],"solutions":["LogManagement"],"queries":["fba0fd35-f822-4df0-bc10-2ca0d9041d63","ecdcd5a9-ac4e-4e24-9ce6-bcb9b2e0cfa6"]}},{"id":"AMSMediaAccountHealth","name":"AMSMediaAccountHealth","tableType":"Microsoft","description":"Media Account Health Status. This table captures the Azure Media Services account health status. It can be used to diagnose issues for unhealthy accounts.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was generated."},{"name":"OperationName","type":"string","description":"The name of the operation that triggered the event."},{"name":"Level","type":"string","description":"Message level. 
Possible values are Informational, Warning, Error, Critical and Verbose."},{"name":"Location","type":"string","description":"Location of the service sending the log."},{"name":"EventCode","type":"string","description":"The event code."},{"name":"EventMessage","type":"string","description":"The event status message."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.media/mediaservices"],"solutions":["LogManagement"],"queries":["7308fa13-7b01-48d3-b9b6-8ac464ba5b3f"]}},{"id":"AMSStreamingEndpointRequests","name":"AMSStreamingEndpointRequests","tableType":"Microsoft","description":"Contains information about requests to streaming endpoints. A streaming endpoint receives HTTP requests needed to stream video content. These requests usually come from video players or from the CDN.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the event was generated."},{"name":"OperationName","type":"string","description":"The name of the operation that triggered the event."},{"name":"OperationVersion","type":"string","description":"Azure Media Services operation version."},{"name":"Level","type":"string","description":"Message level. 
Possible values are Informational, Warning, Error, Critical and Verbose."},{"name":"Location","type":"string","description":"Location of the service sending the event."},{"name":"ClientIP","type":"string","description":"IP address of the client."},{"name":"URL","type":"string","description":"The streaming URL from Azure Media Services."},{"name":"Status","type":"string","description":"Status code of the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.media/mediaservices"],"solutions":["LogManagement"],"queries":["1b582828-0234-4b71-9949-c9e08be3bc04","3a2a2aea-8ada-497f-8ff1-e3a01c2469da"]}},{"id":"AMWMetricsUsageDetails","name":"AMWMetricsUsageDetails","tableType":"Microsoft","description":"Table that breaks down data quantities and query usage of metrics sent to an Azure Monitor Workspace.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the summary data for the row was produced."},{"name":"StartTime","type":"datetime","description":"The start time (UTC) of the date range being described."},{"name":"EndTime","type":"datetime","description":"The end time (UTC) of the date range being described."},{"name":"AMWResourceName","type":"string","description":"Azure Monitor Workspace resource name."},{"name":"MetricNamespace","type":"string","description":"Namespace in the Azure Monitor Workspace the metric belongs 
to."},{"name":"MetricName","type":"string","description":"The name of the metric the insights is generated for."},{"name":"DimensionsList","type":"string","description":"The set of labels/dimensions being described."},{"name":"DailyTimeseriesCount","type":"long","description":"Daily timeseries count associated with the labels/dimensions for the metric."},{"name":"IngestedSamplesCount","type":"long","description":"Number of samples ingested in the specified date range."},{"name":"IncomingEventsCount","type":"long","description":"Number of events received for the specified date range."},{"name":"DaysSinceMetricQueried","type":"int","description":"Number of days from the specified date range when the metric was queried last."},{"name":"NumberOfQueries","type":"int","description":"Number of queries received for the specified date range."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","monitor"],"resourceTypes":["microsoft.monitor/accounts"],"solutions":["LogManagement"]}},{"id":"ANFFileAccess","name":"ANFFileAccess","tableType":"Microsoft","description":"This table maps to audit logs generated in an ANF Volume. 
This audit log covers any file system operation performed by users.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when the log was generated."},{"name":"OperationTime","type":"datetime","description":"Time when the operation was performed."},{"name":"Category","type":"string","description":"The log category this log belongs to as configured in diagnostic settings."},{"name":"OperationName","type":"string","description":"The name of the file operation which this log is generated for."},{"name":"OperationVersion","type":"string","description":"Version of the file operation."},{"name":"SchemaVersion","type":"string","description":"Version of the log schema."},{"name":"ResultType","type":"string","description":"Indicates whether the operation succeeded or failed. Values can be Audit Success or Audit Failure."},{"name":"CallerIpAddress","type":"string","description":"IP address of the client that performed this file operation."},{"name":"Location","type":"string","description":"Location of the NetApp volume."},{"name":"Level","type":"string","description":"Log level of the log. This is always set to Informational."},{"name":"ObjectName","type":"string","description":"Name of the object for which this log was generated."},{"name":"SubjectUnix","type":"string","description":"Identifier of the user who performed the file operation. Format is uid:gid, separated by a colon."},{"name":"IsUserLocal","type":"bool","description":"Identifies whether the user who performed the file operation is a local user or a remote user."},{"name":"ObjectType","type":"string","description":"Type of the object on which the operation was performed."},{"name":"Properties","type":"dynamic","description":"A set of file operation specific fields. 
Varies by OperationName."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.netapp/netappaccounts/capacitypools"],"solutions":["LogManagement"],"queries":["f6544502-3c0c-4e40-916d-bac6bb3ce8cf","b0398ff8-d74a-11ec-9d64-0242ac120002"]}},{"id":"ANFTopClientReadIOPS","name":"ANFTopClientReadIOPS","tableType":"Microsoft","description":"This table contains Top-K client read IOPS logs for ANF volumes, showing which clients are generating the most read IOPS on each volume.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when the log was generated."},{"name":"Category","type":"string","description":"The log category this log belongs to as configured in diagnostic settings."},{"name":"OperationName","type":"string","description":"The name of the operation which generated this log."},{"name":"OperationVersion","type":"string","description":"API version used for the operation."},{"name":"ResultType","type":"string","description":"Result of the operation."},{"name":"Location","type":"string","description":"Location of the ANF volume."},{"name":"Level","type":"string","description":"Log level. 
Always set to Informational."},{"name":"VolumeName","type":"string","description":"External name of the ANF volume."},{"name":"TopDimension","type":"string","description":"Dimension of the top-K metric: client or file."},{"name":"TopMetric","type":"string","description":"Metric type: Read or Write."},{"name":"MetricUnit","type":"string","description":"Unit of the metric. Always iops."},{"name":"Quantity","type":"real","description":"IOPS value for this client."},{"name":"ClientIp","type":"string","description":"IP address of the client generating the read IOPS."},{"name":"Properties","type":"dynamic","description":"Additional properties of the log record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.netapp/netappaccounts/capacitypools"],"solutions":["LogManagement"]}},{"id":"ANFTopClientWriteIOPS","name":"ANFTopClientWriteIOPS","tableType":"Microsoft","description":"This table contains Top-K client write IOPS logs for ANF volumes, showing which clients are generating the most write IOPS on each volume.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when the log was generated."},{"name":"Category","type":"string","description":"The log category this log belongs to as configured in diagnostic settings."},{"name":"OperationName","type":"string","description":"The name of the operation which generated this log."},{"name":"OperationVersion","type":"string","description":"API version used for 
the operation."},{"name":"ResultType","type":"string","description":"Result of the operation."},{"name":"Location","type":"string","description":"Location of the ANF volume."},{"name":"Level","type":"string","description":"Log level. Always set to Informational."},{"name":"VolumeName","type":"string","description":"External name of the ANF volume."},{"name":"TopDimension","type":"string","description":"Dimension of the top-K metric: client or file."},{"name":"TopMetric","type":"string","description":"Metric type: Read or Write."},{"name":"MetricUnit","type":"string","description":"Unit of the metric. Always iops."},{"name":"Quantity","type":"real","description":"IOPS value for this client."},{"name":"ClientIp","type":"string","description":"IP address of the client generating the write IOPS."},{"name":"Properties","type":"dynamic","description":"Additional properties of the log record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.netapp/netappaccounts/capacitypools"],"solutions":["LogManagement"]}},{"id":"ANFTopFileReadIOPS","name":"ANFTopFileReadIOPS","tableType":"Microsoft","description":"This table contains Top-K file read IOPS logs for ANF volumes, showing which files are generating the most read IOPS on each volume.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when the log was generated."},{"name":"Category","type":"string","description":"The log category this log belongs to as 
configured in diagnostic settings."},{"name":"OperationName","type":"string","description":"The name of the operation which generated this log."},{"name":"OperationVersion","type":"string","description":"API version used for the operation."},{"name":"ResultType","type":"string","description":"Result of the operation."},{"name":"Location","type":"string","description":"Location of the ANF volume."},{"name":"Level","type":"string","description":"Log level. Always set to Informational."},{"name":"VolumeName","type":"string","description":"External name of the ANF volume."},{"name":"TopDimension","type":"string","description":"Dimension of the top-K metric: client or file."},{"name":"TopMetric","type":"string","description":"Metric type: Read or Write."},{"name":"MetricUnit","type":"string","description":"Unit of the metric. Always iops."},{"name":"Quantity","type":"real","description":"IOPS value for this file."},{"name":"FilePath","type":"string","description":"Path of the file generating the read IOPS."},{"name":"Properties","type":"dynamic","description":"Additional properties of the log record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.netapp/netappaccounts/capacitypools"],"solutions":["LogManagement"]}},{"id":"ANFTopFileWriteIOPS","name":"ANFTopFileWriteIOPS","tableType":"Microsoft","description":"This table contains Top-K file write IOPS logs for ANF volumes, showing which files are generating the most write IOPS on each 
volume.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when the log was generated."},{"name":"Category","type":"string","description":"The log category this log belongs to as configured in diagnostic settings."},{"name":"OperationName","type":"string","description":"The name of the operation which generated this log."},{"name":"OperationVersion","type":"string","description":"API version used for the operation."},{"name":"ResultType","type":"string","description":"Result of the operation."},{"name":"Location","type":"string","description":"Location of the ANF volume."},{"name":"Level","type":"string","description":"Log level. Always set to Informational."},{"name":"VolumeName","type":"string","description":"External name of the ANF volume."},{"name":"TopDimension","type":"string","description":"Dimension of the top-K metric: client or file."},{"name":"TopMetric","type":"string","description":"Metric type: Read or Write."},{"name":"MetricUnit","type":"string","description":"Unit of the metric. 
Always iops."},{"name":"Quantity","type":"real","description":"IOPS value for this file."},{"name":"FilePath","type":"string","description":"Path of the file generating the write IOPS."},{"name":"Properties","type":"dynamic","description":"Additional properties of the log record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.netapp/netappaccounts/capacitypools"],"solutions":["LogManagement"]}},{"id":"AOIDatabaseQuery","name":"AOIDatabaseQuery","tableType":"Microsoft","description":"Audit logs related to queries run on database, in dataproduct environment.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) at which this event was generated."},{"name":"OperationName","type":"string","description":"The name of this operation."},{"name":"Location","type":"string","description":"The region where this query was executed."},{"name":"CorrelationId","type":"string","description":"The client request ID."},{"name":"RootActivityId","type":"string","description":"The root activity ID."},{"name":"StartedOn","type":"datetime","description":"Time (UTC) at which this command started."},{"name":"LastUpdatedOn","type":"datetime","description":"Time (UTC) at which this command ended."},{"name":"DatabaseName","type":"string","description":"The name of the database that the command ran on."},{"name":"State","type":"string","description":"The state the command ended 
with."},{"name":"FailureReason","type":"string","description":"The failure reason."},{"name":"TotalCPU","type":"string","description":"Total CPU duration time."},{"name":"ApplicationName","type":"string","description":"The name of the application that invoked the query."},{"name":"MemoryPeak","type":"long","description":"Memory peak."},{"name":"DurationMs","type":"string","description":"Command duration in milliseconds."},{"name":"User","type":"string","description":"The user that invoked the query."},{"name":"Principal","type":"string","description":"The principal that invoked the query."},{"name":"MinDataScannedTime","type":"datetime","description":"Minimum data scan time."},{"name":"MaxDataScannedTime","type":"datetime","description":"Maximum data scan time."},{"name":"TotalExtentsCount","type":"long","description":"Total extents count."},{"name":"ScannedExtentsCount","type":"long","description":"Scanned extents count."},{"name":"TotalRowsCount","type":"long","description":"Total rows count."},{"name":"ScannedRowsCount","type":"long","description":"Scanned rows count."},{"name":"CacheMemoryHits","type":"long","description":"Memory cache hits."},{"name":"CacheMemoryMisses","type":"long","description":"Memory cache misses."},{"name":"CacheDiskHits","type":"long","description":"Disk cache hits."},{"name":"CacheDiskMisses","type":"long","description":"Disk cache misses."},{"name":"CacheShardsHotHits","type":"long","description":"Shards hot cache hits."},{"name":"CacheShardsHotMisses","type":"long","description":"Shards hot cache misses."},{"name":"CacheShardsColdHits","type":"long","description":"Shards cold cache hits."},{"name":"CacheShardsColdMisses","type":"long","description":"Shards cold cache misses."},{"name":"CacheShardsBypassBytes","type":"long","description":"Shards cache bypass bytes."},{"name":"TableCount","type":"int","description":"Table count."},{"name":"TablesStatistics","type":"dynamic","description":"Tables 
statistics."},{"name":"WorkloadGroup","type":"string","description":"The workload group to which the query was classified."},{"name":"Text","type":"string","description":"The text of the invoked query."},{"name":"ComponentFault","type":"string","description":"The entity that caused the query to fail. For example, if the query result is too large, the ComponentFault will be 'Client'. If an internal error occurred, it will be 'Server'."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.networkanalytics/dataproducts"],"solutions":["LogManagement"],"queries":["9788de8c-73da-4b6f-b259-28f89c8f8964"]}},{"id":"AOIDigestion","name":"AOIDigestion","tableType":"Microsoft","description":"Logs related to digestion of files added to the input storage account. 
These can be used to verify that data is being successfully passed through to enrichment, or to troubleshoot issues with processing the raw data.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) when the log was generated."},{"name":"Level","type":"string","description":"The level of the log."},{"name":"Message","type":"string","description":"The log message."},{"name":"FilePath","type":"string","description":"The path of the file that was digested."},{"name":"Datatype","type":"string","description":"The datatype of the file that was digested."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":[],"resourceTypes":["microsoft.networkanalytics/dataproducts"],"solutions":["LogManagement"],"queries":["839b634d-aa61-4eeb-9826-e42b57a650dc","4caba217-a14b-4690-934f-d57b9ccbd1da"]}},{"id":"AOIStorage","name":"AOIStorage","tableType":"Microsoft","description":"These are Audit logs related to ingestion of files on the input storage account.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) at which this event was generated."},{"name":"AccountName","type":"string","description":"The name of the storage account."},{"name":"Location","type":"string","description":"The location of storage account."},{"name":"Category","type":"string","description":"The 
category to which this row belongs; it will be one of Ingestion, IngestionRead, IngestionDelete or ReadStorage."},{"name":"Protocol","type":"string","description":"The protocol that is used in the operation."},{"name":"OperationName","type":"string","description":"The type of REST operation that was performed."},{"name":"AuthenticationType","type":"string","description":"The type of authentication that was used to make the request."},{"name":"StatusCode","type":"string","description":"The HTTP status code for the request. If the request is interrupted, this value might be set to Unknown."},{"name":"StatusText","type":"string","description":"The status of the requested operation."},{"name":"DurationMs","type":"real","description":"The total time, expressed in milliseconds, to perform the requested operation. This includes the time to read the incoming request, and to send the response to the requester."},{"name":"ServerLatencyMs","type":"real","description":"The total time expressed in milliseconds to perform the requested operation. This value doesn't include network latency (the time to read the incoming request and send the response to the requester)."},{"name":"Uri","type":"string","description":"Uniform resource identifier that is requested."},{"name":"CallerIpAddress","type":"string","description":"The IP address of the requester, including the port number."},{"name":"CorrelationId","type":"string","description":"The ID that is used to correlate logs across resources."},{"name":"SchemaVersion","type":"string","description":"The schema version of the log."},{"name":"OperationVersion","type":"string","description":"The storage service version that was specified when the request was made. 
This is equivalent to the value of the x-ms-version header."},{"name":"AuthenticationHash","type":"string","description":"The hash of authentication token."},{"name":"RequesterObjectId","type":"string","description":"The OAuth object ID of the requester."},{"name":"RequesterTenantId","type":"string","description":"The OAuth tenant ID of identity."},{"name":"RequesterAppId","type":"string","description":"The Open Authorization (OAuth) application ID that is used as the requester."},{"name":"RequesterAudience","type":"string","description":"The OAuth audience of the request."},{"name":"RequesterTokenIssuer","type":"string","description":"The OAuth token issuer."},{"name":"RequesterUpn","type":"string","description":"The User Principal Names of requestor."},{"name":"AuthorizationDetails","type":"dynamic","description":"Detailed policy information used to authorize the request."},{"name":"UserAgentHeader","type":"string","description":"The User-Agent header value, in quotes."},{"name":"ReferrerHeader","type":"string","description":"The Referer header value."},{"name":"ClientRequestId","type":"string","description":"The x-ms-client-request-id header value of the request."},{"name":"Etag","type":"string","description":"The ETag identifier for the returned object, in quotes."},{"name":"ServiceType","type":"string","description":"The service associated with this request."},{"name":"OperationCount","type":"int","description":"The number of each logged operation that is involved in the request. This count starts with an index of 0. Some requests require more than one operation, such as a request to copy a blob. Most requests perform only one operation."},{"name":"ObjectKey","type":"string","description":"The key of the requested object, in quotes."},{"name":"RequestHeaderSize","type":"long","description":"The size of the request header expressed in bytes. 
If a request is unsuccessful, this value might be empty."},{"name":"RequestBodySize","type":"long","description":"The size of the request packets, expressed in bytes, that are read by the storage service. If a request is unsuccessful, this value might be empty."},{"name":"ResponseHeaderSize","type":"long","description":"The size of the response header expressed in bytes. If a request is unsuccessful, this value might be empty."},{"name":"ResponseBodySize","type":"long","description":"The size of the response packets written by the storage service, in bytes. If a request is unsuccessful, this value may be empty."},{"name":"RequestMd5","type":"string","description":"The value of either the Content-MD5 header or the x-ms-content-md5 header in the request. The MD5 hash value specified in this field represents the content in the request."},{"name":"ResponseMd5","type":"string","description":"The value of the MD5 hash calculated by the storage service."},{"name":"LastModifiedTime","type":"datetime","description":"The Last Modified Time (LMT) for the returned object. This field is empty for operations that can return multiple objects."},{"name":"ConditionsUsed","type":"string","description":"A semicolon-separated list of key-value pairs that represent a condition."},{"name":"ContentLengthHeader","type":"long","description":"The value of the Content-Length header for the request sent to the storage service."},{"name":"TlsVersion","type":"string","description":"The TLS version used in the connection of request."},{"name":"SasExpiryStatus","type":"string","description":"Records any violations in the request SAS token as per the SAS policy set in the storage account. 
Ex: longer SAS token duration specified than allowed per SAS policy."},{"name":"MetricResponseType","type":"string","description":"Records the metric response for correlation between metrics and logs."},{"name":"SourceUri","type":"string","description":"Records the source URI for operations."},{"name":"DestinationUri","type":"string","description":"Records the destination URI for operations."},{"name":"AccessTier","type":"string","description":"The access tier of the storage account."},{"name":"SourceAccessTier","type":"string","description":"The source tier of the storage account."},{"name":"RehydratePriority","type":"string","description":"The priority used to rehydrate an archived blob."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.networkanalytics/dataproducts"],"solutions":["LogManagement"],"queries":["1d326b1d-b84f-475a-9ce6-78dc33d33461","2f7096f6-093c-4c1d-bd85-b47737aa1aa7","0bd960eb-b761-4ff6-bf0e-73bc57590734","30005149-f6be-42fc-871c-65b45fbb7891"]}},{"id":"APIMDevPortalAuditDiagnosticLog","name":"APIMDevPortalAuditDiagnosticLog","tableType":"Microsoft","description":"Diagnostic Logs for API Management Developer Portal API.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Represents the date and time when the associated event or record was generated."},{"name":"OperationName","type":"string","description":"Field denotes the specific name or 
identifier of the operation being performed."},{"name":"Category","type":"string","description":"Distinct group or type of record."},{"name":"ActivityId","type":"string","description":"A unique identifier represented as a GUID (Globally Unique Identifier). It serves as a globally distinctive label for tracking and correlating activities or events across systems and applications."},{"name":"Version","type":"string","description":"API Management version"},{"name":"ResultType","type":"string","description":"This field signifies the outcome or type of result associated with this operation. It has two values: Succeeded or Failed."},{"name":"HashedUserId","type":"string","description":"The field represents a hashed or encrypted form of a user identifier."},{"name":"RequestPath","type":"string","description":"The field contains the path or endpoint of an incoming request."},{"name":"RequestMethod","type":"string","description":"The field indicates the type of HTTP method used in an incoming request."},{"name":"UserAgent","type":"string","description":"The field refers to the HTTP header that provides information about the user's browser or client application."},{"name":"ResponseCode","type":"int","description":"The field indicates the HTTP status code associated with the server's response to a client's request."},{"name":"Region","type":"string","description":"The field indicates the geographical location or data center region within the Azure cloud infrastructure where a specific resource or service is deployed."},{"name":"ServiceName","type":"string","description":"API Management service name"},{"name":"ApimClient","type":"string","description":"The field refers to the HTTP header X-Ms-Apim-Client sent by Developer Portal."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique 
identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":[],"resourceTypes":["microsoft.apimanagement/service"],"solutions":["LogManagement"]}},{"id":"ASCAuditLogs","name":"ASCAuditLogs","tableType":"Microsoft","description":"Contains audit logs generated by Azure Sphere service and devices. Logs can be used for audit and troubleshooting.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp(UTC) when the log event was generated."},{"name":"Location","type":"string","description":"The location and region where the log event was generated."},{"name":"OperationName","type":"string","description":"The Azure Sphere operation associated with the log event."},{"name":"ResultType","type":"string","description":"The result type (success, failure) for the log event."},{"name":"ResultDescription","type":"string","description":"The result description for the log event."},{"name":"Identity","type":"dynamic","description":"Identity of the user or application responsible for the log event."},{"name":"Properties","type":"dynamic","description":"Additional properties related to the log event."},{"name":"CorrelationId","type":"string","description":"A unique correlation ID for the log event."},{"name":"DurationMs","type":"int","description":"The total duration (in milliseconds) for the log event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique 
identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.azuresphere/catalogs"],"solutions":["LogManagement"]}},{"id":"ASCDeviceEvents","name":"ASCDeviceEvents","tableType":"Microsoft","description":"Contains event details for operations generated by Azure Sphere devices. These logs contain information about event types, event categories, event classes, event descriptions etc. that can be used for monitoring and troubleshooting app crashes on devices.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp(UTC) when the log event was generated."},{"name":"Location","type":"string","description":"The location and region where the log event was generated."},{"name":"OperationName","type":"string","description":"The Azure Sphere operation associated with the log event."},{"name":"DeviceId","type":"string","description":"The ID of the device where the log event was generated."},{"name":"CatalogId","type":"string","description":"The catalog ID of the device where the log event was generated."},{"name":"Properties","type":"dynamic","description":"Additional properties related to the log event."},{"name":"ResultType","type":"string","description":"The result type (success, failure) for the log event."},{"name":"ResultDescription","type":"string","description":"The result description for the log event."},{"name":"CorrelationId","type":"string","description":"A unique correlation ID for the log event."},{"name":"DurationMs","type":"int","description":"The total duration (in milliseconds) for the log event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A 
unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.azuresphere/catalogs"],"solutions":["LogManagement"],"queries":["483f4b2c-5325-441f-9ec4-edc9baefcdd4","24acfce7-569c-4e05-9145-e09752fae02c","0c4a1b53-4761-4793-88ee-b5e569a333c4","f718df22-98e8-4b32-a6d0-bfd05f725a42","5ef6030d-8c6a-44a0-8739-5797f36eea20"]}},{"id":"ASRJobs","name":"ASRJobs","tableType":"Microsoft","description":"This table contains records of Azure Site Recovery (ASR) jobs such as failover, test failover, reprotection etc., with key details for monitoring and diagnostics, such as the replicated item information, duration, status, description and so on. Whenever an ASR job is completed (i.e., succeeded or failed), a corresponding record for the job is sent to this table. You can view history of ASR jobs by querying this table over a larger time range, provided your workspace has the required retention configured.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log was generated."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"VaultType","type":"string","description":"Type of the vault associated with the ASR job."},{"name":"VaultName","type":"string","description":"Name of the vault associated with the ASR job."},{"name":"OperationName","type":"string","description":"Type of ASR job, for example, Test failover."},{"name":"Status","type":"string","description":"Status of the ASR job."},{"name":"CorrelationId","type":"string","description":"Correlation ID associated with the ASR job for debugging purposes."},{"name":"ResultDescription","type":"string","description":"Result of the ASR 
job."},{"name":"DurationMs","type":"int","description":"Duration of the ASR job."},{"name":"StartTime","type":"datetime","description":"Start time of the ASR job."},{"name":"EndTime","type":"datetime","description":"End time of the ASR job."},{"name":"SourceFriendlyName","type":"string","description":"Friendly name of the resource on which the ASR job was executed."},{"name":"Version","type":"string","description":"The API version."},{"name":"SourceResourceId","type":"string","description":"ARM ID of the resource on which the ASR job was executed."},{"name":"SourceResourceGroup","type":"string","description":"Resource Group of the source."},{"name":"SourceType","type":"string","description":"Type of resource on which the ASR job was executed."},{"name":"ReplicatedItemFriendlyName","type":"string","description":"Friendly name of replicated item associated with the ASR job (if applicable)."},{"name":"ReplicatedItemId","type":"string","description":"ARM ID of the replicated item associated with the ASR job (if applicable)."},{"name":"ReplicationScenario","type":"string","description":"Field used to identify whether the replication is being done for an Azure resource or an on-premises resource."},{"name":"ReplicatedItemUniqueId","type":"string","description":"Unique ID of the replicated item associated with the ASR job (if applicable)."},{"name":"PolicyUniqueId","type":"string","description":"Unique ID of the replication policy applied to the replicated item (if applicable)."},{"name":"PolicyId","type":"string","description":"ARM ID of the replication policy applied to the replicated item (if applicable)."},{"name":"PolicyFriendlyName","type":"string","description":"Friendly name of the replication policy applied to the replicated item (if applicable)."},{"name":"VaultLocation","type":"string","description":"Location of the vault associated with the ASR job."},{"name":"JobUniqueId","type":"string","description":"Unique ID of the ASR 
job."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.recoveryservices/vaults"],"solutions":["LogManagement"],"queries":["8ae09b10-bba7-4059-a179-4dd802f9dd28"],"functions":["b65a317e-7513-4379-b5fc-a467d3daa1d9"]}},{"id":"ASRReplicatedItems","name":"ASRReplicatedItems","tableType":"Microsoft","description":"This table contains details of Azure Site Recovery (ASR) replicated items, such as associated vault, policy, replication health, failover readiness. etc. Data is pushed once a day to this table for all replicated items, to provide the latest information for each item.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log was generated."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"VaultType","type":"string","description":"Type of the vault associated with the replicated item."},{"name":"VaultName","type":"string","description":"Name of the vault associated with the replicated item."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"ReplicationHealthErrors","type":"string","description":"List of issues that might be affecting the recovery point generation for the replicated item."},{"name":"RecoveryRegion","type":"string","description":"Target region to which the resource is replicated."},{"name":"MultiVMGroupId","type":"string","description":"For scenarios where multi-VM consistency 
feature is enabled for replicated VMs, this field specifies the ID of the multi-VM group associated with the replicated VM."},{"name":"LastSuccessfulTestFailoverTime","type":"datetime","description":"Time of the last successful faliover performed on the replicated item."},{"name":"LastHeartbeat","type":"datetime","description":"Time at which the ASR agent associated with the replicated item last made a call to the ASR service. Useful for debugging error scenarios where you wish to identify the time at which issues started arising."},{"name":"ReplicationStatus","type":"string","description":"Status of replication for the ASR replicated item."},{"name":"FailoverReadiness","type":"string","description":"Denotes whether there are any configuration issues that could affect the failover operation success for the ASR replicated item."},{"name":"DatasourceFriendlyName","type":"string","description":"Friendly name of the datasource being replicated."},{"name":"DatasourceUniqueId","type":"string","description":"Unique ID of the datasource being replicated."},{"name":"PrimaryFabricName","type":"string","description":"Represents the source region of the replicated item. By default, the value is the name of the source region, however if you have specified a custom name for the primary fabric while enabling replication, then that custom name shows up under this field."},{"name":"RecoveryFabricName","type":"string","description":"Represents the target region of the replicated item. By default, the value is the name of the target region, however if you have specified a custom name for the recovery fabric while enabling replication, then that custom name shows up under this field."},{"name":"PrimaryFabricType","type":"string","description":"Fabric type associated with the source region of the replicated item. 
Depending on whether the replicated item is an Azure VM, Hyper-V VM, or VMware VM, the value for this field varies."},{"name":"RecoveryFabricType","type":"string","description":"Fabric type associated with the target region of the replicated item. Depending on whether the replicated item is an Azure VM, Hyper-V VM, or VMware VM, the value for this field varies."}
item."},{"name":"ReplicatedItemFriendlyName","type":"string","description":"Friendly name of the resource being replicated."},{"name":"VaultLocation","type":"string","description":"Location of the vault associated with the replicated item."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.recoveryservices/vaults"],"solutions":["LogManagement"],"queries":["d7328548-c02f-4461-a86d-ddea98534a3c"],"functions":["29112523-50d8-4bb9-931f-47b8b3da558f"]}},{"id":"ASRv2HealthEvents","name":"ASRv2HealthEvents","tableType":"Microsoft","description":"This table contains records of Azure Site Recovery v2 (ASRv2) health related events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"CorrelationId","type":"string","description":"The correlation Id of the event."},{"name":"AffectedResourceId","type":"string","description":"The affected resource Id."},{"name":"AffectedResourceName","type":"string","description":"The affected resource name."},{"name":"EventType","type":"string","description":"The health event type."},{"name":"EventName","type":"string","description":"The health event name."},{"name":"TimeOfOccurrence","type":"datetime","description":"The time of occurrence 
of the event."},{"name":"EventSeverity","type":"string","description":"The health event severity."},{"name":"HealthErrors","type":"dynamic","description":"The errors associated with the health event."},{"name":"LogId","type":"string","description":"The event log Id for the health event."},{"name":"Version","type":"string","description":"The version for the event properties."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.datareplication/replicationvaults"],"solutions":["LogManagement"]}},{"id":"ASRv2JobEvents","name":"ASRv2JobEvents","tableType":"Microsoft","description":"This table contains records of Azure Site Recovery v2 (ASRv2) jobs such as replication, migration, etc., with key details for monitoring and diagnostics, such as protected item's information, duration, status, description and so on. Whenever an ASRv2 job is completed (i.e., succeeded or failed), a corresponding record for the job is sent to this table. 
You can view history of ASRv2 jobs by querying this table over a larger time range, provided your workspace has the required retention configured.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"CorrelationId","type":"string","description":"The correlation Id of the event."},{"name":"AffectedObjectId","type":"string","description":"The affected object Id."},{"name":"AffectedObjectName","type":"string","description":"The affected object name."},{"name":"AffectedObjectType","type":"string","description":"The affected object type."},{"name":"State","type":"string","description":"The operation state."},{"name":"HasInformation","type":"bool","description":"Whether the operation has informational messages logged."},{"name":"HasWarnings","type":"bool","description":"Whether the operation has warnings logged."},{"name":"HasErrors","type":"bool","description":"Whether the operation has critical errors logged."},{"name":"Message","type":"string","description":"The description for the event."},{"name":"StartTime","type":"datetime","description":"The operation start time."},{"name":"EndTime","type":"datetime","description":"The operation end time."},{"name":"TimeTaken","type":"real","description":"The duration of the operation in milliseconds."},{"name":"Version","type":"string","description":"The version for the event properties."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record 
is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.datareplication/replicationvaults"],"solutions":["LogManagement"]}},{"id":"ASRv2ProtectedItems","name":"ASRv2ProtectedItems","tableType":"Microsoft","description":"This table contains records of Azure Site Recovery v2 (ASRv2) protected item related events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"CorrelationId","type":"string","description":"The correlation Id of the event."},{"name":"ProviderId","type":"string","description":"The replication provider Id."},{"name":"PolicyName","type":"string","description":"The name of the replication policy."},{"name":"ReplicationExtensionName","type":"string","description":"The name of the replication extension."},{"name":"SourceFabricProviderId","type":"string","description":"The source fabric provider Id."},{"name":"TargetFabricProviderId","type":"string","description":"The target fabric provider Id."},{"name":"FabricAgentId","type":"string","description":"The fabric agent Id."},{"name":"TargetFabricAgentId","type":"string","description":"The target fabric agent Id."},{"name":"FabricObjectId","type":"string","description":"The fabric object Id."},{"name":"FabricObjectName","type":"string","description":"The fabric object name."},{"name":"FabricId","type":"string","description":"The fabric Id."},{"name":"TargetFabricId","type":"string","description":"The target fabric Id."},{"name":"ProtectionState","type":"string","description":"The current 
protection state."},{"name":"LastSuccessfulPlannedFailoverTime","type":"datetime","description":"The time of the last successful failover the protected item."},{"name":"ReplicationHealth","type":"string","description":"The health of the protected item."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.datareplication/replicationvaults"],"solutions":["LogManagement"]}},{"id":"ASRv2ReplicationExtensions","name":"ASRv2ReplicationExtensions","tableType":"Microsoft","description":"This table contains records of Azure Site Recovery v2 (ASRv2) replication extension related events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"ProvisioningState","type":"string","description":"The provisioning state of the replication extension."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is 
associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.datareplication/replicationvaults"],"solutions":["LogManagement"]}},{"id":"ASRv2ReplicationPolicies","name":"ASRv2ReplicationPolicies","tableType":"Microsoft","description":"This table contains records of Azure Site Recovery v2 (ASRv2) replication policy related events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"ProvisioningState","type":"string","description":"The provisioning state of the replication policy."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.datareplication/replicationvaults"],"solutions":["LogManagement"]}},{"id":"ASRv2ReplicationVaults","name":"ASRv2ReplicationVaults","tableType":"Microsoft","description":"This table contains records of Azure Site Recovery v2 (ASRv2) replication vault related events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the 
operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Location","type":"string","description":"The location of the replication vault."},{"name":"ServiceResourceId","type":"string","description":"The replication vault service resource Id."},{"name":"ProvisioningState","type":"string","description":"The provisioning state of the replication vault."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.datareplication/replicationvaults"],"solutions":["LogManagement"]}},{"id":"ASimAgentEventLogs","name":"ASimAgentEventLogs","tableType":"Microsoft","description":"Microsoft Sentinel normalized agent event logs table. 
Stores events associated with agent interactions, ensuring consistent and efficient analysis across different data sources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"EventUid","type":"string","description":"A unique identifier for the event."},{"name":"EventOriginalUid","type":"string","description":"The original unique identifier of the event as provided by the source."},{"name":"EventSchema","type":"string","description":"The name of the ASIM schema for the event."},{"name":"EventSchemaVersion","type":"string","description":"The version of the ASIM schema used."},{"name":"EventStartTime","type":"datetime","description":"The time at which the event started."},{"name":"EventEndTime","type":"datetime","description":"The time at which the event ended."},{"name":"EventCount","type":"int","description":"The number of events aggregated in this record."},{"name":"EventVendor","type":"string","description":"The vendor of the product that generated the event."},{"name":"EventProduct","type":"string","description":"The product that generated the event."},{"name":"SrcAgentId","type":"string","description":"The unique identifier of the source agent."},{"name":"SrcAgentName","type":"string","description":"The name of the source agent."},{"name":"SrcAgentOriginalType","type":"string","description":"The original type of the source agent as reported by the source."},{"name":"SrcAgentDescription","type":"string","description":"A description of the source agent."},{"name":"SrcAgentBlueprintId","type":"string","description":"The blueprint identifier of the source agent."},{"name":"SrcIpAddr","type":"string","description":"The IP address of the source."},{"name":"SrcFQDN","type":"string","description":"The fully qualified domain name of the 
source."},{"name":"SrcPortNumber","type":"int","description":"The port number of the source."},{"name":"TargetAgentId","type":"string","description":"The unique identifier of the target agent."},{"name":"TargetAgentName","type":"string","description":"The name of the target agent."},{"name":"TargetAgentUsername","type":"string","description":"The username associated with the target agent."},{"name":"TargetAgentUserId","type":"string","description":"The user identifier associated with the target agent."},{"name":"TargetAgentOriginalType","type":"string","description":"The original type of the target agent as reported by the source."},{"name":"TargetAgentDescription","type":"string","description":"A description of the target agent."},{"name":"TargetAgentBlueprintId","type":"string","description":"The blueprint identifier of the target agent."},{"name":"PlatformTargetAgentId","type":"string","description":"The unique identifier of the platform target agent."},{"name":"PlatformTargetAgentName","type":"string","description":"The name of the platform target agent."},{"name":"PlatformTargetAgentDescription","type":"string","description":"A description of the platform target agent."},{"name":"PlatformTargetOriginalAgentType","type":"string","description":"The original type of the platform target agent as reported by the source."},{"name":"ActorUserId","type":"string","description":"The unique identifier of the actor user."},{"name":"ActorUserIdType","type":"string","description":"The type of the actor user identifier."},{"name":"ActorUserScope","type":"string","description":"The scope of the actor user."},{"name":"ActorUserScopeId","type":"string","description":"The scope identifier of the actor user."},{"name":"ActorUsername","type":"string","description":"The username of the actor."},{"name":"ActorUsernameType","type":"string","description":"The type of the actor username."},{"name":"ActingAppName","type":"string","description":"The name of the application that initiated 
the event."},{"name":"ActingAppId","type":"string","description":"The identifier of the application that initiated the event."},{"name":"ActingAppType","type":"string","description":"The type of the application that initiated the event."},{"name":"EventSessionId","type":"string","description":"The unique identifier of the event session."},{"name":"EventSessionName","type":"string","description":"The name of the event session."},{"name":"EventType","type":"string","description":"The type of the event."},{"name":"EventOriginalType","type":"string","description":"The original event type as provided by the source."},{"name":"EventRequestId","type":"string","description":"The unique identifier of the request associated with the event."},{"name":"EventRequestTemperature","type":"real","description":"The temperature parameter used in the event request."},{"name":"EventRequestTopP","type":"real","description":"The top-p (nucleus sampling) parameter used in the event request."},{"name":"EventRequestPresencePenalty","type":"real","description":"The presence penalty parameter used in the event request."},{"name":"EventRequestFrequencyPenalty","type":"real","description":"The frequency penalty parameter used in the event request."},{"name":"EventRequestSeed","type":"long","description":"The seed parameter used in the event request for reproducibility."},{"name":"EventResponseId","type":"string","description":"The unique identifier of the response associated with the event."},{"name":"EventOriginalRequestDetails","type":"string","description":"The original request details as provided by the source."},{"name":"EventOriginalResultDetails","type":"string","description":"The original result details as provided by the source."},{"name":"EventErrorDetails","type":"string","description":"Details about any error that occurred during the event."},{"name":"EventOriginalErrorType","type":"string","description":"The original error type as provided by the 
source."},{"name":"EventThoughtProcessDetails","type":"string","description":"Details about the thought process or reasoning during the event."},{"name":"EventThoughtProcessId","type":"string","description":"The unique identifier of the thought process associated with the event."},{"name":"EventFinishReasons","type":"dynamic","description":"The reasons for the event completion."},{"name":"EventOutputType","type":"string","description":"The type of the event output."},{"name":"ToolId","type":"string","description":"The unique identifier of the tool used in the event."},{"name":"ToolName","type":"string","description":"The name of the tool used in the event."},{"name":"ToolDescription","type":"string","description":"A description of the tool used in the event."},{"name":"ToolOriginalType","type":"string","description":"The original type of the tool as reported by the source."},{"name":"ModelProviderName","type":"string","description":"The name of the model provider."},{"name":"ModelName","type":"string","description":"The name of the model used in the event."},{"name":"InputTokensUsed","type":"long","description":"The number of input tokens consumed during the event."},{"name":"OutputTokensUsed","type":"long","description":"The number of output tokens generated during the event."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information not covered by other fields, stored as key-value pairs."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/agenteventnormalized"],"solutions":["SecurityInsights"],"queries":["86ec7263-b38a-4b73-b0cd-0939156545a6"]}},{"id":"ASimAlertEventLogs","name":"ASimAlertEventLogs","tableType":"Microsoft","description":"Microsoft Sentinel normalized alert events table. Stores events associated with security events and alerts, ensuring consistent and efficient analysis across different data sources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) reflecting the time in which the event was generated."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information, represented using key/value pairs provided by the source which do not map to ASim."},{"name":"EventMessage","type":"string","description":"A general message or description."},{"name":"EventCount","type":"int","description":"The number of events described by the record."},{"name":"EventStartTime","type":"datetime","description":"The time (UTC) in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventEndTime","type":"datetime","description":"The time (UTC) in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. 
If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventType","type":"string","description":"Describes the operation reported by the record."},{"name":"EventSubType","type":"string","description":"Describes a subdivision of the operation reported in the EventType field."},{"name":"EventResult","type":"string","description":"The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field."},{"name":"EventResultDetails","type":"string","description":"Reason or details for the result reported in the EventResult field."},{"name":"EventUid","type":"string","description":"A machine-readable, alphanumeric string that uniquely identifies an alert within a system."},{"name":"EventOriginalUid","type":"string","description":"A unique ID of the original record, if provided by the source."},{"name":"EventOriginalType","type":"string","description":"The original event type or ID, if provided by the source."},{"name":"EventOriginalSubType","type":"string","description":"The original event subtype or ID, if provided by the source."},{"name":"EventOriginalResultDetails","type":"string","description":"The original result details provided by the source."},{"name":"EventSeverity","type":"string","description":"The severity of the event. 
Valid values are: Informational, Low, Medium, or High."},{"name":"EventOriginalSeverity","type":"string","description":"The original severity as provided by the reporting device."},{"name":"EventProduct","type":"string","description":"The product generating the event."},{"name":"EventProductVersion","type":"string","description":"The version of the product generating the event."},{"name":"EventVendor","type":"string","description":"The vendor of the product generating the event."},{"name":"EventSchemaVersion","type":"string","description":"The version of the schema."},{"name":"EventOwner","type":"string","description":"The owner of the event, which is usually the department or subsidiary in which it was generated."},{"name":"EventReportUrl","type":"string","description":"A URL provided in the event for a resource that provides more information about the event."},{"name":"DvcIpAddr","type":"string","description":"The IP Address of the device reporting the event."},{"name":"DvcHostname","type":"string","description":"The hostname of the device reporting the event."},{"name":"DvcDomain","type":"string","description":"The domain of the device reporting the event."},{"name":"DvcDomainType","type":"string","description":"The type of DvcDomain."},{"name":"DvcFQDN","type":"string","description":"The hostname of the device on which the event occurred or which reported the event."},{"name":"DvcDescription","type":"string","description":"A descriptive text associated with the device."},{"name":"DvcId","type":"string","description":"The unique ID of the device on which the event occurred or which reported the event."},{"name":"DvcIdType","type":"string","description":"The type of DvcId."},{"name":"DvcMacAddr","type":"string","description":"The MAC address of the device on which the event occurred or which reported the event."},{"name":"DvcZone","type":"string","description":"The network on which the event occurred or which reported the 
event."},{"name":"DvcOs","type":"string","description":"The operating system running on the device on which the event occurred or which reported the event."},{"name":"DvcOsVersion","type":"string","description":"The version of the operating system on the device on which the event occurred or which reported the event."},{"name":"DvcAction","type":"string","description":"For reporting security systems, the action taken by the system."},{"name":"DvcOriginalAction","type":"string","description":"The original DvcAction as provided by the reporting device."},{"name":"DvcInterface","type":"string","description":"The network interface on which data was captured."},{"name":"DvcScopeId","type":"string","description":"The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS."},{"name":"DvcScope","type":"string","description":"The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS."},{"name":"AlertId","type":"string","description":"Alias or friendly name for EventUid field."},{"name":"AlertName","type":"string","description":"Title or name of the alert."},{"name":"AlertDescription","type":"string","description":"Alias or friendly name for EventMessage field."},{"name":"AlertVerdict","type":"string","description":"The final determination or outcome of the alert, indicating whether the alert was confirmed as a threat, deemed suspicious, or resolved as a false positive."},{"name":"AlertStatus","type":"string","description":"Indicates the current state or progress of the alert."},{"name":"AlertOriginalStatus","type":"string","description":"The status of the alert as reported by the originating system."},{"name":"DetectionMethod","type":"string","description":"Provides detailed information about the specific detection method, technology, or data source that contributed to the generation of the 
alert."},{"name":"Rule","type":"string","description":"Either the value of RuleName or the value of RuleNumber."},{"name":"RuleNumber","type":"int","description":"The number of the rule associated with the alert."},{"name":"RuleName","type":"string","description":"The name or ID of the rule associated with the alert."},{"name":"RuleDescription","type":"string","description":"Description of the rule associated with the alert."},{"name":"ThreatId","type":"string","description":"The ID of the threat or malware identified in the alert."},{"name":"ThreatName","type":"string","description":"The name of the threat or malware identified in the alert."},{"name":"ThreatFirstReportedTime","type":"datetime","description":"Date and time when the threat was first reported."},{"name":"ThreatLastReportedTime","type":"datetime","description":"Date and time when the threat was last reported."},{"name":"ThreatCategory","type":"string","description":"The category of the threat or malware identified in the alert."},{"name":"ThreatOriginalCategory","type":"string","description":"The category of the threat as reported by the originating system."},{"name":"ThreatIsActive","type":"bool","description":"Indicates whether the threat is currently active."},{"name":"ThreatRiskLevel","type":"int","description":"The risk level associated with the threat. 
The level should be a number between 0 and 100."},{"name":"ThreatOriginalRiskLevel","type":"string","description":"The risk level as reported by the originating system."},{"name":"ThreatConfidence","type":"int","description":"The confidence level of the threat identified, normalized to a value between 0 and a 100."},{"name":"ThreatOriginalConfidence","type":"string","description":"The confidence level as reported by the originating system."},{"name":"IndicatorType","type":"string","description":"The type or category of the indicator."},{"name":"IndicatorAssociation","type":"string","description":"Specifies whether the indicator is linked to or directly impacted by the threat."},{"name":"AttackTactics","type":"string","description":"The attack tactics (name, ID, or both) associated with the alert."},{"name":"AttackTechniques","type":"string","description":"The attack techniques (name, ID, or both) associated with the alert."},{"name":"AttackRemediationSteps","type":"string","description":"Recommended actions or steps to mitigate or remediate the identified attack or threat."},{"name":"UserId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the user associated with the alert."},{"name":"UserIdType","type":"string","description":"The type of the user ID, such as GUID, SID, or Email."},{"name":"Username","type":"string","description":"Name of the user associated with the alert, including domain information when available."},{"name":"User","type":"string","description":"Alias or friendly name for Username field."},{"name":"UsernameType","type":"string","description":"Specifies the type of the user name stored in the Username field."},{"name":"UserType","type":"string","description":"The type of the Actor."},{"name":"OriginalUserType","type":"string","description":"The user type as reported by the reporting device."},{"name":"UserSessionId","type":"string","description":"The unique ID of the user's session associated with the 
alert."},{"name":"UserScopeId","type":"string","description":"The scope ID, such as Microsoft Entra Directory ID, in which UserId and Username are defined."},{"name":"UserScope","type":"string","description":"The scope, such as Microsoft Entra tenant, in which UserId and Username are defined."},{"name":"ProcessId","type":"string","description":"The process ID (PID) associated with the alert."},{"name":"ProcessCommandLine","type":"string","description":"Command line used to start the process."},{"name":"ProcessName","type":"string","description":"Name of the process."},{"name":"ProcessFileCompany","type":"string","description":"Company that created the process image file."},{"name":"FileName","type":"string","description":"Name of the file associated with the alert, without path or a location."},{"name":"FilePath","type":"string","description":"The full, normalized path of the target file, including the folder or location, the file name, and the extension."},{"name":"FileSHA1","type":"string","description":"SHA1 hash of the file."},{"name":"FileSHA256","type":"string","description":"SHA256 hash of the file."},{"name":"FileMD5","type":"string","description":"MD5 hash of the file."},{"name":"FileSize","type":"string","description":"Size of the file in bytes."},{"name":"Url","type":"string","description":"The URL string captured in the alert."},{"name":"RegistryKey","type":"string","description":"The registry key associated with the alert, normalized to standard root key naming conventions."},{"name":"RegistryValue","type":"string","description":"Registry value."},{"name":"RegistryValueData","type":"string","description":"Data of the registry value."},{"name":"RegistryValueType","type":"string","description":"Type of the registry value."},{"name":"EmailMessageId","type":"string","description":"Unique identifier for the email message, associated with the alert."},{"name":"EmailSubject","type":"string","description":"Subject of the 
email."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/alerteventnormalized"],"solutions":["SecurityInsights"],"queries":["9fe432a8-1b0a-4cb5-8878-0825e01c66fa"]}},{"id":"ASimAssetEntityLogs","name":"ASimAssetEntityLogs","tableType":"Microsoft","description":"Microsoft Sentinel normalized asset entity events table. Stores events associated with security events and alerts, ensuring consistent and efficient analysis across different data sources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"EntitySchema","type":"string","description":"The ASIM schema name for this entity record."},{"name":"EntitySchemaVersion","type":"string","description":"The version of the ASIM schema used for this entity record."},{"name":"EntityUpdatedTime","type":"datetime","description":"The timestamp (UTC) of when the entity record was last updated."},{"name":"EntityIngestionTime","type":"datetime","description":"The timestamp (UTC) of when the entity record was ingested into the system."},{"name":"EntityKey","type":"string","description":"The unique identifier of the entity, used for correlation across schemas."},{"name":"EntityId","type":"string","description":"A unique identifier for the entity within the normalized schema."},{"name":"EntityIdType","type":"string","description":"The type or format of the 
entity identifier."},{"name":"EntityOriginalId","type":"string","description":"The original identifier for the entity as reported by the source system."},{"name":"EntityName","type":"string","description":"The display name or identifier of the entity."},{"name":"EntityNameType","type":"string","description":"The type or format of the entity name, such as UPN, or username."},{"name":"AssetType","type":"string","description":"The high-level type of the asset, such as File, or Site."},{"name":"AssetOriginalType","type":"string","description":"The original type of the asset as reported by the source system."},{"name":"EntityVendor","type":"string","description":"The vendor or provider that reported the entity."},{"name":"EntitySource","type":"string","description":"The data source or connector that provided the entity record."},{"name":"EntityOriginalSource","type":"string","description":"The original data source or connector that provided the entity record."},{"name":"EntityProduct","type":"string","description":"The product name associated with the source that reported the entity."},{"name":"EntitySubProduct","type":"string","description":"The sub-product or component name associated with the source that reported the entity."},{"name":"EntityCreatedTime","type":"datetime","description":"The timestamp (UTC) of when the entity was originally created in the source system."},{"name":"EntityLastAccessedTime","type":"datetime","description":"The timestamp (UTC) of when the entity was last accessed."},{"name":"EntityLastModifiedTime","type":"datetime","description":"The timestamp (UTC) of when the entity was last modified in the source system."},{"name":"EntityIsDeleted","type":"bool","description":"Indicates whether the entity has been deleted in the source system."},{"name":"EntityFeedType","type":"string","description":"The type or category of the data feed that provided the entity record."},{"name":"EntitySnapshotId","type":"string","description":"The identifier of the 
snapshot to which the current record belongs."},{"name":"AssetOwnerId","type":"string","description":"The identifier of the user or principal that owns the asset."},{"name":"AssetOwnerIdType","type":"string","description":"The type or format of the asset owner identifier, such as UPN or SID."},{"name":"AssetOwnerType","type":"string","description":"The type of the asset owner, such as User, Group, or ServicePrincipal."},{"name":"AssetOwnerScope","type":"string","description":"The organizational or administrative scope to which the asset owner belongs."},{"name":"AssetOwnerScopeId","type":"string","description":"The identifier of the scope to which the asset owner belongs."},{"name":"AdditionalAssetOwners","type":"dynamic","description":"A dynamic collection of additional owners or co-owners associated with the asset."},{"name":"AssetOriginalPermissions","type":"dynamic","description":"The original permission set assigned to the asset as reported by the source system."},{"name":"AssetOriginalRiskDetails","type":"dynamic","description":"The full risk details for the asset as provided by the source system."},{"name":"AssetRiskName","type":"string","description":"The normalized name of the risk or threat associated with the asset."},{"name":"AssetRiskLevel","type":"string","description":"The normalized risk level assigned to the asset, such as Low, Medium, High, or Critical."},{"name":"AssetOriginalRiskLevel","type":"string","description":"The risk level assigned to the asset as reported by the source system, before normalization."},{"name":"AssetRiskFirstReportedTime","type":"datetime","description":"The timestamp (UTC) of when the risk associated with the asset was first reported."},{"name":"AssetRiskLastReportedTime","type":"datetime","description":"The timestamp (UTC) of when the risk associated with the asset was most recently reported."},{"name":"AssetSensitivityLabel","type":"string","description":"The sensitivity label applied to the asset, such as Confidential 
or Public."},{"name":"AssetOriginalSensitivityLevel","type":"string","description":"The sensitivity level as reported by the source system, before normalization."},{"name":"AssetIsProtectedByDlp","type":"bool","description":"Indicates whether the asset is protected by a Data Loss Prevention (DLP) policy."},{"name":"AssetRelatedIndicators","type":"dynamic","description":"A dynamic collection of threat indicators or signals related to the asset."},{"name":"AssetOriginalDataClassificationType","type":"dynamic","description":"The original data classification type(s) assigned to the asset as reported by the source system."},{"name":"AssetClassificationLastScanDateTime","type":"datetime","description":"The timestamp (UTC) of when the asset was last scanned for data classification."},{"name":"AADTenantId","type":"string","description":"The Azure Active Directory tenant identifier associated with the asset or entity."},{"name":"IdentityDirectoryName","type":"string","description":"The name of the identity directory, such as Active Directory or Azure AD, associated with the entity."},{"name":"IdentityDirectoryId","type":"string","description":"The identifier of the identity directory associated with the entity."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity that is not captured by other fields in the schema."},{"name":"InternalUsersCount","type":"int","description":"The number of internal users associated with or having access to the asset."},{"name":"ExternalUsersCount","type":"int","description":"The number of external users associated with or having access to the asset."},{"name":"FilePath","type":"string","description":"The full path of the file associated with the asset."},{"name":"FileSize","type":"long","description":"The size of the file in bytes."},{"name":"FileMD5","type":"string","description":"The MD5 hash of the file associated with the asset."},{"name":"FileSHA1","type":"string","description":"The SHA-1 
hash of the file associated with the asset."},{"name":"FileSHA256","type":"string","description":"The SHA-256 hash of the file associated with the asset."},{"name":"FileSHA512","type":"string","description":"The SHA-512 hash of the file associated with the asset."},{"name":"FileExtension","type":"string","description":"The file extension of the file associated with the asset, such as .exe or .pdf."},{"name":"FileIsSignatureValid","type":"bool","description":"Indicates whether the digital signature of the file is valid."},{"name":"FileSignatureDetails","type":"string","description":"Details about the digital signature of the file, such as the signer or certificate information."},{"name":"SitePath","type":"string","description":"The path of the site or storage location associated with the asset."},{"name":"SitePrimaryUri","type":"string","description":"The primary URI of the site or storage location associated with the asset."},{"name":"AssetPath","type":"string","description":"The alias of either FilePath or SitePath."},{"name":"User","type":"string","description":"The alias of AssetOwnerId."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/assetentitynormalized"],"solutions":["SecurityInsights"],"queries":["9fe432a8-1b0a-4cb5-8878-0825e01c66fb"]}},{"id":"ASimAuditEventLogs","name":"ASimAuditEventLogs","tableType":"Microsoft","description":"Microsoft Sentinel normalized audit events table. 
Stores events associated with the audit trail of information systems and audit trail logs system configuration activities and policy changes. Such changes are often performed by system administrators, but can also be performed by users when configuring the settings of their own applications.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) reflecting the time in which the event was generated."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information, represented using key/value pairs provided by the source which do not map to ASim."},{"name":"EventMessage","type":"string","description":"A general message or description."},{"name":"EventCount","type":"int","description":"The number of events described by the record."},{"name":"EventStartTime","type":"datetime","description":"The time (UTC) in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventEndTime","type":"datetime","description":"The time (UTC) in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventType","type":"string","description":"Describes the operation reported by the record"},{"name":"EventSubType","type":"string","description":"Describes a subdivision of the operation reported in the EventType field."},{"name":"EventResult","type":"string","description":"The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). 
The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field."},{"name":"EventResultDetails","type":"string","description":"Reason or details for the result reported in the EventResult field."},{"name":"EventOriginalUid","type":"string","description":"A unique ID of the original record, if provided by the source."},{"name":"EventOriginalType","type":"string","description":"The original event type or ID, if provided by the source."},{"name":"EventOriginalSubType","type":"string","description":"The original event subtype or ID, if provided by the source."},{"name":"EventOriginalResultDetails","type":"string","description":"The original result details provided by the source."},{"name":"EventSeverity","type":"string","description":"The severity of the event. Valid values are: Informational, Low, Medium, or High."},{"name":"EventOriginalSeverity","type":"string","description":"The original severity as provided by the reporting device. 
"},{"name":"EventProduct","type":"string","description":"The product generating the event."},{"name":"EventProductVersion","type":"string","description":"The version of the product generating the event."},{"name":"EventVendor","type":"string","description":"The vendor of the product generating the event."},{"name":"EventSchemaVersion","type":"string","description":"The version of the schema."},{"name":"EventOwner","type":"string","description":"The owner of the event, which is usually the department or subsidiary in which it was generated."},{"name":"EventReportUrl","type":"string","description":"A URL provided in the event for a resource that provides more information about the event."},{"name":"RuleName","type":"string","description":"The name or ID of the rule associated with the inspection results."},{"name":"RuleNumber","type":"int","description":"The number of the rule associated with the inspection results."},{"name":"ThreatId","type":"string","description":"The ID of the threat or malware identified in the audit activity."},{"name":"ThreatName","type":"string","description":"The name of the threat or malware identified in the audit activity."},{"name":"ThreatCategory","type":"string","description":"The category of the threat or malware identified in audit activity."},{"name":"ThreatRiskLevel","type":"int","description":"The risk level associated with the identified threat. 
The level should be a number between 0 and 100."},{"name":"ThreatOriginalRiskLevel","type":"string","description":"The risk level as reported by the reporting device."},{"name":"ThreatConfidence","type":"int","description":"The confidence level of the threat identified, normalized to a value between 0 and a 100."},{"name":"ThreatOriginalConfidence","type":"string","description":"The original confidence level of the threat identified, as reported by the reporting device."},{"name":"ThreatIsActive","type":"bool","description":"True if the threat identified is considered an active threat."},{"name":"ThreatFirstReportedTime","type":"datetime","description":"The first time the IP address or domain were identified as a threat."},{"name":"ThreatLastReportedTime","type":"datetime","description":"The last time the IP address or domain were identified as a threat."},{"name":"ThreatField","type":"string","description":"The field for which a threat was identified."},{"name":"ThreatIpAddr","type":"string","description":"An IP address or Domain for which a threat was identified."},{"name":"DvcIpAddr","type":"string","description":"The IP Address of the device reporting the event."},{"name":"DvcHostname","type":"string","description":"The hostname of the device reporting the event."},{"name":"DvcDomain","type":"string","description":"The domain of the device reporting the event."},{"name":"DvcDomainType","type":"string","description":"The type of DvcDomain."},{"name":"DvcFQDN","type":"string","description":"The hostname of the device on which the event occurred or which reported the event."},{"name":"DvcDescription","type":"string","description":"A descriptive text associated with the device."},{"name":"DvcId","type":"string","description":"The unique ID of the device on which the event occurred or which reported the event."},{"name":"DvcIdType","type":"string","description":"The type of DvcId."},{"name":"DvcMacAddr","type":"string","description":"The MAC address of the device on 
which the event occurred or which reported the event."},{"name":"DvcZone","type":"string","description":"The network on which the event occurred or which reported the event."},{"name":"DvcOs","type":"string","description":"The operating system running on the device on which the event occurred or which reported the event."},{"name":"DvcOsVersion","type":"string","description":"The version of the operating system on the device on which the event occurred or which reported the event."},{"name":"DvcAction","type":"string","description":"For reporting security systems, the action taken by the system."},{"name":"DvcOriginalAction","type":"string","description":"The original DvcAction as provided by the reporting device."},{"name":"DvcInterface","type":"string","description":"The network interface on which data was captured."},{"name":"DvcScopeId","type":"string","description":"The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS."},{"name":"DvcScope","type":"string","description":"The cloud platform scope the device belongs to. 
DvcScope map to a subscription ID on Azure and to an account ID on AWS."},{"name":"ActorUserId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the actor."},{"name":"ActorUserAadId","type":"string","description":"The Azure Active Directory ID of the actor."},{"name":"ActorUserSid","type":"string","description":"The Windows user ID (SIDs) of the actor."},{"name":"ActorUserIdType","type":"string","description":"The type of the ID stored in the ActorUserId field."},{"name":"ActorScopeId","type":"string","description":"The scope ID, such as Azure AD tenant ID, in which ActorUserId and ActorUsername are defined."},{"name":"ActorScope","type":"string","description":"The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined."},{"name":"ActorUsername","type":"string","description":"The Actor's username, including domain information when available."},{"name":"ActorUsernameType","type":"string","description":"The type of the Actor's username specified in ActionUsername field"},{"name":"ActorUserType","type":"string","description":"The type of the Actor."},{"name":"ActorOriginalUserType","type":"string","description":"The user type as reported by the reporting device."},{"name":"ActorSessionId","type":"string","description":"The unique ID of the sign-in session of the Actor."},{"name":"TargetAppId","type":"string","description":"The ID of the application to which the event applies, including a process, browser, or service."},{"name":"TargetAppName","type":"string","description":"The name of the application to which event applies, including a service, a URL, or a SaaS application."},{"name":"TargetAppType","type":"string","description":"The type of the application authorizing on behalf of the Actor."},{"name":"TargetOriginalAppType","type":"string","description":"The target application type as reported by the reporting device."},{"name":"TargetUrl","type":"string","description":"A URL associated with the 
target application."},{"name":"ActingAppId","type":"string","description":"The ID of the application that initiated the activity reported, including a process, browser, or service."},{"name":"ActingAppName","type":"string","description":"The name of the application that initiated the activity reported, including a service, a URL, or a SaaS application."},{"name":"ActingAppType","type":"string","description":"The type of acting application."},{"name":"ActingOriginalAppType","type":"string","description":"The acting application type as reported by the reporting device."},{"name":"HttpUserAgent","type":"string","description":"When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication."},{"name":"SrcIpAddr","type":"string","description":"The Source IP address from which the connection or session originated."},{"name":"SrcPortNumber","type":"int","description":"The Source IP port from which the connection originated."},{"name":"SrcHostname","type":"string","description":"The source device hostname, excluding domain information."},{"name":"SrcDomain","type":"string","description":"The domain of the source device."},{"name":"SrcDomainType","type":"string","description":"The type of SrcDomain."},{"name":"SrcFQDN","type":"string","description":"The source device hostname, including domain information when available."},{"name":"SrcDescription","type":"string","description":"A descriptive text associated with the source device."},{"name":"SrcDvcId","type":"string","description":"The ID of the source device."},{"name":"SrcDvcIdType","type":"string","description":"The type of SrcDvcId."},{"name":"SrcDvcScopeId","type":"string","description":"The cloud platform scope ID the source device belongs to. 
SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS."},{"name":"SrcDvcScope","type":"string","description":"The cloud platform scope the source device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS."},{"name":"SrcDeviceType","type":"string","description":"The type of the source device."},{"name":"SrcGeoCountry","type":"string","description":"The country associated with the source IP address."},{"name":"SrcGeoLatitude","type":"real","description":"The latitude of the geographical coordinate associated with the source IP address."},{"name":"SrcGeoLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the source IP address."},{"name":"SrcGeoRegion","type":"string","description":"The region within a country associated with the source IP address."},{"name":"SrcGeoCity","type":"string","description":"The city associated with the source IP address."},{"name":"SrcRiskLevel","type":"int","description":"The risk level associated with the identified Source."},{"name":"SrcOriginalRiskLevel","type":"string","description":"The risk level associaeted with the identified Source as reported by the reporting device."},{"name":"TargetIpAddr","type":"string","description":"The Target IP address from which the connection or session originated."},{"name":"TargetPortNumber","type":"int","description":"The Target IP port from which the connection originated."},{"name":"TargetHostname","type":"string","description":"The target device hostname, excluding domain information."},{"name":"TargetDomain","type":"string","description":"The domain of the target device."},{"name":"TargetDomainType","type":"string","description":"The type of TargetDomain."},{"name":"TargetFQDN","type":"string","description":"The target device hostname, including domain information when available."},{"name":"TargetDescription","type":"string","description":"A descriptive text associated with the target 
device."},{"name":"TargetDvcId","type":"string","description":"The ID of the target device."},{"name":"TargetDvcIdType","type":"string","description":"The type of TargetDvcId."},{"name":"TargetDvcScopeId","type":"string","description":"The cloud platform scope ID the target device belongs to. TargetDvcScopeId map to a subscription ID on Azure and to an account ID on AWS."},{"name":"TargetDvcScope","type":"string","description":"The cloud platform scope the target device belongs to. TargetDvcScope map to a subscription ID on Azure and to an account ID on AWS."},{"name":"TargetDeviceType","type":"string","description":"The type of the target device."},{"name":"TargetGeoCountry","type":"string","description":"The country associated with the target IP address."},{"name":"TargetGeoLatitude","type":"real","description":"The latitude of the geographical coordinate associated with the target IP address."},{"name":"TargetGeoLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the target IP address."},{"name":"TargetGeoRegion","type":"string","description":"The region within a country associated with the target IP address."},{"name":"TargetGeoCity","type":"string","description":"The city associated with the target IP address."},{"name":"TargetRiskLevel","type":"int","description":"The risk level associated with the target."},{"name":"TargetOriginalRiskLevel","type":"string","description":"The risk level associated with the target, as reported by the reporting device."},{"name":"TargetDvcOs","type":"string","description":"The OS of the target device."},{"name":"Operation","type":"string","description":"The operation audited as reported by the reporting device."},{"name":"ObjectId","type":"string","description":"The name of the object on which the operation identified by EventType is performed."},{"name":"Object","type":"string","description":"The name of the object on which the operation identified by EventType is 
performed."},{"name":"ObjectType","type":"string","description":"The type of Object."},{"name":"OriginalObjectType","type":"string","description":"The object type as reported by the reporting device."},{"name":"OldValue","type":"string","description":"The old value of Object prior to the operation."},{"name":"NewValue","type":"string","description":"The new value of Object after the operation was performed."},{"name":"ValueType","type":"string","description":"The type of the old and new values. "},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/auditeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"ASimAuthenticationEventLogs","name":"ASimAuthenticationEventLogs","tableType":"Microsoft","description":"Microsoft Sentinel normalized authentication events table. 
Stores events associated, for example, with the user authentication, sign-in, and sign-out.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) reflecting the time in which the event was generated."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information, represented using key/value pairs provided by the source which do not map to ASim."},{"name":"EventMessage","type":"string","description":"A general message or description."},{"name":"EventCount","type":"int","description":"The number of events described by the record."},{"name":"EventStartTime","type":"datetime","description":"The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventEndTime","type":"datetime","description":"The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventType","type":"string","description":"Describes the operation reported by the record"},{"name":"EventSubType","type":"string","description":"The sign-in type for example System, Interactive, RemoteInteractive, Service, RemoteService, Remote or AssumeRole."},{"name":"EventResult","type":"string","description":"The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). 
The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field."},{"name":"EventResultDetails","type":"string","description":"The details associated with the event result. This field is typically populated when the result is a failure."},{"name":"EventOriginalUid","type":"string","description":"A unique ID of the original record, if provided by the source."},{"name":"EventOriginalType","type":"string","description":"The original event type or ID, if provided by the source."},{"name":"EventOriginalSubType","type":"string","description":"The original event subtype or ID, if provided by the source."},{"name":"EventOriginalResultDetails","type":"string","description":"The original result details provided by the source."},{"name":"EventSeverity","type":"string","description":"The severity of the event. Valid values are: Informational, Low, Medium, or High."},{"name":"EventOriginalSeverity","type":"string","description":"The original severity as provided by the reporting device. 
"},{"name":"EventProduct","type":"string","description":"The product generating the event."},{"name":"EventProductVersion","type":"string","description":"The version of the product generating the event."},{"name":"EventVendor","type":"string","description":"The vendor of the product generating the event."},{"name":"EventSchemaVersion","type":"string","description":"The version of the schema."},{"name":"EventOwner","type":"string","description":"The owner of the event, which is usually the department or subsidiary in which it was generated."},{"name":"EventReportUrl","type":"string","description":"A URL provided in the event for a resource that provides more information about the event."},{"name":"RuleName","type":"string","description":"The name or ID of the rule associated with the inspection results."},{"name":"RuleNumber","type":"int","description":"The number of the rule associated with the inspection results."},{"name":"ThreatId","type":"string","description":"The ID of the threat or malware identified in the audit activity."},{"name":"ThreatName","type":"string","description":"The name of the threat or malware identified in the audit activity."},{"name":"ThreatCategory","type":"string","description":"The category of the threat or malware identified in audit activity."},{"name":"ThreatRiskLevel","type":"int","description":"The risk level associated with the identified threat. 
The level should be a number between 0 and 100."},{"name":"ThreatOriginalRiskLevel","type":"string","description":"The risk level as reported by the reporting device."},{"name":"ThreatConfidence","type":"int","description":"The confidence level of the threat identified, normalized to a value between 0 and 100."},{"name":"ThreatOriginalConfidence","type":"string","description":"The original confidence level of the threat identified, as reported by the reporting device."},{"name":"ThreatIsActive","type":"bool","description":"True if the threat identified is considered an active threat."},{"name":"ThreatFirstReportedTime","type":"datetime","description":"The first time the IP address or domain was identified as a threat."},{"name":"ThreatLastReportedTime","type":"datetime","description":"The last time the IP address or domain was identified as a threat."},{"name":"ThreatField","type":"string","description":"The field for which a threat was identified."},{"name":"ThreatIpAddr","type":"string","description":"An IP address for which a threat was identified."},{"name":"DvcIpAddr","type":"string","description":"The IP Address of the device reporting the event."},{"name":"DvcHostname","type":"string","description":"The hostname of the device reporting the event."},{"name":"DvcDomain","type":"string","description":"The domain of the device reporting the event."},{"name":"DvcDomainType","type":"string","description":"The type of DvcDomain."},{"name":"DvcFQDN","type":"string","description":"The hostname of the device on which the event occurred or which reported the event."},{"name":"DvcDescription","type":"string","description":"A descriptive text associated with the device."},{"name":"DvcId","type":"string","description":"The unique ID of the device on which the event occurred or which reported the event."},{"name":"DvcIdType","type":"string","description":"The type of DvcId."},{"name":"DvcMacAddr","type":"string","description":"The MAC address of the device on which the 
event occurred or which reported the event."},{"name":"DvcZone","type":"string","description":"The network on which the event occurred or which reported the event."},{"name":"DvcOs","type":"string","description":"The operating system running on the device on which the event occurred or which reported the event."},{"name":"DvcOsVersion","type":"string","description":"The version of the operating system on the device on which the event occurred or which reported the event."},{"name":"DvcAction","type":"string","description":"For reporting security systems, the action taken by the system."},{"name":"DvcOriginalAction","type":"string","description":"The original DvcAction as provided by the reporting device."},{"name":"DvcInterface","type":"string","description":"The network interface on which data was captured."},{"name":"DvcScopeId","type":"string","description":"The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS."},{"name":"DvcScope","type":"string","description":"The cloud platform scope the device belongs to. 
DvcScope map to a subscription ID on Azure and to an account ID on AWS."},{"name":"ActorUserId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the actor."},{"name":"ActorUserIdType","type":"string","description":"The type of the ID stored in the ActorUserId field."},{"name":"ActorScopeId","type":"string","description":"The scope ID, such as Azure AD tenant ID, in which ActorUserId and ActorUsername are defined."},{"name":"ActorScope","type":"string","description":"The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined."},{"name":"ActorUsername","type":"string","description":"The Actor's username, including domain information when available."},{"name":"ActorUsernameType","type":"string","description":"Specifies the type of the user name stored in the ActorUsername field."},{"name":"ActorUserType","type":"string","description":"The type of the Actor."},{"name":"ActorOriginalUserType","type":"string","description":"The user type as reported by the reporting device."},{"name":"ActorSessionId","type":"string","description":"The unique ID of the sign-in session of the Actor."},{"name":"ActingAppId","type":"string","description":"The ID of the application authorizing on behalf of the actor, including a process, browser, or service."},{"name":"ActingAppName","type":"string","description":"The name of the application authorizing on behalf of the actor, including a process, browser, or service."},{"name":"ActingAppType","type":"string","description":"The type of acting application."},{"name":"ActingOriginalAppType","type":"string","description":"The acting application type as reported by the reporting device."},{"name":"HttpUserAgent","type":"string","description":"When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication."},{"name":"TargetUserId","type":"string","description":"A 
machine-readable, alphanumeric, unique representation of the target actor."},{"name":"TargetUserIdType","type":"string","description":"The type of the ID stored in the TargetUserId field."},{"name":"TargetUserScopeId","type":"string","description":"The scope ID, such as Azure AD tenant ID, in which TargetUserId and TargetUsername are defined."},{"name":"TargetUserScope","type":"string","description":"The scope, such as Azure AD tenant, in which TargetUserId and TargetUsername are defined."},{"name":"TargetUsername","type":"string","description":"The Target actor's username, including domain information when available."},{"name":"TargetUsernameType","type":"string","description":"The type of the Target actor's username specified in the TargetUsername field."},{"name":"TargetUserType","type":"string","description":"The type of the Target actor."},{"name":"TargetOriginalUserType","type":"string","description":"The user type as reported by the reporting device."},{"name":"TargetSessionId","type":"string","description":"The unique ID of the sign-in session of the Target actor."},{"name":"TargetAppId","type":"string","description":"The ID of the application to which the authorization is required, often assigned by the reporting device."},{"name":"TargetAppName","type":"string","description":"The name of the application to which the authorization is required, including a service, a URL, or a SaaS application."},{"name":"TargetAppType","type":"string","description":"The type of the application authorizing on behalf of the Actor."},{"name":"TargetOriginalAppType","type":"string","description":"The target application type as reported by the reporting device."},{"name":"TargetUrl","type":"string","description":"A URL associated with the target application."},{"name":"SrcIpAddr","type":"string","description":"The IP address of the source device."},{"name":"SrcPortNumber","type":"int","description":"The IP port from which the connection 
originated."},{"name":"SrcHostname","type":"string","description":"The source device hostname, excluding domain information."},{"name":"SrcDomain","type":"string","description":"The domain of the source device."},{"name":"SrcDomainType","type":"string","description":"The type of SrcDomain."},{"name":"SrcFQDN","type":"string","description":"The source device hostname, including domain information when available."},{"name":"SrcDescription","type":"string","description":"A descriptive text associated with the source device."},{"name":"SrcDvcId","type":"string","description":"The ID of the source device."},{"name":"SrcDvcIdType","type":"string","description":"The type of SrcDvcId."},{"name":"SrcDvcScopeId","type":"string","description":"The cloud platform scope ID the source device belongs to. SrcDvcScopeId maps to a subscription ID on Azure and to an account ID on AWS."},{"name":"SrcDvcScope","type":"string","description":"The cloud platform scope the source device belongs to. SrcDvcScope maps to a subscription ID on Azure and to an account ID on AWS."},{"name":"SrcDeviceType","type":"string","description":"The type of the source device."},{"name":"SrcGeoCountry","type":"string","description":"The country associated with the source IP address."},{"name":"SrcGeoLatitude","type":"real","description":"The latitude of the geographical coordinate associated with the source IP address."},{"name":"SrcGeoLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the source IP address."},{"name":"SrcGeoRegion","type":"string","description":"The region within a country associated with the source IP address."},{"name":"SrcGeoCity","type":"string","description":"The city associated with the source IP address."},{"name":"SrcRiskLevel","type":"int","description":"The risk level associated with the identified Source."},{"name":"SrcOriginalRiskLevel","type":"string","description":"The risk level associated with the identified Source as 
reported by the reporting device."},{"name":"SrcIsp","type":"string","description":"The Internet Service Provider (ISP) used by the source device to connect to the internet."},{"name":"SrcDvcOs","type":"string","description":"The OS of the source device."},{"name":"TargetIpAddr","type":"string","description":"The IP address of the target device."},{"name":"TargetPortNumber","type":"int","description":"The port of the target device."},{"name":"TargetHostname","type":"string","description":"The target device hostname, excluding domain information."},{"name":"TargetDomain","type":"string","description":"The domain of the target device."},{"name":"TargetDomainType","type":"string","description":"The type of TargetDomain."},{"name":"TargetFQDN","type":"string","description":"The target device hostname, including domain information when available."},{"name":"TargetDescription","type":"string","description":"A descriptive text associated with the target device."},{"name":"TargetDvcId","type":"string","description":"The ID of the target device."},{"name":"TargetDvcIdType","type":"string","description":"The type of TargetDvcId."},{"name":"TargetDvcScopeId","type":"string","description":"The cloud platform scope ID the target device belongs to. TargetDvcScopeId map to a subscription ID on Azure and to an account ID on AWS."},{"name":"TargetDvcScope","type":"string","description":"The cloud platform scope the target device belongs to. 
TargetDvcScope map to a subscription ID on Azure and to an account ID on AWS."},{"name":"TargetDeviceType","type":"string","description":"The type of the target device."},{"name":"TargetGeoCountry","type":"string","description":"The country associated with the target IP address."},{"name":"TargetGeoLatitude","type":"real","description":"The latitude of the geographical coordinate associated with the target IP address."},{"name":"TargetGeoLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the target IP address."},{"name":"TargetGeoRegion","type":"string","description":"The region within a country associated with the target IP address."},{"name":"TargetGeoCity","type":"string","description":"The city associated with the target IP address."},{"name":"TargetRiskLevel","type":"int","description":"The risk level associated with the target."},{"name":"TargetOriginalRiskLevel","type":"string","description":"The risk level associated with the target, as reported by the reporting device."},{"name":"TargetDvcOs","type":"string","description":"The OS of the target device."},{"name":"LogonMethod","type":"string","description":"The method used to perform authentication."},{"name":"LogonProtocol","type":"string","description":"The protocol used to perform authentication."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/authenticationevent"],"solutions":["SecurityInsights"]}},{"id":"ASimDhcpEventLogs","name":"ASimDhcpEventLogs","tableType":"Microsoft","description":"The ASIM DHCP schema represents DHCP server activity, including serving requests for DHCP IP address leased from client systems and updating a DNS server with the leases granted.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) reflecting the time in which the event was generated."},{"name":"EventProduct","type":"string","description":"The product generating the event. The value should be one of the values listed in Vendors and Products."},{"name":"EventVendor","type":"string","description":"The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products."},{"name":"EventResult","type":"string","description":"The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable)."},{"name":"EventSeverity","type":"string","description":"The severity of the event."},{"name":"EventType","type":"string","description":"Describes the operation reported by the record."},{"name":"SrcHostname","type":"string","description":"The device hostname, excluding domain information."},{"name":"SrcIpAddr","type":"string","description":"The IP address of the source device."},{"name":"SrcMacAddr","type":"string","description":"The MAC address of the network interface from which the connection or session originated."},{"name":"DhcpCircuitId","type":"string","description":"The DHCP circuit ID, as defined by RFC3046."},{"name":"DhcpLeaseDuration","type":"int","description":"The length of the lease granted to a client, in seconds."},{"name":"DhcpSessionDuration","type":"int","description":"The 
amount of time, in milliseconds, for the completion of the DHCP session."},{"name":"DhcpSessionId","type":"string","description":"The session identifier as reported by the reporting device. For the Windows DHCP server, set this to the TransactionID field."},{"name":"DhcpSrcDHCId","type":"string","description":"The DHCP client ID, as defined by RFC4701."},{"name":"DhcpSubscriberId","type":"string","description":"The DHCP subscriber ID, as defined by RFC3993."},{"name":"DhcpUserClass","type":"string","description":"The DHCP User Class, as defined by RFC3004."},{"name":"DhcpUserClassId","type":"string","description":"The DHCP User Class Id, as defined by RFC3004."},{"name":"DhcpVendorClass","type":"string","description":"The DHCP Vendor Class, as defined by RFC3925."},{"name":"DhcpVendorClassId","type":"string","description":"The DHCP Vendor Class Id, as defined by RFC3925."},{"name":"EventResultDetails","type":"string","description":"Reason or details for the result reported in the EventResult field."},{"name":"DvcIpAddr","type":"string","description":"The IP address of the device on which the event occurred or which reported the event, depending on the schema."},{"name":"DvcHostname","type":"string","description":"The hostname of the device on which the event occurred or which reported the event, depending on the schema."},{"name":"DvcAction","type":"string","description":"For reporting security systems, the action taken by the system, if applicable."},{"name":"DvcDescription","type":"string","description":"A descriptive text associated with the device."},{"name":"DvcDomain","type":"string","description":"The domain of the device on which the event occurred or which reported the event, depending on the schema"},{"name":"DvcDomainType","type":"string","description":"The type of DvcDomain."},{"name":"DvcFQDN","type":"string","description":"The hostname of the device on which the event occurred or which reported the event, depending on the 
schema."},{"name":"DvcId","type":"string","description":"The unique ID of the device on which the event occurred or which reported the event, depending on the schema."},{"name":"DvcIdType","type":"string","description":"The type of DvcId."},{"name":"DvcInterface","type":"string","description":"The network interface on which data was captured. This field is typically relevant to network related activity which is captured by an intermediate or tap device."},{"name":"DvcMacAddr","type":"string","description":"The MAC address of the device on which the event occurred or which reported the event."},{"name":"DvcOriginalAction","type":"string","description":"The original DvcAction as provided by the reporting device."},{"name":"DvcOs","type":"string","description":"The operating system running on the device on which the event occurred or which reported the event."},{"name":"DvcOsVersion","type":"string","description":"The version of the operating system on the device on which the event occurred or which reported the event."},{"name":"DvcScope","type":"string","description":"The cloud platform scope the device belongs to. DvcScope map to a subscription name on Azure and to an account ID on AWS."},{"name":"DvcScopeId","type":"string","description":"The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS."},{"name":"DvcZone","type":"string","description":"The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device."},{"name":"SrcDomain","type":"string","description":"The domain of the device."},{"name":"EventCount","type":"int","description":"The number of events described by the record. 
This value is used when the source supports aggregation, and a single record might represent multiple events."},{"name":"EventMessage","type":"string","description":"A general message or description, either included in or generated from the record."},{"name":"EventOriginalResultDetails","type":"string","description":"The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema."},{"name":"EventOriginalSeverity","type":"string","description":"The original severity as provided by the reporting device. This value is used to derive EventSeverity."},{"name":"EventOriginalSubType","type":"string","description":"The original event subtype or ID, if provided by the source."},{"name":"EventOriginalType","type":"string","description":"The original event type or ID, if provided by the source."},{"name":"EventOriginalUid","type":"string","description":"A unique ID of the original record, if provided by the source."},{"name":"EventOwner","type":"string","description":"The owner of the event, which is usually the department or subsidiary in which it was generated."},{"name":"EventProductVersion","type":"string","description":"The version of the product generating the event."},{"name":"EventReportUrl","type":"string","description":"A URL provided in the event for a resource that provides more information about the event."},{"name":"EventSubType","type":"string","description":"Describes a subdivision of the operation reported in the EventType field."},{"name":"RequestedIpAddr","type":"string","description":"The IP address requested by the DHCP client, when available."},{"name":"SrcDeviceType","type":"string","description":"The type of the device."},{"name":"SrcDomainType","type":"string","description":"The type of the domain."},{"name":"SrcDvcId","type":"string","description":"The ID of the device."},{"name":"SrcDvcIdType","type":"string","description":"The type of the 
DvcId."},{"name":"SrcDvcScope","type":"string","description":"The cloud platform scope the device belongs to."},{"name":"SrcDvcScopeId","type":"string","description":"The cloud platform scope ID the device belongs to."},{"name":"SrcFQDN","type":"string","description":"The device hostname, including domain information when available."},{"name":"SrcDescription","type":"string","description":"A descriptive text associated with the device."},{"name":"SrcOriginalUserType","type":"string","description":"The original source user type, if provided by the source."},{"name":"SrcPortNumber","type":"int","description":"The IP port on which the device communicated, if applicable."},{"name":"SrcUserId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the user."},{"name":"SrcUserIdType","type":"string","description":"The type of SrcUserId."},{"name":"SrcUsername","type":"string","description":"The user's username, including domain information when available."},{"name":"SrcUsernameType","type":"string","description":"The type of username."},{"name":"SrcUserScope","type":"string","description":"The scope, such as Azure AD tenant, in which UserId and Username are defined."},{"name":"SrcUserScopeId","type":"string","description":"The scope ID, such as Azure AD tenant ID, in which UserId and Username are defined."},{"name":"SrcUserSessionId","type":"string","description":"The unique ID of the sign-in session of the user."},{"name":"SrcUserType","type":"string","description":"The type of user."},{"name":"SrcUserUid","type":"string","description":"The Unix or Linux user ID of the user."},{"name":"SrcGeoCountry","type":"string","description":"The country associated with the source IP address."},{"name":"SrcGeoLatitude","type":"real","description":"The latitude of the geographical coordinate associated with the source IP address."},{"name":"SrcGeoLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the source IP 
address."},{"name":"SrcGeoRegion","type":"string","description":"The region within a country associated with the source IP address."},{"name":"SrcGeoCity","type":"string","description":"The city associated with the source IP address."},{"name":"SrcRiskLevel","type":"int","description":"The risk level associated with the identified Source."},{"name":"SrcOriginalRiskLevel","type":"string","description":"The risk level associated with the identified Source as reported by the reporting device."},{"name":"RuleName","type":"string","description":"The name or ID of the rule associated with the inspection results."},{"name":"RuleNumber","type":"int","description":"The number of the rule associated with the inspection results."},{"name":"ThreatId","type":"string","description":"The ID of the threat or malware identified in the activity."},{"name":"ThreatName","type":"string","description":"The name of the threat or malware identified in the activity."},{"name":"ThreatCategory","type":"string","description":"The category of the threat or malware identified in the activity."},{"name":"ThreatRiskLevel","type":"int","description":"The risk level associated with the identified threat. 
The level should be a number between 0 and 100."},{"name":"ThreatOriginalRiskLevel","type":"string","description":"The risk level as reported by the reporting device."},{"name":"ThreatField","type":"string","description":"The field for which a threat was identified."},{"name":"ThreatConfidence","type":"int","description":"The confidence level of the threat identified, normalized to a value between 0 and 100."},{"name":"ThreatOriginalConfidence","type":"string","description":"The original confidence level of the threat identified, as reported by the reporting device."},{"name":"ThreatIsActive","type":"bool","description":"True if the threat identified is considered an active threat."},{"name":"ThreatFirstReportedTime","type":"datetime","description":"The first time the IP address or domain was identified as a threat."},{"name":"ThreatLastReportedTime","type":"datetime","description":"The last time the IP address or domain was identified as a threat."},{"name":"EventSchema","type":"string","description":"The schema the event is normalized to. Each schema documents its schema name."},{"name":"EventSchemaVersion","type":"string","description":"The version of the schema. Each schema documents its current version."},{"name":"EventStartTime","type":"datetime","description":"The time in which the event started. If the source supports aggregation and the record represents multiple events, the time when the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventEndTime","type":"datetime","description":"The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time when the last event was generated. 
If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information, represented using key/value pairs provided by the source which do not map to ASim."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"ASimDnsActivityLogs","name":"ASimDnsActivityLogs","tableType":"Microsoft","description":"The ASim DNS activity schema represents DNS protocol activity, which may be logged either by a DNS server or by a device sending DNS requests to a DNS server. The DNS protocol activity includes DNS queries, DNS server updates, and DNS bulk data transfers. Since the schema represents protocol activity, it is governed by RFCs and officially assigned parameter lists. The DNS activity schema does not represent DNS server audit events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) reflecting the time in which the event was generated."},{"name":"EventCount","type":"int","description":"The number of events described by the record. This value is used when the source supports aggregation, and a single record may represent multiple events."},{"name":"EventType","type":"string","description":"Indicates the operation reported by the record. 
For DNS activity events, this value is the DNS opcode as defined by the Internet Assigned Numbers Authority (IANA)."},{"name":"EventSubType","type":"string","description":"Either request or response."},{"name":"EventResult","type":"string","description":"The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field."},{"name":"EventResultDetails","type":"string","description":"The DNS response code as defined by the Internet Assigned Numbers Authority (IANA)."},{"name":"EventOriginalType","type":"string","description":"The original event type or ID, for example, the original Windows event ID."},{"name":"EventProduct","type":"string","description":"The product generating the event."},{"name":"EventVendor","type":"string","description":"The vendor of the product generating the event."},{"name":"DvcIpAddr","type":"string","description":"The IP Address of the device reporting the event."},{"name":"DvcHostname","type":"string","description":"The hostname of the device reporting the event."},{"name":"DvcDomain","type":"string","description":"The domain of the device reporting the event."},{"name":"DvcDomainType","type":"string","description":"The type of DvcDomain. Possible values include \"Windows\" and \"FQDN\"."},{"name":"DvcOs","type":"string","description":"The operating system running on the device reporting the event."},{"name":"DvcOsVersion","type":"string","description":"The version of the operating system on the device reporting the event."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information, represented using key/value pairs provided by the source which do not map to ASim."},{"name":"SrcIpAddr","type":"string","description":"The IP address of the client sending the DNS request. 
For a recursive DNS request, this value would typically be the reporting device, and in most cases, set to 127.0.0.1."},{"name":"SrcPortNumber","type":"int","description":"Source port of the DNS query."},{"name":"SrcGeoCountry","type":"string","description":"The country associated with the source IP address."},{"name":"SrcGeoRegion","type":"string","description":"The region, or state, within a country, associated with the source IP address."},{"name":"SrcGeoCity","type":"string","description":"The city associated with the source IP address."},{"name":"SrcGeoLatitude","type":"real","description":"The latitude of the geographical coordinate associated with the source IP address."},{"name":"SrcGeoLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the source IP address."},{"name":"DstIpAddr","type":"string","description":"The IP address of the server receiving the DNS request. For a regular DNS request, this value would typically be the reporting device, and in most cases set to 127.0.0.1."},{"name":"DstGeoCountry","type":"string","description":"The country associated with the destination IP address."},{"name":"DstGeoRegion","type":"string","description":"The region, or state, within a country, associated with the destination IP address."},{"name":"DstGeoCity","type":"string","description":"The city associated with the destination IP address."},{"name":"DstGeoLatitude","type":"real","description":"The latitude of the geographical coordinate associated with the destination IP address."},{"name":"DstGeoLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the destination IP address."},{"name":"DnsQuery","type":"string","description":"The domain that needs to be resolved."},{"name":"DnsQueryType","type":"int","description":"The DNS resource record type codes as defined by the Internet Assigned Numbers Authority 
(IANA)."},{"name":"DnsQueryTypeName","type":"string","description":"The DNS resource record type name as defined by the Internet Assigned Numbers Authority (IANA)."},{"name":"DnsResponseCode","type":"int","description":"The DNS numerical response code as defined by the Internet Assigned Numbers Authority (IANA)."},{"name":"DnsResponseName","type":"string","description":"The content of the response, as included in the record. The structure of the DNS response data may vary between different reporting devices."},{"name":"TransactionIdHex","type":"string","description":"The DNS unique hex transaction ID."},{"name":"DstDescription","type":"string","description":"A descriptive text associated with the destination."},{"name":"DstDvcScope","type":"string","description":"The cloud platform scope the destination device belongs to. DvcScope maps to a subscription on Azure and to an account on AWS."},{"name":"DstOriginalRiskLevel","type":"string","description":"The risk level associated with the destination device as reported by the reporting device."},{"name":"DstRiskLevel","type":"int","description":"The risk level associated with the destination device."},{"name":"DvcDescription","type":"string","description":"A descriptive text associated with the device. For example: Primary Domain Controller."},{"name":"DvcInterface","type":"string","description":"The network interface on which data was captured. This field is typically relevant to network related activity which is captured by an intermediate or tap device."},{"name":"DvcOriginalAction","type":"string","description":"The original DvcAction as provided by the reporting device."},{"name":"DvcScope","type":"string","description":"The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS."},{"name":"DvcScopeId","type":"string","description":"The cloud platform scope ID the device belongs to. 
DvcScopeId maps to a subscription ID on Azure and to an account ID on AWS."},{"name":"EventOriginalSeverity","type":"string","description":"The original severity as provided by the reporting device. This value is used to derive EventSeverity."},{"name":"NetworkProtocolVersion","type":"string","description":"The version of the network protocol. Typically used to differentiate between IPv4 and IPv6."},{"name":"RuleName","type":"string","description":"The name or ID of the rule associated with the inspection results."},{"name":"RuleNumber","type":"int","description":"The number of the rule associated with the inspection results."},{"name":"DnsResponseIpCountry","type":"string","description":"The country associated with the response IP address."},{"name":"DnsResponseIpLatitude","type":"real","description":"The latitude of the geographical coordinate associated with the response IP address."},{"name":"DnsResponseIpLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the response IP address."},{"name":"NetworkProtocol","type":"string","description":"The transport protocol used by the network resolution event. The value can be UDP or TCP."},{"name":"DnsQueryClass","type":"int","description":"The DNS class ID as defined by the Internet Assigned Numbers Authority (IANA)."},{"name":"DnsQueryClassName","type":"string","description":"The DNS class name as defined by the Internet Assigned Numbers Authority (IANA)."},{"name":"DnsNetworkDuration","type":"int","description":"The amount of time, in milliseconds, for the completion of the DNS request."},{"name":"DnsFlagsAuthenticated","type":"bool","description":"The DNS authenticated answer flag, which is related to DNSSEC, indicates in a response that all data included in the answer and authority sections of the response have been verified by the server according to the policies of that server. 
See RFC 3655 Section 6.1 for more information."},{"name":"DnsFlagsAuthoritative","type":"bool","description":"The DNS authoritative answer flag indicates whether the response from the server was authoritative."},{"name":"DnsFlagsRecursionDesired","type":"bool","description":"The DNS recursion desired flag indicates in a request that the client would like the server to use recursive queries."},{"name":"DnsSessionId","type":"string","description":"The DNS session identifier as reported by the reporting device."},{"name":"SrcDescription","type":"string","description":"A descriptive text associated with the source."},{"name":"SrcDvcScope","type":"string","description":"The cloud platform scope the source device belongs to. DvcScope maps to a subscription on Azure and to an account on AWS."},{"name":"SrcDvcScopeId","type":"string","description":"The cloud platform scope ID the source device belongs to. DvcScopeId maps to a subscription ID on Azure and to an account ID on AWS."},{"name":"SrcOriginalRiskLevel","type":"string","description":"The risk level associated with the source device as reported by the reporting device."},{"name":"SrcUserScope","type":"string","description":"The scope, such as Azure AD tenant, in which SrcUserId and SrcUsername are defined."},{"name":"SrcUserScopeId","type":"string","description":"The ID of the scope, such as Azure AD tenant, in which SrcUserId and SrcUsername are defined."},{"name":"SrcUserSessionId","type":"string","description":"The unique ID of the sign-in session of the source user."},{"name":"ThreatId","type":"string","description":"The ID of the threat or malware identified in the web session."},{"name":"ThreatIpAddr","type":"string","description":"An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents. 
If a threat is identified in the Domain field, this field should be empty."},{"name":"ThreatField","type":"string","description":"The field for which a threat was identified. The value is either SrcIpAddr, DstIpAddr, Domain, or DnsResponseName."},{"name":"UrlCategory","type":"string","description":"A DNS event source may also look up the category of the requested Domains."},{"name":"ThreatCategory","type":"string","description":"If a DNS event source also provides DNS security, it may also evaluate the DNS event. For example, it can search for the IP address or domain in a threat intelligence database, and assign the domain or IP address with a Threat Category."},{"name":"ThreatName","type":"string","description":"The name of the threat identified, as reported by the reporting device."},{"name":"ThreatConfidence","type":"int","description":"The confidence level of the threat identified, normalized to a value between 0 and 100."},{"name":"ThreatOriginalConfidence","type":"string","description":"The original confidence level of the threat identified, as reported by the reporting device."},{"name":"ThreatRiskLevel","type":"int","description":"The risk level associated with the threat identified, normalized to a value between 0 and 100."},{"name":"ThreatOriginalRiskLevel_s","type":"string","description":"The risk level associated with the threat identified, normalized to a value between 0 and 100."},{"name":"ThreatOriginalRiskLevel","type":"int","description":"The original risk level associated with the threat identified, as reported by the reporting device."},{"name":"ThreatIsActive","type":"bool","description":"True if the threat identified is considered an active threat."},{"name":"ThreatFirstReportedTime","type":"string","description":"The first time the IP address or domain were identified as a threat."},{"name":"ThreatFirstReportedTime_d","type":"datetime","description":"The first time the IP address or domain were identified as a 
threat."},{"name":"ThreatLastReportedTime","type":"string","description":"The last time the IP address or domain were identified as a threat."},{"name":"ThreatLastReportedTime_d","type":"datetime","description":"The last time the IP address or domain were identified as a threat."},{"name":"EventStartTime","type":"datetime","description":"The time at which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventEndTime","type":"datetime","description":"The time at which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventMessage","type":"string","description":"A general message or description."},{"name":"EventOriginalUid","type":"string","description":"A unique ID of the original record."},{"name":"EventReportUrl","type":"string","description":"A URL of a resource that provides additional information about the event."},{"name":"EventSchemaVersion","type":"string","description":"The version of the schema."},{"name":"Dvc","type":"string","description":"A unique identifier of the device reporting the event. 
The identifier can be either an IP address, a hostname, or a device ID."},{"name":"DvcFQDN","type":"string","description":"The fully qualified hostname, including domain information, of the device reporting the event."},{"name":"DvcId","type":"string","description":"The unique ID of the device reporting the event."},{"name":"DvcIdType","type":"string","description":"The type of DvcId."},{"name":"DvcMacAddr","type":"string","description":"The MAC address of the device reporting the event."},{"name":"DvcZone","type":"string","description":"The network segment of the device reporting the event."},{"name":"DnsResponseIpCity","type":"string","description":"The city associated with the response IP address."},{"name":"DnsResponseIpRegion","type":"string","description":"The region, or state, within a country, associated with the response IP address."},{"name":"EventOwner","type":"string","description":"The owner of the event, which is usually the department or subsidiary in which it was generated."},{"name":"EventProductVersion","type":"string","description":"The version of the product generating the event."},{"name":"EventSeverity","type":"string","description":"The severity of the event. 
Valid values are: Informational, Low, Medium, or High."},{"name":"Src","type":"string","description":"A unique identifier of the source device."},{"name":"SrcHostname","type":"string","description":"The source device hostname, excluding domain information."},{"name":"SrcDomain","type":"string","description":"The domain of the source device."},{"name":"SrcDomainType","type":"string","description":"The type of SrcDomain."},{"name":"SrcFQDN","type":"string","description":"The source device hostname, including domain information."},{"name":"SrcDvcId","type":"string","description":"The ID of the source device."},{"name":"SrcDvcIdType","type":"string","description":"The type of SrcDvcId."},{"name":"SrcDeviceType","type":"string","description":"The type of the source device."},{"name":"SrcRiskLevel","type":"int","description":"The risk level associated with the source device."},{"name":"SrcUserId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the source user."},{"name":"SrcUserIdType","type":"string","description":"The type of the ID stored in the SrcUserId field."},{"name":"SrcUsername","type":"string","description":"The Source username, including domain information when available."},{"name":"SrcUsernameType","type":"string","description":"The type of the username stored in the SrcUsername field."},{"name":"SrcUserType","type":"string","description":"The type of the source user."},{"name":"SrcOriginalUserType","type":"string","description":"The original source user type, as provided by the source."},{"name":"SrcProcessName","type":"string","description":"The name of the process that initiated the DNS request."},{"name":"SrcProcessId","type":"string","description":"The process ID (PID) of the process that initiated the DNS request."},{"name":"SrcProcessGuid","type":"string","description":"A generated unique identifier (GUID) of the process that initiated the DNS request."},{"name":"Dst","type":"string","description":"A unique 
identifier of the server that received the DNS request."},{"name":"DstPortNumber","type":"int","description":"Destination port number."},{"name":"DstHostname","type":"string","description":"The destination device hostname, excluding domain information."},{"name":"DstDomain","type":"string","description":"The domain of the destination device."},{"name":"DstDomainType","type":"string","description":"The type of DstDomain."},{"name":"DstFQDN","type":"string","description":"The destination device hostname, including domain information when available."},{"name":"DstDvcId","type":"string","description":"The ID of the destination device."},{"name":"DstDvcScopeId","type":"string","description":"The cloud platform scope ID the destination device belongs to. DvcScopeId maps to a subscription ID on Azure and to an account ID on AWS."},{"name":"DstDvcIdType","type":"string","description":"The type of DstDvcId."},{"name":"DstDeviceType","type":"string","description":"The type of the destination device."},{"name":"DvcAction","type":"string","description":"The action taken by the reporting device on the request, such as blocking it."},{"name":"DnsFlags","type":"string","description":"The DNS request flags, as provided by the reporting device. 
The structure of the DNS flags information may vary between different reporting devices."},{"name":"DnsFlagsCheckingDisabled","type":"bool","description":"The DNS CD flag, which is related to DNSSEC, indicates in a query that non-verified data is acceptable to the system sending the query."},{"name":"DnsFlagsRecursionAvailable","type":"bool","description":"The DNS RA flag indicates in a response that the server supports recursive queries."},{"name":"DnsFlagsTruncated","type":"bool","description":"The DNS TC flag indicates that a response was truncated as it exceeded the maximum response size."},{"name":"DnsFlagsZ","type":"bool","description":"The DNS Z flag is a deprecated DNS flag, which might be reported by older DNS systems."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/dnsnormalized"],"solutions":["SecurityInsights"],"queries":["083f9ca4-df5c-43d1-951c-0dc34ea73db1","30963fe3-2352-42de-94af-43ef3f63b1e3"]}},{"id":"ASimFileEventLogs","name":"ASimFileEventLogs","tableType":"Microsoft","description":"The Advanced Security Information Model (ASIM) File Event normalization schema describes file activity such as creating, modifying, or deleting files or documents.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp reflecting the time in which the event was generated."},{"name":"EventProduct","type":"string","description":"The product 
generating the event."},{"name":"EventVendor","type":"string","description":"The vendor of the product generating the event."},{"name":"EventResult","type":"string","description":"The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field."},{"name":"EventSeverity","type":"string","description":"The severity of the event. Valid values are: Informational, Low, Medium, or High."},{"name":"EventType","type":"string","description":"The operation reported by the record."},{"name":"TargetFilePath","type":"string","description":"The full, normalized path of the target file, including the folder or location, the file name, and the extension."},{"name":"TargetFilePathType","type":"string","description":"The type of TargetFilePath."},{"name":"ActorUsername","type":"string","description":"The Actor username, including domain information when available."},{"name":"EventResultDetails","type":"string","description":"The HTTP status code."},{"name":"DvcIpAddr","type":"string","description":"The IP address of the device reporting the event."},{"name":"DvcHostname","type":"string","description":"The hostname of the device reporting the event."},{"name":"DvcDomain","type":"string","description":"The domain of the device reporting the event."},{"name":"DvcDomainType","type":"string","description":"The type of DvcDomain. 
Valid values include 'Windows' and 'FQDN'."},{"name":"DvcFQDN","type":"string","description":"The hostname of the device on which the event occurred or which reported the event."},{"name":"DvcId","type":"string","description":"The unique ID of the device on which the event occurred or which reported the event."},{"name":"DvcIdType","type":"string","description":"The type of DvcId."},{"name":"DvcAction","type":"string","description":"The action taken on the web session."},{"name":"TargetFileName","type":"string","description":"The name of the target file, without a path or a location, but with an extension if relevant."},{"name":"HashType","type":"string","description":"The type of hash stored in the Hash alias field."},{"name":"SrcFileName","type":"string","description":"The name of the source file, without a path or a location, but with an extension if relevant."},{"name":"SrcFilePath","type":"string","description":"The full, normalized path of the source file, including the folder or location, the file name, and the extension."},{"name":"SrcFilePathType","type":"string","description":"The type of SrcFilePath."},{"name":"ActorUserId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the actor."},{"name":"SrcIpAddr","type":"string","description":"When the operation is initiated by a remote system, the IP address of this system."},{"name":"SrcHostname","type":"string","description":"The source device hostname, excluding domain information. 
If no device name is available, store the relevant IP address in this field."},{"name":"SrcMacAddr","type":"string","description":"The MAC address of the source device."},{"name":"SrcDomain","type":"string","description":"The domain of the source device."},{"name":"EventMessage","type":"string","description":"A general message or description."},{"name":"EventCount","type":"int","description":"This value is used when the source supports aggregation, and a single record may represent multiple events."},{"name":"EventSubType","type":"string","description":"Additional description of the event type, if applicable."},{"name":"EventOriginalUid","type":"string","description":"A unique ID of the original record, if provided by the source."},{"name":"EventOriginalType","type":"string","description":"The original event type or ID, if provided by the source."},{"name":"EventOriginalSubType","type":"string","description":"The original event subtype or ID, if provided by the source. For example, this field will be used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema."},{"name":"EventOriginalResultDetails","type":"string","description":"The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema."},{"name":"EventOriginalSeverity","type":"string","description":"The original severity as provided by the reporting device. 
This value is used to derive EventSeverity."},{"name":"EventProductVersion","type":"string","description":"The version of the product generating the event."},{"name":"EventReportUrl","type":"string","description":"A URL provided in the event for a resource that provides more information about the event."},{"name":"EventOwner","type":"string","description":"The owner of the event, which is usually the department or subsidiary in which it was generated."},{"name":"DvcDescription","type":"string","description":"A descriptive text associated with the device."},{"name":"DvcMacAddr","type":"string","description":"The MAC address of the device on which the event occurred or which reported the event."},{"name":"DvcZone","type":"string","description":"The network on which the event occurred or which reported the event, depending on the schema."},{"name":"DvcOs","type":"string","description":"The operating system running on the device on which the event occurred or which reported the event."},{"name":"DvcOsVersion","type":"string","description":"The version of the operating system on the device on which the event occurred or which reported the event."},{"name":"DvcOriginalAction","type":"string","description":"The original DvcAction as provided by the reporting device."},{"name":"DvcInterface","type":"string","description":"The network interface on which data was captured."},{"name":"DvcScopeId","type":"string","description":"The cloud platform scope ID the device belongs to. DvcScopeId maps to a subscription ID on Azure and to an account ID on AWS."},{"name":"DvcScope","type":"string","description":"The cloud platform scope the device belongs to. 
DvcScope maps to a subscription name on Azure and to an account ID on AWS."},{"name":"TargetFileCreationTime","type":"datetime","description":"The time at which the target file was created."},{"name":"TargetFileDirectory","type":"string","description":"The target file folder or location."},{"name":"TargetFileExtension","type":"string","description":"The target file extension."},{"name":"TargetFileMimeType","type":"string","description":"The Mime or Media type of the target file."},{"name":"TargetFileMD5","type":"string","description":"The MD5 hash of the target file."},{"name":"TargetFileSHA1","type":"string","description":"The SHA-1 hash of the target file."},{"name":"TargetFileSHA256","type":"string","description":"The SHA-256 hash of the target file."},{"name":"TargetFileSHA512","type":"string","description":"The SHA-512 hash of the target file."},{"name":"TargetFileSize","type":"long","description":"The size of the target file in bytes."},{"name":"SrcFileCreationTime","type":"datetime","description":"The time at which the source file was created."},{"name":"SrcFileDirectory","type":"string","description":"The source file folder or location."},{"name":"SrcFileExtension","type":"string","description":"The source file extension."},{"name":"SrcFileMimeType","type":"string","description":"The Mime or Media type of the source file."},{"name":"SrcFileMD5","type":"string","description":"The MD5 hash of the source file."},{"name":"SrcFileSHA1","type":"string","description":"The SHA-1 hash of the source file."},{"name":"SrcFileSHA256","type":"string","description":"The SHA-256 hash of the source file."},{"name":"SrcFileSHA512","type":"string","description":"The SHA-512 hash of the source file."},{"name":"SrcFileSize","type":"long","description":"The size of the source file in bytes."},{"name":"ActorUserAadId","type":"string","description":"The Azure Active Directory ID of the actor."},{"name":"ActorUserSid","type":"string","description":"The Windows user ID (SID) of the 
actor."},{"name":"ActorScope","type":"string","description":"The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined."},{"name":"ActorScopeId","type":"string","description":"The scope ID, such as Azure AD Directory ID, in which ActorUserId and ActorUsername are defined."},{"name":"ActorUserIdType","type":"string","description":"The type of the ID stored in the ActorUserId field."},{"name":"ActorUsernameType","type":"string","description":"Specifies the type of the user name stored in the ActorUsername field."},{"name":"ActorSessionId","type":"string","description":"The unique ID of the login session of the Actor."},{"name":"ActorUserType","type":"string","description":"The type of actor."},{"name":"ActorOriginalUserType","type":"string","description":"The original actor user type as provided by the reporting device."},{"name":"ActingProcessCommandLine","type":"string","description":"The command line used to run the acting process."},{"name":"ActingProcessName","type":"string","description":"The name of the acting process."},{"name":"ActingProcessId","type":"string","description":"The process ID (PID) of the acting process."},{"name":"ActingProcessGuid","type":"string","description":"A generated unique identifier (GUID) of the acting process."},{"name":"HttpUserAgent","type":"string","description":"When the operation is initiated using HTTP or HTTPS, the HTTP user agent header."},{"name":"NetworkApplicationProtocol","type":"string","description":"When the operation is initiated by a remote system, the application layer protocol used by the connection or session."},{"name":"SrcOriginalRiskLevel","type":"string","description":"The risk level associated with the source. 
As reported by the reporting device or enriched."},{"name":"SrcPortNumber","type":"int","description":"When the operation is initiated by a remote system, the port number from which the connection was initiated."},{"name":"SrcRiskLevel","type":"int","description":"The risk level associated with the source."},{"name":"SrcDomainType","type":"string","description":"The type of SrcDomain."},{"name":"SrcFQDN","type":"string","description":"The source device hostname, including domain information when available."},{"name":"SrcDescription","type":"string","description":"A descriptive text associated with the device."},{"name":"SrcDvcId","type":"string","description":"The ID of the source device."},{"name":"SrcDvcScopeId","type":"string","description":"The cloud platform scope ID the device belongs to."},{"name":"SrcDvcScope","type":"string","description":"The cloud platform scope the device belongs to. "},{"name":"SrcDvcIdType","type":"string","description":"The type of SrcDvcId."},{"name":"SrcDeviceType","type":"string","description":"The type of the source device. 
"},{"name":"SrcGeoCountry","type":"string","description":"The country associated with the source IP address."},{"name":"SrcGeoRegion","type":"string","description":"The region within a country associated with the source IP address."},{"name":"SrcGeoCity","type":"string","description":"The city associated with the source IP address."},{"name":"SrcGeoLatitude","type":"real","description":"The latitude of the geographical coordinate associated with the source IP address."},{"name":"SrcGeoLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the source IP address."},{"name":"TargetAppName","type":"string","description":"The name of the destination application."},{"name":"TargetAppId","type":"string","description":"The ID of the destination application, as reported by the reporting device."},{"name":"TargetAppType","type":"string","description":"The type of the destination application."},{"name":"TargetOriginalAppType","type":"string","description":"The target application type as reported by the reporting device."},{"name":"TargetUrl","type":"string","description":"When the operation is initiated using HTTP or HTTPS, the URL used."},{"name":"RuleName","type":"string","description":"The name or ID of the rule by associated with the inspection results."},{"name":"RuleNumber","type":"int","description":"The number of the rule associated with the inspection results."},{"name":"ThreatId","type":"string","description":"The ID of the threat or malware identified in the file activity."},{"name":"ThreatName","type":"string","description":"The name of the threat or malware identified in the file activity."},{"name":"ThreatCategory","type":"string","description":"The category of the threat or malware identified in the file activity."},{"name":"ThreatRiskLevel","type":"int","description":"The risk level associated with the identified threat. 
The level should be a number between 0 and 100."},{"name":"ThreatOriginalRiskLevel","type":"string","description":"The risk level as reported by the reporting device."},{"name":"ThreatFilePath","type":"string","description":"A file path for which a threat was identified. The field ThreatField contains the name of the field ThreatFilePath represents."},{"name":"ThreatField","type":"string","description":"The field for which a threat was identified. The value is either SrcFilePath or DstFilePath."},{"name":"ThreatConfidence","type":"int","description":"The confidence level of the threat identified, normalized to a value between 0 and 100."},{"name":"ThreatOriginalConfidence","type":"string","description":"The original confidence level of the threat identified, as reported by the reporting device."},{"name":"ThreatIsActive","type":"bool","description":"True if the threat identified is considered an active threat."},{"name":"ThreatFirstReportedTime","type":"datetime","description":"The first time the IP address or domain were identified as a threat."},{"name":"ThreatLastReportedTime","type":"datetime","description":"The last time the IP address or domain were identified as a threat."},{"name":"EventSchema","type":"string","description":"The schema the event is normalized to. Each schema documents its schema name."},{"name":"EventSchemaVersion","type":"string","description":"The version of the schema."},{"name":"EventStartTime","type":"datetime","description":"The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventEndTime","type":"datetime","description":"The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. 
If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information, represented using key/value pairs provided by the source which do not map to ASim."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"ASimNetworkSessionLogs","name":"ASimNetworkSessionLogs","tableType":"Microsoft","description":"The Microsoft Sentinel network session normalization schema represents an IP network activity, such as network connections and network sessions. Such events are reported, for example, by operating systems, routers, firewalls, and intrusion prevention systems.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) reflecting the time in which the event was generated."},{"name":"EventCount","type":"int","description":"This value is used when the source supports aggregation, and a single record may represent multiple events."},{"name":"EventSchemaVersion","type":"string","description":"The version of the schema."},{"name":"DvcAction","type":"string","description":"The action taken on the network session."},{"name":"EventMessage","type":"string","description":"A general message or description."},{"name":"EventSeverity","type":"string","description":"The severity of the event. 
Valid values are: Informational, Low, Medium, or High."},{"name":"EventStartTime","type":"datetime","description":"The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventEndTime","type":"datetime","description":"The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"DvcMacAddr","type":"string","description":"The MAC address of the device on which the event occurred or which reported the event. Example: 00:1B:44:11:3A:B7."},{"name":"Dvc","type":"string","description":"A unique identifier of the device on which the event occurred or which reported the event."},{"name":"DvcZone","type":"string","description":"The network on which the event occurred or which reported the event. The zone is defined by the reporting device."},{"name":"EventProductVersion","type":"string","description":"The version of the product generating the event."},{"name":"DvcOriginalAction","type":"string","description":"The original DvcAction as provided by the reporting device."},{"name":"DvcInterface","type":"string","description":"The network interface on which data was captured. This field is typically relevant to network related activity which is captured by an intermediate or tap device."},{"name":"DvcSubscriptionId","type":"string","description":"The cloud platform subscription ID the device belongs to. DvcSubscriptionId maps to a subscription ID on Azure and to an account ID on AWS."},{"name":"EventOriginalSeverity","type":"string","description":"The original severity as provided by the reporting device. 
This value is used to derive EventSeverity."},{"name":"EventOriginalSubType","type":"string","description":"The original event subtype or ID, if provided by the source. For example, this field will be used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema."},{"name":"NetworkApplicationProtocol","type":"string","description":"The application layer protocol used by the connection or session."},{"name":"NetworkProtocolVersion","type":"string","description":"The version of NetworkProtocol."},{"name":"NetworkDirection","type":"string","description":"The direction of the connection or session."},{"name":"NetworkIcmpCode","type":"int","description":"For an ICMP message, the ICMP message type numeric value as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections."},{"name":"NetworkIcmpType","type":"string","description":"For an ICMP message, the ICMP message type text representation, as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections."},{"name":"NetworkConnectionHistory","type":"string","description":"TCP flags and other potential IP header information."},{"name":"DstBytes","type":"long","description":"The number of bytes sent from the destination to the source for the connection or session. If the event is aggregated, DstBytes is the sum over all aggregated sessions."},{"name":"SrcBytes","type":"long","description":"The number of bytes sent from the source to the destination for the connection or session. If the event is aggregated, SrcBytes is the sum over all aggregated sessions."},{"name":"NetworkBytes","type":"long","description":"Number of bytes sent in both directions. If both BytesReceived and BytesSent exist, BytesTotal should equal their sum. 
If the event is aggregated, NetworkBytes is the sum over all aggregated sessions."},{"name":"DstPackets","type":"long","description":"The number of packets sent from the destination to the source for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, DstPackets is the sum over all aggregated sessions."},{"name":"SrcPackets","type":"long","description":"The number of packets sent from the source to the destination for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, SrcPackets is the sum over all aggregated sessions."},{"name":"NetworkPackets","type":"long","description":"The number of packets sent in both directions. If both PacketsReceived and PacketsSent exist, BytesTotal should equal their sum. The meaning of a packet is defined by the reporting device. If the event is aggregated, NetworkPackets is the sum over all aggregated sessions."},{"name":"NetworkSessionId","type":"string","description":"The session identifier as reported by the reporting device."},{"name":"DstZone","type":"string","description":"The network zone of the destination, as defined by the reporting device."},{"name":"DstInterfaceName","type":"string","description":"The network interface used for the connection or session by the destination device."},{"name":"DstInterfaceGuid","type":"string","description":"The GUID of the network interface used on the destination device."},{"name":"DstMacAddr","type":"string","description":"The MAC address of the network interface used for the connection or session by the destination device."},{"name":"DstVlanId","type":"string","description":"The VLAN ID related to the destination device."},{"name":"DstSubscriptionId","type":"string","description":"The cloud platform subscription ID the destination device belongs to. 
DstSubscriptionId maps to a subscription ID on Azure and to an account ID on AWS."},{"name":"DstGeoCountry","type":"string","description":"The country associated with the destination IP address."},{"name":"DstGeoRegion","type":"string","description":"The region, or state, within a country associated with the destination IP address."},{"name":"DstGeoCity","type":"string","description":"The city associated with the destination IP address."},{"name":"DstGeoLatitude","type":"real","description":"The latitude of the geographical coordinate associated with the destination IP address."},{"name":"DstGeoLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the destination IP address."},{"name":"DstUserId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the destination user."},{"name":"DstUserIdType","type":"string","description":"The type of the ID stored in the DstUserId field."},{"name":"DstUsername","type":"string","description":"The destination username, including domain information when available. 
Use the simple form only if domain information isn't available."},{"name":"DstUsernameType","type":"string","description":"Specifies the type of the username stored in the DstUsername field."},{"name":"DstUserType","type":"string","description":"The type of destination user."},{"name":"DstOriginalUserType","type":"string","description":"The original destination user type, if provided by the source."},{"name":"DstAppName","type":"string","description":"The name of the destination application."},{"name":"DstAppId","type":"string","description":"The ID of the destination application, as reported by the reporting device."},{"name":"DstAppType","type":"string","description":"The type of the destination application."},{"name":"SrcZone","type":"string","description":"The network zone of the source, as defined by the reporting device."},{"name":"SrcInterfaceName","type":"string","description":"The network interface used for the connection or session by the source device."},{"name":"SrcInterfaceGuid","type":"string","description":"The GUID of the network interface used on the source device."},{"name":"SrcMacAddr","type":"string","description":"The MAC address of the network interface from which the connection or session originated."},{"name":"SrcVlanId","type":"string","description":"The VLAN ID related to the source device."},{"name":"SrcSubscriptionId","type":"string","description":"The cloud platform subscription ID the source device belongs to. 
SrcSubscriptionId maps to a subscription ID on Azure and to an account ID on AWS."},{"name":"SrcGeoCountry","type":"string","description":"The country associated with the source IP address."},{"name":"SrcGeoRegion","type":"string","description":"The region within a country associated with the source IP address."},{"name":"SrcGeoCity","type":"string","description":"The city associated with the source IP address."},{"name":"SrcGeoLatitude","type":"real","description":"The latitude of the geographical coordinate associated with the source IP address."},{"name":"SrcGeoLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the source IP address."},{"name":"SrcAppName","type":"string","description":"The name of the source application."},{"name":"SrcAppId","type":"string","description":"The ID of the source application, as reported by the reporting device."},{"name":"SrcAppType","type":"string","description":"The type of the source application."},{"name":"DstNatIpAddr","type":"string","description":"The DstNatIpAddr represents either of: The original address of the destination device if network address translation was used or the IP address used by the intermediary device for communication with the source."},{"name":"DstNatPortNumber","type":"int","description":"If reported by an intermediary NAT device, the port used by the NAT device for communication with the source."},{"name":"SrcNatIpAddr","type":"string","description":"The SrcNatIpAddr represents either of: The original address of the source device if network address translation was used or the IP address used by the intermediary device for communication with the destination."},{"name":"SrcNatPortNumber","type":"int","description":"If reported by an intermediary NAT device, the port used by the NAT device for communication with the destination."},{"name":"DvcInboundInterface","type":"string","description":"If reported by an intermediary device, the network interface used 
by the NAT device for the connection to the source device."},{"name":"DvcOutboundInterface","type":"string","description":"If reported by an intermediary device, the network interface used by the NAT device for the connection to the destination device."},{"name":"NetworkRuleName","type":"string","description":"The name or ID of the rule by which DvcAction was decided upon."},{"name":"NetworkRuleNumber","type":"int","description":"The number of the rule by which DvcAction was decided upon."},{"name":"ThreatId","type":"string","description":"The ID of the threat or malware identified in the network session."},{"name":"ThreatName","type":"string","description":"The name of the threat or malware identified in the network session."},{"name":"ThreatCategory","type":"string","description":"The category of the threat or malware identified in the network session."},{"name":"ThreatRiskLevel","type":"int","description":"The risk level associated with the session. The level is a number between 0 to 100."},{"name":"ThreatOriginalRiskLevel","type":"string","description":"The risk level as reported by the reporting device."},{"name":"EventType","type":"string","description":"The operation reported by the record."},{"name":"EventSubType","type":"string","description":"Additional description of the event type, if applicable."},{"name":"EventResult","type":"string","description":"The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). 
The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field."},{"name":"EventResultDetails","type":"string","description":"Reason or details for the result reported in the EventResult field."},{"name":"EventOriginalType","type":"string","description":"The original event type or ID, if provided by the source."},{"name":"EventProduct","type":"string","description":"The product generating the event."},{"name":"EventVendor","type":"string","description":"The vendor of the product generating the event."},{"name":"DvcIpAddr","type":"string","description":"The IP Address of the device reporting the event."},{"name":"DvcHostname","type":"string","description":"The hostname of the device reporting the event."},{"name":"DvcDomain","type":"string","description":"The domain of the device reporting the event."},{"name":"DvcDomainType","type":"string","description":"The type of DvcDomain. Possible values include 'Windows' and 'FQDN'."},{"name":"DvcOs","type":"string","description":"The operating system running on the device reporting the event."},{"name":"DvcOsVersion","type":"string","description":"The version of the operating system on the device reporting the event."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information, represented using key/value pairs provided by the source which do not map to ASim."},{"name":"SrcIpAddr","type":"string","description":"The IP address from which the connection or session originated."},{"name":"SrcPortNumber","type":"int","description":"The IP port from which the connection originated. 
Might not be relevant for a session comprising multiple connections."},{"name":"DstIpAddr","type":"string","description":"The IP address of the connection or session destination."},{"name":"NetworkProtocol","type":"string","description":"The IP protocol used by the connection or session as listed in IANA protocol assignment, which is typically TCP, UDP, or ICMP."},{"name":"EventOriginalUid","type":"string","description":"A unique ID of the original record, if provided by the source."},{"name":"EventReportUrl","type":"string","description":"A URL provided in the event for a resource that provides more information about the event."},{"name":"DvcFQDN","type":"string","description":"The hostname of the device on which the event occurred or which reported the event."},{"name":"DvcId","type":"string","description":"The unique ID of the device on which the event occurred or which reported the event."},{"name":"DvcIdType","type":"string","description":"The type of DvcId."},{"name":"SrcHostname","type":"string","description":"The source device hostname, excluding domain information. If no device name is available, may store the relevant IP address."},{"name":"SrcDomain","type":"string","description":"The domain of the source device."},{"name":"SrcDomainType","type":"string","description":"The type of SrcDomain."},{"name":"SrcFQDN","type":"string","description":"The source device hostname, including domain information when available."},{"name":"SrcDvcId","type":"string","description":"The ID of the source device."},{"name":"SrcDvcIdType","type":"string","description":"The type of SrcDvcId."},{"name":"ThreatIpAddr","type":"string","description":"An IP address for which a threat was identified. 
The field ThreatField contains the name of the field ThreatIpAddr represents."},{"name":"SrcDeviceType","type":"string","description":"The type of the source device."},{"name":"SrcUserId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the source user."},{"name":"SrcUserIdType","type":"string","description":"The type of the ID stored in the SrcUserId field."},{"name":"SrcUsername","type":"string","description":"The source username, including domain information when available."},{"name":"SrcUsernameType","type":"string","description":"Specifies the type of the username stored in the SrcUsername field."},{"name":"SrcUserType","type":"string","description":"The type of the source user."},{"name":"SrcOriginalUserType","type":"string","description":"The original source user type, if provided by the reporting device."},{"name":"DstPortNumber","type":"int","description":"The destination IP port."},{"name":"DstHostname","type":"string","description":"The destination device hostname, excluding domain information."},{"name":"DstDomain","type":"string","description":"The domain of the destination device."},{"name":"DstDomainType","type":"string","description":"The type of DstDomain."},{"name":"DstFQDN","type":"string","description":"The destination device hostname, including domain information when available."},{"name":"DstDvcId","type":"string","description":"The ID of the destination device."},{"name":"DstDvcIdType","type":"string","description":"The type of DstDvcId."},{"name":"DstDeviceType","type":"string","description":"The type of the destination device."},{"name":"TcpFlagsAck","type":"bool","description":"The TCP ACK flag reported. The acknowledgment flag is used to acknowledge the successful receipt of a packet. 
During the three-way handshake, the receiver sends an ACK as well as a SYN in the second step to tell the sender that it received its initial packet."},{"name":"TcpFlagsFin","type":"bool","description":"The TCP FIN flag reported. The finished flag means there is no more data from the sender. Therefore, it is used in the last packet sent from the sender."},{"name":"TcpFlagsPsh","type":"bool","description":"The TCP PSH flag reported. The push flag is somewhat similar to the URG flag and tells the receiver to process these packets as they are received instead of buffering them."},{"name":"TcpFlagsRst","type":"bool","description":"The TCP RST flag reported. The reset flag gets sent from the receiver to the sender when a packet is sent to a particular host that was not expecting it."},{"name":"TcpFlagsUrg","type":"bool","description":"The TCP URG flag reported. The urgent flag is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received. See RFC 6093 for more details."},{"name":"TcpFlagsSyn","type":"bool","description":"The TCP SYN flag reported. The synchronisation flag is used as a first step in establishing a three way handshake between two hosts. Only the first packet from both the sender and receiver should have this flag set."},{"name":"ThreatField","type":"string","description":"The field for which a threat was identified. 
The value is either SrcIpAddr, DstIpAddr, Domain, or DnsResponseName."},{"name":"ThreatIsActive","type":"bool","description":"True if the threat identified is considered an active threat."},{"name":"ThreatConfidence","type":"int","description":"The confidence level of the threat identified, normalized to a value between 0 and 100."},{"name":"NetworkDuration","type":"int","description":"The amount of time, in milliseconds, for the completion of the network session or connection."},{"name":"DvcDescription","type":"string","description":"A descriptive text associated with the device. For example: Primary Domain Controller."},{"name":"EventOriginalResultDetails","type":"string","description":"The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema."},{"name":"ThreatFirstReportedTime","type":"datetime","description":"The first time the IP address or domain were identified as a threat."},{"name":"ThreatLastReportedTime","type":"datetime","description":"The last time the IP address or domain were identified as a threat."},{"name":"ThreatOriginalConfidence","type":"string","description":"The original confidence level of the threat identified, as reported by the reporting device."},{"name":"DstDescription","type":"string","description":"A descriptive text associated with the destination."},{"name":"SrcDescription","type":"string","description":"A descriptive text associated with the source."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/networksessionnormalized"],"solutions":["SecurityInsights"]}},{"id":"ASimProcessEventLogs","name":"ASimProcessEventLogs","tableType":"Microsoft","description":"The Microsoft Sentinel process events normalized table stores events using the Process Event ASIM normalized schema associated with creation or termination of a process. Such events are reported by operating systems and security systems, such as EDR (End Point Detection and Response) systems.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) reflecting the time in which the event was generated."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information, represented using key and value pairs provided by the source which do not map to ASim."},{"name":"EventMessage","type":"string","description":"A general message or description."},{"name":"EventCount","type":"int","description":"The number of events described by the record."},{"name":"EventStartTime","type":"datetime","description":"The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventEndTime","type":"datetime","description":"The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. 
If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventType","type":"string","description":"Describes the operation reported by the record"},{"name":"EventSubType","type":"string","description":"Describes a subdivision of the operation reported in the EventType field."},{"name":"EventResult","type":"string","description":"The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field."},{"name":"EventResultDetails","type":"string","description":"Reason or details for the result reported in the EventResult field."},{"name":"EventOriginalUid","type":"string","description":"A unique ID of the original record, if provided by the source."},{"name":"EventOriginalType","type":"string","description":"The original event type or ID, if provided by the source."},{"name":"EventOriginalSubType","type":"string","description":"The original event subtype or ID, if provided by the source."},{"name":"EventOriginalResultDetails","type":"string","description":"The original result details provided by the source."},{"name":"EventSeverity","type":"string","description":"The severity of the event. Valid values are: Informational, Low, Medium, or High."},{"name":"EventOriginalSeverity","type":"string","description":"The original severity as provided by the reporting device. 
"},{"name":"EventProduct","type":"string","description":"The product generating the event."},{"name":"EventProductVersion","type":"string","description":"The version of the product generating the event."},{"name":"EventVendor","type":"string","description":"The vendor of the product generating the event."},{"name":"EventSchemaVersion","type":"string","description":"The version of the schema."},{"name":"EventOwner","type":"string","description":"The owner of the event, which is usually the department or subsidiary in which it was generated."},{"name":"EventReportUrl","type":"string","description":"A URL provided in the event for a resource that provides more information about the event."},{"name":"DvcIpAddr","type":"string","description":"The IP Address of the device reporting the event."},{"name":"DvcHostname","type":"string","description":"The hostname of the device reporting the event."},{"name":"DvcDomain","type":"string","description":"The domain of the device reporting the event."},{"name":"DvcDomainType","type":"string","description":"The type of DvcDomain. 
Possible values include \"Windows\" and \"FQDN\"."},{"name":"DvcFQDN","type":"string","description":"The hostname of the device on which the event occurred or which reported the event."},{"name":"DvcDescription","type":"string","description":"A descriptive text associated with the device."},{"name":"DvcId","type":"string","description":"The unique ID of the device on which the event occurred or which reported the event."},{"name":"DvcIdType","type":"string","description":"The type of DvcId."},{"name":"DvcMacAddr","type":"string","description":"The MAC address of the device on which the event occurred or which reported the event."},{"name":"DvcZone","type":"string","description":"The network on which the event occurred or which reported the event."},{"name":"DvcOs","type":"string","description":"The operating system running on the device on which the event occurred or which reported the event."},{"name":"DvcOsVersion","type":"string","description":"The version of the operating system on the device on which the event occurred or which reported the event."},{"name":"DvcAction","type":"string","description":"For reporting security systems, the action taken by the system."},{"name":"DvcOriginalAction","type":"string","description":"The original DvcAction as provided by the reporting device."},{"name":"DvcInterface","type":"string","description":"The network interface on which data was captured."},{"name":"DvcScopeId","type":"string","description":"The cloud platform scope ID the device belongs to. DvcScopeId maps to a subscription ID on Azure and to an account ID on AWS."},{"name":"DvcScope","type":"string","description":"The cloud platform scope the device belongs to. 
DvcScope maps to a subscription ID on Azure and to an account ID on AWS."},{"name":"ActorUserId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the actor."},{"name":"ActorUserIdType","type":"string","description":"The type of the ID stored in the ActorUserId field."},{"name":"ActorScopeId","type":"string","description":"The scope ID, such as Azure AD tenant ID, in which ActorUserId and ActorUsername are defined."},{"name":"ActorScope","type":"string","description":"The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined."},{"name":"ActorUsername","type":"string","description":"The Actor's username, including domain information when available."},{"name":"ActorUsernameType","type":"string","description":"The type of the Actor's username specified in the ActorUsername field"},{"name":"ActorUserType","type":"string","description":"The type of the Actor."},{"name":"ActorOriginalUserType","type":"string","description":"The user type as reported by the reporting device."},{"name":"ActorSessionId","type":"string","description":"The unique ID of the sign-in session of the Actor."},{"name":"TargetUserId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the actor."},{"name":"TargetUserIdType","type":"string","description":"The type of the ID stored in the TargetUserId field."},{"name":"TargetScopeId","type":"string","description":"The scope ID, such as Azure AD tenant ID, in which TargetUserId and TargetUsername are defined."},{"name":"TargetScope","type":"string","description":"The scope, such as Azure AD tenant, in which TargetUserId and TargetUsername are defined."},{"name":"TargetUsername","type":"string","description":"The Target actor's username, including domain information when available."},{"name":"TargetUsernameType","type":"string","description":"The type of the Target actor's username specified in TargetUsername 
field"},{"name":"TargetUserType","type":"string","description":"The type of the Target actor."},{"name":"TargetOriginalUserType","type":"string","description":"The user type as reported by the reporting device."},{"name":"TargetUserSessionId","type":"string","description":"The unique ID of the sign-in session of the Target actor."},{"name":"TargetUserSessionGuid","type":"string","description":"The unique guid of the sign-in session of the Target actor."},{"name":"ActingProcessCommandLine","type":"string","description":"The command line used to run the acting process."},{"name":"ActingProcessName","type":"string","description":"The name of the acting process."},{"name":"ActingProcessFileCompany","type":"string","description":"The company that created the acting process image file."},{"name":"ActingProcessFileDescription","type":"string","description":"The description embedded in the version information of the acting process image file."},{"name":"ActingProcessFileProduct","type":"string","description":"The product name from the version information in the acting process image file."},{"name":"ActingProcessFileVersion","type":"string","description":"The product version from the version information of the acting process image file."},{"name":"ActingProcessFileInternalName","type":"string","description":"The product internal file name from the version information of the acting process image file."},{"name":"ActingProcessFileOriginalName","type":"string","description":"The product original file name from the version information of the acting process image file."},{"name":"ActingProcessFilename","type":"string","description":"The product file name from the version information of the acting process image file."},{"name":"ActingProcessIsHidden","type":"bool","description":"An indication of whether the acting process is in hidden mode."},{"name":"ActingProcessInjectedAddress","type":"string","description":"The memory address in which the responsible acting process is 
stored."},{"name":"ActingProcessId","type":"string","description":"The process ID of the acting process."},{"name":"ActingProcessGuid","type":"string","description":"A GUID of the acting process."},{"name":"ActingProcessIntegrityLevel","type":"string","description":"Integrity Level for acting process."},{"name":"ActingProcessMD5","type":"string","description":"The MD5 hash of the acting process image file."},{"name":"ActingProcessSHA1","type":"string","description":"The SHA-1 hash of the acting process image file."},{"name":"ActingProcessSHA256","type":"string","description":"The SHA-256 hash of the acting process image file."},{"name":"ActingProcessSHA512","type":"string","description":"The SHA-512 hash of the acting process image file."},{"name":"ActingProcessIMPHASH","type":"string","description":"The Import Hash of all the library DLLs that are used by the acting process."},{"name":"ActingProcessCreationTime","type":"datetime","description":"The date and time when the acting process was started."},{"name":"ActingProcessTokenElevation","type":"string","description":"A token indicating the presence or absence of User Account Control (UAC) privilege elevation applied to the acting process."},{"name":"ActingProcessFileSize","type":"long","description":"The size of the file in bytes that ran the acting process."},{"name":"ParentProcessName","type":"string","description":"The name of the parent process."},{"name":"ParentProcessFileCompany","type":"string","description":"The company that created the parent process image file."},{"name":"ParentProcessFileDescription","type":"string","description":"The description from the version information of the parent process image file."},{"name":"ParentProcessFileProduct","type":"string","description":"The product name from the version information in the parent process image file."},{"name":"ParentProcessFileVersion","type":"string","description":"The product version from the version information of the parent process image 
file."},{"name":"ParentProcessIsHidden","type":"bool","description":"An indication of whether the parent process is in hidden mode."},{"name":"ParentProcessInjectedAddress","type":"string","description":"The memory address in which the responsible parent process is stored."},{"name":"ParentProcessId","type":"string","description":"The process ID of the parent process."},{"name":"ParentProcessGuid","type":"string","description":"A GUID of the parent process."},{"name":"ParentProcessIntegrityLevel","type":"string","description":"Integrity Level for parent process."},{"name":"ParentProcessMD5","type":"string","description":"The MD5 hash of the parent process image file."},{"name":"ParentProcessSHA1","type":"string","description":"The SHA-1 hash of the parent process image file."},{"name":"ParentProcessSHA256","type":"string","description":"The SHA-256 hash of the parent process image file."},{"name":"ParentProcessSHA512","type":"string","description":"The SHA-512 hash of the parent process image file."},{"name":"ParentProcessIMPHASH","type":"string","description":"The Import Hash of all the library DLLs that are used by the parent process."},{"name":"ParentProcessCreationTime","type":"datetime","description":"The date and time when the parent process was started."},{"name":"ParentProcessTokenElevation","type":"string","description":"A token indicating the presence or absence of User Account Control (UAC) privilege elevation applied to the parent process."},{"name":"TargetProcessCommandLine","type":"string","description":"The command line used to run the target process."},{"name":"TargetProcessName","type":"string","description":"The name of the target process."},{"name":"TargetProcessFileCompany","type":"string","description":"The company that created the target process image file."},{"name":"TargetProcessFileDescription","type":"string","description":"The description from the version information of the target process image 
file."},{"name":"TargetProcessFileProduct","type":"string","description":"The product name from the version information in the target process image file."},{"name":"TargetProcessFileVersion","type":"string","description":"The product version from the version information of the target process image file."},{"name":"TargetProcessFileInternalName","type":"string","description":"The product internal file name from the version information of the target process image file."},{"name":"TargetProcessFileOriginalName","type":"string","description":"The product original file name from the version information of the target process image file."},{"name":"TargetProcessFilename","type":"string","description":"The product file name from the version information of the target process image file."},{"name":"TargetProcessIsHidden","type":"bool","description":"An indication of whether the target process is in hidden mode."},{"name":"TargetProcessInjectedAddress","type":"string","description":"The memory address in which the responsible target process is stored."},{"name":"TargetProcessId","type":"string","description":"The process ID of the target process."},{"name":"TargetProcessGuid","type":"string","description":"A GUID of the target process."},{"name":"TargetProcessIntegrityLevel","type":"string","description":"Integrity Level for target process."},{"name":"TargetProcessMD5","type":"string","description":"The MD5 hash of the target process image file."},{"name":"TargetProcessSHA1","type":"string","description":"The SHA-1 hash of the target process image file."},{"name":"TargetProcessSHA256","type":"string","description":"The SHA-256 hash of the target process image file."},{"name":"TargetProcessSHA512","type":"string","description":"The SHA-512 hash of the target process image file."},{"name":"TargetProcessIMPHASH","type":"string","description":"The Import Hash of all the library DLLs that are used by the target 
process."},{"name":"TargetProcessCreationTime","type":"datetime","description":"The date and time when the target process was started."},{"name":"TargetProcessTokenElevation","type":"string","description":"A token indicating the presence or absence of User Account Control (UAC) privilege elevation applied to the target process."},{"name":"TargetProcessFileSize","type":"long","description":"Size of the file in bytes that ran the process responsible for the event."},{"name":"TargetProcessCurrentDirectory","type":"string","description":"The current directory in which the target process is executed."},{"name":"TargetProcessStatusCode","type":"string","description":"The exit code returned by the target process when terminated."},{"name":"RuleName","type":"string","description":"The name or ID of the rule associated with the inspection results."},{"name":"RuleNumber","type":"int","description":"The number of the rule associated with the inspection results."},{"name":"ThreatId","type":"string","description":"The ID of the threat or malware identified in the activity."},{"name":"ThreatName","type":"string","description":"The name of the threat or malware identified in the activity."},{"name":"ThreatCategory","type":"string","description":"The category of the threat or malware identified in activity."},{"name":"ThreatRiskLevel","type":"int","description":"The risk level associated with the identified threat. 
The level should be a number between 0 and 100."},{"name":"ThreatOriginalRiskLevel","type":"string","description":"The risk level as reported by the reporting device."},{"name":"ThreatField","type":"string","description":"The field for which a threat was identified."},{"name":"ThreatConfidence","type":"int","description":"The confidence level of the threat identified, normalized to a value between 0 and 100."},{"name":"ThreatOriginalConfidence","type":"string","description":"The original confidence level of the threat identified, as reported by the reporting device."},{"name":"ThreatIsActive","type":"bool","description":"True if the threat identified is considered an active threat."},{"name":"ThreatFirstReportedTime","type":"datetime","description":"The first time the IP address or domain was identified as a threat."},{"name":"ThreatLastReportedTime","type":"datetime","description":"The last time the IP address or domain was identified as a threat."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/processeventnormalized"],"solutions":["SecurityInsights"]}},{"id":"ASimRegistryEventLogs","name":"ASimRegistryEventLogs","tableType":"Microsoft","description":"The ASim Registry Event schema represents Windows activity of creating, modifying, or deleting Windows Registry entities. 
Registry events are specific to Windows systems, but are reported by different systems that monitor Windows, such as EDR (End Point Detection and Response) systems, Sysmon, or Windows itself.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) reflecting the time in which the event was generated."},{"name":"EventProduct","type":"string","description":"The product generating the event."},{"name":"EventVendor","type":"string","description":"The vendor of the product generating the event."},{"name":"EventResult","type":"string","description":"The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field."},{"name":"EventSeverity","type":"string","description":"The severity of the event. 
Valid values are: Informational, Low, Medium, or High."},{"name":"EventType","type":"string","description":"Describes the operation reported by the record."},{"name":"RegistryKey","type":"string","description":"The registry key associated with the operation, normalized to standard root key naming conventions."},{"name":"RegistryValue","type":"string","description":"The registry value associated with the operation."},{"name":"RegistryValueType","type":"string","description":"The type of registry value, normalized to standard form."},{"name":"RegistryValueData","type":"string","description":"The data stored in the registry value."},{"name":"RegistryPreviousKey","type":"string","description":"For operations that modify the registry, the original registry key, normalized to standard root key naming."},{"name":"RegistryPreviousValue","type":"string","description":"For operations that modify the registry, the original value type, normalized to the standard form."},{"name":"RegistryPreviousValueType","type":"string","description":"For operations that modify the registry, the original value type."},{"name":"RegistryPreviousValueData","type":"string","description":"The original registry data, for operations that modify the registry."},{"name":"ActorUserId","type":"string","description":"A unique ID of the Actor."},{"name":"ActorUserIdType","type":"string","description":"The type of the ID stored in the ActorUserId field."},{"name":"EventResultDetails","type":"string","description":"Reason or details for the result reported in the EventResult field."},{"name":"DvcIpAddr","type":"string","description":"The IP Address of the device reporting the event."},{"name":"DvcHostname","type":"string","description":"The hostname of the device reporting the event."},{"name":"DvcDomain","type":"string","description":"The domain of the device reporting the event."},{"name":"DvcDomainType","type":"string","description":"The type of 
DvcDomain."},{"name":"DvcFQDN","type":"string","description":"The hostname of the device on which the event occurred or which reported the event."},{"name":"DvcDescription","type":"string","description":"A descriptive text associated with the device."},{"name":"DvcId","type":"string","description":"The unique ID of the device on which the event occurred or which reported the event."},{"name":"DvcIdType","type":"string","description":"The type of DvcId."},{"name":"DvcAction","type":"string","description":"For reporting security systems, the action taken by the system."},{"name":"EventMessage","type":"string","description":"A general message or description."},{"name":"EventCount","type":"int","description":"The number of events described by the record."},{"name":"EventSubType","type":"string","description":"Describes a subdivision of the operation reported in the EventType field."},{"name":"EventOriginalUid","type":"string","description":"A unique ID of the original record, if provided by the source."},{"name":"EventOriginalType","type":"string","description":"The original event type or ID, if provided by the source."},{"name":"EventOriginalSubType","type":"string","description":"The original event subtype or ID, if provided by the source."},{"name":"EventOriginalResultDetails","type":"string","description":"The original result details provided by the source."},{"name":"EventOriginalSeverity","type":"string","description":"The original severity as provided by the reporting device."},{"name":"EventProductVersion","type":"string","description":"The version of the product generating the event."},{"name":"EventOwner","type":"string","description":"The owner of the event, which is usually the department or subsidiary in which it was generated."},{"name":"EventReportUrl","type":"string","description":"A URL provided in the event for a resource that provides more information about the event."},{"name":"DvcMacAddr","type":"string","description":"The MAC address of the device on which the event occurred or which reported the 
event."},{"name":"DvcZone","type":"string","description":"The network on which the event occurred or which reported the event."},{"name":"DvcOs","type":"string","description":"The operating system running on the device on which the event occurred or which reported the event."},{"name":"DvcOsVersion","type":"string","description":"The version of the operating system on the device on which the event occurred or which reported the event."},{"name":"DvcOriginalAction","type":"string","description":"The original DvcAction as provided by the reporting device."},{"name":"DvcInterface","type":"string","description":"The network interface on which data was captured."},{"name":"DvcScopeId","type":"string","description":"The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS."},{"name":"DvcScope","type":"string","description":"The cloud platform scope the device belongs to. DvcScope map to a subscription name on Azure and to an account ID on AWS."},{"name":"ActorUserAadId","type":"string","description":"The Azure Active Directory ID of the actor."},{"name":"ActorUserSid","type":"string","description":"The Windows user ID (SIDs) of the actor."},{"name":"ActorScopeId","type":"string","description":"The scope ID, such as Azure AD tenant ID, in which ActorUserId and ActorUsername are defined."},{"name":"ActorScope","type":"string","description":"The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined."},{"name":"ActorUsername","type":"string","description":"The user name of the user who initiated the event."},{"name":"ActorUsernameType","type":"string","description":"Specifies the type of the user name stored in the ActorUsername field."},{"name":"ActorUserType","type":"string","description":"The type of the Actor. 
"},{"name":"ActorOriginalUserType","type":"string","description":"The original actor user type, if provided by the source."},{"name":"ActorSessionId","type":"string","description":"The unique ID of the login session of the Actor."},{"name":"ActingProcessName","type":"string","description":"The file name of the acting process image file."},{"name":"ActingProcessId","type":"string","description":"The process ID of the acting process."},{"name":"ActingProcessCommandLine","type":"string","description":"The command line used to run the process."},{"name":"ActingProcessGuid","type":"string","description":"A generated unique identifier of the acting process."},{"name":"ParentProcessName","type":"string","description":"The file name of the parent process image file."},{"name":"ParentProcessId","type":"string","description":"The process ID of the parent process."},{"name":"ParentProcessCommandLine","type":"string","description":"The command line used to run the process."},{"name":"ParentProcessGuid","type":"string","description":"A generated unique identifier of the parent process."},{"name":"RuleName","type":"string","description":"The name or ID of the rule by associated with the inspection results."},{"name":"RuleNumber","type":"int","description":"The number of the rule associated with the inspection results."},{"name":"ThreatId","type":"string","description":"The ID of the threat or malware identified in the activity."},{"name":"ThreatName","type":"string","description":"The name of the threat or malware identified in the activity."},{"name":"ThreatCategory","type":"string","description":"The category of the threat or malware identified in activity."},{"name":"ThreatRiskLevel","type":"int","description":"The risk level associated with the identified threat. 
The level should be a number between 0 and 100."},{"name":"ThreatOriginalRiskLevel","type":"string","description":"The risk level as reported by the reporting device."},{"name":"ThreatField","type":"string","description":"The field for which a threat was identified."},{"name":"ThreatConfidence","type":"int","description":"The confidence level of the threat identified, normalized to a value between 0 and 100."},{"name":"ThreatOriginalConfidence","type":"string","description":"The original confidence level of the threat identified, as reported by the reporting device."},{"name":"ThreatIsActive","type":"bool","description":"True if the threat identified is considered an active threat."},{"name":"ThreatFirstReportedTime","type":"datetime","description":"The first time the IP address or domain was identified as a threat."},{"name":"ThreatLastReportedTime","type":"datetime","description":"The last time the IP address or domain was identified as a threat."},{"name":"EventSchema","type":"string","description":"The name of the schema."},{"name":"EventSchemaVersion","type":"string","description":"The version of the schema."},{"name":"EventStartTime","type":"datetime","description":"The time in which the event started. If the source supports aggregation and the record represents multiple events, the time when the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventEndTime","type":"datetime","description":"The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time when the last event was generated. 
If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information, represented using key/value pairs provided by the source which do not map to ASim."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"ASimUserManagementActivityLogs","name":"ASimUserManagementActivityLogs","tableType":"Microsoft","description":"The ASim User Management schema represents user management activities, such as creating a user or a group, changing user attribute, or adding a user to a group. Such events are reported, for example, by operating systems, directory services, identity management systems, and any other system reporting on its local user management activity.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) reflecting the time in which the event was generated."},{"name":"EventProduct","type":"string","description":"The product generating the event."},{"name":"EventVendor","type":"string","description":"The vendor of the product generating the event."},{"name":"EventResult","type":"string","description":"The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). 
The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field."},{"name":"EventSeverity","type":"string","description":"The severity of the event. Valid values are: Informational, Low, Medium, or High."},{"name":"EventType","type":"string","description":"Describes the operation reported by the record."},{"name":"ActorUsername","type":"string","description":"The Actor's username, including domain information when available."},{"name":"ActorUsernameType","type":"string","description":"Specifies the type of the user name stored in the ActorUsername field."},{"name":"EventResultDetails","type":"string","description":"Reason or details for the result reported in the EventResult field."},{"name":"DvcIpAddr","type":"string","description":"The IP Address of the device reporting the event."},{"name":"DvcHostname","type":"string","description":"The hostname of the device reporting the event."},{"name":"DvcDomain","type":"string","description":"The domain of the device reporting the event."},{"name":"DvcDomainType","type":"string","description":"The type of DvcDomain."},{"name":"DvcFQDN","type":"string","description":"The hostname of the device on which the event occurred or which reported the event."},{"name":"DvcId","type":"string","description":"The unique ID of the device on which the event occurred or which reported the event."},{"name":"DvcIdType","type":"string","description":"The type of DvcId."},{"name":"DvcAction","type":"string","description":"For reporting security systems, the action taken by the system."},{"name":"SrcIpAddr","type":"string","description":"The IP address of the source device."},{"name":"SrcPortNumber","type":"int","description":"The Source IP port from which the connection originated."},{"name":"SrcHostname","type":"string","description":"The source device hostname, excluding domain information."},{"name":"SrcMacAddr","type":"string","description":"The MAC 
address of the source device."},{"name":"SrcDomain","type":"string","description":"The domain of the source device."},{"name":"SrcDomainType","type":"string","description":"The type of SrcDomain."},{"name":"EventMessage","type":"string","description":"A general message or description."},{"name":"EventCount","type":"int","description":"The number of events described by the record."},{"name":"EventSubType","type":"string","description":"Describes a subdivision of the operation reported in the EventType field."},{"name":"EventOriginalUid","type":"string","description":"A unique ID of the original record, if provided by the source."},{"name":"EventOriginalType","type":"string","description":"The original event type or ID, if provided by the source."},{"name":"EventOriginalSubType","type":"string","description":"The original event subtype or ID, if provided by the source."},{"name":"EventOriginalResultDetails","type":"string","description":"The original result details provided by the source."},{"name":"EventOriginalSeverity","type":"string","description":"The original severity as provided by the reporting device."},{"name":"EventProductVersion","type":"string","description":"The version of the product generating the event."},{"name":"EventOwner","type":"string","description":"The owner of the event, which is usually the department or subsidiary in which it was generated."},{"name":"EventReportUrl","type":"string","description":"A URL provided in the event for a resource that provides more information about the event."},{"name":"DvcDescription","type":"string","description":"A descriptive text associated with the device."},{"name":"DvcMacAddr","type":"string","description":"The MAC address of the device on which the event occurred or which reported the event."},{"name":"DvcZone","type":"string","description":"The network on which the event occurred or which reported the event."},{"name":"DvcOs","type":"string","description":"The operating system running on the device on 
which the event occurred or which reported the event."},{"name":"DvcOsVersion","type":"string","description":"The version of the operating system on the device on which the event occurred or which reported the event."},{"name":"DvcOriginalAction","type":"string","description":"The original DvcAction as provided by the reporting device."},{"name":"DvcInterface","type":"string","description":"The network interface on which data was captured."},{"name":"DvcScopeId","type":"string","description":"The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS."},{"name":"DvcScope","type":"string","description":"The cloud platform scope the device belongs to. DvcScope map to a subscription name on Azure and to an account ID on AWS."},{"name":"ActorUserId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the actor."},{"name":"ActorUserAadId","type":"string","description":"The Azure Active Directory ID of the actor."},{"name":"ActorUserSid","type":"string","description":"The Windows user ID (SIDs) of the actor."},{"name":"ActorUserIdType","type":"string","description":"The type of the ID stored in the ActorUserId field."},{"name":"ActorScopeId","type":"string","description":"The scope ID, such as Azure AD tenant ID, in which ActorUserId and ActorUsername are defined."},{"name":"ActorScope","type":"string","description":"The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined."},{"name":"ActorUserType","type":"string","description":"The type of the Actor."},{"name":"ActorOriginalUserType","type":"string","description":"The original actor user type, if provided by the source."},{"name":"ActorSessionId","type":"string","description":"The unique ID of the sign-in session of the Actor."},{"name":"TargetUserId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the target 
user."},{"name":"TargetUserUid","type":"string","description":"The Unix or Linux user ID of the user."},{"name":"TargetUserIdType","type":"string","description":"The type of the ID stored in the TargetUserId field."},{"name":"TargetUserScopeId","type":"string","description":"The scope ID, such as Azure AD tenant ID, in which TargetUserId and TargetUsername are defined."},{"name":"TargetUserScope","type":"string","description":"The scope, such as Azure AD tenant name, in which TargetUserId and TargetUsername are defined."},{"name":"TargetUsername","type":"string","description":"The target username, including domain information when available."},{"name":"TargetUsernameType","type":"string","description":"Specifies the type of the username stored in the TargetUsername field."},{"name":"TargetUserType","type":"string","description":"The type of target user."},{"name":"TargetUserSessionId","type":"string","description":"The unique ID of the sign-in session of the user."},{"name":"TargetOriginalUserType","type":"string","description":"The original destination user type, if provided by the source."},{"name":"GroupId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the group, for activities involving a group."},{"name":"GroupIdType","type":"string","description":"The type of the ID stored in the GroupId field."},{"name":"GroupName","type":"string","description":"The group name, including domain information when available, for activities involving a group."},{"name":"GroupNameType","type":"string","description":"Specifies the type of the group name stored in the GroupName field."},{"name":"GroupType","type":"string","description":"The type of the group, for activities involving a group."},{"name":"GroupOriginalType","type":"string","description":"The original group type, if provided by the source."},{"name":"SrcFQDN","type":"string","description":"The source device hostname, including domain information when 
available."},{"name":"SrcDescription","type":"string","description":"A descriptive text associated with the source device."},{"name":"SrcDvcId","type":"string","description":"The ID of the source device as reported in the record."},{"name":"SrcDvcIdType","type":"string","description":"The type of SrcDvcId."},{"name":"SrcDvcScopeId","type":"string","description":"The cloud platform scope ID the source device belongs to. SrcDvcScopeId maps to a subscription ID on Azure and to an account ID on AWS."},{"name":"SrcDvcScope","type":"string","description":"The cloud platform scope the source device belongs to. SrcDvcScope maps to a subscription name on Azure and to an account ID on AWS."},{"name":"SrcDeviceType","type":"string","description":"The type of the source device."},{"name":"SrcGeoCountry","type":"string","description":"The country associated with the source IP address."},{"name":"SrcGeoLatitude","type":"real","description":"The latitude of the geographical coordinate associated with the source IP address."},{"name":"SrcGeoLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the source IP address."},{"name":"SrcGeoRegion","type":"string","description":"The region within a country associated with the source IP address."},{"name":"SrcGeoCity","type":"string","description":"The city associated with the source IP address."},{"name":"SrcRiskLevel","type":"int","description":"The risk level associated with the identified Source."},{"name":"SrcOriginalRiskLevel","type":"string","description":"The risk level associated with the identified Source as reported by the reporting device."},{"name":"ActingAppId","type":"string","description":"The ID of the application used by the actor to perform the activity, including a process, browser, or service."},{"name":"ActingAppName","type":"string","description":"The name of the application used by the actor to perform the activity, including a process, browser, or 
service."},{"name":"ActingAppType","type":"string","description":"The type of acting application."},{"name":"ActingOriginalAppType","type":"string","description":"The acting application type as reported by the reporting device."},{"name":"HttpUserAgent","type":"string","description":"When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication."},{"name":"PreviousPropertyValue","type":"string","description":"The previous value that was stored in the specified property."},{"name":"NewPropertyValue","type":"string","description":"The new value stored in the specified property."},{"name":"RuleName","type":"string","description":"The name or ID of the rule associated with the inspection results."},{"name":"RuleNumber","type":"int","description":"The number of the rule associated with the inspection results."},{"name":"ThreatId","type":"string","description":"The ID of the threat or malware identified in the activity."},{"name":"ThreatName","type":"string","description":"The name of the threat or malware identified in the activity."},{"name":"ThreatCategory","type":"string","description":"The category of the threat or malware identified in the activity."},{"name":"ThreatRiskLevel","type":"int","description":"The risk level associated with the identified threat. 
The level should be a number between 0 and 100."},{"name":"ThreatOriginalRiskLevel","type":"string","description":"The risk level as reported by the reporting device."},{"name":"ThreatField","type":"string","description":"The field for which a threat was identified."},{"name":"ThreatConfidence","type":"int","description":"The confidence level of the threat identified, normalized to a value between 0 and 100."},{"name":"ThreatOriginalConfidence","type":"string","description":"The original confidence level of the threat identified, as reported by the reporting device."},{"name":"ThreatIsActive","type":"bool","description":"True if the threat identified is considered an active threat."},{"name":"ThreatFirstReportedTime","type":"datetime","description":"The first time the IP address or domain was identified as a threat."},{"name":"ThreatLastReportedTime","type":"datetime","description":"The last time the IP address or domain was identified as a threat."},{"name":"EventSchema","type":"string","description":"The name of the schema"},{"name":"EventSchemaVersion","type":"string","description":"The version of the schema."},{"name":"EventStartTime","type":"datetime","description":"The time in which the event started. If the source supports aggregation and the record represents multiple events, the time when the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventEndTime","type":"datetime","description":"The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time when the last event was generated. 
If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information, represented using key/value pairs provided by the source which do not map to ASim."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/asimtables"],"solutions":["SecurityInsights"]}},{"id":"ASimWebSessionLogs","name":"ASimWebSessionLogs","tableType":"Microsoft","description":"The Advanced Security Information Model (ASIM) Web Session normalization schema - describe an IP network activity. For example, IP network activities are reported by web servers, web proxies, and web security gateways.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) reflecting the time in which the event was generated."},{"name":"Dvc","type":"string","description":"A unique identifier of the device on which the event occurred or which reported the event."},{"name":"DvcIpAddr","type":"string","description":"The IP Address of the device reporting the event."},{"name":"DvcHostname","type":"string","description":"The hostname of the device reporting the event."},{"name":"DvcDomain","type":"string","description":"The domain of the device reporting the event."},{"name":"DvcDomainType","type":"string","description":"The type of DvcDomain. 
Possible values include 'Windows' and 'FQDN'."},{"name":"DvcFQDN","type":"string","description":"The hostname of the device on which the event occurred or which reported the event."},{"name":"DvcId","type":"string","description":"The unique ID of the device on which the event occurred or which reported the event."},{"name":"DvcIdType","type":"string","description":"The type of DvcId."},{"name":"DvcAction","type":"string","description":"The action taken on the web session."},{"name":"DvcOriginalAction","type":"string","description":"The original DvcAction as provided by the reporting device."},{"name":"EventMessage","type":"string","description":"A general message or description."},{"name":"EventCount","type":"int","description":"This value is used when the source supports aggregation, and a single record may represent multiple events."},{"name":"EventStartTime","type":"datetime","description":"The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventEndTime","type":"datetime","description":"The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field."},{"name":"EventType","type":"string","description":"The operation reported by the record."},{"name":"EventSubType","type":"string","description":"Additional description of the event type, if applicable."},{"name":"EventResult","type":"string","description":"The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). 
The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field."},{"name":"EventResultDetails","type":"string","description":"The HTTP status code."},{"name":"EventOriginalUid","type":"string","description":"A unique ID of the original record, if provided by the source."},{"name":"EventOriginalType","type":"string","description":"The original event type or ID, if provided by the source."},{"name":"EventOriginalSubType","type":"string","description":"The original event subtype or ID, if provided by the source. For example, this field will be used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema."},{"name":"EventOriginalResultDetails","type":"string","description":"The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema."},{"name":"EventSeverity","type":"string","description":"The severity of the event. Valid values are: Informational, Low, Medium, or High."},{"name":"EventOriginalSeverity","type":"string","description":"The original severity as provided by the reporting device. 
This value is used to derive EventSeverity."},{"name":"EventProduct","type":"string","description":"The product generating the event."},{"name":"EventProductVersion","type":"string","description":"The version of the product generating the event."},{"name":"EventVendor","type":"string","description":"The vendor of the product generating the event."},{"name":"EventSchemaVersion","type":"string","description":"The version of the schema."},{"name":"EventReportUrl","type":"string","description":"A URL provided in the event for a resource that provides more information about the event."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information, represented using key/value pairs provided by the source which do not map to ASim."},{"name":"DstAppName","type":"string","description":"The name of the destination application."},{"name":"DstAppId","type":"string","description":"The ID of the destination application, as reported by the reporting device."},{"name":"DstAppType","type":"string","description":"The type of the destination application."},{"name":"DstIpAddr","type":"string","description":"The IP address of the connection or session destination."},{"name":"DstPortNumber","type":"int","description":"The destination IP port."},{"name":"DstHostname","type":"string","description":"The destination device hostname, excluding domain information."},{"name":"DstDomain","type":"string","description":"The domain of the destination device."},{"name":"DstDomainType","type":"string","description":"The type of DstDomain."},{"name":"DstFQDN","type":"string","description":"The destination device hostname, including domain information when available."},{"name":"DstDvcId","type":"string","description":"The ID of the destination device."},{"name":"DstDvcIdType","type":"string","description":"The type of DstDvcId."},{"name":"DstDeviceType","type":"string","description":"The type of the destination device."},{"name":"DstGeoCountry","type":"string","description":"The 
country associated with the destination IP address."},{"name":"DstGeoRegion","type":"string","description":"The region, or state, within a country associated with the destination IP address."},{"name":"DstGeoCity","type":"string","description":"The city associated with the destination IP address."},{"name":"DstGeoLatitude","type":"real","description":"The latitude of the geographical coordinate associated with the destination IP address."},{"name":"DstGeoLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the destination IP address."},{"name":"DstUserId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the destination user."},{"name":"DstUserIdType","type":"string","description":"The type of the ID stored in the DstUserId field."},{"name":"DstUsername","type":"string","description":"The destination username, including domain information when available. Use the simple form only if domain information isn't available."},{"name":"DstUsernameType","type":"string","description":"Specifies the type of the username stored in the DstUsername field."},{"name":"DstUserType","type":"string","description":"The type of destination user."},{"name":"DstOriginalUserType","type":"string","description":"The original destination user type, if provided by the source."},{"name":"NetworkApplicationProtocol","type":"string","description":"The application layer protocol used by the connection or session."},{"name":"NetworkProtocol","type":"string","description":"The IP protocol used by the connection or session as listed in IANA protocol assignment, which is typically TCP, UDP, or ICMP."},{"name":"NetworkProtocolVersion","type":"string","description":"The version of NetworkProtocol."},{"name":"NetworkDirection","type":"string","description":"The direction of the connection or session."},{"name":"NetworkDuration","type":"int","description":"The amount of time, in milliseconds, for the completion of the 
web session or connection."},{"name":"NetworkIcmpType","type":"string","description":"For an ICMP message, the ICMP message type text representation, as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections."},{"name":"NetworkIcmpCode","type":"int","description":"For an ICMP message, the ICMP message type numeric value as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections."},{"name":"NetworkConnectionHistory","type":"string","description":"TCP flags and other potential IP header information."},{"name":"DstBytes","type":"long","description":"The number of bytes sent from the destination to the source for the connection or session. If the event is aggregated, DstBytes is the sum over all aggregated sessions."},{"name":"SrcBytes","type":"long","description":"The number of bytes sent from the source to the destination for the connection or session. If the event is aggregated, SrcBytes is the sum over all aggregated sessions."},{"name":"NetworkBytes","type":"long","description":"Number of bytes sent in both directions. If both BytesReceived and BytesSent exist, BytesTotal should equal their sum. If the event is aggregated, NetworkBytes is the sum over all aggregated sessions."},{"name":"DstPackets","type":"long","description":"The number of packets sent from the destination to the source for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, DstPackets is the sum over all aggregated sessions."},{"name":"SrcPackets","type":"long","description":"The number of packets sent from the source to the destination for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, SrcPackets is the sum over all aggregated sessions."},{"name":"NetworkPackets","type":"long","description":"The number of packets sent in both directions. 
If both PacketsReceived and PacketsSent exist, BytesTotal should equal their sum. The meaning of a packet is defined by the reporting device. If the event is aggregated, NetworkPackets is the sum over all aggregated sessions."},{"name":"NetworkSessionId","type":"string","description":"The session identifier as reported by the reporting device."},{"name":"ThreatOriginalRiskLevel","type":"string","description":"The risk level as reported by the reporting device."},{"name":"ThreatIpAddr","type":"string","description":"An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents."},{"name":"ThreatField","type":"string","description":"The field for which a threat was identified. The value is either SrcIpAddr, DstIpAddr, Domain, or DnsResponseName."},{"name":"ThreatConfidence","type":"int","description":"The confidence level of the threat identified, normalized to a value between 0 and 100."},{"name":"ThreatOriginalConfidence","type":"string","description":"The original confidence level of the threat identified, as reported by the reporting device."},{"name":"ThreatIsActive","type":"bool","description":"True if the threat identified is considered an active threat."},{"name":"ThreatFirstReportedTime","type":"datetime","description":"The first time the IP address or domain was identified as a threat."},{"name":"ThreatLastReportedTime","type":"datetime","description":"The last time the IP address or domain was identified as a threat."},{"name":"DstNatIpAddr","type":"string","description":"The DstNatIpAddr represents either of: The original address of the destination device if network address translation was used or the IP address used by the intermediary device for communication with the source."},{"name":"DstNatPortNumber","type":"int","description":"If reported by an intermediary NAT device, the port used by the NAT device for communication with the 
source."},{"name":"SrcNatIpAddr","type":"string","description":"The SrcNatIpAddr represents either of: The original address of the source device if network address translation was used or the IP address used by the intermediary device for communication with the destination."},{"name":"SrcNatPortNumber","type":"int","description":"If reported by an intermediary NAT device, the port used by the NAT device for communication with the destination."},{"name":"SrcAppName","type":"string","description":"The name of the source application."},{"name":"SrcAppId","type":"string","description":"The ID of the source application, as reported by the reporting device."},{"name":"SrcAppType","type":"string","description":"The type of the source application."},{"name":"SrcIpAddr","type":"string","description":"The IP address from which the connection or session originated."},{"name":"SrcPortNumber","type":"int","description":"The IP port from which the connection originated. Might not be relevant for a session comprising multiple connections."},{"name":"SrcHostname","type":"string","description":"The source device hostname, excluding domain information. 
If no device name is available, may store the relevant IP address."},{"name":"SrcDomain","type":"string","description":"The domain of the source device."},{"name":"SrcDomainType","type":"string","description":"The type of SrcDomain."},{"name":"SrcFQDN","type":"string","description":"The source device hostname, including domain information when available."},{"name":"SrcDvcId","type":"string","description":"The ID of the source device."},{"name":"SrcDvcIdType","type":"string","description":"The type of SrcDvcId."},{"name":"SrcDeviceType","type":"string","description":"The type of the source device."},{"name":"SrcGeoCountry","type":"string","description":"The country associated with the source IP address."},{"name":"SrcGeoRegion","type":"string","description":"The region within a country associated with the source IP address."},{"name":"SrcGeoCity","type":"string","description":"The city associated with the source IP address."},{"name":"SrcGeoLatitude","type":"real","description":"The latitude of the geographical coordinate associated with the source IP address."},{"name":"SrcGeoLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the source IP address."},{"name":"SrcUserId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the source user."},{"name":"SrcUserIdType","type":"string","description":"The type of the ID stored in the SrcUserId field."},{"name":"SrcUsername","type":"string","description":"The source username, including domain information when available."},{"name":"SrcUsernameType","type":"string","description":"Specifies the type of the username stored in the SrcUsername field."},{"name":"SrcUserType","type":"string","description":"The type of the source user."},{"name":"SrcOriginalUserType","type":"string","description":"The original destination user type, if provided by the reporting device."},{"name":"Url","type":"string","description":"The full HTTP request 
URL, including parameters."},{"name":"UrlCategory","type":"string","description":"The defined grouping of a URL or the domain part of the URL."},{"name":"UrlOriginal","type":"string","description":"The original value of the URL, when the URL was modified by the reporting device and both values are provided."},{"name":"HttpVersion","type":"string","description":"The HTTP Request Version."},{"name":"HttpRequestMethod","type":"string","description":"The HTTP Method."},{"name":"HttpContentType","type":"string","description":"The HTTP Response content type header."},{"name":"HttpContentFormat","type":"string","description":"The content format part of the HttpContentType."},{"name":"HttpReferrer","type":"string","description":"The HTTP referrer header."},{"name":"HttpUserAgent","type":"string","description":"The HTTP user agent header."},{"name":"HttpRequestXff","type":"string","description":"The HTTP X-Forwarded-For header."},{"name":"HttpRequestTime","type":"int","description":"The amount of time, in milliseconds, it took to send the request to the server."},{"name":"HttpResponseTime","type":"int","description":"The amount of time, in milliseconds, it took to receive a response in the server."},{"name":"FileName","type":"string","description":"For HTTP uploads, the name of the uploaded file."},{"name":"FileMD5","type":"string","description":"For HTTP uploads, the MD5 hash of the uploaded file."},{"name":"FileSHA1","type":"string","description":"For HTTP uploads, the SHA1 hash of the uploaded file."},{"name":"FileSHA256","type":"string","description":"For HTTP uploads, the SHA256 hash of the uploaded file."},{"name":"FileSHA512","type":"string","description":"For HTTP uploads, the SHA512 hash of the uploaded file."},{"name":"FileSize","type":"int","description":"For HTTP uploads, the size in bytes of the uploaded file."},{"name":"FileContentType","type":"string","description":"For HTTP uploads, the content type of the uploaded 
file."},{"name":"RuleName","type":"string","description":"The name or ID of the rule by which DvcAction was decided upon. Example: AnyAnyDrop."},{"name":"RuleNumber","type":"int","description":"The number of the rule by which DvcAction was decided upon. Example: 23."},{"name":"Rule","type":"string","description":"Either NetworkRuleName or NetworkRuleNumber."},{"name":"ThreatId","type":"string","description":"The ID of the threat or malware identified in the web session."},{"name":"ThreatName","type":"string","description":"The name of the threat or malware identified in the web session."},{"name":"ThreatCategory","type":"string","description":"The category of the threat or malware identified in the web session."},{"name":"ThreatRiskLevel","type":"int","description":"The risk level associated with the session. The level is a number between 0 and 100."},{"name":"HttpHost","type":"string","description":"The virtual web server the HTTP request has targeted."},{"name":"EventOwner","type":"string","description":"The owner of the event, which is usually the department or subsidiary in which it was generated."},{"name":"SrcProcessName","type":"string","description":"The name of the source process."},{"name":"SrcProcessId","type":"string","description":"The process ID (PID) of the source process."},{"name":"SrcProcessGuid","type":"string","description":"A generated unique identifier (GUID) of the source process."},{"name":"SrcUserScope","type":"string","description":"The scope, such as Azure AD tenant, in which SrcUserId and SrcUsername are defined."},{"name":"SrcUserScopeId","type":"string","description":"The ID of the scope, such as Azure AD tenant, in which SrcUserId and SrcUsername are defined."},{"name":"SrcDvcScopeId","type":"string","description":"The cloud platform scope ID the source device belongs to. 
DvcScopeId maps to a subscription ID on Azure and to an account ID on AWS."},{"name":"SrcDvcScope","type":"string","description":"The cloud platform scope the source device belongs to. DvcScope maps to a subscription on Azure and to an account on AWS."},{"name":"DstDvcScopeId","type":"string","description":"The cloud platform scope ID the destination device belongs to. DvcScopeId maps to a subscription ID on Azure and to an account ID on AWS."},{"name":"DstDvcScope","type":"string","description":"The cloud platform scope the destination device belongs to. DvcScope maps to a subscription on Azure and to an account on AWS."},{"name":"SrcMacAddr","type":"string","description":"The MAC address of the network interface from which the connection or session originated."},{"name":"DstMacAddr","type":"string","description":"The MAC address of the network interface used for the connection or session by the destination device."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/websessionlogs"],"solutions":["SecurityInsights"]}},{"id":"ATCExpressRouteCircuitIpfix","name":"ATCExpressRouteCircuitIpfix","tableType":"Microsoft","description":"This table has Express Route Circuit IPFIX flow records. 
Flow records are captured and emitted by Azure Traffic Collector (ATC).","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the Azure Traffic Collector (ATC) emitted this flow record."},{"name":"OperationName","type":"string","description":"The specific Azure Traffic Collector (ATC) operation that emitted this flow record."},{"name":"ATCResourceId","type":"string","description":"Azure resource ID of Azure Traffic Collector (ATC)."},{"name":"ATCRegion","type":"string","description":"Azure Traffic Collector (ATC) deployment region."},{"name":"SchemaVersion","type":"string","description":"Flow record schema version."},{"name":"FlowRecordTime","type":"datetime","description":"Timestamp (UTC) when Express Route Circuit emitted this flow record."},{"name":"ExRCircuitId","type":"string","description":"Azure resource ID of Express Route Circuit."},{"name":"ExRCircuitServiceKey","type":"string","description":"Service key of Express Route Circuit."},{"name":"ExRCircuitDirectPortId","type":"string","description":"Azure resource ID of Express Route Circuit's direct port."},{"name":"SourceIp","type":"string","description":"Source IP address."},{"name":"DestinationIp","type":"string","description":"Destination IP address."},{"name":"SourcePort","type":"int","description":"TCP source port."},{"name":"DestinationPort","type":"int","description":"TCP destination port."},{"name":"Protocol","type":"int","description":"Protocol type as specified in IP header."},{"name":"NumberOfBytes","type":"long","description":"Total number of bytes of packets captured in this flow."},{"name":"NumberOfPackets","type":"long","description":"Total number of packets captured in this flow."},{"name":"Flowsequence","type":"long","description":"Flow sequence of this flow."},{"name":"IpClassOfService","type":"int","description":"IP Class of service as specified in IP 
header."},{"name":"IpProtocolIdentifier","type":"int","description":"Protocol type as specified in IP header."},{"name":"IcmpType","type":"int","description":"Protocol type as specified in IP header."},{"name":"SrcMask","type":"int","description":"Mask of source subnet."},{"name":"DstMask","type":"int","description":"Mask of destination subnet."},{"name":"SrcAsn","type":"int","description":"Source Autonomous System Number (ASN)."},{"name":"DstAsn","type":"int","description":"Destination Autonomous System Number (ASN)."},{"name":"NextHop","type":"string","description":"Next hop as per forwarding table."},{"name":"TcpFlag","type":"int","description":"TCP flag as defined in the TCP header."},{"name":"MinTtl","type":"int","description":"Minimum time to live (TTL) as defined in the IP header."},{"name":"MaxTtl","type":"int","description":"Maximum time to live (TTL) as defined in the IP header."},{"name":"SrcSubnet","type":"string","description":"Source subnet of source IP."},{"name":"DstSubnet","type":"string","description":"Destination subnet of destination IP."},{"name":"IpVerCode","type":"int","description":"IP version as defined in the IP header."},{"name":"BgpNextHop","type":"string","description":"Border Gateway Protocol (BGP) next hop as defined in the routing table."},{"name":"PeeringType","type":"string","description":"Express Route Circuit peering type."},{"name":"Dot1qVlanId","type":"int","description":"Dot1q VlanId."},{"name":"Dot1qCustomerVlanId","type":"int","description":"Dot1q Customer VlanId."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.networkfunction/azuretrafficcollectors"],"solutions":["LogManagement"],"queries":["db83ff91-df3b-4d7d-b62f-559d49e7d63c","5c27eae1-f25b-46e1-b18b-c1cc11e35ddb","b40ab49e-3ef0-4c97-862b-207b98a68b02"]}},{"id":"ATCMicrosoftPeeringMetadata","name":"ATCMicrosoftPeeringMetadata","tableType":"Microsoft","description":"This table has Microsoft Peering public IP metadata.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the Azure Traffic Collector (ATC) emitted this record."},{"name":"OperationName","type":"string","description":"The specific Azure Traffic Collector (ATC) operation that emitted this record."},{"name":"ATCResourceId","type":"string","description":"Azure resource ID of Azure Traffic Collector (ATC)."},{"name":"ATCRegion","type":"string","description":"Azure Traffic Collector (ATC) deployment region."},{"name":"SchemaVersion","type":"string","description":"Flow record schema version."},{"name":"IpSubnet","type":"string","description":"Subnet of Microsoft Peering IP prefix."},{"name":"IpMask","type":"string","description":"Mask of Microsoft Peering IP prefix."},{"name":"ServiceName","type":"string","description":"Type of service the IP prefix is."},{"name":"PrefixRegion","type":"string","description":"Azure region of the IP prefix."},{"name":"ServiceBgpCommunity","type":"string","description":"Service-based Border Gateway Protocol (BGP) Community tag."},{"name":"RegionalBgpCommunity","type":"string","description":"Region-based Border Gateway Protocol (BGP) Community tag."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the 
record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.networkfunction/azuretrafficcollectors"],"solutions":["LogManagement"]}},{"id":"ATCPrivatePeeringMetadata","name":"ATCPrivatePeeringMetadata","tableType":"Microsoft","description":"This table has Private Peering Vnet metadata.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the Azure Traffic Collector (ATC) emitted this record."},{"name":"OperationName","type":"string","description":"The specific Azure Traffic Collector (ATC) operation that emitted this record."},{"name":"ATCResourceId","type":"string","description":"Azure resource ID of Azure Traffic Collector (ATC)."},{"name":"ATCRegion","type":"string","description":"Azure Traffic Collector (ATC) deployment region."},{"name":"SchemaVersion","type":"string","description":"Flow record schema version."},{"name":"ExRCircuitId","type":"string","description":"Azure resource ID of Express Route Circuit."},{"name":"ExRCircuitServiceKey","type":"string","description":"Service key of Express Route Circuit."},{"name":"VnetId","type":"string","description":"Azure resource ID of Virtual Network."},{"name":"VnetSubscriptionId","type":"string","description":"Azure subscription ID of Virtual Network."},{"name":"VnetResourceGroup","type":"string","description":"Azure resource group of Virtual Network."},{"name":"VnetName","type":"string","description":"Virtual Network resource name."},{"name":"VnetLocation","type":"string","description":"Azure region of Virtual Network resource."},{"name":"VnetAddressPrefix","type":"string","description":"IP address of Virtual Network resource."},{"name":"IpMask","type":"int","description":"Mask of Virtual Network 
resource."},{"name":"IpSubnet","type":"dynamic","description":"Azure resource ID of subnet and subnet IP address."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.networkfunction/azuretrafficcollectors"],"solutions":["LogManagement"]}},{"id":"AVNMConnectivityConfigurationChange","name":"AVNMConnectivityConfigurationChange","tableType":"Microsoft","description":"Includes logs related to application or removal of connectivity configuration, on network resources like a virtual network.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time the event was generated."},{"name":"Location","type":"string","description":"Region of the network resource managed by network manager like virtual network."},{"name":"OperationName","type":"string","description":"Name of the operation that applies connectivity configuration or removes applied connectivity configuration on network resources like virtual network."},{"name":"CorrelationId","type":"string","description":"The correlation ID associated with the connectivity configuration change operation of network resources. 
Logs having same correlation Ids are part of same connectivity configuration change operation."},{"name":"ResultType","type":"string","description":"Indicates the operation status and can include: Success, Failure."},{"name":"LogLevel","type":"string","description":"Indicates the log level and can include: Info, Warning, Error."},{"name":"Message","type":"string","description":"A brief success or failure message."},{"name":"SelfDiagnosis","type":"string","description":"A descriptive self diagnosis message that can include explanations and resolution steps in the case of failures or warnings."},{"name":"NetworkResourceIds","type":"dynamic","description":"Virtual Network IDs for which applied connectivity configurations changed."},{"name":"AppliedConnectivityConfigurations","type":"dynamic","description":"List of connectivity configuration IDs along with the connectivity topology currently applied to the network resources like virtual networks listed in NetworkResourceIds by your network manager."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","network","audit"],"resourceTypes":["microsoft.network/networkmanagers"],"solutions":["LogManagement"],"queries":["32e84b39-f121-4053-8d37-111c385f3e1a","b09ac15b-67c3-4531-bbb6-b0e2dba38d73"]}},{"id":"AVNMIPAMPoolAllocationChange","name":"AVNMIPAMPoolAllocationChange","tableType":"Microsoft","description":"Includes changes to allocations of an IPAM Pool such as Virtual Networks, static CIDRs, or child 
pools.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":" The date and time the event was generated."},{"name":"Location","type":"string","description":"Region of the IPAM Pool."},{"name":"OperationName","type":"string","description":" Name of the operation that triggered the pool allocation change."},{"name":"CorrelationId","type":"string","description":"The correlation ID associated with the pool allocation change operation."},{"name":"ResultType","type":"string","description":"Indicates the operation status and can include: Success, Failure."},{"name":"LogLevel","type":"string","description":"Indicates the log level and can include: Info, Warning, Error."},{"name":"Message","type":"string","description":"A brief success or failure message."},{"name":"ChangeType","type":"string","description":"The type of allocation change and can include: Add, Remove, Update."},{"name":"ChangeReason","type":"string","description":"The reason why allocations were changed and can include: ResourceAddedToPool, ResourceRemovedFromPool, ResourceDeleted, ResourceCidrsChanged, ReservedResourceCreated, AvnmScopeChanged."},{"name":"AllocationResources","type":"dynamic","description":"Details about resources allocated to the pool that changed, including the resource id, cidrs, and compliancy."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","network","audit"],"resourceTypes":["microsoft.network/networkmanagers"],"solutions":["LogManagement"],"queries":["e522b056-537a-4775-9e13-2bc6e83fcd9c","ed719e04-ef7e-4d72-b03f-14e429ce4a4f"]}},{"id":"AVNMNetworkGroupMembershipChange","name":"AVNMNetworkGroupMembershipChange","tableType":"Microsoft","description":"Includes changes to network group membership of network resources like a virtual network.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":" The date and time the event was generated."},{"name":"Location","type":"string","description":"Region of the Virtual Network."},{"name":"OperationName","type":"string","description":" Name of the operation that triggered the Virtual Network's addition or removal from a Network Group."},{"name":"CorrelationId","type":"string","description":"The correlation ID associated with the network group membership change operation of network resources."},{"name":"ResultType","type":"string","description":"Indicates the operation status and can include: Success, Failure."},{"name":"LogLevel","type":"string","description":"Indicates the log level and can include: Info, Warning, Error."},{"name":"Message","type":"string","description":"A brief success or failure message."},{"name":"DetailedMessage","type":"string","description":"A descriptive message that can include explanations and resolution steps in the case of failures or warnings."},{"name":"NetworkResourceIds","type":"dynamic","description":"Virtual Network IDs for which network group membership changed"},{"name":"GroupMemberships","type":"dynamic","description":"Details about the Virtual Network's membership of Network Group(s), including the networkgroupId, membership type, and membership details and 
IDs."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","network","audit"],"resourceTypes":["microsoft.network/networkmanagers"],"solutions":["LogManagement"],"queries":["f4d4d8db-7fa4-4196-872f-c8235d23ee8e","70eca34a-da99-45bf-9d68-415eb5def7c3"]}},{"id":"AVNMRuleCollectionChange","name":"AVNMRuleCollectionChange","tableType":"Microsoft","description":"Include logs related to application or removal of rule collections, on network resources like a virtual network or a subnet.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":" The date and time the event was generated."},{"name":"Location","type":"string","description":"Region of the network resource managed by network manager like virtual network, subnets."},{"name":"OperationName","type":"string","description":" Name of the operation that applies rule collections or removes applied rule collections on network resources like virtual network, subnets."},{"name":"CorrelationId","type":"string","description":"The correlation ID associated with the rule collection change operation of network resources. 
Logs having same correlation Ids are part of same rule collection change operation."},{"name":"ResultType","type":"string","description":"Indicates the operation status and can include: Success, Failure."},{"name":"LogLevel","type":"string","description":"Indicates the log level and can include: Info, Warning, Error."},{"name":"Message","type":"string","description":"A brief success or failure message."},{"name":"SelfDiagnosis","type":"string","description":"A descriptive self diagnosis message that can include explanations and resolution steps in the case of failures or warnings."},{"name":"NetworkResourceIds","type":"dynamic","description":"Virtual Network or Subnet IDs for which applied rule collections changed"},{"name":"AppliedRuleCollectionIds","type":"dynamic","description":"List of current applied rule collections to the network resources like virtual networks or subnets listed in TargetResourceIds by your network manager."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","network","audit"],"resourceTypes":["microsoft.network/networkmanagers"],"solutions":["LogManagement"],"queries":["7c5ca7f7-1d91-461b-b451-9bb10d8ebdde","10b9ae2f-97fd-4807-af5f-8039f9cc7491"]}},{"id":"AVSEsxiFirewallSyslog","name":"AVSEsxiFirewallSyslog","tableType":"Microsoft","description":"Contains firewall logs generated by ESXi hosts (distributed firewall and IDS/IPS where 
available).","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time at which the log was ingested."},{"name":"LogCreationTime","type":"datetime","description":"The time at which the log was created, if available."},{"name":"Message","type":"string","description":"The entire syslog message."},{"name":"Severity","type":"string","description":"The severity of the log. Acceptable values, in ascending level of severity: debug, info, notice, warn, err, crit, alert, emerg. This field may be empty."},{"name":"Facility","type":"string","description":"Indicates the source that generated the syslog (e.g., an operating system, a process, an application, etc)."},{"name":"HostName","type":"string","description":"The name of the host that generated this log, if available."},{"name":"AppName","type":"string","description":"The name of the application that generated this log, if available."},{"name":"ProcId","type":"string","description":"Identifies a process; specific usage varies from application to application."},{"name":"MsgId","type":"string","description":"Identifies the type of message. For example, a firewall might use MSGID \"TCPIN\" for incoming traffic, and MSGID \"TCPOUT\" for outgoing traffic. 
Messages with the same MSGID reflect events of the same semantics."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":[],"resourceTypes":["microsoft.avs/privateclouds"],"solutions":["LogManagement"]}},{"id":"AVSEsxiSyslog","name":"AVSEsxiSyslog","tableType":"Microsoft","description":"Contains logs generated by ESXi hosts, other than firewall and IDS/IPS entries.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time at which the log was ingested."},{"name":"LogCreationTime","type":"datetime","description":"The time at which the log was created, if available."},{"name":"Message","type":"string","description":"The entire syslog message."},{"name":"Severity","type":"string","description":"The severity of the log. Acceptable values, in ascending level of severity: debug, info, notice, warn, err, crit, alert, emerg. 
This field may be empty."},{"name":"Facility","type":"string","description":"Indicates the source that generated the syslog (e.g., an operating system, a process, an application, etc)."},{"name":"HostName","type":"string","description":"The name of the host that generated this log, if available."},{"name":"AppName","type":"string","description":"The name of the application that generated this log, if available."},{"name":"ProcId","type":"string","description":"Identifies a process; specific usage varies from application to application."},{"name":"MsgId","type":"string","description":"Identifies the type of message. For example, a firewall might use MSGID \"TCPIN\" for incoming traffic, and MSGID \"TCPOUT\" for outgoing traffic. Messages with the same MSGID reflect events of the same semantics."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":[],"resourceTypes":["microsoft.avs/privateclouds"],"solutions":["LogManagement"]}},{"id":"AVSNsxEdgeSyslog","name":"AVSNsxEdgeSyslog","tableType":"Microsoft","description":"Contains logs generated by NSX Edges.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time at which the log was ingested."},{"name":"LogCreationTime","type":"datetime","description":"The time at which the log was created, if available."},{"name":"Message","type":"string","description":"The entire syslog message."},{"name":"Severity","type":"string","description":"The severity of the log. 
Acceptable values, in ascending level of severity: debug, info, notice, warn, err, crit, alert, emerg. This field may be empty."},{"name":"Facility","type":"string","description":"Indicates the source that generated the syslog (e.g., an operating system, a process, an application, etc)."},{"name":"HostName","type":"string","description":"The name of the host that generated this log, if available."},{"name":"AppName","type":"string","description":"The name of the application that generated this log, if available."},{"name":"ProcId","type":"string","description":"Identifies a process; specific usage varies from application to application."},{"name":"MsgId","type":"string","description":"Identifies the type of message. For example, a firewall might use MSGID \"TCPIN\" for incoming traffic, and MSGID \"TCPOUT\" for outgoing traffic. Messages with the same MSGID reflect events of the same semantics."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":[],"resourceTypes":["microsoft.avs/privateclouds"],"solutions":["LogManagement"]}},{"id":"AVSNsxManagerSyslog","name":"AVSNsxManagerSyslog","tableType":"Microsoft","description":"Contains logs generated by NSX Managers.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time at which the log was ingested."},{"name":"LogCreationTime","type":"datetime","description":"The time at which the log was created, if 
available."},{"name":"Message","type":"string","description":"The entire syslog message."},{"name":"Severity","type":"string","description":"The severity of the log. Acceptable values, in ascending level of severity: debug, info, notice, warn, err, crit, alert, emerg. This field may be empty."},{"name":"Facility","type":"string","description":"Indicates the source that generated the syslog (e.g., an operating system, a process, an application, etc)."},{"name":"HostName","type":"string","description":"The name of the host that generated this log, if available."},{"name":"AppName","type":"string","description":"The name of the application that generated this log, if available."},{"name":"ProcId","type":"string","description":"Identifies a process; specific usage varies from application to application."},{"name":"MsgId","type":"string","description":"Identifies the type of message. For example, a firewall might use MSGID \"TCPIN\" for incoming traffic, and MSGID \"TCPOUT\" for outgoing traffic. 
Messages with the same MSGID reflect events of the same semantics."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":[],"resourceTypes":["microsoft.avs/privateclouds"],"solutions":["LogManagement"]}},{"id":"AVSSyslog","name":"AVSSyslog","tableType":"Microsoft","description":"Contains all system logs generated by VMWare applications, including (but not limited to) VCenter, NSX, and more.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time at which the log was ingested."},{"name":"LogCreationTime","type":"datetime","description":"The time at which the log was created, if available."},{"name":"Message","type":"string","description":"The entire syslog message."},{"name":"Severity","type":"string","description":"The severity of the log. Acceptable values, in ascending level of severity: debug, info, notice, warn, err, crit, alert, emerg. 
This field may be empty."},{"name":"Facility","type":"string","description":"Indicates the source that generated the syslog (e.g., an operating system, a process, an application, etc)."},{"name":"HostName","type":"string","description":"The name of the host that generated this log, if available."},{"name":"AppName","type":"string","description":"The name of the application that generated this log, if available."},{"name":"ProcId","type":"string","description":"Identifies a process; specific usage varies from application to application."},{"name":"MsgId","type":"string","description":"Identifies the type of message. For example, a firewall might use MSGID \"TCPIN\" for incoming traffic, and MSGID \"TCPOUT\" for outgoing traffic. Messages with the same MSGID reflect events of the same semantics."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":[],"resourceTypes":["microsoft.avs/privateclouds"],"solutions":["LogManagement"],"queries":["c864821b-bcc9-4305-a0e1-37dcb9f1f82d","462adba2-ab3c-42ad-8279-ba34d5f3cd49","517e9bd0-4635-44cd-9ddc-6f799d319de2","76378a5b-a5ed-4ad1-b0fa-8831475066be","a00b5597-266a-49b4-be69-ebf5606677a6","5206e354-d7a9-4eec-b3e9-7e5255a932a0","cfcdfea7-2e51-45b0-9d09-62a35900b151","7aef15d0-37cf-4db0-9691-fddd8508210b","0fc4a89c-1430-4422-816b-f3ead837b9c8","9dccb0ff-36b5-4682-b6ab-e7a4f085d782","fe1dd542-afb3-4b72-88c0-02e00a34608a","d4737f7d-28ee-4969-bf67-9065fd911210","09a0e87c-6410-4316-b7be-80b6592ca8e4","4bc9187e-5aec-464a-ba2f-86f07d1bc42b","a3b9cb07-69f5-4034-9b3d-c5f4ee3655c7","637510f2-9609-4eed-ad8d-8efc0bfe442a","cbcf3a45-5896-4020-abb3-bdc0c0581319","2079cc76-82bd-4deb-beb7-595a66c8e7b0","254a4228-9e71-489f-ba2c-e47017afbaa3"]}},{"id":"AVSVcSyslog","name":"AVSVcSyslog","tableType":"Microsoft","description":"Contains all system logs generated by vCenter appliance.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time at which the log was ingested."},{"name":"LogCreationTime","type":"datetime","description":"The time at which the log was created, if available."},{"name":"Message","type":"string","description":"The entire syslog message."},{"name":"Severity","type":"string","description":"The severity of the log. Acceptable values, in ascending level of severity: debug, info, notice, warn, err, crit, alert, emerg. 
This field may be empty."},{"name":"Facility","type":"string","description":"Indicates the source that generated the syslog (e.g., an operating system, a process, an application, etc)."},{"name":"HostName","type":"string","description":"The name of the host that generated this log, if available."},{"name":"AppName","type":"string","description":"The name of the application that generated this log, if available."},{"name":"ProcId","type":"string","description":"Identifies a process; specific usage varies from application to application."},{"name":"MsgId","type":"string","description":"Identifies the type of message. For example, a firewall might use MSGID \"TCPIN\" for incoming traffic, and MSGID \"TCPOUT\" for outgoing traffic. Messages with the same MSGID reflect events of the same semantics."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":[],"resourceTypes":["microsoft.avs/privateclouds"],"solutions":["LogManagement"]}},{"id":"AWSALBAccessLogs","name":"AWSALBAccessLogs","tableType":"Microsoft","description":"This connector allows you to ingest AWS Elastic Load Balancer (ALB, NLB and GLB) logs into Microsoft Sentinel. These logs contain detailed records for requests handled by your load balancers, including client IPs, latencies, request paths, and status codes. 
These logs are useful for monitoring traffic patterns, investigating anomalies, and ensuring security compliance.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time when the load balancer received the request."},{"name":"ALBType","type":"string","description":"The type of request (e.g., http or https)."},{"name":"Alb","type":"string","description":"The ARN of the Application Load Balancer."},{"name":"ClientIp","type":"string","description":"The IP address of the client."},{"name":"ClientPort","type":"int","description":"The port number of the client."},{"name":"TargetIp","type":"string","description":"The IP address of the target that processed the request."},{"name":"TargetPort","type":"int","description":"The port number of the target that processed the request."},{"name":"RequestProcessingTime","type":"string","description":"The total time taken by the load balancer to receive the request from the client."},{"name":"TargetProcessingTime","type":"string","description":"The total time taken by the target to process the request."},{"name":"ResponseProcessingTime","type":"string","description":"The total time taken by the load balancer to send the response to the client."},{"name":"ElbStatusCode","type":"int","description":"The status code sent from the load balancer to the client."},{"name":"TargetStatusCode","type":"string","description":"The status code received from the target."},{"name":"ReceivedBytes","type":"long","description":"The size of the request, in bytes, received from the client."},{"name":"SentBytes","type":"long","description":"The size of the response, in bytes, sent to the client."},{"name":"RequestRaw","type":"string","description":"The complete request line from the client."},{"name":"UserAgent","type":"string","description":"The user agent String of the 
client."},{"name":"SslCipher","type":"string","description":"The SSL cipher used for the SSL connection (if any)."},{"name":"SslProtocol","type":"string","description":"The SSL protocol used for the SSL connection (if any)."},{"name":"TargetGroupArn","type":"string","description":"The ARN of the target group that handled the request."},{"name":"TraceId","type":"string","description":"The trace identifier for the request, useful for debugging."},{"name":"DomainName","type":"string","description":"The SNI domain provided by the client during the TLS handshake."},{"name":"ChosenCertArn","type":"string","description":"The ARN of the certificate presented to the client."},{"name":"MatchedRulePriority","type":"string","description":"The priority value of the rule that matched the request."},{"name":"RequestCreationTime","type":"string","description":"The timestamp when the load balancer generated the request to the target."},{"name":"ActionsExecuted","type":"string","description":"The actions taken when processing the request (e.g., forward, fixed-response, redirect)."},{"name":"RedirectUrl","type":"string","description":"The URL of the redirect target, if a redirect action was taken."},{"name":"LambdaErrorReason","type":"string","description":"The reason code for a failed Lambda function, if applicable."},{"name":"TargetPortList","type":"string","description":"A list of IP:port pairs of the targets that handled the request."},{"name":"TargetStatusCodeList","type":"string","description":"A list of status codes returned by the targets."},{"name":"Classification","type":"string","description":"Classification of the request (e.g., success or error)."},{"name":"ClassificationReason","type":"string","description":"The reason why a request was classified in a certain way."},{"name":"ConnTraceId","type":"string","description":"The connection trace ID that uniquely identifies the 
connection."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"AWSCloudTrail","name":"AWSCloudTrail","tableType":"Microsoft","description":"CloudTrail logs, which are ingested through Sentinel's connector, hold all the data and management events of your Amazon Web Services account.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC). An event's time stamp comes from the local host that provides the service API endpoint on which the API call was made."},{"name":"AwsEventId","type":"string","description":"GUID generated by CloudTrail to uniquely identify each event. You can use this value to identify a single event."},{"name":"EventVersion","type":"string","description":"The version of the log event format."},{"name":"EventSource","type":"string","description":"The service that the request was made to. This name is typically a short form of the service name without spaces plus .amazonaws.com."},{"name":"EventTypeName","type":"string","description":"Identifies the type of event that generated the event record. This can be one of the following values: AwsApiCall, AwsServiceEvent, AwsConsoleAction, AwsConsoleSignIn."},{"name":"EventName","type":"string","description":"The requested action, which is one of the actions in the API for that service."},{"name":"UserIdentityType","type":"string","description":"The type of the identity. 
The following values are possible: Root, IAMUser, AssumedRole, FederatedUser, Directory, AWSAccount, AWSService, Unknown."},{"name":"UserIdentityPrincipalid","type":"string","description":"A unique identifier for the entity that made the call."},{"name":"UserIdentityArn","type":"string","description":"The Amazon Resource Name (ARN) of the principal that made the call."},{"name":"UserIdentityAccountId","type":"string","description":"The account that owns the entity that granted permissions for the request."},{"name":"UserIdentityInvokedBy","type":"string","description":"The name of the AWS service that made the request."},{"name":"UserIdentityAccessKeyId","type":"string","description":"The access key ID that was used to sign the request."},{"name":"UserIdentityUserName","type":"string","description":"The name of the identity that made the call."},{"name":"SessionMfaAuthenticated","type":"bool","description":"The value is true if the root user or IAM user whose credentials were used for the request also was authenticated with an MFA device; otherwise, false."},{"name":"SessionCreationDate","type":"datetime","description":"The date and time when the temporary security credentials were issued."},{"name":"SessionIssuerType","type":"string","description":"The source of the temporary security credentials, such as Root, IAMUser, or Role."},{"name":"SessionIssuerPrincipalId","type":"string","description":" The internal ID of the entity that was used to get credentials."},{"name":"SessionIssuerArn","type":"string","description":"The ARN of the source (account, IAM user, or role) that was used to get temporary security credentials."},{"name":"SessionIssuerAccountId","type":"string","description":"The account that owns the entity that was used to get credentials."},{"name":"SessionIssuerUserName","type":"string","description":"The friendly name of the user or role that issued the session."},{"name":"AWSRegion","type":"string","description":"The AWS region that the request was 
made to."},{"name":"SourceIpAddress","type":"string","description":"The IP address that the request was made from. For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server. For services in AWS, only the DNS name is displayed."},{"name":"UserAgent","type":"string","description":"The agent through which the request was made, such as the AWS Management Console, an AWS service, the AWS SDKs or the AWS CLI."},{"name":"ErrorCode","type":"string","description":"The AWS service error if the request returns an error."},{"name":"ErrorMessage","type":"string","description":"The error description when available. This message includes messages for authorization failures. CloudTrail captures the message logged by the service in its exception handling."},{"name":"RequestParameters","type":"string","description":"The parameters, if any, that were sent with the request. These parameters are documented in the API reference documentation for the appropriate AWS service."},{"name":"ResponseElements","type":"string","description":"The response element for actions that make changes (create, update, or delete actions). If an action does not change state (for example, a request to get or list objects), this element is omitted."},{"name":"AdditionalEventData","type":"string","description":"Additional data about the event that was not part of the request or response."},{"name":"AwsRequestId","type":"string","description":"deprecated, please use AwsRequestId_ instead."},{"name":"AwsRequestId_","type":"string","description":"The value that identifies the request. 
The service being called generates this value."},{"name":"Resources","type":"string","description":"A list of resources accessed in the event."},{"name":"APIVersion","type":"string","description":"Identifies the API version associated with the AwsApiCall eventType value."},{"name":"ReadOnly","type":"bool","description":"Identifies whether this operation is a read-only operation."},{"name":"RecipientAccountId","type":"string","description":"Represents the account ID that received this event. The recipientAccountID may be different from the CloudTrail userIdentity Element accountId. This can occur in cross-account resource access."},{"name":"ServiceEventDetails","type":"string","description":"Identifies the service event, including what triggered the event and the result."},{"name":"SharedEventId","type":"string","description":"GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts."},{"name":"VpcEndpointId","type":"string","description":"Identifies the VPC endpoint in which requests were made from a VPC to another AWS service."},{"name":"ManagementEvent","type":"bool","description":"A Boolean value that identifies whether the event is a management event."},{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string","description":"Constant value: AWSCloudTrail."},{"name":"OperationName","type":"string","description":"Constant value: CloudTrail."},{"name":"Category","type":"string","description":"Shows the event category that is used in LookupEvents calls."},{"name":"EC2RoleDelivery","type":"string","description":"The friendly name of the user or role that issued the session."},{"name":"TlsVersion","type":"string","description":"Optional. Part of tlsDetails. The TLS version of a request."},{"name":"CipherSuite","type":"string","description":"Optional. Part of tlsDetails. 
The cipher suite (combination of security algorithms used) of a request."},{"name":"ClientProvidedHostHeader","type":"string","description":"Optional. Part of tlsDetails. The client-provided host name used in the service API call, which is typically the FQDN of the service endpoint."},{"name":"IpProtocol","type":"string","description":"The IP protocol is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. The IP protocol name or number. The valid values are tcp, udp, icmp, or a protocol number."},{"name":"SourcePort","type":"string","description":"The SourcePort is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. The start of port range for the TCP and UDP protocols, or an ICMP type number."},{"name":"DestinationPort","type":"string","description":"The DestinationPort is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. The end of port range for the TCP and UDP protocols, or an ICMP code."},{"name":"CidrIp","type":"string","description":"The CIDR IP is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. 
The IPv4 CIDR range."},{"name":"UserIdentityUserId","type":"string","description":"Unique internal AWS identifier of the IAM entity (user, role, or federated identity) that performed the action."},{"name":"UserIdentityStoreArn","type":"string","description":"ARN of the identity store (e.g., IAM Identity Center/SSO directory) from which the user identity originates."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["affffc71-5531-497d-ae2b-6d536ae12784"]}},{"id":"AWSCloudWatch","name":"AWSCloudWatch","tableType":"Microsoft","description":"The CloudWatch Logs provide performance and billing data from the AWS CloudWatch service which helps the user better understand and operate the AWS system and application.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ExtractedTime","type":"datetime","description":"The timestamp (UTC) of when the event was generated."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the event was generated and equals to 'ExtractedTime' when included in message. 
If the timestamp is missing, it is set to the ingestion time."},{"name":"Message","type":"string","description":"The data contained within logs from CloudWatch."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"AWSEKSLogs","name":"AWSEKSLogs","tableType":"Microsoft","description":"AWS EKS audit logs, which are ingested through Sentinel's connector, contain detailed information about API server requests, authentication decisions, and cluster activities from Amazon Elastic Kubernetes Service. These logs provide comprehensive security monitoring and compliance tracking for Kubernetes clusters.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the EKS audit event was generated."},{"name":"AwsAccountId","type":"string","description":"The AWS account ID where the EKS cluster is located."},{"name":"Region","type":"string","description":"The AWS region where the EKS cluster is located."},{"name":"ClusterName","type":"string","description":"The name of the EKS cluster that generated the audit event."},{"name":"Verb","type":"string","description":"The Kubernetes API verb (action) performed (e.g., get, create, update, delete)."},{"name":"User","type":"string","description":"The user or service account that performed the action."},{"name":"SourceIPs","type":"dynamic","description":"Array of source IP addresses from where the request originated."},{"name":"UserAgent","type":"string","description":"The user agent string of the client that made the request."},{"name":"ObjectRef","type":"string","description":"Reference to the Kubernetes object that was accessed 
(namespace/resource/name)."},{"name":"ResponseCode","type":"int","description":"The HTTP response status code of the API request."},{"name":"Stage","type":"string","description":"The stage of request processing when the audit event was generated (e.g., RequestReceived, ResponseComplete)."},{"name":"AuthDecision","type":"string","description":"The authorization decision made by the Kubernetes RBAC system (e.g., allow, forbid)."},{"name":"RawEvent","type":"dynamic","description":"The complete raw EKS audit event data containing additional context and metadata."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"AWSELBFlowLogs","name":"AWSELBFlowLogs","tableType":"Microsoft","description":"This connector allows you to ingest AWS Elastic Load Balancer (ALB, NLB and GLB) logs into Microsoft Sentinel. These logs contain detailed records for requests handled by your load balancers, including client IPs, latencies, request paths, and status codes. 
These logs are useful for monitoring traffic patterns, investigating anomalies, and ensuring security compliance.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the log was collected or ingested."},{"name":"Version","type":"string","description":"The version of the flow log format."},{"name":"AccountId","type":"string","description":"The AWS account ID that owns the network interface."},{"name":"InterfaceId","type":"string","description":"The ID of the network interface for which the traffic is recorded."},{"name":"SourceAddress","type":"string","description":"The source IP address of the traffic."},{"name":"DestinationAddress","type":"string","description":"The destination IP address of the traffic."},{"name":"SourcePort","type":"string","description":"The source port of the traffic."},{"name":"DestinationPort","type":"string","description":"The destination port of the traffic."},{"name":"Protocol","type":"string","description":"The IANA protocol number of the traffic (e.g., 6 for TCP, 17 for UDP)."},{"name":"Packets","type":"string","description":"The number of packets transferred during the flow."},{"name":"Bytes","type":"string","description":"The number of bytes transferred during the flow."},{"name":"SStartTime","type":"datetime","description":"The start time of the flow in Unix seconds."},{"name":"EndTime","type":"datetime","description":"The end time of the flow in Unix seconds."},{"name":"Action","type":"string","description":"Indicates whether the traffic was accepted or rejected."},{"name":"LogStatus","type":"string","description":"Indicates the logging status (e.g., OK, NODATA, SKIPDATA)."},{"name":"LogType","type":"string","description":"Type of the log (e.g., VPCFlowLog, TransitGatewayFlowLog)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name 
of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["SecurityInsights"]}},{"id":"AWSGuardDuty","name":"AWSGuardDuty","tableType":"Microsoft","description":"GuardDuty findings, which are ingested through Sentinel's connector, represent a potential security issue detected within your network. GuardDuty generates a finding whenever it detects unexpected and potentially malicious activity in your AWS environment.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was generated; the last time this finding was updated with new activity matching the pattern that prompted GuardDuty to generate this finding."},{"name":"SchemaVersion","type":"string","description":"The Guard Duty finding version."},{"name":"AccountId","type":"string","description":"The AWS account ID of the owner of the source network interface for which traffic is recorded. If the network interface is created by an AWS service, for example when creating a VPC endpoint or Network Load Balancer, the record may display unknown for this field."},{"name":"Region","type":"string","description":"The AWS region in which the finding was generated."},{"name":"Partition","type":"string","description":"The AWS partition in which the finding was generated."},{"name":"Id","type":"string","description":"A unique Finding ID for this finding type and set of parameters. 
New occurrences of activity matching this pattern will be aggregated to the same ID."},{"name":"Arn","type":"string","description":"Amazon resource name of the finding."},{"name":"ActivityType","type":"string","description":"A formatted string representing the type of activity that triggered the finding."},{"name":"ResourceDetails","type":"dynamic","description":"Gives details on the AWS resource that was targeted by the trigger activity. The information available varies based on resource type and action type."},{"name":"ServiceDetails","type":"dynamic","description":"Gives details on the AWS service that was related to the finding, including Action, Actor/Target, Evidence, Anomalous behavior and Additional information."},{"name":"Severity","type":"int","description":"A finding's assigned severity level of either High, Medium, or Low."},{"name":"TimeCreated","type":"datetime","description":"The time and date when this finding was first created. If this value differs from Updated at (TimeGenerated), it indicates that the activity has occurred multiple times and is an ongoing issue."},{"name":"Title","type":"string","description":"Summary of the primary purpose of the threat or attack related to the finding."},{"name":"Description","type":"string","description":"Description of the primary purpose of the threat or attack related to the finding."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["44640527-2945-467a-a5db-fcaf8b11f1b1"]}},{"id":"AWSNLBAccessLogs","name":"AWSNLBAccessLogs","tableType":"Microsoft","description":"This connector allows you to ingest AWS Elastic Load Balancer (ALB, NLB and GLB) logs into Microsoft Sentinel. 
These logs contain detailed records for requests handled by your load balancers, including client IPs, latencies, request paths, and status codes. These logs are useful for monitoring traffic patterns, investigating anomalies, and ensuring security compliance.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the log entry was generated."},{"name":"NLBType","type":"string","description":"Type of Network Load Balancer (e.g., 'gateway', 'application')."},{"name":"Version","type":"string","description":"Version of the NLB log format."},{"name":"Nlb","type":"string","description":"Identifier or name of the Network Load Balancer."},{"name":"Listener","type":"string","description":"Listener configuration used for the connection (protocol and port)."},{"name":"ClientIPPort","type":"string","description":"IP address and port of the client initiating the request."},{"name":"TargetIPPort","type":"string","description":"IP address and port of the target receiving the request."},{"name":"ConnectionTime","type":"string","description":"Duration of the connection in milliseconds."},{"name":"TlsHandshakeTime","type":"string","description":"Time taken to complete the TLS handshake in milliseconds."},{"name":"ReceivedBytes","type":"string","description":"Number of bytes received from the client."},{"name":"SentBytes","type":"string","description":"Number of bytes sent to the client."},{"name":"IncomingTLSAlert","type":"string","description":"Details of any incoming TLS alert message."},{"name":"ChosenCertArn","type":"string","description":"ARN of the TLS certificate selected during the handshake."},{"name":"ChosenCertSerial","type":"string","description":"Serial number of the TLS certificate used in the connection."},{"name":"TLSCipher","type":"string","description":"Cipher suite used for the TLS 
connection."},{"name":"TLSProtocolVersion","type":"string","description":"Version of the TLS protocol used (e.g., TLS 1.2, TLS 1.3)."},{"name":"TLSNamedGroup","type":"string","description":"Elliptic curve or Diffie-Hellman group used in the handshake."},{"name":"DomainName","type":"string","description":"Domain name requested by the client via SNI (Server Name Indication)."},{"name":"ALPNFEProtocol","type":"string","description":"Application-layer protocol negotiated on the frontend (e.g., HTTP/1.1, h2)."},{"name":"ALPNBEProtocol","type":"string","description":"Application-layer protocol negotiated on the backend."},{"name":"ALPNClientPrefList","type":"string","description":"List of application protocols preferred by the client during ALPN."},{"name":"TLSConnectionCreationTime","type":"string","description":"Time taken to establish the complete TLS connection, including handshake."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"AWSNetworkFirewallAlert","name":"AWSNetworkFirewallAlert","tableType":"Microsoft","description":"The AWS Platform Firewall Alert logs, ingested through Sentinel's connector, enable real-time analysis and correlation with other security data sources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the log entry was created in AWS Network Firewall."},{"name":"FirewallName","type":"string","description":"The name of the AWS Network Firewall instance generating the log."},{"name":"AvailabilityZone","type":"string","description":"The AWS Availability Zone where the firewall instance is located."},{"name":"TxId","type":"string","description":"The transaction ID associated 
with the specific network flow."},{"name":"EventTimestamp","type":"datetime","description":"The epoch timestamp of when the event occurred."},{"name":"AppProto","type":"string","description":"The application layer protocol detected."},{"name":"SrcIp","type":"string","description":"The source IP address of the packet that triggered the event."},{"name":"SrcPort","type":"string","description":"The source port from which the packet originated."},{"name":"EventType","type":"string","description":"The type of event recorded (e.g., alert, flow, drop, pass)."},{"name":"Severity","type":"string","description":"The severity level of the event, typically based on Suricata rule classifications."},{"name":"SignatureId","type":"string","description":"The unique identifier of the Suricata rule that matched the event."},{"name":"Rev","type":"string","description":"The revision number of the matched Suricata rule."},{"name":"Signature","type":"string","description":"The name or description of the Suricata rule that triggered the alert."},{"name":"AlertAction","type":"string","description":"The action taken when an alert was triggered (e.g., allowed, dropped, rejected)."},{"name":"Category","type":"string","description":"The category of the detected threat or network activity."},{"name":"FlowId","type":"string","description":"A unique identifier for the network flow related to this event."},{"name":"DestIp","type":"string","description":"The destination IP address of the packet."},{"name":"Proto","type":"string","description":"The protocol used (e.g., TCP, UDP, ICMP)."},{"name":"VerdictAction","type":"string","description":"The final decision made by the firewall (e.g., pass, drop, alert)."},{"name":"Sni","type":"string","description":"The Server Name Indication (SNI) from TLS traffic."},{"name":"Version","type":"string","description":"The version of the log schema or Suricata rule format used."},{"name":"DestPort","type":"string","description":"The destination port to which the packet was 
sent."},{"name":"PktSrc","type":"string","description":"The source of the packet (e.g., internal, external, firewall rule)."},{"name":"Direction","type":"string","description":"The direction of the traffic (e.g., inbound, outbound)."},{"name":"Timestamp","type":"datetime","description":"The exact timestamp when the event was captured."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"AWSNetworkFirewallFlow","name":"AWSNetworkFirewallFlow","tableType":"Microsoft","description":"The AWS Platform Firewall Flow logs, ingested through Sentinel's connector, enable real-time analysis and correlation with other security data sources like detection alerts, firewall events, network traffic logs, and more.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the log entry was created in AWS Network Firewall."},{"name":"FirewallName","type":"string","description":"The name of the AWS Network Firewall instance generating the log."},{"name":"AvailabilityZone","type":"string","description":"The AWS Availability Zone where the firewall instance is located."},{"name":"EventTimestamp","type":"string","description":"The epoch timestamp of when the event occurred."},{"name":"TCPFlags","type":"string","description":"The TCP flags observed in the packet."},{"name":"Syn","type":"bool","description":"Indicates whether the SYN flag is set in the TCP packet (true/false)."},{"name":"Fin","type":"bool","description":"Indicates whether the FIN flag is set in the TCP packet (true/false)."},{"name":"Psh","type":"bool","description":"Indicates whether the PSH flag is set in the TCP packet 
(true/false)."},{"name":"Ack","type":"bool","description":"Indicates whether the ACK flag is set in the TCP packet (true/false)."},{"name":"Ecn","type":"bool","description":"Indicates whether the ECN flag is set in the TCP packet (true/false)."},{"name":"Rst","type":"bool","description":"Indicates whether the RST flag is set in the TCP packet (true/false)."},{"name":"AppProto","type":"string","description":"The application layer protocol detected (e.g., HTTP, HTTPS, DNS)."},{"name":"SrcIp","type":"string","description":"The source IP address of the packet that triggered the event."},{"name":"SrcPort","type":"string","description":"The source port from which the packet originated."},{"name":"NetFlowPkts","type":"string","description":"The number of packets in the network flow."},{"name":"NetFlowBytes","type":"string","description":"The total number of bytes transferred in the network flow."},{"name":"NetFlowStart","type":"datetime","description":"The timestamp when the network flow started."},{"name":"NetFlowEnd","type":"datetime","description":"The timestamp when the network flow ended."},{"name":"NetFlowAge","type":"string","description":"The duration of the network flow in seconds."},{"name":"NetFlowMinttl","type":"string","description":"The minimum Time-to-Live (TTL) observed in the network flow."},{"name":"NetFlowMaxttl","type":"string","description":"The maximum Time-to-Live (TTL) observed in the network flow."},{"name":"EventType","type":"string","description":"The type of event recorded (e.g., flow, alert, drop, pass)."},{"name":"FlowId","type":"string","description":"A unique identifier for the network flow related to this event."},{"name":"DestIp","type":"string","description":"The destination IP address of the packet."},{"name":"Proto","type":"string","description":"The protocol used (e.g., TCP, UDP, ICMP)."},{"name":"DestPort","type":"string","description":"The destination port to which the packet was 
sent."},{"name":"Timestamp","type":"datetime","description":"The exact timestamp when the event was captured."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"AWSNetworkFirewallTls","name":"AWSNetworkFirewallTls","tableType":"Microsoft","description":"The AWS Platform Firewall TLS logs, ingested through Sentinel's connector, enable real-time analysis and correlation with other security data sources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the log entry was created in AWS Network Firewall."},{"name":"FirewallName","type":"string","description":"The name of the AWS Network Firewall instance generating the log."},{"name":"AvailabilityZone","type":"string","description":"The AWS Availability Zone where the firewall instance is located."},{"name":"EventTimestamp","type":"datetime","description":"The epoch timestamp of when the event occurred."},{"name":"SrcIp","type":"string","description":"The source IP address of the packet that triggered the event."},{"name":"SrcPort","type":"string","description":"The source port from which the packet originated."},{"name":"DestIp","type":"string","description":"The destination IP address of the packet."},{"name":"DestPort","type":"string","description":"The destination port to which the packet was sent."},{"name":"Sni","type":"string","description":"The Server Name Indication (SNI) from TLS traffic."},{"name":"LeafCertificateFingerprint","type":"string","description":"The SHA-256 fingerprint of the leaf certificate observed in the TLS handshake."},{"name":"Status","type":"string","description":"The status of the TLS inspection event (e.g., success, 
failure)."},{"name":"Action","type":"string","description":"The action taken by the firewall (e.g., allowed, dropped, inspected)."},{"name":"ErrorMessage","type":"string","description":"Any error message associated with the event, if applicable."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"AWSRoute53Resolver","name":"AWSRoute53Resolver","tableType":"Microsoft","description":"This connector enables ingestion of AWS Route 53 DNS logs into Microsoft Sentinel for enhanced visibility and threat detection. It supports DNS Resolver query logs ingested directly from AWS S3 buckets, while Public DNS query logs and Route 53 audit logs can be ingested using Microsoft Sentinel's AWS CloudWatch and CloudTrail connectors. Comprehensive instructions are provided to guide you through the setup of each log type. Leverage this connector to monitor DNS activity, detect potential threats, and improve your security posture in cloud environments.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"Version","type":"string","description":"Version of the log format."},{"name":"AccountId","type":"string","description":"The AWS account ID that owns the VPC which sent the query."},{"name":"LogType","type":"string","description":"Indicates the type of DNS log (e.g. 
ResolverQueryLogs)."},{"name":"Region","type":"string","description":"AWS region where the log was generated."},{"name":"VpcId","type":"string","description":"The ID of the VPC where the DNS query originated."},{"name":"TimeGenerated","type":"datetime","description":"The time the DNS query was received by Route 53 Resolver."},{"name":"QueryName","type":"string","description":"The domain name that was queried."},{"name":"QueryType","type":"string","description":"The DNS record type requested (e.g. A, AAAA, MX)."},{"name":"QueryClass","type":"string","description":"The DNS query class. Usually IN (Internet)."},{"name":"Rcode","type":"string","description":"Textual DNS response code (e.g. NOERROR, NXDOMAIN)."},{"name":"Answers","type":"dynamic","description":"Array of DNS response records, including resolved IP addresses and other query-related information."},{"name":"SrcAddr","type":"string","description":"The source IP address of the instance that made the query."},{"name":"SrcPort","type":"string","description":"The source port on the instance that made the query."},{"name":"Transport","type":"string","description":"The protocol used to send the query (e.g. 
UDP, TCP, TLS)."},{"name":"SrcIds","type":"dynamic","description":"Identifiers related to the source instance where the DNS query originated from or passed through."},{"name":"FirewallRuleAction","type":"string","description":"Rule action from the matching firewall rule."},{"name":"FirewallRuleGroupId","type":"string","description":"ID of the firewall rule group that applied to the query."},{"name":"FirewallDomainListId","type":"string","description":"ID of the domain list that matched the query domain."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"AWSS3ServerAccess","name":"AWSS3ServerAccess","tableType":"Microsoft","description":"This stack integrates Microsoft Sentinel by creating an IAM role with minimal permissions for accessing S3 server access logs stored in a specified S3 bucket and sending log events to an SQS queue.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time the AWS Server Access log was received by the S3 bucket, in UTC."},{"name":"BucketOwner","type":"string","description":"The canonical user ID of the owner of the source bucket (another form of AWS account ID)."},{"name":"Bucket","type":"string","description":"The name of the S3 bucket against which the request was processed."},{"name":"RemoteIp","type":"string","description":"The apparent IP address of the requester (may be obscured by proxies or firewalls)."},{"name":"Requester","type":"string","description":"The canonical user ID, IAM user, or assumed role making the request, or '-' for unauthenticated."},{"name":"RequestId","type":"string","description":"A unique string ID generated by Amazon S3 to identify the 
request."},{"name":"Operation","type":"string","description":"The operation type (e.g., REST.PUT.OBJECT, S3.LIFECYCLETRANSITION.OBJECT)."},{"name":"Key","type":"string","description":"The object key (name) involved in the request."},{"name":"RequestUri","type":"string","description":"The URI part of the HTTP request."},{"name":"HttpStatus","type":"int","description":"The HTTP status code returned in the response."},{"name":"ErrorCode","type":"string","description":"The S3 error code returned in the response, or '-' if none."},{"name":"BytesSent","type":"int","description":"Number of response bytes sent, excluding HTTP overhead, or 0."},{"name":"ObjectSize","type":"int","description":"The size of the object in bytes."},{"name":"TotalTime","type":"int","description":"The total time in milliseconds the request was in flight (from receipt to last response byte sent)."},{"name":"TurnAroundTime","type":"string","description":"The time in milliseconds S3 spent processing the request (from last request byte to first response byte)."},{"name":"Referer","type":"string","description":"The value of the HTTP Referer header (linking page URL), if present."},{"name":"UserAgent","type":"string","description":"The value of the HTTP User-Agent header (e.g., client software or browser)."},{"name":"VersionId","type":"string","description":"The version ID of the object involved in the request, or '-' if not applicable."},{"name":"HostId","type":"string","description":"Amazon S3 extended request ID (x-amz-id-2)."},{"name":"SignatureVersion","type":"string","description":"The signature version (SigV2 or SigV4) used to authenticate the request, or '-' for unauthenticated."},{"name":"CipherSuite","type":"string","description":"The TLS cipher suite negotiated for HTTPS, or '-' for HTTP."},{"name":"AuthenticationType","type":"string","description":"The authentication type used: AuthHeader, QueryString, or '-' for unauthenticated 
requests."},{"name":"HostHeader","type":"string","description":"The endpoint (host header) used to connect to S3 (e.g., s3.us-west-2.amazonaws.com)."},{"name":"TLSVersion","type":"string","description":"The TLS version used by the client (e.g., TLSv1.2), or '-' if TLS wasn't used."},{"name":"AccessPointARN","type":"string","description":"The Amazon Resource Name (ARN) of the S3 access point used for the request, or '-' if not used."},{"name":"ACLRequired","type":"string","description":"Indicates if an ACL was required for the request: 'Yes' if required, '-' otherwise."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"AWSSecurityHubFindings","name":"AWSSecurityHubFindings","tableType":"Microsoft","description":"AWS Security Hub Findings, which are collected in AWS S3 buckets, are ingested into Microsoft Sentinel. 
AWS Security Hub Finding is a detailed record of a security check or security-related detection, which can originate from various sources like enabled controls, integrations with other AWS services, third-party products, or custom integrations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the event was generated."},{"name":"AwsRegion","type":"string","description":"The AWS region where the event occurred."},{"name":"AwsAccountId","type":"string","description":"The AWS account ID associated with the event."},{"name":"ComplianceStatus","type":"string","description":"The compliance status of the resource (e.g., COMPLIANT, NON_COMPLIANT)."},{"name":"ComplianceStatusReasons","type":"dynamic","description":"The reasons for the compliance status."},{"name":"ComplianceSecurityControlId","type":"string","description":"The ID of the security control related to compliance."},{"name":"ComplianceSecurityControlParameters","type":"dynamic","description":"Parameters associated with the security control."},{"name":"ComplianceRelatedRequirements","type":"dynamic","description":"The related compliance requirements."},{"name":"ComplianceAssociatedStandards","type":"dynamic","description":"The compliance standards associated with the resource."},{"name":"AwsSecurityFindingTitle","type":"string","description":"The title of the AWS security finding."},{"name":"AwsSecurityFindingId","type":"string","description":"The unique identifier for the AWS security finding."},{"name":"AwsSecurityFindingDescription","type":"string","description":"A detailed description of the AWS security finding."},{"name":"AwsSecurityFindingTypes","type":"dynamic","description":"The types or categories of the AWS security finding."},{"name":"AwsSecurityFindingCreatedAt","type":"datetime","description":"The timestamp when the security finding was 
created."},{"name":"AwsSecurityFindingFirstObservedAt","type":"datetime","description":"The timestamp when the security finding was first observed."},{"name":"AwsSecurityFindingUpdatedAt","type":"datetime","description":"The timestamp when the security finding was last updated."},{"name":"AwsSecurityFindingLastObservedAt","type":"datetime","description":"The timestamp when the security finding was last observed."},{"name":"AwsSecurityFindingProcessedAt","type":"datetime","description":"The timestamp when the security finding was processed."},{"name":"AwsSecurityFindingGeneratorId","type":"string","description":"The ID of the generator that created the security finding."},{"name":"AwsSecurityFindingProductArn","type":"string","description":"The Amazon Resource Name (ARN) of the product that generated the finding."},{"name":"AwsSecurityFindingProductName","type":"string","description":"The name of the product that generated the finding."},{"name":"AwsSecurityFindingProductFields","type":"dynamic","description":"Additional fields provided by the product that generated the finding."},{"name":"AwsSecurityFindingSeverity","type":"dynamic","description":"The severity level of the security finding."},{"name":"Remediation","type":"dynamic","description":"Details about how to remediate the security finding."},{"name":"SchemaVersion","type":"string","description":"The version of the schema used for the finding."},{"name":"Resources","type":"dynamic","description":"The resources associated with the security finding."},{"name":"RecordState","type":"string","description":"The state of the record (e.g., ACTIVE, ARCHIVED)."},{"name":"WorkflowState","type":"string","description":"The workflow state of the finding (e.g., NEW, RESOLVED)."},{"name":"RawData","type":"dynamic","description":"The raw data associated with the finding."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"AWSVPCFlow","name":"AWSVPCFlow","tableType":"Microsoft","description":"VPC Flow Logs, which are ingested through Sentinel's connector, enable you to capture IP traffic going to and from your AWS VPC network interfaces.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was generated. This value will be the same as the 'start' input field, or the data arrival time to Azure Monitor in case the 'start' input field is empty or missing."},{"name":"Version","type":"int","description":"The VPC Flow Logs version."},{"name":"AccountId","type":"string","description":"The AWS account ID of the owner of the source network interface for which traffic is recorded. If the network interface is created by an AWS service, for example when creating a VPC endpoint or Network Load Balancer, the record may display unknown for this field."},{"name":"InterfaceId","type":"string","description":"The ID of the network interface for which the traffic is recorded."},{"name":"SrcAddr","type":"string","description":"The source address for incoming traffic."},{"name":"DstAddr","type":"string","description":"The destination address for outgoing traffic."},{"name":"SrcPort","type":"int","description":"The source port of the traffic."},{"name":"DstPort","type":"int","description":"The destination port of the traffic."},{"name":"Protocol","type":"int","description":"The IANA protocol number of the traffic."},{"name":"Packets","type":"int","description":"The number of packets transferred during the flow."},{"name":"Bytes","type":"long","description":"The number of bytes transferred during the flow."},{"name":"End","type":"datetime","description":"The time when the last packet 
of the flow was received within the aggregation interval."},{"name":"Action","type":"string","description":"The action that is associated with the traffic."},{"name":"LogStatus","type":"string","description":"The logging status of the flow log."},{"name":"VpcId","type":"string","description":"The ID of the VPC."},{"name":"SubnetId","type":"string","description":"The ID of the subnet."},{"name":"InstanceId","type":"string","description":"The ID of the instance that's associated with network interface for which the traffic is recorded."},{"name":"TcpFlags","type":"int","description":"The bitmask value for the following TCP flags."},{"name":"TrafficType","type":"string","description":"The type of traffic. The possible values are: IPv4, IPv6, and EFA. For more information search for 'Elastic Fabric Adapter (EFA)'."},{"name":"PktSrcAddr","type":"string","description":"The packet-level (original) source IP address of the traffic."},{"name":"PktDstAddr","type":"string","description":"The packet-level (original) destination IP address for the traffic."},{"name":"Region","type":"string","description":"The Region that contains the network interface for which traffic is recorded."},{"name":"AzId","type":"string","description":"The ID of the Availability Zone."},{"name":"SublocationType","type":"string","description":"The type of sublocation that is returned in the sublocationId field."},{"name":"SublocationId","type":"string","description":"The ID of the sublocation that contains the network interface for which traffic is recorded."},{"name":"PktSrcAwsService","type":"string","description":"The name of the subset of IP address ranges for the PktSrcAddr field, if the source IP address is for an AWS service."},{"name":"PktDstAwsService","type":"string","description":"The name of the subset of IP address ranges for the PktDstAddr field, if the destination IP address is for an AWS service."},{"name":"FlowDirection","type":"string","description":"The direction of the flow with 
respect to the interface where traffic is captured."},{"name":"TrafficPath","type":"string","description":"The path that egress traffic takes to the destination."},{"name":"Start","type":"datetime","description":"The time when the first packet of the flow was received within the aggregation interval."},{"name":"EcsClusterArn","type":"string","description":"Optional. Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result."},{"name":"EcsClusterName","type":"string","description":"Optional. Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result."},{"name":"EcsContainerInstanceArn","type":"string","description":"Optional. Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result."},{"name":"EcsContainerInstanceId","type":"string","description":"Optional. Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result."},{"name":"EcsContainerId","type":"string","description":"Optional. Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result."},{"name":"EcsSecondContainerId","type":"string","description":"Optional. Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result."},{"name":"EcsServiceName","type":"string","description":"Optional. Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result."},{"name":"EcsTaskDefinitionArn","type":"string","description":"Optional. 
Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result."},{"name":"EcsTaskArn","type":"string","description":"Optional. Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result."},{"name":"EcsTaskId","type":"string","description":"Optional. Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["8d9fc68f-84a8-4186-9675-952013133dc9"]}},{"id":"AWSWAF","name":"AWSWAF","tableType":"Microsoft","description":"AWS WAF logs, collected in AWS S3 buckets, to Microsoft Sentinel. 
AWS WAF logs are detailed records of traffic that web access control lists (ACLs) analyze, which are essential for maintaining the security and performance of web applications.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"Action","type":"string","description":"The terminating action taken by AWS WAF (ALLOW, BLOCK, CAPTCHA, or Challenge)."},{"name":"Args","type":"string","description":"The query string parameters of the request."},{"name":"CaptchaResponse","type":"dynamic","description":"Status of the CAPTCHA action for the request."},{"name":"ChallengeResponse","type":"dynamic","description":"Status of the security challenge for the request."},{"name":"ClientIp","type":"string","description":"IP address of the client making the request."},{"name":"Country","type":"string","description":"Country of origin for the request."},{"name":"ExcludedRules","type":"dynamic","description":"Rules excluded from evaluation in the rule group."},{"name":"FormatVersion","type":"string","description":"Version of the AWS WAF log format."},{"name":"Headers","type":"dynamic","description":"Headers included in the HTTP request."},{"name":"HttpMethod","type":"string","description":"The HTTP method (GET, POST, etc.) 
of the request."},{"name":"HttpRequest","type":"dynamic","description":"Metadata about the HTTP request."},{"name":"HttpSourceId","type":"string","description":"ID of the associated resource (e.g., CloudFront distribution, Load Balancer)."},{"name":"HttpSourceName","type":"string","description":"Source of the request (e.g., CF, APIGW, ALB)."},{"name":"HttpVersion","type":"string","description":"HTTP version used in the request."},{"name":"Ja3Fingerprint","type":"string","description":"JA3 fingerprint of the TLS Client Hello."},{"name":"Labels","type":"dynamic","description":"Labels applied to the request by rules."},{"name":"NonTerminatingMatchingRules","type":"dynamic","description":"List of rules that matched but didn't terminate the request."},{"name":"OversizeFields","type":"dynamic","description":"Fields in the request that exceeded AWS WAF inspection limits."},{"name":"RateBasedRuleList","type":"dynamic","description":"List of rate-based rules applied to the request."},{"name":"RequestHeadersInserted","type":"dynamic","description":"Headers inserted for custom request handling."},{"name":"RequestId","type":"string","description":"Request ID for the network request."},{"name":"ResponseCodeSent","type":"int","description":"HTTP response code sent to the client."},{"name":"RuleGroupId","type":"string","description":"ID of the rule group that matched."},{"name":"RuleGroupList","type":"dynamic","description":"List of rule groups that acted on the request."},{"name":"TerminatingRule","type":"dynamic","description":"The rule that terminated the request. 
If this is present, it contains action, ruleId and ruleMatchDetails; any additional information provided for each rule varies according to factors such as the rule configuration, rule match type, and details of the match."},{"name":"TerminatingRuleId","type":"string","description":"ID of the network rule that matched."},{"name":"TerminatingRuleMatchDetails","type":"dynamic","description":"Details of the rule that terminated the request."},{"name":"TerminatingRuleType","type":"string","description":"Type of rule that terminated the request."},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the log was processed."},{"name":"Uri","type":"string","description":"The URI of the request."},{"name":"WebAclId","type":"string","description":"The GUID of the web ACL applied to the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"AZFWApplicationRule","name":"AZFWApplicationRule","tableType":"Microsoft","description":"Contains all Application rule log data. Each match between data plane and Application rule creates a log entry with the data plane packet and the matched rule's attributes.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the data plane log was created."},{"name":"Protocol","type":"string","description":"Request's network protocol. 
For example: HTTP, HTTPS."},{"name":"SourceIp","type":"string","description":"Request's source IP address."},{"name":"SourcePort","type":"int","description":"Request's source port."},{"name":"DestinationPort","type":"int","description":"Request's destination port."},{"name":"Fqdn","type":"string","description":"Request's target address in FQDN (Fully qualified Domain Name). For example: www.microsoft.com."},{"name":"TargetUrl","type":"string","description":"Request's target address URL. Available only for HTTP or TLS-inspected HTTPS requests. For example: https://www.microsoft.com/en-us/about."},{"name":"Action","type":"string","description":"Action taken by the firewall following the Application rule hit."},{"name":"Policy","type":"string","description":"Name of the policy in which the triggered rule resides."},{"name":"RuleCollectionGroup","type":"string","description":"Name of the rule collection group in which the triggered rule resides."},{"name":"RuleCollection","type":"string","description":"Name of the rule collection in which the triggered rule resides."},{"name":"Rule","type":"string","description":"Name of the triggered rule."},{"name":"ActionReason","type":"string","description":"When no rule is triggered for a request, this field contains the reason for the action performed by the firewall. For example: a packet dropped because no rule matched will show `Default Action`."},{"name":"IsTlsInspected","type":"bool","description":"True if the connection is TLS inspected. False otherwise."},{"name":"WebCategory","type":"string","description":"Web Category identified for the requested FQDN (Azure Firewall Standard) or URL (Azure Firewall Premium). If a web category is not available for this request, the field is empty."},{"name":"IsExplicitProxyRequest","type":"bool","description":"True if the request is received on an explicit proxy port. 
False otherwise."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"solutions":["LogManagement"],"queries":["8146e954-5df5-4eaa-afe6-1cef6c1583cb","4d2fd56b-a0d4-42e1-8d0d-31e60f2e005b"]}},{"id":"AZFWApplicationRuleAggregation","name":"AZFWApplicationRuleAggregation","tableType":"Microsoft","description":"Contains aggregated Application rule log data for Policy Analytics.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the data plane log was created."},{"name":"Protocol","type":"string","description":"Request's network protocol. For example: HTTP/HTTPS."},{"name":"SourceIp","type":"string","description":"Request's source IP address."},{"name":"DestinationPort","type":"int","description":"Request's destination port."},{"name":"Fqdn","type":"string","description":"Request's target address in FQDN (Fully qualified Domain Name). For example: www.microsoft.com."},{"name":"TargetUrl","type":"string","description":"Request's target address URL. Available only for HTTP or TLS-inspected HTTPS requests. 
For example: https://www.microsoft.com/en-us/about."},{"name":"Action","type":"string","description":"Action taken by the firewall following the Application rule hit."},{"name":"Policy","type":"string","description":"Name of the policy in which the triggered rule resides."},{"name":"RuleCollectionGroup","type":"string","description":"Name of the rule collection group in which the triggered rule resides."},{"name":"RuleCollection","type":"string","description":"Name of the rule collection in which the triggered rule resides."},{"name":"Rule","type":"string","description":"Name of the triggered rule."},{"name":"ActionReason","type":"string","description":"When no rule is triggered for a packet, this field contains the reason for the action performed by the firewall."},{"name":"ApplicationRuleCount","type":"int","description":"Aggregated count of Application rule."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"solutions":["LogManagement"]}},{"id":"AZFWDnsFlowTrace","name":"AZFWDnsFlowTrace","tableType":"Microsoft","description":"Contains all the DNS proxy data between the client, firewall, and DNS server.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the data plane log was created."},{"name":"MsgType","type":"string","description":"Shows whether the DNS message is a query or response, and whether it's from the client 
or forwarded by the firewall."},{"name":"QueryTime","type":"datetime","description":"Timestamp (UTC) when the DNS query was initiated."},{"name":"ResponseTime","type":"datetime","description":"Timestamp (UTC) when the DNS response was received."},{"name":"SocketFamily","type":"string","description":"Internet protocol family for the DNS query."},{"name":"Protocol","type":"string","description":"Internet protocol used for the DNS query (e.g., TCP, UDP)."},{"name":"SourceIp","type":"string","description":"IP address of the source that initiated the DNS query."},{"name":"ServerIp","type":"string","description":"IP address of the DNS server that responded."},{"name":"SourcePort","type":"int","description":"Source port from which the DNS query was sent."},{"name":"ServerPort","type":"int","description":"Port on the DNS server that responded to the query."},{"name":"QueryMessage","type":"string","description":"Details of the DNS query, including the FQDN or URL."},{"name":"ServerMessage","type":"string","description":"Details of the DNS response received from the upstream DNS server."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"solutions":["LogManagement"]}},{"id":"AZFWDnsQuery","name":"AZFWDnsQuery","tableType":"Microsoft","description":"Contains all DNS Proxy events log data.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) 
when the data plane log was created."},{"name":"SourceIp","type":"string","description":"DNS query's source IP address."},{"name":"SourcePort","type":"int","description":"DNS query's source port."},{"name":"QueryId","type":"int","description":"DNS query's query ID."},{"name":"QueryType","type":"string","description":"DNS query's query type."},{"name":"QueryClass","type":"string","description":"DNS query's query class."},{"name":"QueryName","type":"string","description":"DNS query's name to resolve."},{"name":"Protocol","type":"string","description":"Protocol used to send the DNS query. For example: TCP, UDP."},{"name":"RequestSize","type":"int","description":"The size of the DNS request in bytes."},{"name":"DnssecOkBit","type":"bool","description":"A flag indicating that the resolver supports DNSSEC records."},{"name":"EDNS0BufferSize","type":"int","description":"Client's EDNS0 buffer size. Specifies the maximum packet size allowed in responses in bytes."},{"name":"ResponseCode","type":"string","description":"DNS response code."},{"name":"ResponseFlags","type":"string","description":"DNS response flags, comma separated."},{"name":"ResponseSize","type":"int","description":"DNS response size in bytes."},{"name":"RequestDurationSecs","type":"real","description":"Duration of the DNS request from the time it arrived at the firewall until a response was sent to the client."},{"name":"ErrorNumber","type":"int","description":"Error number matching the returned response code."},{"name":"ErrorMessage","type":"string","description":"Description of the error returned to the client. 
Empty if the request is successful."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"solutions":["LogManagement"],"queries":["dca5053f-af30-44dc-bfa7-089e61668991"]}},{"id":"AZFWFatFlow","name":"AZFWFatFlow","tableType":"Microsoft","description":"Contains the top flows across Azure Firewall instances. Log contains flow information, data transmission rate (in Megabits per second units) and the time period when the flows were recorded. Please follow the documentation to enable Top flow logging and for details on how it is recorded.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the data plane log was created."},{"name":"Protocol","type":"string","description":"Flow's network protocol. 
For example: UDP, TCP."},{"name":"SourceIp","type":"string","description":"Flow's source IP address."},{"name":"SourcePort","type":"int","description":"Flow's source port."},{"name":"DestinationIp","type":"string","description":"Flow's destination IP address."},{"name":"DestinationPort","type":"int","description":"Flow's destination port."},{"name":"FlowRate","type":"real","description":"Flow's bandwidth consumption rate in Megabits per second unit."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"solutions":["LogManagement"],"queries":["04205bbc-69b9-4c56-8ef6-f99814abfcba"]}},{"id":"AZFWFlowTrace","name":"AZFWFlowTrace","tableType":"Microsoft","description":"Flow logs across Azure Firewall instances. Log contains flow information, flags and the time period when the flows were recorded. Please follow the documentation to enable flow trace logging and details on how it is recorded.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the data plane log was created."},{"name":"Protocol","type":"string","description":"Flow's network protocol. 
For example: UDP, TCP."},{"name":"SourceIp","type":"string","description":"Flow's source IP address."},{"name":"SourcePort","type":"int","description":"Flow's source port."},{"name":"DestinationIp","type":"string","description":"Flow's destination IP address."},{"name":"DestinationPort","type":"int","description":"Flow's destination port."},{"name":"Action","type":"string","description":"Action taken by the firewall to log additional flow information."},{"name":"ActionReason","type":"string","description":"The reason for the action performed by the firewall. For example: when additional logging is enabled it shows `Additional TCP Log`."},{"name":"Flag","type":"string","description":"Flags set in the connection. For example: FIN, FIN-ACK, SYN-ACK, RST, INVALID."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.network/azurefirewalls"],"solutions":["LogManagement"],"queries":["616c413f-dc29-402c-851e-3b524865ce2a"]}},{"id":"AZFWIdpsSignature","name":"AZFWIdpsSignature","tableType":"Microsoft","description":"Contains all data plane packets that were matched with one or more IDPS signatures.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the data plane log was created."},{"name":"Protocol","type":"string","description":"Packet's network protocol. 
For example: UDP, TCP."},{"name":"SourceIp","type":"string","description":"Packet's source IP address."},{"name":"SourcePort","type":"int","description":"Packet's source port."},{"name":"DestinationIp","type":"string","description":"Packet's destination IP address."},{"name":"DestinationPort","type":"int","description":"Packet's destination port."},{"name":"Action","type":"string","description":"Action taken by the firewall following the IDPS signature hit."},{"name":"SignatureId","type":"string","description":"ID of the matched IDPS signature."},{"name":"Category","type":"string","description":"Category of the matched IDPS signature."},{"name":"Description","type":"string","description":"Description of the matched IDPS signature."},{"name":"Severity","type":"int","description":"Severity of the matched IDPS signature."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"solutions":["LogManagement"],"queries":["ae4119c9-1e46-4b3f-b9a6-df570e93e6f9","4d2fd56b-a0d4-42e1-8d0d-31e60f2e005b"]}},{"id":"AZFWInternalFqdnResolutionFailure","name":"AZFWInternalFqdnResolutionFailure","tableType":"Microsoft","description":"Contains all internal Firewall FQDN resolution requests that resulted in failure.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the data plane log was created."},{"name":"Fqdn","type":"string","description":"The 
FQDN which the firewall failed to resolve."},{"name":"ServerIp","type":"string","description":"DNS Resolver server's IP address."},{"name":"ServerPort","type":"int","description":"DNS Resolver server's port."},{"name":"Policy","type":"string","description":"Name of the policy in which the rule with the failing FQDN resolution resides."},{"name":"RuleCollectionGroup","type":"string","description":"Name of the rule collection group in which the rule with the failing FQDN resolution resides."},{"name":"RuleCollection","type":"string","description":"Name of the rule collection in which the rule with the failing FQDN resolution resides."},{"name":"Rule","type":"string","description":"Name of the rule with the failing FQDN resolution."},{"name":"Error","type":"string","description":"Description of the error that caused the failure of the FQDN resolution."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"solutions":["LogManagement"],"queries":["2705d573-c84c-4b40-973c-2aba2407ff22"]}},{"id":"AZFWNatRule","name":"AZFWNatRule","tableType":"Microsoft","description":"Contains all DNAT (Destination Network Address Translation) events log data. 
Each match between data plane and DNAT rule creates a log entry with the data plane packet and the matched rule's attributes.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the data plane log was created."},{"name":"Protocol","type":"string","description":"Packet's network protocol. For example: UDP, TCP."},{"name":"SourceIp","type":"string","description":"Packet's source IP address."},{"name":"SourcePort","type":"int","description":"Packet's source port."},{"name":"DestinationIp","type":"string","description":"Packet's destination IP address."},{"name":"DestinationPort","type":"int","description":"Packet's destination port."},{"name":"TranslatedIp","type":"string","description":"Original Destination IP address of the packet is replaced with TranslatedIp."},{"name":"TranslatedPort","type":"int","description":"Original Destination port of the packet is replaced with TranslatedPort."},{"name":"Policy","type":"string","description":"Name of the policy in which the triggered rule resides."},{"name":"RuleCollectionGroup","type":"string","description":"Name of the rule collection group in which the triggered rule resides."},{"name":"RuleCollection","type":"string","description":"Name of the rule collection in which the triggered rule resides."},{"name":"Rule","type":"string","description":"Name of the triggered rule."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"solutions":["LogManagement"],"queries":["ddacb4dd-a7c6-4f36-9642-71a0fac3a34c","4d2fd56b-a0d4-42e1-8d0d-31e60f2e005b"]}},{"id":"AZFWNatRuleAggregation","name":"AZFWNatRuleAggregation","tableType":"Microsoft","description":"Contains aggregated NAT Rule log data for Policy Analytics.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the data plane log was created."},{"name":"Protocol","type":"string","description":"Packet's network protocol. For example: UDP, TCP."},{"name":"SourceIp","type":"string","description":"Packet's source IP address."},{"name":"TranslatedIp","type":"string","description":"Original Destination IP address of the packet is replaced with TranslatedIp."},{"name":"TranslatedPort","type":"int","description":"Original Destination port of the packet is replaced with TranslatedPort."},{"name":"Policy","type":"string","description":"Name of the policy in which the triggered rule resides."},{"name":"RuleCollectionGroup","type":"string","description":"Name of the rule collection group in which the triggered rule resides."},{"name":"RuleCollection","type":"string","description":"Name of the rule collection in which the triggered rule resides."},{"name":"Rule","type":"string","description":"Name of the triggered rule."},{"name":"NatRuleCount","type":"int","description":"Aggregated count of NAT rules."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the 
subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"solutions":["LogManagement"]}},{"id":"AZFWNetworkRule","name":"AZFWNetworkRule","tableType":"Microsoft","description":"Contains all Network Rule log data. Each match between data plane and network rule creates a log entry with the data plane packet and the matched rule's attributes.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the data plane log was created."},{"name":"Protocol","type":"string","description":"Packet's network protocol. For example: UDP, TCP."},{"name":"SourceIp","type":"string","description":"Packet's source IP address."},{"name":"SourcePort","type":"int","description":"Packet's source port."},{"name":"DestinationIp","type":"string","description":"Packet's destination IP address."},{"name":"DestinationPort","type":"int","description":"Packet's destination port."},{"name":"Action","type":"string","description":"Action taken by the firewall following the match with this Network Rule. For example: Firewall may Allow/Deny this specific packet."},{"name":"Policy","type":"string","description":"Name of the policy in which the triggered rule resides."},{"name":"RuleCollectionGroup","type":"string","description":"Name of the rule collection group in which the triggered rule resides."},{"name":"RuleCollection","type":"string","description":"Name of the rule collection in which the triggered rule resides."},{"name":"Rule","type":"string","description":"Name of the triggered rule."},{"name":"ActionReason","type":"string","description":"When no rule is triggered for a packet, this field contains the reason for the action performed by the firewall. 
For example: a packet dropped because no rule matched will show `Default Action`."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"solutions":["LogManagement"],"queries":["5eea8814-60dd-4d3c-bec0-3c364c88efca","4d2fd56b-a0d4-42e1-8d0d-31e60f2e005b"]}},{"id":"AZFWNetworkRuleAggregation","name":"AZFWNetworkRuleAggregation","tableType":"Microsoft","description":"Contains aggregated Network rule log data for Policy Analytics.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the data plane log was created."},{"name":"Protocol","type":"string","description":"Packet's network protocol. For example: UDP, TCP."},{"name":"SourceIp","type":"string","description":"Packet's source IP address."},{"name":"DestinationIp","type":"string","description":"Packet's destination IP address."},{"name":"DestinationPort","type":"int","description":"Packet's destination port."},{"name":"Action","type":"string","description":"Action taken by the firewall following the match with this Network rule. For example: Firewall may Allow/Deny this specific session/packet."},{"name":"ActionReason","type":"string","description":"When no rule is triggered for a request, this field contains the reason for the action performed by the firewall. 
For example: a packet dropped because no rule matched will show `Default Action`."},{"name":"Policy","type":"string","description":"Name of the policy in which the triggered rule resides."},{"name":"RuleCollectionGroup","type":"string","description":"Name of the rule collection group in which the triggered rule resides."},{"name":"RuleCollection","type":"string","description":"Name of the rule collection in which the triggered rule resides."},{"name":"Rule","type":"string","description":"Name of the triggered rule."},{"name":"IsDefaultRule","type":"bool","description":"True if no network rule was hit. False otherwise."},{"name":"NetworkRuleCount","type":"int","description":"Aggregated count of network rule."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"solutions":["LogManagement"]}},{"id":"AZFWThreatIntel","name":"AZFWThreatIntel","tableType":"Microsoft","description":"Contains all Threat Intelligence events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the data plane log was created."},{"name":"Protocol","type":"string","description":"Packet's network protocol. 
For example: UDP, TCP."},{"name":"SourceIp","type":"string","description":"Packet's source IP address."},{"name":"SourcePort","type":"int","description":"Packet's source port."},{"name":"DestinationIp","type":"string","description":"Packet's destination IP address."},{"name":"DestinationPort","type":"int","description":"Packet's destination port."},{"name":"Fqdn","type":"string","description":"Request's target address in FQDN (Fully qualified Domain Name). For example: www.microsoft.com."},{"name":"TargetUrl","type":"string","description":"Request's target address URL. Available only for HTTP or TLS-inspected HTTPS requests. For example: https://www.microsoft.com/en-us/about."},{"name":"Action","type":"string","description":"Action taken by the firewall following the Threat Intelligence hit."},{"name":"ThreatDescription","type":"string","description":"Description of the Threat that was identified by the firewall."},{"name":"IsTlsInspected","type":"bool","description":"True if connection is TLS inspected. False otherwise."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.network/azurefirewalls"],"solutions":["LogManagement"],"queries":["3d806161-ab30-4c7c-a4fc-9bae0622e531","4d2fd56b-a0d4-42e1-8d0d-31e60f2e005b"]}},{"id":"AZKVAuditLogs","name":"AZKVAuditLogs","tableType":"Microsoft","description":"Audit logs can be used to monitor how and when your key vaults are accessed, and by whom. Customers will be able to log all authentication api requests. 
Operations on the key vault itself, including creation, deletion, setting key vault access policies, and updating key vault attributes such as tags. Operations on keys and secrets in the key vault, including creating, deleting, and signing.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the operation occurred."},{"name":"ResultType","type":"string","description":"Result of the REST API request."},{"name":"OperationName","type":"string","description":"Name of the operation"},{"name":"ResultDescription","type":"string","description":"Additional description about the result, when available."},{"name":"CorrelationId","type":"string","description":"An optional GUID that the client can pass to correlate client-side logs with service-side (Key Vault) logs."},{"name":"CallerIpAddress","type":"string","description":"IP address of the client that made the request"},{"name":"OperationVersion","type":"string","description":"REST API version requested by the client."},{"name":"Identity","type":"dynamic","description":"Identity from the token that was presented in the REST API request. This is usually a user, a service principal, or the combination user+appId, as in the case of a request that results from an Azure PowerShell cmdlet."},{"name":"Properties","type":"dynamic","description":"Information that varies based on the operation (OperationName). In most cases, this field contains client information (the user agent string passed by the client), the exact REST API request URI, and the HTTP status code. 
In addition, when an object is returned as a result of a request (for example, KeyCreate or VaultGet), it also contains the key URI (as id), vault URI, or secret URI."},{"name":"Nsp","type":"dynamic","description":"Network security perimeter properties, including the access control list and the NSP IDs associated with profiles."},{"name":"KeyProperties","type":"dynamic","description":"Information about key properties including type, size, curve"},{"name":"SecretProperties","type":"dynamic","description":"Information about secret properties including type, attributes"},{"name":"CertificateProperties","type":"dynamic","description":"Information about certificate audit properties including attributes, subject, hashing algorithm"},{"name":"CertificatePolicyProperties","type":"dynamic","description":"Information about certificate policy properties including keyproperties, secretproperties, issuerproperties"},{"name":"CertificateIssuerProperties","type":"dynamic","description":"Information about certificate issuer properties including provider, id"},{"name":"CertificateRequestProperties","type":"dynamic","description":"Boolean value indicating whether the certificate request operation was cancelled"},{"name":"StorageAccountProperties","type":"dynamic","description":"Information about storage account properties including activekeyname, resourceid"},{"name":"StorageSasDefinitionProperties","type":"dynamic","description":"Information about storage SAS definition properties including sastype, validityperiod"},{"name":"Id","type":"string","description":"Resource identifier (key ID or secret ID)"},{"name":"Algorithm","type":"string","description":"Algorithm used to generate the key"},{"name":"ClientInfo","type":"string","description":"User agent information"},{"name":"SubnetId","type":"string","description":"ID of the subnet if the request comes from a known subnet"},{"name":"HttpStatusCode","type":"int","description":"HTTP status code of the 
request"},{"name":"RequestUri","type":"string","description":"URI of the request"},{"name":"IsAddressAuthorized","type":"bool","description":"Specifies whether the request came from an authorized entity"},{"name":"AddressAuthorizationType","type":"string","description":"Address type (Public IP, subnet, private connection)"},{"name":"IsAccessPolicyMatch","type":"bool","description":"True if the tenant matches the vault tenant, and if the policy explicitly gives permission to the principal attempting the access."},{"name":"IsRbacAuthorized","type":"bool","description":"Specifies whether access was granted as part of the RBAC access check"},{"name":"AppliedAssignmentId","type":"string","description":"AssignmentId that either granted or denied access as part of the access check"},{"name":"TrustedService","type":"string","description":"Specifies whether the principal accessing the service is a trusted service. If this field is null, the principal is not a trusted service"},{"name":"Tlsversion","type":"string","description":"TLS protocol version used for the request"},{"name":"VaultProperties","type":"dynamic","description":"Detailed vault properties containing accesspolicy, iprule, virtualnetwork etc"},{"name":"Sku","type":"dynamic","description":"Information about the vault including family, name and capacity"},{"name":"NetworkAcls","type":"dynamic","description":"Information about the network ACLs that govern access to the vault"},{"name":"EnabledForDeployment","type":"bool","description":"Specifies if the vault is enabled for deployment"},{"name":"EnabledForDiskEncryption","type":"bool","description":"Specifies if disk encryption is enabled"},{"name":"EnabledForTemplateDeployment","type":"bool","description":"Specifies whether template deployment is enabled"},{"name":"EnableSoftDelete","type":"bool","description":"Specifies whether the vault is enabled for soft delete"},{"name":"SoftDeleteRetentionInDays","type":"int","description":"Specifies soft delete retention in 
days"},{"name":"EnableRbacAuthorization","type":"bool","description":"Specifies if RBAC authorization is enabled"},{"name":"EnablePurgeProtection","type":"bool","description":"Specifies if purge protection is enabled"},{"name":"HsmPoolResourceId","type":"string","description":"Resource ID of the HSM pool"},{"name":"ResultSignature","type":"string","description":"HTTP status of the request/response"},{"name":"DurationMs","type":"int","description":"Time it took to service the REST API request, in milliseconds. This does not include the network latency, so the time you measure on the client side might not match this time"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.keyvault/vaults"],"solutions":["LogManagement"],"queries":["126a5c26-d357-4b03-a4bc-5e8fbd26a1b8","d196c718-afdf-4eb1-9849-4f236030f51b","10026928-5243-4850-82e5-e1c4c175bc15","163b3a0a-e23d-4648-aec6-72906be0c027","dcfebdea-1637-46b9-8452-1979e9e30251","79cf6219-a0c3-4cac-a011-e5c02fc7cada"]}},{"id":"AZKVPolicyEvaluationDetailsLogs","name":"AZKVPolicyEvaluationDetailsLogs","tableType":"Microsoft","description":"Contains details of Azure Policy Evaluation including the outcome and details of what checks were performed.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when operation occured."},{"name":"ResultType","type":"string","description":"Result of the REST API 
request"},{"name":"OperationName","type":"string","description":"Name of the operation"},{"name":"ResultDescription","type":"string","description":"Additional description about the result, when available"},{"name":"Properties","type":"dynamic","description":"Information that varies based on the operation (operationName). In most cases, this field contains client information (the user agent string passed by the client), the exact REST API request URI, and the HTTP status code. In addition, when an object is returned as a result of a request (for example, KeyCreate or VaultGet), it also contains the key URI (as id), vault URI, or secret URI"},{"name":"ObjectName","type":"string","description":"Name of the object"},{"name":"ObjectType","type":"string","description":"Type of object"},{"name":"IsComplianceCheck","type":"bool","description":"Is Compliance check enabled"},{"name":"EvaluationDetails","type":"dynamic","description":"Details of evaluation"},{"name":"ResultSignature","type":"string","description":"HTTP status of the request/response"},{"name":"DurationMs","type":"int","description":"Time it took to service the REST API request, in milliseconds. 
This does not include the network latency, so the time you measure on the client side might not match this time"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.keyvault/vaults"],"solutions":["LogManagement"]}},{"id":"AZMSApplicationMetricLogs","name":"AZMSApplicationMetricLogs","tableType":"Microsoft","description":"Captures application metrics(incoming/outgoing, successful/failed, etc. message delivery) for Azure Event Hubs and Azure Service Bus.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActivityId","type":"string","description":"Internal ID, used to identify the specified activity."},{"name":"OperationName","type":"string","description":"Operation performed on Event Hub (ConsumerLag, ActiveConnection, IncomingMessages, Etc.)."},{"name":"Value","type":"int","description":"Value with respect to performed operation."},{"name":"NamespaceName","type":"string","description":"Namespace name."},{"name":"EntityType","type":"string","description":"Entity type."},{"name":"EntityName","type":"string","description":"Entity name."},{"name":"Properties","type":"dynamic","description":"Metadata that are specific to the operation."},{"name":"Outcome","type":"string","description":"Result of operation. Possible values: Success/Failure."},{"name":"Protocol","type":"string","description":"Protocol used to perform the operation. 
Possible values: AMQP, Kafka, and SBMP."},{"name":"AuthType","type":"string","description":"Type of authentication (Azure Active Directory or SAS Policy)."},{"name":"AuthId","type":"string","description":"Authentication ID configured for the Event Hub."},{"name":"TimeGenerated","type":"datetime","description":"The event start time (UTC)."},{"name":"Provider","type":"string","description":"Event provider name. Possible values: eventhub, relay, and servicebus."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.servicebus/namespaces","microsoft.eventhub/namespaces"],"solutions":["LogManagement"]}},{"id":"AZMSArchiveLogs","name":"AZMSArchiveLogs","tableType":"Microsoft","description":"Captures information about Event Hubs capture operations, specifically logs related to capture errors.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TaskName","type":"string","description":"The description of the task that failed."},{"name":"ActivityId","type":"string","description":"Internal ID, used for tracking."},{"name":"TrackingId","type":"string","description":"Internal ID, used for tracking."},{"name":"EventhubName","type":"string","description":"The Event Hub's full name (including the namespace name)."},{"name":"PartitionId","type":"int","description":"The Event Hubs partition being written to."},{"name":"ArchiveStep","type":"string","description":"The possible values: ArchiveFlushWriter, 
DestinationInit."},{"name":"TimeGenerated","type":"datetime","description":"The event generation time (UTC)."},{"name":"Failures","type":"int","description":"The number of occurrence of failures."},{"name":"DurationMs","type":"int","description":"The duration of failure (in Milliseconds)."},{"name":"Message","type":"string","description":"Error message."},{"name":"Provider","type":"string","description":"Event provider name. Possible values: eventhub, relay, and servicebus."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.eventhub/namespaces"],"solutions":["LogManagement"]}},{"id":"AZMSAutoscaleLogs","name":"AZMSAutoscaleLogs","tableType":"Microsoft","description":"Captures auto-inflate operations done on an Event Hubs namespace.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TrackingId","type":"string","description":"Internal ID, which is used for tracking purposes."},{"name":"Message","type":"string","description":"Informational message, which provides details about auto-inflate action. The message contains previous and current value of throughput unit for a given namespace and what triggered the inflate of the TU."},{"name":"TimeGenerated","type":"datetime","description":"The event generation time (UTC)."},{"name":"Provider","type":"string","description":"Event provider name. 
Possible values: eventhub, relay, and servicebus."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.eventhub/namespaces"],"solutions":["LogManagement"]}},{"id":"AZMSCustomerManagedKeyUserLogs","name":"AZMSCustomerManagedKeyUserLogs","tableType":"Microsoft","description":"Captures operations related to customer-managed key.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"Category","type":"string","description":"Type of category for a message. It's one of the following values: error and info. For example, if the key from your key vault is being disabled, then it would be an information category or if a key can't be unwrapped, it could fall under error."},{"name":"KeyVault","type":"string","description":"The name of the key vault resource."},{"name":"Key","type":"string","description":"The name of the key-vault key that's used to encrypt the Event Hubs namespace."},{"name":"Version","type":"string","description":"The version of the key-vault key."},{"name":"Operation","type":"string","description":"The operation that's performed on the key in your key vault. For example, disable/enable the key, wrap, or unwrap."},{"name":"StatusCode","type":"string","description":"The code that's associated with the operation. 
Example: Error code, 404 means that key wasn't found."},{"name":"Message","type":"string","description":"The message, which provides detailes about an error or informational message."},{"name":"TimeGenerated","type":"datetime","description":"The event start time(UTC)."},{"name":"Provider","type":"string","description":"Event provider name. Possible values: eventhub, relay, and servicebus."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.eventhub/namespaces"],"solutions":["LogManagement"]}},{"id":"AZMSDiagnosticErrorLogs","name":"AZMSDiagnosticErrorLogs","tableType":"Microsoft","description":"Captures aggregated diagnostic information such as client errors , server busy errors and quota exceeded errors for various data plane access operations (such as send or receive messages) in Azure Event Hubs and Azure Service Bus.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActivityId","type":"string","description":"A randomly generated UUID that ensures uniqueness for the audit activity."},{"name":"ActivityName","type":"string","description":"Operation name."},{"name":"NamespaceName","type":"string","description":"Namespace name."},{"name":"EntityType","type":"string","description":"Entity type."},{"name":"EntityName","type":"string","description":"Entity name."},{"name":"TimeGenerated","type":"datetime","description":"The event generation time 
(UTC)."},{"name":"OperationResult","type":"string","description":"Type of error (clienterror or serverbusy or quotaexceeded)."},{"name":"ErrorCount","type":"int","description":"Count of identical errors during the aggregation period of 1 minute."},{"name":"ErrorMessage","type":"string","description":"Detailed error message."},{"name":"Provider","type":"string","description":"Event provider name. Possible values: eventhub, relay, and servicebus."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.servicebus/namespaces","microsoft.eventhub/namespaces"],"solutions":["LogManagement"],"queries":["eaa7957b-aecb-406b-be10-f48696b0ecehdel","eaa7957b-aecb-406b-be10-f48696b0ecdfdel"]}},{"id":"AZMSHybridConnectionsEvents","name":"AZMSHybridConnectionsEvents","tableType":"Microsoft","description":"Captures all hybrid connection events that are performed on the Azure Relay namespace.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActivityId","type":"string","description":"Internal ID, used to identify the specified activity."},{"name":"TimeGenerated","type":"datetime","description":"The log generation time (UTC)."},{"name":"Endpoint","type":"string","description":"The endpoint identifier. 
Can be sender or receiver."},{"name":"OperationName","type":"string","description":"The type of the Hybrid Connections operation that is being logged."},{"name":"Message","type":"string","description":"The details of the performed task."},{"name":"Provider","type":"string","description":"Event provider name. Possible values: eventhub, relay, and servicebus."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.relay/namespaces"],"solutions":["LogManagement"],"queries":["07097c10-af17-46fd-b8a0-65c405f8b299"]}},{"id":"AZMSKafkaCoordinatorLogs","name":"AZMSKafkaCoordinatorLogs","tableType":"Microsoft","description":"Captures Kafka coordinator operations related to Event Hubs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"RequestId","type":"string","description":"The request ID, which is used for tracking purposes."},{"name":"Operation","type":"string","description":"The name of the operation performed during the group coordination."},{"name":"ClientId","type":"string","description":"The client ID."},{"name":"NamespaceName","type":"string","description":"The namespace name."},{"name":"Message","type":"string","description":"The informational or warning message, which provides details about actions performed during the group coordination."},{"name":"TimeGenerated","type":"datetime","description":"The event generation time (UTC)."},{"name":"Provider","type":"string","description":"Event provider name. 
Possible values: eventhub, relay, and servicebus."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.eventhub/namespaces"],"solutions":["LogManagement"]}},{"id":"AZMSKafkaUserErrorLogs","name":"AZMSKafkaUserErrorLogs","tableType":"Microsoft","description":"Captures information about kafka APIs called on Event Hubs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TrackingId","type":"string","description":"The tracking ID, which is used for tracking purposes."},{"name":"NamespaceName","type":"string","description":"Name of Event Hubs namespace."},{"name":"EventhubName","type":"string","description":"Name of Event Hub."},{"name":"Message","type":"string","description":"The informational message, which provides details about an error."},{"name":"TimeGenerated","type":"datetime","description":"The event start time (UTC)."},{"name":"Provider","type":"string","description":"Event provider name. 
Possible values: eventhub, relay, and servicebus."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.eventhub/namespaces"],"solutions":["LogManagement"]}},{"id":"AZMSOperationalLogs","name":"AZMSOperationalLogs","tableType":"Microsoft","description":"Captures all management operations that are performed on the Azure Event Hubs/Azure Service Bus namespace and its entities.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActivityId","type":"string","description":"Internal ID, used to identify the specified activity."},{"name":"EventName","type":"string","description":"The name of management operation which is executed within Service Bus."},{"name":"TimeGenerated","type":"datetime","description":"The log generation time (UTC)."},{"name":"EventProperties","type":"dynamic","description":"The operation properties."},{"name":"Status","type":"string","description":"The operation status."},{"name":"Caller","type":"string","description":"The caller of operation (the Azure portal or management client)."},{"name":"Provider","type":"string","description":"Event provider name. 
Possible values: eventhub, relay, and servicebus."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.servicebus/namespaces","microsoft.eventhub/namespaces"],"solutions":["LogManagement"],"queries":["8a0df091-26c3-4e64-a3b9-d2b2bd397c4e","c6b1a9cd-8b76-468d-8a00-b3be3040cf2b","2600882e-3766-4e90-8823-4f1285d4595c","eaa7957b-aecb-406b-be10-f48696b0ecdf","e16d5b06-e193-4e8f-8f2c-e3dd04413d9e","2b7d7c31-a6f4-4fcc-857e-c40fd9ecd918","9edb2134-7a9d-4193-b727-1900e50b133d"]}},{"id":"AZMSRunTimeAuditLogs","name":"AZMSRunTimeAuditLogs","tableType":"Microsoft","description":"Captures aggregated diagnostic information for various data plane access operations (such as send or receive messages) in Azure Event Hubs and Azure Service Bus. 
Runtime audit logs are currently available only in premium tier.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActivityId","type":"string","description":"A randomly generated UUID that ensures uniqueness for the audit activity."},{"name":"ActivityName","type":"string","description":"Runtime operation name."},{"name":"TimeGenerated","type":"datetime","description":"The event generation time (UTC)."},{"name":"Status","type":"string","description":"Status of the activity (success or failure)."},{"name":"Protocol","type":"string","description":"Type of the protocol associated with the operation."},{"name":"AuthType","type":"string","description":"Type of authentication (Azure Active Directory or SAS Policy)."},{"name":"AuthKey","type":"string","description":"Azure Active Directory application ID or SAS policy name that's used to authenticate to a resource."},{"name":"NetworkType","type":"string","description":"Type of the network access: Public or Private."},{"name":"ClientIp","type":"string","description":"IP address of the client application."},{"name":"Count","type":"int","description":"Total number of operations performed during the aggregated period of 1 minute."},{"name":"Properties","type":"dynamic","description":"Metadata that are specific to the data plane operation."},{"name":"Provider","type":"string","description":"Event provider name. 
Possible values: eventhub, relay, and servicebus."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.servicebus/namespaces","microsoft.eventhub/namespaces"],"solutions":["LogManagement"],"queries":["b1101646-c48a-4f18-83b9-2a3af4cd2c2b","b8df4aec-7c87-46e1-a6fb-d20b9c0e0ef0","bcb23e62-59f9-4b81-b7f9-91f2157c051f","b48bce62-0ab9-4b29-9d48-fd0602f175c3","8741ae6e-c9d1-4af4-8e8b-e139342c94cd","6e754b00-8d1b-4191-a332-fe3c746d64ee","e42b82a3-12b7-49d3-90da-cb8f0d15090c","5378867d-d538-4133-b9ad-b98d8e920995","7f71e893-1960-4080-b67f-1a06c5a79143","1b9a6421-8d31-4a38-ae8c-35f70ffafdb8","1b159023-07e2-4d37-9447-af7b6cc5cfc6"]}},{"id":"AZMSVnetConnectionEvents","name":"AZMSVnetConnectionEvents","tableType":"Microsoft","description":"Captures all virtual network and IP filtering logs for Azure Event Hubs and Azure Service Bus. These would only be emitted if namespace allows access from selected networks or from specific IP address (IP Filter rules).","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"NamespaceName","type":"string","description":"Name of Event Hubs or Service Bus namespace."},{"name":"TimeGenerated","type":"datetime","description":"The event generation time (UTC)."},{"name":"AddressIp","type":"string","description":"IP address of a client connecting to the Event Hubs or Service Bus service."},{"name":"Action","type":"string","description":"Action done by the service when evaluating connection requests. 
Supported actions are accept connection and deny connection."},{"name":"Message","type":"string","description":"Provides a reason why the action was done."},{"name":"Count","type":"int","description":"Number of occurrences for the given action."},{"name":"Provider","type":"string","description":"Event provider name. Possible values: eventhub, relay, and servicebus."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.eventhub/namespaces","microsoft.servicebus/namespaces","microsoft.relay/namespaces"],"solutions":["LogManagement"],"queries":["719df79c-282d-49ff-9163-35542afe3e47","cc0aeb16-1fe2-43c5-b483-cc8aba72b41c","d25850ef-feda-42dc-afdb-d6f527854b8b","942c6acb-1f7e-498e-b5fa-d3c30f787f61","5956fb69-ccc1-40a2-a7be-8cf35a3fc627","39525fb9-8431-4c02-826f-c610eaaeb9c1"]}},{"id":"AddonAzureBackupAlerts","name":"AddonAzureBackupAlerts","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"AlertCode","type":"string","isPreferredFacet":true},{"name":"AlertConsolidationStatus","type":"string","isPreferredFacet":true},{"name":"AlertOccurrenceDateTime","type":"datetime"},{"name":"AlertRaisedOn","type":"string","isPreferredFacet":true},{"name":"AlertSeve
rity","type":"string","isPreferredFacet":true},{"name":"AlertStatus","type":"string","isPreferredFacet":true},{"name":"AlertTimeToResolveInMinutes","type":"real"},{"name":"AlertType","type":"string","isPreferredFacet":true},{"name":"AlertUniqueId","type":"string"},{"name":"BackupItemUniqueId","type":"string"},{"name":"BackupManagementServerUniqueId","type":"string"},{"name":"BackupManagementType","type":"string","isPreferredFacet":true},{"name":"CountOfAlertsConsolidated","type":"int"},{"name":"ProtectedContainerUniqueId","type":"string"},{"name":"RecommendedAction","type":"string"},{"name":"SchemaVersion","type":"string","isPreferredFacet":true},{"name":"State","type":"string","isPreferredFacet":true},{"name":"StorageUniqueId","type":"string"},{"name":"VaultUniqueId","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["management","resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.recoveryservices/vaults"]}},{"id":"AddonAzureBackupJobs","name":"AddonAzureBackupJobs","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"AdHocOrScheduledJob","type":"string","isPreferredFacet":true},{"name":"BackupItemUniqueId","type":"string"},{"name":"BackupManagementServerUniqueId","type":"string"},{"name":"BackupManagementType","type":"string","isPreferredFacet":true},{"name":"DataTransferredInMB","type":"real"},{"name":"JobDurationInSecs","type":"real"},{"name":"JobFailureCode","type":"string","isPreferredFacet":true},{"name":"JobOperation","type":"string","isPreferredFacet":true},{"name":"JobOperationSubType","type":"string","isPreferredFacet":true},{"name":"JobStartDateTime","type":"datetime"},{"name":"JobStatus","type":"string","isPreferredFacet":true},{"name":"JobUniqueId","type":"string"},{"name":"ProtectedContainerUniqueId","type":"string"},{"name":"RecoveryJobDestination","type":"string"},{"name":"RecoveryJobRPDateTime","type":"datetime"},{"name":"RecoveryJobRPLocation","type":"string","isPreferredFacet":true},{"name":"RecoveryLocationType","type":"string","isPreferredFacet":true},{"name":"SchemaVersion","type":"string","isPreferredFacet":true},{"name":"State","type":"string","isPreferredFacet":true},{"name":"VaultUniqueId","type":"string"},{"name":"DatasourceSetFriendlyName","type":"string"},{"name":"DatasourceSetResourceId","type":"string"},{"name":"DatasourceSetType","type":"string"},{"name":"DatasourceResourceId","type":"string"},{"name":"DatasourceType","type":"string"},{"na
me":"DatasourceFriendlyName","type":"string"},{"name":"SubscriptionId","type":"string"},{"name":"ResourceGroupName","type":"string"},{"name":"VaultName","type":"string"},{"name":"VaultTags","type":"string"},{"name":"VaultType","type":"string"},{"name":"StorageReplicationType","type":"string"},{"name":"ArchiveTierStorageReplicationType","type":"string"},{"name":"AzureDataCenter","type":"string"},{"name":"BackupItemId","type":"string"},{"name":"BackupItemFriendlyName","type":"string"},{"name":"ExtendedProperties","type":"dynamic"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["management","resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.recoveryservices/vaults"],"functions":["19551c5e-1e3e-4425-a1d7-c846a0bca2a5"]}},{"id":"AddonAzureBackupPolicy","name":"AddonAzureBackupPolicy","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"BackupDaysOfTheWeek","type":"string"},{"name":"BackupFrequency","type":"string","isPreferredFacet":true},{"name":"BackupManagementType","type":"string","isPreferredFacet":true},{"name":"BackupManagementServerUniqueId","type":"string"},{"name":"BackupTimes","type":"string"},{"name":"DailyRetentionDuration","type":"int"},{"name":"DailyRetentionTimes","type":"string"},{"name":"DiffBacku
pDaysofTheWeek","type":"string"},{"name":"DiffBackupFormat","type":"string","isPreferredFacet":true},{"name":"DiffBackupRetentionDuration","type":"int"},{"name":"DiffBackupTime","type":"string"},{"name":"LogBackupFrequency","type":"int"},{"name":"LogBackupRetentionDuration","type":"int"},{"name":"MonthlyRetentionDaysOfTheMonth","type":"string"},{"name":"MonthlyRetentionDaysOfTheWeek","type":"string"},{"name":"MonthlyRetentionDuration","type":"int"},{"name":"MonthlyRetentionFormat","type":"string","isPreferredFacet":true},{"name":"MonthlyRetentionTimes","type":"string"},{"name":"MonthlyRetentionWeeksOfTheMonth","type":"string"},{"name":"PolicyName","type":"string"},{"name":"PolicyUniqueId","type":"string"},{"name":"PolicyTimeZone","type":"string","isPreferredFacet":true},{"name":"RetentionDuration","type":"int"},{"name":"RetentionType","type":"string","isPreferredFacet":true},{"name":"SchemaVersion","type":"string","isPreferredFacet":true},{"name":"State","type":"string","isPreferredFacet":true},{"name":"SynchronisationFrequencyPerDay","type":"string"},{"name":"VaultUniqueId","type":"string"},{"name":"WeeklyRetentionDaysOfTheWeek","type":"string"},{"name":"WeeklyRetentionDuration","type":"int"},{"name":"WeeklyRetentionTimes","type":"string"},{"name":"YearlyRetentionDaysOfTheMonth","type":"string"},{"name":"YearlyRetentionDaysOfTheWeek","type":"string"},{"name":"YearlyRetentionDuration","type":"int"},{"name":"YearlyRetentionFormat","type":"string","isPreferredFacet":true},{"name":"YearlyRetentionMonthsOfTheYear","type":"string"},{"name":"YearlyRetentionTimes","type":"string"},{"name":"YearlyRetentionWeeksOfTheMonth","type":"string"},{"name":"PolicySubType","type":"string"},{"name":"BackupIntervalInHours","type":"int"},{"name":"ScheduleWindowDuration","type":"int"},{"name":"ScheduleWindowStartTime","type":"datetime"},{"name":"ArchiveTieringMode","type":"string"},{"name":"ArchiveTieringDurationType","type":"string"},{"name":"ArchiveTieringDuration","type":"int"},{"name"
:"FullBackupDaysOfTheWeek","type":"string"},{"name":"FullBackupFrequency","type":"string"},{"name":"FullBackupTimes","type":"string"},{"name":"DifferentialBackupDaysOfTheWeek","type":"string"},{"name":"DifferentialBackupFrequency","type":"string"},{"name":"DifferentialBackupTimes","type":"string"},{"name":"IncrementalBackupDaysOfTheWeek","type":"string"},{"name":"IncrementalBackupFrequency","type":"string"},{"name":"IncrementalBackupTimes","type":"string"},{"name":"PolicyId","type":"string"},{"name":"SnapshotTierDailyRetentionDuration","type":"int"},{"name":"SnapshotTierWeeklyRetentionDuration","type":"int"},{"name":"SnapshotTierMonthlyRetentionDuration","type":"int"},{"name":"SnapshotTierYearlyRetentionDuration","type":"int"},{"name":"ArchiveTierDailyRetentionDuration","type":"int"},{"name":"ArchiveTierWeeklyRetentionDuration","type":"int"},{"name":"ArchiveTierMonthlyRetentionDuration","type":"int"},{"name":"ArchiveTierYearlyRetentionDuration","type":"int"},{"name":"ArchiveTierDefaultRetentionDuration","type":"int"},{"name":"StandardTierDefaultRetentionDuration","type":"int"},{"name":"SnapshotTierDefaultRetentionDuration","type":"int"},{"name":"DatasourceType","type":"string"},{"name":"VaultTags","type":"string"},{"name":"AzureDataCenter","type":"string"},{"name":"VaultType","type":"string"},{"name":"StorageReplicationType","type":"string"},{"name":"ArchiveTierStorageReplicationType","type":"string"},{"name":"SubscriptionId","type":"string"},{"name":"ResourceGroupName","type":"string"},{"name":"VaultName","type":"string"},{"name":"ExtendedProperties","type":"dynamic"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["management","resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.recoveryservices/vaults"],"functions":["19551c5e-1e3e-4425-a1d7-c846a0bca2a2","19551c5e-1e3e-4425-a1d7-c846a0bca2a3","19551c5e-1e3e-4425-a1d7-c846a0bca2a5","19551c5e-1e3e-4425-a1d7-c846a0bca2a6"]}},{"id":"AddonAzureBackupProtectedInstance","name":"AddonAzureBackupProtectedInstance","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"BackupItemUniqueId","type":"string"},{"name":"BackupManagementServerUniqueId","type":"string"},{"name":"BackupManagementType","type":"string","isPreferredFacet":true},{"name":"ProtectedContainerUniqueId","type":"string"},{"name":"ProtectedInstanceCount","type":"int","isPreferredFacet":true},{"name":"SchemaVersion","type":"string","isPreferredFacet":true},{"name":"State","type":"string","isPreferredFacet":true},{"name":"VaultUniqueId","type":"string"},{"name":"BillingGroupFriendlyName","type":"string"},{"name":"BillingGroupUniqueId","type":"string"},{"name":"StorageConsumedInMBs","type":"real"},{"name":"ArchiveTierStorageConsumedInMBs","type":"real"},{"name":"VaultTags","type":"string"},{"name":"AzureDataCenter","type":"string"},{"name":"VaultType","type":"string"},{"name":"StorageReplicationType","type":"string"},{"name":"ArchiveTierStorageReplicationType","type":"string"},{"name":"SubscriptionId","type":"string"},{"name":"ResourceGroupName","type":"string"},{"name":"VaultName","type":"string"},{"name":"DatasourceType","type":"string"},{"name":"BillingGroupType","type":"string"},{"name":"SourceSizeInMBs","type":"real"},{"name":"BillingGroupResourceGroupName","type"
:"string"},{"name":"ExtendedProperties","type":"dynamic"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["management","resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.recoveryservices/vaults"],"functions":["19551c5e-1e3e-4425-a1d7-c846a0bca2a4","19551c5e-1e3e-4425-a1d7-c846a0bca2a7"]}},{"id":"AddonAzureBackupStorage","name":"AddonAzureBackupStorage","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"BackupItemUniqueId","type":"string"},{"name":"BackupManagementServerUniqueId","type":"string"},{"name":"BackupManagementType","type":"string","isPreferredFacet":true},{"name":"PreferredWorkloadOnVolume","type":"string"},{"name":"ProtectedContainerUniqueId","type":"string"},{"name":"SchemaVersion","type":"string","isPreferredFacet":true},{"name":"State","type":"string","isPreferredFacet":true},{"name":"StorageAllocatedInMBs","type":"real"},{"name":"StorageConsumedInMBs","type":"real"},{"name":"StorageName","type":"string"},{"name":"StorageTotalSizeInGBs","type":"real"},{"name":"StorageType","type":"string","isPreferredFacet":true},{"name":"StorageUniqueId","type":"string"},{"name":"VaultUniqueId","type":"string"},{"name":"VolumeFriendlyName","type":"string"},{"name":"ArchiveTierStorageConsumedInMBs","type":"stri
ng"},{"name":"ExtendedProperties","type":"dynamic"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["management","resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.recoveryservices/vaults"],"functions":["19551c5e-1e3e-4425-a1d7-c846a0bca2a3","19551c5e-1e3e-4425-a1d7-c846a0bca2a4","19551c5e-1e3e-4425-a1d7-c846a0bca2a6","19551c5e-1e3e-4425-a1d7-c846a0bca2a7"]}},{"id":"AegDataPlaneRequests","name":"AegDataPlaneRequests","tableType":"Microsoft","description":"Logs for Event Grid data plane requests (publish and options) against a topic/domain/partnernamespace. It can be used for auditing purposes. Logs are aggregated over a minute and displays the total number of requests with specific request properties.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"NetworkAccess","type":"string","description":"The type of network used by the client issuing the request. Allowed values are: PublicAccess - when connecting via public IP, PrivateAccess - when connecting via private link"},{"name":"ClientIpAddress","type":"string","description":"The IP address of the client issuing the request."},{"name":"TlsVersion","type":"string","description":"The transport layer security (TLS) version used by the client connection. 
Possible values are: 1.0, 1.1 and 1.2"},{"name":"Authentication","type":"string","description":"The type of secret used for authentication when issuing requests. Key – request uses the SAS key, SASToken – request uses a SAS token generated from the SAS key, AADAccessToken – Azure Active Directory issued JSON Web Token (JWT), Unknown – none of the above authentication types. OPTIONS requests will have the Unknown authentication type."},{"name":"OperationResult","type":"string","description":"The result of the operation. Possible values are: Success, Unauthorized, Forbidden, RequestEntityTooLarge, BadRequest, InternalServerError"},{"name":"TotalOperations","type":"string","description":"The total number of requests with the above values issued within the minute. These traces aren't emitted for each publish request. An aggregate for each unique combination of the above values is emitted every minute"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.eventgrid/topics","microsoft.eventgrid/domains","microsoft.eventgrid/partnernamespaces"],"solutions":["LogManagement"],"queries":["09073e9b-334f-43b8-8b42-58ddf7e6b1e2"]}},{"id":"AegDeliveryFailureLogs","name":"AegDeliveryFailureLogs","tableType":"Microsoft","description":"Azure Event Grid - event delivery failure logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when the log was generated."},{"name":"SubResourceName","type":"string","description":"Name 
of the sub resource."},{"name":"EventSubscriptionName","type":"string","description":"Name of the event subscription."},{"name":"Category","type":"string","description":"Log category name."},{"name":"OperationName","type":"string","description":"Name of the operation."},{"name":"Message","type":"string","description":"Log message for the user."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.eventgrid/topics","microsoft.eventgrid/domains","microsoft.eventgrid/partnertopics","microsoft.eventgrid/systemtopics"],"queries":["14ed6864-b898-400d-9083-b811bca96cb5"]}},{"id":"AegPublishFailureLogs","name":"AegPublishFailureLogs","tableType":"Microsoft","description":"Azure Event Grid - event publish failure logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when log was generated."},{"name":"SubResourceName","type":"string","description":"Name of the sub resource."},{"name":"Category","type":"string","description":"Log category name."},{"name":"OperationName","type":"string","description":"Name of the operation."},{"name":"Message","type":"string","description":"Log message for the user."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that 
the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.eventgrid/topics","microsoft.eventgrid/domains","microsoft.eventgrid/partnernamespaces"],"queries":["1a5d3292-cb61-4372-bf32-0c013cb15625"]}},{"id":"AggregatedSecurityAlert","name":"AggregatedSecurityAlert","tableType":"Microsoft","description":"Alerts that were generated by security products and were aggregated from a partner.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the alert was generated."},{"name":"DisplayName","type":"string","description":"The name of the alert."},{"name":"AlertName","type":"string","description":"The name of the alert."},{"name":"AlertSeverity","type":"string","description":"The severity of the alert."},{"name":"Description","type":"string","description":"The description of the alert."},{"name":"ProviderName","type":"string","description":"The name of the provider that generated the alert."},{"name":"VendorName","type":"string","description":"The name of the vendor owning the provider that generated the alert."},{"name":"VendorOriginalId","type":"string","description":"An ID assigned to the alert by the vendor, to help track down the alert in the original system."},{"name":"SystemAlertId","type":"string","description":"An ID assigned to the alert by Sentinel."},{"name":"AlertType","type":"string","description":"The type name of the alert."},{"name":"ConfidenceLevel","type":"string","description":"The level of confidence that the alert is not a false-positive."},{"name":"ConfidenceScore","type":"real","description":"The level of confidence that the alert is not a false-positive. 
This property allows for a more fine-grained representation, represented by a number between 0 and 1 (inclusive)."},{"name":"StartTime","type":"datetime","description":"The start time of the impact of the alert."},{"name":"EndTime","type":"datetime","description":"The end time of the impact of the alert."},{"name":"ProcessingEndTime","type":"datetime","description":"The time the alert was received for processing."},{"name":"RemediationSteps","type":"string","description":"Action items to take to remediate the alert."},{"name":"ExtendedProperties","type":"string","description":"Additional data about the alert."},{"name":"Entities","type":"string","description":"A list of entities related to the alert. This list can hold a mixture of entities of different types."},{"name":"SourceSystem","type":"string","description":"The Log Analytics source system. Will always be 'Detection'."},{"name":"ExtendedLinks","type":"string","description":"A set of link objects that can provide additional data on the alert."},{"name":"ProductName","type":"string","description":"The name of the product that generated the alert."},{"name":"ProductComponentName","type":"string","description":"The name of a component inside the product which generated the alert."},{"name":"Status","type":"string","description":"The lifecycle status of the alert (new, in progress, closed)."},{"name":"CompromisedEntity","type":"string","description":"Display name of the main entity being reported on."},{"name":"Tactics","type":"string","description":"A list of adversary MITRE ATT&CK tactics involved in this security issue."},{"name":"Techniques","type":"string","description":"A list of adversary MITRE ATT&CK techniques involved in this security issue."},{"name":"SubTechniques","type":"string","description":"A list of adversary MITRE ATT&CK sub techniques involved in this security issue."},{"name":"PartnerId","type":"string","description":"An ID assigned to the partner who sent the 
alert."},{"name":"PartnerDisplayName","type":"string","description":"Name of the partner who sent the alert."},{"name":"PartnerMetadata","type":"string","description":"Metadata about the partner who sent the alert."},{"name":"AggregatedSecurityAlertRuleIds","type":"string","description":"IDs assigned to the aggregated security data sharing rules by Sentinel."},{"name":"AggregatedSecurityAlertRuleNames","type":"string","description":"The names of the aggregated security data sharing rules."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"],"queries":["aecb76d9-4063-422b-8837-9f4dba347a56"]}},{"id":"AgriFoodApplicationAuditLogs","name":"AgriFoodApplicationAuditLogs","tableType":"Microsoft","description":"Logs for privileged actions such as data-plane resource create, update, delete and subscription management operations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the log was created."},{"name":"Category","type":"string","description":"Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. 
Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"DataPlaneResourceId","type":"string","description":"ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc."},{"name":"CallerIpAddress","type":"string","description":"IP address of the client that made the request."},{"name":"Level","type":"string","description":"The severity level of the event, will be one of Informational, Warning, Error, or Critical."},{"name":"ResultType","type":"string","description":"Result of the REST API request."},{"name":"ResultDescription","type":"string","description":"Additional details about the result, when available."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs, when available."},{"name":"Identity","type":"dynamic","description":"Identity from the token that was presented in the REST API request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.agfoodplatform/farmbeats"],"solutions":["LogManagement"],"queries":["f3518255-2374-448a-878a-d5d4457da11c"]}},{"id":"AgriFoodFarmManagementLogs","name":"AgriFoodFarmManagementLogs","tableType":"Microsoft","description":"Logs for create, update, delete 
and get operations on FarmBeats resources such as Farmer, Farm, Field, Boundary, Seasonal Field, Crop, CropVariety, Season, Attachment, Prescription Maps, Prescriptions, Management Zones, Zones, Plant Tissue Analysis, Nutrient Analysis etc.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the log was created."},{"name":"Category","type":"string","description":"Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"RequestUri","type":"string","description":"URI of the API request."},{"name":"FarmerId","type":"string","description":"Farmer ID associated with the request, wherever applicable."},{"name":"DataPlaneResourceId","type":"string","description":"ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc."},{"name":"CallerIpAddress","type":"string","description":"IP address of the client that made the request."},{"name":"Level","type":"string","description":"The severity level of the event, will be one of Informational, Warning, Error, or Critical."},{"name":"ResultSignature","type":"int","description":"HTTP status of API request."},{"name":"ResultType","type":"string","description":"Result of the REST API request."},{"name":"ResultDescription","type":"string","description":"Additional details about the result, when available."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs, when 
available."},{"name":"DurationMs","type":"real","description":"Time it took to service the REST API request, in milliseconds."},{"name":"ApplicationId","type":"string","description":"ApplicationId in identity claims."},{"name":"ObjectId","type":"string","description":"ObjectId in identity claims."},{"name":"ClientTenantId","type":"string","description":"TenantId in identity claims."},{"name":"RequestBody","type":"dynamic","description":"Request body of the API calls."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.agfoodplatform/farmbeats"],"solutions":["LogManagement"],"queries":["a4d5c564-f185-450d-9024-ac003c4f96a9"]}},{"id":"AgriFoodFarmOperationLogs","name":"AgriFoodFarmOperationLogs","tableType":"Microsoft","description":"Logs for create, update, delete and get operations for FarmOperations such as data ingestion job, ApplicationData, PlantingData, HarvestingData, TillageData etc.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the log was created."},{"name":"Category","type":"string","description":"Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. 
Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"RequestUri","type":"string","description":"URI of the API request."},{"name":"FarmerId","type":"string","description":"Farmer ID associated with the request, wherever applicable."},{"name":"DataPlaneResourceId","type":"string","description":"ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc."},{"name":"CallerIpAddress","type":"string","description":"IP address of the client that made the request."},{"name":"Level","type":"string","description":"The severity level of the event, will be one of Informational, Warning, Error, or Critical."},{"name":"ResultSignature","type":"int","description":"HTTP status of API request."},{"name":"ResultType","type":"string","description":"Result of the REST API request."},{"name":"ResultDescription","type":"string","description":"Additional details about the result, when available."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs, when available."},{"name":"DurationMs","type":"real","description":"Time it took to service the REST API request, in milliseconds."},{"name":"ApplicationId","type":"string","description":"ApplicationId in identity claims."},{"name":"ObjectId","type":"string","description":"ObjectId in identity claims."},{"name":"ClientTenantId","type":"string","description":"TenantId in identity claims."},{"name":"RequestBody","type":"dynamic","description":"Request body of the API calls."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.agfoodplatform/farmbeats"],"solutions":["LogManagement"]}},{"id":"AgriFoodInsightLogs","name":"AgriFoodInsightLogs","tableType":"Microsoft","description":"Logs for read operations on FarmBeats resources such as insights and insight-attachments.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the log was created."},{"name":"Category","type":"string","description":"Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. 
Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"RequestUri","type":"string","description":"URI of the API request."},{"name":"FarmerId","type":"string","description":"Farmer ID associated with the request, wherever applicable."},{"name":"DataPlaneResourceId","type":"string","description":"ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc."},{"name":"CallerIpAddress","type":"string","description":"IP address of the client that made the request."},{"name":"Level","type":"string","description":"The severity level of the event, will be one of Informational, Warning, Error, or Critical."},{"name":"ResultSignature","type":"int","description":"HTTP status of API request."},{"name":"ResultType","type":"string","description":"Result of the REST API request."},{"name":"ResultDescription","type":"string","description":"Additional details about the result, when available."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs, when available."},{"name":"DurationMs","type":"real","description":"Time it took to service the REST API request, in milliseconds."},{"name":"ApplicationId","type":"string","description":"ApplicationId in identity claims."},{"name":"ObjectId","type":"string","description":"ObjectId in identity claims."},{"name":"ClientTenantId","type":"string","description":"TenantId in identity claims."},{"name":"RequestBody","type":"dynamic","description":"Request body of the API calls."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.agfoodplatform/farmbeats"],"solutions":["LogManagement"]}},{"id":"AgriFoodJobProcessedLogs","name":"AgriFoodJobProcessedLogs","tableType":"Microsoft","description":"Logs indicating success or failure of job runs for farmOperationDataIngestionJob, farmOperationPeriodicJob, farmOperationEventHandlingJob,satelliteDataIngestionJob, weatherDataIngestionJob etc. These logs also contain reasons for failure of these jobs if any.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the log was created."},{"name":"Category","type":"string","description":"Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. 
Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"JobId","type":"string","description":"User defined ID of the job."},{"name":"FarmerId","type":"string","description":"Farmer ID associated with the request, wherever applicable."},{"name":"JobRunType","type":"string","description":"Indicates whether a job is a periodic job or a one-time job."},{"name":"InitiatedBy","type":"string","description":"Indicates whether the job was initiated by FarmBeats or user."},{"name":"Level","type":"string","description":"The severity level of the event, will be one of Informational, Warning, Error, or Critical."},{"name":"ResultType","type":"string","description":"Result of the REST API request."},{"name":"ResultDescription","type":"string","description":"Additional details about the result, when available."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs, when available."},{"name":"DurationMs","type":"real","description":"Time it took to service the REST API request, in milliseconds."},{"name":"ApplicationId","type":"string","description":"ApplicationId in identity claims."},{"name":"ObjectId","type":"string","description":"ObjectId in identity claims."},{"name":"ClientTenantId","type":"string","description":"TenantId in identity claims."},{"name":"Properties","type":"dynamic","description":"Additional properties associated with the Job."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique 
identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.agfoodplatform/farmbeats"],"solutions":["LogManagement"],"queries":["97234902-0236-4821-a438-d52c8a80a8ba"]}},{"id":"AgriFoodModelInferenceLogs","name":"AgriFoodModelInferenceLogs","tableType":"Microsoft","description":"Logs for create and get operations for AI/ML model inference jobs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the log was created."},{"name":"Category","type":"string","description":"Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"RequestUri","type":"string","description":"URI of the API request."},{"name":"FarmerId","type":"string","description":"Farmer ID associated with the request, wherever applicable."},{"name":"DataPlaneResourceId","type":"string","description":"ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc."},{"name":"CallerIpAddress","type":"string","description":"IP address of the client that made the request."},{"name":"Level","type":"string","description":"The severity level of the event, will be one of Informational, Warning, Error, or Critical."},{"name":"ResultSignature","type":"int","description":"HTTP status of API request."},{"name":"ResultType","type":"string","description":"Result of the REST API 
request."},{"name":"ResultDescription","type":"string","description":"Additional details about the result, when available."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs, when available."},{"name":"DurationMs","type":"real","description":"Time it took to service the REST API request, in milliseconds."},{"name":"ApplicationId","type":"string","description":"ApplicationId in identity claims."},{"name":"ObjectId","type":"string","description":"ObjectId in identity claims."},{"name":"ClientTenantId","type":"string","description":"TenantId in identity claims."},{"name":"RequestBody","type":"dynamic","description":"Request body of the API calls."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.agfoodplatform/farmbeats"],"solutions":["LogManagement"]}},{"id":"AgriFoodProviderAuthLogs","name":"AgriFoodProviderAuthLogs","tableType":"Microsoft","description":"Logs for create, update, delete, cascade delete, get and get all operations for OAuth providers. It also has logs for get, get all and cascade delete operations for OAuth tokens.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the log was created."},{"name":"Category","type":"string","description":"Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. 
Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"RequestUri","type":"string","description":"URI of the API request."},{"name":"FarmerId","type":"string","description":"Farmer ID associated with the request, wherever applicable."},{"name":"DataPlaneResourceId","type":"string","description":"ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc."},{"name":"CallerIpAddress","type":"string","description":"IP address of the client that made the request."},{"name":"Level","type":"string","description":"The severity level of the event, will be one of Informational, Warning, Error, or Critical."},{"name":"ResultSignature","type":"int","description":"HTTP status of API request."},{"name":"ResultType","type":"string","description":"Result of the REST API request."},{"name":"ResultDescription","type":"string","description":"Additional details about the result, when available."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs, when available."},{"name":"DurationMs","type":"real","description":"Time it took to service the REST API request, in milliseconds."},{"name":"ApplicationId","type":"string","description":"ApplicationId in identity claims."},{"name":"ObjectId","type":"string","description":"ObjectId in identity claims."},{"name":"ClientTenantId","type":"string","description":"TenantId in identity claims."},{"name":"RequestBody","type":"dynamic","description":"Request body of the API calls."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.agfoodplatform/farmbeats"],"solutions":["LogManagement"]}},{"id":"AgriFoodSatelliteLogs","name":"AgriFoodSatelliteLogs","tableType":"Microsoft","description":"Logs for create and get operations for Satellite data.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the log was created."},{"name":"Category","type":"string","description":"Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"RequestUri","type":"string","description":"URI of the API request."},{"name":"FarmerId","type":"string","description":"Farmer ID associated with the request, wherever applicable."},{"name":"DataPlaneResourceId","type":"string","description":"ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc."},{"name":"CallerIpAddress","type":"string","description":"IP address of the client that made the request."},{"name":"Level","type":"string","description":"The severity level of the event, will be one of Informational, Warning, Error, or Critical."},{"name":"ResultSignature","type":"int","description":"HTTP status of API request."},{"name":"ResultType","type":"string","description":"Result 
of the REST API request."},{"name":"ResultDescription","type":"string","description":"Additional details about the result, when available."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs, when available."},{"name":"DurationMs","type":"real","description":"Time it took to service the REST API request, in milliseconds."},{"name":"ApplicationId","type":"string","description":"ApplicationId in identity claims."},{"name":"ObjectId","type":"string","description":"ObjectId in identity claims."},{"name":"ClientTenantId","type":"string","description":"TenantId in identity claims."},{"name":"RequestBody","type":"dynamic","description":"Request body of the API calls."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.agfoodplatform/farmbeats"],"solutions":["LogManagement"]}},{"id":"AgriFoodSensorManagementLogs","name":"AgriFoodSensorManagementLogs","tableType":"Microsoft","description":"Logs for sensors, sensors mappings, sensors events, sensors data models, sensors partner integration, devices, device data models etc.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was created."},{"name":"Category","type":"string","description":"Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. 
Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"RequestUri","type":"string","description":"URI of the API request."},{"name":"FarmerId","type":"string","description":"Farmer ID associated with the request, wherever applicable."},{"name":"DataPlaneResourceId","type":"string","description":"ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc."},{"name":"CallerIpAddress","type":"string","description":"IP address of the client that made the request."},{"name":"Level","type":"string","description":"The severity level of the event, will be one of Informational, Warning, Error, or Critical."},{"name":"ResultSignature","type":"int","description":"HTTP status of API request."},{"name":"ResultType","type":"string","description":"Result of the REST API request."},{"name":"ResultDescription","type":"string","description":"Additional details about the result, when available."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs, when available."},{"name":"DurationMs","type":"real","description":"Time it took to service the REST API request, in milliseconds."},{"name":"ApplicationId","type":"string","description":"ApplicationId in identity claims."},{"name":"ObjectId","type":"string","description":"ObjectId in identity claims."},{"name":"ClientTenantId","type":"string","description":"TenantId in identity claims."},{"name":"RequestBody","type":"dynamic","description":"Request body of the API calls."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.agfoodplatform/farmbeats"],"solutions":["LogManagement"]}},{"id":"AgriFoodWeatherLogs","name":"AgriFoodWeatherLogs","tableType":"Microsoft","description":"Logs for create, update, delete and get operations while ingesting weather data in FarmBeats.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the log was created."},{"name":"Category","type":"string","description":"Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. 
Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"RequestUri","type":"string","description":"URI of the API request."},{"name":"FarmerId","type":"string","description":"Farmer ID associated with the request, wherever applicable."},{"name":"DataPlaneResourceId","type":"string","description":"ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc."},{"name":"CallerIpAddress","type":"string","description":"IP address of the client that made the request."},{"name":"Level","type":"string","description":"The severity level of the event, will be one of Informational, Warning, Error, or Critical."},{"name":"ResultSignature","type":"int","description":"HTTP status of API request."},{"name":"ResultType","type":"string","description":"Result of the REST API request."},{"name":"ResultDescription","type":"string","description":"Additional details about the result, when available."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs, when available."},{"name":"DurationMs","type":"real","description":"Time it took to service the REST API request, in milliseconds."},{"name":"ApplicationId","type":"string","description":"ApplicationId in identity claims."},{"name":"ObjectId","type":"string","description":"ObjectId in identity claims."},{"name":"ClientTenantId","type":"string","description":"TenantId in identity claims."},{"name":"RequestBody","type":"dynamic","description":"Request body of the API calls."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.agfoodplatform/farmbeats"],"solutions":["LogManagement"]}},{"id":"AirflowDagProcessingLogs","name":"AirflowDagProcessingLogs","tableType":"Microsoft","description":"ADF Airflow dag processing logs","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log."},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The category of the log that belongs to Airflow application.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The correlation id of the event.","isPreferredFacet":true},{"name":"DataFactoryName","type":"string","description":"The name of the Data factory.","isPreferredFacet":true},{"name":"IntegrationRuntimeName","type":"string","description":"The name of the Integration runtime.","isPreferredFacet":true},{"name":"Message","type":"string","description":"The application log of the Airflow event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"solutions":["LogManagement"]}},{"id":"Alert","name":"Alert","tableType":"Microsoft","description":"The Alert table contains legacy information that is only logged in older versions of log search alerts. The official method to query all alerts, regardless of version or alert type, is by using Azure Resource Graph (ARG) to query Alerts metadata.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"AlertName","type":"string","description":"Name of the alert.","isPreferredFacet":true},{"name":"AlertDescription","type":"string","description":"Detailed description of the alert."},{"name":"AlertState","type":"string","description":"Latest resolution state of the alert.","isPreferredFacet":true},{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"PriorityNumber","type":"int","isPreferredFacet":true},{"name":"HostName","type":"string","isPreferredFacet":true},{"name":"StateType","type":"string","isPreferredFacet":true},{"name":"AlertSeverity","type":"string","description":"Severity level of the alert.","isPreferredFacet":true},{"name":"SourceDisplayName","type":"string","description":"Display name of the monitoring object that generated the 
alert.","isPreferredFacet":true},{"name":"QueryExecutionStartTime","type":"datetime"},{"name":"QueryExecutionEndTime","type":"datetime"},{"name":"Query","type":"string"},{"name":"RemediationJobId","type":"string"},{"name":"RemediationRunbookName","type":"string"},{"name":"AlertRuleId","type":"string"},{"name":"AlertRuleInstanceId","type":"string"},{"name":"ThresholdOperator","type":"string"},{"name":"ThresholdValue","type":"int"},{"name":"LinkToSearchResults","type":"string"},{"name":"ServiceDeskConnectionName","type":"string"},{"name":"ServiceDeskId","type":"string"},{"name":"ServiceDeskWorkItemLink","type":"string"},{"name":"ServiceDeskWorkItemType","type":"string"},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"ResourceType","type":"string","isPreferredFacet":true},{"name":"ResourceValue","type":"string","isPreferredFacet":true},{"name":"RootObjectName","type":"string","isPreferredFacet":true},{"name":"ObjectDisplayName","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"AlertPriority","type":"string","description":"Priority level of the alert.","isPreferredFacet":true},{"name":"TimeLastModified","type":"datetime","description":"Date and time that the alert was last 
changed.","isPreferredFacet":true},{"name":"AlertTypeDescription","type":"string","isPreferredFacet":true},{"name":"AlertTypeNumber","type":"int","isPreferredFacet":true},{"name":"AlertError","type":"string"},{"name":"StatusDescription","type":"string","isPreferredFacet":true},{"name":"AlertStatus","type":"int","isPreferredFacet":true},{"name":"TriggerId","type":"string"},{"name":"Url","type":"string"},{"name":"ValueDescription","type":"string","isPreferredFacet":true},{"name":"AlertValue","type":"int","isPreferredFacet":true},{"name":"Comments","type":"string"},{"name":"TemplateId","type":"string"},{"name":"FlagsDescription","type":"string"},{"name":"Flags","type":"int","isPreferredFacet":true},{"name":"ValueFlagsDescription","type":"string","isPreferredFacet":true},{"name":"ValueFlags","type":"int","isPreferredFacet":true},{"name":"Expression","type":"string"},{"name":"SourceFullName","type":"string","description":"Full name of the monitoring object that generated the alert.","isPreferredFacet":true},{"name":"AlertId","type":"string","description":"GUID of the alert.","isPreferredFacet":true},{"name":"RepeatCount","type":"int","description":"Number of times the same alert was generated for the same monitored object since being resolved."},{"name":"ResolvedBy","type":"string","description":"Name of the user who resolved the alert. Empty if the alert has not yet been resolved.","isPreferredFacet":true},{"name":"LastModifiedBy","type":"string","description":"Name of the user who last modified the alert.","isPreferredFacet":true},{"name":"TimeRaised","type":"datetime","description":"Date and time that the alert was generated.","isPreferredFacet":true},{"name":"TimeResolved","type":"datetime","description":"Date and time that the alert was resolved. 
Empty if the alert has not yet been resolved.","isPreferredFacet":true},{"name":"AlertContext","type":"string","description":"Details of the data item that caused the alert to be generated in XML format."},{"name":"TicketId","type":"string","description":"Ticket ID for the alert if the System Center Operations Manager environment is integrated with a process for assigning tickets for alerts. Empty if no ticket ID is assigned.","isPreferredFacet":true},{"name":"Custom1","type":"string"},{"name":"Custom2","type":"string"},{"name":"Custom3","type":"string"},{"name":"Custom4","type":"string"},{"name":"Custom5","type":"string"},{"name":"Custom6","type":"string"},{"name":"Custom7","type":"string"},{"name":"Custom8","type":"string"},{"name":"Custom9","type":"string"},{"name":"Custom10","type":"string"},{"name":"ManagementGroupName","type":"string","description":"Name of the management group for System Center Operations Manager agents. ","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"AlertEvidence","name":"AlertEvidence","tableType":"Microsoft","description":"Includes files, IP addresses, URLs, users, or devices associated with alerts.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated."},{"name":"AlertId","type":"string","description":"Unique identifier for the alert."},{"name":"Title","type":"string","description":"Title of the 
alert."},{"name":"Categories","type":"string","description":"List of categories that the information belongs to, in JSON array format."},{"name":"AttackTechniques","type":"string","description":"MITRE ATT&CK techniques associated with the activity that triggered the alert."},{"name":"ServiceSource","type":"string","description":"Product or service that provided the alert information."},{"name":"DetectionSource","type":"string","description":"Detection technology or sensor that identified the notable component or activity."},{"name":"EntityType","type":"string","description":"Type of object, such as a file, a process, a device, or a user."},{"name":"EvidenceRole","type":"string","description":"How the entity is involved in an alert, indicating whether it is impacted or is merely related."},{"name":"EvidenceDirection","type":"string","description":"Indicates whether the entity is the source or the destination of a network connection."},{"name":"FileName","type":"string","description":"Name of the file that the recorded action was applied to."},{"name":"FolderPath","type":"string","description":"Folder containing the file that the recorded action was applied to."},{"name":"SHA1","type":"string","description":"SHA-1 of the file that the recorded action was applied to."},{"name":"SHA256","type":"string","description":"SHA-256 of the file that the recorded action was applied to. 
This field is usually not populated—use the SHA1 column when available."},{"name":"FileSize","type":"long","description":"Size of the file in bytes."},{"name":"ThreatFamily","type":"string","description":"Malware family that the suspicious or malicious file or process has been classified under."},{"name":"RemoteIP","type":"string","description":"IP address that was being connected to."},{"name":"RemoteUrl","type":"string","description":"URL or fully qualified domain name (FQDN) that was being connected to."},{"name":"AccountName","type":"string","description":"User name of the account."},{"name":"AccountDomain","type":"string","description":"Domain of the account."},{"name":"AccountSid","type":"string","description":"Security Identifier (SID) of the account."},{"name":"AccountObjectId","type":"string","description":"Unique identifier for the account in Azure Active Directory."},{"name":"AccountUpn","type":"string","description":"User principal name (UPN) of the account."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the machine."},{"name":"LocalIP","type":"string","description":"IP address assigned to the local device used during communication."},{"name":"NetworkMessageId","type":"string","description":"Unique identifier for the email, generated by Office 365."},{"name":"EmailSubject","type":"string","description":"Subject of the email."},{"name":"ApplicationId","type":"int","description":"Unique identifier for the application."},{"name":"Application","type":"string","description":"Application that performed the recorded action."},{"name":"OAuthApplicationId","type":"string","description":"Unique identifier of the third-party OAuth application."},{"name":"ProcessCommandLine","type":"string","description":"Command line used to create the new process."},{"name":"AdditionalFields","type":"dynamic","description":"Additional 
information about the event in JSON array format."},{"name":"RegistryKey","type":"string","description":"Registry key that the recorded action was applied to."},{"name":"RegistryValueName","type":"string","description":"Name of the registry value that the recorded action was applied to."},{"name":"RegistryValueData","type":"string","description":"Data of the registry value that the recorded action was applied to."},{"name":"CloudPlatform","type":"string","description":"The cloud platform that the resource belongs to, can be Azure, Amazon Web Services, or Google Cloud Platform."},{"name":"CloudResource","type":"string","description":"Cloud resource name."},{"name":"Severity","type":"string","description":"Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["be15042c-877f-4842-8e66-5bdb4355bcde"]}},{"id":"AlertHistory","name":"AlertHistory","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"AlertPriority","type":"string","isPreferredFacet":true},{"name":"AlertSeverity","type":"string","isPreferredFacet":true},{"name":"SourceDisplayName","type":"string","isPreferredFacet":true},{"name":"SourceFullName","type":"string","isPreferredFacet":true},{"name":"AlertId","type":"string","isPreferredFacet":true},{"name":"AlertName","type":"string","isPreferredFacet":true},{"name":"AlertDescription","type":"string"},{"name":"RepeatCount","type":"int","isPreferredFacet":true},{"name":"AlertState","type":"string","isPreferredFacet":true},{"name":"ResolvedBy","type":"string","isPreferredFacet":true},{"name":"LastModifiedBy","type":"string
","isPreferredFacet":true},{"name":"TimeRaised","type":"datetime","isPreferredFacet":true},{"name":"TimeResolved","type":"datetime","isPreferredFacet":true},{"name":"TimeLastModified","type":"datetime","isPreferredFacet":true},{"name":"AlertContext","type":"string"},{"name":"TicketId","type":"string","isPreferredFacet":true},{"name":"Custom1","type":"string"},{"name":"Custom2","type":"string"},{"name":"Custom3","type":"string"},{"name":"Custom4","type":"string"},{"name":"Custom5","type":"string"},{"name":"Custom6","type":"string"},{"name":"Custom7","type":"string"},{"name":"Custom8","type":"string"},{"name":"Custom9","type":"string"},{"name":"Custom10","type":"string"},{"name":"ManagementGroupName","type":"string","isPreferredFacet":true},{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["monitor"],"solutions":["AlertManagement"]}},{"id":"AlertInfo","name":"AlertInfo","tableType":"Microsoft","description":"Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity, including severity information and threat categorization.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated."},{"name":"AlertId","type":"string","description":"Unique identifier for the alert."},{"name":"Title","type":"string","description":"Title of the 
alert."},{"name":"Category","type":"string","description":"Type of threat indicator or breach activity identified by the alert."},{"name":"Severity","type":"string","description":"Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert."},{"name":"ServiceSource","type":"string","description":"Product or service that provided the alert information."},{"name":"DetectionSource","type":"string","description":"Detection technology or sensor that identified the notable component or activity."},{"name":"AttackTechniques","type":"string","description":"MITRE ATT&CK techniques associated with the activity that triggered the alert."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["ad9ab554-0b90-4eca-b39a-7871b96d23f4"]}},{"id":"AmlComputeClusterEvent","name":"AmlComputeClusterEvent","tableType":"Microsoft","description":"AmlCompute Cluster events","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"ResultSignature","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when the log entry was generated"},{"name":"OperationName","type":"string","description":"Name of the operation associated with the log event"},{"name":"ProvisioningState","type":"string","description":"Provisioning state of the cluster"},{"name":"ClusterName","type":"string","description":"Name of the cluster"},{"name":"ClusterType","type":"string","description":"Type of the cluster"},{"name":"CreatedBy","type":"string","description":"User who created the cluster"},{"name":"CoreCount","type":"int","description":"Count of the cores in the cluster"},{"name":"VmSize","type":"string","description":"Vm size of 
the cluster"},{"name":"VmPriority","type":"string","description":"Priority of the nodes created inside a cluster Dedicated/LowPriority"},{"name":"ScalingType","type":"string","description":"Type of cluster scaling manual/auto"},{"name":"InitialNodeCount","type":"int","description":"Initial node count of the cluster"},{"name":"MinimumNodeCount","type":"int","description":"Minimum node count of the cluster"},{"name":"MaximumNodeCount","type":"int","description":"Maximum node count of the cluster"},{"name":"NodeDeallocationOption","type":"string","description":"How the node should be deallocated"},{"name":"Publisher","type":"string","description":"Publisher of the cluster type"},{"name":"Offer","type":"string","description":"Offer with which the cluster is created"},{"name":"Sku","type":"string","description":"Sku of the Node/VM created inside cluster"},{"name":"Version","type":"string","description":"Version of the image used while Node/VM is created"},{"name":"SubnetId","type":"string","description":"SubnetId of the cluster"},{"name":"AllocationState","type":"string","description":"Cluster allocation state"},{"name":"CurrentNodeCount","type":"int","description":"Current node count of the cluster"},{"name":"TargetNodeCount","type":"int","description":"Target node count of the cluster while scaling up/down"},{"name":"EventType","type":"string","description":"Type of event during cluster creation."},{"name":"NodeIdleTimeSecondsBeforeScaleDown","type":"int","description":"Idle time in seconds before cluster is scaled down"},{"name":"PreemptedNodeCount","type":"string","description":"Preempted node count of the cluster"},{"name":"IsResizeGrow","type":"string","description":"Flag indicating that cluster is scaling up"},{"name":"VmFamilyName","type":"string","description":"Name of the VM family of the nodes that can be created inside cluster"},{"name":"LeavingNodeCount","type":"int","description":"Leaving node count of the 
cluster"},{"name":"UnusableNodeCount","type":"int","description":"Unusable node count of the cluster"},{"name":"IdleNodeCount","type":"int","description":"Idle node count of the cluster"},{"name":"RunningNodeCount","type":"int","description":"Running node count of the cluster"},{"name":"PreparingNodeCount","type":"int","description":"Preparing node count of the cluster"},{"name":"QuotaAllocated","type":"string","description":"Allocated quota to the cluster"},{"name":"QuotaUtilized","type":"string","description":"Utilized quota of the cluster"},{"name":"AllocationStateTransitionTime","type":"datetime","description":"Transition time from one state to another"},{"name":"ClusterErrorCodes","type":"string","description":"Error code received during cluster creation or scaling"},{"name":"CreationApiVersion","type":"string","description":"Api version used while creating the cluster"},{"name":"InternalOperationName","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"AmlComputeClusterNodeEvent","name":"AmlComputeClusterNodeEvent","tableType":"Microsoft","description":"AmlCompute Cluster Node events","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"ResultSignature","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when the log entry was generated"},{"name":"OperationName","type":"string","description":"Name of the operation associated with 
the log event"},{"name":"ClusterName","type":"string","description":"Name of the cluster"},{"name":"NodeId","type":"string","description":"ID of the cluster node created"},{"name":"VmSize","type":"string","description":"Vm size of the node"},{"name":"VmFamilyName","type":"string","description":"Vm family to which the node belongs"},{"name":"VmPriority","type":"string","description":"Priority of the node created Dedicated/LowPriority"},{"name":"Publisher","type":"string","description":"Publisher of the vm image. For example, microsoft-dsvm"},{"name":"Offer","type":"string","description":"Offer associated with the VM creation"},{"name":"Sku","type":"string","description":"Sku of the Node/VM created"},{"name":"Version","type":"string","description":"Version of the image used while Node/VM is created"},{"name":"ClusterCreationTime","type":"string","description":"Time when cluster was created"},{"name":"ResizeStartTime","type":"datetime","description":"Time when cluster scale up/down started"},{"name":"ResizeEndTime","type":"datetime","description":"Time when cluster scale up/down ended"},{"name":"NodeAllocationTime","type":"datetime","description":"Time when Node was allocated"},{"name":"NodeBootTime","type":"datetime","description":"Time when Node was booted up"},{"name":"StartTaskStartTime","type":"datetime","description":"Time when task was assigned to a node and started"},{"name":"StartTaskEndTime","type":"datetime","description":"Time when task assigned to a node ended"},{"name":"TotalE2ETimeInSeconds","type":"string","description":"Total time node was active"},{"name":"InternalOperationName","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"AmlComputeCpuGpuUtilization","name":"AmlComputeCpuGpuUtilization","tableType":"Microsoft","description":"Azure Machine Learning services CPU and GPU utilization logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"OperationVersion","type":"string","description":"The api-version associated with the operation, if the operationName was performed using an API."},{"name":"ResultType","type":"string","description":"The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved."},{"name":"ResultSignature","type":"string","description":"The sub status of the event. If this operation corresponds to a REST API call, this is the HTTP status code of the corresponding REST call."},{"name":"ResultDescription","type":"string","description":"The static text description of this operation."},{"name":"DurationMs","type":"string","description":"The duration of the operation in milliseconds."},{"name":"CallerIpAddress","type":"string","description":"The caller IP address."},{"name":"CorrelationId","type":"string","description":"A GUID used to group together a set of related events."},{"name":"Identity","type":"string","description":"Identity of the user or application that performed the operation."},{"name":"Level","type":"string","description":"The severity level of the event. 
Must be one of Informational, Warning, Error, or Critical."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation associated with the log entry.","isPreferredFacet":true},{"name":"WorkspaceName","type":"string","description":"User-friendly workspace identifier.","isPreferredFacet":true},{"name":"WorkspaceId","type":"string","description":"Unique workspace identifier.","isPreferredFacet":true},{"name":"RunId","type":"string","description":"Unique run identifier.","isPreferredFacet":true},{"name":"DeviceType","type":"string","description":"Type of compute, either CPU or GPU."},{"name":"DeviceId","type":"string","description":"DeviceId of GPU."},{"name":"NodeId","type":"string","description":"NodeId on the cluster."},{"name":"Utilization","type":"string","description":"Compute utilization of node."},{"name":"MetricName","type":"string","description":"Metric name. This would be a CPU/GPU utilization metric, e.g. GpuMemoryUtilization, GpuUtilization, CpuUtilization, etc."},{"name":"ClusterName","type":"string","description":"Compute cluster name for AmlCompute clusters. 
In case of singularity this would be VirtualCluster(VC) name."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"AmlComputeInstanceEvent","name":"AmlComputeInstanceEvent","tableType":"Microsoft","description":"Events when ML Compute Instance is accessed (read/write).","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"ResultType","type":"string","description":"The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved."},{"name":"CorrelationId","type":"string","description":"A GUID used to group together a set of related events, when applicable."},{"name":"Identity","type":"dynamic","description":"The identity of the user or application that performed the operation."},{"name":"Level","type":"string","description":"The severity level of the event. 
Must be one of Informational, Warning, Error, or Critical."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation associated with the log entry.","isPreferredFacet":true},{"name":"AmlComputeInstanceName","type":"string","description":"The name of the compute instance.","isPreferredFacet":true},{"name":"AadTenantId","type":"string","description":"The AAD tenant ID the operation was submitted for."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"solutions":["LogManagement"],"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"AmlComputeJobEvent","name":"AmlComputeJobEvent","tableType":"Microsoft","description":"AmlCompute Job events","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"ResultSignature","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when the log entry was generated"},{"name":"OperationName","type":"string","description":"Name of the operation associated with the log event"},{"name":"JobId","type":"string","description":"ID of the Job submitted"},{"name":"ExperimentId","type":"string","description":"ID of the Experiment"},{"name":"ExperimentName","type":"string","description":"Name of the Experiment"},{"name":"CustomerSubscriptionId","type":"string","description":"SubscriptionId where Experiment and Job were 
submitted"},{"name":"WorkspaceName","type":"string","description":"Name of the machine learning workspace"},{"name":"ClusterName","type":"string","description":"Name of the Cluster"},{"name":"ProvisioningState","type":"string","description":"State of the Job submission"},{"name":"ResourceGroupName","type":"string","description":"Name of the resource group"},{"name":"JobName","type":"string","description":"Name of the Job"},{"name":"ClusterId","type":"string","description":"ID of the cluster"},{"name":"EventType","type":"string","description":"Type of the Job event. For example, JobSubmitted, JobRunning, JobFailed, JobSucceeded."},{"name":"ExecutionState","type":"string","description":"State of the job (the Run). For example, Queued, Running, Succeeded, Failed"},{"name":"ErrorDetails","type":"string","description":"Details of job error"},{"name":"CreationApiVersion","type":"string","description":"Api version used to create the job"},{"name":"ClusterResourceGroupName","type":"string","description":"Resource group name of the cluster"},{"name":"TFWorkerCount","type":"string","description":"Count of TF workers"},{"name":"TFParameterServerCount","type":"string","description":"Count of TF parameter server"},{"name":"ToolType","type":"string","description":"Type of tool used"},{"name":"RunInContainer","type":"string","description":"Flag describing if job should be run inside a container"},{"name":"JobErrorMessage","type":"string","description":"detailed message of Job error"},{"name":"NodeId","type":"string","description":"ID of the node created where job is running"},{"name":"InternalOperationName","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the 
subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"AmlDataLabelEvent","name":"AmlDataLabelEvent","tableType":"Microsoft","description":"Events when data label(s) or its projects is accessed (read, created, or deleted).","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"ResultType","type":"string","description":"The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved."},{"name":"CorrelationId","type":"string","description":"A GUID used to group together a set of related events."},{"name":"Identity","type":"dynamic","description":"The identity of the user or application that performed the operation."},{"name":"Level","type":"string","description":"The severity level of the event. Must be one of Informational, Warning, Error, or Critical."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation associated with the log entry.","isPreferredFacet":true},{"name":"AmlProjectId","type":"string","description":"The unique identifier of the project.","isPreferredFacet":true},{"name":"AmlProjectName","type":"string","description":"The name of the AML project.","isPreferredFacet":true},{"name":"AadTenantId","type":"string","description":"The AAD tenant ID the operation was submitted for."},{"name":"AmlLabelNames","type":"string","description":"The label class names which are created for the project.","isPreferredFacet":true},{"name":"AmlDataStoreName","type":"string","description":"The name of the data store where the project's data is stored.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"solutions":["LogManagement"],"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"AmlDataSetEvent","name":"AmlDataSetEvent","tableType":"Microsoft","description":"Events when a registered or unregistered ML dataset is accessed (read, created, or deleted).","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"ResultType","type":"string","description":"The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved."},{"name":"Identity","type":"dynamic","description":"The identity of the user or application that performed the operation."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation associated with the log entry.","isPreferredFacet":true},{"name":"AmlWorkspaceId","type":"string","description":"The unique ID of the workspace.","isPreferredFacet":true},{"name":"AadTenantId","type":"string","description":"The AAD tenant ID the operation was submitted for."},{"name":"AmlDatasetId","type":"string","description":"The ID of the AML Data Set."},{"name":"AmlDatasetName","type":"string","description":"The name of the AML Data Set."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the 
record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"solutions":["LogManagement"],"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"AmlDataStoreEvent","name":"AmlDataStoreEvent","tableType":"Microsoft","description":"Events when ML datastore is accessed (read, created, or deleted).","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"ResultType","type":"string","description":"The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved."},{"name":"Identity","type":"dynamic","description":"The identity of the user or application that performed the operation."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation associated with the log entry.","isPreferredFacet":true},{"name":"AmlWorkspaceId","type":"string","description":"The unique ID of the workspace.","isPreferredFacet":true},{"name":"AadTenantId","type":"string","description":"The AAD tenant ID the operation was submitted for."},{"name":"AmlDatastoreName","type":"string","description":"The name of the AML Data Store."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","audit"],"solutions":["LogManagement"],"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"AmlDeploymentEvent","name":"AmlDeploymentEvent","tableType":"Microsoft","description":"Events when a model deployment happens on ACI or AKS.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"ResultType","type":"string","description":"The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved."},{"name":"CorrelationId","type":"string","description":"A GUID used to group together a set of related events."},{"name":"Identity","type":"dynamic","description":"The identity of the user or application that performed the operation."},{"name":"Level","type":"string","description":"The severity level of the event. Must be one of Informational, Warning, Error, or Critical."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation associated with the log entry.","isPreferredFacet":true},{"name":"AadTenantId","type":"string","description":"The AAD tenant ID the operation was submitted for."},{"name":"AmlServiceName","type":"string","description":"The name of the AML service."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","audit"],"solutions":["LogManagement"],"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"AmlEnvironmentEvent","name":"AmlEnvironmentEvent","tableType":"Microsoft","description":"Events when ML environments are accessed (read, created, or deleted).","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"Identity","type":"dynamic","description":"The identity of the user or application that performed the operation."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation associated with the log entry.","isPreferredFacet":true},{"name":"AmlEnvironmentName","type":"string","description":"The name of environment.","isPreferredFacet":true},{"name":"AmlEnvironmentVersion","type":"string","description":"The version of the environment.","isPreferredFacet":true},{"name":"AadTenantId","type":"string","description":"The AAD tenant ID the operation was submitted for."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"solutions":["LogManagement"],"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"AmlInferencingEvent","name":"AmlInferencingEvent","tableType":"Microsoft","description":"Events for inference or related operation on AKS or ACI compute 
type.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"ResultType","type":"string","description":"The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved."},{"name":"CorrelationId","type":"string","description":"A GUID used to group together a set of related events."},{"name":"Identity","type":"dynamic","description":"The identity of the user or application that performed the operation."},{"name":"Level","type":"string","description":"The severity level of the event. Must be one of Informational, Warning, Error, or Critical."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation associated with the log entry.","isPreferredFacet":true},{"name":"AadTenantId","type":"string","description":"The AAD tenant ID the operation was submitted for."},{"name":"AmlServiceName","type":"string","description":"The name of the AML service."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"solutions":["LogManagement"],"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"AmlModelsEvent","name":"AmlModelsEvent","tableType":"Microsoft","description":"Events when ML model is accessed (read, created, or deleted). 
Includes events when models and assets are packaged into ready-to-build packages.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"ResultType","type":"string","description":"The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved."},{"name":"ResultSignature","type":"string","description":"The HTTP status code of the event. Typical values include 200, 201, 202 etc."},{"name":"CorrelationId","type":"string","description":"A GUID used to group together a set of related events."},{"name":"Identity","type":"dynamic","description":"The identity of the user or application that performed the operation."},{"name":"Level","type":"string","description":"The severity level of the event. Must be one of Informational, Warning, Error, or Critical."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation associated with the log entry.","isPreferredFacet":true},{"name":"AadTenantId","type":"string","description":"The AAD tenant ID the operation was submitted for."},{"name":"AmlModelName","type":"string","description":"The name of the AML Model."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","audit"],"solutions":["LogManagement"],"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"AmlOnlineEndpointConsoleLog","name":"AmlOnlineEndpointConsoleLog","tableType":"Microsoft","description":"Azure ML online endpoints console logs. It provides console logs output from user containers.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"InstanceId","type":"string","description":"The ID of the instance that generated this log record."},{"name":"DeploymentName","type":"string","description":"The name of the deployment associated with the log record."},{"name":"ContainerName","type":"string","description":"The name of the container where the log was generated."},{"name":"ContainerImageName","type":"string","description":"The name of the docker image running in the container where the log was generated."},{"name":"Message","type":"string","description":"The content of the log."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.machinelearningservices/workspaces"],"solutions":["LogManagement"],"queries":["a5c31bf6-314c-4c77-9144-eacc566de521"]}},{"id":"AmlOnlineEndpointEventLog","name":"AmlOnlineEndpointEventLog","tableType":"Microsoft","description":"Azure ML online 
endpoints event logs. It provides event logs regarding the inference-server container's life cycle.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when this log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with this log record."},{"name":"InstanceId","type":"string","description":"The ID of the instance that generated this log record."},{"name":"DeploymentName","type":"string","description":"The name of the deployment associated with this log record."},{"name":"Name","type":"string","description":"The name of the inference-server container life cycle event."},{"name":"Message","type":"string","description":"The content of the inference-server container life cycle event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.machinelearningservices/workspaces"],"solutions":["LogManagement"],"queries":["ddc56a57-a0a1-442d-b738-a600bca740f8"]}},{"id":"AmlOnlineEndpointTrafficLog","name":"AmlOnlineEndpointTrafficLog","tableType":"Microsoft","description":"Traffic logs for AzureML (machine learning) online endpoints. The table could be used to check the detailed information of the request to an online endpoint. 
For example, you could use it to check the request duration, the request failure reason, etc.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the request was received by Azure Machine Learning."},{"name":"Location","type":"string","description":"The region of the online endpoint."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"Method","type":"string","description":"The requested method from client."},{"name":"Path","type":"string","description":"The requested path from client."},{"name":"AzureMLWorkspaceId","type":"string","description":"The machine learning workspace ID of the online endpoint."},{"name":"AzureMLWorkspaceName","type":"string","description":"The machine learning workspace name of the online endpoint."},{"name":"EndpointName","type":"string","description":"The name of the online endpoint."},{"name":"DeploymentName","type":"string","description":"The name of the online deployment."},{"name":"Protocol","type":"string","description":"The protocol of the request."},{"name":"ResponseCode","type":"int","description":"The final response code returned to the user."},{"name":"ResponseCodeReason","type":"string","description":"The final response code reason returned to the user."},{"name":"ModelStatusCode","type":"int","description":"The response status code from model."},{"name":"ModelStatusReason","type":"string","description":"The response status reason from model."},{"name":"RequestPayloadSize","type":"int","description":"The total bytes received from the user client."},{"name":"ResponsePayloadSize","type":"int","description":"The total bytes sent back to the user client."},{"name":"UserAgent","type":"string","description":"The user-agent header of the request."},{"name":"XRequestId","type":"string","description":"The request ID generated by Azure Machine 
Learning for internal tracing."},{"name":"XMSClientRequestId","type":"string","description":"The tracking ID generated by user client."},{"name":"TotalDurationMs","type":"int","description":"Duration in milliseconds from the request start time to the last response byte sent back to the user client. If the user client disconnected, it measures from the start time to client disconnect time."},{"name":"RequestDurationMs","type":"int","description":"Duration in milliseconds from the request start time to the last byte of the request received from the user client."},{"name":"ResponseDurationMs","type":"int","description":"Duration in milliseconds from the request start time to the first response byte read from the model."},{"name":"RequestThrottlingDelayMs","type":"int","description":"Delay in milliseconds in request data transfer due to network throttling."},{"name":"ResponseThrottlingDelayMs","type":"int","description":"Delay in milliseconds in response data transfer due to network throttling."},{"name":"AuthType","type":"string","description":"The authentication type of the request (Key, AMLToken, AADToken)."},{"name":"IdentityData","type":"string","description":"The identity data from the user client (JWT OID)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.machinelearningservices/workspaces"],"solutions":["LogManagement"],"queries":["a3e072ef-5aa5-484a-9641-11485b55cb42"]}},{"id":"AmlPipelineEvent","name":"AmlPipelineEvent","tableType":"Microsoft","description":"Events when ML pipeline draft or 
endpoint or module are accessed (read, created, or deleted).","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"ResultType","type":"string","description":"The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved."},{"name":"CorrelationId","type":"string","description":"A GUID used to group together a set of related events."},{"name":"Identity","type":"dynamic","description":"The identity of the user or application that performed the operation."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation associated with the log entry.","isPreferredFacet":true},{"name":"AmlModuleId","type":"string","description":"The unique ID of the module.","isPreferredFacet":true},{"name":"AadTenantId","type":"string","description":"The AAD tenant ID the operation was submitted for."},{"name":"AmlModuleName","type":"string","description":"The name of the AML Module."},{"name":"AmlWorkspaceId","type":"string","description":"The unique ID of the AML workspace.","isPreferredFacet":true},{"name":"AmlWorkspaceName","type":"string","description":"The name of the AML workspace."},{"name":"AmlPipelineId","type":"string","description":"The ID of the AML pipeline."},{"name":"AmlParentPipelineId","type":"string","description":"The ID of the parent AML pipeline (in the case of cloning)."},{"name":"AmlPipelineDraftId","type":"string","description":"The ID of the AML pipeline draft."},{"name":"AmlPipelineDraftName","type":"string","description":"The name of the AML pipeline draft."},{"name":"AmlPipelineEndpointId","type":"string","description":"The ID of the AML pipeline endpoint."},{"name":"AmlPipelineEndpointName","type":"string","description":"The name of the AML pipeline 
endpoint."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"solutions":["LogManagement"],"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"AmlRegistryReadEventsLog","name":"AmlRegistryReadEventsLog","tableType":"Microsoft","description":"Azure ML registry read events log. Records data-plane read operations against registry data, including the user identity, asset name, and asset version for each access event.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"CorrelationId","type":"string","description":"The correlation ID associated with log record."},{"name":"RegistryResourceId","type":"string","description":"ARM ResourceId of the registry that generated this log record."},{"name":"UserName","type":"string","description":"Name of the user who initiated the event."},{"name":"UserObjectId","type":"string","description":"AAD object ID of the user who initiated the event."},{"name":"RegistryTenantId","type":"string","description":"TenantId associated with log record."},{"name":"AssetName","type":"string","description":"AzureML Asset name associated with log record."},{"name":"AssetVersion","type":"string","description":"AzureML Asset version associated with log record."},{"name":"Labels","type":"string","description":"Labels associated with log 
record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.machinelearningservices/registries"],"solutions":["LogManagement"]}},{"id":"AmlRegistryWriteEventsLog","name":"AmlRegistryWriteEventsLog","tableType":"Microsoft","description":"Azure ML registry write events log. Records data-plane write operations against registry data, including the user identity, asset name, and asset version for each access event.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"CorrelationId","type":"string","description":"The correlation ID associated with log record."},{"name":"RegistryResourceId","type":"string","description":"ARM ResourceId of the registry that generated this log record."},{"name":"UserName","type":"string","description":"Name of the user who initiated the event."},{"name":"UserObjectId","type":"string","description":"AAD object ID of the user who initiated the event."},{"name":"RegistryTenantId","type":"string","description":"TenantId associated with log record."},{"name":"AssetName","type":"string","description":"AzureML Asset name associated with log record."},{"name":"AssetVersion","type":"string","description":"AzureML Asset version associated with log record."},{"name":"Labels","type":"string","description":"Labels associated with log 
record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.machinelearningservices/registries"],"solutions":["LogManagement"],"queries":["efb1f6c6-6498-4eba-9f42-71ca1b4ae3ee"]}},{"id":"AmlRunEvent","name":"AmlRunEvent","tableType":"Microsoft","description":"Events when ML experiments are accessed (read, created, or deleted).","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"Identity","type":"dynamic","description":"The identity of the user or application that performed the operation."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation associated with the log entry.","isPreferredFacet":true},{"name":"AmlWorkspaceId","type":"string","description":"The unique ID of the workspace.","isPreferredFacet":true},{"name":"RunId","type":"string","description":"The unique ID of the run.","isPreferredFacet":true},{"name":"AadTenantId","type":"string","description":"The AAD tenant ID the operation was submitted for."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the 
subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"solutions":["LogManagement"],"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"AmlRunStatusChangedEvent","name":"AmlRunStatusChangedEvent","tableType":"Microsoft","description":"Azure Machine Learning services run status event logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"OperationVersion","type":"string","description":"The api-version associated with the operation, if the operationName was performed using an API."},{"name":"ResultType","type":"string","description":"The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved."},{"name":"ResultSignature","type":"string","description":"The sub status of the event. If this operation corresponds to a REST API call, this is the HTTP status code of the corresponding REST call."},{"name":"ResultDescription","type":"string","description":"The static text description of this operation."},{"name":"DurationMs","type":"string","description":"The duration of the operation in milliseconds."},{"name":"CallerIpAddress","type":"string","description":"The caller IP address."},{"name":"CorrelationId","type":"string","description":"A GUID used to group together a set of related events."},{"name":"Identity","type":"string","description":"Identity of the user or application that performed the operation"},{"name":"Level","type":"string","description":"The severity level of the event. 
Must be one of Informational, Warning, Error, or Critical."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation associated with the log entry.","isPreferredFacet":true},{"name":"WorkspaceName","type":"string","description":"User-friendly workspace identifier.","isPreferredFacet":true},{"name":"WorkspaceId","type":"string","description":"Unique workspace identifier.","isPreferredFacet":true},{"name":"RunId","type":"string","description":"Unique run identifier.","isPreferredFacet":true},{"name":"RootRunId","type":"string","description":"The unique identifier for the root run.","isPreferredFacet":true},{"name":"ParentRunId","type":"string","description":"The unique identifier for the parent run.","isPreferredFacet":true},{"name":"Status","type":"string","description":"Updated run status."},{"name":"Message","type":"string","description":"Message associated with run status change."},{"name":"TriggeringUserName","type":"string","description":"Friendly name of run status change initiator."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.machinelearningservices/workspaces"]}},{"id":"Anomalies","name":"Anomalies","tableType":"Microsoft","description":"This table contains anomalies generated by the active Anomaly analytics rules in Azure 
Sentinel.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"Id","type":"string","description":"The ID of the generated anomaly."},{"name":"WorkspaceId","type":"string","description":"The ID of the Sentinel workspace."},{"name":"VendorName","type":"string","description":"The name of the vendor that generated this anomaly."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the anomaly was generated."},{"name":"AnomalyTemplateId","type":"string","description":"The ID of the Anomaly template that generated this anomaly."},{"name":"AnomalyTemplateName","type":"string","description":"The name of the Anomaly template that generated this anomaly."},{"name":"AnomalyTemplateVersion","type":"string","description":"The version of the Anomaly template that generated this anomaly."},{"name":"RuleId","type":"string","description":"The ID of the Anomaly analytics rule that generated this anomaly."},{"name":"RuleStatus","type":"string","description":"The status (Flighting/Production) of the Anomaly analytics rule that generated this anomaly."},{"name":"RuleName","type":"string","description":"The name of the Anomaly analytics rule that generated this anomaly."},{"name":"RuleConfigVersion","type":"string","description":"The configuration version of the Anomaly analytics rule that generated this anomaly."},{"name":"Score","type":"real","description":"The score of the anomaly."},{"name":"Description","type":"string","description":"The description of the anomaly."},{"name":"StartTime","type":"datetime","description":"The time (UTC) when the anomaly started."},{"name":"EndTime","type":"datetime","description":"The time (UTC) when the anomaly ended."},{"name":"ExtendedLinks","type":"dynamic","description":"List of links pointing to the data that generated the anomaly."},{"name":"Tactics","type":"string","description":"List of MITRE ATT&CK tactics (strings) 
corresponding to the anomaly."},{"name":"Techniques","type":"string","description":"List of MITRE ATT&CK techniques (strings) corresponding to the anomaly."},{"name":"UserName","type":"string","description":"The username for which the anomaly was generated."},{"name":"UserPrincipalName","type":"string","description":"The UPN of the user for which the anomaly was generated."},{"name":"SourceIpAddress","type":"string","description":"The source ip address for which the anomaly was generated."},{"name":"SourceLocation","type":"dynamic","description":"Info about the source location for which the anomaly was generated as JSON."},{"name":"SourceDevice","type":"string","description":"The source device for which the anomaly was generated."},{"name":"DestinationIpAddress","type":"string","description":"The destination ip address for which the anomaly was generated."},{"name":"DestinationLocation","type":"dynamic","description":"Info about the destination location for which the anomaly was generated as JSON."},{"name":"DestinationDevice","type":"string","description":"The destination device for which the anomaly was generated."},{"name":"ActivityInsights","type":"dynamic","description":"Insights about the activities corresponding to the generated anomaly as JSON."},{"name":"DeviceInsights","type":"dynamic","description":"Insights about the devices corresponding to the generated anomaly as JSON."},{"name":"UserInsights","type":"dynamic","description":"Insights about the users corresponding to the generated anomaly as JSON."},{"name":"AnomalyReasons","type":"dynamic","description":"The detailed explanation of the generated anomaly as JSON."},{"name":"Entities","type":"dynamic","description":"JSON object containing all entities involved in the generated anomaly."},{"name":"ExtendedProperties","type":"dynamic","description":"JSON object with additional data on the anomaly as key-value pairs."},{"name":"AnomalyDetails","type":"dynamic","description":"JSON object containing general 
information about the rule and algorithm that generated the anomaly as well as explanations for the anomaly."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["d343d7e2-9407-485a-96e5-8fb5d0031ee2","650380ee-8027-4dc3-8763-c338222be64a"]}},{"id":"ApiManagementGatewayLlmLog","name":"ApiManagementGatewayLlmLog","tableType":"Microsoft","description":"Gateway Logs related to language models for API Management Language.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when request processing started."},{"name":"OperationName","type":"string","description":"Field denotes the specific name or identifier of the operation being performed."},{"name":"CorrelationId","type":"string","description":"Unique id corresponding with the same field in ApiManagementGatewayLogs."},{"name":"Region","type":"string","description":"The field indicates the geographical location or data center region within the Azure cloud infrastructure where a specific resource or service is deployed."},{"name":"SequenceNumber","type":"int","description":"The index of this entry in the message exchange."},{"name":"PromptTokens","type":"int","description":"The number of prompt tokens used by the request."},{"name":"CompletionTokens","type":"int","description":"The number of completion tokens used by the request."},{"name":"TotalTokens","type":"int","description":"The number of total tokens used by the request."},{"name":"ModelName","type":"string","description":"Model name used by the request."},{"name":"IsStreamCompletion","type":"bool","description":"Boolean value indicating if the request specified stream mode to be 
false."},{"name":"RequestId","type":"string","description":"Language model's request Id."},{"name":"DeploymentName","type":"string","description":"Deployment name used by client."},{"name":"ApiVersion","type":"string","description":"API version used by client."},{"name":"RequestMessages","type":"dynamic","description":"Contents of the request messages."},{"name":"ResponseMessages","type":"dynamic","description":"Contents of the response messages."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":[],"resourceTypes":["microsoft.apimanagement/service"],"solutions":["LogManagement"]}},{"id":"ApiManagementGatewayLogs","name":"ApiManagementGatewayLogs","tableType":"Microsoft","description":"Azure ApiManagement gateway 
logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"OperationName","type":"string"},{"name":"CorrelationId","type":"string"},{"name":"Region","type":"string","isPreferredFacet":true},{"name":"IsRequestSuccess","type":"bool","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"TotalTime","type":"long","isPreferredFacet":true},{"name":"CallerIpAddress","type":"string"},{"name":"Method","type":"string","isPreferredFacet":true},{"name":"Url","type":"string"},{"name":"ClientProtocol","type":"string","isPreferredFacet":true},{"name":"ResponseCode","type":"int","isPreferredFacet":true},{"name":"BackendMethod","type":"string","isPreferredFacet":true},{"name":"BackendUrl","type":"string"},{"name":"BackendResponseCode","type":"int","isPreferredFacet":true},{"name":"BackendProtocol","type":"string","isPreferredFacet":true},{"name":"RequestSize","type":"int"},{"name":"ResponseSize","type":"int"},{"name":"Cache","type":"string","isPreferredFacet":true},{"name":"CacheTime","type":"long"},{"name":"BackendTime","type":"long"},{"name":"ClientTime","type":"long"},{"name":"ApiId","type":"string","isPreferredFacet":true},{"name":"OperationId","type":"string","isPreferredFacet":true},{"name":"ProductId","type":"string","isPreferredFacet":true},{"name":"UserId","type":"string","isPreferredFacet":true},{"name":"ApimSubscriptionId","type":"string","isPreferredFacet":true},{"name":"BackendId","type":"string","isPreferredFacet":true},{"name":"LastErrorElapsed","type":"long"},{"name":"LastErrorSource","type":"string"},{"name":"LastErrorScope","type":"string"},{"name":"LastErrorSection","type":"string"},{"name":"LastErrorReason","type":"string","isPreferredFacet":true},{"name":"LastErrorMessage","type":"string"},{"name":"ApiRevision","type":"string"},{"name":"ClientTlsVersion","type":"string
"},{"name":"RequestHeaders","type":"dynamic"},{"name":"ResponseHeaders","type":"dynamic"},{"name":"BackendRequestHeaders","type":"dynamic"},{"name":"BackendResponseHeaders","type":"dynamic"},{"name":"RequestBody","type":"string","description":"Client request body"},{"name":"ResponseBody","type":"string","description":"Gateway response body"},{"name":"BackendRequestBody","type":"string","description":"Backend request body"},{"name":"BackendResponseBody","type":"string","description":"Backend response body"},{"name":"Errors","type":"dynamic"},{"name":"TraceRecords","type":"dynamic","description":"Records emitted by trace policies"},{"name":"IsTraceRequested","type":"bool","description":"Indication if the caller has requested to create a request trace"},{"name":"IsTraceExpired","type":"bool","description":"Indication if the requested trace has expired and is not granted"},{"name":"IsTraceAllowed","type":"bool","description":"Indication if the requested trace was allowed"},{"name":"IsMasterTrace","type":"bool","description":"Indication if the request trace was created with the master subscription"},{"name":"WorkspaceId","type":"string","description":"ID of a workspace for which the request API operation is a part of"},{"name":"SourceSystem","type":"string"},{"name":"Timestamp","type":"datetime"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"ApiManagementGatewayMCPLog","name":"ApiManagementGatewayMCPLog","tableType":"Microsoft","description":"Gateway Logs related to MCP 
requests.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when request processing started."},{"name":"OperationName","type":"string","description":"Field denotes the specific name or identifier of the operation being performed."},{"name":"CorrelationId","type":"string","description":"Unique id corresponding with the same field in ApiManagementGatewayLogs."},{"name":"Region","type":"string","description":"The field indicates the geographical location or data center region within the Azure cloud infrastructure where a specific resource or service is deployed."},{"name":"ApiType","type":"string","description":"Field denotes the specific API type used for the request, like passthrough or mcp backend."},{"name":"TransportType","type":"string","description":"Field denotes the specific transport type used for the request, like SSE or Streamable HTTP."},{"name":"AuthenticationMethod","type":"string","description":"Field denotes the specific authentication method used for the request (e.g. 
oauth2 | api_key | cert | none)."},{"name":"ClientName","type":"string","description":"Field denotes the specific client name who is making the request."},{"name":"ClientVersion","type":"string","description":"Field denotes the specific client version who is making the request."},{"name":"ServerName","type":"string","description":"Field denotes the mcp server name handling the request."},{"name":"ServerVersion","type":"string","description":"Field denotes the mcp server version handling the request."},{"name":"McpServerEndpoint","type":"string","description":"Field denotes the specific endpoint of the MCP server."},{"name":"ProtocolVersion","type":"string","description":"Field denotes the specific version of the MCP server."},{"name":"ToolCount","type":"int","description":"Field denotes the number of MCP tools discovered by the client."},{"name":"ToolName","type":"string","description":"Field denotes the name of the MCP tool being used."},{"name":"Method","type":"string","description":"Field denotes the specific tools call method used for the request (e.g. 
tools/call, notification)."},{"name":"SessionId","type":"string","description":"Field denotes id from AI conversation / agent chat session."},{"name":"Error","type":"string","description":"Field denotes error message if any error occurred during the request."},{"name":"ErrorType","type":"string","description":"Field denotes error type if any error occurred during the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":[],"resourceTypes":["microsoft.apimanagement/service"],"solutions":["LogManagement"]}},{"id":"ApiManagementWebSocketConnectionLogs","name":"ApiManagementWebSocketConnectionLogs","tableType":"Microsoft","description":"Websocket connection logs provides logs on websocket connection events for API Management Gateway. Logging starts when the request arrives to API Management Gateway for handshake and till the request gets terminated. 
Every request log can be uniquely identified with CorrelationId.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when request processing started.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"Unique id to group related events for a websocket request."},{"name":"Region","type":"string","description":"Country or region where API Management Gateway is located.","isPreferredFacet":true},{"name":"EventName","type":"string","description":"Name of the event describing the operation.","isPreferredFacet":true},{"name":"Source","type":"string","description":"The source of the request/message for the websocket connection."},{"name":"Destination","type":"string","description":"The destination of the request/message for the websocket connection."},{"name":"Error","type":"string","description":"Error details, if any, for the websocket connection."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.apimanagement/service"]}},{"id":"AppAvailabilityResults","name":"AppAvailabilityResults","tableType":"Microsoft","description":"Application Insights availability test results.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when availability result was 
recorded."},{"name":"Id","type":"string","description":"Unique ID of the availability test."},{"name":"Name","type":"string","description":"Availability Test Name.","isPreferredFacet":true},{"name":"Location","type":"string","description":"The location from where the test ran.","isPreferredFacet":true},{"name":"Success","type":"bool","description":"The result of test.","isPreferredFacet":true},{"name":"Message","type":"string","description":"Application-defined message."},{"name":"DurationMs","type":"real","description":"Number of milliseconds it took to finish the test."},{"name":"Properties","type":"dynamic","description":"Application-defined properties."},{"name":"Measurements","type":"dynamic","description":"Application-defined measurements."},{"name":"OperationName","type":"string","description":"Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.","isPreferredFacet":true},{"name":"OperationId","type":"string","description":"Application-defined operation ID."},{"name":"ParentId","type":"string","description":"ID of the parent operation."},{"name":"SyntheticSource","type":"string","description":"Synthetic source of the operation."},{"name":"SessionId","type":"string","description":"Application-defined session ID."},{"name":"UserId","type":"string","description":"Anonymous ID of a user accessing the application."},{"name":"UserAuthenticatedId","type":"string","description":"Persistent string that uniquely represents each authenticated user in the application."},{"name":"UserAccountId","type":"string","description":"Application-defined account associated with the user."},{"name":"AppVersion","type":"string","description":"Version of the application.","isPreferredFacet":true},{"name":"AppRoleName","type":"string","description":"Role name of the application.","isPreferredFacet":true},{"name":"AppRoleInstance","type":"string","description":"Role instance of the 
application.","isPreferredFacet":true},{"name":"ClientType","type":"string","description":"Type of the client device."},{"name":"ClientModel","type":"string","description":"Model of the client device."},{"name":"ClientOS","type":"string","description":"Operating system of the client device."},{"name":"ClientIP","type":"string","description":"IP address of the client device."},{"name":"ClientCity","type":"string","description":"City where the client device is located."},{"name":"ClientStateOrProvince","type":"string","description":"State or province where the client device is located."},{"name":"ClientCountryOrRegion","type":"string","description":"Country or region where the client device is located."},{"name":"ClientBrowser","type":"string","description":"Browser running on the client device.","isPreferredFacet":true},{"name":"ResourceGUID","type":"string","description":"Unique, persistent identifier of an Azure resource."},{"name":"IKey","type":"string","description":"Instrumentation key of the Azure resource."},{"name":"SDKVersion","type":"string","description":"Version of the SDK used by the application to generate this telemetry item."},{"name":"ItemCount","type":"int","description":"Number of telemetry items represented by a single sample item."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"solutions":["LogManagement"],"resourceTypes":["microsoft.insights/components"]}},{"id":"AppBrowserTimings","name":"AppBrowserTimings","tableType":"Microsoft","description":"Application Insights browser 
timings.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when request was recorded."},{"name":"Name","type":"string","description":"Name of the page.","isPreferredFacet":true},{"name":"Url","type":"string","description":"URI of the page view.","isPreferredFacet":true},{"name":"NetworkDurationMs","type":"real","description":"Page load network time in milliseconds."},{"name":"SendDurationMs","type":"real","description":"Send request time in milliseconds."},{"name":"ReceiveDurationMs","type":"real","description":"Page load receive response duration in milliseconds."},{"name":"ProcessingDurationMs","type":"real","description":"Page DOM processing time in milliseconds."},{"name":"TotalDurationMs","type":"real","description":"Page loading total time in milliseconds."},{"name":"Properties","type":"dynamic","description":"Application-defined properties."},{"name":"Measurements","type":"dynamic","description":"Application-defined measurements."},{"name":"OperationName","type":"string","description":"Application-defined name of the overall operation. 
The OperationName values typically match the Name values for AppRequests.","isPreferredFacet":true},{"name":"OperationId","type":"string","description":"Application-defined operation ID."},{"name":"ParentId","type":"string","description":"ID of the parent operation."},{"name":"SyntheticSource","type":"string","description":"Synthetic source of the operation."},{"name":"SessionId","type":"string","description":"Application-defined session ID."},{"name":"UserId","type":"string","description":"Anonymous ID of a user accessing the application."},{"name":"UserAuthenticatedId","type":"string","description":"Persistent string that uniquely represents each authenticated user in the application."},{"name":"UserAccountId","type":"string","description":"Application-defined account associated with the user."},{"name":"AppVersion","type":"string","description":"Version of the application.","isPreferredFacet":true},{"name":"AppRoleName","type":"string","description":"Role name of the application.","isPreferredFacet":true},{"name":"AppRoleInstance","type":"string","description":"Role instance of the application.","isPreferredFacet":true},{"name":"ClientType","type":"string","description":"Type of the client device."},{"name":"ClientModel","type":"string","description":"Model of the client device."},{"name":"ClientOS","type":"string","description":"Operating system of the client device."},{"name":"ClientIP","type":"string","description":"IP address of the client device."},{"name":"ClientCity","type":"string","description":"City where the client device is located."},{"name":"ClientStateOrProvince","type":"string","description":"State or province where the client device is located."},{"name":"ClientCountryOrRegion","type":"string","description":"Country or region where the client device is located."},{"name":"ClientBrowser","type":"string","description":"Browser running on the client device.","isPreferredFacet":true},{"name":"ResourceGUID","type":"string","description":"Unique, 
persistent identifier of an Azure resource."},{"name":"IKey","type":"string","description":"Instrumentation key of the Azure resource."},{"name":"SDKVersion","type":"string","description":"Version of the SDK used by the application to generate this telemetry item."},{"name":"ItemCount","type":"int","description":"Number of telemetry items represented by a single sample item."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"solutions":["LogManagement"],"resourceTypes":["microsoft.insights/components"]}},{"id":"AppCenterError","name":"AppCenterError","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"SchemaType","type":"string","isPreferredFacet":true},{"name":"ErrorId","type":"string","isPreferredFacet":true},{"name":"ErrorGroupId","type":"string","isPreferredFacet":true},{"name":"UserString","type":"string","isPreferredFacet":true},{"name":"Oem","type":"string","isPreferredFacet":true},{"name":"Model","type":"string","isPreferredFacet":true},{"name":"OsVersion","type":"string","isPreferredFacet":true},{"name":"JailBreak","type":"bool","isPreferredFacet":true},{"name":"ErrorType","type":"string","isPreferredFacet":true},{"name":"ErrorClass","type":"string","isPreferredFacet":true},{"name":"ErrorMethod","type":"string","isPreferredFacet":true},{"name":"ErrorFile","type":"string","isPreferredFacet":true},{"name":"ErrorLine","type":"int","isPreferredFacet":tr
ue},{"name":"ErrorReason","type":"string","isPreferredFacet":true},{"name":"ExceptionType","type":"string","isPreferredFacet":true},{"name":"Status","type":"string"},{"name":"Annotation","type":"string","isPreferredFacet":true},{"name":"CreatedAt","type":"datetime","isPreferredFacet":true},{"name":"SymbolicatedAt","type":"datetime","isPreferredFacet":true},{"name":"LastErrorAt","type":"datetime","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["LogManagement"]}},{"id":"AppDependencies","name":"AppDependencies","tableType":"Microsoft","description":"Application Insights dependencies.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when dependency call was recorded."},{"name":"Id","type":"string","description":"Application-generated, unique ID of the dependency call."},{"name":"Target","type":"string","description":"Target of a dependency call, such as a Web or a SQL server name.","isPreferredFacet":true},{"name":"DependencyType","type":"string","description":"Dependency type, such as HTTP or SQL.","isPreferredFacet":true},{"name":"Name","type":"string","description":"Dependency name, such as an URI query without parameters or a SQL server table name.","isPreferredFacet":true},{"name":"Data","type":"string","description":"Detailed information about the dependency call, such as a full URI or a SQL statement."},{"name":"Success","type":"bool","description":"Indicates whether the dependency call completed successfully.","isPreferredFacet":true},{"name":"ResultCode","type":"string","description":"Result code returned to the application by the dependency call.","isPreferredFacet":true},{"name":"DurationMs","type":"real","description":"Number of milliseconds the dependency call took to 
complete."},{"name":"Properties","type":"dynamic","description":"Application-defined properties."},{"name":"Measurements","type":"dynamic","description":"Application-defined measurements."},{"name":"OperationName","type":"string","description":"Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.","isPreferredFacet":true},{"name":"OperationId","type":"string","description":"Application-defined operation ID."},{"name":"ParentId","type":"string","description":"ID of the parent operation."},{"name":"SyntheticSource","type":"string","description":"Synthetic source of the operation."},{"name":"SessionId","type":"string","description":"Application-defined session ID."},{"name":"UserId","type":"string","description":"Anonymous ID of a user accessing the application."},{"name":"UserAuthenticatedId","type":"string","description":"Persistent string that uniquely represents each authenticated user in the application."},{"name":"UserAccountId","type":"string","description":"Application-defined account associated with the user."},{"name":"AppVersion","type":"string","description":"Version of the application.","isPreferredFacet":true},{"name":"AppRoleName","type":"string","description":"Role name of the application.","isPreferredFacet":true},{"name":"AppRoleInstance","type":"string","description":"Role instance of the application.","isPreferredFacet":true},{"name":"ClientType","type":"string","description":"Type of the client device."},{"name":"ClientModel","type":"string","description":"Model of the client device."},{"name":"ClientOS","type":"string","description":"Operating system of the client device."},{"name":"ClientIP","type":"string","description":"IP address of the client device."},{"name":"ClientCity","type":"string","description":"City where the client device is located."},{"name":"ClientStateOrProvince","type":"string","description":"State or province where the client device is 
located."},{"name":"ClientCountryOrRegion","type":"string","description":"Country or region where the client device is located."},{"name":"ClientBrowser","type":"string","description":"Browser running on the client device.","isPreferredFacet":true},{"name":"ResourceGUID","type":"string","description":"Unique, persistent identifier of an Azure resource."},{"name":"IKey","type":"string","description":"Instrumentation key of the Azure resource."},{"name":"SDKVersion","type":"string","description":"Version of the SDK used by the application to generate this telemetry item."},{"name":"ItemCount","type":"int","description":"Number of telemetry items represented by a single sample item."},{"name":"ReferencedItemId","type":"string","description":"Id of the item with additional details about the dependency call."},{"name":"ReferencedType","type":"string","description":"Name of the table with additional details about the dependency call."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"solutions":["LogManagement"],"resourceTypes":["microsoft.insights/components"]}},{"id":"AppEnvSessionConsoleLogs","name":"AppEnvSessionConsoleLogs","tableType":"Microsoft","description":"Logs generated by Sessions within a Container App Environment. 
This includes logs generated on the stdout or stderr streams by all containers in the session.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation generating this log."},{"name":"Location","type":"string","description":"The location of the session generating this log."},{"name":"Log","type":"string","description":"The log generated by the user's session."},{"name":"Stream","type":"string","description":"The stream where the log was emitted."},{"name":"SessionPoolName","type":"string","description":"The name of the Session Pool generating this log."},{"name":"SessionIdentifier","type":"string","description":"The identifier of the session generating this log."},{"name":"EnvironmentName","type":"string","description":"The name of the Container App Environment generating this log."},{"name":"ContainerName","type":"string","description":"The name of the container generating this log."},{"name":"ContainerId","type":"string","description":"The ID of the session generating this log."},{"name":"ContainerGroupName","type":"string","description":"The name of the session's pod generating this log."},{"name":"ContainerGroupId","type":"string","description":"The ID of the session's pod generating this log."},{"name":"ContainerImage","type":"string","description":"The image used in the container instance that generated this log."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the 
subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.app/managedenvironments"],"solutions":["LogManagement"]}},{"id":"AppEnvSessionLifecycleLogs","name":"AppEnvSessionLifecycleLogs","tableType":"Microsoft","description":"Logs generated by CustomContainer Session Pool within a Container App Environment. This includes logs produced by session allocation related platform events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation generating this log."},{"name":"Location","type":"string","description":"The location of the Session Pool generating this log."},{"name":"SessionPoolName","type":"string","description":"The name of the Session Pool generating this log."},{"name":"PodName","type":"string","description":"The name of the session's pod generating this log."},{"name":"NodeName","type":"string","description":"The name of the node instance that generated this log."},{"name":"Level","type":"string","description":"The log level of the log. 
This can be Info, Error, etc."},{"name":"Log","type":"string","description":"The log generated by the Session Pool."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.app/managedenvironments"],"solutions":["LogManagement"]}},{"id":"AppEnvSessionPoolEventLogs","name":"AppEnvSessionPoolEventLogs","tableType":"Microsoft","description":"Logs generated by a CustomContainer Session Pool within a Container App Environment. This includes logs produced by the Session Pool itself, such as pod creation and deletion.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation generating this log."},{"name":"Location","type":"string","description":"The location of the Session Pool generating this log."},{"name":"SessionPoolName","type":"string","description":"The name of the Session Pool generating this log."},{"name":"PodName","type":"string","description":"The name of the session's pod generating this log."},{"name":"NodeName","type":"string","description":"The name of the node instance that generated this log."},{"name":"Level","type":"string","description":"The log level of the record. 
This can be Info, Error, etc."},{"name":"Log","type":"string","description":"The log generated by the Session Pool."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.app/managedenvironments"],"solutions":["LogManagement"]}},{"id":"AppEnvSpringAppConsoleLogs","name":"AppEnvSpringAppConsoleLogs","tableType":"Microsoft","description":"Logs generated by Spring Apps (Container Apps with a managedBy annotation) within a Container App Environment. This includes logs generated on the stdout or stderr streams by all containers in the app. 
It also includes all Dapr sidecar container logs but does not include any system or platform level logs produced by the Container App Environment itself.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation generating this log."},{"name":"Location","type":"string","description":"The location of the Container App generating this log."},{"name":"ContainerName","type":"string","description":"The name of the container generating this log."},{"name":"ContainerGroupName","type":"string","description":"The name of the container's pod (Container App replica) generating this log."},{"name":"ContainerImage","type":"string","description":"The image used in the container instance that generated this log."},{"name":"Stream","type":"string","description":"The stream where the log was emitted."},{"name":"ContainerGroupId","type":"string","description":"The ID of the container's pod (Container App replica) generating this log."},{"name":"EnvironmentName","type":"string","description":"The name of the Container App Environment generating this log."},{"name":"Log","type":"string","description":"The log message generated by the user's Container App."},{"name":"ContainerAppName","type":"string","description":"The name of the Container App generating this log."},{"name":"ContainerId","type":"string","description":"The ID of the Container App generating this log."},{"name":"RevisionName","type":"string","description":"The name of the revision generating this log."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the 
resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.app/managedenvironments"],"solutions":["LogManagement"]}},{"id":"AppEvents","name":"AppEvents","tableType":"Microsoft","description":"Application Insights events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when customEvent was recorded."},{"name":"Name","type":"string","description":"Human-readable name of the customEvent.","isPreferredFacet":true},{"name":"Properties","type":"dynamic","description":"Application-defined properties."},{"name":"Measurements","type":"dynamic","description":"Application-defined measurements."},{"name":"OperationName","type":"string","description":"Application-defined name of the overall operation. 
The OperationName values typically match the Name values for AppRequests.","isPreferredFacet":true},{"name":"OperationId","type":"string","description":"Application-defined operation ID."},{"name":"ParentId","type":"string","description":"ID of the parent operation."},{"name":"SyntheticSource","type":"string","description":"Synthetic source of the operation."},{"name":"SessionId","type":"string","description":"Application-defined session ID."},{"name":"UserId","type":"string","description":"Anonymous ID of a user accessing the application."},{"name":"UserAuthenticatedId","type":"string","description":"Persistent string that uniquely represents each authenticated user in the application."},{"name":"UserAccountId","type":"string","description":"Application-defined account associated with the user."},{"name":"AppVersion","type":"string","description":"Version of the application.","isPreferredFacet":true},{"name":"AppRoleName","type":"string","description":"Role name of the application.","isPreferredFacet":true},{"name":"AppRoleInstance","type":"string","description":"Role instance of the application.","isPreferredFacet":true},{"name":"ClientType","type":"string","description":"Type of the client device."},{"name":"ClientModel","type":"string","description":"Model of the client device."},{"name":"ClientOS","type":"string","description":"Operating system of the client device."},{"name":"ClientIP","type":"string","description":"IP address of the client device."},{"name":"ClientCity","type":"string","description":"City where the client device is located."},{"name":"ClientStateOrProvince","type":"string","description":"State or province where the client device is located."},{"name":"ClientCountryOrRegion","type":"string","description":"Country or region where the client device is located."},{"name":"ClientBrowser","type":"string","description":"Browser running on the client device.","isPreferredFacet":true},{"name":"ResourceGUID","type":"string","description":"Unique, 
persistent identifier of an Azure resource."},{"name":"IKey","type":"string","description":"Instrumentation key of the Azure resource."},{"name":"SDKVersion","type":"string","description":"Version of the SDK used by the application to generate this telemetry item."},{"name":"ItemCount","type":"int","description":"Number of telemetry items represented by a single sample item."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"solutions":["LogManagement"],"resourceTypes":["microsoft.insights/components"]}},{"id":"AppExceptions","name":"AppExceptions","tableType":"Microsoft","description":"Application Insights exceptions.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when request was recorded."},{"name":"ProblemId","type":"string","description":"Problem ID of the exception.","isPreferredFacet":true},{"name":"HandledAt","type":"string","description":"Where the exception was seen."},{"name":"ExceptionType","type":"string","description":"Type of exception.","isPreferredFacet":true},{"name":"Message","type":"string","description":"Exception message."},{"name":"Assembly","type":"string","description":"Exception assembly."},{"name":"Method","type":"string","description":"Exception method.","isPreferredFacet":true},{"name":"OuterType","type":"string","description":"Type of the outer exception."},{"name":"OuterMessage","type":"string","description":"Message of the outer 
exception."},{"name":"OuterAssembly","type":"string","description":"Assembly of the outer exception."},{"name":"OuterMethod","type":"string","description":"Method of the outer exception."},{"name":"InnermostType","type":"string","description":"Type of the innermost exception."},{"name":"InnermostMessage","type":"string","description":"Message of the innermost exception."},{"name":"InnermostAssembly","type":"string","description":"Assembly of the innermost exception."},{"name":"InnermostMethod","type":"string","description":"Method of the innermost exception."},{"name":"SeverityLevel","type":"int","description":"Severity level of the exception."},{"name":"Details","type":"dynamic","description":"Details of the exception."},{"name":"Properties","type":"dynamic","description":"Application-defined properties."},{"name":"Measurements","type":"dynamic","description":"Application-defined measurements."},{"name":"OperationName","type":"string","description":"Application-defined name of the overall operation. 
The OperationName values typically match the Name values for AppRequests.","isPreferredFacet":true},{"name":"OperationId","type":"string","description":"Application-defined operation ID."},{"name":"ParentId","type":"string","description":"ID of the parent operation."},{"name":"SyntheticSource","type":"string","description":"Synthetic source of the operation."},{"name":"SessionId","type":"string","description":"Application-defined session ID."},{"name":"UserId","type":"string","description":"Anonymous ID of a user accessing the application."},{"name":"UserAuthenticatedId","type":"string","description":"Persistent string that uniquely represents each authenticated user in the application."},{"name":"UserAccountId","type":"string","description":"Application-defined account associated with the user."},{"name":"AppVersion","type":"string","description":"Version of the application.","isPreferredFacet":true},{"name":"AppRoleName","type":"string","description":"Role name of the application.","isPreferredFacet":true},{"name":"AppRoleInstance","type":"string","description":"Role instance of the application.","isPreferredFacet":true},{"name":"ClientType","type":"string","description":"Type of the client device."},{"name":"ClientModel","type":"string","description":"Model of the client device."},{"name":"ClientOS","type":"string","description":"Operating system of the client device."},{"name":"ClientIP","type":"string","description":"IP address of the client device."},{"name":"ClientCity","type":"string","description":"City where the client device is located."},{"name":"ClientStateOrProvince","type":"string","description":"State or province where the client device is located."},{"name":"ClientCountryOrRegion","type":"string","description":"Country or region where the client device is located."},{"name":"ClientBrowser","type":"string","description":"Browser running on the client device.","isPreferredFacet":true},{"name":"ResourceGUID","type":"string","description":"Unique, 
persistent identifier of an Azure resource."},{"name":"IKey","type":"string","description":"Instrumentation key of the Azure resource."},{"name":"SDKVersion","type":"string","description":"Version of the SDK used by the application to generate this telemetry item."},{"name":"ItemCount","type":"int","description":"Number of telemetry items represented by a single sample item."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"solutions":["LogManagement"],"resourceTypes":["microsoft.insights/components"]}},{"id":"AppGenAIContent","name":"AppGenAIContent","tableType":"Microsoft","description":"Generative AI content captured from an OpenTelemetry source, including input and output messages, system instructions, and tool interactions.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"Id","type":"string","description":"A unique identifier for the record."},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the GenAI content was captured."},{"name":"TraceId","type":"string","description":"The identifier of the trace this record belongs to."},{"name":"SpanId","type":"string","description":"The identifier of the span this content is associated with."},{"name":"ParentSpanId","type":"string","description":"The identifier of the parent of the associated span."},{"name":"AgentName","type":"string","description":"The name of the GenAI agent."},{"name":"AgentId","type":"string","description":"The unique identifier of the GenAI 
agent."},{"name":"ModelName","type":"string","description":"The name of the GenAI model the request is being made to."},{"name":"InputMessages","type":"string","description":"The chat history provided to the model as an input."},{"name":"OutputMessages","type":"string","description":"Messages returned by the model where each message represents a specific model response (choice, candidate)."},{"name":"SystemInstructions","type":"string","description":"The system message or instructions provided to the GenAI model separately from the chat history."},{"name":"ToolDefinitions","type":"string","description":"The list of source system tool definitions available to the GenAI agent or model."},{"name":"ToolCallArguments","type":"string","description":"Parameters passed to the tool call."},{"name":"ToolCallResult","type":"string","description":"The result returned by the tool call (if any and if execution was successful)."},{"name":"EvaluationExplanation","type":"string","description":"The explanation or reasoning provided by an evaluation of the GenAI interaction."},{"name":"ServiceNamespace","type":"string","description":"A namespace for ServiceName. This is the value of the 'service.namespace' resource attribute."},{"name":"ServiceName","type":"string","description":"Logical name of the service. This is the value of the 'service.name' resource attribute."},{"name":"ServiceInstanceId","type":"string","description":"A unique identifier for the instance of the service. 
This is the value of the 'service.instance.id' resource attribute."},{"name":"RoleName","type":"string","description":"A simplified service identifier combining ServiceNamespace and ServiceName."},{"name":"Attributes","type":"dynamic","description":"A property bag of additional key-value pairs associated with this record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"solutions":["LogManagement"]}},{"id":"AppMetrics","name":"AppMetrics","tableType":"Microsoft","description":"Application Insights metrics.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the metric was generated."},{"name":"Name","type":"string","description":"Application-defined name of the metric.","isPreferredFacet":true},{"name":"ItemCount","type":"int","description":"The number of measurements that were aggregated into the trackMetric(..) call."},{"name":"Sum","type":"real","description":"The sum of the measurements. To get the mean value, divide by ItemCount."},{"name":"Min","type":"real","description":"The minimum value among the measurements that were aggregated into the trackMetric(..) call."},{"name":"Max","type":"real","description":"The maximum value among the measurements that were aggregated into the trackMetric(..) 
call."},{"name":"Properties","type":"dynamic","description":"Application-defined properties."},{"name":"OperationName","type":"string","description":"Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.","isPreferredFacet":true},{"name":"OperationId","type":"string","description":"Application-defined operation ID."},{"name":"ParentId","type":"string","description":"ID of the parent operation."},{"name":"SyntheticSource","type":"string","description":"Synthetic source of the operation."},{"name":"SessionId","type":"string","description":"Application-defined session ID."},{"name":"UserId","type":"string","description":"Anonymous ID of a user accessing the application."},{"name":"UserAuthenticatedId","type":"string","description":"Persistent string that uniquely represents each authenticated user in the application."},{"name":"UserAccountId","type":"string","description":"Application-defined account associated with the user."},{"name":"AppVersion","type":"string","description":"Version of the application.","isPreferredFacet":true},{"name":"AppRoleName","type":"string","description":"Role name of the application.","isPreferredFacet":true},{"name":"AppRoleInstance","type":"string","description":"Role instance of the application.","isPreferredFacet":true},{"name":"ClientType","type":"string","description":"Type of the client device."},{"name":"ClientModel","type":"string","description":"Model of the client device."},{"name":"ClientOS","type":"string","description":"Operating system of the client device."},{"name":"ClientIP","type":"string","description":"IP address of the client device."},{"name":"ClientCity","type":"string","description":"City where the client device is located."},{"name":"ClientStateOrProvince","type":"string","description":"State or province where the client device is located."},{"name":"ClientCountryOrRegion","type":"string","description":"Country or region where the client 
device is located."},{"name":"ClientBrowser","type":"string","description":"Browser running on the client device.","isPreferredFacet":true},{"name":"ResourceGUID","type":"string","description":"Unique, persistent identifier of an Azure resource."},{"name":"IKey","type":"string","description":"Instrumentation key of the Azure resource."},{"name":"SDKVersion","type":"string","description":"Version of the SDK used by the application to generate this telemetry item."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"solutions":["LogManagement"],"resourceTypes":["microsoft.insights/components"]}},{"id":"AppPageViews","name":"AppPageViews","tableType":"Microsoft","description":"Application Insights page views.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when page view was recorded."},{"name":"Id","type":"string","description":"Application-generated, unique page view ID."},{"name":"Name","type":"string","description":"Human-readable name of the page view.","isPreferredFacet":true},{"name":"Url","type":"string","description":"URL of the page view.","isPreferredFacet":true},{"name":"DurationMs","type":"real","description":"Number of milliseconds it took the application to handle the page view."},{"name":"Properties","type":"dynamic","description":"Application-defined properties."},{"name":"Measurements","type":"dynamic","description":"Application-defined 
measurements."},{"name":"OperationName","type":"string","description":"Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.","isPreferredFacet":true},{"name":"OperationId","type":"string","description":"Application-defined operation ID."},{"name":"ParentId","type":"string","description":"ID of the parent operation."},{"name":"SyntheticSource","type":"string","description":"Synthetic source of the operation."},{"name":"SessionId","type":"string","description":"Application-defined session ID."},{"name":"UserId","type":"string","description":"Anonymous ID of a user accessing the application."},{"name":"UserAuthenticatedId","type":"string","description":"Persistent string that uniquely represents each authenticated user in the application."},{"name":"UserAccountId","type":"string","description":"Application-defined account associated with the user."},{"name":"AppVersion","type":"string","description":"Version of the application.","isPreferredFacet":true},{"name":"AppRoleName","type":"string","description":"Role name of the application.","isPreferredFacet":true},{"name":"AppRoleInstance","type":"string","description":"Role instance of the application.","isPreferredFacet":true},{"name":"ClientType","type":"string","description":"Type of the client device."},{"name":"ClientModel","type":"string","description":"Model of the client device."},{"name":"ClientOS","type":"string","description":"Operating system of the client device."},{"name":"ClientIP","type":"string","description":"IP address of the client device."},{"name":"ClientCity","type":"string","description":"City where the client device is located."},{"name":"ClientStateOrProvince","type":"string","description":"State or province where the client device is located."},{"name":"ClientCountryOrRegion","type":"string","description":"Country or region where the client device is located."},{"name":"ClientBrowser","type":"string","description":"Browser 
running on the client device.","isPreferredFacet":true},{"name":"ResourceGUID","type":"string","description":"Unique, persistent identifier of an Azure resource."},{"name":"IKey","type":"string","description":"Instrumentation key of the Azure resource."},{"name":"SDKVersion","type":"string","description":"Version of the SDK used by the application to generate this telemetry item."},{"name":"ItemCount","type":"int","description":"Number of telemetry items represented by a single sample item."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"solutions":["LogManagement"],"resourceTypes":["microsoft.insights/components"]}},{"id":"AppPerformanceCounters","name":"AppPerformanceCounters","tableType":"Microsoft","description":"Application Insights performance counters.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when performance counter was recorded."},{"name":"Name","type":"string","description":"Performance counter name.","isPreferredFacet":true},{"name":"Category","type":"string","description":"Performance counter category.","isPreferredFacet":true},{"name":"Counter","type":"string","description":"Performance counter name.","isPreferredFacet":true},{"name":"Instance","type":"string","description":"Instance identifier, to which the counter is related."},{"name":"Value","type":"real","description":"Performance counter value."},{"name":"Properties","type":"dynamic","description":"Application-defined 
properties."},{"name":"OperationName","type":"string","description":"Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.","isPreferredFacet":true},{"name":"OperationId","type":"string","description":"Application-defined operation ID."},{"name":"ParentId","type":"string","description":"ID of the parent operation."},{"name":"SyntheticSource","type":"string","description":"Synthetic source of the operation."},{"name":"SessionId","type":"string","description":"Application-defined session ID."},{"name":"UserId","type":"string","description":"Anonymous ID of a user accessing the application."},{"name":"UserAuthenticatedId","type":"string","description":"Persistent string that uniquely represents each authenticated user in the application."},{"name":"UserAccountId","type":"string","description":"Application-defined account associated with the user."},{"name":"AppVersion","type":"string","description":"Version of the application.","isPreferredFacet":true},{"name":"AppRoleName","type":"string","description":"Role name of the application.","isPreferredFacet":true},{"name":"AppRoleInstance","type":"string","description":"Role instance of the application.","isPreferredFacet":true},{"name":"ClientType","type":"string","description":"Type of the client device."},{"name":"ClientModel","type":"string","description":"Model of the client device."},{"name":"ClientOS","type":"string","description":"Operating system of the client device."},{"name":"ClientIP","type":"string","description":"IP address of the client device."},{"name":"ClientCity","type":"string","description":"City where the client device is located."},{"name":"ClientStateOrProvince","type":"string","description":"State or province where the client device is located."},{"name":"ClientCountryOrRegion","type":"string","description":"Country or region where the client device is located."},{"name":"ClientBrowser","type":"string","description":"Browser 
running on the client device.","isPreferredFacet":true},{"name":"ResourceGUID","type":"string","description":"Unique, persistent identifier of an Azure resource."},{"name":"IKey","type":"string","description":"Instrumentation key of the Azure resource."},{"name":"SDKVersion","type":"string","description":"Version of the SDK used by the application to generate this telemetry item."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"solutions":["LogManagement"],"resourceTypes":["microsoft.insights/components"]}},{"id":"AppPlatformBuildLogs","name":"AppPlatformBuildLogs","tableType":"Microsoft","description":"Azure Spring Cloud build logs for user source code.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log is collected by Azure Spring Cloud."},{"name":"BuildLog","type":"string","description":"The build log for each build stage.","isPreferredFacet":true},{"name":"PodName","type":"string","description":"The name of the pod that emitted the log.","isPreferredFacet":true},{"name":"ContainerName","type":"string","description":"The name of the container that emitted the log.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is 
associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"],"resourceTypes":["microsoft.appplatform/spring"]}},{"id":"AppPlatformContainerEventLogs","name":"AppPlatformContainerEventLogs","tableType":"Microsoft","description":"Azure Spring Cloud container event logs of user applications.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log is collected by Azure Spring Cloud."},{"name":"App","type":"string","description":"The name of the application that emitted the container event.","isPreferredFacet":true},{"name":"Deployment","type":"string","description":"The name of the deployment that emitted the container event.","isPreferredFacet":true},{"name":"Instance","type":"string","description":"The name of the instance that emitted the container event.","isPreferredFacet":true},{"name":"Event","type":"string","description":"The name of the container event, such as 'Backoff', 'Pulled', 'Created', 'Started' or 'Unhealthy'.","isPreferredFacet":true},{"name":"Type","type":"string","description":"The type of the container event: 'Error', 'Warning' or 'Normal'.","isPreferredFacet":true},{"name":"Message","type":"string","description":"The detailed message of the container event.","isPreferredFacet":true},{"name":"FirstTimestamp","type":"datetime","description":"The timestamp when this container event was first seen.","isPreferredFacet":true},{"name":"LastTimestamp","type":"datetime","description":"The timestamp when this container event was last seen.","isPreferredFacet":true},{"name":"Count","type":"int","description":"The number of times this container event 
happened.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.appplatform/spring"]}},{"id":"AppPlatformIngressLogs","name":"AppPlatformIngressLogs","tableType":"Microsoft","description":"Azure Spring Cloud ingress logs; currently these are nginx access logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log is collected by Azure Spring Cloud"},{"name":"RemoteAddr","type":"string","description":"The source IP address of the client","isPreferredFacet":true},{"name":"RemoteUser","type":"string","description":"User name supplied with basic authentication","isPreferredFacet":true},{"name":"TimeLocal","type":"string","description":"Local time in the common log format","isPreferredFacet":true},{"name":"Host","type":"string","description":"The host name of the log","isPreferredFacet":true},{"name":"Request","type":"string","description":"Full original request line","isPreferredFacet":true},{"name":"Status","type":"string","description":"Response status code","isPreferredFacet":true},{"name":"BodyBytesSent","type":"string","description":"Number of bytes sent to the client, not counting the response header","isPreferredFacet":true},{"name":"HttpReferer","type":"string","description":"Value of the referer header","isPreferredFacet":true},{"name":"HttpUserAgent","type":"string","description":"Value of the user-agent 
header","isPreferredFacet":true},{"name":"RequestLength","type":"string","description":"Request length in bytes (including request line, header, and request body)","isPreferredFacet":true},{"name":"RequestTime","type":"real","description":"Time in seconds with millisecond resolution elapsed since the first bytes were read from the client","isPreferredFacet":true},{"name":"ProxyUpstreamName","type":"string","description":"Name of the upstream server. The format is upstream---","isPreferredFacet":true},{"name":"ProxyAlternativeUpstreamName","type":"string","description":"Name of the alternative upstream server. The format is upstream---","isPreferredFacet":true},{"name":"UpstreamAddr","type":"string","description":"The IP address and port (or the path to the domain socket) of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas","isPreferredFacet":true},{"name":"UpstreamResponseLength","type":"string","description":"The length in bytes of the response obtained from the upstream server","isPreferredFacet":true},{"name":"UpstreamResponseTime","type":"string","description":"Time spent on receiving the response from the upstream server, the time is kept in seconds with millisecond resolution","isPreferredFacet":true},{"name":"UpstreamStatus","type":"string","description":"Status code of the response obtained from the upstream server","isPreferredFacet":true},{"name":"ReqId","type":"string","description":"The randomly generated ID of the request","isPreferredFacet":true},{"name":"RequestHeaders","type":"string","description":"Request headers end with 'id' or 'ID'","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.appplatform/spring"]}},{"id":"AppPlatformLogsforSpring","name":"AppPlatformLogsforSpring","tableType":"Microsoft","description":"App Platform Logs for Spring.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log is collected by Azure Spring Cloud"},{"name":"ServiceName","type":"string","description":"The service name that emitted the log","isPreferredFacet":true},{"name":"AppName","type":"string","description":"The application name that emitted the log","isPreferredFacet":true},{"name":"InstanceName","type":"string","description":"The instance name that emitted the log","isPreferredFacet":true},{"name":"Log","type":"string","description":"The content of the log","isPreferredFacet":true},{"name":"AppTimestamp","type":"datetime","description":"The log timestamp (UTC) from user application log","isPreferredFacet":true},{"name":"Logger","type":"string","description":"The logger from user application log","isPreferredFacet":true},{"name":"CustomLevel","type":"string","description":"Verbosity level of log","isPreferredFacet":true},{"name":"Thread","type":"string","description":"The thread of the log","isPreferredFacet":true},{"name":"Message","type":"string","description":"The message of the log","isPreferredFacet":true},{"name":"StackTrace","type":"string","description":"The stackTrace of the log","isPreferredFacet":true},{"name":"MDC","type":"string","description":"Customized MDC field in the 
log","isPreferredFacet":true},{"name":"ExceptionClass","type":"string","description":"The exceptionClass of the log","isPreferredFacet":true},{"name":"TraceId","type":"string","description":"TraceId for tracing","isPreferredFacet":true},{"name":"SpanId","type":"string","description":"SpanId for tracing","isPreferredFacet":true},{"name":"Stream","type":"string","description":"The stream of the log","isPreferredFacet":true},{"name":"Category","type":"string","description":"Log Category","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.appplatform/spring"]}},{"id":"AppPlatformSystemLogs","name":"AppPlatformSystemLogs","tableType":"Microsoft","description":"Azure Spring Cloud System Logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log is collected by Azure Spring Cloud"},{"name":"ServiceName","type":"string","description":"The service name that emitted the log","isPreferredFacet":true},{"name":"InstanceName","type":"string","description":"The instance name that emitted the log","isPreferredFacet":true},{"name":"Level","type":"string","description":"The level of the log","isPreferredFacet":true},{"name":"Thread","type":"string","description":"The thread of the 
log","isPreferredFacet":true},{"name":"Logger","type":"string","description":"The logger of the log","isPreferredFacet":true},{"name":"Log","type":"string","description":"The log of the log","isPreferredFacet":true},{"name":"Stack","type":"string","description":"The stack of the log","isPreferredFacet":true},{"name":"LogType","type":"string","description":"The type of the log","isPreferredFacet":true},{"name":"Category","type":"string","description":"Log Category","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.appplatform/spring"]}},{"id":"AppRequests","name":"AppRequests","tableType":"Microsoft","description":"Application Insights requests.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when request processing started."},{"name":"Id","type":"string","description":"Application-generated, unique request ID."},{"name":"Source","type":"string","description":"Friendly name of the request source, when known. 
Source is based on the metadata supplied by the caller."},{"name":"Name","type":"string","description":"Human-readable name of the request.","isPreferredFacet":true},{"name":"Url","type":"string","description":"URL of the request.","isPreferredFacet":true},{"name":"Success","type":"bool","description":"Indicates whether the application handled the request successfully.","isPreferredFacet":true},{"name":"ResultCode","type":"string","description":"Result code returned by the application after handling the request.","isPreferredFacet":true},{"name":"DurationMs","type":"real","description":"Number of milliseconds it took the application to handle the request."},{"name":"Properties","type":"dynamic","description":"Application-defined properties."},{"name":"Measurements","type":"dynamic","description":"Application-defined measurements."},{"name":"OperationName","type":"string","description":"Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.","isPreferredFacet":true},{"name":"OperationId","type":"string","description":"Application-defined operation ID."},{"name":"ParentId","type":"string","description":"ID of the parent operation."},{"name":"SyntheticSource","type":"string","description":"Synthetic source of the operation."},{"name":"SessionId","type":"string","description":"Application-defined session ID."},{"name":"UserId","type":"string","description":"Anonymous ID of a user accessing the application."},{"name":"UserAuthenticatedId","type":"string","description":"Persistent string that uniquely represents each authenticated user in the application."},{"name":"UserAccountId","type":"string","description":"Application-defined account associated with the user."},{"name":"AppVersion","type":"string","description":"Version of the application.","isPreferredFacet":true},{"name":"AppRoleName","type":"string","description":"Role name of the 
application.","isPreferredFacet":true},{"name":"AppRoleInstance","type":"string","description":"Role instance of the application.","isPreferredFacet":true},{"name":"ClientType","type":"string","description":"Type of the client device."},{"name":"ClientModel","type":"string","description":"Model of the client device."},{"name":"ClientOS","type":"string","description":"Operating system of the client device."},{"name":"ClientIP","type":"string","description":"IP address of the client device."},{"name":"ClientCity","type":"string","description":"City where the client device is located."},{"name":"ClientStateOrProvince","type":"string","description":"State or province where the client device is located."},{"name":"ClientCountryOrRegion","type":"string","description":"Country or region where the client device is located."},{"name":"ClientBrowser","type":"string","description":"Browser running on the client device.","isPreferredFacet":true},{"name":"ResourceGUID","type":"string","description":"Unique, persistent identifier of an Azure resource."},{"name":"IKey","type":"string","description":"Instrumentation key of the Azure resource."},{"name":"SDKVersion","type":"string","description":"Version of the SDK used by the application to generate this telemetry item."},{"name":"ItemCount","type":"int","description":"Number of telemetry items represented by a single sample item."},{"name":"ReferencedItemId","type":"string","description":"Id of the item with additional details about the request."},{"name":"ReferencedType","type":"string","description":"Name of the table with additional details about the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A 
unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"solutions":["LogManagement"],"resourceTypes":["microsoft.insights/components"]}},{"id":"AppServiceAntivirusScanAuditLogs","name":"AppServiceAntivirusScanAuditLogs","tableType":"Microsoft","description":"Report on any discovered virus or infected files that have been uploaded to their site.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when event is generated","isPreferredFacet":true},{"name":"ScanStatus","type":"string","description":"Status of the scan"},{"name":"TotalFilesScanned","type":"int","description":"Total number of scanned files"},{"name":"NumberOfInfectedFiles","type":"int","description":"Total number of files infected with virus"},{"name":"ListOfInfectedFiles","type":"string","description":"List of each virus file path"},{"name":"ErrorMessage","type":"string","description":"Error Message"},{"name":"SourceSystem","type":"string"},{"name":"Category","type":"string","description":"Log category name","isPreferredFacet":true},{"name":"TimeStamp","type":"datetime","description":"Time when event is generated","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.web/sites"]}},{"id":"AppServiceAppLogs","name":"AppServiceAppLogs","tableType":"Microsoft","description":"Logs generated through your 
application.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when event is generated","isPreferredFacet":true},{"name":"Level","type":"string","description":"Verbosity level of log mapped to standard levels (Informational, Warning, Error, or Critical)","isPreferredFacet":true},{"name":"Host","type":"string","description":"Host where the application is running","isPreferredFacet":true},{"name":"ResultDescription","type":"string","description":"Log message description"},{"name":"CustomLevel","type":"string","description":"Verbosity level of log","isPreferredFacet":true},{"name":"Source","type":"string","description":"Application source from where log message is emitted"},{"name":"Method","type":"string","description":"Application Method from where log message is emitted"},{"name":"Logger","type":"string","description":"Application logger used to emit log message","isPreferredFacet":true},{"name":"WebSiteInstanceId","type":"string","description":"Instance ID of the running application","isPreferredFacet":true},{"name":"ExceptionClass","type":"string","description":"Application class from where log message is emitted"},{"name":"Message","type":"string","description":"Log message"},{"name":"StackTrace","type":"string","description":"Complete stack trace of the log message in case of exception"},{"name":"ContainerId","type":"string","description":"Application container id"},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Category","type":"string","description":"Log category name"},{"name":"Stacktrace","type":"string","description":"Complete stack trace of the log message in case of exception"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.web/sites"]}},{"id":"AppServiceAuditLogs","name":"AppServiceAuditLogs","tableType":"Microsoft","description":"Logs generated when publishing users successfully log on via one of the App Service publishing protocols.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when event is generated"},{"name":"Category","type":"string","description":"Log category name"},{"name":"OperationName","type":"string","description":"Name of the operation"},{"name":"User","type":"string","description":"Username used for publishing access"},{"name":"UserDisplayName","type":"string","description":"Email address of a user in case publishing was authorized via AAD authentication"},{"name":"UserAddress","type":"string","description":"Client IP address of the publishing user"},{"name":"Protocol","type":"string","description":"Authentication protocol"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.web/sites"]}},{"id":"AppServiceAuthenticationLogs","name":"AppServiceAuthenticationLogs","tableType":"Microsoft","description":"Logs generated through App Service Authentication for your application.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when this event was generated."},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event."},{"name":"Level","type":"string","description":"The level of log verbosity."},{"name":"TaskName","type":"string","description":"The name of the task being performed."},{"name":"Message","type":"string","description":"The log message."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events."},{"name":"SiteName","type":"string","description":"The runtime name of the application."},{"name":"HostName","type":"string","description":"The host name of the application."},{"name":"StatusCode","type":"int","description":"The HTTP status code of the operation."},{"name":"SubStatusCode","type":"int","description":"The HTTP sub-status code of the request."},{"name":"Details","type":"string","description":"The event details."},{"name":"ModuleRuntimeVersion","type":"string","description":"The version of App Service Authentication running."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.web/sites"],"solutions":["LogManagement"],"queries":["c8e2cc5e-c9e3-499c-93ef-56ffe79e9bba","4a6eac8a-736f-4f1b-a237-f5801daedbff","e68dd16c-3295-43e8-aae2-09870e143b67"]}},{"id":"AppServiceConsoleLogs","name":"AppServiceConsoleLogs","tableType":"Microsoft","description":"Console logs generated from application or container.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when event is generated","isPreferredFacet":true},{"name":"Level","type":"string","description":"Verbosity level of log","isPreferredFacet":true},{"name":"ResultDescription","type":"string","description":"Log message description"},{"name":"ContainerId","type":"string","description":"Application container id"},{"name":"Host","type":"string","description":"Host where the application is running","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Category","type":"string","description":"Log category name"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","applications"],"solutions":["LogManagement"],"resourceTypes":["microsoft.web/sites"]}},{"id":"AppServiceEnvironmentPlatformLogs","name":"AppServiceEnvironmentPlatformLogs","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"ResultType","type":"string","isPreferredFacet":true},{"name":"ResultDescription","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"]}},{"id":"AppServiceFileAuditLogs","name":"AppServiceFileAuditLogs","tableType":"Microsoft","description":"Logs generated when app service content is modified.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when event is generated"},{"name":"Category","type":"string","description":"Log category name"},{"name":"OperationName","type":"string","description":"Operation performed on a file"},{"name":"Path","type":"string","description":"Path to the file that was changed"},{"name":"Process","type":"string","description":"Type of the process that changed the file"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.web/sites"]}},{"id":"AppServiceHTTPLogs","name":"AppServiceHTTPLogs","tableType":"Microsoft","description":"Incoming HTTP requests on App Service. Use these logs to monitor application health, performance and usage patterns.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when event is generated","isPreferredFacet":true},{"name":"CsMethod","type":"string","description":"The request HTTP verb"},{"name":"CsUriStem","type":"string","description":"The target of the request"},{"name":"SPort","type":"string","description":"Server port number"},{"name":"CIp","type":"string","description":"IP address of the client"},{"name":"UserAgent","type":"string","description":"User agent on HTTP request"},{"name":"CsHost","type":"string","description":"Host name header on HTTP request"},{"name":"ScStatus","type":"int","description":"HTTP status code"},{"name":"ScSubStatus","type":"string","description":"Substatus error code on HTTP request"},{"name":"ScWin32Status","type":"string","description":"Windows status code on HTTP request"},{"name":"ScBytes","type":"int","description":"Number of bytes sent by server"},{"name":"CsBytes","type":"int","description":"Number of bytes received by server"},{"name":"TimeTaken","type":"int","description":"Time taken by HTTP request in milliseconds"},{"name":"Result","type":"string","description":"Success / Failure of HTTP request"},{"name":"Cookie","type":"string","description":"Cookie on HTTP 
request"},{"name":"CsUriQuery","type":"string","description":"URI query on HTTP request"},{"name":"CsUsername","type":"string","description":"The name of the authenticated user on HTTP request"},{"name":"Referer","type":"string","description":"The site that the user last visited. This site provided a link to the current site"},{"name":"ComputerName","type":"string","description":"The name of the server on which the log file entry was generated."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.web/sites"]}},{"id":"AppServiceIPSecAuditLogs","name":"AppServiceIPSecAuditLogs","tableType":"Microsoft","description":"Logs generated through your application and pushed to Azure Monitoring.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time of the Http Request","isPreferredFacet":true},{"name":"Result","type":"string","description":"The result whether the access is Allowed or Denied"},{"name":"CsHost","type":"string","description":"Host header of the HTTP request"},{"name":"ServiceEndpoint","type":"string","description":"This indicates whether the access is via Virtual Network Service Endpoint communication"},{"name":"CIp","type":"string","description":"IP address of the client"},{"name":"XForwardedFor","type":"string","description":"X-Forwarded-For header of the HTTP request"},{"name":"XForwardedHost","type":"string","description":"X-Forwarded-Host header of the HTTP 
request"},{"name":"XAzureFDID","type":"string","description":"X-Azure-FDID header (Azure Frontdoor Id) of the HTTP request"},{"name":"XFDHealthProbe","type":"string","description":"X-FD-HealthProbe (Azure Frontdoor Health Probe) of the HTTP request"},{"name":"Details","type":"string","description":"Additional information"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"],"resourceTypes":["microsoft.web/sites"]}},{"id":"AppServicePlatformLogs","name":"AppServicePlatformLogs","tableType":"Microsoft","description":"Logs generated through AppService platform for your application.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when event is generated","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event.","isPreferredFacet":true},{"name":"Level","type":"string","description":"Level of log verbosity","isPreferredFacet":true},{"name":"Message","type":"string","description":"Log message"},{"name":"ContainerId","type":"string","description":"Application container id"},{"name":"DeploymentId","type":"string","description":"Deployment ID of the application deployment"},{"name":"Host","type":"string","description":"Host where the application is running","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"ActivityId","type":"string","description":"Activity Id to correlate 
events"},{"name":"Exception","type":"string","description":"Details of the exception"},{"name":"StackTrace","type":"string","description":"Stack trace for the exception"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.web/sites"]}},{"id":"AppServiceServerlessSecurityPluginData","name":"AppServiceServerlessSecurityPluginData","tableType":"Microsoft","description":"Logs from the data collection services of the defender for serverless apps. Used to detect security issues and provide alerts and recommendations on how to mitigate/fix them.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time (UTC) this message was created on the node."},{"name":"SlSecRequestId","type":"string","description":"The ingestion request ID used for identifying the message and the request for diagnostics and debugging."},{"name":"Sender","type":"string","description":"The name of the component that published this message. Almost always will be the name of the plugin, but can also be platform."},{"name":"PayloadType","type":"string","description":"The type of the payload. Mostly used to distinguish between messages meant for different types of security analysis."},{"name":"Payload","type":"dynamic","description":"An array of messages, where each one is a JSON string."},{"name":"Index","type":"int","description":"Available when multiple payloads exist for the same message. 
In that case, payloads share the same SlSecRequestId and Index defines the chronological order of payloads."},{"name":"SlSecMetadata","type":"dynamic","description":"Contains details about the resource like the deployment ID, runtime info, website info, OS, etc."},{"name":"SlSecProps","type":"dynamic","description":"Contains other details that might be needed for debugging end-to-end requests, e.g., slsec nuget version."},{"name":"MsgVersion","type":"string","description":"The version of the message schema. Used to make code changes backward- and forward-compatible."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.web/sites"],"solutions":["LogManagement"]}},{"id":"AppSystemEvents","name":"AppSystemEvents","tableType":"Microsoft","description":"Application Insights system events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the system event was recorded."},{"name":"EventType","type":"string","description":"Event type","isPreferredFacet":true},{"name":"Name","type":"string","description":"Event name","isPreferredFacet":true},{"name":"Properties","type":"dynamic","description":"Event properties."},{"name":"Measurements","type":"dynamic","description":"Event measurements."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"solutions":["LogManagement"],"resourceTypes":["microsoft.insights/components"]}},{"id":"AppTraces","name":"AppTraces","tableType":"Microsoft","description":"Application Insights traces.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when trace was recorded."},{"name":"Message","type":"string","description":"Trace message."},{"name":"SeverityLevel","type":"int","description":"Severity level of the trace.","isPreferredFacet":true},{"name":"Properties","type":"dynamic","description":"Application-defined properties."},{"name":"Measurements","type":"dynamic","description":"Application-defined measurements."},{"name":"OperationName","type":"string","description":"Application-defined name of the overall operation. 
The OperationName values typically match the Name values for AppRequests.","isPreferredFacet":true},{"name":"OperationId","type":"string","description":"Application-defined operation ID."},{"name":"ParentId","type":"string","description":"ID of the parent operation."},{"name":"SyntheticSource","type":"string","description":"Synthetic source of the operation."},{"name":"SessionId","type":"string","description":"Application-defined session ID."},{"name":"UserId","type":"string","description":"Anonymous ID of a user accessing the application."},{"name":"UserAuthenticatedId","type":"string","description":"Persistent string that uniquely represents each authenticated user in the application."},{"name":"UserAccountId","type":"string","description":"Application-defined account associated with the user."},{"name":"AppVersion","type":"string","description":"Version of the application.","isPreferredFacet":true},{"name":"AppRoleName","type":"string","description":"Role name of the application.","isPreferredFacet":true},{"name":"AppRoleInstance","type":"string","description":"Role instance of the application.","isPreferredFacet":true},{"name":"ClientType","type":"string","description":"Type of the client device."},{"name":"ClientModel","type":"string","description":"Model of the client device."},{"name":"ClientOS","type":"string","description":"Operating system of the client device."},{"name":"ClientIP","type":"string","description":"IP address of the client device."},{"name":"ClientCity","type":"string","description":"City where the client device is located."},{"name":"ClientStateOrProvince","type":"string","description":"State or province where the client device is located."},{"name":"ClientCountryOrRegion","type":"string","description":"Country or region where the client device is located."},{"name":"ClientBrowser","type":"string","description":"Browser running on the client device.","isPreferredFacet":true},{"name":"ResourceGUID","type":"string","description":"Unique, 
persistent identifier of an Azure resource."},{"name":"IKey","type":"string","description":"Instrumentation key of the Azure resource."},{"name":"SDKVersion","type":"string","description":"Version of the SDK used by the application to generate this telemetry item."},{"name":"ItemCount","type":"int","description":"Number of telemetry items represented by a single sample item."},{"name":"ReferencedItemId","type":"string","description":"Id of the item with additional details about the trace."},{"name":"ReferencedType","type":"string","description":"Name of the table with additional details about the trace."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["applications"],"solutions":["LogManagement"],"resourceTypes":["microsoft.insights/components"]}},{"id":"ApplicationInsights","name":"ApplicationInsights","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TelemetryType","type":"string","isPreferredFacet":true},{"name":"ApplicationName","type":"string","isPreferredFacet":true},{"name":"ApplicationId","type":"string"},{"name":"DeviceType","type":"string","isPreferredFacet":true},{"name":"ScreenResolution","type":"string"},{"name":"DeviceID","type":"string","isPreferredFacet":true},{"name":"OS","type":"string","isPreferredFacet":true},{"name":"OsVersion","type":"string","isPreferredFacet":true},{"name":"Browser","type":"string","isPreferredFacet":true},{"name":"BrowserVersion","type":"string","isPreferredFacet":true},{"name":"Continent","type":"string","isPreferredFacet":true},{"name":"Country","type":"string","isPreferredFacet":true},{"name":"ClientIP","type":"string","isPreferredFacet":true},{"name":"Province","type":"string","isPreferredFacet":true},{"name":"City","type":"string","isPreferredFacet":true},{"name":"isSynthetic","type":"string","isPreferredFacet":true},{"name":"SamplingRate","type":"string"},{"name":"IsAuthenticated","type":"bool","isPreferredFacet":true},{"name":"AnonAcquisitionDate","type":"datetime"},{"name":"AccountAcquisitionDate","type":"datetime"},{"name":"OperationID","type":"string"},{"name":"ParentOperationID","type":"string"},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"SessionId","type":"string"},{"name":"SampledCount","type":"int"},{"name":"UserAccountId","type":"string"},{"name":"AnonUserId","type":"string"},{"name":"CustomEventName","type":"string","isPreferredFacet":true},{"name":"CustomEventCount","type":"int"},{"name":"CustomEventDimensions","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Loc
alSubnet","type":"string","isPreferredFacet":true},{"name":"Language","type":"string","isPreferredFacet":true},{"name":"Role","type":"string","isPreferredFacet":true},{"name":"DeviceName","type":"string","isPreferredFacet":true},{"name":"DeviceModel","type":"string","isPreferredFacet":true},{"name":"csUserAgent","type":"string","isPreferredFacet":true},{"name":"Latitude","type":"string","isPreferredFacet":true},{"name":"Longitude","type":"string","isPreferredFacet":true},{"name":"AuthAcquisitionDate","type":"datetime"},{"name":"DeveloperMode","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"Host","type":"string","isPreferredFacet":true},{"name":"URLBase","type":"string"},{"name":"sPort","type":"int","isPreferredFacet":true},{"name":"ApplicationProtocol","type":"string","isPreferredFacet":true},{"name":"ResponseCode","type":"string","isPreferredFacet":true},{"name":"RequestSuccess","type":"bool","isPreferredFacet":true},{"name":"RequestID","type":"string"},{"name":"RequestName","type":"string","isPreferredFacet":true},{"name":"RequestCount","type":"int"},{"name":"RequestDuration","type":"real"},{"name":"RequestDurationCount","type":"int"},{"name":"RequestDurationMin","type":"real"},{"name":"RequestDurationMax","type":"real"},{"name":"RequestDurationStdDev","type":"real"},{"name":"URL","type":"string","isPreferredFacet":true},{"name":"ApplicationTypeVersion","type":"string","isPreferredFacet":true},{"name":"ManagementGroupName","type":"string","isPreferredFacet":true},{"name":"RoleInstance","type":"string","isPreferredFacet":true},{"name":"ExceptionAssembly","type":"string"},{"name":"ExceptionType","type":"string","isPreferredFacet":true},{"name":"ExceptionGroup","type":"string","isPreferredFacet":true},{"name":"ExceptionHandledAt","type":"string","isPreferredFacet":true},{"name":"ExceptionCount","type":"int"},{"name":"ExceptionMethod","type":"string","isPreferredFacet":true},{"name":"ExceptionHasStack","typ
e":"bool","isPreferredFacet":true},{"name":"ExceptionMessage","type":"string","isPreferredFacet":true},{"name":"ExceptionStack","type":"string"},{"name":"PageViewName","type":"string","isPreferredFacet":true},{"name":"PageViewCount","type":"int"},{"name":"PageViewDurationCount","type":"int"},{"name":"PageViewDurationMin","type":"real"},{"name":"PageViewDurationMax","type":"real"},{"name":"PageViewDurationStdDev","type":"real"},{"name":"PageViewDuration","type":"real"},{"name":"AvailabilityTestName","type":"string","isPreferredFacet":true},{"name":"AvailabilityRunLocation","type":"string","isPreferredFacet":true},{"name":"AvailabilityResult","type":"string","isPreferredFacet":true},{"name":"AvailabilityTestId","type":"string"},{"name":"AvailabilityMessage","type":"string","isPreferredFacet":true},{"name":"AvailabilityTimestamp","type":"datetime"},{"name":"AvailabilityCount","type":"int"},{"name":"DataSizeMetricValue","type":"real"},{"name":"DataSizeMetricCount","type":"int"},{"name":"AvailabilityDuration","type":"real"},{"name":"AvailabilityDurationCount","type":"int"},{"name":"AvailabilityDurationMin","type":"real"},{"name":"AvailabilityDurationMax","type":"real"},{"name":"AvailabilityDurationStdDev","type":"real"},{"name":"AvailabilityValue","type":"real"},{"name":"AvailabilityMetricCount","type":"int"},{"name":"AvailabilityMin","type":"real"},{"name":"AvailabilityMax","type":"real"},{"name":"AvailabilityStdDev","type":"real"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["ApplicationInsights"]}},{"id":"ArcK8sAudit","name":"ArcK8sAudit","tableType":"Microsoft","description":"Contains all Kubernetes API Server audit logs including events with the get and list verbs. These events are useful for monitoring all of the interactions with the Kubernetes API. To limit the scope to modifying operations see the ArcK8sAuditAdmin table. 
Requires Diagnostic Settings to use the Resource Specific destination table.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Event generation time."},{"name":"Level","type":"string","description":"Level (Metadata, Request, RequestResponse) of the audit event."},{"name":"AuditId","type":"string","description":"Unique audit ID that is generated for each request."},{"name":"Stage","type":"string","description":"The request handling stage (RequestReceived, ResponseStarted, ResponseComplete, Panic) at which this audit event was generated."},{"name":"RequestUri","type":"string","description":"The URI of the request made by the client to the server."},{"name":"Verb","type":"string","description":"The Kubernetes verb associated with the request. For non-resource requests, this is the lower-cased HTTP method."},{"name":"User","type":"dynamic","description":"Authenticated user metadata of the requesting client, including optional fields such as UID and groups."},{"name":"SourceIps","type":"dynamic","description":"The list of source IP addresses for the originating client and intermediate proxies."},{"name":"UserAgent","type":"string","description":"The user agent string presented by the originating client."},{"name":"ObjectRef","type":"dynamic","description":"The Kubernetes object reference this event was targeted for. This field does not apply for list requests nor non-resource requests."},{"name":"ResponseStatus","type":"dynamic","description":"Response status for the request, which includes the response code. In error cases, this object will include the error message property."},{"name":"RequestObject","type":"dynamic","description":"Kubernetes API object from the request in object format or the string \"skipped-too-big-size-object\". 
This is omitted for non-resource requests."},{"name":"ResponseObject","type":"dynamic","description":"Kubernetes API object from the response, in object format or the string \"skipped-too-big-size-object\". This is omitted for non-resource requests."},{"name":"RequestReceivedTime","type":"datetime","description":"Time when the API Server first received the request."},{"name":"StageReceivedTime","type":"datetime","description":"Time when the request reached the current audit stage."},{"name":"Annotations","type":"dynamic","description":"An unstructured key-value map associated with this audit event. These annotations are set by plugins as part of the request serving chain and are included at the Metadata event level."},{"name":"PodName","type":"string","description":"Name of the pod emitting this audit event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources","container"],"resourceTypes":["microsoft.kubernetes/connectedclusters"],"solutions":["LogManagement"]}},{"id":"ArcK8sAuditAdmin","name":"ArcK8sAuditAdmin","tableType":"Microsoft","description":"Contains Kubernetes API Server audit logs excluding events with the get and list verbs. These events are useful for monitoring resource modification requests made to the Kubernetes API. To see all modifying and non-modifying operations see the ArcK8sAudit table. 
Requires Diagnostic Settings to use the Resource Specific destination table.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Event generation time."},{"name":"Level","type":"string","description":"Level (Metadata, Request, RequestResponse) of the audit event."},{"name":"AuditId","type":"string","description":"Unique audit ID that is generated for each request."},{"name":"Stage","type":"string","description":"The request handling stage (RequestReceived, ResponseStarted, ResponseComplete, Panic) at which this audit event was generated."},{"name":"RequestUri","type":"string","description":"The URI of the request made by the client to the server."},{"name":"Verb","type":"string","description":"The Kubernetes verb associated with the request. For non-resource requests, this is the lower-cased HTTP method."},{"name":"User","type":"dynamic","description":"Authenticated user metadata of the requesting client, including optional fields such as UID and groups."},{"name":"SourceIps","type":"dynamic","description":"The list of source IP addresses for the originating client and intermediate proxies."},{"name":"UserAgent","type":"string","description":"The user agent string presented by the originating client."},{"name":"ObjectRef","type":"dynamic","description":"The Kubernetes object reference this event was targeted for. This field does not apply for list requests nor non-resource requests."},{"name":"ResponseStatus","type":"dynamic","description":"Response status for the request, which includes the response code. In error cases, this object will include the error message property."},{"name":"RequestObject","type":"dynamic","description":"Kubernetes API object from the request in object format or the string \"skipped-too-big-size-object\". 
This is omitted for non-resource requests."},{"name":"ResponseObject","type":"dynamic","description":"Kubernetes API object from the response, in object format or the string \"skipped-too-big-size-object\". This is omitted for non-resource requests."},{"name":"RequestReceivedTime","type":"datetime","description":"Time when the API Server first received the request."},{"name":"StageReceivedTime","type":"datetime","description":"Time when the request reached the current audit stage."},{"name":"Annotations","type":"dynamic","description":"An unstructured key-value map associated with this audit event. These annotations are set by plugins as part of the request serving chain and are included at the Metadata event level."},{"name":"PodName","type":"string","description":"Name of the pod emitting this audit event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources","container"],"resourceTypes":["microsoft.kubernetes/connectedclusters"],"solutions":["LogManagement"]}},{"id":"ArcK8sControlPlane","name":"ArcK8sControlPlane","tableType":"Microsoft","description":"Contains diagnostic logs for the Kubernetes API Server, Controller Manager, Scheduler, Cluster Autoscaler, Cloud Controller Manager, Guard, and the Azure CSI storage drivers. These diagnostic logs have distinct Category entries corresponding to their diagnostic log setting (e.g. kube-apiserver, kube-audit-admin). 
Requires Diagnostic Settings to use the Resource Specific destination table.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Event generation time."},{"name":"Category","type":"string","description":"Service log category describing the service logging the message."},{"name":"Level","type":"string","description":"Level (Fatal, Error, Warning, Info) of the log message."},{"name":"Message","type":"string","description":"Log message body."},{"name":"Stream","type":"string","description":"Output stream (stdout, stderr) source of the log message."},{"name":"PodName","type":"string","description":"Name of the pod logging the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","container"],"resourceTypes":["microsoft.kubernetes/connectedclusters"],"solutions":["LogManagement"]}},{"id":"AuditLogs","name":"AuditLogs","tableType":"Microsoft","description":"Audit log for Azure Active Directory. 
Includes system activity information about user and group management, managed applications, and directory activities.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"Name of the operation.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"REST API version that's requested by the client.","isPreferredFacet":true},{"name":"Category","type":"string","description":"Currently Audit is the only supported value.","isPreferredFacet":true},{"name":"ResultType","type":"string","description":"Result of the operation. Possible values are Success and Failure.","isPreferredFacet":true},{"name":"ResultSignature","type":"string","description":"Property is not used and can be ignored.","isPreferredFacet":true},{"name":"ResultDescription","type":"string","description":"Additional description of the result."},{"name":"DurationMs","type":"long","description":"Property is not used and can be ignored."},{"name":"CorrelationId","type":"string","description":"Optional GUID that's passed by the client. Can help correlate client-side operations with server-side operations and is useful when tracking logs that span services."},{"name":"Resource","type":"string","isPreferredFacet":true},{"name":"ResourceGroup","type":"string","isPreferredFacet":true},{"name":"ResourceProvider","type":"string","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Identity from the token that was presented when the request was made. The identity can be a user account, a system account, or a service principal.","isPreferredFacet":true},{"name":"Level","type":"string","description":"Message type. 
This is currently always Informational.","isPreferredFacet":true},{"name":"Location","type":"string","description":"Location of the datacenter."},{"name":"AdditionalDetails","type":"dynamic","description":"Indicates additional details on the activity."},{"name":"Id","type":"string","description":"GUID that uniquely identifies the activity."},{"name":"InitiatedBy","type":"dynamic","description":"User or app that initiated the activity.","isPreferredFacet":true},{"name":"LoggedByService","type":"string","description":"Service that initiated the activity (for example: Self-service Password Management, Core Directory, B2C, Invited Users, Microsoft Identity Manager, Privileged Identity Management).","isPreferredFacet":true},{"name":"Result","type":"string","description":"Result of the activity. Possible values are: success, failure, timeout, unknownFutureValue."},{"name":"ResultReason","type":"string","description":"Describes the cause of failure or timeout results."},{"name":"TargetResources","type":"dynamic","description":"Indicates information on which resource was changed due to the activity. Target Resource Type can be User, Device, Directory, App, Role, Group, Policy or Other."},{"name":"AADTenantId","type":"string","description":"ID of the AAD tenant"},{"name":"ActivityDisplayName","type":"string","description":"Activity name or the operation name. Examples include Create User and Add member to group. For the full list see the Azure AD activity list."},{"name":"ActivityDateTime","type":"datetime","description":"Date and time the activity was performed in UTC."},{"name":"AADOperationType","type":"string","description":"Type of the operation. 
Possible values are Add Update Delete and Other."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["resources","security"],"solutions":["LogManagement"],"resourceTypes":["microsoft.azureadgraph/tenants","microsoft.graph/tenants"]}},{"id":"AutoscaleEvaluationsLog","name":"AutoscaleEvaluationsLog","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"ResultType","type":"string","isPreferredFacet":true},{"name":"ResultDescription","type":"string"},{"name":"CorrelationId","type":"string"},{"name":"TargetResourceId","type":"string","isPreferredFacet":true},{"name":"AvailabilitySet","type":"string","isPreferredFacet":true},{"name":"CloudServiceName","type":"string","isPreferredFacet":true},{"name":"CoolDown","type":"int"},{"name":"CurrentInstanceCount","type":"int"},{"name":"MetricData","type":"string"},{"name":"DefaultInstanceCount","type":"int"},{"name":"DeploymentSlot","type":"string","isPreferredFacet":true},{"name":"MetricEndTime","type":"datetime"},{"name":"EstimateScaleResult","type":"string"},{"name":"EvaluationResult","type":"string"},{"name":"EvaluationTime","type":"datetime"},{"name":"LastScaleActionOperationId","type":"string"},{"name":"LastScaleActionOperationStatus","type":"string"},{"name":"LastScaleActionTime","type":"datetime"},{"name":"MaximumInstanceCount","type":"int"},{"name":"AutoscaleMetricName","type":"string"},{"name":"MetricNamespace","type":"string"},{"name":"MinimumInstanceCount","type":"int"},{"name":"NewInstanceCount","type":"int"},{"name":"ObservedValue","type":"r
eal"},{"name":"Operator","type":"string"},{"name":"Profile","type":"string","isPreferredFacet":true},{"name":"ProfileEvaluationTime","type":"datetime"},{"name":"ProfileSelected","type":"bool","isPreferredFacet":true},{"name":"Projection","type":"real"},{"name":"InstanceUpdateReason","type":"string"},{"name":"CloudServiceRole","type":"string","isPreferredFacet":true},{"name":"SelectedAutoscaleProfile","type":"string","isPreferredFacet":true},{"name":"ServerFarm","type":"string","isPreferredFacet":true},{"name":"ShouldUpdateInstance","type":"bool","isPreferredFacet":true},{"name":"SkipCurrentAutoscaleEvaluation","type":"bool","isPreferredFacet":true},{"name":"SkipRuleEvaluationForCooldown","type":"bool","isPreferredFacet":true},{"name":"MetricStartTime","type":"datetime"},{"name":"Threshold","type":"real"},{"name":"TimeAggregationType","type":"string"},{"name":"MetricTimeGrain","type":"string"},{"name":"TimeGrainStatistic","type":"string"},{"name":"TimeWindow","type":"string"},{"name":"Webspace","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["monitor","virtualmachines","resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.insights/autoscalesettings"]}},{"id":"AutoscaleScaleActionsLog","name":"AutoscaleScaleActionsLog","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"ResultType","type":"string","isPreferredFacet":true},{"name":"ResultDescription","type":"string"},{"name":"CorrelationId","type":"string"},{"name":"TargetResourceId","type":"string","isPreferredFacet":true},{"name":"CreatedAsyncScaleActionJob","type":"bool"},{"name":"CreatedAsyncScaleActionJobId","type":"string"},{"name":"CurrentInstanceCount","type":"int"},{"name":"NewInstanceCount","type":"int"},{"name":"ScaleActionMessage","type":"string"},{"name":"ScaleActionOperationId","type":"string"},{"name":"ScaleActionOperationStatus","type":"string","isPreferredFacet":true},{"name":"ScaleDirection","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["monitor","virtualmachines","resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.insights/autoscalesettings"]}},{"id":"AzureActivity","name":"AzureActivity","tableType":"Microsoft","description":"Entries from the Azure Activity log that provides insight into 
any subscription-level or management group level events that have occurred in Azure.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"OperationNameValue","type":"string","description":"Identifier of the operation e.g. Microsoft.Storage/storageAccounts/listAccountSas/action.","isPreferredFacet":true},{"name":"Level","type":"string","description":"Level of the event. One of the following values: Critical, Error, Warning, Informational and Verbose.","isPreferredFacet":true},{"name":"ActivityStatus","type":"string","isPreferredFacet":true},{"name":"ActivityStatusValue","type":"string","description":"Status of the operation in display-friendly format. Common values include Started, In Progress, Succeeded, Failed, Active, Resolved.","isPreferredFacet":true},{"name":"ActivitySubstatus","type":"string","isPreferredFacet":true},{"name":"ActivitySubstatusValue","type":"string","description":"Substatus of the operation in display-friendly format. E.g. OK (HTTP Status Code: 200)."},{"name":"ResourceGroup","type":"string","description":"Resource group name of the impacted resource.","isPreferredFacet":true},{"name":"SubscriptionId","type":"string","description":"Subscription ID of the impacted resource."},{"name":"CorrelationId","type":"string","description":"Usually a GUID in the string format. Events that share a correlationId belong to the same uber action."},{"name":"Caller","type":"string","description":"GUID of the caller.","isPreferredFacet":true},{"name":"CallerIpAddress","type":"string","description":"IP address of the user who has performed the operation UPN claim or SPN claim based on availability."},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"CategoryValue","type":"string","description":"Category of the activity log e.g. 
Administrative, Policy, Security.","isPreferredFacet":true},{"name":"HTTPRequest","type":"string","description":"Blob describing the HTTP request. Usually includes the “clientRequestId”, “clientIpAddress” and “method” (HTTP method. For example, PUT)."},{"name":"Properties","type":"string","description":"Set of pairs (i.e. Dictionary) describing the details of the event. Stored as string. Usage of Properties_d is recommended instead."},{"name":"EventSubmissionTimestamp","type":"datetime","description":"Timestamp when the event became available for querying."},{"name":"Authorization","type":"string","description":"Blob of RBAC properties of the event. Usually includes the “action”, “role” and “scope” properties. Stored as string. The use of Authorization_d should be preferred going forward."},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"OperationId","type":"string","description":"GUID of the operation"},{"name":"ResourceProvider","type":"string","isPreferredFacet":true},{"name":"ResourceProviderValue","type":"string","description":"Id of the resource provider for the impacted resource - e.g. Microsoft.Storage.","isPreferredFacet":true},{"name":"Resource","type":"string","isPreferredFacet":true},{"name":"EventDataId","type":"string","description":"Unique identifier of an event."},{"name":"TenantId","type":"string","description":"ID of the workspace that stores this record"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the event was generated by the Azure service processing the request corresponding to the event."},{"name":"SourceSystem","type":"string","description":"Azure is always used for AzureActivity"},{"name":"Authorization_d","type":"dynamic","description":"Blob of RBAC properties of the event. Usually includes the “action”, “role” and “scope” properties. 
Stored as dynamic column."},{"name":"Claims","type":"string","description":"The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager. The use of claims_d should be preferred going forward."},{"name":"Claims_d","type":"dynamic","description":"The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager."},{"name":"Properties_d","type":"dynamic","description":"Set of pairs (i.e. Dictionary) describing the details of the event. Stored as dynamic column."},{"name":"Hierarchy","type":"string","description":"Management group hierarchy of the management group or subscription that event belongs to."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","audit","security"],"solutions":["LogManagement"],"resourceTypes":["microsoft.aad/domainservices","microsoft.azureadgraph/tenants","microsoft.containerservice/managedclusters","microsoft.apimanagement/service","microsoft.appconfiguration/configurationstores","microsoft.network/applicationgateways","microsoft.servicenetworking/trafficcontrollers","microsoft.web/sites","microsoft.kubernetes/connectedclusters","microsoft.toolchainorchestrator/diagnostics","microsoft.attestation/attestationproviders","microsoft.cache/redis","microsoft.cdn/profiles","microsoft.hardwaresecuritymodules/cloudhsmclusters","microsoft.communication/communicationservices","microsoft.documentdb/databaseaccounts","microsoft.datacollaboration/workspaces","microsoft.digitaltwins/digitaltwinsinstances","microsoft.network/dnsresolverpolicies","microsoft.eventgrid/namespaces","microsoft.eventgrid/topics","microsoft.eventhub/namespaces","microsoft.network/azurefirewalls","microsoft.dashboard/grafana","microsoft.keyvault/vaults","microsoft.loadtestservice/loadtests","microsoft.managednetworkfabric/networkdevices","microsoft.documentdb/cassandraclusters","microsoft.documentdb/mongoclusters","microsoft.dashboard/dashboard","microsoft.networkcloud/baremetalmachines","microsoft.networkcloud/clustermanagers","microsoft.networkcloud/clusters","microsoft.networkcloud/storageappliances","microsoft.network/loadbalancers","microsoft.purview/accounts","microsoft.quantum/provideraccounts","microsoft.quantum/workspaces","microsoft.recoveryservices/vaults","microsoft.relay/namespaces","microsoft.servicebus/namespaces","microsoft.sql/servers","microsoft.networkfunction/azuretrafficcollectors","microsoft.network/networkmanagers","microsoft.botservice/botservices","microsoft.chaos/experiments","microsoft.cognitiveservices/accounts","microsoft.connectedcache/cachenodes","microsoft.connectedvehicle/platformaccounts","microsoft.network/networkwatchers/connectionmonitors","micros
oft.app/managedenvironments","microsoft.d365customerinsights/instances","microsoft.databricks/workspaces","microsoft.dbformysql/flexibleservers","microsoft.dbforpostgresql/flexibleservers","microsoft.devcenter/devcenters","microsoft.devopsinfrastructure/pools","microsoft.discovery/bookshelves","microsoft.discovery/supercomputers","microsoft.discovery/workspaces","microsoft.durabletask/schedulers","microsoft.experimentation/experimentworkspaces","microsoft.hdinsight/clusters","microsoft.compute/virtualmachines","microsoft.logic/integrationaccounts","microsoft.machinelearningservices/workspaces","microsoft.machinelearningservices/registries","microsoft.media/mediaservices","microsoft.azureplaywrightservice/accounts","microsoft.graph/tenants","microsoft.networkanalytics/dataproducts","microsoft.network/networkvirtualappliances","microsoft.onlineexperimentation/workspaces","microsoft.storage/storageaccounts","microsoft.storagecache/amlfilesytems","microsoft.storagemover/storagemovers","microsoft.synapse/workspaces","microsoft.edge/diagnostics","microsoft.desktopvirtualization/hostpools","microsoft.zerotrustsegmentation/segmentationmanagers","default","subscription","resourcegroup","microsoft.signalrservice/webpubsub","microsoft.insights/components","microsoft.desktopvirtualization/applicationgroups","microsoft.desktopvirtualization/workspaces","microsoft.timeseriesinsights/environments","microsoft.workloadmonitor/monitors","microsoft.analysisservices/servers","microsoft.batch/batchaccounts","microsoft.appplatform/spring","microsoft.signalrservice/signalr","microsoft.containerregistry/registries","microsoft.kusto/clusters","microsoft.blockchain/blockchainmembers","microsoft.eventgrid/domains","microsoft.eventgrid/partnernamespaces","microsoft.eventgrid/partnertopics","microsoft.eventgrid/systemtopics","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets","
microsoft.hybridcontainerservice/provisionedclusters","microsoft.insights/autoscalesettings","microsoft.devices/iothubs","microsoft.servicefabric/clusters","microsoft.logic/workflows","microsoft.automation/automationaccounts","microsoft.datafactory/factories","microsoft.datalakestore/accounts","microsoft.datalakeanalytics/accounts","microsoft.powerbidedicated/capacities","microsoft.datashare/accounts","microsoft.sql/managedinstances","microsoft.sql/servers/databases","microsoft.dbformysql/servers","microsoft.dbforpostgresql/servers","microsoft.dbforpostgresql/serversv2","microsoft.dbformariadb/servers","microsoft.devices/provisioningservices","microsoft.network/expressroutecircuits","microsoft.network/frontdoors","microsoft.network/networkinterfaces","microsoft.network/networksecuritygroups","microsoft.network/publicipaddresses","microsoft.network/trafficmanagerprofiles","microsoft.network/virtualnetworkgateways","microsoft.network/vpngateways","microsoft.network/virtualnetworks","microsoft.search/searchservices","microsoft.streamanalytics/streamingjobs","microsoft.network/bastionhosts","microsoft.healthcareapis/services"]}},{"id":"AzureAssessmentRecommendation","name":"AzureAssessmentRecommendation","tableType":"Microsoft","description":"Recommendations generated by Azure assessments that are started through a scheduled task. 
When you schedule the assessment, it runs every 7 days by default and uploads the data into Azure Log Analytics.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"AssessmentId","type":"string","isPreferredFacet":true},{"name":"RecommendationId","type":"string","isPreferredFacet":true},{"name":"Recommendation","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"RecommendationResult","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime"},{"name":"FocusAreaId","type":"string","isPreferredFacet":true},{"name":"FocusArea","type":"string","isPreferredFacet":true},{"name":"ActionAreaId","type":"string","isPreferredFacet":true},{"name":"ActionArea","type":"string","isPreferredFacet":true},{"name":"RecommendationWeight","type":"real"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"AffectedObjectType","type":"string","isPreferredFacet":true},{"name":"AffectedObjectName","type":"string","isPreferredFacet":true},{"name":"AADTenantName","type":"string"},{"name":"AADTenantId","type":"string"},{"name":"AADTenantDomain","type":"string"},{"name":"Resource","type":"string"},{"name":"Technology","type":"string"},{"name":"CustomData","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["AzureAssessment","AzureResources"]}},{"id":"AzureAttestationDiagnostics","name":"AzureAttestationDiagnostics","tableType":"Microsoft","description":"Logs from attestation requests.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"ResourceRegion","type":"string","description":"Region where the resource is 
located."},{"name":"ResourceUri","type":"string","description":"URI of the resource."},{"name":"OperationName","type":"string","description":"Name of the operation attempted on the resource."},{"name":"ResultType","type":"string","description":"Indicates if the request was successful or failed."},{"name":"ResultSignature","type":"string","description":"HTTP status code returned from the service."},{"name":"DurationMs","type":"real","description":"Amount of time it took to process request in milliseconds."},{"name":"CallerIpAddress","type":"string","description":"IP Address of the client that submitted the request."},{"name":"Identity","type":"dynamic","description":"JSON structure containing information about the caller."},{"name":"Level","type":"string","description":"Error or Informational message indicating if the service processed the request."},{"name":"TraceContext","type":"dynamic","description":"W3C trace context."},{"name":"ServiceLocation","type":"string","description":"Location of the service which processed the request."},{"name":"FailureDetails","type":"string","description":"Details of the request failure, if it failed. 
Blank if the request succeeded."},{"name":"UserAgent","type":"string","description":"HTTP header passed by the client, if applicable."},{"name":"ContentType","type":"string","description":"Content-Type header value passed by the client."},{"name":"ContentLength","type":"int","description":"Length of the content body in bytes."},{"name":"ResultDetails","type":"string","description":"Detailed response messages included in the result, if available."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.attestation/attestationproviders"],"solutions":["LogManagement"],"queries":["4b3c3ebd-fba6-49a4-8709-7507a347a969","31a88ff8-4608-4645-ab18-4b09871b07ea","c8258837-c1bd-456c-961f-14bf71748f79","d6aaf873-8082-4960-aba0-146eb0414a27","9b285dc2-6dc7-454a-aaa0-d3113cdb8825","07f7133f-baae-444c-a1a1-2e0b6caf09c2"]}},{"id":"AzureBackupOperations","name":"AzureBackupOperations","tableType":"Microsoft","description":"This table contains details of Azure Backup operations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log was generated."},{"name":"Category","type":"string","description":"Category of the log, for example, AzureBackupOperations."},{"name":"OperationName","type":"string","description":"High-level name of the action that is logged to this table, for example, DataOperations."},{"name":"OperationType","type":"string","description":"Type of the Azure Backup operation 
executed, for example, stop backup with delete data, modify policy, change passphrase."},{"name":"OperationStartTime","type":"datetime","description":"The start time of the operation."},{"name":"SchemaVersion","type":"string","description":"The schema version."},{"name":"ExtendedProperties","type":"dynamic","description":"Additional properties applicable to the operation, for example, the associated backup item or server."},{"name":"BackupManagementType","type":"string","description":"Type of workload associated with the operation, for example, DPM, Azure Backup Server, Azure Backup Agent (MAB)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.recoveryservices/vaults"],"solutions":["LogManagement"],"queries":["4e376b4a-24d9-4110-9640-4c427e80af43"]}},{"id":"AzureDevOpsAuditing","name":"AzureDevOpsAuditing","tableType":"Microsoft","description":"Schema for Azure DevOps audit logs, which can be used to track the many changes that occur within your Azure DevOps organization(s). Some examples include changes to security policies, pipelines, billing, and projects. For a full list of events, see aka.ms/azdev-audit-events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"Id","type":"string","description":"The identifier for the audit event, unique across services.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"CorrelationId allows two or more auditing events to be grouped together. 
This happens when a single action causes a cascade of auditing entries. An example being project creation."},{"name":"ActivityId","type":"string","description":"Unique identifier for the action that occurred."},{"name":"ActorClientId","type":"string","description":"When the action was performed by a managed identity or other service principal, this value represents the client ID of that principal. Otherwise, this value is 00000000-0000-0000-0000-000000000000. When this field is populated, ActorCUID and ActorUserId will both be 00000000-0000-0000-0000-000000000000."},{"name":"ActorCUID","type":"string","description":"When the action was performed by a user, this value represents a consistently unique identifier for that actor. Otherwise, this value is 00000000-0000-0000-0000-000000000000. When this field, along with ActorUserId, is populated, ActorClientId will be 00000000-0000-0000-0000-000000000000.","isPreferredFacet":true},{"name":"ActorUserId","type":"string","description":"When the action was performed by a user or Azure DevOps service, this value represents that actor's user identifier. Otherwise, this value is 00000000-0000-0000-0000-000000000000. 
When this field, along with ActorCUID, is populated, ActorClientId will be 00000000-0000-0000-0000-000000000000.","isPreferredFacet":true},{"name":"ActorUPN","type":"string","description":"The actor's user principal name.","isPreferredFacet":true},{"name":"AuthenticationMechanism","type":"string","description":"Type of authentication used by the actor.","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"The time the auditing event occurred in UTC."},{"name":"ScopeType","type":"string","description":"The level (scope) at which the event occurred.","isPreferredFacet":true},{"name":"ScopeDisplayName","type":"string","description":"User friendly name for the scope level that an auditing event occurred at.","isPreferredFacet":true},{"name":"ScopeId","type":"string","description":"The organization identifier.","isPreferredFacet":true},{"name":"ProjectId","type":"string","description":"Unique identifier of the project that an auditing event occurred in. If not provided then the event isn't scoped to a particular project.","isPreferredFacet":true},{"name":"ProjectName","type":"string","description":"Friendly name of the project that an auditing event occurred in. If not provided then the event isn't scoped to a particular project.","isPreferredFacet":true},{"name":"IpAddress","type":"string","description":"IP address where the event originated.","isPreferredFacet":true},{"name":"UserAgent","type":"string","description":"The user agent from the request (client-supplied, so not a reliable identifier).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The unique identifier for the type of auditing event that occurred. 
For example, Git.CreateRepo identifies an auditing event for Git repository creation.","isPreferredFacet":true},{"name":"Data","type":"dynamic","description":"Additional data that's unique to the type of auditing event."},{"name":"Details","type":"string","description":"Description of what happened.","isPreferredFacet":true},{"name":"Area","type":"string","description":"Part of the Azure DevOps product where the auditing event occurred.","isPreferredFacet":true},{"name":"Category","type":"string","description":"Type of action that occurred when the auditing event was logged.","isPreferredFacet":true},{"name":"CategoryDisplayName","type":"string","description":"Display name of the type of action that occurred when the auditing event was logged.","isPreferredFacet":true},{"name":"ActorDisplayName","type":"string","description":"Display name of the user who initiated the auditing event to be logged.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["LogManagement"]}},{"id":"AzureDiagnostics","name":"AzureDiagnostics","tableType":"Microsoft","description":"Diagnostic logs emitted by Azure services describe the operation of those services or resources. All diagnostic logs share a common top-level schema, which services extend to emit unique properties for their specific events. 
Note: many services are now ingesting their diagnostic logs into resource-specific tables, see more here","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime"},{"name":"ResourceId","type":"string"},{"name":"Category","type":"string"},{"name":"ResourceGroup","type":"string"},{"name":"SubscriptionId","type":"string"},{"name":"ResourceProvider","type":"string"},{"name":"Resource","type":"string"},{"name":"ResourceType","type":"string"},{"name":"OperationName","type":"string"},{"name":"ResultType","type":"string"},{"name":"CorrelationId","type":"string"},{"name":"ResultDescription","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","security","network"],"solutions":["LogManagement"],"resourceTypes":["microsoft.containerservice/managedclusters","microsoft.apimanagement/service","microsoft.network/applicationgateways","microsoft.kubernetes/connectedclusters","microsoft.toolchainorchestrator/diagnostics","microsoft.cdn/profiles","microsoft.documentdb/databaseaccounts","microsoft.eventgrid/namespaces","microsoft.eventgrid/topics","microsoft.eventhub/namespaces","microsoft.network/azurefirewalls","microsoft.keyvault/vaults","microsoft.documentdb/mongoclusters","microsoft.network/loadbalancers","microsoft.recoveryservices/vaults","microsoft.servicebus/namespaces","microsoft.sql/servers","microsoft.cognitiveservices/accounts","microsoft.dbformysql/flexibleservers","microsoft.dbforpostgresql/flexibleservers","microsoft.media/mediaservices","microsoft.edge/diagnostics","microsoft.analysisservices/servers","microsoft.batch/batchaccounts","microsoft.eventgrid/partnernamespaces","microsoft.eventgrid/partnertopics","microsoft.eventgrid/systemtopics","microsoft.hybridcontainerservice/provisionedclusters","microsoft.devices/iothubs","microsoft.logic/workflows","microsoft.automation/automationaccounts","microsoft.datafactory/factories","microsoft.datalakestore/accounts","microsoft.datalakeanalytics/accounts","microsoft.powerbidedicated/capacities","microsoft.sql/managedinstances","microsoft.sql/servers/databases","microsoft.dbformysql/servers","microsoft.dbforpostgresql/servers","microsoft.dbforpostgresql/serversv2","microsoft.dbformariadb/servers","microsoft.devices/provisioningservices","microsoft.network/expressroutecircuits","microsoft.network/frontdoors","microsoft.network/networkinterfaces","microsoft.network/networksecuritygroups","microsoft.network/publicipaddresses","microsoft.network/trafficmanagerprofiles","microsoft.network/virtualnetworkgateways","microsoft.network/vpngateways","microsoft.network/virtualnetworks","microsoft.search/searchservices","micr
osoft.streamanalytics/streamingjobs"],"queries":["eeafb4d2-cc77-45de-8ee4-bcc7f804fa9b","375f9d9e-29bd-44ba-84ef-f30bbf8edbbb","03935bbe-6dcb-4712-a695-cba2e583784f","88ab8b25-c3c5-4c97-a93f-8e3158dc487e","1bd9dbca-3306-4985-8043-b4cb8c1f21e7","26f1dcce-f504-41fc-8613-e0458cce591a","e71a5c12-1ac5-4784-9c99-ce483f11da8d","ad8246e6-68dd-4bb6-a94a-dddb9c1e35d1","066798a4-70b2-4a0e-badb-a551fa92603d"],"functions":["19551c5e-1e3e-4425-a1d7-c846a0bca2a1","19551c5e-1e3e-4425-a1d7-c846a0bca2a2","19551c5e-1e3e-4425-a1d7-c846a0bca2a3","19551c5e-1e3e-4425-a1d7-c846a0bca2a4","19551c5e-1e3e-4425-a1d7-c846a0bca2a5","19551c5e-1e3e-4425-a1d7-c846a0bca2a6","19551c5e-1e3e-4425-a1d7-c846a0bca2a7"]}},{"id":"AzureLoadTestingOperation","name":"AzureLoadTestingOperation","tableType":"Microsoft","description":"Details about the operations which are performed on the Azure Load Testing resource. For example, operations like creation of a Test, Test run etc.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"RequestMethod","type":"string","description":"HTTP method of the API request."},{"name":"HttpStatusCode","type":"int","description":"HTTP status code of the API response."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs."},{"name":"RequestId","type":"string","description":"Unique identifier to be used to correlate request logs."},{"name":"Identity","type":"dynamic","description":"JSON structure containing information about the caller."},{"name":"RequestBody","type":"dynamic","description":"Request body of the API calls."},{"name":"ResourceRegion","type":"string","description":"Region where the resource is located."},{"name":"ServiceLocation","type":"string","description":"Location of the service which processed the 
request."},{"name":"RequestUri","type":"string","description":"URI of the API request."},{"name":"OperationId","type":"string","description":"Operation identifier for the REST API."},{"name":"OperationName","type":"string","description":"Name of the operation attempted on the resource."},{"name":"ResultType","type":"string","description":"Indicates if the request was successful or failed."},{"name":"DurationMs","type":"real","description":"Amount of time it took to process the request in milliseconds."},{"name":"CallerIpAddress","type":"string","description":"IP Address of the client that submitted the request."},{"name":"FailureDetails","type":"string","description":"Details of the error if the request failed."},{"name":"UserAgent","type":"string","description":"HTTP header passed by the client, if applicable."},{"name":"OperationVersion","type":"string","description":"API version of the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.loadtestservice/loadtests"],"solutions":["LogManagement"],"queries":["2a9d8818-5683-41cc-bedb-493c61a04bb6","a4b29234-b732-486e-9e5a-1d61af4aaf1e"]}},{"id":"AzureMetrics","name":"AzureMetrics","tableType":"Microsoft","description":"Metric data emitted by Azure services that measure their health and performance.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"SourceSystem","type":"string","description":"OpsManager for all records in this 
table.","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"ResourceId","type":"string","description":"Resource ID of the Azure resource reporting the metric. Same as _ResourceId present for backward compatibility reasons. _ResourceId should be used","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"Deprecated","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"Deprecated","isPreferredFacet":true},{"name":"Category","type":"string","description":"Deprecated","isPreferredFacet":true},{"name":"ResultType","type":"string","description":"Reduces the set of data collected. The syntax allowed depends on the operation. See the operation's description for details.","isPreferredFacet":true},{"name":"ResultSignature","type":"string","description":"Deprecated","isPreferredFacet":true},{"name":"ResultDescription","type":"string","description":"Deprecated"},{"name":"DurationMs","type":"long","description":"Deprecated"},{"name":"CallerIpAddress","type":"string","description":"Deprecated","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"Deprecated"},{"name":"Resource","type":"string","description":"Resource name of the Azure resource reporting the metric.","isPreferredFacet":true},{"name":"ResourceGroup","type":"string","description":"Resource group name of the Azure resource reporting the metric.","isPreferredFacet":true},{"name":"ResourceProvider","type":"string","description":"Resource provider of the Azure resource reporting the metric.","isPreferredFacet":true},{"name":"SubscriptionId","type":"string","description":"Subscription id of the Azure resource reporting the metric."},{"name":"MetricName","type":"string","description":"Display name of the metric.","isPreferredFacet":true},{"name":"Total","type":"real","description":"Sum of all of the values in the time 
range."},{"name":"Count","type":"real","description":"Number of samples collected during the time range. Can be used to determine the number of values that contributed to the average value."},{"name":"Maximum","type":"real","description":"Maximum value collected during the time range."},{"name":"Minimum","type":"real","description":"Minimum value collected during the time range."},{"name":"Average","type":"real"},{"name":"TimeGrain","type":"string","description":"Time grain of the metric, e.g. PT1M","isPreferredFacet":true},{"name":"UnitName","type":"string","description":"Unit of the metric. Examples include Seconds, Percent, Bytes.","isPreferredFacet":true},{"name":"RemoteIPCountry","type":"string","description":"Deprecated","isPreferredFacet":true},{"name":"RemoteIPLatitude","type":"real","description":"Deprecated"},{"name":"RemoteIPLongitude","type":"real","description":"Deprecated"},{"name":"MaliciousIP","type":"string","description":"Deprecated","isPreferredFacet":true},{"name":"IndicatorThreatType","type":"string","description":"Deprecated","isPreferredFacet":true},{"name":"Description","type":"string","description":"Deprecated"},{"name":"TLPLevel","type":"string","description":"Deprecated","isPreferredFacet":true},{"name":"Confidence","type":"string","description":"Deprecated","isPreferredFacet":true},{"name":"Severity","type":"int","description":"Deprecated","isPreferredFacet":true},{"name":"FirstReportedDateTime","type":"string","description":"Deprecated"},{"name":"LastReportedDateTime","type":"string","description":"Deprecated"},{"name":"IsActive","type":"string","description":"Deprecated","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique 
identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","monitor"],"resourceTypes":["microsoft.operationalinsights/workspaces","microsoft.aad/domainservices","microsoft.containerservice/managedclusters","microsoft.apimanagement/service","microsoft.network/applicationgateways","microsoft.servicenetworking/trafficcontrollers","microsoft.web/sites","microsoft.kubernetes/connectedclusters","microsoft.cache/redis","microsoft.hardwaresecuritymodules/cloudhsmclusters","microsoft.communication/communicationservices","microsoft.documentdb/databaseaccounts","microsoft.datacollaboration/workspaces","microsoft.eventgrid/namespaces","microsoft.eventgrid/topics","microsoft.eventhub/namespaces","microsoft.network/azurefirewalls","microsoft.keyvault/vaults","microsoft.managednetworkfabric/networkdevices","microsoft.documentdb/mongoclusters","microsoft.networkcloud/baremetalmachines","microsoft.networkcloud/clustermanagers","microsoft.networkcloud/clusters","microsoft.networkcloud/storageappliances","microsoft.network/loadbalancers","microsoft.relay/namespaces","microsoft.servicebus/namespaces","microsoft.sql/servers","microsoft.networkfunction/azuretrafficcollectors","microsoft.network/networkmanagers","microsoft.cognitiveservices/accounts","microsoft.connectedcache/cachenodes","microsoft.connectedvehicle/platformaccounts","microsoft.databricks/workspaces","microsoft.dbformysql/flexibleservers","microsoft.dbforpostgresql/flexibleservers","microsoft.devcenter/devcenters","microsoft.compute/virtualmachines","microsoft.machinelearningservices/workspaces","microsoft.media/mediaservices","microsoft.azureplaywrightservice/accounts","microsoft.networkanalytics/dataproducts","microsoft.network/networkvirtualappliances","microsoft.storage/storageaccounts","microsoft.storagecache/amlfilesytems","microsoft.storagemover/storagemovers","microsoft.synapse/workspaces","microsoft.desktopvirtualization/hostpools","microsoft.desktopvirtualization/ap
plicationgroups","microsoft.desktopvirtualization/workspaces","microsoft.timeseriesinsights/environments","microsoft.workloadmonitor/monitors","microsoft.analysisservices/servers","microsoft.batch/batchaccounts","microsoft.appplatform/spring","microsoft.signalrservice/signalr","microsoft.containerregistry/registries","microsoft.kusto/clusters","microsoft.blockchain/blockchainmembers","microsoft.eventgrid/domains","microsoft.eventgrid/partnernamespaces","microsoft.eventgrid/partnertopics","microsoft.eventgrid/systemtopics","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets","microsoft.hybridcontainerservice/provisionedclusters","microsoft.insights/autoscalesettings","microsoft.devices/iothubs","microsoft.servicefabric/clusters","microsoft.logic/workflows","microsoft.automation/automationaccounts","microsoft.datafactory/factories","microsoft.datalakestore/accounts","microsoft.datalakeanalytics/accounts","microsoft.powerbidedicated/capacities","microsoft.datashare/accounts","microsoft.sql/managedinstances","microsoft.sql/servers/databases","microsoft.dbformysql/servers","microsoft.dbforpostgresql/servers","microsoft.dbforpostgresql/serversv2","microsoft.dbformariadb/servers","microsoft.devices/provisioningservices","microsoft.network/expressroutecircuits","microsoft.network/frontdoors","microsoft.network/networkinterfaces","microsoft.network/networksecuritygroups","microsoft.network/publicipaddresses","microsoft.network/trafficmanagerprofiles","microsoft.network/virtualnetworkgateways","microsoft.network/vpngateways","microsoft.network/virtualnetworks","microsoft.search/searchservices","microsoft.streamanalytics/streamingjobs","microsoft.network/bastionhosts","microsoft.healthcareapis/services"],"solutions":["LogManagement"]}},{"id":"AzureMetricsV2","name":"AzureMetricsV2","tableType":"Microsoft","description":"Azure native platform metrics that can 
help to measure health and performance. AzureMetricsV2 includes metric categories and dimensions, improving upon the legacy AzureMetrics table.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the record was generated."},{"name":"SourceSystem","type":"string","description":"Source of the record."},{"name":"MetricResourceType","type":"string","description":"Resource type of the Azure resource reporting the metric."},{"name":"MetricName","type":"string","description":"Display name of the metric."},{"name":"MetricCategory","type":"string","description":"Category name of the metric."},{"name":"Total","type":"real","description":"Sum of all of the values in the time range."},{"name":"Count","type":"real","description":"Number of samples collected during the time range."},{"name":"Maximum","type":"real","description":"Maximum value collected during the time range."},{"name":"Minimum","type":"real","description":"Minimum value collected during the time range."},{"name":"Average","type":"real","description":"Average value collected during the time range."},{"name":"TimeGrain","type":"string","description":"Time grain of the metric."},{"name":"UnitName","type":"string","description":"Unit of the metric."},{"name":"Dimension","type":"dynamic","description":"Associated dimension of the metric in JSON format."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","monitor"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"solutions":["LogManagement"]}},{"id":"AzureMonitorPipelineLogErrors","name":"AzureMonitorPipelineLogErrors","tableType":"Microsoft","description":"Errors that occurred during Azure Monitor pipeline data collection, transformation, and export.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"Location","type":"string","description":"Azure region where the PipelineGroup is deployed."},{"name":"OperationName","type":"string","description":"Pipeline operation name. Well-known values: Ingestion, Transform, Export, Other."},{"name":"Properties","type":"dynamic","description":"Additional properties."},{"name":"Name","type":"string","description":"Azure Monitor pipeline name."},{"name":"Instance","type":"string","description":"Replica id of the Azure Monitor PipelineGroup."},{"name":"Message","type":"string","description":"User-friendly log message describing the error."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.monitor/pipelinegroups"],"solutions":["LogManagement"],"queries":["d7f3a1b9-4c2e-48a6-b5d1-9e8f7c6a3b20"]}},{"id":"AzureSQLAutomaticTuning","name":"AzureSQLAutomaticTuning","tableType":"Microsoft","description":"Automatic Tuning settings changes for Azure SQL 
Database.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the log was generated."},{"name":"Category","type":"string","description":"Log category."},{"name":"ResourceGroup","type":"string","description":"Resource group."},{"name":"OperationName","type":"string","description":"Operation name."},{"name":"LogicalServerName","type":"string","description":"Logical server name."},{"name":"DatabaseName","type":"string","description":"Database name."},{"name":"ForceLastGoodPlanStateOld","type":"string","description":"Old Force Last Good Plan state."},{"name":"ForceLastGoodPlanStateNew","type":"string","description":"New Force Last Good Plan state."},{"name":"CreateIndexStateOld","type":"string","description":"Old Create Index state."},{"name":"CreateIndexStateNew","type":"string","description":"New Create Index state."},{"name":"DropIndexStateOld","type":"string","description":"Old Drop Index state."},{"name":"DropIndexStateNew","type":"string","description":"New Drop Index state."},{"name":"MaintainIndexStateOld","type":"string","description":"Old Maintain Index state."},{"name":"MaintainIndexStateNew","type":"string","description":"New Maintain Index state."},{"name":"DatabaseModeOld","type":"string","description":"Old database tuning mode."},{"name":"DatabaseModeNew","type":"string","description":"New database tuning mode."},{"name":"Location","type":"string","description":"Azure region location."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"solutions":["LogManagement"],"queries":["a1b2c3d4-e5f6-4192-8fce-2e543e34633c"]}},{"id":"AzureSQLBlocks","name":"AzureSQLBlocks","tableType":"Microsoft","description":"Blocking events for Azure SQL Database.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the log was generated."},{"name":"Category","type":"string","description":"Log category."},{"name":"ResourceGroup","type":"string","description":"Resource group."},{"name":"OperationName","type":"string","description":"Operation name."},{"name":"ElasticPoolName","type":"string","description":"Elastic pool name if applicable."},{"name":"DatabaseName","type":"string","description":"Database name."},{"name":"Duration","type":"long","description":"Duration of the blocking event in milliseconds."},{"name":"LockMode","type":"string","description":"Lock mode (e.g., X, S, IX, IS)."},{"name":"ResourceOwnerType","type":"string","description":"Resource owner type."},{"name":"BlockedProcessFiltered","type":"string","description":"XML representation of the blocked process report."},{"name":"Location","type":"string","description":"Azure region location."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"solutions":["LogManagement"],"queries":["a1b2c3d4-e5f6-4192-8fce-2e543e34633d"]}},{"id":"AzureSQLDatabaseWaitStatistics","name":"AzureSQLDatabaseWaitStatistics","tableType":"Microsoft","description":"Database Wait Statistics for Azure SQL Database.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the log was generated."},{"name":"Category","type":"string","description":"Log category."},{"name":"ResourceGroup","type":"string","description":"Resource group."},{"name":"OperationName","type":"string","description":"Operation name."},{"name":"ElasticPoolName","type":"string","description":"Elastic pool name if applicable."},{"name":"DatabaseName","type":"string","description":"Database name."},{"name":"StartUtcDate","type":"string","description":"Wait statistics interval start time."},{"name":"EndUtcDate","type":"string","description":"Wait statistics interval end time."},{"name":"WaitType","type":"string","description":"Wait type name."},{"name":"DeltaMaxWaitTimeMs","type":"real","description":"Maximum wait time in milliseconds for this wait type during the interval."},{"name":"DeltaSignalWaitTimeMs","type":"real","description":"Signal wait time in milliseconds for this wait type during the interval."},{"name":"DeltaWaitTimeMs","type":"real","description":"Total wait time in milliseconds for this wait type during the interval."},{"name":"DeltaWaitingTasksCount","type":"int","description":"Number of waiting tasks for this wait type during the interval."},{"name":"Location","type":"string","description":"Azure region location."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"solutions":["LogManagement"],"queries":["a1b2c3d4-e5f6-4192-8fce-2e543e34633e"]}},{"id":"AzureSQLDeadlocks","name":"AzureSQLDeadlocks","tableType":"Microsoft","description":"Deadlock events for Azure SQL Database.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the log was generated."},{"name":"Category","type":"string","description":"Log category."},{"name":"ResourceGroup","type":"string","description":"Resource group."},{"name":"OperationName","type":"string","description":"Operation name."},{"name":"ElasticPoolName","type":"string","description":"Elastic pool name if applicable."},{"name":"DatabaseName","type":"string","description":"Database name."},{"name":"DeadlockXml","type":"string","description":"XML representation of the deadlock graph."},{"name":"Location","type":"string","description":"Azure region location."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"solutions":["LogManagement"],"queries":["a1b2c3d4-e5f6-4192-8fce-2e543e34633f"]}},{"id":"AzureSQLErrors","name":"AzureSQLErrors","tableType":"Microsoft","description":"Error events for Azure SQL Database.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the log was generated."},{"name":"Category","type":"string","description":"Log category."},{"name":"ResourceGroup","type":"string","description":"Resource group."},{"name":"OperationName","type":"string","description":"Operation name."},{"name":"ElasticPoolName","type":"string","description":"Elastic pool name."},{"name":"DatabaseName","type":"string","description":"Database name."},{"name":"QueryHash","type":"string","description":"Query hash."},{"name":"QueryPlanHash","type":"string","description":"Query plan hash."},{"name":"Message","type":"string","description":"Error message."},{"name":"ErrorNumber","type":"int","description":"Error number."},{"name":"Severity","type":"int","description":"Error severity level."},{"name":"UserDefined","type":"int","description":"User defined error flag."},{"name":"State","type":"int","description":"Error state."},{"name":"Location","type":"string","description":"Azure region location."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"solutions":["LogManagement"],"queries":["a1b2c3d4-e5f6-4192-8fce-2e543e346341"]}},{"id":"AzureSQLQueryStoreRuntimeStatistics","name":"AzureSQLQueryStoreRuntimeStatistics","tableType":"Microsoft","description":"Query Store Runtime Statistics for Azure SQL Database.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the log was generated."},{"name":"Category","type":"string","description":"Log category."},{"name":"ResourceGroup","type":"string","description":"Resource group."},{"name":"OperationName","type":"string","description":"Operation name."},{"name":"ElasticPoolName","type":"string","description":"Elastic pool name if applicable."},{"name":"DatabaseName","type":"string","description":"Database name."},{"name":"interval_start_time","type":"long","description":"Interval start time."},{"name":"interval_end_time","type":"long","description":"Interval end time."},{"name":"logical_io_writes","type":"long","description":"Logical IO writes."},{"name":"max_logical_io_writes","type":"long","description":"Maximum logical IO writes."},{"name":"physical_io_reads","type":"long","description":"Physical IO reads."},{"name":"max_physical_io_reads","type":"long","description":"Maximum physical IO reads."},{"name":"logical_io_reads","type":"long","description":"Logical IO reads."},{"name":"max_logical_io_reads","type":"long","description":"Maximum logical IO reads."},{"name":"page_server_reads","type":"long","description":"Page server reads."},{"name":"max_page_server_reads","type":"long","description":"Maximum page server reads."},{"name":"execution_type","type":"long","description":"Execution type."},{"name":"count_executions","type":"long","description":"Count of executions."},{"name":"cpu_time","type":"long","description":"CPU time in 
microseconds."},{"name":"max_cpu_time","type":"long","description":"Maximum CPU time in microseconds."},{"name":"dop","type":"long","description":"Degree of parallelism."},{"name":"max_dop","type":"long","description":"Maximum degree of parallelism."},{"name":"rowcount","type":"long","description":"Row count."},{"name":"max_rowcount","type":"long","description":"Maximum row count."},{"name":"query_max_used_memory","type":"long","description":"Query maximum used memory."},{"name":"max_query_max_used_memory","type":"long","description":"Maximum query maximum used memory."},{"name":"duration","type":"long","description":"Duration in microseconds."},{"name":"max_duration","type":"long","description":"Maximum duration in microseconds."},{"name":"num_physical_io_reads","type":"long","description":"Number of physical IO reads."},{"name":"max_num_physical_io_reads","type":"long","description":"Maximum number of physical IO reads."},{"name":"log_bytes_used","type":"long","description":"Log bytes used."},{"name":"max_log_bytes_used","type":"long","description":"Maximum log bytes used."},{"name":"query_id","type":"long","description":"Query identifier."},{"name":"query_hash","type":"string","description":"Query hash."},{"name":"plan_id","type":"long","description":"Plan identifier."},{"name":"replica_group_id","type":"long","description":"Replica group identifier."},{"name":"is_primary","type":"long","description":"Is primary replica."},{"name":"query_plan_hash","type":"string","description":"Query plan hash."},{"name":"statement_sql_handle","type":"string","description":"Statement SQL handle."},{"name":"Location","type":"string","description":"Azure region location."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"solutions":["LogManagement"],"queries":["a1b2c3d4-e5f6-4192-8fce-2e543e346343"]}},{"id":"AzureSQLQueryStoreWaitStatistics","name":"AzureSQLQueryStoreWaitStatistics","tableType":"Microsoft","description":"Query Store Wait Statistics for Azure SQL Database.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"OperationName","type":"string","description":"The operation name."},{"name":"ElasticPoolName","type":"string","description":"Elastic pool name if applicable."},{"name":"DatabaseName","type":"string","description":"Database name."},{"name":"IntervalStartTime","type":"long","description":"Interval start time."},{"name":"IntervalEndTime","type":"long","description":"Interval end time."},{"name":"ExecType","type":"int","description":"Execution type."},{"name":"WaitCategory","type":"string","description":"Wait category."},{"name":"CountExecutions","type":"long","description":"Number of executions."},{"name":"TotalQueryWaitTimeMs","type":"real","description":"Total query wait time in milliseconds."},{"name":"MaxQueryWaitTimeMs","type":"real","description":"Maximum query wait time in milliseconds."},{"name":"IsParameterizable","type":"string","description":"Whether the query is parameterizable."},{"name":"StatementType","type":"string","description":"Statement type."},{"name":"QueryId","type":"long","description":"Query ID."},{"name":"StatementKeyHash","type":"string","description":"Statement key hash."},{"name":"PlanId","type":"long","description":"Plan 
ID."},{"name":"ReplicaGroupId","type":"long","description":"Replica group ID."},{"name":"IsPrimary","type":"long","description":"Is primary replica."},{"name":"QueryParamType","type":"int","description":"Query parameter type."},{"name":"QueryHash","type":"string","description":"Query hash."},{"name":"QueryPlanHash","type":"string","description":"Query plan hash."},{"name":"StatementSqlHandle","type":"string","description":"Statement SQL handle."},{"name":"Location","type":"string","description":"Azure region location."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"solutions":["LogManagement"],"queries":["a1b2c3d4-e5f6-4192-8fce-2e543e34633b"]}},{"id":"AzureSQLResourceUsageStats","name":"AzureSQLResourceUsageStats","tableType":"Microsoft","description":"Resource Usage Statistics for Azure SQL Database.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the log was generated."},{"name":"Category","type":"string","description":"Log category."},{"name":"ResourceGroup","type":"string","description":"Resource group."},{"name":"OperationName","type":"string","description":"Operation name."},{"name":"SKU","type":"string","description":"Service tier SKU."},{"name":"virtual_core_count","type":"string","description":"Virtual core count."},{"name":"avg_cpu_percent","type":"string","description":"Average CPU 
percentage."},{"name":"reserved_storage_mb","type":"string","description":"Reserved storage in MB."},{"name":"storage_space_used_mb","type":"string","description":"Storage space used in MB."},{"name":"io_requests","type":"string","description":"Number of IO requests."},{"name":"io_bytes_read","type":"string","description":"IO bytes read."},{"name":"io_bytes_written","type":"string","description":"IO bytes written."},{"name":"Location","type":"string","description":"Azure region location."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"solutions":["LogManagement"],"queries":["a1b2c3d4-e5f6-4192-8fce-2e543e346345"]}},{"id":"AzureSQLTimeouts","name":"AzureSQLTimeouts","tableType":"Microsoft","description":"Timeout events for Azure SQL Database.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the log was generated."},{"name":"Category","type":"string","description":"Log category."},{"name":"ResourceGroup","type":"string","description":"Resource group."},{"name":"OperationName","type":"string","description":"Operation name."},{"name":"ElasticPoolName","type":"string","description":"Elastic pool name if applicable."},{"name":"DatabaseName","type":"string","description":"Database name."},{"name":"ErrorState","type":"int","description":"Error state code."},{"name":"QueryHash","type":"string","description":"Query 
hash."},{"name":"QueryPlanHash","type":"string","description":"Query plan hash."},{"name":"Location","type":"string","description":"Azure region location."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["workloads"],"resourceTypes":["microsoft.sql/servers"],"solutions":["LogManagement"],"queries":["a1b2c3d4-e5f6-4192-8fce-2e543e346348"]}},{"id":"BehaviorAnalytics","name":"BehaviorAnalytics","tableType":"Microsoft","description":"This table stores the enriched events for Sentinel UEBA, providing behavior analytics over raw data.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceRecordId","type":"string","description":"The unique Id of the source raw event."},{"name":"TimeGenerated","type":"datetime","description":"Time when the raw event was generated (UTC)."},{"name":"TimeProcessed","type":"datetime","description":"Time when enrichment processing occurred (UTC)."},{"name":"ActivityType","type":"string","description":"The activity type that triggered the event."},{"name":"ActionType","type":"string","description":"The specific type of action that triggered the event."},{"name":"UserName","type":"string","description":"User name of the account."},{"name":"UserPrincipalName","type":"string","description":"User principal name of the account."},{"name":"EventSource","type":"string","description":"Data source for this event."},{"name":"SourceIPAddress","type":"string","description":"The source IP address."},{"name":"SourceIPLocation","type":"string","description":"The source Geo 
location based on the IP address."},{"name":"SourceDevice","type":"string","description":"The hostname of the source device."},{"name":"DestinationIPAddress","type":"string","description":"The destination IP address."},{"name":"DestinationIPLocation","type":"string","description":"The destination Geo location based on the IP address."},{"name":"DestinationDevice","type":"string","description":"The hostname of the destination device."},{"name":"EventVendor","type":"string","description":"The vendor of the product generating the event."},{"name":"EventProductVersion","type":"string","description":"The version of the product generating the event."},{"name":"ActorName","type":"string","description":"The name of the user initiating the action that generated the event."},{"name":"ActorPrincipalName","type":"string","description":"The principal name of the user initiating the action that generated the event."},{"name":"TargetName","type":"string","description":"The name of the target user in the action that generated the event."},{"name":"TargetPrincipalName","type":"string","description":"The principal name of the target user in the action that generated the event."},{"name":"Device","type":"string","description":"The name of the device on which the event occurred or which reported the event, depending on the schema."},{"name":"UsersInsights","type":"dynamic","description":"User metadata and insights."},{"name":"DevicesInsights","type":"dynamic","description":"Device metadata and insights."},{"name":"ActivityInsights","type":"dynamic","description":"Activity and behavioral insights."},{"name":"SourceSystem","type":"string","description":"The entity provider source system."},{"name":"NativeTableName","type":"string","description":"The original table from which the record was fetched."},{"name":"InvestigationPriority","type":"int","description":"Investigation priority score."},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"solutions":["BehaviorAnalyticsInsights"]}},{"id":"BehaviorEntities","name":"BehaviorEntities","tableType":"Microsoft","description":"Microsoft Defender for Endpoints (MDE) behaviors table. Contains information about entities (file, process, device, user, and others) that are involved in a behavior or observation, including detected threats.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was generated."},{"name":"BehaviorId","type":"string","description":"Unique identifier for the behavior."},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event. Associated with specific MITRE ATT&CK techniques."},{"name":"Categories","type":"string","description":"Types of threat indicator or breach activity identified by the alert. 
Defined by the MITRE ATT&CK Matrix for Enterprise."},{"name":"ServiceSource","type":"string","description":"Product or service that provided the alert information."},{"name":"DetectionSource","type":"string","description":"Detection technology or sensor that identified the notable component or activity."},{"name":"DataSources","type":"string","description":"Products or services that provided information for the behavior."},{"name":"EntityType","type":"string","description":"Type of object, such as a file, a process, a device, or a user."},{"name":"EntityRole","type":"string","description":"Indicates whether the entity is impacted or merely related."},{"name":"DetailedEntityRole","type":"string","description":"The role of the entity in the behavior."},{"name":"FileName","type":"string","description":"Name of the file involved in the alert. Empty unless EntityType is \"File\" or \"Process\"."},{"name":"FolderPath","type":"string","description":"Folder containing the file. Empty unless EntityType is \"File\" or \"Process\"."},{"name":"SHA1","type":"string","description":"SHA-1 hash of the file. Empty unless EntityType is \"File\" or \"Process\"."},{"name":"SHA256","type":"string","description":"SHA-256 hash of the file. Empty unless EntityType is \"File\" or \"Process\"."},{"name":"FileSize","type":"long","description":"Size of the file in bytes. 
Empty unless EntityType is \"File\" or \"Process\"."},{"name":"ThreatFamily","type":"string","description":"Malware family that the suspicious or malicious file or process has been classified under."},{"name":"RemoteIP","type":"string","description":"IP address that was being connected to."},{"name":"RemoteUrl","type":"string","description":"URL or fully qualified domain name (FQDN) that was being connected to."},{"name":"AccountName","type":"string","description":"User name of the account."},{"name":"AccountDomain","type":"string","description":"Domain of the account."},{"name":"AccountSid","type":"string","description":"Security Identifier (SID) of the account."},{"name":"AccountObjectId","type":"string","description":"Unique identifier for the account in Azure AD."},{"name":"AccountUpn","type":"string","description":"User principal name (UPN) of the account."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"LocalIP","type":"string","description":"IP address assigned to the local machine used during communication."},{"name":"NetworkMessageId","type":"string","description":"Unique identifier for the email in UUID format, generated by Office 365."},{"name":"EmailSubject","type":"string","description":"Subject of the email."},{"name":"EmailClusterId","type":"string","description":"Identifier for the group of similar emails clustered based on heuristic analysis of their contents."},{"name":"Application","type":"string","description":"Application that performed the recorded action."},{"name":"ApplicationId","type":"string","description":"Unique identifier for the application."},{"name":"OAuthApplicationId","type":"string","description":"Unique identifier of the third-party OAuth application in UUID format."},{"name":"ProcessCommandLine","type":"string","description":"Command line used to create the new 
process."},{"name":"RegistryKey","type":"string","description":"Registry key that the recorded action was applied to."},{"name":"RegistryValueName","type":"string","description":"Name of the registry value that the recorded action was applied to."},{"name":"RegistryValueData","type":"string","description":"Data of the registry value that the recorded action was applied to."},{"name":"AdditionalFields","type":"string","description":"Additional information about the entity or event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"]}},{"id":"BehaviorInfo","name":"BehaviorInfo","tableType":"Microsoft","description":"Microsoft Defender for Endpoints (MDE) behaviors table. Contains information about behaviors, which in the context of Microsoft 365 Defender refers to a conclusion or insight based on one or more raw events, which can provide analysts more context in investigations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was generated."},{"name":"BehaviorId","type":"string","description":"Unique identifier for the behavior."},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event. Associated with specific MITRE ATT&CK techniques."},{"name":"Description","type":"string","description":"Description of the behavior."},{"name":"Categories","type":"string","description":"Types of threat indicator or breach activity identified by the alert. Defined by the MITRE ATT&CK Matrix for Enterprise."},{"name":"AttackTechniques","type":"string","description":"MITRE ATT&CK techniques associated with the activity that triggered the alert. 
Defined by the MITRE ATT&CK Matrix for Enterprise."},{"name":"ServiceSource","type":"string","description":"Product or service that provided the alert information."},{"name":"DetectionSource","type":"string","description":"Detection technology or sensor that identified the notable component or activity."},{"name":"DataSources","type":"string","description":"Products or services that provided information for the behavior."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"AccountUpn","type":"string","description":"User principal name (UPN) of the account."},{"name":"AccountObjectId","type":"string","description":"Unique identifier for the account in Azure AD."},{"name":"StartTime","type":"datetime","description":"Date and time of the first activity related to the behavior."},{"name":"EndTime","type":"datetime","description":"Date and time of the last activity related to the behavior."},{"name":"AdditionalFields","type":"string","description":"Additional information about the entity or event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"]}},{"id":"BlockchainApplicationLog","name":"BlockchainApplicationLog","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"Resource","type":"string","isPreferredFacet":true},{"name":"ResourceGroup","type":"string","isPreferredFacet":true},{"name":"ResourceProvider","type":"string","isPreferredFacet":true},{"name":"SubscriptionId","type":"string"},{"name":"Level","type":"string","isPreferredFacet":true},{"name":"NodeLocation","type":"string"},{"name":"BlockchainNodeName","type":"string","isPreferredFacet":true},{"name":"BlockchainMessage","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.blockchain/blockchainmembers"]}},{"id":"BlockchainProxyLog","name":"BlockchainProxyLog","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"Resource","type":"string","isPreferredFacet":true},{"name":"ResourceGroup","type":"string","isPreferredFacet":true},{"name":"ResourceProvider","type":"string","isPreferredFacet":true},{"name":"SubscriptionId","type":"string"},{"name":"LogLevel","type":"string","isPreferredFacet":true},{"name":"NodeLocation","type":"string"},{"name":"BlockchainNodeName","type":"string","isPreferredFacet":true},{"name":"EthMethod","type":"string","isPreferredFacet":true},{"name":"Agent","type":"string"},{"name":"Code","type":"string","isPreferredFacet":true},{"name":"NodeHost","type":"string"},{"name":"RequestMethodName","type":"string","isPreferredFacet":true},{"name":"BlockchainMemberName","type":"string","isPreferredFacet":true},{"name":"Consortium","type":"string","isPreferredFacet":true},{"name":"Remote","type":"string"},{"name":"RequestSize","type":"int"},{"name":"Tenant","type":"string"},{"name":"PublicUser","type":"string"},{"name":"RequestTime","type":"real"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.blockchain/blockchainmembers"]}},{"id":"CCFApplicationLogs","name":"CCFApplicationLogs","tableType":"Microsoft","description":"Contains the logs generated in the CCF application.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"Level","type":"string","description":"An error or informational message indicating if the service processed the request."},{"name":"Message","type":"string","description":"The Log message."},{"name":"File","type":"string","description":"The file name that generated the log message."},{"name":"LineNumber","type":"int","description":"The line number in the file that the message refers to."},{"name":"Location","type":"string","description":"The Azure datacenter region where the pod is deployed."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.confidentialledger/managedccfs"],"solutions":["LogManagement"],"queries":["3d08f663-9b40-4dcb-824c-e073806d5257"]}},{"id":"CDBCassandraRequests","name":"CDBCassandraRequests","tableType":"Microsoft","description":"This table details data plane operations, specifically for Cassandra API 
accounts.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) of the Cassandra API data plane request."},{"name":"AccountName","type":"string","description":"The name of the Cosmos DB account against which this request was issued."},{"name":"OperationName","type":"string","description":"The Cassandra API operation that was executed."},{"name":"UserAgent","type":"string","description":"The user agent suffix of the client issuing the request."},{"name":"ActivityId","type":"string","description":"The unique identifier (GUID) for this Cassandra API request."},{"name":"ErrorCode","type":"string","description":"The error code (if applicable) for this request."},{"name":"DurationMs","type":"real","description":"The server side execution time (in ms) for this request."},{"name":"RequestCharge","type":"real","description":"The RU (Request Unit) consumption for this request."},{"name":"DatabaseName","type":"string","description":"The name of the Cosmos DB database against which this request was issued."},{"name":"CollectionName","type":"string","description":"The name of the Cosmos DB table/container against which this request was issued."},{"name":"AuthorizationTokenType","type":"string","description":"The type of authorization token used for this request."},{"name":"RetryCount","type":"int","description":"The number of server side retries issued for this request."},{"name":"Address","type":"string","description":"The IP address of the client that issued this request."},{"name":"PIICommandText","type":"string","description":"Full query text with parameters for this request. Only populated if full query text logging is opted in; may contain personal data (PII), so restrict access to this column accordingly."},{"name":"RateLimitingDelayMs","type":"real","description":"The estimated time (in ms) spent in retrying due to rate limited operations."},{"name":"RetriedDueToRateLimiting","type":"bool","description":"Boolean flag indicating if this 
request was retried server side due to throttles."},{"name":"RegionName","type":"string","description":"The region against which this request was issued."},{"name":"RequestLength","type":"real","description":"The payload size (in bytes) of the request."},{"name":"ResponseLength","type":"real","description":"The payload size (in bytes) of the server response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.documentdb/databaseaccounts"],"solutions":["LogManagement"]}},{"id":"CDBControlPlaneRequests","name":"CDBControlPlaneRequests","tableType":"Microsoft","description":"This table details all control plane operations executed on the account, which include modifications to the regional failover policy, indexing policy, IAM role assignments, backup/restore policies, VNet and firewall rules, private links as well as updates and deletes of the account.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when this Control Plane operation was executed against the Cosmos DB account."},{"name":"AccountName","type":"string","description":"The name of the Cosmos DB account."},{"name":"ActivityId","type":"string","description":"The Activity ID of the operation."},{"name":"OperationName","type":"string","description":"The Control Plane Operation that was executed."},{"name":"HttpStatusCode","type":"int","description":"The HTTP status code of the control 
plane operation."},{"name":"Result","type":"string","description":"The result of the operation indicating either success or failure."},{"name":"RegionName","type":"string","description":"The region in which this control plane operation was executed."},{"name":"HttpMethod","type":"string","description":"The HTTP method issued for this control plane operation."},{"name":"CurrentWriteRegion","type":"string","description":"The current write region for this account (applies when a regional failover is triggered to choose a new write region)."},{"name":"NewWriteRegion","type":"string","description":"The new write region for the Cosmos DB account (after a user-initiated failover operation is executed)."},{"name":"IpRangeFilter","type":"string","description":"The IP range filter (IP firewall rule) specified for the Cosmos DB account."},{"name":"EnableVirtualNetworkFilter","type":"bool","description":"Boolean flag indicating if VNet filters were enabled for the account."},{"name":"VirtualNetworkResourceEntries","type":"string","description":"The list of IP addresses being included as part of the VNet rule for the account."},{"name":"EnablePrivateEndpointConnection","type":"bool","description":"Boolean flag to enable private endpoints for the Cosmos DB account."},{"name":"PrivateEndpointConnections","type":"string","description":"The list of private endpoints for the Cosmos DB account (in each region)."},{"name":"PrivateEndpointArmUrl","type":"string","description":"The ARM URL of the private endpoint created for the account."},{"name":"DefaultConsistencyLevel","type":"string","description":"The default consistency level for the Cosmos DB account."},{"name":"EnableAutomaticFailover","type":"bool","description":"Boolean flag to enable automatic failover for the Cosmos DB account."},{"name":"MaxStalenessIntervalInSeconds","type":"real","description":"The maximum staleness value (in seconds) for the Cosmos DB account when using the Bounded Staleness consistency 
setting."},{"name":"MaxStalenessPrefix","type":"string","description":"The max staleness prefix for the Cosmos DB account when using the Bounded Staleness consistency setting."},{"name":"MultipleWriteLocations","type":"bool","description":"Boolean flag indicating if the Cosmos DB account is a multi-master account."},{"name":"Cors","type":"string","description":"Collection of account’s Cross Origin Resource Sharing Rules"},{"name":"BackupIntervalInMinutes","type":"int","description":"The time (in minutes) between consecutive backup snapshots for the Cosmos DB account. Valid range: 60 - 1440 minutes."},{"name":"BackupRetentionIntervalInHours","type":"int","description":"The duration of time (in hours) for which backup snapshots are retained for the Cosmos DB account. Valid range: 8 - 720 hours."},{"name":"BackupStorageRedundancy","type":"string","description":"The type of backup storage redundancy for the Cosmos DB account."},{"name":"TargetBackupMode","type":"string","description":"The backup mode after update. This can be either Continuous or Periodic."},{"name":"TargetContinuousTier","type":"string","description":"The continuous tier after updating. 
This can be either Continuous7Days or Continuous30Days."},{"name":"VnetResourceGroupName","type":"string","description":"The name of the resource group within which the VNet is created."},{"name":"VirtualNetworkName","type":"string","description":"The name of the VNet for the account."},{"name":"VnetDatabaseAccountEntries","type":"string","description":"The list of virtual networks specified for the account."},{"name":"AcledSubnets","type":"string","description":"The ACL’d subnets for the account."},{"name":"VnetLocation","type":"string","description":"The Azure region in which the VNet for the account is located."},{"name":"VnetArmUrl","type":"string","description":"The ARM URL for the VNet for the account."},{"name":"SqlQueryTextTraceType","type":"bool","description":"Boolean flag indicating if full query text logging is enabled."},{"name":"EnableDataPlaneRequestsTrace","type":"bool","description":"Boolean flag indicating if diagnostic logs are enabled for all Data Plane Operations."},{"name":"EnableControlPlaneRequestsTrace","type":"bool","description":"Boolean flag indicating if diagnostic logs are enabled for Control Plane operations."},{"name":"EnableMongoRequestsTrace","type":"bool","description":"Boolean flag indicating if diagnostic logs are enabled for all Mongo API operations."},{"name":"EnableCassandraRequestsTrace","type":"bool","description":"Boolean flag indicating if diagnostic logs are enabled for all Cassandra API operations."},{"name":"EnableGremlinRequestsTrace","type":"bool","description":"Boolean flag indicating if diagnostic logs are enabled for Gremlin operations."},{"name":"DurationMs","type":"real","description":"The time taken (in milliseconds) for this control plane operation to complete."},{"name":"RoleDefinitionId","type":"string","description":"The Id of the IAM role created for the account."},{"name":"RoleDefinitionName","type":"string","description":"The name of the IAM role created for the 
account."},{"name":"RoleDefinitionType","type":"string","description":"The type of IAM role created for the account."},{"name":"RoleDefinitionAssignableScopes","type":"string","description":"The assignable scopes for the IAM role created for the account."},{"name":"RoleDefinitionPermissions","type":"string","description":"The permissions associated with the IAM role created for the account."},{"name":"RoleAssignmentId","type":"string","description":"The role assignment Id for the IAM role created for the account."},{"name":"AssociatedRoleDefinitionId","type":"string","description":"The ID of the IAM role definition for the IAM role created for the account."},{"name":"RoleAssignmentPrincipalId","type":"string","description":"The Principal ID associated with the IAM Role Assignment created for the account."},{"name":"RoleAssignmentPrincipalType","type":"string","description":"The Principal type of the IAM role assignment created for the account."},{"name":"RoleAssignmentScope","type":"string","description":"The scope of access for the IAM role created for the account."},{"name":"ApiKind","type":"string","description":"The API kind for the account (SQL, Graph, Mongo, Cassandra, Table) that is specified during account creation."},{"name":"ApiKindResourceType","type":"string","description":"The resource against which this Control Plane operation was executed (e.g. Database, Container etc.)"},{"name":"OperationType","type":"string","description":"The type of control plane operation, which was executed. Examples of operations include Add/Remove region, Indexing Policy updates, VNet and firewall rule creation, Backup Retention Policy changes etc."},{"name":"ResourceUri","type":"string","description":"The URI of the Cosmos DB resource (e.g. Database, Container) against which the control plane operation was executed."},{"name":"ResourceDetails","type":"string","description":"The specific resource within the account against which the Control Plane Operation was executed. 
For e.g. the index for the container for which the indexing policy was created or updated."},{"name":"IsServiceManagedFailover","type":"bool","description":"Boolean flag to indicate if the failover event was initiated by the service or by the customer."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.documentdb/databaseaccounts"],"solutions":["LogManagement"]}},{"id":"CDBDataPlaneRequests","name":"CDBDataPlaneRequests","tableType":"Microsoft","description":"The DataPlaneRequests table captures every data plane operation for the Cosmos DB account. 
Data Plane requests are operations executed to create, update, delete or retrieve data within the account.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the data plane request was issued."},{"name":"AccountName","type":"string","description":"The name of the Cosmos DB account."},{"name":"OperationName","type":"string","description":"The specific data plane operation executed against the account."},{"name":"ConnectionMode","type":"string","description":"The connection mode used by the client issuing the request – (Direct or Gateway mode)."},{"name":"ActivityId","type":"string","description":"The unique identifier (GUID) for this data plane operation"},{"name":"UserAgent","type":"string","description":"The name of the user specified user agent suffix (as specified when initializing the Cosmos DB client) when running in Direct mode."},{"name":"RequestResourceType","type":"string","description":"The Cosmos DB resource type within the account against which the data plane request was executed, can be one of Database, Collection, Document, Attachment, User, Permission, StoredProcedure, Trigger, UserDefinedFunction, Offer."},{"name":"RequestResourceId","type":"string","description":"The ID of the specific Cosmos DB resource within the account against which the data plane request was executed."},{"name":"StatusCode","type":"int","description":"The HTTP status code response for the data plane request, highlighting details of the success/failure of the request."},{"name":"ClientIpAddress","type":"string","description":"The IP address of the client VM issuing the request."},{"name":"RequestCharge","type":"real","description":"The RUs (Request Units) consumed by this operation."},{"name":"DurationMs","type":"real","description":"The server-side execution time (in milliseconds) for this 
request."},{"name":"RequestLength","type":"real","description":"The payload size (in bytes) for the request."},{"name":"ResponseLength","type":"real","description":"The payload size (in bytes) of the server response."},{"name":"RegionName","type":"string","description":"The Azure region to which this request was issued."},{"name":"PartitionId","type":"string","description":"The physical partition ID for the Cosmos DB container against which the request was issued."},{"name":"AadAppliedRoleAssignmentId","type":"string","description":"The ID of the applied role assignment for the caller issuing the data plane request."},{"name":"AadPrincipalId","type":"string","description":"The AAD Principal ID of the caller issuing the data plane request."},{"name":"DatabaseName","type":"string","description":"The Cosmos DB database against which the request was issued."},{"name":"CollectionName","type":"string","description":"The Cosmos DB container against which the request was issued."},{"name":"ResourceTokenPermissionId","type":"string","description":"The ID of the resource token associated with the resource accessed by this request."},{"name":"ResourceTokenPermissionMode","type":"string","description":"The permission mode of the resource token associated with the resource accessed by this request."},{"name":"ResourceTokenUserRid","type":"string","description":"The user ID associated with the resource token for the resource accessed by this request."},{"name":"KeyType","type":"string","description":"The authorization type (Primary/Secondary Read/Write key) for this request when running in Direct mode."},{"name":"AuthTokenType","type":"string","description":"The authorization type (System Read/Write key) for this request by the Cosmos DB Gateway service when running in Gateway mode or using the REST API."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.documentdb/databaseaccounts"],"solutions":["LogManagement"]}},{"id":"CDBDataPlaneRequests15M","name":"CDBDataPlaneRequests15M","tableType":"Microsoft","description":"The CDBDataPlaneRequests15M table consolidates logs for data-plane requests every fifteen minutes. These logs are aggregated based on the columns in the CDBDataPlaneRequests table. For detailed information about the log context, please refer to the CDBDataPlaneRequests table.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) of the 15 minute interval for the aggregation."},{"name":"AccountName","type":"string","description":"The name of the Cosmos DB account."},{"name":"OperationName","type":"string","description":"The specific data plane operation executed against the account."},{"name":"ConnectionMode","type":"string","description":"The connection mode used by the client issuing the requests in the interval – (Direct or Gateway mode)."},{"name":"UserAgent","type":"string","description":"The name of the user specified user agent suffix (as specified when initializing the Cosmos DB client) when running in Direct mode."},{"name":"RequestResourceType","type":"string","description":"The Cosmos DB resource type within the account against which the data plane requests in the interval were executed, can be one of Database, Collection, Document, Attachment, User, Permission, StoredProcedure, Trigger, UserDefinedFunction, 
Offer."},{"name":"RequestResourceId","type":"string","description":"Deprecated. The ID of the specific Cosmos DB resource within the account against which the data plane requests in the interval were executed."},{"name":"StatusCode","type":"int","description":"The HTTP status code response for the data plane request set, highlighting details of the success/failure of the request set."},{"name":"ClientIpAddress","type":"string","description":"The IP address of the client VM issuing the requests in the interval."},{"name":"TotalRequestCharge","type":"real","description":"The total RUs (Request Units) consumed by all operations in this interval."},{"name":"AvgRequestCharge","type":"real","description":"The average RUs (Request Units) consumed by an operation in this interval."},{"name":"MaxRequestCharge","type":"real","description":"The maximum number of RUs (Request Units) consumed by an operation in this interval."},{"name":"TotalDurationMs","type":"real","description":"The sum of the server-side execution times (in milliseconds) for the requests in this interval."},{"name":"AvgDurationMs","type":"real","description":"The average server-side execution time (in milliseconds) for the requests in this interval."},{"name":"MaxDurationMs","type":"real","description":"The highest server-side execution time (in milliseconds) of a request in this interval."},{"name":"TotalRequestLength","type":"real","description":"The total payload size (in bytes) for all requests in this interval."},{"name":"AvgRequestLength","type":"real","description":"The average payload size (in bytes) for the requests in this interval."},{"name":"MaxRequestLength","type":"real","description":"The highest payload size (in bytes) for a request in this interval."},{"name":"TotalResponseLength","type":"real","description":"The total payload size (in bytes) of the server response in this interval."},{"name":"AvgResponseLength","type":"real","description":"The average payload size (in bytes) of the 
server response in this interval."},{"name":"MaxResponseLength","type":"real","description":"The highest payload size (in bytes) of the server response in this aggregation."},{"name":"RegionName","type":"string","description":"The Azure region to which the requests in this interval were issued."},{"name":"PartitionId","type":"string","description":"The physical partition ID for the Cosmos DB container against which the requests in this interval were issued."},{"name":"AadAppliedRoleAssignmentId","type":"string","description":"The ID of the applied role assignment for the caller issuing the data plane requests in this interval."},{"name":"AadPrincipalId","type":"string","description":"The AAD Principal ID of the caller issuing the data plane requests in this interval."},{"name":"DatabaseName","type":"string","description":"The Cosmos DB database against which the requests in this interval were issued."},{"name":"CollectionName","type":"string","description":"The Cosmos DB container against which the requests in this interval were issued."},{"name":"ResourceTokenPermissionId","type":"string","description":"The ID of the resource token associated with the resource accessed by the requests in this interval."},{"name":"ResourceTokenPermissionMode","type":"string","description":"The permission mode of the resource token associated with the resource accessed by the requests in this interval."},{"name":"ResourceTokenUserRid","type":"string","description":"The user ID associated with the resource token for the resource accessed by the requests in this interval."},{"name":"KeyType","type":"string","description":"The authorization type (Primary/Secondary Read/Write key) for this request set when running in Direct mode."},{"name":"AuthTokenType","type":"string","description":"The authorization type (System Read/Write key) for this request set by the Cosmos DB Gateway service when running in Gateway mode or using the REST 
API."},{"name":"RequestCount","type":"real","description":"The number of requests aggregated in this interval."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.documentdb/databaseaccounts"],"solutions":["LogManagement"]}},{"id":"CDBDataPlaneRequests5M","name":"CDBDataPlaneRequests5M","tableType":"Microsoft","description":"The CDBDataPlaneRequests5M table consolidates logs for data-plane requests every five minutes. These logs are aggregated based on the columns in the CDBDataPlaneRequests table. For detailed information about the log context, please refer to the CDBDataPlaneRequests table.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) of the 5 minute interval for the aggregation."},{"name":"AccountName","type":"string","description":"The name of the Cosmos DB account."},{"name":"OperationName","type":"string","description":"The specific data plane operation executed against the account."},{"name":"ConnectionMode","type":"string","description":"The connection mode used by the client issuing the requests in the interval – (Direct or Gateway mode)."},{"name":"UserAgent","type":"string","description":"The name of the user specified user agent suffix (as specified when initializing the Cosmos DB client) when running in Direct mode."},{"name":"RequestResourceType","type":"string","description":"The Cosmos DB resource type within the account 
against which the data plane requests in the interval were executed, can be one of Database, Collection, Document, Attachment, User, Permission, StoredProcedure, Trigger, UserDefinedFunction, Offer."},{"name":"RequestResourceId","type":"string","description":"Deprecated. The ID of the specific Cosmos DB resource within the account against which the data plane requests in the interval were executed."},{"name":"StatusCode","type":"int","description":"The HTTP status code response for the data plane request, highlighting details of the success/failure of the request."},{"name":"ClientIpAddress","type":"string","description":"The IP address of the client VM issuing the requests in the interval."},{"name":"TotalRequestCharge","type":"real","description":"The total RUs (Request Units) consumed by all operations in this interval."},{"name":"AvgRequestCharge","type":"real","description":"The average RUs (Request Units) consumed by an operation in this interval."},{"name":"MaxRequestCharge","type":"real","description":"The maximum number of RUs (Request Units) consumed by an operation in this interval."},{"name":"TotalDurationMs","type":"real","description":"The sum of the server-side execution times (in milliseconds) for the requests in this interval."},{"name":"AvgDurationMs","type":"real","description":"The average server-side execution time (in milliseconds) for the requests in this interval."},{"name":"MaxDurationMs","type":"real","description":"The highest server-side execution time (in milliseconds) of a request in this interval."},{"name":"TotalRequestLength","type":"real","description":"The total payload size (in bytes) for all requests in this interval."},{"name":"AvgRequestLength","type":"real","description":"The average payload size (in bytes) for the requests in this interval."},{"name":"MaxRequestLength","type":"real","description":"The highest payload size (in bytes) for a request in this 
interval."},{"name":"TotalResponseLength","type":"real","description":"The total payload size (in bytes) of the server response in this interval."},{"name":"AvgResponseLength","type":"real","description":"The average payload size (in bytes) of the server response in this interval."},{"name":"MaxResponseLength","type":"real","description":"The highest payload size (in bytes) of the server response in this aggregation."},{"name":"RegionName","type":"string","description":"The Azure region to which the requests in this interval were issued."},{"name":"PartitionId","type":"string","description":"The physical partition ID for the Cosmos DB container against which the requests in this interval were issued."},{"name":"AadAppliedRoleAssignmentId","type":"string","description":"The ID of the applied role assignment for the caller issuing the data plane requests in this interval."},{"name":"AadPrincipalId","type":"string","description":"The AAD Principal ID of the caller issuing the data plane requests in this interval."},{"name":"DatabaseName","type":"string","description":"The Cosmos DB database against which the requests in this interval were issued."},{"name":"CollectionName","type":"string","description":"The Cosmos DB container against which the requests in this interval were issued."},{"name":"ResourceTokenPermissionId","type":"string","description":"The ID of the resource token associated with the resource accessed by the requests in this interval."},{"name":"ResourceTokenPermissionMode","type":"string","description":"The permission mode of the resource token associated with the resource accessed by the requests in this interval."},{"name":"ResourceTokenUserRid","type":"string","description":"The user ID associated with the resource token for the resource accessed by the requests in this interval."},{"name":"KeyType","type":"string","description":"The authorization type (Primary/Secondary Read/Write key) for this request set when running in Direct 
mode."},{"name":"AuthTokenType","type":"string","description":"The authorization type (System Read/Write key) for this request set by the Cosmos DB Gateway service when running in Gateway mode or using the REST API."},{"name":"RequestCount","type":"real","description":"The number of requests aggregated in this interval."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.documentdb/databaseaccounts"],"solutions":["LogManagement"]}},{"id":"CDBGremlinRequests","name":"CDBGremlinRequests","tableType":"Microsoft","description":"This table details data plane operations, specifically for Graph API accounts.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when this Graph API operation was executed on the server."},{"name":"AccountName","type":"string","description":"The name of the Cosmos DB account against which this request was issued."},{"name":"OperationName","type":"string","description":"The name of the Gremlin operation that was executed."},{"name":"UserAgent","type":"string","description":"The user agent suffix of the client issuing the request."},{"name":"ErrorCode","type":"string","description":"The error code (if applicable) for this request."},{"name":"AuthorizationTokenType","type":"string","description":"The authorization token used for this request."},{"name":"RetryCount","type":"int","description":"The number of server side retries 
issued for this request."},{"name":"Address","type":"string","description":"The IP address of the client, which issued this request."},{"name":"PIICommandText","type":"string","description":"Full query with parameters (if opted in) for this request."},{"name":"RateLimitingDelayMs","type":"real","description":"The estimated time (in ms) spent retrying due to rate limited operations."},{"name":"RetriedDueToRateLimiting","type":"bool","description":"Boolean flag indicating if this request was retried server side due to throttles."},{"name":"DatabaseName","type":"string","description":"The name of the Cosmos DB database against which this request was issued."},{"name":"CollectionName","type":"string","description":"The name of the Cosmos DB table/container against which this request was issued."},{"name":"DurationMs","type":"real","description":"The server-side execution time (in ms) for this request."},{"name":"RequestCharge","type":"real","description":"The RUs (Request Units) consumed by this operation."},{"name":"RequestLength","type":"real","description":"The payload size (in bytes) of the request."},{"name":"ResponseLength","type":"real","description":"The payload size (in bytes) of the server response."},{"name":"RegionName","type":"string","description":"The region against which this request was issued."},{"name":"ActivityId","type":"string","description":"The unique identifier (GUID) for this Graph API request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.documentdb/databaseaccounts"],"solutions":["LogManagement"]}},{"id":"CDBMongoRequests","name":"CDBMongoRequests","tableType":"Microsoft","description":"This table details data plane operations, specifically for Mongo API accounts.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) of the Mongo API data plane request."},{"name":"AccountName","type":"string","description":"The name of the Cosmos DB account against which this Mongo API request was issued."},{"name":"OperationName","type":"string","description":"The Mongo API operation that was executed "},{"name":"UserAgent","type":"string","description":"The user agent suffix associated with the client issuing the request."},{"name":"OpCode","type":"string","description":"The operation code for the Mongo API request."},{"name":"ActivityId","type":"string","description":"The unique identifier (GUID) for this Mongo API request."},{"name":"ErrorCode","type":"string","description":"The error code (if applicable) for this request."},{"name":"DurationMs","type":"real","description":"The server-side execution time (in ms) for this request."},{"name":"RequestCharge","type":"real","description":"The RU (Request Unit) consumption for this request."},{"name":"DatabaseName","type":"string","description":"The name of the Cosmos DB database against which this request was issued."},{"name":"CollectionName","type":"string","description":"The name of the Cosmos DB container against which this request was issued."},{"name":"AuthorizationTokenType","type":"string","description":"The authorization token used for this request."},{"name":"RetryCount","type":"int","description":"The number of server side retries executed for this request."},{"name":"Address","type":"string","description":"The IP 
address of the client VM which issued the request."},{"name":"PIICommandText","type":"string","description":"Full text query (if opted in) for this Mongo API request."},{"name":"RateLimitingDelayMs","type":"real","description":"The estimated time (in ms) spent retrying due to rate limited operations."},{"name":"RetriedDueToRateLimiting","type":"bool","description":"Boolean flag indicating if this request was retried server side due to throttles."},{"name":"RegionName","type":"string","description":"The region against which this request was issued."},{"name":"RequestLength","type":"real","description":"The payload size (in bytes) of the request."},{"name":"ResponseLength","type":"real","description":"The payload size (in bytes) of the server response."},{"name":"UserId","type":"string","description":"The user ID associated with the client issuing the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.documentdb/databaseaccounts"],"solutions":["LogManagement"]}},{"id":"CDBPartitionKeyRUConsumption","name":"CDBPartitionKeyRUConsumption","tableType":"Microsoft","description":"This table details the RU (Request Unit) consumption for logical partition keys in each region, within each of their physical partitions. 
This data can be used to identify hot partitions from a request volume perspective.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the request against the physical partition was issued."},{"name":"AccountName","type":"string","description":"The name of the Cosmos DB account containing the physical partition."},{"name":"ActivityId","type":"string","description":"The unique identifier (GUID) which can be correlated with the CDBDataPlaneRequests table for additional debugging."},{"name":"PartitionKey","type":"string","description":"The logical partition key for which RU (Request Unit) consumption statistics were retrieved."},{"name":"PartitionKeyRangeId","type":"string","description":"The physical partition containing the logical partition key against which the RU (Request Unit) consuming operation was issued."},{"name":"OperationName","type":"string","description":"The data plane operation that consumed RUs (Request Units) for this logical partition key."},{"name":"RegionName","type":"string","description":"The Azure region from which statistics for this partition were retrieved."},{"name":"DatabaseName","type":"string","description":"The name of the Cosmos DB database, which contains the partition."},{"name":"CollectionName","type":"string","description":"The name of the Cosmos DB collection, which contains the partition."},{"name":"RequestCharge","type":"real","description":"The RUs (Request Units) consumed by this request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique 
identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.documentdb/databaseaccounts"],"solutions":["LogManagement"]}},{"id":"CDBPartitionKeyStatistics","name":"CDBPartitionKeyStatistics","tableType":"Microsoft","description":"This table provides outlier logical partition keys that have consumed more storage space than others. Statistics are based on a sub-sampling of partition keys within the collection and hence these are approximate. Partition keys that are below 1GB of storage may not show up in the reported statistics.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when statistics for this logical partition key were generated."},{"name":"AccountName","type":"string","description":"The name of the Cosmos DB account containing the dataset for which partition key stats were generated."},{"name":"RegionName","type":"string","description":"The Azure region from which statistics for this partition were retrieved."},{"name":"PartitionKey","type":"string","description":"The logical partition key for which storage statistics were retrieved."},{"name":"SizeKb","type":"int","description":"The storage size (in KB) for the logical partition key within the physical partition."},{"name":"DatabaseName","type":"string","description":"The name of the Cosmos DB database, which contains the partition."},{"name":"CollectionName","type":"string","description":"The name of the Cosmos DB collection, which contains the partition."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.documentdb/databaseaccounts"],"solutions":["LogManagement"]}},{"id":"CDBQueryRuntimeStatistics","name":"CDBQueryRuntimeStatistics","tableType":"Microsoft","description":"This table details query operations executed against a SQL API account. By default, the query text and its parameters are obfuscated to avoid logging PII data; full text query logging is available by request.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when this query operation was executed."},{"name":"AccountName","type":"string","description":"The name of the Cosmos DB account against which the query operation was issued."},{"name":"DatabaseName","type":"string","description":"The name of the Cosmos DB database containing the Cosmos DB container against which this query was issued."},{"name":"CollectionName","type":"string","description":"The name of the Cosmos DB container against which this query was issued."},{"name":"PartitionKeyRangeId","type":"string","description":"The physical partition to which this query was issued."},{"name":"QueryText","type":"string","description":"The query text (obfuscated by default, full query string provided upon request) for the operation."},{"name":"ActivityId","type":"string","description":"The unique identifier (GUID) for each execution of this query, which can be correlated with the CDBDataPlaneRequests table for additional debugging."},{"name":"CorrelatedActivityId","type":"string","description":"The unique identifier (GUID) for this query operation, which can be used to link multiple executions of the same 
query."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.documentdb/databaseaccounts"],"solutions":["LogManagement"]}},{"id":"CDBTableApiRequests","name":"CDBTableApiRequests","tableType":"Microsoft","description":"This table details data plane operations, specifically for Table API accounts.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) of the Table API data plane request."},{"name":"AccountName","type":"string","description":"The name of the Cosmos DB account against which this request was issued."},{"name":"OperationName","type":"string","description":"The Table API operation that was executed."},{"name":"UserAgent","type":"string","description":"The user agent suffix of the client issuing the request."},{"name":"ActivityId","type":"string","description":"The unique identifier (GUID) for this Table API request."},{"name":"ErrorCode","type":"string","description":"The error code (if applicable) for this request."},{"name":"DurationMs","type":"real","description":"The server side execution time (in ms) for this request."},{"name":"RequestCharge","type":"real","description":"The RU (Request Unit) consumption for this request."},{"name":"TableName","type":"string","description":"The name of the Cosmos DB table against which this request was issued."},{"name":"AuthorizationTokenType","type":"string","description":"The authorization token 
used for this request."},{"name":"Address","type":"string","description":"The IP address of the client that issued this request."},{"name":"ClientRequestId","type":"string","description":"The unique client request identifier (GUID) for this Table API request."},{"name":"PIICommandText","type":"string","description":"Full query text with parameters (if opted in) for this request."},{"name":"RegionName","type":"string","description":"The region against which this request was issued."},{"name":"RequestLength","type":"real","description":"The payload size (in bytes) of the request."},{"name":"ResponseLength","type":"real","description":"The payload size (in bytes) of the server response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.documentdb/databaseaccounts"],"solutions":["LogManagement"]}},{"id":"CIEventsAudit","name":"CIEventsAudit","tableType":"Microsoft","description":"All API requests in the context of the Customer Insights instance, for example all user actions while configuring and using the instance. 
POST|PUT|DELETE|PATCH operations go into this category.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"EventType","type":"string","description":"Always ApiEvent, marking the log event as API event."},{"name":"OperationName","type":"string","description":"Name of the operation represented by this event."},{"name":"CorrelationId","type":"string","description":"The ID for the correlated events. Can be used to identify correlated events between multiple tables."},{"name":"Category","type":"string","description":"Log category of the event. Either Operational or Audit. All POST/PUT/PATCH/DELETE HTTP Requests are tagged with Audit, everything else with Operational."},{"name":"ResultType","type":"string","description":"Status of the event. Running, Skipped, Successful, Failure."},{"name":"ResultSignature","type":"string","description":"Sub status of the event. 
If the operation corresponds to a REST API call, it's the HTTP status code."},{"name":"DurationMs","type":"long","description":"Duration of the operation in milliseconds."},{"name":"CallerIPAddress","type":"string","description":"Caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address."},{"name":"UserAgent","type":"string","description":"Browser agent sending the request or unknown."},{"name":"Method","type":"string","description":"HTTP method: GET/POST/PUT/PATCH/HEAD"},{"name":"Path","type":"string","description":"Relative path of the request."},{"name":"Origin","type":"string","description":"URI indicating where a fetch originates from or unknown."},{"name":"OperationStatus","type":"string","description":"Success for HTTP status code = 500."},{"name":"CallerObjectId","type":"string","description":"Azure Active Directory ObjectId of the caller."},{"name":"InstanceId","type":"string","description":"Customer Insights instanceId."},{"name":"UserRole","type":"string","description":"Assigned role for the user or app."},{"name":"RequiredRoles","type":"string","description":"Required roles to do the operation. Admin role is allowed to do all operations."},{"name":"Claims","type":"string","description":"Claims of the user or app JSON web token (JWT). 
Claim properties vary per organization and the Azure Active Directory configuration."},{"name":"UserPrincipalName","type":"string","description":"The UserPrincipalName is the Azure AD username for the user accounts."},{"name":"Audience","type":"string","description":"The audience for which the accessToken was requested."},{"name":"Level","type":"string","description":"Severity level of the event; one of: Informational, Warning, Error, or Critical."},{"name":"Uri","type":"string","description":"Absolute request URI."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.d365customerinsights/instances"],"solutions":["LogManagement"],"queries":["d42180dc-be37-4b53-9c02-302848dfff5f","c72b0389-6dc7-40de-9e90-ce5ade614d46","427943d1-85ad-4fc2-b268-3da41e4a6c1a","e71bcfbf-4518-41ea-b013-80e249d62c28","bd46892d-853b-4b2e-a72d-040189673031"]}},{"id":"CIEventsOperational","name":"CIEventsOperational","tableType":"Microsoft","description":"Events generated using the service, for example GET requests or the execution events of a workflow.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp of the event (UTC)."},{"name":"EventType","type":"string","description":"The type of the event. Either ApiEvent or WorkflowEvent"},{"name":"OperationName","type":"string","description":"Name of the operation represented by this event. 
{OperationType}.[WorkFlow|Task][Started|Completed]."},{"name":"CorrelationId","type":"string","description":"The ID for the correlated events. Can be used to identify correlated events between multiple tables."},{"name":"ResultType","type":"string","description":"Status of the event. Running, Skipped, Successful, Failure."},{"name":"DurationMs","type":"long","description":"Duration of the operation in milliseconds."},{"name":"Level","type":"string","description":"Severity level of the event, is one of: Informational, Warning or Error."},{"name":"WorkflowJobId","type":"string","description":"Identifier of the workflow run. All Workflow and Tasks events within the workflow execution have the same workflowJobId."},{"name":"OperationType","type":"string","description":"Identifier of the operation."},{"name":"OperationStatus","type":"string","description":"Success for HTTP Status code = 500."},{"name":"TasksCount","type":"int","description":"Workflow only. Number of tasks the Workflow triggers."},{"name":"SubmittedBy","type":"string","description":"Workflow events only. 
The Azure Active Directory objectId of the user who triggered the workflow, see also properties.workflowSubmissionKinds."},{"name":"WorkflowType","type":"string","description":"Full or incremental refresh."},{"name":"WorkflowSubmissionKind","type":"string","description":"OnDemand or Scheduled."},{"name":"WorkflowStatus","type":"string","description":"Running, Successful."},{"name":"StartTime","type":"datetime","description":"Specifies the date and time that the workflow job was started (UTC)"},{"name":"EndTime","type":"datetime","description":"Specifies the date and time that the workflow job ended (UTC)"},{"name":"SubmittedTime","type":"datetime","description":"Specifies the date and time that the workflow job was submitted (UTC)"},{"name":"InstanceId","type":"string","description":"Customer Insights instance ID."},{"name":"Identifier","type":"string","description":"Depending on the OperationType it can be: the guid of the export configuration, the guid of the Enrichment, the Entity Name."},{"name":"FriendlyName","type":"string","description":"User-friendly name of the Export or the Entity which is processed."},{"name":"Error","type":"string","description":"Error Message with more details."},{"name":"AdditionalInformation","type":"string","description":"Contains AffectedEntities, MessageCode and entityCount."},{"name":"Category","type":"string","description":"Log category of the event. Either Operational or Audit. All POST/PUT/PATCH/DELETE HTTP Requests are tagged with Audit, everything else with Operational."},{"name":"ResultSignature","type":"string","description":"Sub status of the event. 
If the operation corresponds to a REST API call, it's the HTTP status code."},{"name":"CallerIPAddress","type":"string","description":"Caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address."},{"name":"UserAgent","type":"string","description":"Browser agent sending the request or unknown."},{"name":"Method","type":"string","description":"HTTP method: GET/POST/PUT/PATCH/HEAD"},{"name":"Path","type":"string","description":"Relative path of the request."},{"name":"Origin","type":"string","description":"URI indicating where a fetch originates from or unknown."},{"name":"CallerObjectId","type":"string","description":"Azure Active Directory ObjectId of the caller."},{"name":"UserRole","type":"string","description":"Assigned role for the user or app."},{"name":"RequiredRoles","type":"string","description":"Required roles to do the operation. Admin role is allowed to do all operations."},{"name":"Claims","type":"string","description":"Claims of the user or app JSON web token (JWT). 
Claim properties vary per organization and the Azure Active Directory configuration."},{"name":"UserPrincipalName","type":"string","description":"The UserPrincipalName is the Azure AD username for the user accounts."},{"name":"Audience","type":"string","description":"The audience for which the accessToken was requested."},{"name":"Uri","type":"string","description":"Absolute request URI."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.d365customerinsights/instances"],"solutions":["LogManagement"],"queries":["6fabff7b-d466-43a6-b5e4-e91acd00a155","5de254d1-fd54-4468-a243-6756670c51ca","e71bcfbf-4518-41ea-b013-80e249d62c28","3888a9d5-61f3-43e1-af05-40cf805d0dc2"]}},{"id":"CampaignInfo","name":"CampaignInfo","tableType":"Microsoft","description":"This table shows information about campaigns identified by Microsoft Defender for Office 365.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated."},{"name":"CampaignName","type":"string","description":"Name of the email campaign."},{"name":"CampaignId","type":"string","description":"Unique identifier for the campaign, generated by Office 365."},{"name":"CampaignType","type":"string","description":"Category of the campaign."},{"name":"CampaignSubType","type":"string","description":"Contains more details about the campaign, like the brand being phished, or related malware 
campaigns, if available."},{"name":"NetworkMessageId","type":"string","description":"Unique identifier for the email, generated by Office 365."},{"name":"RecipientEmailAddress","type":"string","description":"Email address of the recipient, or email address of the recipient after distribution list expansion."},{"name":"ReportId","type":"string","description":"Unique identifier for the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"CassandraAudit","name":"CassandraAudit","tableType":"Microsoft","description":"Detailed audit records for CQL operations and login attempts.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"ClusterName","type":"string","description":"Cluster name."},{"name":"ClientIP","type":"string","description":"Client IP address."},{"name":"ClientPort","type":"string","description":"Client port."},{"name":"CoordinatorIP","type":"string","description":"Host address of the coordinator node."},{"name":"User","type":"string","description":"Username of the authenticated user."},{"name":"BatchId","type":"string","description":"Internal identifier shared by all statements in a batch operation."},{"name":"Status","type":"string","description":"Value is either ATTEMPT or FAILED."},{"name":"Operation","type":"string","description":"The CQL statement or a textual description of the operation."},{"name":"OperationNaked","type":"string","description":"The CQL statement or a textual description of the operation, without bound values appended to prepared statements."},{"name":"ExternalUserId","type":"string","description":"External user 
identity."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.documentdb/cassandraclusters"],"solutions":["LogManagement"]}},{"id":"CassandraLogs","name":"CassandraLogs","tableType":"Microsoft","description":"Cassandra general logging messages (system.log).","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"ClusterName","type":"string","description":"Cluster name."},{"name":"Level","type":"string","description":"Severity level of the event; one of INFO, WARN, ERROR, or OFF."},{"name":"AddressIp","type":"string","description":"IP address of the node that generated the logging event."},{"name":"ThreadName","type":"string","description":"Name of the thread that generated the logging event."},{"name":"ThreadId","type":"string","description":"ID of the thread that generated the logging event."},{"name":"SourceFile","type":"string","description":"File name where the logging request was issued."},{"name":"SourceLine","type":"int","description":"Line number where the logging request was issued."},{"name":"Message","type":"string","description":"Application supplied message associated with the logging event."},{"name":"Exception","type":"string","description":"Throwable trace bound to the logging event, by default this will output the full trace as one would normally find with a call to 
Throwable.printStackTrace()."},{"name":"EventProduct","type":"string","description":"Product of the logging event, e.g. cassandra, dse, solr."},{"name":"EventCategory","type":"string","description":"Category of the logging event, e.g. startup, garbage_collection, compaction."},{"name":"EventType","type":"string","description":"Type of the logging event, e.g. commit_log_replay_skipped, unknown_table."},{"name":"CassandraKeyspace","type":"string","description":"Cassandra keyspace."},{"name":"CassandraTable","type":"string","description":"Cassandra table."},{"name":"PartitionKey","type":"string","description":"Partition key."},{"name":"PartitionSize","type":"int","description":"Partition size."},{"name":"TombstonedCells","type":"int","description":"The number of tombstoned cells."},{"name":"LiveCells","type":"int","description":"The number of live cells."},{"name":"CassandraKey","type":"string","description":"Cassandra key."},{"name":"RequestedColumns","type":"int","description":"The number of columns requested."},{"name":"SliceStart","type":"string","description":"The start of the column slice, inclusive."},{"name":"SliceEnd","type":"string","description":"The end of the column slice, inclusive."},{"name":"DeletionInfo","type":"string","description":"Deletion info."},{"name":"CodeCacheBefore","type":"long","description":"Code cache before garbage collection (in bytes). Code cache stores native code generated by JVM."},{"name":"CodeCacheAfter","type":"long","description":"Code cache after garbage collection (in bytes). Code cache stores native code generated by JVM."},{"name":"Collections","type":"int","description":"The number of garbage collections."},{"name":"CompressedClassSpaceAfter","type":"long","description":"Compressed class space after garbage collection (in bytes). 
Compressed class space stores class information referred to by the objects in the JavaHeap."},{"name":"CompressedClassSpaceBefore","type":"long","description":"Compressed class space before garbage collection (in bytes). Compressed class space stores class information referred to by the objects in the JavaHeap."},{"name":"DurationMs","type":"int","description":"Duration."},{"name":"EdenSpaceBefore","type":"long","description":"Eden space before garbage collection (in bytes). Eden space is the memory region where objects are allocated when they are created."},{"name":"EdenSpaceAfter","type":"long","description":"Eden space after garbage collection (in bytes). Eden space is the memory region where objects are allocated when they are created."},{"name":"GCType","type":"string","description":"The type of garbage collection, e.g. ParNew, MarkSweepCompact, G1 Old."},{"name":"MaxMemory","type":"long","description":"The maximum amount of memory (in bytes) that can be used for memory management."},{"name":"MetaspaceBefore","type":"long","description":"Metaspace before garbage collection (in bytes). Metaspace stores classes metadata."},{"name":"MetaspaceAfter","type":"long","description":"Metaspace after garbage collection (in bytes). Metaspace stores classes metadata."},{"name":"OldGenAfter","type":"long","description":"Old Generation after garbage collection (in bytes). Old Generation is used to store long surviving objects."},{"name":"OldGenBefore","type":"long","description":"Old Generation before garbage collection (in bytes). Old Generation is used to store long surviving objects."},{"name":"PercentFull","type":"real","description":"The percentage of full heap."},{"name":"PermGenAfter","type":"long","description":"Permanent Generation space after garbage collection (in bytes). 
Permanent generation stores classes metadata (renamed to Metaspace in Java 8)."},{"name":"PermGenBefore","type":"long","description":"Permanent Generation space before garbage collection (in bytes). Permanent generation stores classes metadata (renamed to Metaspace in Java 8)."},{"name":"SurvivorSpaceBefore","type":"long","description":"Survivor space before garbage collection (in bytes). Survivor space stores the objects that have survived the garbage collection of the Eden space."},{"name":"SurvivorSpaceAfter","type":"long","description":"Survivor space after garbage collection (in bytes). Survivor space stores the objects that have survived the garbage collection of the Eden space."},{"name":"UsedMemory","type":"long","description":"The amount of memory currently used (in bytes)."},{"name":"DroppedCrossNodeTimeout","type":"int","description":"The number of messages dropped due to cross node timeout in last 5000ms."},{"name":"DroppedInternalTimeout","type":"int","description":"The number of messages dropped due to internal timeout in last 5000ms."},{"name":"DroppedMessagesType","type":"string","description":"The type of messages dropped in last 5000ms."},{"name":"DroppedMessages","type":"int","description":"The number of messages dropped in last 5000ms."},{"name":"Endpoint","type":"string","description":"IP address of an endpoint."},{"name":"HostId","type":"string","description":"The GUID assigned in the Cassandra cluster to uniquely identify this node. See the system.local table or nodetool status to find information about the host by its HostId."},{"name":"PendingTasks","type":"int","description":"The number of pending tasks in gossip stage."},{"name":"SessionId","type":"string","description":"Unique string identifying what query was running when this log was emitted. 
Use SHOW SESSION to find details of the query's activity."},{"name":"SSTableName","type":"string","description":"SSTable name."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":[],"resourceTypes":["microsoft.documentdb/cassandraclusters"],"solutions":["LogManagement"],"queries":["7f99e5e3-4b53-4ac2-8b96-3f2a5f92c7f9","d2752945-c33f-4a6b-9128-e2f8e2dbf6a1"]}},{"id":"ChaosStudioExperimentEventLogs","name":"ChaosStudioExperimentEventLogs","tableType":"Microsoft","description":"Chaos Studio Experiment Orchestration events. Displays Start/Stop events of each Step/Branch/Action in experiment runs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was generated."},{"name":"OperationName","type":"string","description":"The operation associated with the event."},{"name":"Location","type":"string","description":"The location of the experiment."},{"name":"CorrelationId","type":"string","description":"The ID for the Experiment run."},{"name":"SeverityLevel","type":"string","description":"Severity level of the event, one of: Informational, Warning, Error, Critical."},{"name":"SpanType","type":"string","description":"One of experiment span types: Experiment, Branch, Step, or Action."},{"name":"Status","type":"string","description":"Status of the span. For SpanType of Step or Branch, status is one of Started or Stopped. For Action, status is one of Started, Stopping, Stopped or Failed. 
For Experiment run, status is one of Started, Complete, Cancelling, Cancelled, Failed."},{"name":"Error","type":"string","description":"Error detail of the span."},{"name":"Step","type":"string","description":"Experiment Step ID of the span."},{"name":"Branch","type":"string","description":"Experiment Branch ID of the span."},{"name":"Action","type":"string","description":"Fault name of the action."},{"name":"Target","type":"string","description":"Target resource ID of the fault."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.chaos/experiments"],"solutions":["LogManagement"],"queries":["16191aba-3eee-4973-b338-7077300f32e1","151d25cf-7e9a-48eb-98ff-fe39a595ddff"]}},{"id":"CloudAppEvents","name":"CloudAppEvents","tableType":"Microsoft","description":"Information about activities in various cloud apps and services covered by Microsoft Cloud App Security.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"AccountId","type":"string","description":"An identifier for the account as found by Microsoft Cloud App Security. 
Could be Azure Active Directory ID, user principal name, or other identifiers"},{"name":"AccountType","type":"string","description":"Type of user account, indicating its general role and access levels, such as Regular, System, Admin, Application"},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event"},{"name":"RawEventData","type":"dynamic","description":"Raw event information from the source application or service in JSON format"},{"name":"ReportId","type":"string","description":"Unique identifier for the event"},{"name":"ObjectId","type":"string","description":"Unique identifier of the object that the recorded action was applied to"},{"name":"ObjectType","type":"string","description":"The type of object, such as a file or a folder, that the recorded action was applied to"},{"name":"ObjectName","type":"string","description":"Name of the object that the recorded action was applied to"},{"name":"ActivityObjects","type":"dynamic","description":"List of objects, such as files or folders, that were involved in the recorded activity"},{"name":"ActivityType","type":"string","description":"Type of activity that triggered the event"},{"name":"UserAgent","type":"string","description":"User agent information from the web browser or other client application"},{"name":"ISP","type":"string","description":"Internet service provider associated with the IP address"},{"name":"City","type":"string","description":"City where the client IP address is geolocated"},{"name":"CountryCode","type":"string","description":"Two-letter code indicating the country where the client IP address is geolocated"},{"name":"IsAnonymousProxy","type":"bool","description":"Indicates whether the IP address belongs to a known anonymous proxy"},{"name":"IsExternalUser","type":"bool","description":"Indicates whether a user inside the network doesn't belong to the organization’s domain"},{"name":"IsImpersonated","type":"bool","description":"Indicates 
whether the activity was performed by one user for another (impersonated) user"},{"name":"IPAddress","type":"string","description":"IP address assigned to the device during communication"},{"name":"IPCategory","type":"string","description":"Additional information about the IP address"},{"name":"IPTags","type":"dynamic","description":"Customer-defined information applied to specific IP addresses and IP address ranges"},{"name":"OSPlatform","type":"string","description":"Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7"},{"name":"DeviceType","type":"string","description":"Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer"},{"name":"IsAdminOperation","type":"bool","description":"Indicates whether the activity was performed by an administrator"},{"name":"AccountDisplayName","type":"string","description":"Name displayed in the address book entry for the account user. This is usually a combination of the given name, middle initial, and surname of the user."},{"name":"AccountObjectId","type":"string","description":"Unique identifier for the account in Azure AD"},{"name":"AppInstanceId","type":"int","description":"Unique identifier for the instance of an application"},{"name":"ApplicationId","type":"int","description":"Unique identifier for the application"},{"name":"Application","type":"string","description":"Application that performed the recorded action"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event"},{"name":"UserAgentTags","type":"dynamic","description":"More information provided by Microsoft Defender for Cloud Apps in a tag in the user agent field. 
Can have any of the following values: Native client, Outdated browser, Outdated operating system, Robot"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated"},{"name":"AuditSource","type":"string","description":"Cloud environment source of the cloud audit event. Could be Azure, AWS, GCP, AliCloud or other"},{"name":"LastSeenForUser","type":"dynamic","description":"Number of days since each statistical feature for the user was last seen"},{"name":"OAuthAppId","type":"string","description":"A unique identifier that's assigned to an application when it’s registered to Entra with OAuth 2.0."},{"name":"SessionData","type":"dynamic","description":"Session identifiers (if provided by the audit source)"},{"name":"UncommonForUser","type":"dynamic","description":"List of features observed to be statistically uncommon for the user that performed the activity"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["f3e18c86-c0aa-4d1a-8f30-6e8c6cd3cad2"]}},{"id":"CloudAuditEvents","name":"CloudAuditEvents","tableType":"Microsoft","description":"Contains information about cloud audit events for various cloud platforms protected by the organization's Microsoft Defender for Cloud.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated"},{"name":"ReportId","type":"string","description":"Unique identifier for the event"},{"name":"DataSource","type":"string","description":"Data source for the cloud audit events, can be GCP (for Google Cloud Platform), AWS (for Amazon Web Services), Azure (for Azure Resource Manager), Kubernetes Audit 
(for Kubernetes), or other cloud platforms"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event, can be: Unknown, Create, Read, Update, Delete, Other"},{"name":"OperationName","type":"string","description":"Audit event operation name as it appears in the record, usually includes both resource type and operation"},{"name":"CloudResourceId","type":"string","description":"Unique identifier of the cloud resource accessed"},{"name":"IPAddress","type":"string","description":"The client IP address used to access the cloud resource or control plane"},{"name":"IsAnonymousProxy","type":"bool","description":"Indicates whether the IP address belongs to a known anonymous proxy (1) or not (0)"},{"name":"CountryCode","type":"string","description":"Two-letter code indicating the country where the client IP address is geolocated"},{"name":"City","type":"string","description":"City where the client IP address is geolocated"},{"name":"Isp","type":"string","description":"Internet service provider (ISP) associated with the IP address"},{"name":"UserAgent","type":"string","description":"User agent information from the web browser or other client application"},{"name":"RawEventData","type":"dynamic","description":"Full raw event information from the data source in JSON format"},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the audit event"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["9ad198e4-a2d5-4a5c-926d-fc67f1941a9f","56a5cc12-e9d0-4b30-b566-2b28952db73b","6068c9c7-ce57-40ee-9cb2-bcf4023e9963"]}},{"id":"CloudDnsEvents","name":"CloudDnsEvents","tableType":"Microsoft","description":"Contains information about DNS activity events from cloud infrastructure 
environments.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated"},{"name":"ReportId","type":"string","description":"Unique identifier for the event"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event"},{"name":"AzureResourceId","type":"string","description":"Unique identifier of the Azure resource associated with the process"},{"name":"AwsResourceName","type":"string","description":"Unique identifier specific to Amazon Web Services devices, containing the Amazon resource name"},{"name":"GcpFullResourceName","type":"string","description":"Unique identifier specific to Google Cloud Platform devices, containing a combination of zone and ID for GCP"},{"name":"KubernetesResource","type":"string","description":"Unique identifier for the Kubernetes resource that includes the namespace, resource type and name"},{"name":"KubernetesNamespace","type":"string","description":"The Kubernetes namespace name"},{"name":"KubernetesPodName","type":"string","description":"The Kubernetes pod name"},{"name":"ContainerName","type":"string","description":"Name of the container in Kubernetes or another runtime environment"},{"name":"ContainerId","type":"string","description":"The container identifier in Kubernetes or another runtime environment"},{"name":"ImageName","type":"string","description":"Container image name or ID"},{"name":"ProcessName","type":"string","description":"The name of the process that initiated the DNS query"},{"name":"ProcessId","type":"long","description":"Process ID that initiated the DNS query"},{"name":"DnsEventType","type":"string","description":"Type of event associated with DNS operation (for example, query)"},{"name":"DnsEventSubType","type":"string","description":"Either request or 
response"},{"name":"DnsQuery","type":"string","description":"The domain that needs to be resolved"},{"name":"DnsQueryTypeName","type":"string","description":"The DNS resource record type name as defined by the Internet Assigned Numbers Authority (IANA)"},{"name":"DnsResponseCodeName","type":"string","description":"The DNS response code name as defined by the Internet Assigned Numbers Authority (IANA)."},{"name":"DnsNetworkDuration","type":"long","description":"The DNS request duration in milliseconds"},{"name":"TransactionIdHex","type":"string","description":"The DNS unique hex transaction ID"},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"CloudHsmServiceOperationAuditLogs","name":"CloudHsmServiceOperationAuditLogs","tableType":"Microsoft","description":"This table contains HSM Commands send to your Azure Cloud HSM resource's HSM partitions. These logs capture all HSM operations performed by Customer over E2E channel on each HSM partition of that Cloud HSM resource. 
They can be used to monitor events and configure necessary alerts on your Cloud HSM resource.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the operation occurred."},{"name":"ResultType","type":"string","description":"Result of the request."},{"name":"OperationName","type":"string","description":"Name of the operation"},{"name":"CallerIpAddress","type":"string","description":"IP address of the client that made the request."},{"name":"ClientSdkPackageVersion","type":"string","description":"Version of the client SDK package."},{"name":"MemberId","type":"string","description":"Member ID of HSM in the Cloud HSM cluster."},{"name":"Opcode","type":"string","description":"Operation code in HEX string format."},{"name":"ClientInfo","type":"string","description":"User agent information."},{"name":"Sku","type":"dynamic","description":"Information about the Cloud HSM SKU including family and name."},{"name":"PoolType","type":"string","description":"Cloud HSM pool type."},{"name":"ResultSignature","type":"string","description":"Short signature of the result."},{"name":"ResultDescription","type":"string","description":"More detailed description of the result."},{"name":"DurationMs","type":"int","description":"Time it took to service the request, in milliseconds. 
This does not include the network latency, so the time you measure on the client side might not match this time."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.hardwaresecuritymodules/cloudhsmclusters"],"solutions":["LogManagement"],"queries":["e1d8c76d-8a12-4e91-a04d-1aa38423af60","78169da5-08d5-4abb-a419-8abcae4b8279","711f80bd-d89f-4c07-84f6-e053b0d5c8ed"]}},{"id":"CloudProcessEvents","name":"CloudProcessEvents","tableType":"Microsoft","description":"Contains information about process events in multicloud hosted environments such as Azure Kubernetes Service, Amazon Elastic Kubernetes Service, and Google Kubernetes Engine as protected by the organization's Microsoft Defender for Cloud.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated"},{"name":"AzureResourceId","type":"string","description":"Unique identifier of the Azure resource associated with the process"},{"name":"AwsResourceName","type":"string","description":"Unique identifier specific to Amazon Web Services devices, containing the Amazon resource name"},{"name":"GcpFullResourceName","type":"string","description":"Unique identifier specific to Google Cloud Platform devices, containing a combination of zone and ID for GCP"},{"name":"ContainerImageName","type":"string","description":"The container image name or ID, if it 
exists"},{"name":"KubernetesNamespace","type":"string","description":"The Kubernetes namespace name"},{"name":"KubernetesPodName","type":"string","description":"The Kubernetes pod name"},{"name":"KubernetesResource","type":"string","description":"Identifier value that includes namespace, resource type and name"},{"name":"ContainerName","type":"string","description":"Name of the container in Kubernetes or another runtime environment"},{"name":"ContainerId","type":"string","description":"The container identifier in Kubernetes or another runtime environment"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event. See the in-portal schema reference for details."},{"name":"FileName","type":"string","description":"Name of the file that the recorded action was applied to"},{"name":"FolderPath","type":"string","description":"Folder containing the file that the recorded action was applied to"},{"name":"ProcessId","type":"long","description":"Process ID (PID) of the newly created process"},{"name":"ProcessName","type":"string","description":"The name of the process"},{"name":"ParentProcessName","type":"string","description":"The name of the parent process"},{"name":"ParentProcessId","type":"string","description":"The process ID (PID) of the parent process"},{"name":"ProcessCommandLine","type":"string","description":"Command line used to create the new process"},{"name":"ProcessCreationTime","type":"datetime","description":"Date and time the process was created"},{"name":"ProcessCurrentWorkingDirectory","type":"string","description":"Current working directory of the running process"},{"name":"AccountName","type":"string","description":"User name of the account"},{"name":"LogonId","type":"long","description":"Identifier for a logon session. 
This identifier is unique on the same pod or container between restarts."},{"name":"InitiatingProcessId","type":"string","description":"Process ID (PID) of the process that initiated the event"},{"name":"AdditionalFields","type":"string","description":"Additional information about the event in JSON array format"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["55cf1c68-c638-42eb-84d8-7e76eced6737","20c91d09-47f6-4b2b-8d22-4ef6e6c2b8c4","3b623afd-c690-47fd-9304-e3f678ad715b"]}},{"id":"CloudStorageAggregatedEvents","name":"CloudStorageAggregatedEvents","tableType":"Microsoft","description":"Contains information about storage activity and related events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated"},{"name":"DataAggregationStartTime","type":"datetime","description":"The start time during which the data was aggregated"},{"name":"DataAggregationEndTime","type":"datetime","description":"The end time during which the data was aggregated"},{"name":"DataSource","type":"string","description":"The source of the aggregated logs"},{"name":"AzureSubscriptionId","type":"string","description":"Unique identifier assigned to the Azure subscription"},{"name":"ResourceGroup","type":"string","description":"Name of the resource group where the storage account resides"},{"name":"StorageAccount","type":"string","description":"The identifier for the storage account"},{"name":"StorageContainer","type":"string","description":"The identifier for the storage container"},{"name":"StorageFileShare","type":"string","description":"The identifier for the storage file 
share"},{"name":"ServiceType","type":"string","description":"Specifies the type of storage service (for example, Blob, ADLS Gen2, Files.REST, Files.SMB)"},{"name":"IpAddress","type":"string","description":"The IP addresses from which the storage was accessed"},{"name":"UserAgentHeader","type":"string","description":"Details of the user agent accessing the storage (for example, browser or application)"},{"name":"OperationNamesList","type":"dynamic","description":"A list of storage operations performed (for example, CreateContainer, DeleteContainer)"},{"name":"AuthenticationType","type":"string","description":"The authentication method used to access the storage (for example, AccountKey, SAS, Oauth)"},{"name":"AccountObjectId","type":"string","description":"The unique identifier of the object is making the storage access"},{"name":"AccountTenantId","type":"string","description":"The unique identifier of the Azure tenant"},{"name":"AccountApplicationId","type":"string","description":"The application ID associated with the storage access"},{"name":"AccountUpn","type":"string","description":"The user principal name of the accessing user"},{"name":"AccountType","type":"long","description":"The account type used"},{"name":"OperationsCount","type":"int","description":"The total number of storage operations performed"},{"name":"SuccessfulOperationsCount","type":"int","description":"The count of successful storage operations"},{"name":"FailedOperationsCount","type":"int","description":"The count of failed storage operations"},{"name":"FirstEventTimestamp","type":"datetime","description":"The timestamp of the first observed operation in the aggregation period"},{"name":"LastEventTimestamp","type":"datetime","description":"The timestamp of the last observed operation in the aggregation period"},{"name":"TotalResponseLength","type":"int","description":"The total response length of all GET operations during the aggregation 
period"},{"name":"SuccessfulReadOperations","type":"int","description":"The count of successful read operations"},{"name":"DistinctGetOperations","type":"int","description":"The count of distinct GET operations performed"},{"name":"AnonymousSuccessfulOperations","type":"int","description":"The count of successful anonymous operations"},{"name":"HasAnonymousResourceNotFoundFailures","type":"bool","description":"Indicates whether anonymous resource not found failures occurred"},{"name":"CountryName","type":"string","description":"The name of the country from where the storage was accessed"},{"name":"CityName","type":"string","description":"The name of the city from where the storage was accessed"},{"name":"ProvinceName","type":"string","description":"The name of the province or state from where the storage was accessed"},{"name":"ClientSystemServiceName","type":"string","description":"The name of the system service is in the data center"},{"name":"ClientCloudPlatformName","type":"string","description":"The name of the cloud platform where the data center is located"},{"name":"IsTorExitNode","type":"bool","description":"Indicates whether the IP address is a Tor exit node"},{"name":"IsKnownSuspiciousIp","type":"bool","description":"Indicates whether the IP address is known to be suspicious"},{"name":"IsPrivateIp","type":"bool","description":"Indicates whether the IP address is private"},{"name":"SuspiciousUserAgentName","type":"string","description":"The name of the suspicious user agent accessing the storage"},{"name":"HashReputationMd5List","type":"dynamic","description":"A list of MD5 hash reputations for the accessed resources"},{"name":"AzureResourceId","type":"string","description":"The Azure Resource ID of the storage account"},{"name":"Location","type":"string","description":"The location of the storage account (region)"},{"name":"ReportId","type":"string","description":"GUID to identify the record in the specific 
table"},{"name":"ActionType","type":"string","description":"Type of action (aggregated logs)"},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the event in JSON array format"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["76a0586c-7122-4fc4-abd0-348a6b852174","0d531240-ad3d-4714-91a9-3e36bf51a607","0cd8d3ed-6d62-4bf4-b854-3a5ca4b8c25c"]}},{"id":"CommonSecurityLog","name":"CommonSecurityLog","tableType":"Microsoft","description":"This table is for collecting events in the Common Event Format, that are most often sent from different security appliances such as Check Point, Palo Alto and more.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Event collection time in UTC."},{"name":"DeviceVendor","type":"string","description":"String that together with device product and version definitions, uniquely identifies the type of sending device."},{"name":"DeviceProduct","type":"string","description":"String that together with device product and version definitions, uniquely identifies the type of sending device."},{"name":"DeviceVersion","type":"string","description":"String that together with device product and version definitions, uniquely identifies the type of sending device."},{"name":"DeviceEventClassID","type":"string","description":"String or integer that serves as a unique identifier per event type."},{"name":"Activity","type":"string","description":"A string that represents a human-readable and understandable description of the event."},{"name":"LogSeverity","type":"string","description":"A string or integer that describes the importance of the event. 
Valid string values: Unknown, Low, Medium, High, Very-High. Valid integer values are: 0-3 = Low, 4-6 = Medium, 7-8 = High, 9-10 = Very-High."},{"name":"OriginalLogSeverity","type":"string","description":"A non-mapped version of LogSeverity. For example: Warning/Critical/Info instead of the normalized Low/Medium/High in the LogSeverity field"},{"name":"AdditionalExtensions","type":"string","description":"A placeholder for additional fields. Fields are logged as key-value pairs."},{"name":"DeviceAction","type":"string","description":"The action mentioned in the event."},{"name":"ApplicationProtocol","type":"string","description":"The protocol used in the application, such as HTTP, HTTPS, SSHv2, Telnet, POP, IMAP, IMAPS, and so on."},{"name":"EventCount","type":"int","description":"A count associated with the event, showing how many times the same event was observed."},{"name":"DestinationDnsDomain","type":"string","description":"The DNS part of the fully-qualified domain name (FQDN)."},{"name":"DestinationServiceName","type":"string","description":"The service that is targeted by the event. For example: sshd."},{"name":"DestinationTranslatedAddress","type":"string","description":"Identifies the translated destination referred to by the event in an IP network, as an IPv4 IP address."},{"name":"DestinationTranslatedPort","type":"int","description":"Port after translation, such as by a firewall. Valid port numbers: 0 - 65535."},{"name":"CommunicationDirection","type":"string","description":"Any information about the direction the observed communication has taken. Valid values: 0 = Inbound, 1 = Outbound."},{"name":"DeviceDnsDomain","type":"string","description":"The DNS domain part of the fully qualified domain name (FQDN)."},{"name":"DeviceExternalID","type":"string","description":"A name that uniquely identifies the device generating the event."},{"name":"DeviceFacility","type":"string","description":"The facility generating the event. 
For example: auth or local1."},{"name":"DeviceInboundInterface","type":"string","description":"The interface on which the packet or data entered the device. For example: ethernet1/2."},{"name":"DeviceNtDomain","type":"string","description":"The Windows domain of the device address."},{"name":"DeviceOutboundInterface","type":"string","description":"Interface on which the packet or data left the device."},{"name":"DevicePayloadId","type":"string","description":"Unique identifier for the payload associated with the event."},{"name":"ProcessName","type":"string","description":"Process name associated with the event. For example: in UNIX, the process generating the syslog entry."},{"name":"DeviceTranslatedAddress","type":"string","description":"Identifies the translated device address that the event refers to, in an IP network. The format is an Ipv4 address."},{"name":"DestinationHostName","type":"string","description":"The destination that the event refers to in an IP network. The format should be an FQDN associated with the destination node, when a node is available. For example: host.domain.com or host."},{"name":"DestinationMACAddress","type":"string","description":"The destination MAC address (FQDN)."},{"name":"DestinationNTDomain","type":"string","description":"The Windows domain name of the destination address."},{"name":"DestinationProcessId","type":"int","description":"The ID of the destination process associated with the event."},{"name":"DestinationUserPrivileges","type":"string","description":"Defines the destination user's privileges. Valid values: Administrator, User, Guest."},{"name":"DestinationProcessName","type":"string","description":"The name of the event’s destination process, such as telnetd or sshd."},{"name":"DestinationPort","type":"int","description":"Destination port. 
Valid values: 0 - 65535."},{"name":"DestinationIP","type":"string","description":"The destination IpV4 address that the event refers to in an IP network."},{"name":"DeviceTimeZone","type":"string","description":"Timezone of the device generating the event."},{"name":"DestinationUserID","type":"string","description":"Identifies the destination user by ID. For example: in Unix, the root user is generally associated with the user ID 0."},{"name":"DestinationUserName","type":"string","description":"Identifies the destination user by name."},{"name":"DeviceAddress","type":"string","description":"The IPv4 address of the device generating the event."},{"name":"DeviceName","type":"string","description":"The FQDN associated with the device node, when a node is available. For example: host.domain.com or host."},{"name":"DeviceMacAddress","type":"string","description":"The MAC address of the device generating the event."},{"name":"ProcessID","type":"int","description":"Defines the ID of the process on the device generating the event."},{"name":"EndTime","type":"datetime","description":"The time at which the activity related to the event ended."},{"name":"ExternalID","type":"int","description":"Soon to be a deprecated field. Will be replaced by ExtID."},{"name":"ExtID","type":"string","description":"An ID used by the originating device (will replace legacy ExternalID). Typically, these values have increasing values that are each associated with an event."},{"name":"FileCreateTime","type":"string","description":"Time when the file was created."},{"name":"FileHash","type":"string","description":"Hash of a file."},{"name":"FileID","type":"string","description":"An ID associated with a file, such as the inode."},{"name":"FileModificationTime","type":"string","description":"Time when the file was last modified."},{"name":"FilePath","type":"string","description":"Full path to the file, including the filename. 
For example: C:\\ProgramFiles\\WindowsNT\\Accessories\\wordpad.exe or /usr/bin/zip."},{"name":"FilePermission","type":"string","description":"The file's permissions. For example: '2,1,1'."},{"name":"FileType","type":"string","description":"File type, such as pipe, socket, and so on."},{"name":"FileName","type":"string","description":"The file's name, without the path."},{"name":"FileSize","type":"int","description":"The size of the file in bytes."},{"name":"ReceivedBytes","type":"long","description":"Number of bytes transferred inbound."},{"name":"Message","type":"string","description":"A message that gives more details about the event."},{"name":"OldFileCreateTime","type":"string","description":"Time when the old file was created."},{"name":"OldFileHash","type":"string","description":"Hash of the old file."},{"name":"OldFileID","type":"string","description":"An ID associated with the old file, such as the inode."},{"name":"OldFileModificationTime","type":"string","description":"Time when the old file was last modified."},{"name":"OldFileName","type":"string","description":"Name of the old file."},{"name":"OldFilePath","type":"string","description":"Full path to the old file, including the filename. For example: C:\\ProgramFiles\\WindowsNT\\Accessories\\wordpad.exe or /usr/bin/zip."},{"name":"OldFilePermission","type":"string","description":"Permissions of the old file. For example: '2,1,1'."},{"name":"OldFileSize","type":"int","description":"The size of the old file in bytes."},{"name":"OldFileType","type":"string","description":"File type of the old file, such as a pipe, socket, and so on."},{"name":"SentBytes","type":"long","description":"Number of bytes transferred outbound."},{"name":"EventOutcome","type":"string","description":"Displays the outcome, usually as ‘success’ or ‘failure’."},{"name":"Protocol","type":"string","description":"Transport protocol that identifies the Layer-4 protocol used. 
Possible values include protocol names, such as TCP or UDP."},{"name":"Reason","type":"string","description":"The reason an audit event was generated. For example 'bad password' or 'unknown user'. This could also be an error or return code. Example: '0x1234'."},{"name":"RequestURL","type":"string","description":"The URL accessed for an HTTP request, including the protocol. For example: http://www/secure.com."},{"name":"RequestClientApplication","type":"string","description":"The user agent associated with the request."},{"name":"RequestContext","type":"string","description":"Describes the content from which the request originated, such as the HTTP Referrer."},{"name":"RequestCookies","type":"string","description":"Cookies associated with the request."},{"name":"RequestMethod","type":"string","description":"The method used to access a URL. Valid values include methods such as POST, GET, and so on."},{"name":"ReceiptTime","type":"string","description":"The time at which the event related to the activity was received. Different from the 'TimeGenerated' field, which is when the event was received on the log collector machine."},{"name":"SourceHostName","type":"string","description":"Identifies the source that the event refers to in an IP network. Format should be a fully qualified domain name (FQDN) associated with the source node, when a node is available. 
For example: host or host.domain.com."},{"name":"SourceMACAddress","type":"string","description":"Source MAC address."},{"name":"SourceNTDomain","type":"string","description":"The Windows domain name for the source address."},{"name":"SourceDnsDomain","type":"string","description":"The DNS domain part of the complete FQDN."},{"name":"SourceServiceName","type":"string","description":"The service responsible for generating the event."},{"name":"SourceTranslatedAddress","type":"string","description":"Identifies the translated source that the event refers to in an IP network."},{"name":"SourceTranslatedPort","type":"int","description":"Source port after translation, such as a firewall. Valid port numbers are 0 - 65535."},{"name":"SourceProcessId","type":"int","description":"The ID of the source process associated with the event."},{"name":"SourceUserPrivileges","type":"string","description":"The source user's privileges. Valid values include: Administrator, User, Guest."},{"name":"SourceProcessName","type":"string","description":"The name of the event's source process."},{"name":"SourcePort","type":"int","description":"The source port number. Valid port numbers are 0 - 65535."},{"name":"SourceIP","type":"string","description":"The source that an event refers to in an IP network, as an IPv4 address."},{"name":"StartTime","type":"datetime","description":"The time when the activity that the event refers to started."},{"name":"SourceUserID","type":"string","description":"Identifies the source user by ID."},{"name":"SourceUserName","type":"string","description":"Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field."},{"name":"EventType","type":"int","description":"Event type. Valid values include: 0: base event, 1: aggregated, 2: correlation event, 3: action event. 
Note: This event can be omitted for base events."},{"name":"DeviceEventCategory","type":"string","description":"Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example: '/Monitor/Disk/Read'."},{"name":"DeviceCustomIPv6Address1","type":"string","description":"One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary."},{"name":"DeviceCustomIPv6Address1Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomIPv6Address2","type":"string","description":"One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary."},{"name":"DeviceCustomIPv6Address2Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomIPv6Address3","type":"string","description":"One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary."},{"name":"DeviceCustomIPv6Address3Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomIPv6Address4","type":"string","description":"One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary."},{"name":"DeviceCustomIPv6Address4Label","type":"string","description":"All custom fields have a corresponding label field. 
Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomFloatingPoint1","type":"real","description":"One of four floating point fields available to map fields that do not apply to any other in this dictionary."},{"name":"DeviceCustomFloatingPoint1Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomFloatingPoint2","type":"real","description":"One of four floating point fields available to map fields that do not apply to any other in this dictionary."},{"name":"DeviceCustomFloatingPoint2Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomFloatingPoint3","type":"real","description":"One of four floating point fields available to map fields that do not apply to any other in this dictionary."},{"name":"DeviceCustomFloatingPoint3Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomFloatingPoint4","type":"real","description":"One of four floating point fields available to map fields that do not apply to any other in this dictionary."},{"name":"DeviceCustomFloatingPoint4Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomNumber1","type":"int","description":"Soon to be a deprecated field. Will be replaced by FieldDeviceCustomNumber1."},{"name":"FieldDeviceCustomNumber1","type":"long","description":"One of three number fields available to map fields that do not apply to any other in this dictionary (will replace legacy DeviceCustomNumber1). 
Use sparingly and seek a more specific, dictionary supplied field when possible."},{"name":"DeviceCustomNumber1Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomNumber2","type":"int","description":"Soon to be a deprecated field. Will be replaced by FieldDeviceCustomNumber2."},{"name":"FieldDeviceCustomNumber2","type":"long","description":"One of three number fields available to map fields that do not apply to any other in this dictionary (will replace legacy DeviceCustomNumber2). Use sparingly and seek a more specific, dictionary supplied field when possible."},{"name":"DeviceCustomNumber2Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomNumber3","type":"int","description":"Soon to be a deprecated field. Will be replaced by FieldDeviceCustomNumber3."},{"name":"FieldDeviceCustomNumber3","type":"long","description":"One of three number fields available to map fields that do not apply to any other in this dictionary (will replace legacy DeviceCustomNumber3). Use sparingly and seek a more specific, dictionary supplied field when possible."},{"name":"DeviceCustomNumber3Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomString1","type":"string","description":"One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible."},{"name":"DeviceCustomString1Label","type":"string","description":"All custom fields have a corresponding label field. 
Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomString2","type":"string","description":"One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible."},{"name":"DeviceCustomString2Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomString3","type":"string","description":"One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible."},{"name":"DeviceCustomString3Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomString4","type":"string","description":"One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible."},{"name":"DeviceCustomString4Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomString5","type":"string","description":"One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible."},{"name":"DeviceCustomString5Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomString6","type":"string","description":"One of six strings available to map fields that do not apply to any other in this dictionary. 
Use sparingly and seek a more specific, dictionary supplied field when possible."},{"name":"DeviceCustomString6Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomDate1","type":"string","description":"One of two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible."},{"name":"DeviceCustomDate1Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"DeviceCustomDate2","type":"string","description":"One of two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible."},{"name":"DeviceCustomDate2Label","type":"string","description":"All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field."},{"name":"FlexDate1","type":"string","description":"A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. 
These fields are typically reserved for customer use and should not be set by vendors unless necessary."},{"name":"FlexDate1Label","type":"string","description":"The label field is a string and describes the purpose of the flex field."},{"name":"FlexNumber1","type":"int","description":"Number fields available to map Int data that does not apply to any other field in this dictionary."},{"name":"FlexNumber1Label","type":"string","description":"The label that describes the value in FlexNumber1"},{"name":"FlexNumber2","type":"int","description":"Number fields available to map Int data that does not apply to any other field in this dictionary."},{"name":"FlexNumber2Label","type":"string","description":"The label that describes the value in FlexNumber2"},{"name":"FlexString1","type":"string","description":"One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary."},{"name":"FlexString1Label","type":"string","description":"The label field is a string and describes the purpose of the flex field."},{"name":"FlexString2","type":"string","description":"One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. 
These fields are typically reserved for customer use and should not be set by vendors unless necessary."},{"name":"FlexString2Label","type":"string","description":"The label field is a string and describes the purpose of the flex field."},{"name":"RemoteIP","type":"string","description":"The remote IP address, derived from the event's direction value, if possible."},{"name":"RemotePort","type":"string","description":"The remote port, derived from the event's direction value, if possible."},{"name":"MaliciousIP","type":"string","description":"If one of the IPs in the message was correlated with the current TI feed we have, it will show up here."},{"name":"ThreatSeverity","type":"int","description":"The threat severity of the MaliciousIP according to our TI feed at the time of the record ingestion."},{"name":"IndicatorThreatType","type":"string","description":"The threat type of the MaliciousIP according to our TI feed."},{"name":"ThreatDescription","type":"string","description":"The threat description of the MaliciousIP according to our TI feed."},{"name":"ThreatConfidence","type":"string","description":"The threat confidence of the MaliciousIP according to our TI feed."},{"name":"ReportReferenceLink","type":"string","description":"Link to the report of the TI feed."},{"name":"MaliciousIPLongitude","type":"real","description":"The Longitude of the MaliciousIP according to the GEO information at the time of the record ingestion."},{"name":"MaliciousIPLatitude","type":"real","description":"The Latitude of the MaliciousIP according to the GEO information at the time of the record ingestion."},{"name":"MaliciousIPCountry","type":"string","description":"The country of the MaliciousIP according to the GEO information at the time of the record ingestion."},{"name":"Computer","type":"string","description":"Host, from Syslog."},{"name":"SourceSystem","type":"string","description":"Hard coded- 'OpsManager'."},{"name":"SimplifiedDeviceAction","type":"string","description":"A 
mapped version of DeviceAction, such as Denied > Deny."},{"name":"CollectorHostName","type":"string","description":"The hostname of the collector machine running the agent."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/cef","microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets"],"solutions":["Security","SecurityInsights"],"queries":["1cf50156-0581-4890-8563-e04def3dbd26","86016240-9a8e-4aa3-8195-73609ef95294"]}},{"id":"CommunicationComplianceActivity","name":"CommunicationComplianceActivity","tableType":"Microsoft","description":"Office communication compliance audit logs. Used for monitoring policy compliance violation.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"EventOriginalUid","type":"string","description":"Unique identifier of an audit record."},{"name":"RecordType","type":"string","description":"The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records."},{"name":"TimeGenerated","type":"datetime","description":"The date and time in UTC when the user performed the activity."},{"name":"EventOriginalType","type":"string","description":"The name of the user or admin that performed the activity. 
For a description of the most common operations/activities, see \"Search the audit log\" in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. For Dlp events, this can be \"DlpRuleMatch\", \"DlpRuleUndo\" or \"DlpInfo\", which are described under \"DLP schema\" below."},{"name":"OrganizationId","type":"string","description":"The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."},{"name":"UserType","type":"string","description":"The type of user that performed the operation."},{"name":"ActorUserType","type":"string","description":"The type of user that performed the operation. Possible types includes: Admin, System, Application, Service Principal and Other."},{"name":"ActorUserId","type":"string","description":"An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts."},{"name":"Workload","type":"string","description":"The Office 365 service where the activity occurred."},{"name":"ObjectId","type":"string","description":"For SharePoint and OneDrive for business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet."},{"name":"ActorName","type":"string","description":"The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. 
Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. In SharePoint, another value displayed in the UserId property is app@sharepoint. This indicates that the \"user\" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records."},{"name":"EventProduct","type":"string","description":"The Microsoft service name."},{"name":"EventVendor","type":"string","description":"The vendor service name."},{"name":"IsPolicyHit","type":"bool","description":"Indicates whether there is a hit on a defined policy."},{"name":"SRPolicyId","type":"string","description":"Policy Id."},{"name":"SRPolicyName","type":"string","description":"Policy name."},{"name":"SRRuleMatchDetails","type":"dynamic","description":"Policy matches."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","audit"],"solutions":["SecurityInsights"],"queries":["d6a06676-95e8-4632-b949-44bc00f0793f"]}},{"id":"ComputerGroup","name":"ComputerGroup","tableType":"Microsoft","description":"Computer groups that can be used to scope log queries to a set of computers. 
Includes the computers in each group.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"OpsManager for all records of this type.","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the computer group was created or updated.","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Name of the member computer.","isPreferredFacet":true},{"name":"Group","type":"string","description":"Name of the group.","isPreferredFacet":true},{"name":"GroupId","type":"string","description":"ID of the group."},{"name":"GroupSourceName","type":"string","description":"Name of the source that the group was collected from. For Active Directory this is the domain name.","isPreferredFacet":true},{"name":"GroupSource","type":"string","description":"Source that group was collected from. Possible values are ActiveDirectory WSUSWSUSClientTargeting.","isPreferredFacet":true},{"name":"GroupFullName","type":"string","description":"Full path to the group including the source and source name.","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["monitor","virtualmachines","management"],"solutions":["LogManagement"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines"]}},{"id":"ConfidentialWatchlist","name":"ConfidentialWatchlist","tableType":"Microsoft","description":"Azure Sentinel confidential Watchlist contains imported data from CSV files 
that can be used to join or filter as an alert/incident condition.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isDimensionTable":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was generated."},{"name":"AzureTenantId","type":"string","description":"The AAD tenant ID to which this Watchlist table belongs."},{"name":"WatchlistId","type":"string","description":"The Resource Manager Watchlist resource name."},{"name":"WatchlistItemId","type":"string","description":"The Watchlist item unique ID."},{"name":"WatchlistName","type":"string","description":"The display name of Watchlist."},{"name":"WatchlistAlias","type":"string","description":"The unique string referring to the Watchlist."},{"name":"Source","type":"string","description":"The input source of the Watchlist."},{"name":"Provider","type":"string","description":"The input provider of the Watchlist."},{"name":"CreatedBy","type":"dynamic","description":"The JSON object with the user who created the Watchlist or Watchlist item, including: Object ID, email and name."},{"name":"UpdatedBy","type":"dynamic","description":"The JSON object with the user who last updated the Watchlist or Watchlist item, including: Object ID, email and name."},{"name":"CreatedTimeUTC","type":"datetime","description":"The time (UTC) when the Watchlist or Watchlist item was first created."},{"name":"LastUpdatedTimeUTC","type":"datetime","description":"The time (UTC) when Watchlist or Watchlist item was last updated."},{"name":"Notes","type":"string","description":"The notes provided by user."},{"name":"Tags","type":"string","description":"The JSON array of tags provided by user."},{"name":"DefaultDuration","type":"string","description":"The JSON object describing the default duration to live that each item of a Watchlist should inherit on creation. 
The default duration has this format : P(n)Y(n)M(n)DT(n)H(n)M(n)S, where P, Y, M, DT, H, M and S are invariant. For example, P3Y6M4DT12H30M9S represents a duration of three years, six months, four days, twelve hours, thirty minutes, and nine seconds."},{"name":"TimeToLive","type":"datetime","description":"The time to live for a Watchlist record, expressed as a date and time of day (e.g. 2020-08-20T17:00:00.9618037Z). Its original value is inherited from Watchlist’s default duration. If TimeToLive passes, the record is considered deleted. A record's duration can be extended at any time by updating the TimeToLive value."},{"name":"WatchlistItem","type":"dynamic","description":"The JSON object with key-value pairs from the input Watchlist source."},{"name":"EntityMapping","type":"dynamic","description":"The JSON object with Azure Sentinel entity mapping to input columns."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events."},{"name":"SearchKey","type":"string","description":"The SearchKey is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field to join in other event tables by IP address."},{"name":"WatchlistCategory","type":"string","description":"The Watchlist category provided by user."},{"name":"_DTTimestamp","type":"datetime","description":"The time (UTC) when the event was generated."},{"name":"_DTItemId","type":"string","description":"The Watchlist or Watchlist item unique ID. As an example, a Watchlist 'RiskyUsers' can contain Watchlist item 'Name:John Doe; email:johndoe@contoso.com'. A Watchlist item has unique ID and belongs to a Watchlist. The containing Watchlist can be identified using the 'WatchlistId'."},{"name":"_DTItemType","type":"string","description":"Distinguish between a Watchlist and a Watchlist item. 
As an example, a Watchlist 'RiskyUsers' can contain Watchlist item 'Name:John Doe; email:johndoe@contoso.com'. A Watchlist item type will belong to a Watchlist type and the containing Watchlist can be identified using the 'WatchlistId'."},{"name":"_DTItemStatus","type":"string","description":"Whether the Watchlist or Watchlist item was created, updated or deleted by the user. As an example, a Watchlist 'RiskyUsers' can contain Watchlist item 'Name:John Doe; email:johndoe@contoso.com'. If a Watchlist is added, the status would be 'Created'. If the name of the Watchlist is updated from 'RiskyUsers' to 'RiskyEmployees' the status would be 'Updated'."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["957d87b7-6acf-4cae-85b0-c45c65e69d0d","cc80f907-6e9d-4ec0-99f6-e6dbc2ecd528"]}},{"id":"ConfigurationChange","name":"ConfigurationChange","tableType":"Microsoft","description":"View changes to in-guest configuration data such as Files Software Registry Keys Windows Services and Linux Daemons","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ConfigChangeType","type":"string","description":"Type of configuration item that changed: Files Software WindowsServices Registry Daemons","isPreferredFacet":true},{"name":"ChangeCategory","type":"string","description":"The type of change that occurred: Added Removed Modified","isPreferredFacet":true},{"name":"SourceComputerId","type":"string"},{"name":"SoftwareType","type":"string","description":"Type of the software: Application Package Update","isPreferredFacet":true},{"name":"SoftwareName","type":"string","description":"Name of the software","isPreferredFacet":true},{"name":"Previous","type":"string","description":"Previous 
value"},{"name":"Current","type":"string","description":"Current value"},{"name":"Publisher","type":"string","description":"Software publisher name","isPreferredFacet":true},{"name":"Location","type":"string"},{"name":"SoftwareDescription","type":"string","description":"Description of the software"},{"name":"SvcChangeType","type":"string","description":"Service property that was changed","isPreferredFacet":true},{"name":"SvcDisplayName","type":"string","description":"Human-frinedly name for the service","isPreferredFacet":true},{"name":"SvcName","type":"string","description":"Name of the service","isPreferredFacet":true},{"name":"SvcState","type":"string","description":"Current state of the service","isPreferredFacet":true},{"name":"SvcPreviousState","type":"string","description":"Previous state of the service"},{"name":"SvcStartupType","type":"string","description":"Startup behavior of the service","isPreferredFacet":true},{"name":"SvcPreviousStartupType","type":"string","description":"Previous startup behavior of the service"},{"name":"SvcAccount","type":"string","description":"User account that is associated with the service executable explicitly to provide a security context for the service","isPreferredFacet":true},{"name":"SvcPreviousAccount","type":"string","description":"Previous user account that was associated with the sevice executable"},{"name":"SvcRunlevels","type":"string","description":"Modes used by the daemon for system operation","isPreferredFacet":true},{"name":"SvcPreviousRunlevels","type":"string","description":"Previous modes used by the daemon for system operation"},{"name":"SvcController","type":"string","description":"Parent process for the daemon","isPreferredFacet":true},{"name":"SvcPreviousController","type":"string","description":"Previous parent process for the daemon"},{"name":"SvcPath","type":"string","description":"The file path to the executable for the service"},{"name":"SvcPreviousPath","type":"string","description":"Previous 
file path to the executable for the service"},{"name":"RegistryKey","type":"string","description":"Registry key name","isPreferredFacet":true},{"name":"Hive","type":"string","description":"Registry hive for the changed registry key","isPreferredFacet":true},{"name":"ValueName","type":"string","description":"Name of the value for the registry key being tracked","isPreferredFacet":true},{"name":"ValueData","type":"string","description":"Data contained in the value and registry key being tracked"},{"name":"PreviousValueData","type":"string","description":"Previous registry value data"},{"name":"ValueType","type":"string","description":"Type of the value for the registry key being tracked"},{"name":"PreviousValueType","type":"string","description":"Previous registry value type"},{"name":"Name","type":"string","isPreferredFacet":true},{"name":"FileSystemPath","type":"string","description":"File system path for the changed file"},{"name":"Size","type":"long","description":"Current size of the changed file"},{"name":"PreviousSize","type":"long","description":"Previous file size"},{"name":"DateCreated","type":"datetime","description":"Date that the item was created"},{"name":"PreviousDateCreated","type":"datetime","description":"Previous date created time"},{"name":"DateModified","type":"datetime","description":"Date that the item was last modified"},{"name":"PreviousDateModified","type":"datetime","description":"Previous date modified time"},{"name":"Attributes","type":"string"},{"name":"PreviousAttributes","type":"string","description":"Previous attributes value"},{"name":"Acls","type":"string","description":"The Access-Control List specifies which users or system processes are granted access to objects"},{"name":"PreviousAcls","type":"string","description":"Previous Acl value"},{"name":"FieldsChanged","type":"string","description":"Fields that were changed as part of the change 
record","isPreferredFacet":true},{"name":"FileContentChecksum","type":"string","description":"Checksum of the file content"},{"name":"PreviousFileContentChecksum","type":"string","description":"Previous file content checksum value"},{"name":"SourceSystem","type":"string"},{"name":"ManagementGroupName","type":"string","description":"Name of a resource's assigned management group","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"VMUUID","type":"string"},{"name":"LastSnapshotAge","type":"long","description":"Age of the last snapshot"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["management"],"solutions":["ChangeTracking"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets"]}},{"id":"ConfigurationData","name":"ConfigurationData","tableType":"Microsoft","description":"View the last reported state for in-guest configuration data such as Files Software Registry Keys Windows Services and Linux Daemons","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ConfigDataType","type":"string","description":"Type of configuration item: Files Software WindowsServices Registry Daemons","isPreferredFacet":true},{"name":"SourceComputerId","type":"string"},{"name":"SvcDisplayName","type":"string","description":"Human-frinedly name for the 
service","isPreferredFacet":true},{"name":"SvcName","type":"string","description":"Name of the service","isPreferredFacet":true},{"name":"SvcState","type":"string","description":"Current state of the service","isPreferredFacet":true},{"name":"SvcStartupType","type":"string","description":"Startup behavior of the service","isPreferredFacet":true},{"name":"SvcAccount","type":"string","description":"User account that is associated with the service executable explicitly to provide a security context for the service","isPreferredFacet":true},{"name":"SvcRunlevels","type":"string","description":"Modes used by the daemon for system operation","isPreferredFacet":true},{"name":"SvcController","type":"string","description":"Service property that was changed","isPreferredFacet":true},{"name":"SvcPath","type":"string","description":"The file path to the executable for the service"},{"name":"SvcDescription","type":"string","description":"Parent process for the daemon"},{"name":"SourceSystem","type":"string"},{"name":"ManagementGroupName","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"VMUUID","type":"string"},{"name":"SoftwareType","type":"string","description":"Type of the software: Application Package Update","isPreferredFacet":true},{"name":"SoftwareName","type":"string","description":"Name of the software","isPreferredFacet":true},{"name":"Publisher","type":"string","description":"Software publisher name","isPreferredFacet":true},{"name":"CurrentVersion","type":"string","description":"Current software version"},{"name":"Architecture","type":"string","description":"Instruction set architecture for the software being tracked","isPreferredFacet":true},{"name":"Location","type":"string"},{"name":"SoftwareDescription","type":"string","description":"Description of the 
software"},{"name":"Name","type":"string","isPreferredFacet":true},{"name":"FileSystemPath","type":"string","description":"File system path for the reporting file"},{"name":"Size","type":"long","description":"Size of the file"},{"name":"DateCreated","type":"datetime","description":"Created date of the file"},{"name":"DateModified","type":"datetime","description":"Last modified date of the file"},{"name":"Attributes","type":"string"},{"name":"Acls","type":"string","description":"The Access-Control List specifies which users or system processes are granted access to objects"},{"name":"FileContentChecksum","type":"string","description":"Checksum of the reporting file"},{"name":"RegistryKey","type":"string","description":"Registy key name","isPreferredFacet":true},{"name":"Hive","type":"string","description":"Registry hive for the reporting registry key","isPreferredFacet":true},{"name":"ValueName","type":"string","description":"Name of the value for the registry key being tracked","isPreferredFacet":true},{"name":"ValueData","type":"string","description":"Data contained in the value and registry key being tracked"},{"name":"ValueType","type":"string","description":"Type of the value for the registry key being tracked"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["management"],"solutions":["ChangeTracking"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets"]}},{"id":"ContainerAppConsoleLogs","name":"ContainerAppConsoleLogs","tableType":"Microsoft","description":"Logs generated by Container Apps within a Container App Environment. This includes logs generated on the stdout or stderr streams by all containers in the app. It also includes all Dapr sidecar container logs but does not include any system or platform level logs produced by the Container App Environment itself.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation generating this log."},{"name":"Location","type":"string","description":"The location of the Container App generating this log."},{"name":"ContainerName","type":"string","description":"The name of the container generating this log."},{"name":"ContainerGroupName","type":"string","description":"The name of the container's pod (Container App replica) generating this log."},{"name":"ContainerImage","type":"string","description":"The image used in the container instance that generated this log."},{"name":"Stream","type":"string","description":"The stream where the log was emitted."},{"name":"ContainerGroupId","type":"string","description":"The ID of the container's pod (Container App replica) generating this log."},{"name":"EnvironmentName","type":"string","description":"The name of the Container App Environment generating this log."},{"name":"Log","type":"string","description":"The log generated by the user's Container 
App."},{"name":"ContainerAppName","type":"string","description":"The name of the Container App generating this log."},{"name":"ContainerId","type":"string","description":"The ID of the Container App generating this log."},{"name":"RevisionName","type":"string","description":"The name of the revision generating this log."},{"name":"JobName","type":"string","description":"The name of the kubernetes job running inside a managed AKS environment generating this log."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.app/managedenvironments"],"solutions":["LogManagement"]}},{"id":"ContainerAppHTTPLogs","name":"ContainerAppHTTPLogs","tableType":"Microsoft","description":"Logs generated by the ingress envoy in a Container App Environment. 
This includes one record per HTTP request handled by the environment's ingress, with request and response metadata such as method, path, status code, and request duration.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation generating this log."},{"name":"Location","type":"string","description":"The location of the Container App generating this log."},{"name":"Method","type":"string","description":"The HTTP method of the request."},{"name":"Path","type":"string","description":"The request path sent to the Container App. May contain query string parameters that include sensitive values such as authentication tokens or API keys."},{"name":"Authority","type":"string","description":"The Host or :authority header of the HTTP request."},{"name":"Protocol","type":"string","description":"The HTTP protocol version used for the request."},{"name":"UserAgent","type":"string","description":"The User-Agent header from the client."},{"name":"XForwardedFor","type":"string","description":"The X-Forwarded-For header indicating the client IP chain. 
Contains end-user client IP addresses; treat as personally identifiable information."},{"name":"StatusCode","type":"int","description":"The HTTP response status code returned to the client."},{"name":"ResponseCodeDetails","type":"string","description":"Additional context for the response code, such as the reason the request was completed or terminated."},{"name":"ResponseFlags","type":"string","description":"Response flags describing how the request was handled by the ingress."},{"name":"BytesReceived","type":"long","description":"Number of bytes received in the request body."},{"name":"BytesSent","type":"long","description":"Number of bytes sent in the response body."},{"name":"RequestDuration","type":"long","description":"The total time, in milliseconds, taken to process the request."},{"name":"StartTime","type":"datetime","description":"Timestamp (UTC) when the ingress started processing the request."},{"name":"RequestId","type":"string","description":"The unique identifier assigned to this request by the ingress. 
May be a value supplied by an upstream client via the x-request-id header."},{"name":"ConnectionId","type":"string","description":"The unique connection identifier assigned to this request by the ingress."},{"name":"UpstreamHost","type":"string","description":"Address of the upstream container endpoint that served this request."},{"name":"UpstreamRequestAttemptCount","type":"int","description":"Number of upstream attempts made to fulfil this request."},{"name":"EnvironmentName","type":"string","description":"The name of the Container App Environment generating this log."},{"name":"ContainerAppName","type":"string","description":"The name of the Container App generating this log."},{"name":"RevisionName","type":"string","description":"The name of the revision generating this log."},{"name":"ReplicaName","type":"string","description":"The name of the Container App replica generating this log."},{"name":"EnvoyPodName","type":"string","description":"The name of the ingress envoy pod that handled this request."},{"name":"EnvoyContainerId","type":"string","description":"The container ID of the ingress envoy pod that handled this request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.app/managedenvironments"],"solutions":["LogManagement"]}},{"id":"ContainerAppSystemLogs","name":"ContainerAppSystemLogs","tableType":"Microsoft","description":"Platform Logs generated by a Container App Environment. These logs are generated by system components and any underlying infrastructure. 
Events related to revision management, Dapr, Keda and Envoy can be found here.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation generating this log."},{"name":"Location","type":"string","description":"The location of the Container App generating this log."},{"name":"ContainerName","type":"string","description":"The name of the container generating this log."},{"name":"EnvironmentName","type":"string","description":"The name of the Container App Environment generating this log."},{"name":"Log","type":"string","description":"The log generated by the Container App Environment."},{"name":"RevisionName","type":"string","description":"The name of the revision generating this log."},{"name":"Type","type":"string","description":"For events emitted by the Container App Environment. Type indicates the severity level of the event."},{"name":"ContainerAppName","type":"string","description":"The name of Container App generating this log."},{"name":"ReplicaName","type":"string","description":"The name of Container App replica generating this log."},{"name":"Reason","type":"string","description":"The reason why this event was generated."},{"name":"EventSource","type":"string","description":"The name of project generating this log. 
This includes but is not limited to system components in the Container App Environments or open source integrations such as Keda or Dapr."},{"name":"Count","type":"int","description":"How many times this log has been seen."},{"name":"JobName","type":"string","description":"The name of the Job generating this log."},{"name":"ComponentName","type":"string","description":"The name of the component."},{"name":"ComponentType","type":"string","description":"The type of component such as SpringCloudConfig, SpringCloudEureka, etc."},{"name":"SourceSystem","type":"string"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.app/managedenvironments"],"solutions":["LogManagement"]}},{"id":"ContainerEvent","name":"ContainerEvent","tableType":"Microsoft","description":"Container Event Customer Logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the event was generated by the Azure service processing the request corresponding to the event."},{"name":"ContainerGroup","type":"string","description":"The name of the container group associated with the record."},{"name":"ContainerGroupInstanceID","type":"string","description":"A unique identifier for the container group associated with the record."},{"name":"ContainerID","type":"string","description":"A unique identifier for the container associated with the record."},{"name":"ContainerName","type":"string","description":"The name of the container associated with the record."},{"name":"Count","type":"int","description":"How many times the event has 
occurred since the last poll."},{"name":"Location","type":"string","description":"The location of the resource associated with the record."},{"name":"Message","type":"string","description":"If applicable, the message from the container."},{"name":"OSType","type":"string","description":"The name of the operating system the container is based on."},{"name":"Reason","type":"string","description":"."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.containerinstance/containergroups"],"solutions":["LogManagement"]}},{"id":"ContainerImageInventory","name":"ContainerImageInventory","tableType":"Microsoft","description":"Inventory of container images and their attributes that were discovered by the agent.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"Type of agent the data was collected from. 
This will be 'Containers'","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Computer name/Node name","isPreferredFacet":true},{"name":"ImageID","type":"string","description":"Image ID of the container image","isPreferredFacet":true},{"name":"Repository","type":"string","isPreferredFacet":true},{"name":"Image","type":"string","description":"Name of Container Image","isPreferredFacet":true},{"name":"ImageTag","type":"string","description":"Tag of the container image","isPreferredFacet":true},{"name":"ImageSize","type":"string","description":"Size of the container image [amount of data (on disk) that is used for the writable layer]","isPreferredFacet":true},{"name":"VirtualSize","type":"string","description":"Virtual Size of the Container Image [Total amount of disk-space used for the read-only image data]","isPreferredFacet":true},{"name":"Running","type":"int","description":"Count of containers with this image that are in running state","isPreferredFacet":true},{"name":"Stopped","type":"int","description":"Count of containers with this image that are in stopped state","isPreferredFacet":true},{"name":"Failed","type":"int","description":"Count of containers with this image that are in failed state","isPreferredFacet":true},{"name":"Paused","type":"int","description":"Count of containers with this image that are in paused state","isPreferredFacet":true},{"name":"TotalContainer","type":"long","description":"Count of containers with this ContainerImage","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for 
the subscription that the record is associated with"}],"related":{"categories":["container"],"solutions":["AzureResources","ContainerInsights","Containers"],"resourceTypes":["microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.hybridcontainerservice/provisionedclusters"]}},{"id":"ContainerInstanceLog","name":"ContainerInstanceLog","tableType":"Microsoft","description":"Container Instance Customer Logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the event was generated by the Azure service processing the request corresponding the event."},{"name":"ContainerGroup","type":"string","description":"The name of the container group associated with the record."},{"name":"ContainerID","type":"string","description":"A unique identifier for the container associated with the record."},{"name":"ContainerImage","type":"string","description":"The name of the container image associated with the record."},{"name":"ContainerName","type":"string","description":"The name of the container associated with the record."},{"name":"Location","type":"string","description":"The location of the resource associated with the record."},{"name":"Message","type":"string","description":"If applicable, the message from the container."},{"name":"OSType","type":"string","description":"The name of the operating system the container is based on."},{"name":"Source","type":"string","description":"Name of the logging component."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription 
that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.containerinstance/containergroups"],"solutions":["LogManagement"]}},{"id":"ContainerInventory","name":"ContainerInventory","tableType":"Microsoft","description":"Inventory of containers and their attributes that are monitored by the agent","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"Type of agent the data was collected from. This will be 'Containers'","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Computer name/Node name","isPreferredFacet":true},{"name":"ContainerID","type":"string","description":"Unique ContainerID","isPreferredFacet":true},{"name":"Name","type":"string","description":"Name of the container","isPreferredFacet":true},{"name":"ContainerHostname","type":"string","description":"Host name (which is pod name) as seen by the container.","isPreferredFacet":true},{"name":"ImageID","type":"string","description":"Container Image ID","isPreferredFacet":true},{"name":"Repository","type":"string","description":"Container's Remote repository","isPreferredFacet":true},{"name":"Image","type":"string","description":"Container Image Name ","isPreferredFacet":true},{"name":"ImageTag","type":"string","description":"Container Image Tag ","isPreferredFacet":true},{"name":"ContainerState","type":"string","description":"Last known state of the container","isPreferredFacet":true},{"name":"Ports","type":"string","description":"Container's port bindings","isPreferredFacet":true},{"name":"Links","type":"string","description":"Container's legacy Hostconfig links","isPreferredFacet":true},{"name":"ExitCode","type":"int","description":"Container exit code","isPreferredFacet":true},{"name":"ComposeGroup","type":"string","description":"Docker 
Compose Project name. Comes from container label : com.docker.compose.project","isPreferredFacet":true},{"name":"EnvironmentVar","type":"string","description":"Container's environment variables","isPreferredFacet":true},{"name":"Command","type":"string","description":"entrypoint and the command executed for all running containers","isPreferredFacet":true},{"name":"CreatedTime","type":"datetime","description":"Container creation time"},{"name":"StartedTime","type":"datetime","description":"Container start time"},{"name":"FinishedTime","type":"datetime","description":"Container termination time"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["container"],"solutions":["AzureResources","ContainerInsights","Containers"],"resourceTypes":["microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.hybridcontainerservice/provisionedclusters"]}},{"id":"ContainerLog","name":"ContainerLog","tableType":"Microsoft","description":"Log lines collected from stdout and stderr streams for containers.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"Deprecated.","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Computer or node that's generating the log.","isPreferredFacet":true},{"name":"TimeOfCommand","type":"datetime","description":"Time that the agent processed the log. 
This is an optional field mainly useful for troubleshooting latency issues on the agent."},{"name":"ContainerID","type":"string","description":"Container ID for log source as seen by Docker engine.","isPreferredFacet":true},{"name":"Image","type":"string","description":"Container Image for log source as seen by Docker engine.","isPreferredFacet":true},{"name":"ImageTag","type":"string","description":"Used by Container solution only. Not populated by Azure Monitor for Containers.","isPreferredFacet":true},{"name":"Repository","type":"string","description":"Used by Container solution only. Not populated by Azure Monitor for Containers.","isPreferredFacet":true},{"name":"Name","type":"string","description":"Unique name of the container in the form PODUid/ContainerName.","isPreferredFacet":true},{"name":"LogEntry","type":"string","description":"Actual log line."},{"name":"LogEntrySource","type":"string","description":"Source of the log line. Possible values are stdout or stderr.","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["container","applications"],"solutions":["AzureResources","ContainerInsights","Containers"],"resourceTypes":["microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets","microsoft.hybridcontainerservice/provisionedclusters"]}},{"id":"ContainerLogV2","name":"ContainerLogV2","tableType":"Microsoft","description":"Kubernetes Container logs in V2 schema. This is the successor to ContainerLog. It has a friendlier schema, specifically for Kubernetes-orchestrated containers in pods. With this feature enabled, previously split container logs are stitched together and sent as single entries to the ContainerLogV2 table. The schema now supports container log lines of up to 64 KB. The schema also supports .NET and Go stack traces, which appear as single entries.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"Computer","type":"string","description":"Name of the Computer/Node generating the log."},{"name":"ContainerId","type":"string","description":"Container ID of the log source as seen by the Container engine."},{"name":"ContainerName","type":"string","description":"Name of the Container generating the log."},{"name":"PodName","type":"string","description":"Kubernetes Pod name for the Container generating the log."},{"name":"PodNamespace","type":"string","description":"Kubernetes Namespace for the container's pod."},{"name":"LogMessage","type":"dynamic","description":"Log message from stdout or stderr. Because this is a dynamic field, JSON log messages can be queried without parse_json."},{"name":"LogSource","type":"string","description":"Source of the Log message. 
Possible values are stdout or stderr."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"KubernetesMetadata","type":"dynamic","description":"Kubernetes metadata, including podUid, podLabels, podAnnotations, container image details, etc."},{"name":"LogLevel","type":"string","description":"Categorizes logs by importance and severity. Possible values: CRITICAL, ERROR, WARNING, INFO, DEBUG, TRACE, UNKNOWN."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["container"],"resourceTypes":["microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.hybridcontainerservice/provisionedclusters"],"solutions":["AzureResources","ContainerInsights"]}},{"id":"ContainerNetworkLogs","name":"ContainerNetworkLogs","tableType":"Microsoft","description":"Network flow logs for Azure Container Networking Services.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time the flow was recorded (flow.time)."},{"name":"UUID","type":"string","description":"The UUID of the flow (flow.uuid)."},{"name":"Verdict","type":"string","description":"The verdict of the flow (e.g., FORWARDED, DROPPED) (flow.verdict)."},{"name":"DropReason","type":"string","description":"The description of the drop reason if the verdict is DROPPED. 
(flow.drop_reason_desc)."},{"name":"IP","type":"dynamic","description":"The IP values of the flow, including source IP, destination IP, whether the IP is encrypted, and IP version."},{"name":"Layer4","type":"dynamic","description":"The layer 4 information of the flow, such as the protocol, source port, destination port, and TCP flags."},{"name":"SourceIdentity","type":"int","description":"The security identity number for the source (flow.source.identity)."},{"name":"SourceClusterName","type":"string","description":"The name of the source cluster (flow.source.cluster_name)."},{"name":"SourceNamespace","type":"string","description":"The namespace of the source (flow.source.namespace)."},{"name":"SourcePodName","type":"string","description":"The name of the source pod (flow.source.pod_name)."},{"name":"SourceWorkloads","type":"dynamic","description":"Array of workloads associated with the source, including name and kind (flow.source.workloads)."},{"name":"DestinationIdentity","type":"int","description":"Security identity number for the destination (flow.destination.identity)."},{"name":"DestinationClusterName","type":"string","description":"The name of the destination cluster (flow.destination.cluster_name)."},{"name":"DestinationNamespace","type":"string","description":"The namespace of the destination (flow.destination.namespace)."},{"name":"DestinationPodName","type":"string","description":"The name of the destination pod (flow.destination.pod_name)."},{"name":"DestinationWorkloads","type":"dynamic","description":"Array of workloads associated with the destination, including name and kind (flow.destination.workloads)."},{"name":"FlowType","type":"string","description":"Type of the flow (e.g., L3_L4, L7 SOCK) (flow.Type)."},{"name":"NodeName","type":"string","description":"Name of the node where the flow was captured (flow.node_name)."},{"name":"Layer7","type":"dynamic","description":"L7 flow type if Flow_Type is L7 (e.g., DNS, HTTP, Kafka) 
(flow.l7.type)."},{"name":"Reply","type":"bool","description":"Indicates if the flow is a reply (flow.is_reply.value)."},{"name":"EventType","type":"dynamic","description":"Event type details (flow.event_type)."},{"name":"Service","type":"dynamic","description":"Service details of the flow."},{"name":"TrafficDirection","type":"string","description":"Direction of the traffic (e.g., INGRESS, EGRESS) (flow.traffic_direction)."},{"name":"TraceObservationPoint","type":"string","description":"Point of observation in the trace (e.g., TO_ENDPOINT) (flow.trace_observation_point)."},{"name":"IngressFlowCount","type":"int","description":"Number of packets sent from the source to the destination since the last update."},{"name":"EgressFlowCount","type":"int","description":"Number of packets sent from the destination to the source since the last update."},{"name":"UnknownDirectionFlowCount","type":"int","description":"Number of unknown flows since the last update."},{"name":"Policies","type":"dynamic","description":"Combined entry for all policies that allowed or denied ingress/egress (flow.egress_allowed_by, flow.ingress_allowed_by, flow.egress_denied_by, flow.ingress_denied_by)."},{"name":"AdditionalFlowData","type":"dynamic","description":"Additional flow data."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["LogManagement"],"queries":["571b97f3-d68b-41eb-b1ac-6c40a38fbb4d","54bb9cdf-3eb8-4f1b-bb39-a2e578bceecb"]}},{"id":"ContainerNodeInventory","name":"ContainerNodeInventory","tableType":"Microsoft","description":"Table that stores Container host/node information","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"Type of agent the data was collected from.","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Computer/node name in the cluster to which the event applies; otherwise, the computer/node name of the sourcing computer.","isPreferredFacet":true},{"name":"OperatingSystem","type":"string","description":"Node's host OS image","isPreferredFacet":true},{"name":"DockerVersion","type":"string","description":"Container runtime version","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["container"],"solutions":["AzureResources","ContainerInsights"],"resourceTypes":["microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.hybridcontainerservice/provisionedclusters"]}},{"id":"ContainerRegistryLoginEvents","name":"ContainerRegistryLoginEvents","tableType":"Microsoft","description":"Azure Container Registry Login Auditing 
Logs","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"TimeGenerated","type":"datetime"},{"name":"OperationName","type":"string"},{"name":"LoginServer","type":"string"},{"name":"Identity","type":"string"},{"name":"JwtId","type":"string"},{"name":"Region","type":"string"},{"name":"CorrelationId","type":"string"},{"name":"ResultType","type":"string"},{"name":"ResultDescription","type":"string"},{"name":"CallerIpAddress","type":"string"},{"name":"DurationMs","type":"string"},{"name":"UserAgent","type":"string"},{"name":"Category","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["container"],"solutions":["LogManagement"],"resourceTypes":["microsoft.containerregistry/registries"]}},{"id":"ContainerRegistryRepositoryEvents","name":"ContainerRegistryRepositoryEvents","tableType":"Microsoft","description":"Azure Container Registry Repository Auditing 
Logs","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"TimeGenerated","type":"datetime"},{"name":"OperationName","type":"string"},{"name":"LoginServer","type":"string"},{"name":"Identity","type":"string"},{"name":"Repository","type":"string"},{"name":"Tag","type":"string"},{"name":"Digest","type":"string"},{"name":"MediaType","type":"string"},{"name":"Size","type":"int"},{"name":"ArtifactType","type":"string"},{"name":"CorrelationId","type":"string"},{"name":"Region","type":"string"},{"name":"ResultType","type":"string"},{"name":"Category","type":"string"},{"name":"ResultDescription","type":"string"},{"name":"CallerIpAddress","type":"string"},{"name":"DurationMs","type":"string"},{"name":"UserTenantId","type":"string"},{"name":"UserAgent","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["container"],"solutions":["LogManagement"],"resourceTypes":["microsoft.containerregistry/registries"]}},{"id":"ContainerServiceLog","name":"ContainerServiceLog","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"TimeOfCommand","type":"datetime"},{"name":"ContainerID","type":"string","isPreferredFacet":true},{"name":"Image","type":"string","isPreferredFacet":true},{"name":"ImageTag","type":"string","isPreferredFacet":true},{"name":"Repository","type":"string","isPreferredFacet":true},{"name":"Command","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["container"],"solutions":["AzureResources","ContainerInsights","Containers"],"resourceTypes":["microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.hybridcontainerservice/provisionedclusters"]}},{"id":"CopilotActivity","name":"CopilotActivity","tableType":"Microsoft","description":"Audit logs for Copilot and other AI workloads. 
Extensible for future AI audit types.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp of the audit event."},{"name":"RecordId","type":"string","description":"Unique identifier for the audit record."},{"name":"RecordType","type":"string","description":"Normalized record type name (e.g., CopilotInteraction, UpdateCopilotSettings)."},{"name":"ActorName","type":"string","description":"User principal name or email address."},{"name":"ActorUserId","type":"string","description":"Internal user key or GUID."},{"name":"ActorUserType","type":"string","description":"Type of user (e.g., Regular, Admin, System)."},{"name":"OrganizationId","type":"string","description":"Organization GUID."},{"name":"SrcIpAddr","type":"string","description":"IP address of the client."},{"name":"ClientRegion","type":"string","description":"Region of the client."},{"name":"Workload","type":"string","description":"The workload or product (e.g., Copilot, AzureOpenAI)."},{"name":"Version","type":"string","description":"Version of the audit schema or event."},{"name":"AppHost","type":"string","description":"Application that hosts copilot."},{"name":"AppIdentity","type":"string","description":"Identity of the application hosting the copilot interaction."},{"name":"LLMEventData","type":"dynamic","description":"Parsed LLM event data (for copilot different RecordTypes)."},{"name":"AIModelName","type":"string","description":"Name of the AI model used (for extensibility)."},{"name":"AIModelVersion","type":"string","description":"Version of the AI model used."},{"name":"LogVersion","type":"string","description":"Version of the LLM log format."},{"name":"AgentName","type":"string","description":"A friendly readable name of the agent."},{"name":"AgentId","type":"string","description":"The version number or version ID of the agent 
involved."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","audit"],"solutions":["SecurityInsights"],"queries":["a1b2c3d4-e5f6-7890-abcd-ef1234567890","b2c3d4e5-f6g7-8901-bcde-f12345678901","c3d4e5f6-g7h8-9012-cdef-123456789012","d4e5f6g7-h8i9-0123-defg-234567890123","e5f6g7h8-i9j0-1234-efgh-345678901234","f6g7h8i9-j0k1-2345-fghi-456789012345"]}},{"id":"CoreAzureBackup","name":"CoreAzureBackup","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"AgentVersion","type":"string","isPreferredFacet":true},{"name":"AzureBackupAgentVersion","type":"string","isPreferredFacet":true},{"name":"AzureDataCenter","type":"string","isPreferredFacet":true},{"name":"BackupItemAppVersion","type":"string","isPreferredFacet":true},{"name":"BackupItemFriendlyName","type":"string"},{"name":"BackupItemName","type":"string"},{"name":"BackupItemProtectionState","type":"string","isPreferredFacet":true},{"name":"BackupItemFrontEndSize","type":"real"},{"name":"BackupItemType","type":"string","isPreferredFacet":true},{"name":"BackupItemUniqueId","type":"string"},{"name":"BackupManagementServerType","type":"string","isPreferredFacet":true},{"name":"BackupManagementServerUniqueId","type":"string"},{"name":"BackupManagementType","type":"string","isPreferredFacet":true},{"name":"BackupManagementServerName","type":"string"},{"name":"BackupManagementServerOSVersion","type":"string","isPreferredFacet":true},{"name":"BackupManagementServerVersion","type":"string","isPreferr
edFacet":true},{"name":"LatestRecoveryPointLocation","type":"string","isPreferredFacet":true},{"name":"LatestRecoveryPointTime","type":"datetime"},{"name":"OldestRecoveryPointLocation","type":"string","isPreferredFacet":true},{"name":"OldestRecoveryPointTime","type":"datetime"},{"name":"PolicyUniqueId","type":"string"},{"name":"ProtectedContainerFriendlyName","type":"string"},{"name":"ProtectedContainerLocation","type":"string","isPreferredFacet":true},{"name":"ProtectedContainerName","type":"string"},{"name":"ProtectedContainerOSType","type":"string","isPreferredFacet":true},{"name":"ProtectedContainerOSVersion","type":"string","isPreferredFacet":true},{"name":"ProtectedContainerProtectionState","type":"string","isPreferredFacet":true},{"name":"ProtectedContainerType","type":"string","isPreferredFacet":true},{"name":"ProtectedContainerUniqueId","type":"string"},{"name":"ProtectedContainerWorkloadType","type":"string","isPreferredFacet":true},{"name":"ProtectionGroupName","type":"string"},{"name":"ResourceGroupName","type":"string","isPreferredFacet":true},{"name":"SchemaVersion","type":"string","isPreferredFacet":true},{"name":"SecondaryBackupProtectionState","type":"string","isPreferredFacet":true},{"name":"State","type":"string","isPreferredFacet":true},{"name":"StorageReplicationType","type":"string","isPreferredFacet":true},{"name":"SubscriptionId","type":"string","isPreferredFacet":true},{"name":"VaultName","type":"string"},{"name":"VaultTags","type":"string","isPreferredFacet":true},{"name":"VaultUniqueId","type":"string"},{"name":"ArchiveTierLatestRecoveryPointLocation","type":"string"},{"name":"ArchiveTierLatestRecoveryPointTime","type":"datetime"},{"name":"ArchiveTierOldestRecoveryPointLocation","type":"string"},{"name":"ArchiveTierOldestRecoveryPointTime","type":"datetime"},{"name":"ArchiveTierStorageReplicationType","type":"string"},{"name":"IsArchiveEnabled","type":"bool"},{"name":"DatasourceSetFriendlyName","type":"string"},{"name":"DatasourceSetResour
ceId","type":"string"},{"name":"DatasourceSetType","type":"string"},{"name":"DatasourceFriendlyName","type":"string"},{"name":"DatasourceResourceId","type":"string"},{"name":"DatasourceType","type":"string"},{"name":"BillingGroupUniqueId","type":"string"},{"name":"BillingGroupFriendlyName","type":"string"},{"name":"DatasourceResourceGroupName","type":"string"},{"name":"DatasourceSubscriptionId","type":"string"},{"name":"BackupItemId","type":"string"},{"name":"StorageConsumedInMBs","type":"real"},{"name":"ArchiveTierStorageConsumedInMBs","type":"real"},{"name":"VaultType","type":"string"},{"name":"PolicyName","type":"string"},{"name":"PolicyId","type":"string"},{"name":"ExtendedProperties","type":"dynamic"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["management","resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.recoveryservices/vaults"],"functions":["19551c5e-1e3e-4425-a1d7-c846a0bca2a1","19551c5e-1e3e-4425-a1d7-c846a0bca2a2","19551c5e-1e3e-4425-a1d7-c846a0bca2a3","19551c5e-1e3e-4425-a1d7-c846a0bca2a4","19551c5e-1e3e-4425-a1d7-c846a0bca2a5","19551c5e-1e3e-4425-a1d7-c846a0bca2a6","19551c5e-1e3e-4425-a1d7-c846a0bca2a7"]}},{"id":"CrowdStrikeAlerts","name":"CrowdStrikeAlerts","tableType":"Microsoft","description":"The CrowdStrikeAlerts table contains logs from the CrowdStrike Alerts API that have been ingested into Microsoft Sentinel.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the alert was 
generated."},{"name":"AgentId","type":"string","description":"Unique identifier for the CrowdStrike agent that generated the alert."},{"name":"AggregateId","type":"string","description":"Identifier for aggregated alerts from the same source."},{"name":"AssignedToName","type":"string","description":"Name of the user assigned to handle the alert."},{"name":"AssignedToUid","type":"string","description":"User ID of the assigned user."},{"name":"AssignedToUuid","type":"string","description":"UUID of the assigned user."},{"name":"Cid","type":"string","description":"Customer ID in the CrowdStrike platform."},{"name":"CompositeId","type":"string","description":"Composite identifier combining multiple alert attributes."},{"name":"Confidence","type":"int","description":"Confidence score of the alert (0-100)."},{"name":"CrawledTimestamp","type":"datetime","description":"Timestamp when the alert data was last crawled."},{"name":"CreatedTimestamp","type":"datetime","description":"Timestamp when the alert was first created."},{"name":"DataDomains","type":"dynamic","description":"Domains associated with the alert."},{"name":"Description","type":"string","description":"Detailed description of the alert."},{"name":"DisplayName","type":"string","description":"Human-readable name for the alert."},{"name":"EmailSent","type":"bool","description":"Indicates if an email notification was sent for this alert."},{"name":"External","type":"bool","description":"Indicates if the alert originated from an external source."},{"name":"Id","type":"string","description":"Unique identifier for the alert."},{"name":"Name","type":"string","description":"Name of the alert."},{"name":"Objective","type":"string","description":"The attacker's presumed objective."},{"name":"PatternId","type":"int","description":"Identifier for the detection pattern that triggered the alert."},{"name":"Platform","type":"string","description":"Operating system or platform where the alert was 
detected."},{"name":"Product","type":"string","description":"CrowdStrike product that generated the alert."},{"name":"Scenario","type":"string","description":"Security scenario that triggered the alert."},{"name":"SecondsToResolved","type":"int","description":"Time in seconds from alert creation to resolution."},{"name":"SecondsToTriaged","type":"int","description":"Time in seconds from alert creation to triage."},{"name":"Severity","type":"int","description":"Severity level of the alert."},{"name":"SeverityName","type":"string","description":"Text representation of the severity level."},{"name":"ShowInUi","type":"bool","description":"Indicates if the alert should be displayed in the user interface."},{"name":"SourceProducts","type":"dynamic","description":"List of products that contributed to this alert."},{"name":"SourceVendors","type":"dynamic","description":"List of vendors associated with the alert sources."},{"name":"Status","type":"string","description":"Current status of the alert."},{"name":"Tactic","type":"string","description":"MITRE ATT&CK tactic associated with the alert."},{"name":"TacticId","type":"string","description":"Identifier of the MITRE ATT&CK tactic."},{"name":"Tags","type":"dynamic","description":"Custom tags associated with the alert."},{"name":"Technique","type":"string","description":"MITRE ATT&CK technique associated with the alert."},{"name":"TechniqueId","type":"string","description":"Identifier of the MITRE ATT&CK technique."},{"name":"Timestamp","type":"datetime","description":"Time when the alert event occurred."},{"name":"AlertType","type":"string","description":"The type or category of the CrowdStrike alert."},{"name":"UpdatedTimestamp","type":"datetime","description":"Time when the alert was last updated."},{"name":"AllegedFiletype","type":"string","description":"The suspected file type of the malicious file associated with the alert."},{"name":"Categorization","type":"string","description":"Categorization of the 
alert."},{"name":"ChildProcessIds","type":"dynamic","description":"List of child process IDs spawned by the detected process."},{"name":"CloudIndicator","type":"bool","description":"Indicates if the alert involves cloud-based indicators."},{"name":"Cmdline","type":"string","description":"Command line used to execute the detected process."},{"name":"ContextTimestamp","type":"string","description":"Timestamp providing additional context for the alert."},{"name":"CorrelationRuleCreateCase","type":"bool","description":"Indicates if the correlation rule is configured to create a case."},{"name":"CorrelationRuleExecutionId","type":"string","description":"Execution ID of the correlation rule that triggered the alert."},{"name":"CorrelationRuleId","type":"string","description":"Identifier of the correlation rule that triggered the alert."},{"name":"CorrelationRuleUserId","type":"string","description":"User ID associated with the correlation rule."},{"name":"CorrelationRuleUserUuid","type":"string","description":"UUID of the user associated with the correlation rule."},{"name":"DetectionId","type":"string","description":"Unique identifier for the detection associated with the alert."},{"name":"Device","type":"dynamic","description":"Information about the device where the alert was detected."},{"name":"EndTime","type":"string","description":"Timestamp when the alert activity ended."},{"name":"EnrichedEntities","type":"dynamic","description":"Enriched entity information associated with the alert."},{"name":"EventCorrelationId","type":"string","description":"Correlation ID linking related events."},{"name":"EventIds","type":"string","description":"Event IDs associated with the alert."},{"name":"FalconHostLink","type":"string","description":"Link to the alert details in the CrowdStrike Falcon console."},{"name":"Filename","type":"string","description":"Name of the file associated with the alert."},{"name":"Filepath","type":"string","description":"Full path to the file 
associated with the alert."},{"name":"GlobalPrevalence","type":"string","description":"Global prevalence rating of the detected file."},{"name":"GrandparentDetails","type":"dynamic","description":"Details about the grandparent process in the process tree."},{"name":"HasTruncatedEntities","type":"bool","description":"Indicates if the alert entities have been truncated."},{"name":"IndicatorId","type":"string","description":"Identifier for the indicator of compromise that triggered the alert."},{"name":"IocContext","type":"dynamic","description":"Context information about the indicator of compromise."},{"name":"IsClosed","type":"bool","description":"Indicates if the alert has been closed."},{"name":"LeadId","type":"string","description":"Identifier for the lead associated with the alert."},{"name":"LeadType","type":"string","description":"Type of the lead associated with the alert."},{"name":"LocalAddressIp4","type":"string","description":"IPv4 address of the local endpoint."},{"name":"LocalAddressIp6","type":"string","description":"IPv6 address of the local endpoint."},{"name":"LocalPrevalence","type":"string","description":"Local prevalence rating within the organization."},{"name":"LocalProcessId","type":"string","description":"Local process ID on the system where the alert occurred."},{"name":"LogonDomain","type":"string","description":"Domain used for user logon associated with the alert."},{"name":"Md5","type":"string","description":"MD5 hash of the file associated with the alert."},{"name":"MitreAttack","type":"dynamic","description":"MITRE ATT&CK tactics and techniques associated with the alert."},{"name":"OriginCid","type":"string","description":"Customer ID of the originating tenant."},{"name":"OriginalCorrelationRulesEntitiesCount","type":"int","description":"Original count of correlation rule entities."},{"name":"OriginalIndicatorEntitiesCount","type":"int","description":"Original count of indicator 
entities."},{"name":"ParentDetails","type":"dynamic","description":"Details about the parent process in the process tree."},{"name":"ParentProcessId","type":"string","description":"Process ID of the parent process."},{"name":"PatternDisposition","type":"int","description":"Numerical identifier for the action taken by the detection pattern."},{"name":"PatternDispositionDescription","type":"string","description":"Text description of the pattern disposition action."},{"name":"PatternDispositionDetails","type":"dynamic","description":"Detailed information about the pattern disposition."},{"name":"PolyId","type":"string","description":"Poly ID associated with the alert."},{"name":"PriorityDetails","type":"dynamic","description":"Priority details associated with the alert."},{"name":"ProcessEndTime","type":"string","description":"Timestamp when the detected process ended."},{"name":"ProcessId","type":"string","description":"Process ID of the detected process."},{"name":"ProcessStartTime","type":"string","description":"Timestamp when the detected process started."},{"name":"Score","type":"int","description":"Score associated with the alert."},{"name":"Sha1","type":"string","description":"SHA1 hash of the file associated with the alert."},{"name":"Sha256","type":"string","description":"SHA256 hash of the file associated with the alert."},{"name":"SignalEndTimestamp","type":"string","description":"Timestamp when the signal ended."},{"name":"SignalStartTimestamp","type":"string","description":"Timestamp when the signal started."},{"name":"SignalUpdatedTimestamp","type":"string","description":"Timestamp when the signal was last updated."},{"name":"SourceEndpointAddressIp4","type":"string","description":"IPv4 address of the source endpoint."},{"name":"SourceEndpointAddressIp6","type":"string","description":"IPv6 address of the source endpoint."},{"name":"SourceIps","type":"dynamic","description":"List of source IP addresses associated with the 
alert."},{"name":"StartTime","type":"string","description":"Timestamp when the alert activity started."},{"name":"TemplateInstanceId","type":"int","description":"Instance ID of the detection template used."},{"name":"ThreatgraphIndicators","type":"dynamic","description":"Threat graph indicators associated with the alert."},{"name":"TriggeringProcessGraphId","type":"string","description":"Graph ID of the process that triggered the alert."},{"name":"UserId","type":"string","description":"User ID associated with the alert."},{"name":"UserName","type":"string","description":"Username associated with the alert."},{"name":"Users","type":"dynamic","description":"List of users associated with the alert."},{"name":"VendorPatternId","type":"string","description":"Vendor-specific pattern identifier."},{"name":"XdrEventId","type":"string","description":"XDR event ID associated with the alert."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["a9b8c7d6-5e4f-3a2b-1c0d-9e8f7a6b5c4d"]}},{"id":"CrowdStrikeAuditEvents","name":"CrowdStrikeAuditEvents","tableType":"Microsoft","description":"The CrowdStrikeAuditEvents table contains audit and detection event logs from CrowdStrike that have been ingested into Microsoft Sentinel.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (in UTC) when the log entry was generated."},{"name":"EventType","type":"string","description":"The type of event, used to filter logs."},{"name":"CustomerIdString","type":"string","description":"The customer ID string."},{"name":"Nonce","type":"string","description":"A unique nonce 
value."},{"name":"AgentIdString","type":"string","description":"The agent ID string."},{"name":"ExternalApiType","type":"string","description":"The external API type."},{"name":"PolicyId","type":"string","description":"Policy identifier."},{"name":"Severity","type":"string","description":"Numerical severity level."},{"name":"SeverityName","type":"string","description":"Text representation of the severity level."},{"name":"UserName","type":"string","description":"Username who performed the action."},{"name":"Tactic","type":"string","description":"MITRE ATT&CK tactic."},{"name":"Technique","type":"string","description":"MITRE ATT&CK technique."},{"name":"ProcessId","type":"string","description":"Process ID associated with the IOC."},{"name":"ComputerName","type":"string","description":"Name of the computer where the IOC was detected."},{"name":"MD5String","type":"string","description":"MD5 hash of the file."},{"name":"ParentProcessId","type":"string","description":"Process ID of the parent process."},{"name":"FileName","type":"string","description":"Name of the file associated with the IOC."},{"name":"FilePath","type":"string","description":"Full path to the file."},{"name":"CommandLine","type":"string","description":"Command line used to execute the process."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device."},{"name":"RuleId","type":"string","description":"Identifier of the recon rule."},{"name":"RuleName","type":"string","description":"Name of the recon rule."},{"name":"SourceVendors","type":"string","description":"Vendors associated with the detection source."},{"name":"SourceProducts","type":"string","description":"Products associated with the detection source."},{"name":"DataDomains","type":"string","description":"Data domains associated with the event."},{"name":"Status","type":"string","description":"Status of the report execution."},{"name":"EventUuid","type":"string","description":"Unique UUID for the 
event."},{"name":"Cid","type":"string","description":"Customer ID in the CrowdStrike platform."},{"name":"Eid","type":"string","description":"Event ID."},{"name":"UserId","type":"string","description":"User ID associated with the activity."},{"name":"UserIp","type":"string","description":"IP address of the user making the API call."},{"name":"OperationName","type":"string","description":"Name of the operation performed."},{"name":"ServiceName","type":"string","description":"Name of the service (e.g., api_request)."},{"name":"Success","type":"bool","description":"Whether the API call was successful."},{"name":"ApiClientId","type":"string","description":"API client ID used for the request."},{"name":"RequestAccept","type":"string","description":"Accept header of the request."},{"name":"RequestMethod","type":"string","description":"HTTP method of the request (e.g., POST, GET)."},{"name":"RequestPath","type":"string","description":"Path of the API request."},{"name":"RequestContentType","type":"string","description":"Content type of the request."},{"name":"StatusCode","type":"string","description":"HTTP status code of the response."},{"name":"ElapsedTime","type":"string","description":"Elapsed time of the request."},{"name":"ElapsedMicroseconds","type":"string","description":"Elapsed time in microseconds."},{"name":"ReceivedTime","type":"datetime","description":"Time the request was received."},{"name":"UserAgent","type":"string","description":"User agent string of the request."},{"name":"RequestUriLength","type":"string","description":"Length of the request URI."},{"name":"TraceId","type":"string","description":"Trace ID for request tracing."},{"name":"Produces","type":"string","description":"Content type produced by the API."},{"name":"Consumes","type":"string","description":"Content type consumed by the API."},{"name":"Scopes","type":"string","description":"API scopes used for the request."},{"name":"Message","type":"string","description":"Message associated with 
the audit event."},{"name":"Source","type":"string","description":"Source of the audit event."},{"name":"SourceIp","type":"string","description":"Source IP address."},{"name":"AuditKeyValues","type":"string","description":"JSON string containing audit key-value pairs."},{"name":"AppId","type":"string","description":"Application ID."},{"name":"AuditEventType","type":"string","description":"Event type from the audit attributes."},{"name":"Offset","type":"string","description":"Stream offset value."},{"name":"Partition","type":"string","description":"Stream partition."},{"name":"AccountId","type":"string","description":"Cloud account ID."},{"name":"PolicyStatement","type":"string","description":"Description of the CSPM policy that was triggered."},{"name":"CloudProvider","type":"string","description":"Cloud provider (e.g., aws, azure, gcp)."},{"name":"CloudService","type":"string","description":"Cloud service involved (e.g., EC2, S3)."},{"name":"EventAction","type":"string","description":"Action that triggered the IOA (e.g., TerminateInstances)."},{"name":"EventSource","type":"string","description":"Source of the event (e.g., aws.cloudtrail)."},{"name":"UserSourceIp","type":"string","description":"Source IP of the user."},{"name":"Region","type":"string","description":"Cloud region (e.g., us-west-2)."},{"name":"ResourcesId","type":"string","description":"Identifier of the cloud resource."},{"name":"ResourceIdType","type":"string","description":"Type of the resource identifier (e.g., Instance Id)."},{"name":"ResourcesName","type":"string","description":"Name of the cloud resource."},{"name":"ResourceCreateTime","type":"datetime","description":"Creation time of the resource."},{"name":"CloudPlatform","type":"string","description":"Cloud platform (e.g., AWS, Azure, GCP)."},{"name":"Disposition","type":"string","description":"Assessment result (e.g., Failed, Passed)."},{"name":"ResourceUrl","type":"string","description":"URL to the resource in the cloud 
console."},{"name":"Finding","type":"string","description":"Details of the finding."},{"name":"ResourceAttributes","type":"string","description":"JSON string containing resource attributes."},{"name":"Tags","type":"string","description":"JSON string containing resource tags."},{"name":"ReportUrl","type":"string","description":"URL to the CSPM assessment report."},{"name":"NotificationId","type":"string","description":"Unique identifier for the recon notification."},{"name":"Highlights","type":"string","description":"JSON string containing highlights of the notification."},{"name":"MatchedTimestamp","type":"datetime","description":"Timestamp when the match was found."},{"name":"RuleTopic","type":"string","description":"Topic of the recon rule (e.g., Credential Exposure)."},{"name":"RulePriority","type":"string","description":"Priority of the recon rule."},{"name":"ItemId","type":"string","description":"Identifier of the matched item."},{"name":"ItemType","type":"string","description":"Type of the matched item."},{"name":"ItemPostedTimestamp","type":"datetime","description":"Timestamp when the item was posted."},{"name":"SessionId","type":"string","description":"Unique identifier for the remote response session."},{"name":"HostnameField","type":"string","description":"Hostname of the target system."},{"name":"EndTimestamp","type":"datetime","description":"Unix epoch timestamp when the session ended."},{"name":"StartTimestamp","type":"datetime","description":"Unix epoch timestamp when the session started."},{"name":"UserUuid","type":"string","description":"UUID of the user who owns the scheduled report."},{"name":"ExecutionId","type":"string","description":"Execution identifier for the report run."},{"name":"ReportId","type":"string","description":"Unique identifier for the report."},{"name":"ReportName","type":"string","description":"Name of the scheduled report."},{"name":"ReportType","type":"string","description":"Type of the report (e.g., 
spotlight_vulnerabilities)."},{"name":"ReportFileReference","type":"string","description":"File reference path for downloading the report."},{"name":"StatusMessage","type":"string","description":"Status message for the report execution."},{"name":"ProcessStartTime","type":"datetime","description":"Timestamp when the detected process started."},{"name":"ProcessEndTime","type":"datetime","description":"Timestamp when the detected process ended."},{"name":"Hostname","type":"string","description":"Name of the host where the event occurred."},{"name":"Name","type":"string","description":"Name of the detection (e.g., Attacker Methodology)."},{"name":"Description","type":"string","description":"Detailed description of the detection."},{"name":"SHA256String","type":"string","description":"SHA256 hash of the detected file."},{"name":"SHA1String","type":"string","description":"SHA1 hash of the detected file."},{"name":"LogonDomain","type":"string","description":"Logon domain associated with the detection."},{"name":"FalconHostLink","type":"string","description":"Link to the detection details in the CrowdStrike Falcon console."},{"name":"AgentId","type":"string","description":"Unique identifier for the CrowdStrike agent."},{"name":"CompositeId","type":"string","description":"Composite identifier combining multiple detection attributes."},{"name":"LocalIp","type":"string","description":"Local IP address of the host."},{"name":"MACAddress","type":"string","description":"MAC address of the host."},{"name":"Objective","type":"string","description":"Objective of the detection (e.g., Follow Through)."},{"name":"PatternDispositionDescription","type":"string","description":"Description of the pattern disposition action."},{"name":"PatternDispositionValue","type":"string","description":"Numerical value of the pattern disposition."},{"name":"PatternDispositionFlags","type":"string","description":"JSON string containing flags indicating various pattern disposition 
actions."},{"name":"ParentImageFileName","type":"string","description":"Image file name of the parent process."},{"name":"ParentCommandLine","type":"string","description":"Command line of the parent process."},{"name":"GrandParentImageFileName","type":"string","description":"Image file name of the grandparent process."},{"name":"GrandParentCommandLine","type":"string","description":"Command line of the grandparent process."},{"name":"HostGroups","type":"string","description":"Host groups the system belongs to."},{"name":"PatternId","type":"string","description":"Identifier for the detection pattern."},{"name":"AggregateId","type":"string","description":"Aggregate identifier for related detections."},{"name":"ParentImageFilePath","type":"string","description":"Full path to the parent process image file."},{"name":"GrandParentImageFilePath","type":"string","description":"Full path to the grandparent process image file."},{"name":"LocalIpv6","type":"string","description":"Local IPv6 address of the host."},{"name":"PlatformId","type":"string","description":"Platform ID (e.g., 0=Windows, 1=Mac, 2=Linux)."},{"name":"PlatformName","type":"string","description":"Name of the platform (e.g., Windows, Linux, Mac)."},{"name":"MitreAttack","type":"string","description":"JSON string containing MITRE ATT&CK framework details."},{"name":"CloudIndicator","type":"string","description":"Indicates if the detection involves cloud-based indicators."},{"name":"RiskScore","type":"string","description":"Risk score associated with the detection."},{"name":"CustomerId","type":"string","description":"Customer identifier in the CrowdStrike platform."},{"name":"Ipv","type":"string","description":"IP version (ipv4 or ipv6)."},{"name":"ConnectionDirection","type":"string","description":"Direction of the network connection."},{"name":"Flags","type":"string","description":"JSON string containing firewall rule flags (Audit, Log, Monitor)."},{"name":"IcmpCode","type":"string","description":"ICMP code 
if the protocol is ICMP."},{"name":"IcmpType","type":"string","description":"ICMP type if the protocol is ICMP."},{"name":"ImageFileName","type":"string","description":"Image file name of the process associated with the event."},{"name":"LocalAddress","type":"string","description":"Local IP address involved in the firewall event."},{"name":"LocalPort","type":"string","description":"Local port number involved in the firewall event."},{"name":"MatchCount","type":"string","description":"Number of times the firewall rule was matched."},{"name":"MatchCountSinceLastReport","type":"string","description":"Number of matches since the last report."},{"name":"NetworkProfile","type":"string","description":"Network profile identifier."},{"name":"Pid","type":"string","description":"Process ID associated with the firewall event."},{"name":"PolicyName","type":"string","description":"Name of the firewall policy."},{"name":"Protocol","type":"string","description":"Network protocol (e.g., 1=ICMP, 6=TCP, 17=UDP)."},{"name":"RemoteAddress","type":"string","description":"Remote IP address involved in the firewall event."},{"name":"RemotePort","type":"string","description":"Remote port number involved in the firewall event."},{"name":"RuleAction","type":"string","description":"Action taken by the firewall rule."},{"name":"RuleDescription","type":"string","description":"Description of the firewall rule."},{"name":"RuleFamilyId","type":"string","description":"Family identifier of the firewall rule."},{"name":"RuleGroupName","type":"string","description":"Name of the firewall rule group."},{"name":"TreeId","type":"string","description":"Tree identifier for the process tree."},{"name":"Hash","type":"string","description":"Credential hash observed spreading across hosts."},{"name":"SourceEndpointName","type":"string","description":"Name of the source endpoint."},{"name":"SourceEndpointIp","type":"string","description":"IP address of the source 
endpoint."},{"name":"DestinationEndpointName","type":"string","description":"Name of the destination endpoint."},{"name":"DestinationEndpointIp","type":"string","description":"IP address of the destination endpoint."},{"name":"AuthenticationProtocol","type":"string","description":"Authentication protocol used (e.g., NTLM, Kerberos)."},{"name":"SpreadCount","type":"string","description":"Number of hosts the hash has been observed on."},{"name":"FirstSeen","type":"datetime","description":"First time the hash spreading was observed."},{"name":"LastSeen","type":"datetime","description":"Last time the hash spreading was observed."},{"name":"IncidentDescription","type":"string","description":"Description of the hash spreading incident."},{"name":"Category","type":"string","description":"Category of the identity protection event (e.g., Incident)."},{"name":"IncidentType","type":"string","description":"Type of identity protection incident (e.g., GoldenTicketAlert)."},{"name":"StartTime","type":"datetime","description":"Start time of the event."},{"name":"EndTime","type":"datetime","description":"End time of the event."},{"name":"EndpointName","type":"string","description":"Name of the endpoint involved in the incident."},{"name":"EndpointIp","type":"string","description":"IP address of the endpoint involved in the incident."},{"name":"NumbersOfAlerts","type":"string","description":"Number of alerts associated with the incident."},{"name":"NumberOfCompromisedEntities","type":"string","description":"Number of compromised entities in the incident."},{"name":"State","type":"string","description":"Current state of the incident (e.g., IN_PROGRESS, CLOSED)."},{"name":"IdentityProtectionIncidentId","type":"string","description":"Unique identifier for the identity protection incident."},{"name":"ContextTimeStamp","type":"datetime","description":"Context timestamp of the IDP detection event (Unix epoch)."},{"name":"SourceAccountDomain","type":"string","description":"Domain of the 
source account."},{"name":"SourceAccountName","type":"string","description":"Name of the source account."},{"name":"SourceAccountUpn","type":"string","description":"User principal name of the source account."},{"name":"SourceAccountObjectSid","type":"string","description":"Object SID of the source account."},{"name":"CurrentPrivileges","type":"string","description":"Current privilege level of the account."},{"name":"PreviousPrivileges","type":"string","description":"Previous privilege level of the account."},{"name":"AddedPrivileges","type":"string","description":"Privileges that were added to the account."},{"name":"IncidentStartTime","type":"datetime","description":"Start time of the incident (Unix epoch)."},{"name":"IncidentEndTime","type":"datetime","description":"End time of the incident (Unix epoch)."},{"name":"FineScore","type":"string","description":"Fine score of the incident."},{"name":"LateralMovement","type":"string","description":"Lateral movement indicator for the incident."},{"name":"IncidentId","type":"string","description":"Unique identifier for the incident."},{"name":"HostId","type":"string","description":"Identifier of the host involved in the incident."},{"name":"SensorId","type":"string","description":"Unique identifier for the CrowdStrike sensor on the mobile device."},{"name":"MobileDetectionId","type":"string","description":"Unique identifier for the mobile detection."},{"name":"TacticId","type":"string","description":"The MITRE ATT&CK tactic ID associated with the detection."},{"name":"TechniqueId","type":"string","description":"The MITRE ATT&CK technique ID associated with the detection."},{"name":"TacticIds","type":"string","description":"MITRE ATT&CK tactic IDs associated with the detection."},{"name":"Tactics","type":"string","description":"MITRE ATT&CK tactics associated with the detection."},{"name":"TechniqueIds","type":"string","description":"MITRE ATT&CK technique IDs associated with the 
detection."},{"name":"Techniques","type":"string","description":"MITRE ATT&CK techniques associated with the detection."},{"name":"Author","type":"string","description":"Author of the detection rule."},{"name":"XdrType","type":"string","description":"Type of XDR detection (e.g., xdr)."},{"name":"SHA256Hashes","type":"string","description":"SHA256 hashes associated with the detection."},{"name":"SensorIds","type":"string","description":"Sensor IDs associated with the detection."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"CrowdStrikeCases","name":"CrowdStrikeCases","tableType":"Microsoft","description":"The CrowdStrikeCases table contains logs from the CrowdStrike Cases API that have been ingested into Microsoft Sentinel.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the host data was ingested."},{"name":"Id","type":"string","description":"The unique ID of the case."},{"name":"Cid","type":"string","description":"The unique customer account ID that the case belongs to."},{"name":"Name","type":"string","description":"The user-defined case name."},{"name":"Description","type":"string","description":"The user-provided description of the case."},{"name":"Status","type":"string","description":"The current status of the case (new, closed, in_progress, reopened)."},{"name":"Severity","type":"int","description":"The current user-provided severity rating of the case (1-100)."},{"name":"SeverityInfo","type":"dynamic","description":"Additional information about the severity of the case."},{"name":"CreatedTimestamp","type":"datetime","description":"The date and time the case was 
created."},{"name":"UpdatedTimestamp","type":"datetime","description":"The date and time the case was last updated."},{"name":"StartTimestamp","type":"datetime","description":"The date and time the case was started."},{"name":"EndTimestamp","type":"datetime","description":"The date and time the case was ended."},{"name":"Version","type":"int","description":"The current case version."},{"name":"Tags","type":"dynamic","description":"A list of user-defined labels applied to the case."},{"name":"AssignedTo","type":"dynamic","description":"Details about the user who is currently assigned to the case."},{"name":"CreatedBy","type":"dynamic","description":"Details about the user who created the case."},{"name":"LastUpdatedBy","type":"dynamic","description":"Details about the user who last updated the case."},{"name":"Consistency","type":"dynamic","description":"Background processing details associated with updates made to the case."},{"name":"Evidence","type":"dynamic","description":"Evidence associated with the case (alerts, events)."},{"name":"AnalysisResults","type":"dynamic","description":"The results of analyzing the case evidence (alerts, cloud_assets, events, files, hosts, users)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["4e44198b-0072-4be0-a2aa-60b8804da78f"]}},{"id":"CrowdStrikeDetections","name":"CrowdStrikeDetections","tableType":"Microsoft","description":"The CrowdStrikeDetections table contains logs from the CrowdStrike Detections API that have been ingested into Microsoft Sentinel.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the detection was 
ingested."},{"name":"AdversaryIds","type":"dynamic","description":"List of adversary IDs associated with the detection."},{"name":"Behaviors","type":"dynamic","description":"List of behaviors detected that contributed to this detection."},{"name":"BehaviorsProcessed","type":"dynamic","description":"List of behaviors that have been processed and analyzed."},{"name":"CreatedTimestamp","type":"datetime","description":"Timestamp when the detection was first created."},{"name":"DateUpdated","type":"string","description":"Date when the detection record was last updated."},{"name":"DetectionId","type":"string","description":"Unique identifier for the detection."},{"name":"FirstBehavior","type":"datetime","description":"Timestamp of the first behavior in the detection sequence."},{"name":"HostInfo","type":"dynamic","description":"Information about the host where the detection occurred."},{"name":"LastBehavior","type":"datetime","description":"Timestamp of the most recent behavior in the detection."},{"name":"MaxConfidence","type":"int","description":"Maximum confidence score across all behaviors in the detection."},{"name":"MaxSeverity","type":"int","description":"Maximum severity level across all behaviors in the detection."},{"name":"MaxSeverityDisplayName","type":"string","description":"Text representation of the maximum severity level."},{"name":"OverwatchNotes","type":"string","description":"Notes added by CrowdStrike Overwatch analysts."},{"name":"AgentScanId","type":"string","description":"Identifier for the agent scan that detected this threat."},{"name":"UpdatedTimestamp","type":"datetime","description":"Timestamp when the detection was last updated."},{"name":"EmailSent","type":"bool","description":"Indicates if an email notification was sent for this detection."},{"name":"SecondsToResolved","type":"int","description":"Time in seconds from detection creation to resolution."},{"name":"SecondsToTriaged","type":"int","description":"Time in seconds from detection 
creation to triage."},{"name":"ShowInUi","type":"bool","description":"Indicates if the detection should be displayed in the user interface."},{"name":"Status","type":"string","description":"Current status of the detection (e.g., new, in_progress, resolved)."},{"name":"AllegedFiletype","type":"string","description":"The suspected file type of the malicious file."},{"name":"ChildProcessIds","type":"dynamic","description":"List of child process IDs spawned by the detected process."},{"name":"CloudIndicator","type":"bool","description":"Indicates if the detection involves cloud-based indicators."},{"name":"Cmdline","type":"string","description":"Command line used to execute the detected process."},{"name":"DetectionContext","type":"dynamic","description":"Additional context information about the detection."},{"name":"Device","type":"dynamic","description":"Information about the device where the detection occurred."},{"name":"FalconHostLink","type":"string","description":"Link to the detection details in the CrowdStrike Falcon console."},{"name":"Filename","type":"string","description":"Name of the file associated with the detection."},{"name":"Filepath","type":"string","description":"Full path to the file associated with the detection."},{"name":"GlobalPrevalence","type":"string","description":"Global prevalence rating of the detected file."},{"name":"GrandparentDetails","type":"dynamic","description":"Details about the grandparent process in the process tree."},{"name":"Incident","type":"dynamic","description":"Associated incident information if the detection is part of an incident."},{"name":"IndicatorId","type":"string","description":"Identifier for the indicator of compromise (IOC) that triggered the detection."},{"name":"IocContext","type":"dynamic","description":"Context information about the indicator of compromise."},{"name":"LocalPrevalence","type":"string","description":"Local prevalence rating of the detected file within the 
organization."},{"name":"LocalProcessId","type":"string","description":"Local process ID on the system where the detection occurred."},{"name":"LogonDomain","type":"string","description":"Domain used for user logon associated with the detection."},{"name":"Md5","type":"string","description":"MD5 hash of the detected file."},{"name":"NetworkAccesses","type":"dynamic","description":"List of network connections made by the detected process."},{"name":"OsName","type":"string","description":"Operating system name where the detection occurred."},{"name":"ParentDetails","type":"dynamic","description":"Details about the parent process in the process tree."},{"name":"ParentProcessId","type":"string","description":"Process ID of the parent process."},{"name":"PatternDisposition","type":"int","description":"Numerical identifier for the action taken by the detection pattern."},{"name":"PatternDispositionDescription","type":"string","description":"Text description of the pattern disposition action."},{"name":"PatternDispositionDetails","type":"dynamic","description":"Detailed information about the pattern disposition."},{"name":"ProcessEndTime","type":"string","description":"Timestamp when the detected process ended."},{"name":"ProcessId","type":"string","description":"Process ID of the detected process."},{"name":"ProcessStartTime","type":"string","description":"Timestamp when the detected process started."},{"name":"Quarantined","type":"bool","description":"Indicates if the detected file was quarantined."},{"name":"QuarantinedFiles","type":"dynamic","description":"List of files that were quarantined as part of this detection."},{"name":"ScanId","type":"string","description":"Identifier for the scan that detected the threat."},{"name":"Sha256","type":"string","description":"SHA256 hash of the detected file."},{"name":"Sha1","type":"string","description":"SHA1 hash of the detected file."},{"name":"TemplateInstanceId","type":"int","description":"Instance ID of the detection 
template used."},{"name":"TemplateInterfaceId","type":"int","description":"Interface ID of the detection template."},{"name":"TemplateInterfaceName","type":"string","description":"Name of the detection template interface."},{"name":"TreeId","type":"string","description":"Identifier for the process tree associated with the detection."},{"name":"TreeRoot","type":"string","description":"Root process identifier of the process tree."},{"name":"TriggeringProcessGraphId","type":"string","description":"Graph ID of the process that triggered the detection."},{"name":"DetectionType","type":"string","description":"Type or category of the detection."},{"name":"UserId","type":"string","description":"User ID associated with the detected process."},{"name":"UserName","type":"string","description":"Username associated with the detected process."},{"name":"UserPrincipal","type":"string","description":"User principal name (UPN) associated with the detected process."},{"name":"AssignedToName","type":"string","description":"Name of the user assigned to investigate the detection."},{"name":"AssignedToUid","type":"string","description":"User ID of the assigned investigator."},{"name":"AssignedToUuid","type":"string","description":"UUID of the assigned investigator."},{"name":"Cid","type":"string","description":"Customer ID in the CrowdStrike platform."},{"name":"CompositeId","type":"string","description":"Composite identifier combining multiple detection attributes."},{"name":"Confidence","type":"int","description":"Confidence score of the detection (0-100)."},{"name":"CrawledTimestamp","type":"datetime","description":"Timestamp when the detection data was last crawled."},{"name":"Description","type":"string","description":"Description of the detection."},{"name":"EndTime","type":"datetime","description":"Timestamp when the detection ended."},{"name":"Entities","type":"dynamic","description":"Entities associated with the 
detection."},{"name":"EntityValues","type":"dynamic","description":"Values of the entities associated with the detection."},{"name":"Id","type":"string","description":"Unique identifier for the detection."},{"name":"MitreAttack","type":"dynamic","description":"MITRE ATT&CK tactics and techniques associated with the detection."},{"name":"Name","type":"string","description":"Name of the detection."},{"name":"References","type":"dynamic","description":"References associated with the detection."},{"name":"SourceEventModel","type":"string","description":"Source event model associated with the detection."},{"name":"Tactics","type":"dynamic","description":"Tactics associated with the detection."},{"name":"TacticIds","type":"dynamic","description":"IDs of the tactics associated with the detection."},{"name":"Techniques","type":"dynamic","description":"Techniques associated with the detection."},{"name":"TechniqueIds","type":"dynamic","description":"IDs of the techniques associated with the detection."},{"name":"XdrDetectionId","type":"string","description":"XDR detection ID associated with the detection."},{"name":"AddedPrivileges","type":"dynamic","description":"Privileges added during the detection process."},{"name":"AggregateId","type":"string","description":"Aggregate ID associated with the detection."},{"name":"Objective","type":"string","description":"Objective associated with the detection."},{"name":"PolyId","type":"string","description":"Poly ID associated with the detection."},{"name":"PreviousPrivileges","type":"string","description":"Privileges previously held before the detection process."},{"name":"Privileges","type":"string","description":"Current privileges associated with the detection."},{"name":"Scenario","type":"string","description":"Scenario associated with the detection."},{"name":"Severity","type":"int","description":"Severity level of the detection."},{"name":"SeverityName","type":"string","description":"Name of the severity level associated with 
the detection."},{"name":"SourceAccountDomain","type":"string","description":"Source account domain associated with the detection."},{"name":"SourceAccountName","type":"string","description":"Source account name associated with the detection."},{"name":"SourceAccountObjectGuid","type":"string","description":"Source account object GUID associated with the detection."},{"name":"SourceAccountObjectSid","type":"string","description":"Source account object SID associated with the detection."},{"name":"SourceAccountSamAccountName","type":"string","description":"Source account SAM account name associated with the detection."},{"name":"SourceAccountUpn","type":"string","description":"Source account UPN associated with the detection."},{"name":"Tactic","type":"string","description":"Tactic associated with the detection."},{"name":"Technique","type":"string","description":"Technique associated with the detection."},{"name":"TacticId","type":"string","description":"ID of the tactic associated with the detection."},{"name":"TechniqueId","type":"string","description":"ID of the technique associated with the detection."},{"name":"TemplateInstanceIdText","type":"string","description":"Instance ID of the detection template used (string representation)."},{"name":"TemplateInterfaceIdText","type":"string","description":"Interface ID of the detection template (string representation)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["f8a1b2c3-4d5e-6f7a-8b9c-0d1e2f3a4b5c"]}},{"id":"CrowdStrikeHosts","name":"CrowdStrikeHosts","tableType":"Microsoft","description":"The CrowdStrikeHosts table contains logs from the CrowdStrike Hosts API that have been ingested into Microsoft 
Sentinel.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the host data was ingested."},{"name":"AgentLoadFlags","type":"string","description":"Flags indicating the load status of the CrowdStrike agent."},{"name":"AgentLocalTime","type":"string","description":"Local time of the system where the agent is installed."},{"name":"AgentVersion","type":"string","description":"Version of the installed CrowdStrike agent."},{"name":"BaseImageVersion","type":"string","description":"Version of the base operating system image."},{"name":"BiosManufacturer","type":"string","description":"Manufacturer of the system BIOS."},{"name":"BiosVersion","type":"string","description":"Version of the system BIOS."},{"name":"BuildNumber","type":"string","description":"Operating system build number."},{"name":"ChassisType","type":"string","description":"Type of system chassis (numerical identifier)."},{"name":"ChassisTypeDesc","type":"string","description":"Description of the system chassis type."},{"name":"Cid","type":"string","description":"Customer ID in the CrowdStrike platform."},{"name":"ConfigIdBase","type":"string","description":"Base configuration ID for the CrowdStrike agent."},{"name":"ConfigIdBuild","type":"string","description":"Build configuration ID for the CrowdStrike agent."},{"name":"ConfigIdPlatform","type":"string","description":"Platform-specific configuration ID for the CrowdStrike agent."},{"name":"ConnectionIp","type":"string","description":"IP address used by the host to connect to CrowdStrike cloud."},{"name":"ConnectionMacAddress","type":"string","description":"MAC address of the network interface used for CrowdStrike connection."},{"name":"CpuSignature","type":"string","description":"Unique identifier for the CPU architecture and features."},{"name":"CpuVendor","type":"string","description":"Manufacturer of the 
CPU."},{"name":"DefaultGatewayIp","type":"string","description":"IP address of the default network gateway."},{"name":"DeploymentType","type":"string","description":"Type of CrowdStrike agent deployment on the host."},{"name":"DetectionSuppressionStatus","type":"string","description":"Status of detection suppression rules applied to the host."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in CrowdStrike platform."},{"name":"DevicePolicies","type":"dynamic","description":"List of security policies applied to the device."},{"name":"Email","type":"string","description":"Email address associated with the host or primary user."},{"name":"ExternalIp","type":"string","description":"External IP address of the host."},{"name":"FilesystemContainmentStatus","type":"string","description":"Status of filesystem containment feature for the host."},{"name":"FirstLoginTimestamp","type":"string","description":"Timestamp of the first user login on the host."},{"name":"FirstSeen","type":"string","description":"Timestamp when the host was first seen by CrowdStrike."},{"name":"GroupHash","type":"string","description":"Hash identifier for the host's group membership."},{"name":"Groups","type":"dynamic","description":"List of security groups the host belongs to."},{"name":"HostHiddenStatus","type":"string","description":"Indicates if the host is hidden from normal visibility."},{"name":"HostUtcOffset","type":"string","description":"UTC time offset for the host's timezone."},{"name":"Hostname","type":"string","description":"Network hostname of the system."},{"name":"InstanceId","type":"string","description":"Cloud instance identifier (if applicable)."},{"name":"InternetExposure","type":"string","description":"Level of internet exposure for the host."},{"name":"K8sClusterGitVersion","type":"string","description":"Git version of the Kubernetes cluster deployment."},{"name":"K8sClusterId","type":"string","description":"Unique identifier for the Kubernetes 
cluster."},{"name":"K8sClusterVersion","type":"string","description":"Version of the Kubernetes cluster."},{"name":"KernelVersion","type":"string","description":"Version of the operating system kernel."},{"name":"LastLoginTimestamp","type":"string","description":"Timestamp of the most recent user login."},{"name":"LastLoginUid","type":"string","description":"User ID of the last user to log in."},{"name":"LastLoginUser","type":"string","description":"Username of the last user to log in."},{"name":"LastLoginUserSid","type":"string","description":"Security identifier (SID) of the last user to log in."},{"name":"LastReboot","type":"string","description":"Timestamp of the last system reboot."},{"name":"LastSeen","type":"string","description":"Timestamp when the host was last seen active by CrowdStrike."},{"name":"LinuxSensorMode","type":"string","description":"Operating mode of the CrowdStrike sensor on Linux systems."},{"name":"LocalIp","type":"string","description":"Local/Internal IP address of the host."},{"name":"MacAddress","type":"string","description":"Primary MAC address of the host."},{"name":"MachineDomain","type":"string","description":"Domain name the machine is joined to."},{"name":"MajorVersion","type":"string","description":"Major version number of the operating system."},{"name":"ManagedApps","type":"dynamic","description":"List of applications managed by CrowdStrike on the host."},{"name":"Meta","type":"dynamic","description":"Additional metadata about the host."},{"name":"MigrationCompletedTime","type":"string","description":"Timestamp when agent migration was completed."},{"name":"MinorVersion","type":"string","description":"Minor version number of the operating system."},{"name":"ModifiedTimestamp","type":"string","description":"Timestamp when the host record was last modified."},{"name":"Notes","type":"dynamic","description":"Custom notes or annotations about the host."},{"name":"OsBuild","type":"string","description":"Build number of the operating 
system."},{"name":"OsProductName","type":"string","description":"Product name of the operating system."},{"name":"OsVersion","type":"string","description":"Version string of the operating system."},{"name":"Ou","type":"dynamic","description":"Organizational Unit information for the host."},{"name":"PlatformId","type":"string","description":"Unique identifier for the platform type."},{"name":"PlatformName","type":"string","description":"Name of the platform."},{"name":"PodAnnotations","type":"dynamic","description":"Kubernetes pod annotations associated with the host."},{"name":"PodHostIp4","type":"string","description":"IPv4 address of the Kubernetes pod host."},{"name":"PodHostIp6","type":"string","description":"IPv6 address of the Kubernetes pod host."},{"name":"PodHostname","type":"string","description":"Hostname of the Kubernetes pod."},{"name":"PodId","type":"string","description":"Unique identifier for the Kubernetes pod."},{"name":"PodIp4","type":"string","description":"IPv4 address assigned to the Kubernetes pod."},{"name":"PodIp6","type":"string","description":"IPv6 address assigned to the Kubernetes pod."},{"name":"PodLabels","type":"dynamic","description":"Labels assigned to the Kubernetes pod."},{"name":"PodName","type":"string","description":"Name of the Kubernetes pod."},{"name":"PodNamespace","type":"string","description":"Kubernetes namespace where the pod is deployed."},{"name":"PodServiceAccountName","type":"string","description":"Name of the Kubernetes service account used by the pod."},{"name":"PointerSize","type":"string","description":"Memory pointer size of the system architecture (32/64 bit)."},{"name":"Policies","type":"dynamic","description":"List of all security policies applied to the host."},{"name":"ProductType","type":"string","description":"Type of product or system (numerical identifier)."},{"name":"ProductTypeDesc","type":"string","description":"Description of the product or system 
type."},{"name":"ProvisionStatus","type":"string","description":"Current provisioning status of the host."},{"name":"ReducedFunctionalityMode","type":"string","description":"Indicates if the host is running in reduced functionality mode."},{"name":"ReleaseGroup","type":"string","description":"Group identifier for software release management."},{"name":"RtrState","type":"string","description":"State of Real Time Response functionality."},{"name":"SerialNumber","type":"string","description":"System serial number from BIOS/hardware."},{"name":"ServicePackMajor","type":"string","description":"Major version of installed service pack."},{"name":"ServicePackMinor","type":"string","description":"Minor version of installed service pack."},{"name":"ServiceProvider","type":"string","description":"Cloud service provider hosting the system."},{"name":"ServiceProviderAccountId","type":"string","description":"Account identifier from the cloud service provider."},{"name":"SiteName","type":"string","description":"Name of the site where the host is located."},{"name":"Status","type":"string","description":"Current operational status of the host."},{"name":"SystemManufacturer","type":"string","description":"Manufacturer of the system hardware."},{"name":"SystemProductName","type":"string","description":"Product name or model of the system."},{"name":"Tags","type":"dynamic","description":"Custom tags assigned to the host."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"CrowdStrikeIncidents","name":"CrowdStrikeIncidents","tableType":"Microsoft","description":"The CrowdStrikeIncidents table contains logs from the CrowdStrike Incidents API that have been ingested into Microsoft 
Sentinel.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the incident data was ingested."},{"name":"AssignedTo","type":"string","description":"ID of the user assigned to the incident."},{"name":"AssignedToName","type":"string","description":"Name of the user assigned to handle the incident."},{"name":"Cid","type":"string","description":"Customer ID in the CrowdStrike platform."},{"name":"Created","type":"datetime","description":"Timestamp when the incident was created."},{"name":"Description","type":"string","description":"Detailed description of the incident."},{"name":"EmailState","type":"string","description":"Current state of email notifications for the incident."},{"name":"End","type":"datetime","description":"Timestamp when the incident was closed or resolved."},{"name":"EventsHistogram","type":"dynamic","description":"Timeline of events associated with the incident."},{"name":"FineScore","type":"int","description":"Severity score assigned to the incident."},{"name":"GroupingIds","type":"dynamic","description":"List of IDs used to group related incidents."},{"name":"HostIds","type":"dynamic","description":"List of host IDs involved in the incident."},{"name":"Hosts","type":"dynamic","description":"Detailed information about affected hosts."},{"name":"IncidentId","type":"string","description":"Unique identifier for the incident."},{"name":"IncidentType","type":"int","description":"Numerical identifier for the type of incident."},{"name":"LmHostIds","type":"dynamic","description":"List of host IDs associated with Lightweight Mode."},{"name":"LmHostsCapped","type":"bool","description":"Indicates if the number of Lightweight Mode hosts was capped."},{"name":"LmTypes","type":"int","description":"Types of Lightweight Mode configurations."},{"name":"LmraHostIds","type":"dynamic","description":"List 
of host IDs associated with LMRA (Lightweight Mode Remote Access)."},{"name":"LmraHostsCapped","type":"bool","description":"Indicates if the number of LMRA hosts was capped."},{"name":"ModifiedTimestamp","type":"datetime","description":"Timestamp when the incident was last modified."},{"name":"Name","type":"string","description":"Name or title of the incident."},{"name":"Objectives","type":"dynamic","description":"List of attacker objectives identified in the incident."},{"name":"Start","type":"datetime","description":"Timestamp when the incident started."},{"name":"State","type":"string","description":"Current state of the incident."},{"name":"Status","type":"int","description":"Numerical status code of the incident."},{"name":"Tactics","type":"dynamic","description":"List of MITRE ATT&CK tactics identified in the incident."},{"name":"Tags","type":"dynamic","description":"Custom tags associated with the incident."},{"name":"Techniques","type":"dynamic","description":"List of MITRE ATT&CK techniques identified in the incident."},{"name":"Users","type":"dynamic","description":"List of users involved in or affected by the incident."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["b1c2d3e4-f5a6-7b8c-9d0e-1f2a3b4c5d6e"]}},{"id":"CrowdStrikeVulnerabilities","name":"CrowdStrikeVulnerabilities","tableType":"Microsoft","description":"The CrowdStrikeVulnerabilities table contains logs from the CrowdStrike Vulnerabilities API that have been ingested into Microsoft Sentinel.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the event was 
ingested."},{"name":"Id","type":"string","description":"Unique identifier for the vulnerability record."},{"name":"Cid","type":"string","description":"Customer ID in the CrowdStrike platform."},{"name":"Aid","type":"string","description":"Agent ID of the system where vulnerability was detected."},{"name":"VulnerabilityId","type":"string","description":"Unique identifier for the specific vulnerability."},{"name":"DataProviders","type":"dynamic","description":"List of data providers that reported this vulnerability."},{"name":"CreatedTimestamp","type":"datetime","description":"Timestamp when the vulnerability was first detected."},{"name":"UpdatedTimestamp","type":"datetime","description":"Timestamp when the vulnerability record was last updated."},{"name":"Status","type":"string","description":"Current status of the vulnerability."},{"name":"Apps","type":"dynamic","description":"List of affected applications."},{"name":"SuppressionInfo","type":"dynamic","description":"Information about vulnerability suppression if applied."},{"name":"Confidence","type":"string","description":"Confidence level of the vulnerability detection."},{"name":"App","type":"dynamic","description":"Detailed information about the affected application."},{"name":"Cve","type":"dynamic","description":"Common Vulnerabilities and Exposures (CVE) information."},{"name":"HostInfo","type":"dynamic","description":"Information about the affected host system."},{"name":"Remediation","type":"dynamic","description":"Remediation steps or recommendations for the vulnerability."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"DCRLogErrors","name":"DCRLogErrors","tableType":"Microsoft","description":"Errors registered during DCR-based data collection and 
transformation.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"Name of the operation. Can be Ingestion or Transformation."},{"name":"CorrelationId","type":"string","description":"The ID for the correlated events. Can be used to identify correlated events between multiple tables."},{"name":"InputStreamId","type":"string","description":"Stream name of the input."},{"name":"Message","type":"string","description":"Error describing the issue."},{"name":"ClientRequestId","type":"string","description":"Guid passed in x-ms-client-request-id header while ingesting data."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.insights/datacollectionrules"],"solutions":["LogManagement"],"queries":["d7d0e750-f20c-4d13-8887-2d088f25bb68"]}},{"id":"DCRLogTroubleshooting","name":"DCRLogTroubleshooting","tableType":"Microsoft","description":"Logs from DCR-based data collection and transformation to help with troubleshooting of DCR configuration and flow.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"Name of the operation. Can be Ingestion or 
Transformation."},{"name":"CorrelationId","type":"string","description":"The ID for the correlated events. Can be used to identify correlated events between multiple tables."},{"name":"InputStreamId","type":"string","description":"Stream name of the input."},{"name":"Message","type":"string","description":"Error describing the issue."},{"name":"ClientRequestId","type":"string","description":"Guid passed in x-ms-client-request-id header while ingesting data."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"]}},{"id":"DHAppReliability","name":"DHAppReliability","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"ComputerID","type":"string"},{"name":"ConfigMgrClientID","type":"string"},{"name":"Computer","type":"string"},{"name":"DeviceLastSeenTime","type":"datetime"},{"name":"AppFileName","type":"string"},{"name":"AppFileDisplayName","type":"string"},{"name":"AppFileVersion","type":"string","isPreferredFacet":true},{"name":"AppName","type":"string"},{"name":"AppVersion","type":"string"},{"name":"OSBuildNumber","type":"int"},{"name":"OSRevisionNumber","type":"int","isPreferredFacet":true},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"Publisher","type":"string"},{"name":"HasUsageTrailing","type":"bool"},{"name":"HasUsageDaily","type":"bool"},{"name":"HasCrashesTrailing","type":"bool"},{"name":"HasCrashesDaily","type":"bool"},{"name":"HasHangsTrailing","type":"bool"},{"name":"HasHangsDaily","type":"bool"},{"name":"HasIncidentsTrailing","type":"bool"},{"name":"HasIncide
ntsDaily","type":"bool"},{"name":"CrashFreeDevicesPercentForIndustryTrailing","type":"real"},{"name":"HangFreeDevicesPercentForIndustryTrailing","type":"real"},{"name":"IncidentFreeDevicesPercentForIndustryTrailing","type":"real"},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["DeviceHealthProd"]}},{"id":"DHDriverReliability","name":"DHDriverReliability","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"DeviceLastSeenTime","type":"datetime"},{"name":"DriverKernelModeCrashCount","type":"int"},{"name":"DriverName","type":"string","isPreferredFacet":true},{"name":"DriverPercentCrashFreeDevicesForIndustry","type":"real"},{"name":"DriverVendor","type":"string","isPreferredFacet":true},{"name":"DriverVersion","type":"string"},{"name":"HardwareType","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["DeviceHealthProd"]}},{"id":"DHLogonFailures","name":"DHLogonFailures","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"ComputerID","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string"},{"name":"Country","type":"string","isPreferredFacet":true},{"name":"Manufacturer","type":"string","isPreferredFacet":true},{"name":"ModelFamily","type":"string"},{"name":"Model","type":"string","isPreferredFacet":true},{"name":"OSArchitecture","type":"string"},{"name":"OSEdition","type":"string"},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"OSBuildNumber","type":"int"},{"name":"OSRevisionNumber","type":"int","isPreferredFacet":true},{"name":"ProviderId","type":"string"},{"name":"ProviderName","type":"string","isPreferredFacet":true},{"name":"LogonStatus","type":"string"},{"name":"LogonSubStatus","type":"string"},{"name":"SignInFailureReason","type":"string","isPreferredFacet":true},{"name":"SuggestedSignInRemediation","type":"string"},{"name":"SignInUserError","type":"string","isPreferredFacet":true},{"name":"SignInFailureCount","type":"long"},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["DeviceHealthProd"]}},{"id":"DHLogonMetrics","name":"DHLogonMetrics","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"ComputerID","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string"},{"name":"Country","type":"string","isPreferredFacet":true},{"name":"Manufacturer","type":"string","isPreferredFacet":true},{"name":"ModelFamily","type":"string","isPreferredFacet":true},{"name":"Model","type":"string","isPreferredFacet":true},{"name":"OSArchitecture","type":"string","isPreferredFacet":true},{"name":"OSEdition","type":"string","isPreferredFacet":true},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"OSBuildNumber","type":"int","isPreferredFacet":true},{"name":"OSRevisionNumber","type":"int"},{"name":"ProviderId","type":"string"},{"name":"ProviderName","type":"string","isPreferredFacet":true},{"name":"SignInIndustrySuccessRate","type":"real"},{"name":"SignInSuccessRate","type":"real"},{"name":"PreferredSignInProviderId","type":"string"},{"name":"PreferredSignInProviderName","type":"string"},{"name":"TotalDailySignIns","type":"long"},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["DeviceHealthProd"]}},{"id":"DHOSCrashData","name":"DHOSCrashData","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"DriverName","type":"string","isPreferredFacet":true},{"name":"DriverVersion","type":"string"},{"name":"KernelModeCrashBugCheckCode","type":"string","isPreferredFacet":true},{"name":"KernelModeCrashCount","type":"int"},{"name":"KernelModeCrashFailureId","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["DeviceHealthProd"]}},{"id":"DHOSReliability","name":"DHOSReliability","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"AbnormalShutdownCount","type":"int"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"ConfigMgrClientID","type":"string"},{"name":"Country","type":"string","isPreferredFacet":true},{"name":"DeviceLastSeenTime","type":"datetime"},{"name":"KernelModeCrashCount","type":"int"},{"name":"KernelModeCrashFreePercentForIndustry","type":"real"},{"name":"Manufacturer","type":"string","isPreferredFacet":true},{"name":"Model","type":"string","isPreferredFacet":true},{"name":"ModelFamily","type":"string","isPreferredFacet":true},{"name":"OSArchitecture","type":"string"},{"name":"OSBuildNumber","type":"int"},{"name":"OSEdition","type":"string","isPreferredFacet":true},{"name":"OSRevisionNumber","type":"int"},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"dat
etime","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["DeviceHealthProd"]}},{"id":"DHWipAppLearning","name":"DHWipAppLearning","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"AppName","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"ConfigMgrClientID","type":"string"},{"name":"EventFiredTime","type":"datetime"},{"name":"WipActionType","type":"string","isPreferredFacet":true},{"name":"WipAppId","type":"string","isPreferredFacet":true},{"name":"WipAppIdType","type":"string","isPreferredFacet":true},{"name":"WipAppRuleType","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["DeviceHealthProd"]}},{"id":"DNSQueryLogs","name":"DNSQueryLogs","tableType":"Microsoft","description":"DNS query logs enable customers to monitor the DNS traffic in their virtual networks and help secure their DNS infrastructure.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"Name of the operation."},{"name":"Version","type":"string","description":"The version number of the query log format."},{"name":"Region","type":"string","description":"The region where the virtual network was created."},{"name":"VirtualNetworkId","type":"string","description":"The ID of the virtual 
network that the query originated in."},{"name":"QueryName","type":"string","description":"The domain name (contoso.com) or subdomain name (www.contoso.com) that was specified in the query."},{"name":"QueryType","type":"string","description":"Either the DNS record type that was specified in the request, or ANY."},{"name":"QueryClass","type":"string","description":"Specifies the protocol family. For example, IN for Internet."},{"name":"ResponseCode","type":"int","description":"Response code that resolver returned in response to the DNS query."},{"name":"Answer","type":"dynamic","description":"Array of answers for DNS query."},{"name":"Authority","type":"dynamic","description":"Array of authority DNS servers for DNS query."},{"name":"AdditionalRecords","type":"dynamic","description":"Array of additional resource records."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the instance that the query originated from."},{"name":"SourcePort","type":"int","description":"The port on the instance that the query originated from."},{"name":"DestinationIpAddress","type":"string","description":"The IP address of the instance that the query was sent to (outbound endpoints)."},{"name":"DestinationPort","type":"int","description":"The port on the instance that the query was sent to."},{"name":"Transport","type":"string","description":"The protocol (UDP or TCP) used to submit the DNS query."},{"name":"PrivateResolverEndpointId","type":"string","description":"The ID of the resolver endpoint. 
Can be inbound, or outbound."},{"name":"QueryResponseTime","type":"int","description":"Response time for resolution of DNS query."},{"name":"ResolutionPath","type":"string","description":"Resolution path can be private zones, ruleset, or public DNS resolution."},{"name":"ResolverPolicyId","type":"string","description":"The ID of the security policy which filtered the query."},{"name":"ResolverPolicyRuleAction","type":"string","description":"Result after evaluation of the policy rules."},{"name":"ResolverPolicyDomainListId","type":"string","description":"The ID of the domain list which was hit."},{"name":"DnsForwardingRulesetId","type":"string","description":"The ID of the DNS forwarding ruleset which was hit."},{"name":"DnsForwardingRulesetDomain","type":"string","description":"The domain which was hit in the DNS Forwarding ruleset."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.network/dnsresolverpolicies"],"solutions":["LogManagement"],"queries":["24310862-5ed4-41f6-b7b0-66176ac8a4f3"]}},{"id":"DSMAzureBlobStorageLogs","name":"DSMAzureBlobStorageLogs","tableType":"Microsoft","description":"Azure Blob Storage resource logs enriched with data sensitivity context provided by Azure Purview.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) when the first request was received by storage."},{"name":"Location","type":"string","description":"The location of storage 
account."},{"name":"OperationName","type":"string","description":"The type of REST operation that was performed. For example: GetBlob, DeleteBlob."},{"name":"AuthenticationType","type":"string","description":"The type of authentication that was used to make the request. E.g. OAuth, SAS, etc."},{"name":"RequesterAppId","type":"string","description":"The Open Authorization (OAuth) application ID that is used as the requester."},{"name":"RequesterObjectId","type":"string","description":"The Open Authorization (OAuth) object ID that is used as the requester."},{"name":"RequesterTenantId","type":"string","description":"The Open Authorization (OAuth) tenant ID that is used as the requester."},{"name":"AuthenticationHash","type":"string","description":"The hash of authentication token."},{"name":"RequesterUpn","type":"string","description":"The user principal names (UPN) of requestor."},{"name":"StatusCode","type":"string","description":"The HTTP status code for the request. If the request is interrupted, this value might be set to Unknown."},{"name":"Uri","type":"string","description":"Uniform resource identifier that is requested."},{"name":"CallerIpAddress","type":"string","description":"The IP address of the requester."},{"name":"UserAgentHeader","type":"string","description":"The user-agent header value."},{"name":"Category","type":"string","description":"The category of requested operation."},{"name":"AggregationCount","type":"long","description":"Number of events that were aggregated into a single entry."},{"name":"AggregationLastEventTime","type":"datetime","description":"The time (UTC) when the last request was received by storage."},{"name":"SumResponseBodySize","type":"long","description":"The sum of packets in responses written by the storage service, in bytes. 
If request(s) are unsuccessful, this value may be empty."},{"name":"ResourceSubscriptionId","type":"string","description":"The subscription ID (GUID) of the storage account being accessed."},{"name":"ResourceGroup","type":"string","description":"The Resource Group name of the storage account that was accessed."},{"name":"AccountName","type":"string","description":"The name of the storage account."},{"name":"CorrelationId","type":"string","description":"The ID that is used to correlate resource logs with data sensitivity logs."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["LogManagement"]}},{"id":"DSMDataClassificationLogs","name":"DSMDataClassificationLogs","tableType":"Microsoft","description":"Contains data classification information provided by Azure Purview and is used to correlate storage resource logs with data sensitivity information.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) when Azure Purview scan of asset occurred."},{"name":"Uri","type":"string","description":"Uniform resource identifier representing the asset that was scanned."},{"name":"Classifications","type":"dynamic","description":"JSON containing the list of classifications that were discovered."},{"name":"CorrelationId","type":"string","description":"The ID that is used to correlate resource logs with data sensitivity logs."},{"name":"SourceType","type":"string","description":"Type of resource that was scanned by Azure Purview (Azure Blob, Azure File, etc.)."},{"name":"AssetType","type":"string","description":"Type of asset that was scanned by Azure Purview (e.g., File, Table)."},{"name":"AssetLastScanTime","type":"datetime","description":"The time (UTC) when the resource scan for sensitivity was 
performed by Azure Purview."},{"name":"ClassificationDetails","type":"dynamic","description":"For every classification found in the resource - corresponding Instance Count (i.e. how many occurrences of a specific type of classification was present) and Confidence (i.e. Match Accuracy) is listed."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","resources"],"solutions":["LogManagement"]}},{"id":"DSMDataLabelingLogs","name":"DSMDataLabelingLogs","tableType":"Microsoft","description":"Contains data sensitivity labeling information provided by Azure Purview and is used to correlate storage resource logs with data sensitivity information.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) when Azure Purview scan of asset occurred."},{"name":"Uri","type":"string","description":"Uniform resource identifier representing the resource that was scanned."},{"name":"SensitivityLabelName","type":"string","description":"The name of sensitive label found and/or applied."},{"name":"CorrelationId","type":"string","description":"The ID that is used to correlate resource logs with data sensitivity logs."},{"name":"AssetLastScanTime","type":"datetime","description":"The time (UTC) when the resource scan for sensitivity was performed by Azure Purview."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","resources"],"solutions":["LogManagement"]}},{"id":"DataSetOutput","name":"DataSetOutput","tableType":"Microsoft","description":"The raw collected data from DCR 
datasets.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the log was generated. This column can be used to construct a time series or to filter data to a specific time window. Example: 2014-05-25T08:20:03.123456Z."},{"name":"DataSetRunId","type":"string","description":"The identifier of the Data Set run for which this data was collected."},{"name":"RawData","type":"string","description":"An arbitrary string containing the collected data for this log record. The data format, encoding, etc. will vary by collection. Local transformation of collected data is supported. Example: 'svchost.exe','1996','0','Unknown','8,384K', '0:00:06'."},{"name":"RawDataLabel","type":"string","description":"Short string that uniquely identifies the format of the collected RawData. Example: Microsoft.TaskList-csv."},{"name":"DataSourceName","type":"string","description":"Data source name as provided by DCR. 
Example: GenerateTaskList."},{"name":"DataSetRunSeqNum","type":"int","description":"A monotonically increasing counter for each log collected during a data set collection. Enables sequential ordering of logs that may have identical timestamps and identifying lost logs within a collection instance."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","virtualmachines"],"resourceTypes":["microsoft.azuremonitordiagnosticsagents/datacollection","microsoft.compute/virtualmachines","microsoft.compute/virtualmachinescalesets"],"solutions":["LogManagement"],"queries":["37325c2f-a267-4c55-8b85-3a315e9e50a3"]}},{"id":"DataSetRuns","name":"DataSetRuns","tableType":"Microsoft","description":"This table contains status and other information about data sources that were collected as part of DCR datasets.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the log was generated. This column can be used to construct a time series or to filter data to a specific time window. Example: 2014-05-25T08:20:03.123456Z."},{"name":"Name","type":"string","description":"The name field from the DCR used for data collection. Example: CollectPerformanceReport."},{"name":"DataSetRunId","type":"string","description":"Randomly generated unique identifier (brace-less UUID) for each collection instance. 
This column enables selecting all data associated with the same collection."},{"name":"DCRId","type":"string","description":"The ARM resource Id of the Data Collection Rule (DCR) that produced the data. This column enables selecting all data associated with the same DCR."},{"name":"CorrelationParams","type":"dynamic","description":"A set of parameters, in JSON, that provide identifiers or other strings used to correlate triggers or workflows that initiated the data set run. For example, if the collection was triggered by an Alert, this column will contain the Alert Resource ID. This column may be empty if the data set run has no known correlations. This column enables selecting all data associated with a common trigger."},{"name":"Status","type":"string","description":"The operation status of the data set collection. This status could apply to the data set or data source. Example: DataSetRunInProgress or DataSourceCollectionSucceeded."},{"name":"StatusDetail","type":"dynamic","description":"Additional information about the status of the data set collection, in JSON."},{"name":"TimeoutMinutes","type":"int","description":"The duration, in minutes, that a data set collection or data source collection can execute before timing out."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","virtualmachines"],"resourceTypes":["microsoft.azuremonitordiagnosticsagents/datacollection","microsoft.compute/virtualmachines","microsoft.compute/virtualmachinescalesets"],"solutions":["LogManagement"],"queries":["37325c2f-a267-4c55-8b85-3a315e9e50a3"]}},{"id":"DataTransferOperations","name":"DataTransferOperations","tableType":"Microsoft","description":"Logs generated by Azure Data Transfer as objects are transferred. These logs can be used to determine if an object has successfully transferred, failed to transfer, or is in the process of transferring. A typical use case would be an object's latest status of 'InTransit' indicating that the object is still transferring and no action needs to be taken.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the log was created."},{"name":"CorrelationId","type":"string","description":"Correlates different log messages for the same object."},{"name":"FlowId","type":"string","description":"The internal ID of the customer's flow."},{"name":"ObjectName","type":"string","description":"Name of the customer's object."},{"name":"ObjectLastUpdated","type":"datetime","description":"Timestamp (in UTC) when the object was last updated."},{"name":"Status","type":"string","description":"The status of the object as it is transferred. 
The status will let a customer know when the transfer has started, when it has finished, and if it has failed."},{"name":"Description","type":"string","description":"Description of the object's state as it is transferred."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.azuredatatransfer/connections"],"solutions":["LogManagement"],"queries":["1681882b-e00c-408b-8cd3-4f0b58374d7a","9d7c3fe3-1f56-4a92-9888-7ba597e3b0d2"]}},{"id":"DatabricksAccounts","name":"DatabricksAccounts","tableType":"Microsoft","description":"Databricks Accounts audit logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The schema version of the Databricks operation-based diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log 
messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksApps","name":"DatabricksApps","tableType":"Microsoft","description":"Audit logs for Databricks lakehouse apps.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the 
operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksBrickStoreHttpGateway","name":"DatabricksBrickStoreHttpGateway","tableType":"Microsoft","description":"Contains Databricks Brick Store Http Gateway logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the 
log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksBudgetPolicyCentral","name":"DatabricksBudgetPolicyCentral","tableType":"Microsoft","description":"Audit logs for Databricks BudgetPolicyCentral.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the 
operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksCapsule8Dataplane","name":"DatabricksCapsule8Dataplane","tableType":"Microsoft","description":"Audit logs for Databricks service capsule8-alerts-dataplane.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, 
write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"dynamic","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"dynamic","description":"The HTTP response to the request, including error message (if applicable), result, and status code."},{"name":"RequestParams","type":"dynamic","description":"Parameters, key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksClamAVScan","name":"DatabricksClamAVScan","tableType":"Microsoft","description":"Audit logs for Databricks 
clamav scan service","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"dynamic","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"dynamic","description":"The HTTP response to the request, including error message (if applicable), result, and status code."},{"name":"RequestParams","type":"dynamic","description":"Parameters, key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksCloudStorageMetadata","name":"DatabricksCloudStorageMetadata","tableType":"Microsoft","description":"Contains Databricks Cloud Storage Metadata logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A 
unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksClusterLibraries","name":"DatabricksClusterLibraries","tableType":"Microsoft","description":"Audit logs for actions taken on cluster libraries in Databricks.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"dynamic","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"dynamic","description":"The HTTP response to the request, including 
error message (if applicable), result, and status code."},{"name":"RequestParams","type":"dynamic","description":"Parameters, key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksClusterPolicies","name":"DatabricksClusterPolicies","tableType":"Microsoft","description":"Audit logs for Databricks cluster policies.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action 
name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksClusters","name":"DatabricksClusters","tableType":"Microsoft","description":"Databricks Clusters audit logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The schema version of the Databricks operation-based diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source 
request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksDBFS","name":"DatabricksDBFS","tableType":"Microsoft","description":"Databricks DBFS audit logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about 
the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksDashboards","name":"DatabricksDashboards","tableType":"Microsoft","description":"Contains Databricks Dashboards logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log 
record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksDataMonitoring","name":"DatabricksDataMonitoring","tableType":"Microsoft","description":"Contains Databricks Data Monitoring logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was 
generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksDataRooms","name":"DatabricksDataRooms","tableType":"Microsoft","description":"Audit logs for Databricks data rooms.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The 
timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksDatabricksSQL","name":"DatabricksDatabricksSQL","tableType":"Microsoft","description":"Databricks databrickssql audit 
logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksDeltaPipelines","name":"DatabricksDeltaPipelines","tableType":"Microsoft","description":"Databricks delta pipelines audit logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and 
statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksFeatureStore","name":"DatabricksFeatureStore","tableType":"Microsoft","description":"Audit logs for events related to Databricks ML Feature Store operations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The schema version of the Databricks operation-based diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log message that can be used to deduplicate them."},{"name":"ServiceName","type":"string","description":"The service of the source 
request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"The unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksFiles","name":"DatabricksFiles","tableType":"Microsoft","description":"Audit logs for the files service in Databricks.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP 
address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksFilesystem","name":"DatabricksFilesystem","tableType":"Microsoft","description":"Contains Databricks Filesystem logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the 
operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksGenie","name":"DatabricksGenie","tableType":"Microsoft","description":"Audit logs for customer support access events on Databricks workspaces.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The schema version of the Databricks operation-based diagnostic log 
format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log message that can be used to deduplicate them."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"The unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksGitCredentials","name":"DatabricksGitCredentials","tableType":"Microsoft","description":"Databricks Git credentials audit 
logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"dynamic","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"dynamic","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"dynamic","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksGlobalInitScripts","name":"DatabricksGlobalInitScripts","tableType":"Microsoft","description":"Audit logs for events related to the creation, modification, etc. of Databricks cluster global init scripts.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The schema version of the Databricks operation-based diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log message; it can be used to deduplicate messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"The unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to 
the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksGroups","name":"DatabricksGroups","tableType":"Microsoft","description":"Audit logs for Databricks groups.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action 
name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksIAMRole","name":"DatabricksIAMRole","tableType":"Microsoft","description":"Audit logs for events of changing IAM role ACLs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The schema version of the Databricks operation-based diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log message that can be used to deduplicate 
them."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"The unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksIngestion","name":"DatabricksIngestion","tableType":"Microsoft","description":"Contains Databricks Ingestion logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed 
the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksInstancePools","name":"DatabricksInstancePools","tableType":"Microsoft","description":"Databricks Instance Pools audit logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log 
format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksJobs","name":"DatabricksJobs","tableType":"Microsoft","description":"Databricks Jobs audit 
logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksLakeviewConfig","name":"DatabricksLakeviewConfig","tableType":"Microsoft","description":"Audit logs for the Lakeview configuration service in Databricks.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A 
unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksLineageTracking","name":"DatabricksLineageTracking","tableType":"Microsoft","description":"Contains Databricks Lineage Tracking logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksMLflowAcledArtifact","name":"DatabricksMLflowAcledArtifact","tableType":"Microsoft","description":"Audit logs for events of reading and writing Databricks MLflow ACLed artifacts.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The schema version of the Databricks operation-based diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log message that can be used to deduplicate them."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the 
action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"The unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksMLflowExperiment","name":"DatabricksMLflowExperiment","tableType":"Microsoft","description":"Audit logs for events related to manipulation of Databricks MLflow experiments.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The schema version of the Databricks operation-based diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the 
requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log message that can be used to deduplicate them."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"The unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksMarketplaceConsumer","name":"DatabricksMarketplaceConsumer","tableType":"Microsoft","description":"Contains Databricks Marketplace Consumer logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation 
associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksMarketplaceProvider","name":"DatabricksMarketplaceProvider","tableType":"Microsoft","description":"Audit logs for Marketplace provider in Databricks.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was 
generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksModelRegistry","name":"DatabricksModelRegistry","tableType":"Microsoft","description":"Databricks model registry audit 
logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksNotebook","name":"DatabricksNotebook","tableType":"Microsoft","description":"Databricks Notebook audit logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter 
key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksOnlineTables","name":"DatabricksOnlineTables","tableType":"Microsoft","description":"Audit logs for online tables in Databricks.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request 
parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksPartnerHub","name":"DatabricksPartnerHub","tableType":"Microsoft","description":"Audit logs for Databricks partner hub service.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"dynamic","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the 
request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"dynamic","description":"The HTTP response to the request, including error message (if applicable), result, and status code."},{"name":"RequestParams","type":"dynamic","description":"Parameters, key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksPredictiveOptimization","name":"DatabricksPredictiveOptimization","tableType":"Microsoft","description":"Contains Databricks Predictive Optimization logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the 
operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksRBAC","name":"DatabricksRBAC","tableType":"Microsoft","description":"Audit logs for role based access control in Databricks.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The 
IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksRFA","name":"DatabricksRFA","tableType":"Microsoft","description":"Audit logs for request for access events in Databricks.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the 
operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksRemoteHistoryService","name":"DatabricksRemoteHistoryService","tableType":"Microsoft","description":"Audit logs for events adding and deleting credentials for Databricks remote history service.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The schema version of the Databricks 
operation-based diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log message that can be used to deduplicate them."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"The unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksRepos","name":"DatabricksRepos","tableType":"Microsoft","description":"Databricks repos audit 
logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksSQL","name":"DatabricksSQL","tableType":"Microsoft","description":"Audit logs for events related to creation, modification etc. of Databricks SQL endpoints.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The schema version of the Databricks operation-based diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log message that can be used to deduplicate them."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"The unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if 
applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksSQLPermissions","name":"DatabricksSQLPermissions","tableType":"Microsoft","description":"Databricks SQL Permissions audit logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the 
request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksSSH","name":"DatabricksSSH","tableType":"Microsoft","description":"Databricks SSH audit logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the 
requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksSecrets","name":"DatabricksSecrets","tableType":"Microsoft","description":"Databricks Secrets audit logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, 
etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksServerlessRealTimeInference","name":"DatabricksServerlessRealTimeInference","tableType":"Microsoft","description":"Audit logs 
from Databricks model serving v2 API service.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"dynamic","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"dynamic","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"dynamic","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksTables","name":"DatabricksTables","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"OperationVersion","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"Identity","type":"string","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string"},{"name":"LogId","type":"string"},{"name":"ServiceName","type":"string"},{"name":"UserAgent","type":"string"},{"name":"SessionId","type":"string"},{"name":"ActionName","type":"string"},{"name":"RequestId","type":"string"},{"name":"Response","type":"string"},{"name":"RequestParams","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksUnityCatalog","name":"DatabricksUnityCatalog","tableType":"Microsoft","description":"Databricks unity catalog audit logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, 
etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksVectorSearch","name":"DatabricksVectorSearch","tableType":"Microsoft","description":"Audit logs for Vector Search in 
Databricks.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksWebTerminal","name":"DatabricksWebTerminal","tableType":"Microsoft","description":"Databricks web terminal audit logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"dynamic","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"dynamic","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"dynamic","description":"Parameter key-value pairs used in the 
event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksWebhookNotifications","name":"DatabricksWebhookNotifications","tableType":"Microsoft","description":"Audit logs for webhook notifications in Databricks.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request 
parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DatabricksWorkspace","name":"DatabricksWorkspace","tableType":"Microsoft","description":"Databricks Workspace audit logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of the action (UTC).","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The action, such as login, logout, read, write, etc.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The Databricks schema version of the diagnostic log format.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The service that logged the request.","isPreferredFacet":true},{"name":"Identity","type":"string","description":"Information about the user that makes the requests.","isPreferredFacet":true},{"name":"SourceIPAddress","type":"string","description":"The IP address of the source request."},{"name":"LogId","type":"string","description":"The unique identifier for the log messages."},{"name":"ServiceName","type":"string","description":"The service of the source request."},{"name":"UserAgent","type":"string","description":"The browser or API client used to make the 
request."},{"name":"SessionId","type":"string","description":"Session ID of the action."},{"name":"ActionName","type":"string","description":"The action of the request."},{"name":"RequestId","type":"string","description":"Unique request ID."},{"name":"Response","type":"string","description":"The HTTP response to the request, including error message (if applicable), result, and statusCode."},{"name":"RequestParams","type":"string","description":"Parameter key-value pairs used in the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.databricks/workspaces"]}},{"id":"DatabricksWorkspaceFiles","name":"DatabricksWorkspaceFiles","tableType":"Microsoft","description":"Audit logs for Databricks workspace files.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Identity","type":"dynamic","description":"The identity of the user who performed the operation."},{"name":"SourceIpAddress","type":"string","description":"The IP address of the client that performed the 
operation."},{"name":"LogId","type":"string","description":"The log ID in Databricks domain."},{"name":"ServiceName","type":"string","description":"The service name."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"SessionId","type":"string","description":"The session ID."},{"name":"ActionName","type":"string","description":"The action name."},{"name":"RequestId","type":"string","description":"The request ID."},{"name":"RequestParams","type":"dynamic","description":"The request parameters."},{"name":"Response","type":"dynamic","description":"The response."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.databricks/workspaces"],"solutions":["LogManagement"]}},{"id":"DataverseActivity","name":"DataverseActivity","tableType":"Microsoft","description":"Contains Microsoft Dataverse audit logs. 
It's typically used to track Dataverse and Dynamics 365 activities.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"SourceRecordId","type":"string","description":"Unique identifier of an audit record."},{"name":"UserAgent","type":"string","description":"The user agent."},{"name":"TimeGenerated","type":"datetime","description":"The date and time in (UTC) when the user performed the activity."},{"name":"Operation","type":"string","description":"The name of the operation that the user is performing."},{"name":"OrganizationId","type":"string","description":"The GUID for your organization's Office 365 tenant. This value will always be the same for your organization."},{"name":"UserType","type":"string","description":"The type of user that performed the operation. See the UserType table in Office 365 management activity api schema documentation for details on the types of users."},{"name":"UserKey","type":"string","description":"An alternative ID for the user identified in the UserId property."},{"name":"ResultStatus","type":"string","description":"Indicates whether the action (specified in the Operation property) was successful or not."},{"name":"OriginalObjectId","type":"string","description":"The ObjectId for Dataverse operation or business activity."},{"name":"UserId","type":"string","description":"The Dataverse user ID of the user who performed the action (specified in the Operation property) that resulted in the record being logged."},{"name":"UserUpn","type":"string","description":"The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged."},{"name":"ClientIp","type":"string","description":"The IP address of the device that was used when the activity was logged."},{"name":"CorrelationId","type":"string","description":"A unique value used to associate related 
rows."},{"name":"CrmOrganizationUniqueName","type":"string","description":"Unique name of the organization."},{"name":"InstanceUrl","type":"string","description":"URL to the instance."},{"name":"ItemUrl","type":"string","description":"URL to the record emitting the log."},{"name":"ItemType","type":"string","description":"The type of object that was accessed or modified. See the ItemType table for details on the types of objects."},{"name":"Message","type":"string","description":"Name of the message called in the Dynamics 365 SDK."},{"name":"EntityId","type":"string","description":"Unique identifier of the entity."},{"name":"EntityName","type":"string","description":"Name of the entity in the organization."},{"name":"Fields","type":"dynamic","description":"JSON of Key Value pair reflecting the values that were created or updated."},{"name":"Query","type":"string","description":"The query filter parameters used while executing the FetchXML."},{"name":"QueryResults","type":"dynamic","description":"One or multiple unique records returned by the Retrieve and Retrieve Multiple SDK message call."},{"name":"ServiceContextId","type":"string","description":"The unique id associated with service context."},{"name":"ServiceContextIdType","type":"string","description":"Application defined token to define context use."},{"name":"ServiceName","type":"string","description":"Name of the Service generating the log."},{"name":"SystemUserId","type":"string","description":"Unique identifier of the user GUID in the organization."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","audit"],"solutions":["SecurityInsights"],"queries":["9fb56969-bd66-46b7-9c43-1aae797a302a"]}},{"id":"DefenderIoTRawEvent","name":"DefenderIoTRawEvent","tableType":"Microsoft","description":"Table is part of Microsoft Defender for IoT. 
It contains IoT security raw event properties of new and future events. These logs can be used to monitor your new operational, diagnostic and security raw events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"IoTRawEventId","type":"string","description":"The internal raw event ID.","isPreferredFacet":true},{"name":"RawEventType","type":"string","description":"The type of the raw event - security, operational or diagnostic.","isPreferredFacet":true},{"name":"RawEventName","type":"string","description":"The name of the raw event."},{"name":"TimeGenerated","type":"datetime","description":"The date and time the raw event was generated.","isPreferredFacet":true},{"name":"TimeStamp","type":"datetime","description":"The date and time the raw event was first detected."},{"name":"RawEventCategory","type":"string","description":"The category of the raw event - periodic or triggered.","isPreferredFacet":true},{"name":"IsEmpty","type":"bool","description":"Property identifying if the raw event contains data.","isPreferredFacet":true},{"name":"AgentVersion","type":"string","description":"The version of the agent.","isPreferredFacet":true},{"name":"AssociatedResourceId","type":"string","description":"The associated Azure resource ID.","isPreferredFacet":true},{"name":"AzureSubscriptionId","type":"string","description":"The Azure subscription ID."},{"name":"DeviceId","type":"string","description":"The device ID.","isPreferredFacet":true},{"name":"EventDetails","type":"dynamic","description":"Additional raw event details."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["AzureSecurityOfThings"]}},{"id":"DevCenterAgentHealthLogs","name":"DevCenterAgentHealthLogs","tableType":"Microsoft","description":"Agent health logs pertaining to the underlying Azure VM of the dev 
box.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the report was generated (UTC)."},{"name":"ActivityId","type":"string","description":"The activity ID of the event."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"SessionHostName","type":"string","description":"Name of underlying Virtual Machine."},{"name":"SessionHostResourceId","type":"string","description":"The ARM path of the session host."},{"name":"AgentVersion","type":"string","description":"The version of the WVD Agent running on the Virtual Machine."},{"name":"Status","type":"string","description":"The current status of the VM, whether it's healthy or not."},{"name":"LastHeartBeat","type":"datetime","description":"The time recorded when there was a change in the health status."},{"name":"UpgradeState","type":"string","description":"The last known state from a previous update."},{"name":"SessionHostHealthCheckResult","type":"dynamic","description":"The set of results on health checks."},{"name":"CloudPcId","type":"string","description":"The cloud pc id of the dev box."},{"name":"DevBoxName","type":"string","description":"The chosen display name for the dev box."},{"name":"SubnetResourceId","type":"string","description":"The subnet resource id for the network of the dev box."},{"name":"NicResourceId","type":"string","description":"The NIC resource ID for the dev box."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is 
associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.devcenter/devcenters"],"solutions":["LogManagement"],"queries":["be18b9bb-7cde-4b04-961a-b08db7f51882"]}},{"id":"DevCenterBillingEventLogs","name":"DevCenterBillingEventLogs","tableType":"Microsoft","description":"Billing events related to DevCenter resources. Logs contain information about the quantity and unit charged per meter.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The resource operation name for the log."},{"name":"BilledResourceId","type":"string","description":"The resource within the DevCenter that gets billed."},{"name":"UsageResourceUniqueId","type":"string","description":"The unique ID of the consumption resource."},{"name":"UsageResourceName","type":"string","description":"The name of the consumption resource."},{"name":"BillingRegion","type":"string","description":"The billing region of the consumption resource."},{"name":"Sku","type":"string","description":"The Sku of the consumption resource. Can be DZH319G7LNXM, DZH3144F2XK5, DZH31814TZNG, etc."},{"name":"UserId","type":"string","description":"User ID consuming the resource."},{"name":"StartTime","type":"datetime","description":"Time (UTC) when the consumption started."},{"name":"EndTime","type":"datetime","description":"Time (UTC) when the consumption ended."},{"name":"Quantity","type":"real","description":"The amount of usage in terms of the specified unit."},{"name":"UnitType","type":"string","description":"The unit in which the type of usage is measured. 
Can be Hourly or Monthly."},{"name":"UsageType","type":"string","description":"The type of resource being consumed."},{"name":"IsOverMonthlyBillingCap","type":"bool","description":"Whether the consumption is included in the monthly cap."},{"name":"MeterId","type":"string","description":"The meter ID for the consumption."},{"name":"EventId","type":"string","description":"The event ID used for deduping consumption events."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.devcenter/devcenters"],"solutions":["LogManagement"],"queries":["25f8bafd-7cf8-4eb9-a10b-b8e23442f666","000c951d-5d77-4590-ab98-813149c42682"]}},{"id":"DevCenterConnectionLogs","name":"DevCenterConnectionLogs","tableType":"Microsoft","description":"Connection events which include information around when a dev box was connected to, if the connection was successful and what client was used in connecting.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the report was generated (UTC)"},{"name":"ActivityId","type":"string","description":"The activity ID of the event."},{"name":"OperationName","type":"string","description":"The name of the operation"},{"name":"SessionHostName","type":"string","description":"Name of underlying Virtual Machine"},{"name":"SessionHostResourceId","type":"string","description":"The ARM path of the session 
host"},{"name":"State","type":"string","description":"The state of the connection attempt"},{"name":"ClientType","type":"string","description":"The type of the client that is connecting (if available)."},{"name":"ClientVersion","type":"string","description":"The version of the OS of the client."},{"name":"SessionHostPoolType","type":"string","description":"The type of session host pool - either SharedDesktop or PersonalDesktop."},{"name":"UdpType","type":"string","description":"The type of transport used by the RDP connection."},{"name":"CloudPcId","type":"string","description":"The cloud pc id of the dev box."},{"name":"DevBoxName","type":"string","description":"The chosen display name for the dev box."},{"name":"SubnetResourceId","type":"string","description":"The subnet resource id for the network of the dev box."},{"name":"NicResourceId","type":"string","description":"The NIC resource ID for the dev box."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.devcenter/devcenters"],"solutions":["LogManagement"]}},{"id":"DevCenterDiagnosticLogs","name":"DevCenterDiagnosticLogs","tableType":"Microsoft","description":"Data plane audit logs related to your dev center resources. 
Will display information concerning stop/start/deletes on dev boxes and environments.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The operation stage of the service from which the log entry was generated."},{"name":"TargetResourceId","type":"string","description":"Dataplane ID of the affected resource."},{"name":"CallerIdentity","type":"string","description":"User ID that created the request."},{"name":"OperationResult","type":"string","description":"Displays whether operation was successful or unsuccessful."},{"name":"ResponseCode","type":"string","description":"HTTP status code of the completed operation."},{"name":"CorrelationId","type":"string","description":"ID which groups operation logs for ease of debugging."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.devcenter/devcenters"],"solutions":["LogManagement"],"queries":["44a38a05-1147-4795-bd5e-fa808308375f"]}},{"id":"DevCenterResourceOperationLogs","name":"DevCenterResourceOperationLogs","tableType":"Microsoft","description":"Operation logs pertaining to DevCenter resources, including information around resource health status 
changes.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The operation stage of the service from which the log entry was generated."},{"name":"SubResourceId","type":"string","description":"The resource within the DevCenter that this log relates to."},{"name":"Message","type":"string","description":"The log message which has details about the state of the resource."},{"name":"Region","type":"string","description":"The region the resource is located in."},{"name":"CorrelationId","type":"string","description":"ID which groups operation logs for ease of debugging."},{"name":"AdditionalProperties","type":"dynamic","description":"Property bag of dimensions that are useful for this entry."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.devcenter/devcenters"],"solutions":["LogManagement"],"queries":["51e6c592-e4f1-d373-e927-aab82f9c1044"]}},{"id":"DeviceAppCrash","name":"DeviceAppCrash","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"HealthServiceId","type":"string","isPreferredFacet":true},{"name":"EventName","type":"string","isPreferredFacet":true},{"name":"ProviderId","type":"string"},{"name":"AppID","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"DeviceAppLaunch","name":"DeviceAppLaunch","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"HealthServiceId","type":"string","isPreferredFacet":true},{"name":"EventName","type":"string","isPreferredFacet":true},{"name":"ProviderId","type":"string"},{"name":"AppID","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"DeviceBehaviorEntities","name":"DeviceBehaviorEntities","tableType":"Microsoft","description":"Microsoft Defender for Endpoints (MDE) behaviors table. 
Contains information about entities (file, process, device, user, and others) that are involved in a behavior or observation, including detected threats.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was generated."},{"name":"BehaviorId","type":"string","description":"Unique identifier for the behavior."},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event. Associated with specific MITRE ATT&CK techniques."},{"name":"Categories","type":"string","description":"Types of threat indicator or breach activity identified by the alert. Defined by the MITRE ATT&CK Matrix for Enterprise."},{"name":"ServiceSource","type":"string","description":"Product or service that provided the alert information."},{"name":"DetectionSource","type":"string","description":"Detection technology or sensor that identified the notable component or activity."},{"name":"DataSources","type":"string","description":"Products or services that provided information for the behavior."},{"name":"EntityType","type":"string","description":"Type of object, such as a file, a process, a device, or a user."},{"name":"EntityRole","type":"string","description":"Indicates whether the entity is impacted or merely related."},{"name":"DetailedEntityRole","type":"string","description":"The role of the entity in the behavior"},{"name":"FileName","type":"string","description":"Name of the file involved in the alert. Empty unless EntityType is \"File\" or \"Process\"."},{"name":"FolderPath","type":"string","description":"Folder containing the file. Empty unless EntityType is \"File\" or \"Process\"."},{"name":"SHA1","type":"string","description":"SHA-1 hash of the file. Empty unless EntityType is \"File\" or \"Process\"."},{"name":"SHA256","type":"string","description":"SHA-256 of the file. 
Empty unless EntityType is \"File\" or \"Process\"."},{"name":"FileSize","type":"long","description":"Size of the file in bytes. Empty unless EntityType is \"File\" or \"Process\""},{"name":"ThreatFamily","type":"string","description":"Malware family that the suspicious or malicious file or process has been classified under."},{"name":"RemoteIP","type":"string","description":"IP address that was being connected to."},{"name":"RemoteUrl","type":"string","description":"URL or fully qualified domain name (FQDN) that was being connected to."},{"name":"AccountName","type":"string","description":"User name of the account."},{"name":"AccountDomain","type":"string","description":"Domain of the account."},{"name":"AccountSid","type":"string","description":"Security Identifier (SID) of the account."},{"name":"AccountObjectId","type":"string","description":"Unique identifier for the account in Azure AD."},{"name":"AccountUpn","type":"string","description":"User principal name (UPN) of the account."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"LocalIP","type":"string","description":"IP address assigned to the local machine used during communication."},{"name":"NetworkMessageId","type":"string","description":"Unique identifier for the email in UUID format, generated by Office 365."},{"name":"EmailSubject","type":"string","description":"Subject of the email."},{"name":"EmailClusterId","type":"string","description":"Identifier for the group of similar emails clustered based on heuristic analysis of their contents."},{"name":"Application","type":"string","description":"Application that performed the recorded action."},{"name":"ApplicationId","type":"string","description":"Unique identifier for the application."},{"name":"OAuthApplicationId","type":"string","description":"Unique identifier of the third-party OAuth 
application in UUID format."},{"name":"ProcessCommandLine","type":"string","description":"Command line used to create the new process."},{"name":"RegistryKey","type":"string","description":"Registry key that the recorded action was applied to."},{"name":"RegistryValueName","type":"string","description":"Name of the registry value that the recorded action was applied to."},{"name":"RegistryValueData","type":"string","description":"Data of the registry value that the recorded action was applied to."},{"name":"AdditionalFields","type":"string","description":"Additional information about the entity or event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"]}},{"id":"DeviceBehaviorInfo","name":"DeviceBehaviorInfo","tableType":"Microsoft","description":"Microsoft Defender for Endpoints (MDE) behaviors table. Contains information about behaviors, which in the context of Microsoft 365 Defender refers to a conclusion or insight based on one or more raw events, which can provide analysts more context in investigations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was generated."},{"name":"BehaviorId","type":"string","description":"Unique identifier for the behavior."},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event. Associated with specific MITRE ATT&CK techniques."},{"name":"Description","type":"string","description":"Description of the behavior."},{"name":"Categories","type":"string","description":"Types of threat indicator or breach activity identified by the alert. 
Defined by the MITRE ATT&CK Matrix for Enterprise."},{"name":"AttackTechniques","type":"string","description":"MITRE ATT&CK techniques associated with the activity that triggered the alert. Defined by the MITRE ATT&CK Matrix for Enterprise."},{"name":"ServiceSource","type":"string","description":"Product or service that provided the alert information."},{"name":"DetectionSource","type":"string","description":"Detection technology or sensor that identified the notable component or activity."},{"name":"DataSources","type":"string","description":"Products or services that provided information for the behavior."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"AccountUpn","type":"string","description":"User principal name (UPN) of the account."},{"name":"AccountObjectId","type":"string","description":"Unique identifier for the account in Azure AD."},{"name":"StartTime","type":"datetime","description":"Date and time of the first activity related to the behavior."},{"name":"EndTime","type":"datetime","description":"Date and time of the last activity related to the behavior."},{"name":"AdditionalFields","type":"string","description":"Additional information about the entity or event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"]}},{"id":"DeviceCalendar","name":"DeviceCalendar","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"HealthServiceId","type":"string","isPreferredFacet":true},{"name":"EventName","type":"string","isPreferredFacet":true},{"name":"ProviderId","type":"string"},{"name":"ResultCode","type":"int","isPreferredFacet":true},{"name":"SyncStatus","type":"string"},{"name":"ErrorMessage","type":"string"},{"name":"DelaySeconds","type":"int"},{"name":"SerialNumber","type":"string","isPreferredFacet":true},{"name":"DeviceType","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"DeviceCleanup","name":"DeviceCleanup","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"HealthServiceId","type":"string","isPreferredFacet":true},{"name":"EventName","type":"string","isPreferredFacet":true},{"name":"ProviderId","type":"string"},{"name":"SerialNumber","type":"string","isPreferredFacet":true},{"name":"DeviceType","type":"string","isPreferredFacet":true},{"name":"State","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The 
name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"DeviceConnectSession","name":"DeviceConnectSession","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"HealthServiceId","type":"string","isPreferredFacet":true},{"name":"EventName","type":"string","isPreferredFacet":true},{"name":"ProviderId","type":"string"},{"name":"sessionType","type":"string"},{"name":"sessionClass","type":"string"},{"name":"sessionConnected","type":"bool"},{"name":"sessionDurationMilliSeconds","type":"real"},{"name":"wasCleanShutdown","type":"bool"},{"name":"Opcode","type":"int"},{"name":"SerialNumber","type":"string","isPreferredFacet":true},{"name":"DeviceType","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"DeviceCustomFileEvents","name":"DeviceCustomFileEvents","tableType":"Microsoft","description":"Microsoft Defender for Endpoints (MDE) file events table for the Custom Collection scenario. 
This table contains file creation, modification, and other file system events for anything explicitly requested by the customer for collection.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event."},{"name":"AppGuardContainerId","type":"string","description":"Identifier for the virtualized container used by Application Guard to isolate browser activity."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"FileName","type":"string","description":"Name of the file that the recorded action was applied to."},{"name":"FileOriginIP","type":"string","description":"IP address where the file was downloaded from."},{"name":"FileOriginReferrerUrl","type":"string","description":"URL of the web page that links to the downloaded file."},{"name":"FileOriginUrl","type":"string","description":"URL where the file was downloaded from."},{"name":"FileSize","type":"long","description":"Size of the file in bytes."},{"name":"FolderPath","type":"string","description":"Folder containing the file that the recorded action was applied to."},{"name":"InitiatingProcessAccountDomain","type":"string","description":"Domain of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountName","type":"string","description":"User name of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountObjectId","type":"string","description":"Azure AD object ID of the user account that ran the process responsible for the 
event."},{"name":"InitiatingProcessAccountSid","type":"string","description":"Security Identifier (SID) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountUpn","type":"string","description":"User principal name (UPN) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessCommandLine","type":"string","description":"Command line used to run the process that initiated the event."},{"name":"InitiatingProcessFileName","type":"string","description":"Name of the process that initiated the event."},{"name":"InitiatingProcessFolderPath","type":"string","description":"Folder containing the process (image file) that initiated the event."},{"name":"InitiatingProcessId","type":"long","description":"Process ID (PID) of the process that initiated the event."},{"name":"InitiatingProcessIntegrityLevel","type":"string","description":"Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources."},{"name":"InitiatingProcessMD5","type":"string","description":"MD5 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessParentFileName","type":"string","description":"Name of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessParentId","type":"long","description":"Process ID (PID) of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessSHA1","type":"string","description":"SHA-1 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessSHA256","type":"string","description":"SHA-256 hash of the process (image file) that initiated the event. 
This field is usually not populated - use the SHA1 column when available."},{"name":"InitiatingProcessTokenElevation","type":"string","description":"Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event."},{"name":"IsAzureInfoProtectionApplied","type":"bool","description":"Indicates whether the file is encrypted by Azure Information Protection."},{"name":"MD5","type":"string","description":"MD5 hash of the file that the recorded action was applied to."},{"name":"MachineGroup","type":"string","description":"Machine group of the machine. This group is used by role-based access control to determine access to the machine."},{"name":"PreviousFileName","type":"string","description":"Original name of the file that was renamed as a result of the action."},{"name":"PreviousFolderPath","type":"string","description":"Original folder containing the file before the recorded action was applied."},{"name":"ReportId","type":"long","description":"Event identifier based on a repeating counter. 
To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns."},{"name":"RequestAccountDomain","type":"string","description":"Domain of the account used to remotely initiate the activity."},{"name":"RequestAccountName","type":"string","description":"User name of account used to remotely initiate the activity."},{"name":"RequestAccountSid","type":"string","description":"Security Identifier (SID) of the account used to remotely initiate the activity."},{"name":"RequestProtocol","type":"string","description":"Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS."},{"name":"RequestSourceIP","type":"string","description":"IPv4 or IPv6 address of the remote device that initiated the activity."},{"name":"RequestSourcePort","type":"int","description":"Source port on the remote device that initiated the activity."},{"name":"SHA1","type":"string","description":"SHA-1 hash of the file that the recorded action was applied to."},{"name":"SHA256","type":"string","description":"SHA-256 of the file that the recorded action was applied to."},{"name":"SensitivityLabel","type":"string","description":"Label applied to an email, file, or other content to classify it for information protection."},{"name":"SensitivitySubLabel","type":"string","description":"Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently."},{"name":"ShareName","type":"string","description":"Name of shared folder containing the file."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"InitiatingProcessParentCreationTime","type":"datetime","description":"Date and time when the parent of the process responsible for the event was 
started."},{"name":"InitiatingProcessCreationTime","type":"datetime","description":"Date and time when the process that initiated the event was started."},{"name":"InitiatingProcessFileSize","type":"long","description":"Size in bytes of the process (image file) that initiated the event."},{"name":"InitiatingProcessVersionInfoCompanyName","type":"string","description":"Company name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoFileDescription","type":"string","description":"Description from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoInternalFileName","type":"string","description":"Internal file name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoOriginalFileName","type":"string","description":"Original file name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductName","type":"string","description":"Product name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductVersion","type":"string","description":"Product version from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessSessionId","type":"long","description":"Windows session ID of the initiating process."},{"name":"IsInitiatingProcessRemoteSession","type":"bool","description":"Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false)."},{"name":"InitiatingProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessRemoteSessionIP","type":"string","description":"IP address of the remote device 
from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessUniqueId","type":"string","description":"Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices."},{"name":"RuleName","type":"string","description":"Name of the rule that collected the event"},{"name":"RuleLastModificationTime","type":"datetime","description":"Date and time when the rule that collected the event was last modified."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"]}},{"id":"DeviceCustomImageLoadEvents","name":"DeviceCustomImageLoadEvents","tableType":"Microsoft","description":"Microsoft Defender for Endpoints (MDE) image load events table for the Custom Collection scenario. This table contains DLL loading events on the endpoint for anything explicitly requested by the customer for collection.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event."},{"name":"AppGuardContainerId","type":"string","description":"Identifier for the virtualized container used by Application Guard to isolate browser activity."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"FileName","type":"string","description":"Name of the file that the recorded action was applied to."},{"name":"FolderPath","type":"string","description":"Folder containing the file that the recorded action was applied to."},{"name":"InitiatingProcessAccountDomain","type":"string","description":"Domain of the account that ran the process responsible for the 
event."},{"name":"InitiatingProcessAccountName","type":"string","description":"User name of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountObjectId","type":"string","description":"Azure AD object ID of the user account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountSid","type":"string","description":"Security Identifier (SID) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountUpn","type":"string","description":"User principal name (UPN) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessCommandLine","type":"string","description":"Command line used to run the process that initiated the event."},{"name":"InitiatingProcessFileName","type":"string","description":"Name of the process that initiated the event."},{"name":"InitiatingProcessFolderPath","type":"string","description":"Folder containing the process (image file) that initiated the event."},{"name":"InitiatingProcessId","type":"long","description":"Process ID (PID) of the process that initiated the event."},{"name":"InitiatingProcessIntegrityLevel","type":"string","description":"Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. 
These integrity levels influence permissions to resources."},{"name":"InitiatingProcessMD5","type":"string","description":"MD5 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessParentFileName","type":"string","description":"Name of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessParentId","type":"long","description":"Process ID (PID) of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessSHA1","type":"string","description":"SHA-1 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessSHA256","type":"string","description":"SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available."},{"name":"InitiatingProcessTokenElevation","type":"string","description":"Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event."},{"name":"MD5","type":"string","description":"MD5 hash of the file that the recorded action was applied to."},{"name":"MachineGroup","type":"string","description":"Machine group of the machine. This group is used by role-based access control to determine access to the machine."},{"name":"ReportId","type":"long","description":"Event identifier based on a repeating counter. 
To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns."},{"name":"SHA1","type":"string","description":"SHA-1 hash of the file that the recorded action was applied to."},{"name":"SHA256","type":"string","description":"SHA-256 of the file that the recorded action was applied to."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"InitiatingProcessParentCreationTime","type":"datetime","description":"Date and time when the parent of the process responsible for the event was started."},{"name":"InitiatingProcessCreationTime","type":"datetime","description":"Date and time when the process that initiated the event was started."},{"name":"InitiatingProcessFileSize","type":"long","description":"Size in bytes of the process (image file) that initiated the event."},{"name":"InitiatingProcessVersionInfoCompanyName","type":"string","description":"Company name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoFileDescription","type":"string","description":"Description from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoInternalFileName","type":"string","description":"Internal file name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoOriginalFileName","type":"string","description":"Original file name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductName","type":"string","description":"Product name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductVersion","type":"string","description":"Product version from the version information of the process (image file) 
responsible for the event."},{"name":"FileSize","type":"long","description":"Size of the file in bytes."},{"name":"InitiatingProcessSessionId","type":"long","description":"Windows session ID of the initiating process."},{"name":"IsInitiatingProcessRemoteSession","type":"bool","description":"Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false)."},{"name":"InitiatingProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessRemoteSessionIP","type":"string","description":"IP address of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessUniqueId","type":"string","description":"Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices."},{"name":"RuleName","type":"string","description":"Name of the rule that collected the event"},{"name":"RuleLastModificationTime","type":"datetime","description":"Date and time when the rule that collected the event was last modified."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"]}},{"id":"DeviceCustomNetworkEvents","name":"DeviceCustomNetworkEvents","tableType":"Microsoft","description":"Microsoft Defender for Endpoints (MDE) device network events table for the Custom Collection scenario. 
This table contains information about network connections and related events initiated by processes running on the endpoint for anything explicitly requested by the customer for collection.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event."},{"name":"AppGuardContainerId","type":"string","description":"Identifier for the virtualized container used by Application Guard to isolate browser activity."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"InitiatingProcessAccountDomain","type":"string","description":"Domain of the account that ran the initiating process."},{"name":"InitiatingProcessAccountName","type":"string","description":"User name of the account that ran the initiating process."},{"name":"InitiatingProcessAccountObjectId","type":"string","description":"Azure AD object ID of the user account that ran the initiating process."},{"name":"InitiatingProcessAccountSid","type":"string","description":"Security Identifier (SID) of the account that ran the initiating process."},{"name":"InitiatingProcessAccountUpn","type":"string","description":"User principal name (UPN) of the account that ran the initiating process."},{"name":"InitiatingProcessCommandLine","type":"string","description":"Command line used to run the initiating process."},{"name":"InitiatingProcessFileName","type":"string","description":"Name of the initiating process."},{"name":"InitiatingProcessFolderPath","type":"string","description":"Folder containing the initiating process (image 
file)."},{"name":"InitiatingProcessId","type":"long","description":"Process ID (PID) of the initiating process."},{"name":"InitiatingProcessIntegrityLevel","type":"string","description":"Integrity level of the initiating process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources."},{"name":"InitiatingProcessMD5","type":"string","description":"MD5 hash of the initiating process (image file)."},{"name":"InitiatingProcessParentFileName","type":"string","description":"Name of the parent process that spawned the initiating process."},{"name":"InitiatingProcessParentId","type":"long","description":"Process ID (PID) of the parent process that spawned the initiating process."},{"name":"InitiatingProcessSHA1","type":"string","description":"SHA-1 hash of the initiating process (image file)."},{"name":"InitiatingProcessSHA256","type":"string","description":"SHA-256 hash of the initiating process (image file). 
In some cases this column may not be populated - please use the InitiatingProcessSHA1 column instead."},{"name":"InitiatingProcessTokenElevation","type":"string","description":"Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the initiating process."},{"name":"InitiatingProcessFileSize","type":"long","description":"Size of the file (bytes) that ran the process responsible for the event."},{"name":"InitiatingProcessVersionInfoCompanyName","type":"string","description":"The company name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductName","type":"string","description":"The product name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductVersion","type":"string","description":"The product version in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoInternalFileName","type":"string","description":"The internal file name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoOriginalFileName","type":"string","description":"The original file name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoFileDescription","type":"string","description":"The description in version information (image file) responsible for the event."},{"name":"LocalIP","type":"string","description":"IP address assigned to the local machine used during communication."},{"name":"LocalIPType","type":"string","description":"Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast."},{"name":"LocalPort","type":"int","description":"TCP port on the local machine used during communication."},{"name":"MachineGroup","type":"string","description":"Machine group of the machine. 
This group is used by role-based access control to determine access to the machine."},{"name":"Protocol","type":"string","description":"IP protocol used, whether TCP or UDP."},{"name":"RemoteIP","type":"string","description":"IP address that was being connected to."},{"name":"RemoteIPType","type":"string","description":"Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast."},{"name":"RemotePort","type":"int","description":"TCP port on the remote device that was being connected to."},{"name":"RemoteUrl","type":"string","description":"URL or fully qualified domain name (FQDN) that was being connected to."},{"name":"ReportId","type":"long","description":"Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"InitiatingProcessParentCreationTime","type":"datetime","description":"Date and time when the parent of the process responsible for the event was started."},{"name":"InitiatingProcessCreationTime","type":"datetime","description":"Date and time when the process that initiated the event was started."},{"name":"InitiatingProcessSessionId","type":"long","description":"Windows session ID of the initiating process."},{"name":"IsInitiatingProcessRemoteSession","type":"bool","description":"Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false)."},{"name":"InitiatingProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessRemoteSessionIP","type":"string","description":"IP address of the remote device from which the initiating process’s RDP session was 
initiated."},{"name":"InitiatingProcessUniqueId","type":"string","description":"Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices."},{"name":"RuleName","type":"string","description":"Name of the rule that collected the event"},{"name":"RuleLastModificationTime","type":"datetime","description":"Date and time when the rule that collected the event was last modified."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"]}},{"id":"DeviceCustomProcessEvents","name":"DeviceCustomProcessEvents","tableType":"Microsoft","description":"Microsoft Defender for Endpoints (MDE) process events table for the Custom Collection scenario. This table contains information about process creation and related events on the endpoint for anything explicitly requested by the customer for collection.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"AccountDomain","type":"string","description":"Domain of the account."},{"name":"AccountName","type":"string","description":"User name of the account."},{"name":"AccountObjectId","type":"string","description":"Unique identifier for the account in Azure AD."},{"name":"AccountSid","type":"string","description":"Security Identifier (SID) of the account."},{"name":"AccountUpn","type":"string","description":"User principal name (UPN) of the account."},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event."},{"name":"AppGuardContainerId","type":"string","description":"Identifier for the virtualized container used by Application Guard to isolate browser 
activity."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"FileName","type":"string","description":"Name of the file that the recorded action was applied to."},{"name":"FolderPath","type":"string","description":"Folder containing the file that the recorded action was applied to."},{"name":"FileSize","type":"long","description":"Size of the file in bytes."},{"name":"InitiatingProcessAccountDomain","type":"string","description":"Domain of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountName","type":"string","description":"User name of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountObjectId","type":"string","description":"Azure AD object ID of the user account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountSid","type":"string","description":"Security Identifier (SID) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountUpn","type":"string","description":"User principal name (UPN) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessCommandLine","type":"string","description":"Command line used to run the process that initiated the event."},{"name":"InitiatingProcessFileName","type":"string","description":"Name of the process that initiated the event."},{"name":"InitiatingProcessFolderPath","type":"string","description":"Folder containing the process (image file) that initiated the event."},{"name":"InitiatingProcessId","type":"long","description":"Process ID (PID) of the process that initiated the event."},{"name":"InitiatingProcessIntegrityLevel","type":"string","description":"Integrity level of the process that initiated the event. 
Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources."},{"name":"InitiatingProcessLogonId","type":"long","description":"Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts."},{"name":"InitiatingProcessMD5","type":"string","description":"MD5 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessParentFileName","type":"string","description":"Name of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessParentId","type":"long","description":"Process ID (PID) of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessSHA1","type":"string","description":"SHA-1 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessSHA256","type":"string","description":"SHA-256 hash of the process (image file) that initiated the event. 
In some cases this column may not be populated - please use the InitiatingProcessSHA1 column instead."},{"name":"InitiatingProcessTokenElevation","type":"string","description":"Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event."},{"name":"InitiatingProcessFileSize","type":"long","description":"The size of the file (bytes) that ran the process responsible for the event."},{"name":"InitiatingProcessVersionInfoCompanyName","type":"string","description":"The company name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductName","type":"string","description":"The product name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductVersion","type":"string","description":"The product version in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoInternalFileName","type":"string","description":"The internal file name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoOriginalFileName","type":"string","description":"The original file name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoFileDescription","type":"string","description":"The description in version information (image file) responsible for the event."},{"name":"LogonId","type":"long","description":"Identifier for a logon session. This identifier is unique on the same machine only between restarts."},{"name":"MD5","type":"string","description":"MD5 hash of the file that the recorded action was applied to."},{"name":"MachineGroup","type":"string","description":"Machine group of the machine. 
This group is used by role-based access control to determine access to the machine."},{"name":"ProcessCommandLine","type":"string","description":"Command line used to create the new process."},{"name":"ProcessCreationTime","type":"datetime","description":"Date and time the process was created."},{"name":"ProcessId","type":"long","description":"Process ID (PID) of the newly created process."},{"name":"ProcessIntegrityLevel","type":"string","description":"Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources."},{"name":"ProcessTokenElevation","type":"string","description":"Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process."},{"name":"ProcessVersionInfoCompanyName","type":"string","description":"Company name from the version information of the newly created process."},{"name":"ProcessVersionInfoProductName","type":"string","description":"Product name from the version information of the newly created process."},{"name":"ProcessVersionInfoProductVersion","type":"string","description":"Product version from the version information of the newly created process."},{"name":"ProcessVersionInfoInternalFileName","type":"string","description":"Internal file name from the version information of the newly created process."},{"name":"ProcessVersionInfoOriginalFileName","type":"string","description":"Original file name from the version information of the newly created process."},{"name":"ProcessVersionInfoFileDescription","type":"string","description":"Description from the version information of the newly created process."},{"name":"InitiatingProcessSignerType","type":"string","description":"Type of file signer of the process (image file) that initiated the 
event."},{"name":"InitiatingProcessSignatureStatus","type":"string","description":"Information about the signature status of the process (image file) that initiated the event."},{"name":"ReportId","type":"long","description":"Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns."},{"name":"SHA1","type":"string","description":"SHA-1 hash of the file that the recorded action was applied to."},{"name":"SHA256","type":"string","description":"SHA-256 hash of the file that the recorded action was applied to."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"InitiatingProcessParentCreationTime","type":"datetime","description":"Date and time when the parent of the process responsible for the event was started."},{"name":"InitiatingProcessCreationTime","type":"datetime","description":"Date and time when the process that initiated the event was started."},{"name":"CreatedProcessSessionId","type":"long","description":"Windows session ID of the created process."},{"name":"IsProcessRemoteSession","type":"bool","description":"Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false)."},{"name":"ProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the created process’s RDP session was initiated."},{"name":"ProcessRemoteSessionIP","type":"string","description":"IP address of the remote device from which the created process’s RDP session was initiated."},{"name":"InitiatingProcessSessionId","type":"long","description":"Windows session ID of the initiating process."},{"name":"IsInitiatingProcessRemoteSession","type":"bool","description":"Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally 
(false)."},{"name":"InitiatingProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessRemoteSessionIP","type":"string","description":"IP address of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessUniqueId","type":"string","description":"Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices."},{"name":"ProcessUniqueId","type":"string","description":"Unique identifier of the process; this is equal to the Process Start Key in Windows devices."},{"name":"RuleName","type":"string","description":"Name of the rule that collected the event"},{"name":"RuleLastModificationTime","type":"datetime","description":"Date and time when the rule that collected the event was last modified."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"]}},{"id":"DeviceCustomRegistryEvents","name":"DeviceCustomRegistryEvents","tableType":"Microsoft","description":"Microsoft Defender for Endpoints (MDE) device registry events for the Custom Collection scenario. 
This table contains creation and modification of registry entries on the endpoint, and information about the processes initiating such events for anything explicitly requested by the customer for collection.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event."},{"name":"AppGuardContainerId","type":"string","description":"Identifier for the virtualized container used by Application Guard to isolate browser activity."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"InitiatingProcessAccountDomain","type":"string","description":"Domain of the account that ran the initiating process."},{"name":"InitiatingProcessAccountName","type":"string","description":"User name of the account that ran the initiating process."},{"name":"InitiatingProcessAccountObjectId","type":"string","description":"Azure AD object ID of the user account that ran the initiating process."},{"name":"InitiatingProcessAccountSid","type":"string","description":"Security Identifier (SID) of the account that ran the initiating process."},{"name":"InitiatingProcessAccountUpn","type":"string","description":"User principal name (UPN) of the account that ran the initiating process."},{"name":"InitiatingProcessCommandLine","type":"string","description":"Command line used to run the initiating process."},{"name":"InitiatingProcessFileName","type":"string","description":"Name of the initiating process."},{"name":"InitiatingProcessFolderPath","type":"string","description":"Folder containing the initiating process (image file)."},{"name":"InitiatingProcessId","type":"long","description":"Process ID (PID) of the initiating 
process."},{"name":"InitiatingProcessIntegrityLevel","type":"string","description":"Integrity level of the initiating process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources."},{"name":"InitiatingProcessMD5","type":"string","description":"MD5 hash of the initiating process (image file)."},{"name":"InitiatingProcessParentFileName","type":"string","description":"Name of the parent process that spawned the initiating process."},{"name":"InitiatingProcessParentId","type":"long","description":"Process ID (PID) of the parent process that spawned the initiating process."},{"name":"InitiatingProcessSHA1","type":"string","description":"SHA-1 hash of the initiating process (image file)."},{"name":"InitiatingProcessSHA256","type":"string","description":"SHA-256 hash of the initiating process (image file). In some cases this column may not be populated - please use the InitiatingProcessSHA1 column instead."},{"name":"InitiatingProcessTokenElevation","type":"string","description":"Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the initiating process."},{"name":"InitiatingProcessFileSize","type":"long","description":"The size of the file (bytes) that ran the process responsible for the event."},{"name":"InitiatingProcessVersionInfoCompanyName","type":"string","description":"The company name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductName","type":"string","description":"The product name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductVersion","type":"string","description":"The product version in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoInternalFileName","type":"string","description":"The 
internal file name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoOriginalFileName","type":"string","description":"The original file name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoFileDescription","type":"string","description":"The description in version information (image file) responsible for the event."},{"name":"MachineGroup","type":"string","description":"Machine group of the machine. This group is used by role-based access control to determine access to the machine."},{"name":"PreviousRegistryKey","type":"string","description":"Original registry key before it was modified."},{"name":"PreviousRegistryValueData","type":"string","description":"Original data of the registry value before it was modified."},{"name":"PreviousRegistryValueName","type":"string","description":"Original name of the registry value before it was modified."},{"name":"RegistryKey","type":"string","description":"Registry key that the recorded action was applied to."},{"name":"RegistryValueData","type":"string","description":"Data of the registry value that the recorded action was applied to."},{"name":"RegistryValueName","type":"string","description":"Name of the registry value that the recorded action was applied to."},{"name":"RegistryValueType","type":"string","description":"Data type, such as binary or string, of the registry value that the recorded action was applied to."},{"name":"ReportId","type":"long","description":"Event identifier based on a repeating counter. 
To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"InitiatingProcessParentCreationTime","type":"datetime","description":"Date and time when the parent of the process responsible for the event was started."},{"name":"InitiatingProcessCreationTime","type":"datetime","description":"Date and time when the process that initiated the event was started."},{"name":"InitiatingProcessSessionId","type":"long","description":"Windows session ID of the initiating process."},{"name":"IsInitiatingProcessRemoteSession","type":"bool","description":"Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false)."},{"name":"InitiatingProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessRemoteSessionIP","type":"string","description":"IP address of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessUniqueId","type":"string","description":"Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices."},{"name":"RuleName","type":"string","description":"Name of the rule that collected the event"},{"name":"RuleLastModificationTime","type":"datetime","description":"Date and time when the rule that collected the event was last modified."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"]}},{"id":"DeviceCustomScriptEvents","name":"DeviceCustomScriptEvents","tableType":"Microsoft","description":"Microsoft 
Defender for Endpoints (MDE) script execution events table for the Custom Collection scenario. This table contains information about script execution and related process details for anything explicitly requested by the customer for collection.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"ReportId","type":"long","description":"Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns."},{"name":"Timestamp","type":"datetime","description":"Date and time when the record was generated."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"InitiatingProcessId","type":"long","description":"Process ID (PID) of the process that initiated the event."},{"name":"InitiatingProcessCreationTime","type":"datetime","description":"Date and time when the process that initiated the event was started."},{"name":"InitiatingProcessCommandLine","type":"string","description":"Command line used to run the process that initiated the event."},{"name":"InitiatingProcessParentFileName","type":"string","description":"Name of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessParentId","type":"long","description":"Process ID (PID) of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessParentCreationTime","type":"datetime","description":"Date and time when the parent of the process responsible for the event was 
started."},{"name":"InitiatingProcessSHA1","type":"string","description":"SHA-1 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessSHA256","type":"string","description":"SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available."},{"name":"InitiatingProcessMD5","type":"string","description":"MD5 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessFileName","type":"string","description":"Name of the process that initiated the event."},{"name":"InitiatingProcessFolderPath","type":"string","description":"Folder containing the process (image file) that initiated the event."},{"name":"InitiatingProcessAccountName","type":"string","description":"User name of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountDomain","type":"string","description":"Domain of the account that ran the process responsible for the event."},{"name":"InitiatingProcessSignatureStatus","type":"string","description":"Information about the signature status of the process (image file) that initiated the event."},{"name":"InitiatingProcessSignerType","type":"string","description":"Type of file signer of the process (image file) that initiated the event."},{"name":"InitiatingProcessAccountSid","type":"string","description":"Security Identifier (SID) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountUpn","type":"string","description":"User principal name (UPN) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountObjectId","type":"string","description":"Azure AD object ID of the user account that ran the process responsible for the event."},{"name":"InitiatingProcessFileSize","type":"long","description":"Size of the process (image file) that initiated the 
event."},{"name":"InitiatingProcessVersionInfoCompanyName","type":"string","description":"Company name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductName","type":"string","description":"Product name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductVersion","type":"string","description":"Product version from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoInternalFileName","type":"string","description":"Internal file name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoOriginalFileName","type":"string","description":"Original file name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoFileDescription","type":"string","description":"Description from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessSessionId","type":"long","description":"Windows session ID of the initiating process."},{"name":"IsInitiatingProcessRemoteSession","type":"bool","description":"Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false)."},{"name":"InitiatingProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the initiating process's RDP session was initiated."},{"name":"InitiatingProcessRemoteSessionIP","type":"string","description":"IP address of the remote device from which the initiating process's RDP session was initiated."},{"name":"InitiatingProcessUniqueId","type":"string","description":"Unique identifier of the initiating process; this is equal to the Process Start Key in Windows 
devices."},{"name":"ScriptContent","type":"string","description":"Content of the executed script."},{"name":"ScriptContentSHA256","type":"string","description":"SHA256 over the script content."},{"name":"RuleName","type":"string","description":"Name of the rule that collected the event"},{"name":"RuleLastModificationTime","type":"datetime","description":"Date and time when the rule that collected the event was last modified."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"]}},{"id":"DeviceEtw","name":"DeviceEtw","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"status","type":"int"},{"name":"appName","type":"string"},{"name":"type","type":"int"},{"name":"period","type":"int"},{"name":"wakeEnabled","type":"bool"},{"name":"EventName","type":"string","isPreferredFacet":true},{"name":"ThreadId","type":"int"},{"name":"ProcessId","type":"string"},{"name":"ActivityId","type":"string"},{"name":"ProviderId","type":"string"},{"name":"tags","type":"string","isPreferredFacet":true},{"name":"SerialNumber","type":"string","isPreferredFacet":true},{"name":"DeviceType","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"DeviceEvents","name":"DeviceEvents","tableType":"Microsoft","description":"This table is part of Microsoft Defender for Endpoints with Azure Sentinel. 
This table contains multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"AccountDomain","type":"string","description":"Domain of the account."},{"name":"AccountName","type":"string","description":"User name of the account."},{"name":"AccountSid","type":"string","description":"Security identifier (SID) of the account."},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event."},{"name":"AppGuardContainerId","type":"string","description":"Identifier for the virtualized container used by Application Guard to isolate browser activity."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"FileName","type":"string","description":"Name of the file that the recorded action was applied to."},{"name":"FileOriginIP","type":"string","description":"IP address where the file was downloaded from."},{"name":"FileOriginUrl","type":"string","description":"URL where the file was downloaded from."},{"name":"FolderPath","type":"string","description":"Folder containing the file that the recorded action was applied to."},{"name":"InitiatingProcessAccountDomain","type":"string","description":"Domain of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountName","type":"string","description":"User name of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountObjectId","type":"string","description":"Azure AD object ID of the user account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountSid","type":"string","description":"Security 
Identifier (SID) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountUpn","type":"string","description":"User principal name (UPN) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessCommandLine","type":"string","description":"Command line used to run the process that initiated the event."},{"name":"InitiatingProcessFileName","type":"string","description":"Name of the process that initiated the event."},{"name":"InitiatingProcessFolderPath","type":"string","description":"Folder containing the process (image file) that initiated the event."},{"name":"InitiatingProcessId","type":"long","description":"Process ID (PID) of the process that initiated the event."},{"name":"InitiatingProcessLogonId","type":"long","description":"Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts."},{"name":"InitiatingProcessMD5","type":"string","description":"MD5 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessParentFileName","type":"string","description":"Name of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessParentId","type":"long","description":"Process ID (PID) of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessSHA1","type":"string","description":"SHA-1 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessSHA256","type":"string","description":"SHA-256 hash of the process (image file) that initiated the event. 
This field is usually not populated - use the SHA1 column when available."},{"name":"LocalIP","type":"string","description":"IP address assigned to the local machine used during communication."},{"name":"LocalPort","type":"int","description":"TCP port on the local machine used during communication."},{"name":"LogonId","type":"long","description":"Identifier for a logon session. This identifier is unique on the same machine only between restarts."},{"name":"MD5","type":"string","description":"MD5 hash of the file that the recorded action was applied to."},{"name":"MachineGroup","type":"string","description":"Machine group of the machine. This group is used by role-based access control to determine access to the machine."},{"name":"ProcessCommandLine","type":"string","description":"Command line used to create the new process."},{"name":"ProcessId","type":"long","description":"Process ID (PID) of the newly created process."},{"name":"ProcessTokenElevation","type":"string","description":"Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process."},{"name":"RegistryKey","type":"string","description":"Registry key that the recorded action was applied to."},{"name":"RegistryValueData","type":"string","description":"Data of the registry value that the recorded action was applied to."},{"name":"RegistryValueName","type":"string","description":"Name of the registry value that the recorded action was applied to."},{"name":"RemoteDeviceName","type":"string","description":"Name of the device that performed a remote operation on the affected machine. 
Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information."},{"name":"RemoteIP","type":"string","description":"IP address that was being connected to."},{"name":"RemotePort","type":"int","description":"TCP port on the remote device that was being connected to."},{"name":"RemoteUrl","type":"string","description":"URL or fully qualified domain name (FQDN) that was being connected to."},{"name":"ReportId","type":"long","description":"Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns."},{"name":"SHA1","type":"string","description":"SHA-1 hash of the file that the recorded action was applied to."},{"name":"SHA256","type":"string","description":"SHA-256 hash of the file that the recorded action was applied to."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"FileSize","type":"long","description":"Size of the file in bytes."},{"name":"InitiatingProcessCreationTime","type":"datetime","description":"Date and time when the process that initiated the event was started."},{"name":"InitiatingProcessFileSize","type":"long","description":"Size in bytes of the file that ran the process responsible for the event."},{"name":"InitiatingProcessParentCreationTime","type":"datetime","description":"Date and time when the parent of the process responsible for the event was started."},{"name":"InitiatingProcessVersionInfoCompanyName","type":"string","description":"Company name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoFileDescription","type":"string","description":"Description from the version information of the process (image file) responsible for the 
event."},{"name":"InitiatingProcessVersionInfoInternalFileName","type":"string","description":"Internal file name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoOriginalFileName","type":"string","description":"Original file name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductName","type":"string","description":"Product name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductVersion","type":"string","description":"Product version from the version information of the process (image file) responsible for the event."},{"name":"ProcessCreationTime","type":"datetime","description":"Date and time the process was created."},{"name":"CreatedProcessSessionId","type":"long","description":"Windows session ID of the created process."},{"name":"IsProcessRemoteSession","type":"bool","description":"Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false)."},{"name":"ProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the created process’s RDP session was initiated."},{"name":"ProcessRemoteSessionIP","type":"string","description":"IP address of the remote device from which the created process’s RDP session was initiated."},{"name":"InitiatingProcessSessionId","type":"long","description":"Windows session ID of the initiating process."},{"name":"IsInitiatingProcessRemoteSession","type":"bool","description":"Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false)."},{"name":"InitiatingProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the initiating process’s RDP session was 
initiated."},{"name":"InitiatingProcessRemoteSessionIP","type":"string","description":"IP address of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessUniqueId","type":"string","description":"Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"DeviceFileCertificateInfo","name":"DeviceFileCertificateInfo","tableType":"Microsoft","description":"Certificate information of signed files obtained from certificate verification events on endpoints.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"CertificateSerialNumber","type":"string","description":"Identifier for the certificate that is unique to the issuing certificate authority (CA)."},{"name":"CrlDistributionPointUrls","type":"string","description":"A list of network share URLs that contain certificates and certificate revocation lists (CRLs)."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"IsRootSignerMicrosoft","type":"bool","description":"Indicates whether the signer of the root certificate is Microsoft."},{"name":"IsSigned","type":"bool","description":"Indicates whether the file is signed."},{"name":"IsTrusted","type":"bool","description":"Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable 
attributes."},{"name":"Issuer","type":"string","description":"Information about the issuing certificate authority (CA)."},{"name":"IssuerHash","type":"string","description":"Unique hash value identifying issuing certificate authority (CA)."},{"name":"MachineGroup","type":"string","description":"Machine group of the machine. This group is used by role-based access control to determine access to the machine."},{"name":"ReportId","type":"long","description":"Unique identifier for the event."},{"name":"SHA1","type":"string","description":"SHA-1 hash of the file that the recorded action was applied to."},{"name":"SignatureType","type":"string","description":"Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file."},{"name":"Signer","type":"string","description":"Information about the signer of the file."},{"name":"SignerHash","type":"string","description":"Unique hash value identifying the signer."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"CertificateCountersignatureTime","type":"datetime","description":"Date and time (UTC) the certificate was countersigned."},{"name":"CertificateCreationTime","type":"datetime","description":"Date and time (UTC) the certificate was created."},{"name":"CertificateExpirationTime","type":"datetime","description":"Certificate expiry date and time (UTC)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"DeviceFileEvents","name":"DeviceFileEvents","tableType":"Microsoft","description":"This table is part of Microsoft Defender for Endpoints with Azure Sentinel. 
This table contains file creation, modification, and other file system events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event."},{"name":"AppGuardContainerId","type":"string","description":"Identifier for the virtualized container used by Application Guard to isolate browser activity."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"FileName","type":"string","description":"Name of the file that the recorded action was applied to."},{"name":"FileOriginIP","type":"string","description":"IP address where the file was downloaded from."},{"name":"FileOriginReferrerUrl","type":"string","description":"URL of the web page that links to the downloaded file."},{"name":"FileOriginUrl","type":"string","description":"URL where the file was downloaded from."},{"name":"FileSize","type":"long","description":"Size of the file in bytes."},{"name":"FolderPath","type":"string","description":"Folder containing the file that the recorded action was applied to."},{"name":"InitiatingProcessAccountDomain","type":"string","description":"Domain of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountName","type":"string","description":"User name of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountObjectId","type":"string","description":"Azure AD object ID of the user account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountSid","type":"string","description":"Security Identifier (SID) of the account that ran the process 
responsible for the event."},{"name":"InitiatingProcessAccountUpn","type":"string","description":"User principal name (UPN) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessCommandLine","type":"string","description":"Command line used to run the process that initiated the event."},{"name":"InitiatingProcessFileName","type":"string","description":"Name of the process that initiated the event."},{"name":"InitiatingProcessFolderPath","type":"string","description":"Folder containing the process (image file) that initiated the event."},{"name":"InitiatingProcessId","type":"long","description":"Process ID (PID) of the process that initiated the event."},{"name":"InitiatingProcessIntegrityLevel","type":"string","description":"Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources."},{"name":"InitiatingProcessMD5","type":"string","description":"MD5 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessParentFileName","type":"string","description":"Name of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessParentId","type":"long","description":"Process ID (PID) of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessSHA1","type":"string","description":"SHA-1 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessSHA256","type":"string","description":"SHA-256 hash of the process (image file) that initiated the event. 
This field is usually not populated - use the SHA1 column when available."},{"name":"InitiatingProcessTokenElevation","type":"string","description":"Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event."},{"name":"IsAzureInfoProtectionApplied","type":"bool","description":"Indicates whether the file is encrypted by Azure Information Protection."},{"name":"MD5","type":"string","description":"MD5 hash of the file that the recorded action was applied to."},{"name":"MachineGroup","type":"string","description":"Machine group of the machine. This group is used by role-based access control to determine access to the machine."},{"name":"PreviousFileName","type":"string","description":"Original name of the file that was renamed as a result of the action."},{"name":"PreviousFolderPath","type":"string","description":"Original folder containing the file before the recorded action was applied."},{"name":"ReportId","type":"long","description":"Event identifier based on a repeating counter. 
To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns."},{"name":"RequestAccountDomain","type":"string","description":"Domain of the account used to remotely initiate the activity."},{"name":"RequestAccountName","type":"string","description":"User name of account used to remotely initiate the activity."},{"name":"RequestAccountSid","type":"string","description":"Security Identifier (SID) of the account used to remotely initiate the activity."},{"name":"RequestProtocol","type":"string","description":"Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS."},{"name":"RequestSourceIP","type":"string","description":"IPv4 or IPv6 address of the remote device that initiated the activity."},{"name":"RequestSourcePort","type":"int","description":"Source port on the remote device that initiated the activity."},{"name":"SHA1","type":"string","description":"SHA-1 hash of the file that the recorded action was applied to."},{"name":"SHA256","type":"string","description":"SHA-256 of the file that the recorded action was applied to."},{"name":"SensitivityLabel","type":"string","description":"Label applied to an email, file, or other content to classify it for information protection."},{"name":"SensitivitySubLabel","type":"string","description":"Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently."},{"name":"ShareName","type":"string","description":"Name of shared folder containing the file."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"InitiatingProcessParentCreationTime","type":"datetime","description":"Date and time when the parent of the process responsible for the event was 
started."},{"name":"InitiatingProcessCreationTime","type":"datetime","description":"Date and time when the process that initiated the event was started."},{"name":"InitiatingProcessFileSize","type":"long","description":"Size in bytes of the process (image file) that initiated the event."},{"name":"InitiatingProcessVersionInfoCompanyName","type":"string","description":"Company name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoFileDescription","type":"string","description":"Description from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoInternalFileName","type":"string","description":"Internal file name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoOriginalFileName","type":"string","description":"Original file name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductName","type":"string","description":"Product name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductVersion","type":"string","description":"Product version from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessSessionId","type":"long","description":"Windows session ID of the initiating process."},{"name":"IsInitiatingProcessRemoteSession","type":"bool","description":"Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false)."},{"name":"InitiatingProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessRemoteSessionIP","type":"string","description":"IP address of the remote device 
from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessUniqueId","type":"string","description":"Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"DeviceHardwareHealth","name":"DeviceHardwareHealth","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"HealthServiceId","type":"string","isPreferredFacet":true},{"name":"EventName","type":"string","isPreferredFacet":true},{"name":"ProviderId","type":"string"},{"name":"SerialNumber","type":"string","isPreferredFacet":true},{"name":"DeviceType","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"DeviceHealth","name":"DeviceHealth","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"HealthServiceId","type":"string","isPreferredFacet":true},{"name":"EventName","type":"string","isPreferredFacet":true},{"name":"ProviderId","type":"string"},{"name":"State","type":"string"},{"name":"SerialNumber","type":"string","isPreferredFacet":true},{"name":"DeviceType","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"DeviceHeartbeat","name":"DeviceHeartbeat","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"HealthServiceId","type":"string","isPreferredFacet":true},{"name":"EventName","type":"string","isPreferredFacet":true},{"name":"ProviderId","type":"string"},{"name":"SerialNumber","type":"string","isPreferredFacet":true},{"name":"DeviceType","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"DeviceImageLoadEvents","name":"DeviceImageLoadEvents","tableType":"Microsoft","description":"This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains DLL loading events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event."},{"name":"AppGuardContainerId","type":"string","description":"Identifier for the virtualized container used by Application Guard to isolate browser activity."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"FileName","type":"string","description":"Name of the file that the recorded action was applied to."},{"name":"FolderPath","type":"string","description":"Folder containing the file that the recorded action was applied to."},{"name":"InitiatingProcessAccountDomain","type":"string","description":"Domain of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountName","type":"string","description":"User name of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountObjectId","type":"string","description":"Azure AD object ID of the user account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountSid","type":"string","description":"Security Identifier (SID) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountUpn","type":"string","description":"User principal name (UPN) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessCommandLine","type":"string","description":"Command line used to run the process that 
initiated the event."},{"name":"InitiatingProcessFileName","type":"string","description":"Name of the process that initiated the event."},{"name":"InitiatingProcessFolderPath","type":"string","description":"Folder containing the process (image file) that initiated the event."},{"name":"InitiatingProcessId","type":"long","description":"Process ID (PID) of the process that initiated the event."},{"name":"InitiatingProcessIntegrityLevel","type":"string","description":"Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources."},{"name":"InitiatingProcessMD5","type":"string","description":"MD5 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessParentFileName","type":"string","description":"Name of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessParentId","type":"long","description":"Process ID (PID) of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessSHA1","type":"string","description":"SHA-1 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessSHA256","type":"string","description":"SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available."},{"name":"InitiatingProcessTokenElevation","type":"string","description":"Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event."},{"name":"MD5","type":"string","description":"MD5 hash of the file that the recorded action was applied to."},{"name":"MachineGroup","type":"string","description":"Machine group of the machine. 
This group is used by role-based access control to determine access to the machine."},{"name":"ReportId","type":"long","description":"Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns."},{"name":"SHA1","type":"string","description":"SHA-1 hash of the file that the recorded action was applied to."},{"name":"SHA256","type":"string","description":"SHA-256 of the file that the recorded action was applied to."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"InitiatingProcessParentCreationTime","type":"datetime","description":"Date and time when the parent of the process responsible for the event was started."},{"name":"InitiatingProcessCreationTime","type":"datetime","description":"Date and time when the process that initiated the event was started."},{"name":"InitiatingProcessFileSize","type":"long","description":"Size in bytes of the process (image file) that initiated the event."},{"name":"InitiatingProcessVersionInfoCompanyName","type":"string","description":"Company name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoFileDescription","type":"string","description":"Description from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoInternalFileName","type":"string","description":"Internal file name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoOriginalFileName","type":"string","description":"Original file name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductName","type":"string","description":"Product name from the version information of the process (image file) responsible 
for the event."},{"name":"InitiatingProcessVersionInfoProductVersion","type":"string","description":"Product version from the version information of the process (image file) responsible for the event."},{"name":"FileSize","type":"long","description":"Size of the file in bytes."},{"name":"InitiatingProcessSessionId","type":"long","description":"Windows session ID of the initiating process."},{"name":"IsInitiatingProcessRemoteSession","type":"bool","description":"Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false)."},{"name":"InitiatingProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessRemoteSessionIP","type":"string","description":"IP address of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessUniqueId","type":"string","description":"Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"DeviceInfo","name":"DeviceInfo","tableType":"Microsoft","description":"This table is part of Microsoft Defender for Endpoints with Azure Sentinel. 
This table contains Machine information, including OS information.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event."},{"name":"ClientVersion","type":"string","description":"Version of the endpoint agent or sensor running on the machine."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"DeviceObjectId","type":"string","description":"Unique identifier for the device in Azure AD."},{"name":"IsAzureADJoined","type":"bool","description":"Boolean indicator of whether machine is joined to the Azure Active Directory."},{"name":"LoggedOnUsers","type":"dynamic","description":"List of all users that are logged on the machine at the time of the event in JSON array format."},{"name":"MachineGroup","type":"string","description":"Machine group used to determine access to the machine and apply group-specific settings."},{"name":"OSArchitecture","type":"string","description":"Architecture of the operating system running on the machine."},{"name":"OSBuild","type":"long","description":"Build version of the operating system running on the machine."},{"name":"OSPlatform","type":"string","description":"Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7."},{"name":"OSVersion","type":"string","description":"Version of the operating system running on the machine."},{"name":"PublicIP","type":"string","description":"Public IP address used by the onboarded machine to connect to the Windows Defender ATP service. 
This could be the IP address of the machine itself, a NAT device, or a proxy."},{"name":"RegistryDeviceTag","type":"string","description":"Device tag added through the registry."},{"name":"ReportId","type":"long","description":"Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"AadDeviceId","type":"string","description":"Unique identifier for the device in Azure Active Directory."},{"name":"DeviceCategory","type":"string","description":"Broader classification that groups certain device types under the following categories: Endpoint, Network device, IoT, Unknown."},{"name":"DeviceSubtype","type":"string","description":"Additional modifier for certain types of devices, for example, a mobile device can be a tablet or a smartphone; only available if device discovery finds enough information about this attribute."},{"name":"DeviceType","type":"string","description":"Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer."},{"name":"JoinType","type":"string","description":"The device's Azure Active Directory join type."},{"name":"MergedDeviceIds","type":"string","description":"Previous device IDs that have been assigned to the same device."},{"name":"MergedToDeviceId","type":"string","description":"The most recent device ID assigned to a device."},{"name":"Model","type":"string","description":"Model name or number of the product from the vendor or manufacturer, only available if device discovery finds enough information about this attribute."},{"name":"OnboardingStatus","type":"string","description":"Indicates whether the device is currently onboarded or not to Microsoft Defender for Endpoint or if the device is not 
supported."},{"name":"OSDistribution","type":"string","description":"Distribution of the OS platform, such as Ubuntu or RedHat for Linux platforms."},{"name":"OSVersionInfo","type":"string","description":"Additional information about the OS version, such as the popular name, code name, or version number."},{"name":"Vendor","type":"string","description":"Name of the product vendor or manufacturer, only available if device discovery finds enough information about this attribute."},{"name":"SensorHealthState","type":"string","description":"Indicates health of the device’s EDR sensor, if onboarded to Microsoft Defender For Endpoint."},{"name":"IsExcluded","type":"bool","description":"Determines if the device is currently excluded from Microsoft Defender for Vulnerability Management experiences."},{"name":"ExclusionReason","type":"string","description":"Indicates the reason for device exclusion."},{"name":"AssetValue","type":"string","description":"Indicates the value of a device as assigned by the user."},{"name":"ExposureLevel","type":"string","description":"Indicates the exposure level of a device."},{"name":"IsInternetFacing","type":"bool","description":"Indicates whether the device is internet-facing."},{"name":"DeviceManualTags","type":"string","description":"Device tags created manually using the portal UI or public API."},{"name":"DeviceDynamicTags","type":"string","description":"Device tags added and removed dynamically based on dynamic rules."},{"name":"AzureResourceId","type":"string","description":"Unique identifier of the Azure resource associated with the device."},{"name":"AwsResourceName","type":"string","description":"Unique identifier of the AWS resource associated with the device."},{"name":"GcpFullResourceName","type":"string","description":"Unique identifier of the GCP resource associated with the device."},{"name":"AzureVmId","type":"string","description":"Unique identifier assigned to the device in 
Azure."},{"name":"AzureVmSubscriptionId","type":"string","description":"Unique identifier of the Azure subscription associated with the device."},{"name":"CloudPlatforms","type":"string","description":"The cloud platforms that the device belongs to; can be Azure, Amazon Web Services, Google Cloud Platform and Azure Arc."},{"name":"HardwareUuid","type":"string","description":"Universally Unique Identifier (UUID) of the device’s hardware."},{"name":"HostDeviceId","type":"string","description":"Device ID of the device running Windows Subsystem for Linux."},{"name":"IsTransient","type":"bool","description":"Indicates whether this device is classified as short-lived or transient based on the frequency of appearance of the device on the network."},{"name":"MitigationStatus","type":"string","description":"Indicates the mitigation action applied to a device."},{"name":"OsBuildRevision","type":"string","description":"Build revision number of the operating system running on the machine."},{"name":"RestrictedDeviceSecurityOperations","type":"string","description":"The response categories that have been turned off on a device if its security operations setting is set to restricted. If the device's security operations setting is set to full operations, the value is null."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"DeviceLogonEvents","name":"DeviceLogonEvents","tableType":"Microsoft","description":"This table is part of Microsoft Defender for Endpoints with Azure Sentinel. 
This table contains Sign-ins and other authentication events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"AccountDomain","type":"string","description":"Domain of the account."},{"name":"AccountName","type":"string","description":"User name of the account."},{"name":"AccountSid","type":"string","description":"Security identifier (SID) of the account."},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event."},{"name":"AppGuardContainerId","type":"string","description":"Identifier for the virtualized container used by Application Guard to isolate browser activity."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"FailureReason","type":"string","description":"Information explaining why the recorded action failed."},{"name":"InitiatingProcessAccountDomain","type":"string","description":"Domain of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountName","type":"string","description":"User name of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountObjectId","type":"string","description":"Azure AD object ID of the user account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountSid","type":"string","description":"Security Identifier (SID) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountUpn","type":"string","description":"User principal name (UPN) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessCommandLine","type":"string","description":"Command line used 
to run the process that initiated the event."},{"name":"InitiatingProcessFileName","type":"string","description":"Name of the process that initiated the event."},{"name":"InitiatingProcessFolderPath","type":"string","description":"Folder containing the process (image file) that initiated the event."},{"name":"InitiatingProcessId","type":"long","description":"Process ID (PID) of the process that initiated the event."},{"name":"InitiatingProcessIntegrityLevel","type":"string","description":"Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources."},{"name":"InitiatingProcessMD5","type":"string","description":"MD5 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessParentFileName","type":"string","description":"Name of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessParentId","type":"long","description":"Process ID (PID) of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessSHA1","type":"string","description":"SHA-1 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessSHA256","type":"string","description":"SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available."},{"name":"InitiatingProcessTokenElevation","type":"string","description":"Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event."},{"name":"IsLocalAdmin","type":"bool","description":"Boolean indicator of whether the user is a local administrator on the machine."},{"name":"LogonId","type":"long","description":"Identifier for a logon session. 
This identifier is unique on the same machine only between restarts."},{"name":"LogonType","type":"string","description":"Type of logon session, specifically interactive, remote interactive (RDP), network, batch, and service."},{"name":"MachineGroup","type":"string","description":"Machine group of the machine. This group is used by role-based access control to determine access to the machine."},{"name":"Protocol","type":"string","description":"Protocol used during the communication."},{"name":"RemoteDeviceName","type":"string","description":"Name of the device that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information."},{"name":"RemoteIP","type":"string","description":"IP address that was being connected to."},{"name":"RemoteIPType","type":"string","description":"Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast."},{"name":"RemotePort","type":"int","description":"TCP port on the remote device that was being connected to."},{"name":"ReportId","type":"long","description":"Event identifier based on a repeating counter. 
To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"InitiatingProcessParentCreationTime","type":"datetime","description":"Date and time when the parent of the process responsible for the event was started."},{"name":"InitiatingProcessCreationTime","type":"datetime","description":"Date and time when the process that initiated the event was started."},{"name":"InitiatingProcessFileSize","type":"long","description":"Size in bytes of the process (image file) that initiated the event."},{"name":"InitiatingProcessVersionInfoCompanyName","type":"string","description":"Company name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoFileDescription","type":"string","description":"Description from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoInternalFileName","type":"string","description":"Internal file name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoOriginalFileName","type":"string","description":"Original file name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductName","type":"string","description":"Product name from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductVersion","type":"string","description":"Product version from the version information of the process (image file) responsible for the event."},{"name":"InitiatingProcessSessionId","type":"long","description":"Windows session ID of the initiating process."},{"name":"IsInitiatingProcessRemoteSession","type":"bool","description":"Indicates 
whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false)."},{"name":"InitiatingProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessRemoteSessionIP","type":"string","description":"IP address of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessUniqueId","type":"string","description":"Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"DeviceNetworkEvents","name":"DeviceNetworkEvents","tableType":"Microsoft","description":"Microsoft Defender for Endpoints (MDE) device network events table. 
This table contains information about network connections and related events initiated by processes running on the endpoint.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event."},{"name":"AppGuardContainerId","type":"string","description":"Identifier for the virtualized container used by Application Guard to isolate browser activity."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"InitiatingProcessAccountDomain","type":"string","description":"Domain of the account that ran the initiating process."},{"name":"InitiatingProcessAccountName","type":"string","description":"User name of the account that ran the initiating process."},{"name":"InitiatingProcessAccountObjectId","type":"string","description":"Azure AD object ID of the user account that ran the initiating process."},{"name":"InitiatingProcessAccountSid","type":"string","description":"Security Identifier (SID) of the account that ran the initiating process."},{"name":"InitiatingProcessAccountUpn","type":"string","description":"User principal name (UPN) of the account that ran the initiating process."},{"name":"InitiatingProcessCommandLine","type":"string","description":"Command line used to run the initiating process."},{"name":"InitiatingProcessFileName","type":"string","description":"Name of the initiating process."},{"name":"InitiatingProcessFolderPath","type":"string","description":"Folder containing the initiating process (image file)."},{"name":"InitiatingProcessId","type":"long","description":"Process ID (PID) of the initiating 
process."},{"name":"InitiatingProcessIntegrityLevel","type":"string","description":"Integrity level of the initiating process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources."},{"name":"InitiatingProcessMD5","type":"string","description":"MD5 hash of the initiating process (image file)."},{"name":"InitiatingProcessParentFileName","type":"string","description":"Name of the parent process that spawned the initiating process."},{"name":"InitiatingProcessParentId","type":"long","description":"Process ID (PID) of the parent process that spawned the initiating process."},{"name":"InitiatingProcessSHA1","type":"string","description":"SHA-1 hash of the initiating process (image file)."},{"name":"InitiatingProcessSHA256","type":"string","description":"SHA-256 hash of the initiating process (image file). In some cases this column may not be populated - please use the InitiatingProcessSHA1 column instead."},{"name":"InitiatingProcessTokenElevation","type":"string","description":"Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the initiating process."},{"name":"InitiatingProcessFileSize","type":"long","description":"Size of the file (bytes) that ran the process responsible for the event."},{"name":"InitiatingProcessVersionInfoCompanyName","type":"string","description":"The company name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductName","type":"string","description":"The product name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductVersion","type":"string","description":"The product version in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoInternalFileName","type":"string","description":"The internal 
file name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoOriginalFileName","type":"string","description":"The original file name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoFileDescription","type":"string","description":"The description in version information (image file) responsible for the event."},{"name":"LocalIP","type":"string","description":"IP address assigned to the local machine used during communication."},{"name":"LocalIPType","type":"string","description":"Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast."},{"name":"LocalPort","type":"int","description":"TCP port on the local machine used during communication."},{"name":"MachineGroup","type":"string","description":"Machine group of the machine. This group is used by role-based access control to determine access to the machine."},{"name":"Protocol","type":"string","description":"IP protocol used, whether TCP or UDP."},{"name":"RemoteIP","type":"string","description":"IP address that was being connected to."},{"name":"RemoteIPType","type":"string","description":"Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast."},{"name":"RemotePort","type":"int","description":"TCP port on the remote device that was being connected to."},{"name":"RemoteUrl","type":"string","description":"URL or fully qualified domain name (FQDN) that was being connected to."},{"name":"ReportId","type":"long","description":"Event identifier based on a repeating counter. 
To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"InitiatingProcessParentCreationTime","type":"datetime","description":"Date and time when the parent of the process responsible for the event was started."},{"name":"InitiatingProcessCreationTime","type":"datetime","description":"Date and time when the process that initiated the event was started."},{"name":"InitiatingProcessSessionId","type":"long","description":"Windows session ID of the initiating process."},{"name":"IsInitiatingProcessRemoteSession","type":"bool","description":"Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false)."},{"name":"InitiatingProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessRemoteSessionIP","type":"string","description":"IP address of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessUniqueId","type":"string","description":"Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"DeviceNetworkInfo","name":"DeviceNetworkInfo","tableType":"Microsoft","description":"Microsoft Defender for Endpoints (MDE) device network information table. 
This table contains Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ConnectedNetworks","type":"dynamic","description":"Networks that the adapter is connected to. Each JSON element in the array contains the network name, category (public, private or domain), a description, and a flag indicating if it is connected publicly to the internet."},{"name":"DefaultGateways","type":"dynamic","description":"Default gateway addresses in JSON array format."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"DnsAddresses","type":"dynamic","description":"DNS server addresses in JSON array format."},{"name":"IPAddresses","type":"dynamic","description":"JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and the IP class (RFC 1918 & RFC 4291)."},{"name":"IPv4Dhcp","type":"string","description":"IPv4 address of the configured DHCP server."},{"name":"IPv6Dhcp","type":"string","description":"IPv6 address of the configured DHCP server."},{"name":"MacAddress","type":"string","description":"MAC address of the network adapter."},{"name":"MachineGroup","type":"string","description":"The machine-group which this machine is associated to. 
This group is used by role-based access control to determine access to the machine."},{"name":"NetworkAdapterName","type":"string","description":"Name of the network adapter."},{"name":"NetworkAdapterStatus","type":"string","description":"Operational status of the network adapter."},{"name":"NetworkAdapterType","type":"string","description":"Network adapter type."},{"name":"ReportId","type":"long","description":"Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and/or Timestamp columns."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"TunnelType","type":"string","description":"Tunneling protocol, when the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH."},{"name":"NetworkAdapterVendor","type":"string","description":"Name of the manufacturer or vendor of the network adapter."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"DeviceProcessEvents","name":"DeviceProcessEvents","tableType":"Microsoft","description":"Microsoft Defender for Endpoints (MDE) device process events table. 
This table contains information about process creation and related events on the endpoint.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"AccountDomain","type":"string","description":"Domain of the account."},{"name":"AccountName","type":"string","description":"User name of the account."},{"name":"AccountObjectId","type":"string","description":"Unique identifier for the account in Azure AD."},{"name":"AccountSid","type":"string","description":"Security Identifier (SID) of the account."},{"name":"AccountUpn","type":"string","description":"User principal name (UPN) of the account."},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event."},{"name":"AppGuardContainerId","type":"string","description":"Identifier for the virtualized container used by Application Guard to isolate browser activity."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"FileName","type":"string","description":"Name of the file that the recorded action was applied to."},{"name":"FolderPath","type":"string","description":"Folder containing the file that the recorded action was applied to."},{"name":"FileSize","type":"long","description":"Size of the file in bytes."},{"name":"InitiatingProcessAccountDomain","type":"string","description":"Domain of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountName","type":"string","description":"User name of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountObjectId","type":"string","description":"Azure AD object ID of the user account that ran the process 
responsible for the event."},{"name":"InitiatingProcessAccountSid","type":"string","description":"Security Identifier (SID) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountUpn","type":"string","description":"User principal name (UPN) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessCommandLine","type":"string","description":"Command line used to run the process that initiated the event."},{"name":"InitiatingProcessFileName","type":"string","description":"Name of the process that initiated the event."},{"name":"InitiatingProcessFolderPath","type":"string","description":"Folder containing the process (image file) that initiated the event."},{"name":"InitiatingProcessId","type":"long","description":"Process ID (PID) of the process that initiated the event."},{"name":"InitiatingProcessIntegrityLevel","type":"string","description":"Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources."},{"name":"InitiatingProcessLogonId","type":"long","description":"Identifier for a logon session of the process that initiated the event. 
This identifier is unique on the same machine only between restarts."},{"name":"InitiatingProcessMD5","type":"string","description":"MD5 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessParentFileName","type":"string","description":"Name of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessParentId","type":"long","description":"Process ID (PID) of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessSHA1","type":"string","description":"SHA-1 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessSHA256","type":"string","description":"SHA-256 hash of the process (image file) that initiated the event. In some cases this column may not be populated - please use the InitiatingProcessSHA1 column instead."},{"name":"InitiatingProcessTokenElevation","type":"string","description":"Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event."},{"name":"InitiatingProcessFileSize","type":"long","description":"The size of the file (bytes) that ran the process responsible for the event."},{"name":"InitiatingProcessVersionInfoCompanyName","type":"string","description":"The company name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductName","type":"string","description":"The product name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductVersion","type":"string","description":"The product version in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoInternalFileName","type":"string","description":"The internal file name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoOriginalFileName","type":"string","description":"The 
original file name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoFileDescription","type":"string","description":"The description in version information (image file) responsible for the event."},{"name":"LogonId","type":"long","description":"Identifier for a logon session. This identifier is unique on the same machine only between restarts."},{"name":"MD5","type":"string","description":"MD5 hash of the file that the recorded action was applied to."},{"name":"MachineGroup","type":"string","description":"Machine group of the machine. This group is used by role-based access control to determine access to the machine."},{"name":"ProcessCommandLine","type":"string","description":"Command line used to create the new process."},{"name":"ProcessCreationTime","type":"datetime","description":"Date and time the process was created."},{"name":"ProcessId","type":"long","description":"Process ID (PID) of the newly created process."},{"name":"ProcessIntegrityLevel","type":"string","description":"Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. 
These integrity levels influence permissions to resources."},{"name":"ProcessTokenElevation","type":"string","description":"Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process."},{"name":"ProcessVersionInfoCompanyName","type":"string","description":"Company name from the version information of the newly created process."},{"name":"ProcessVersionInfoProductName","type":"string","description":"Product name from the version information of the newly created process."},{"name":"ProcessVersionInfoProductVersion","type":"string","description":"Product version from the version information of the newly created process."},{"name":"ProcessVersionInfoInternalFileName","type":"string","description":"Internal file name from the version information of the newly created process."},{"name":"ProcessVersionInfoOriginalFileName","type":"string","description":"Original file name from the version information of the newly created process."},{"name":"ProcessVersionInfoFileDescription","type":"string","description":"Description from the version information of the newly created process."},{"name":"InitiatingProcessSignerType","type":"string","description":"Type of file signer of the process (image file) that initiated the event."},{"name":"InitiatingProcessSignatureStatus","type":"string","description":"Information about the signature status of the process (image file) that initiated the event."},{"name":"ReportId","type":"long","description":"Event identifier based on a repeating counter. 
To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns."},{"name":"SHA1","type":"string","description":"SHA-1 hash of the file that the recorded action was applied to."},{"name":"SHA256","type":"string","description":"SHA-256 hash of the file that the recorded action was applied to."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"InitiatingProcessParentCreationTime","type":"datetime","description":"Date and time when the parent of the process responsible for the event was started."},{"name":"InitiatingProcessCreationTime","type":"datetime","description":"Date and time when the process that initiated the event was started."},{"name":"CreatedProcessSessionId","type":"long","description":"Windows session ID of the created process."},{"name":"IsProcessRemoteSession","type":"bool","description":"Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false)."},{"name":"ProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the created process’s RDP session was initiated."},{"name":"ProcessRemoteSessionIP","type":"string","description":"IP address of the remote device from which the created process’s RDP session was initiated."},{"name":"InitiatingProcessSessionId","type":"long","description":"Windows session ID of the initiating process."},{"name":"IsInitiatingProcessRemoteSession","type":"bool","description":"Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false)."},{"name":"InitiatingProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessRemoteSessionIP","type":"string","description":"IP address of the remote device from which 
the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessUniqueId","type":"string","description":"Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices."},{"name":"ProcessUniqueId","type":"string","description":"Unique identifier of the process; this is equal to the Process Start Key in Windows devices."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"DeviceRegistryEvents","name":"DeviceRegistryEvents","tableType":"Microsoft","description":"Microsoft Defender for Endpoints (MDE) device registry events table. This table contains information about the creation and modification of registry entries on the endpoint, and about the processes initiating such events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event."},{"name":"AppGuardContainerId","type":"string","description":"Identifier for the virtualized container used by Application Guard to isolate browser activity."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"InitiatingProcessAccountDomain","type":"string","description":"Domain of the account that ran the initiating process."},{"name":"InitiatingProcessAccountName","type":"string","description":"User name of the account that ran the initiating process."},{"name":"InitiatingProcessAccountObjectId","type":"string","description":"Azure AD object ID of the user account that ran the initiating 
process."},{"name":"InitiatingProcessAccountSid","type":"string","description":"Security Identifier (SID) of the account that ran the initiating process."},{"name":"InitiatingProcessAccountUpn","type":"string","description":"User principal name (UPN) of the account that ran the initiating process."},{"name":"InitiatingProcessCommandLine","type":"string","description":"Command line used to run the initiating process."},{"name":"InitiatingProcessFileName","type":"string","description":"Name of the initiating process."},{"name":"InitiatingProcessFolderPath","type":"string","description":"Folder containing the initiating process (image file)."},{"name":"InitiatingProcessId","type":"long","description":"Process ID (PID) of the initiating process."},{"name":"InitiatingProcessIntegrityLevel","type":"string","description":"Integrity level of the initiating process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources."},{"name":"InitiatingProcessMD5","type":"string","description":"MD5 hash of the initiating process (image file)."},{"name":"InitiatingProcessParentFileName","type":"string","description":"Name of the parent process that spawned the initiating process."},{"name":"InitiatingProcessParentId","type":"long","description":"Process ID (PID) of the parent process that spawned the initiating process."},{"name":"InitiatingProcessSHA1","type":"string","description":"SHA-1 hash of the initiating process (image file)."},{"name":"InitiatingProcessSHA256","type":"string","description":"SHA-256 hash of the initiating process (image file). 
In some cases this column may not be populated - please use the InitiatingProcessSHA1 column instead."},{"name":"InitiatingProcessTokenElevation","type":"string","description":"Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the initiating process."},{"name":"InitiatingProcessFileSize","type":"long","description":"The size of the file (bytes) that ran the process responsible for the event."},{"name":"InitiatingProcessVersionInfoCompanyName","type":"string","description":"The company name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductName","type":"string","description":"The product name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoProductVersion","type":"string","description":"The product version in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoInternalFileName","type":"string","description":"The internal file name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoOriginalFileName","type":"string","description":"The original file name in version information (image file) responsible for the event."},{"name":"InitiatingProcessVersionInfoFileDescription","type":"string","description":"The description in version information (image file) responsible for the event."},{"name":"MachineGroup","type":"string","description":"Machine group of the machine. 
This group is used by role-based access control to determine access to the machine."},{"name":"PreviousRegistryKey","type":"string","description":"Original registry key before it was modified."},{"name":"PreviousRegistryValueData","type":"string","description":"Original data of the registry value before it was modified."},{"name":"PreviousRegistryValueName","type":"string","description":"Original name of the registry value before it was modified."},{"name":"RegistryKey","type":"string","description":"Registry key that the recorded action was applied to."},{"name":"RegistryValueData","type":"string","description":"Data of the registry value that the recorded action was applied to."},{"name":"RegistryValueName","type":"string","description":"Name of the registry value that the recorded action was applied to."},{"name":"RegistryValueType","type":"string","description":"Data type, such as binary or string, of the registry value that the recorded action was applied to."},{"name":"ReportId","type":"long","description":"Event identifier based on a repeating counter. 
To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"InitiatingProcessParentCreationTime","type":"datetime","description":"Date and time when the parent of the process responsible for the event was started."},{"name":"InitiatingProcessCreationTime","type":"datetime","description":"Date and time when the process that initiated the event was started."},{"name":"InitiatingProcessSessionId","type":"long","description":"Windows session ID of the initiating process."},{"name":"IsInitiatingProcessRemoteSession","type":"bool","description":"Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false)."},{"name":"InitiatingProcessRemoteSessionDeviceName","type":"string","description":"Device name of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessRemoteSessionIP","type":"string","description":"IP address of the remote device from which the initiating process’s RDP session was initiated."},{"name":"InitiatingProcessUniqueId","type":"string","description":"Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"DeviceSkypeHeartbeat","name":"DeviceSkypeHeartbeat","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"HealthServiceId","type":"string","isPreferredFacet":true},{"name":"EventName","type":"string","isPreferredFacet":true},{"name":"ProviderId","type":"string"},{"name":"State","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"DeviceSkypeSignIn","name":"DeviceSkypeSignIn","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"HealthServiceId","type":"string","isPreferredFacet":true},{"name":"EventName","type":"string","isPreferredFacet":true},{"name":"ProviderId","type":"string"},{"name":"Opcode","type":"int"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["SurfaceHub"]}},{"id":"DeviceTvmSecureConfigurationAssessment","name":"DeviceTvmSecureConfigurationAssessment","tableType":"Microsoft","description":"Threat & vulnerability management assessment events, indicating the status 
of various security configurations on devices.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"Timestamp","type":"datetime","description":"Date and time when the record was generated"},{"name":"ConfigurationImpact","type":"real","description":"Rated impact of the configuration to the overall configuration score (1-10)"},{"name":"Context","type":"dynamic","description":"Machine data configuration context"},{"name":"IsCompliant","type":"bool","description":"Indicates whether the configuration or policy is properly configured"},{"name":"IsApplicable","type":"bool","description":"Indicates whether the configuration or policy is applicable"},{"name":"IsExpectedUserImpact","type":"bool","description":"Indicates if user impact is expected when configuration applied"},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service"},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device"},{"name":"OSPlatform","type":"string","description":"Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7"},{"name":"ConfigurationId","type":"string","description":"Unique identifier for a specific configuration"},{"name":"ConfigurationCategory","type":"string","description":"Category or grouping to which the configuration belongs"},{"name":"ConfigurationSubcategory","type":"string","description":"Subcategory or subgrouping to which the configuration belongs. 
In many cases, this describes specific capabilities or features."},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was generated"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["09786294-08ad-48b1-b467-55ff30e7ca28"]}},{"id":"DeviceTvmSecureConfigurationAssessmentKB","name":"DeviceTvmSecureConfigurationAssessmentKB","tableType":"Microsoft","description":"Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices and includes mappings to various standards and benchmarks.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was generated."},{"name":"Timestamp","type":"datetime","description":"Date and time when the record was generated"},{"name":"ConfigurationId","type":"string","description":"Unique identifier for a specific configuration."},{"name":"ConfigurationImpact","type":"real","description":"Rated impact of the configuration to the overall configuration score (1-10)."},{"name":"ConfigurationName","type":"string","description":"Display name of the configuration."},{"name":"ConfigurationDescription","type":"string","description":"Description of the configuration."},{"name":"RiskDescription","type":"string","description":"Description of any associated risks."},{"name":"ConfigurationCategory","type":"string","description":"Category or grouping to which the configuration belongs."},{"name":"ConfigurationSubcategory","type":"string","description":"Subcategory or subgrouping to which the configuration belongs. 
Commonly, this describes specific capabilities or features."},{"name":"ConfigurationBenchmarks","type":"dynamic","description":"List of industry benchmarks which recommend the same or similar configuration."},{"name":"Tags","type":"dynamic","description":"Labels representing various attributes, used to identify or categorize a security configuration."},{"name":"RemediationOptions","type":"string","description":"Recommended actions to reduce or address any associated risks"},{"name":"RelatedMitreTechniques","type":"dynamic","description":"Related techniques from Mitre knowledge base."},{"name":"RelatedMitreTactics","type":"dynamic","description":"Related tactics from Mitre knowledge base."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"DeviceTvmSoftwareInventory","name":"DeviceTvmSoftwareInventory","tableType":"Microsoft","description":"Inventory of software installed on devices, including their version information and end-of-support status.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service"},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device"},{"name":"OSPlatform","type":"string","description":"Platform of the operating system running on the device. 
This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7"},{"name":"OSVersion","type":"string","description":"Version of the operating system running on the machine"},{"name":"OSArchitecture","type":"string","description":"Architecture of the operating system running on the machine"},{"name":"SoftwareVendor","type":"string","description":"Name of the software vendor"},{"name":"SoftwareName","type":"string","description":"Name of the software product"},{"name":"SoftwareVersion","type":"string","description":"Version number of the software product"},{"name":"EndOfSupportStatus","type":"string","description":"Indicates the lifecycle stage of the software product relative to its specified end-of-support (EOS) or end-of-life (EOL) date"},{"name":"EndOfSupportDate","type":"datetime","description":"End-of-support (EOS) or end-of-life (EOL) date of the software product"},{"name":"ProductCodeCpe","type":"string","description":"The standard Common Platform Enumeration (CPE) name of the software product version"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was generated"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["7014f07d-00e7-48ae-85df-df5913ee6174"]}},{"id":"DeviceTvmSoftwareVulnerabilities","name":"DeviceTvmSoftwareVulnerabilities","tableType":"Microsoft","description":"Captures various identity-related events, like password changes, password expiration, and user principal name (UPN) changes.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the 
service"},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device"},{"name":"OSPlatform","type":"string","description":"Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7"},{"name":"OSVersion","type":"string","description":"Version of the operating system running on the machine"},{"name":"OSArchitecture","type":"string","description":"Architecture of the operating system running on the machine"},{"name":"SoftwareVendor","type":"string","description":"Name of the software vendor"},{"name":"SoftwareName","type":"string","description":"Name of the software product"},{"name":"SoftwareVersion","type":"string","description":"Version number of the software product"},{"name":"CveId","type":"string","description":"Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system"},{"name":"VulnerabilitySeverityLevel","type":"string","description":"Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape"},{"name":"RecommendedSecurityUpdate","type":"string","description":"Name or description of the security update provided by the software vendor to address the vulnerability"},{"name":"RecommendedSecurityUpdateId","type":"string","description":"Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was generated"},{"name":"CveTags","type":"dynamic","description":"Array of tags relevant to the CVE; example: ZeroDay, NoSecurityUpdate"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["a894f0af-bb74-4525-bf5a-7e0faaf345d4"]}},{"id":"DeviceTvmSoftwareVulnerabilitiesKB","name":"DeviceTvmSoftwareVulnerabilitiesKB","tableType":"Microsoft","description":"Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was generated."},{"name":"Timestamp","type":"datetime","description":"Date and time when the record was generated"},{"name":"CveId","type":"string","description":"Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system."},{"name":"CvssScore","type":"real","description":"Severity score assigned to the security vulnerability under the Common Vulnerability Scoring System (CVSS)."},{"name":"IsExploitAvailable","type":"bool","description":"Indicates whether exploit code for the vulnerability is publicly available."},{"name":"VulnerabilitySeverityLevel","type":"string","description":"Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape."},{"name":"LastModifiedTime","type":"datetime","description":"Date and time the item or related metadata was last modified."},{"name":"PublishedDate","type":"datetime","description":"Date vulnerability was disclosed to the public."},{"name":"VulnerabilityDescription","type":"string","description":"Description of the vulnerability and associated risks."},{"name":"AffectedSoftware","type":"dynamic","description":"List of all software products affected by the 
vulnerability."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"DiscoveryBookshelfAuditLogs","name":"DiscoveryBookshelfAuditLogs","tableType":"Microsoft","description":"Audit logs for Microsoft Discovery bookshelf operations including knowledge base creation, updates, and deletions. Used to track user actions and changes to bookshelf resources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the log entry was ingested."},{"name":"OperationName","type":"string","description":"The name of the operation that triggered the audit event, including the controller and action name."},{"name":"Category","type":"string","description":"The log category of the event."},{"name":"ObjectId","type":"string","description":"The object identifier of the principal that performed the operation."},{"name":"Tenant","type":"string","description":"The Discovery tenant identifier associated with the bookshelf."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.discovery/bookshelves"],"solutions":["LogManagement"],"queries":["6b8cd500-15a6-4311-a97b-806710922c5a","c7ce5ec8-5650-443b-9690-f79167d4ad28","4fc5e32f-d276-4f01-b513-d28ff85ff632"]}},{"id":"DiscoverySupercomputerAuditLogs","name":"DiscoverySupercomputerAuditLogs","tableType":"Microsoft","description":"Audit logs for Microsoft Discovery supercomputer operations including compute provisioning, scaling, and management actions. Used to track user actions and changes to supercomputer resources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the log entry was ingested."},{"name":"OperationName","type":"string","description":"The name of the operation that triggered the audit event, including the controller and action name."},{"name":"Category","type":"string","description":"The log category of the event."},{"name":"ObjectId","type":"string","description":"The object identifier of the principal that performed the operation."},{"name":"Tenant","type":"string","description":"The Discovery tenant identifier associated with the supercomputer."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.discovery/supercomputers"],"solutions":["LogManagement"],"queries":["11e2a947-7cac-4932-b08c-833ca8ed4b66","54954c67-9753-4acb-b9c4-647ed5eb8962","09eb47e3-0af5-4434-9e49-a71e5c3ceeb4"]}},{"id":"DiscoveryWorkspaceAuditLogs","name":"DiscoveryWorkspaceAuditLogs","tableType":"Microsoft","description":"Audit logs for Microsoft Discovery workspace operations including investigation management, task execution, and conversation activities. Used to track user actions and changes to workspace resources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the log entry was ingested."},{"name":"OperationName","type":"string","description":"The name of the operation that triggered the audit event, including the controller and action name."},{"name":"Category","type":"string","description":"The log category of the event."},{"name":"ObjectId","type":"string","description":"The object identifier of the principal that performed the operation."},{"name":"Tenant","type":"string","description":"The Discovery tenant identifier associated with the workspace."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.discovery/workspaces"],"solutions":["LogManagement"],"queries":["3b6c64fc-9624-45d4-8ca9-387fb3996ecf","f17b9109-4747-4ce4-94d1-bffc4bc04e18","4aa5f9aa-2eea-4297-95b4-37143a962df5"]}},{"id":"DisruptionAndResponseEvents","name":"DisruptionAndResponseEvents","tableType":"Microsoft","description":"Microsoft Defender for Endpoints (MDE) table for disruption and response events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"ActionType","type":"string","description":"Type of disruption action taken"},{"name":"DeviceId","type":"string","description":"Unique identifier for the device that reported the event"},{"name":"SourceDeviceId","type":"string","description":"Unique identifier for the device that the attack originated from"},{"name":"TargetDeviceId","type":"string","description":"Unique identifier for the device that was targeted or attacked"},{"name":"TargetDeviceName","type":"string","description":"Name of the device that was targeted or attacked"},{"name":"TargetDomainName","type":"string","description":"Domain name of the device that was targeted or attacked"},{"name":"DeviceName","type":"string","description":"Name of the device that reported the event"},{"name":"DomainName","type":"string","description":"Domain name that the device that reported the event is joined to"},{"name":"InitiatingProcessId","type":"int","description":"Process ID (PID) of the process that triggered that block action"},{"name":"InitiatingProcessFileName","type":"string","description":"Name of the process that triggered the block action"},{"name":"SourceUserSid","type":"string","description":"The security identifier of the account conducting the malicious 
activity"},{"name":"SourceUserName","type":"string","description":"The user name of the account conducting the malicious activity"},{"name":"SourceUserDomainName","type":"string","description":"The domain name of the account conducting the malicious activity"},{"name":"SourceIpAddress","type":"string","description":"IP address where the attacker communication originated from"},{"name":"SourcePort","type":"int","description":"Port where the attacker communication originated from"},{"name":"IpAddress","type":"string","description":"IP address that the attacker attempted to access"},{"name":"Port","type":"string","description":"Port that the attacker attempted to access"},{"name":"SourceDeviceName","type":"string","description":"Host name of the device where the attack originated from"},{"name":"SourceDomainName","type":"string","description":"Domain name of the device where the attack originated from"},{"name":"AuthenticationProtocol","type":"string","description":"Authentication protocol that the compromised user used to sign in"},{"name":"Service","type":"string","description":"Name of the service the attacker attempted to use"},{"name":"InterfaceUuid","type":"string","description":"Unique identifier (UUID) for the RPC interface that the attacker attempted to access"},{"name":"InterfaceFriendlyName","type":"string","description":"Friendly name of the interface represented by the interface UUID"},{"name":"FileName","type":"string","description":"Name of the file that the attacker attempted to access"},{"name":"ShareName","type":"string","description":"Name of the share location that the attacker attempted to access"},{"name":"LogonType","type":"string","description":"Type of logon session the user attempted"},{"name":"LogonId","type":"long","description":"Identifier for a logon session"},{"name":"SessionId","type":"long","description":"Unique number assigned to a user by a website's server for the duration of the visit or 
session"},{"name":"CompromisedAccountCount","type":"int","description":"Number of compromised accounts that are part of the policy"},{"name":"PolicyId","type":"string","description":"Unique identifier for the policy"},{"name":"PolicyName","type":"string","description":"Name of the policy"},{"name":"PolicyVersion","type":"string","description":"Version of the policy"},{"name":"PolicyHash","type":"string","description":"Unique hash of the policy"},{"name":"DataSources","type":"string","description":"Products or services that provided information for the event"},{"name":"IsPolicyOn","type":"bool","description":"Indicates the current state of the policy on the device at the time of the disruption event"},{"name":"ReportType","type":"string","description":"The nature and impact level of the reported event"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"DnsAuditEvents","name":"DnsAuditEvents","tableType":"Microsoft","description":"DNS server audit events enable change tracking on the DNS server. An audit event is logged each time server, zone, or resource record settings are changed. This includes operational events such as zone transfers, and DNSSEC zone signing and unsigning. 
This table captures audit events that are not from dynamic updates.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"Action","type":"string","description":"If a query meets the criteria of a policy, the action is the response that the policy requires."},{"name":"ActiveKey","type":"string","description":"Signing key of the KSK's active key."},{"name":"Base64Data","type":"string","description":"Key data."},{"name":"BufferSize","type":"int","description":"Size of the buffer used for logging the event data (in bytes)."},{"name":"ChildZone","type":"string","description":"Name of a child zone."},{"name":"ClientSubnetList","type":"string","description":"The list of IPv4 and IPv6 addresses of the client subnet."},{"name":"ClientSubnetRecord","type":"string","description":"The name of the client subnet."},{"name":"Condition","type":"string","description":"Specific circumstances or requirements that trigger certain actions or policies."},{"name":"Criteria","type":"string","description":"Criteria or conditions that triggered the event."},{"name":"CryptoAlgorithm","type":"string","description":"The cryptographic algorithm used for securing DNS-related operations."},{"name":"CurrentRolloverStatus","type":"string","description":"The state of the key rollover process from one key to another."},{"name":"CurrentState","type":"string","description":"The current status of a DNS key or zone."},{"name":"DenialOfExistence","type":"string","description":"The method used to prove that a certain DNS record does not exist."},{"name":"Digest","type":"string","description":"A secure fingerprint, allowing DNS resolvers to validate the authenticity of the trust anchor information."},{"name":"DigestType","type":"string","description":"Specifies the type of cryptographic hash algorithm used for generating the digest (hash) value."},{"name":"DistributeTrustAnchor","type":"string","description":"Relates to the 
distribution of a trust anchor for DNSSEC, which is a secure public key that helps in the validation of DNS data."},{"name":"DnsKeyRecordSetTtl","type":"int","description":"The time-to-live (TTL) value assigned to DNSKEY records when signing a DNS zone. This value determines how long a DNSKEY record will be considered valid before it needs to be refreshed. "},{"name":"DnsKeySignatureValidityPeriod","type":"int","description":"The duration in seconds that a DNSKEY record’s signature is considered valid."},{"name":"DnsQuery","type":"string","description":"The domain that needs to be resolved."},{"name":"DnsQueryType","type":"int","description":"The DNS resource record type codes as defined by the Internet Assigned Numbers Authority (IANA)."},{"name":"DSRecordGenerationAlgorithm","type":"string","description":"The algorithm used to generate the Delegation Signer (DS) record from the DNSKEY record."},{"name":"DSRecordSetTtl","type":"int","description":"The time-to-live (TTL) value for the DS (Delegation Signer) record set."},{"name":"DSSignatureValidityPeriod","type":"int","description":" The period in seconds that a DS (Delegation Signer) record’s signature is considered valid."},{"name":"EnableRfc5011KeyRollover","type":"string","description":"The process of automating the update and rollover of DNSSEC keys in accordance with RFC 5011 standards."},{"name":"EventGuid","type":"string","description":"Unique identifier for the specific event."},{"name":"EventId","type":"string","description":"Identifier for the underlying Windows event."},{"name":"EventString","type":"string","description":"Human-readable description of the event."},{"name":"EventType","type":"string","description":"Type of DNS event (e.g., zone transfer, dynamic update, DNSSEC signing)."},{"name":"FilePath","type":"string","description":"The location of a file or directory that the DNS server is interacting with."},{"name":"Forwarders","type":"string","description":"DNS forwarders used by the 
server."},{"name":"InitialRolloverOffset","type":"int","description":"The initial time delay (in seconds) before the first rollover action is triggered for a DNSSEC key."},{"name":"IsEnabled","type":"string","description":"Indicates whether the policy or exception list is currently active."},{"name":"IsKeyMasterServer","type":"string","description":"Whether the DNS server is the key master server for a DNSSEC-signed zone."},{"name":"KeyId","type":"string","description":"The unique identifier of a DNSSEC signing key."},{"name":"KeyLength","type":"int","description":"The length of the cryptographic key used in DNSSEC signing operations."},{"name":"KeyMasterServer","type":"string","description":"The DNS server that is responsible for generating and managing the DNSSEC keys for a zone."},{"name":"KeyOrZone","type":"string","description":"The signing key used for authentication and data integrity in a specific DNS zone."},{"name":"KeyProtocol","type":"string","description":"Protocol used for DNSSEC key management (e.g., DNSKEY, DS)."},{"name":"KeyStorageProvider","type":"string","description":"The system or service that is responsible for securely storing the DNSSEC keys."},{"name":"KeyTag","type":"int","description":"A numeric identifier for the cryptographic key used by the DS record."},{"name":"KeyType","type":"string","description":"The type of DNSSEC signing key being used."},{"name":"KskOrZsk","type":"string","description":"The type of signing key used in a specific DNS zone."},{"name":"LastRolloverTime","type":"datetime","description":"The last time a rollover process took place."},{"name":"ListenAddresses","type":"string","description":"IP addresses on which the DNS server listens."},{"name":"LookupValue","type":"string","description":"Type of DNS lookup (e.g., recursive, iterative)."},{"name":"MasterServer","type":"string","description":"The primary DNS server from which a secondary DNS server obtains zone 
data."},{"name":"Name","type":"string","description":"Specifies the domain name or hostname associated with a specific record."},{"name":"NameServer","type":"string","description":"Name server responsible for the DNS event."},{"name":"NewPropertyValues","type":"string","description":"The set of properties after they were updated for a specific policy or exception list in the DNS server or zone."},{"name":"NewValue","type":"string","description":"The updated value assigned to a specific property key within the DNS zone."},{"name":"NextKey","type":"string","description":"The upcoming key that will be used in the DNS zone signing process after the current active and standby keys."},{"name":"NextRolloverAction","type":"string","description":"The rollover action performed."},{"name":"NextRolloverTime","type":"datetime","description":"The next time a rollover process should happen."},{"name":"NodeName","type":"string","description":"The node name within the DNS zone."},{"name":"NSec3HashAlgorithm","type":"int","description":"The cryptographic hash algorithm used in the NSEC3 protocol for DNSSEC."},{"name":"NSec3Iterations","type":"int","description":"The number of additional hashing iterations a DNSSEC-enabled DNS server uses."},{"name":"NSec3OptOut","type":"string","description":"Indicates if the DNSSEC NSEC3 protocol is configured to allow unsigned delegations."},{"name":"NSec3RandomSaltLength","type":"int","description":"The length of the random salt value used in the NSEC3 protocol for DNSSEC."},{"name":"NSec3UserSalt","type":"string","description":"The user-defined salt value used in the NSEC3 protocol for DNSSEC."},{"name":"OldPropertyValues","type":"string","description":"The set of properties before they were updated for a specific policy or exception list in the DNS server or zone."},{"name":"ParentHasSecureDelegation","type":"string","description":"Whether the parent zone has a secure delegation to the child 
zone."},{"name":"Policy","type":"string","description":"Defines rules or guidelines for managing specific aspects of DNS behavior."},{"name":"ProcessingOrder","type":"int","description":"Determines the sequence in which policies are applied."},{"name":"PropagationTime","type":"int","description":"Time taken for the event information to propagate. Duration (e.g., milliseconds) or “Immediate” if no delay."},{"name":"PropertyKey","type":"string","description":"Specific property or setting affected by the event."},{"name":"RDATA","type":"string","description":"Represents the data of the resource record that was created, deleted, or scavenged in the DNS zone."},{"name":"RecursionScope","type":"string","description":"A specific area or set of conditions under which DNS recursion is allowed or applied on a DNS server."},{"name":"ReplicationScope","type":"string","description":"Scope of DNS replication (e.g., forest-wide, domain-specific)."},{"name":"RolloverPeriod","type":"int","description":"Time interval for log rollover (e.g., daily, weekly)."},{"name":"RolloverType","type":"string","description":"Type of rollover (e.g., overwrite, append). "},{"name":"ScavengeServers","type":"string","description":"Servers involved in DNS scavenging (aging and cleanup of stale records)."},{"name":"Scope","type":"string","description":"The scope of the event (e.g., server-wide, zone-specific)."},{"name":"Scopes","type":"string","description":"DNS scopes impacted by the event (e.g., global, local)."},{"name":"SecureDelegationPollingPeriod","type":"int","description":"Interval for polling secure delegation information. 
Numeric value (e.g., minutes) or “Disabled” if not applicable."},{"name":"SeizedOrTransferred","type":"string","description":"Refers to the action taken, either a seizure (when control is forcibly transferred) or a voluntary transfer of the key master role."},{"name":"ServerName","type":"string","description":"Represents the DNS server where the policy or exception list is being configured."},{"name":"Setting","type":"string","description":"Specific DNS configuration setting modified by the event."},{"name":"SignatureInceptionOffset","type":"int","description":"Offset time for DNSSEC signature inception. Duration (e.g., seconds) or “Immediate” if no delay."},{"name":"Source","type":"string","description":"Source of the DNS event (e.g., server, client)."},{"name":"StandbyKey","type":"string","description":"The backup key that will be used if the current active key is compromised or needs to be replaced in the DNS zone signing process."},{"name":"StoreKeysInAD","type":"string","description":"Specifies whether the keys are stored in Active Directory Domain Services (AD DS). 
This setting applies only to Active Directory-integrated zones when the vendor of KeyStorageProvider is Microsoft."},{"name":"SubTreeAging","type":"string","description":"Mechanism that affects the aging (expiration) of DNS records within a specific subtree or branch of a DNS zone."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was generated."},{"name":"TTL","type":"int","description":"The time-to-live for the DNS record, indicating how long the record should be cached before it is discarded or refreshed."},{"name":"VirtualizationID","type":"string","description":"A unique key to manage and coordinate activities within the virtualized environment."},{"name":"WithNewKeys","type":"string","description":"Indicates whether new DNSSEC keys were generated."},{"name":"WithWithout","type":"string","description":"Whether key signing key (KSK) metadata is included or excluded when exporting DNSSEC settings for a specific zone."},{"name":"Zone","type":"string","description":"The zone related to the activity."},{"name":"ZoneFile","type":"string","description":"The name of the zone file."},{"name":"ZoneName","type":"string","description":"The name of the DNS zone to which the event relates."},{"name":"ZoneScope","type":"string","description":"A list of scopes and weights for the zone."},{"name":"ZoneSignatureValidityPeriod","type":"int","description":"The amount of time that signatures that cover all other record sets are valid."},{"name":"AdditionalData","type":"dynamic","description":"Additional information not already scoped into its own dedicated field."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"DnsEvents","name":"DnsEvents","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime"},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"SubType","type":"string","isPreferredFacet":true},{"name":"Message","type":"string"},{"name":"TaskCategory","type":"string","isPreferredFacet":true},{"name":"ClientIP","type":"string"},{"name":"Name","type":"string","isPreferredFacet":true},{"name":"Result","type":"string","isPreferredFacet":true},{"name":"IPAddresses","type":"string"},{"name":"QueryType","type":"string","isPreferredFacet":true},{"name":"ResultCode","type":"int","isPreferredFacet":true},{"name":"MaliciousIP","type":"string","isPreferredFacet":true},{"name":"IndicatorThreatType","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"Confidence","type":"string","isPreferredFacet":true},{"name":"Severity","type":"int","isPreferredFacet":true},{"name":"RemoteIPLongitude","type":"real"},{"name":"RemoteIPLatitude","type":"real"},{"name":"RemoteIPCountry","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["network"],"solutions":["DnsAnalytics","SecurityInsights"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines"]}},{"id":"DnsInventory","name":"DnsInventory","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"SubType","type":"string","isPreferredFacet":true},{"name":"ResourceRecordName","type":"string"},{"name":"ResourceRecordType","type":"string","isPreferredFacet":true},{"name":"ZoneName","type":"string","isPreferredFacet":true},{"name":"DomainName","type":"string","isPreferredFacet":true},{"name":"ForestName","type":"string","isPreferredFacet":true},{"name":"ServerIPs","type":"string","isPreferredFacet":true},{"name":"DynamicUpdate","type":"string","isPreferredFacet":true},{"name":"DnsSecSigned","type":"string","isPreferredFacet":true},{"name":"NameServers","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["network"],"solutions":["DnsAnalytics","SecurityInsights"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines"]}},{"id":"DurableTaskSchedulerLogs","name":"DurableTaskSchedulerLogs","tableType":"Microsoft","description":"Logs 
generated by Durable Task Schedulers.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation generating this log."},{"name":"Location","type":"string","description":"The location of the Durable Task Scheduler generating this log."},{"name":"Fqdn","type":"string","description":"The fqdn of the Durable Task Scheduler generating this log."},{"name":"Scheduler","type":"string","description":"The name of the Durable Task Scheduler generating this log."},{"name":"TaskHub","type":"string","description":"The name of the TaskHub generating this log."},{"name":"Sku","type":"string","description":"The SKU of the Durable Task Scheduler generating this log."},{"name":"InstanceId","type":"string","description":"The unique identifier of the orchestration instance generating this log entry"},{"name":"RuntimeStatus","type":"string","description":"The current execution state of the orchestration instance (Pending, Running, Completed, Failed, etc.)"},{"name":"WorkerId","type":"string","description":"The identifier of the worker node or process handling the orchestration execution"},{"name":"UserAgent","type":"string","description":"The client application or SDK version information that initiated the orchestration request"},{"name":"Level","type":"int","description":"The severity level of the log entry (Information, Warning, Error, Critical, Debug, Trace)"},{"name":"env_dt_traceId","type":"string","description":"The unique trace identifier used for distributed tracing across the Durable Task Scheduler environment to correlate related log entries and operations."},{"name":"env_dt_spanId","type":"string","description":"The span ID for distributed tracing within the Durable Task Scheduler 
environment"},{"name":"Log","type":"string","description":"The log generated by the user's Durable Task Scheduler."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.durabletask/schedulers"],"solutions":["LogManagement"],"queries":["dc826897-f00f-4d3d-8f4f-1c8a370a0e78","1e6825d2-847b-4027-a2d7-699d8875f6eb"]}},{"id":"DynamicEventCollection","name":"DynamicEventCollection","tableType":"Microsoft","description":"Microsoft Defender for Endpoint (MDE) table for generic Windows events. Fields of the raw events are available as part of the AdditionalFields column.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"AccountSid","type":"string","description":"Security identifier (SID) of the account."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event."},{"name":"AppGuardContainerId","type":"string","description":"Identifier for the virtualized container used by Application Guard to isolate browser activity."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"EventId","type":"long","description":"Contains the unique event identifier."},{"name":"InitiatingProcessAccountDomain","type":"string","description":"Domain of the account that ran the process responsible for the 
event."},{"name":"InitiatingProcessAccountName","type":"string","description":"User name of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountObjectId","type":"string","description":"Azure AD object ID of the user account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountSid","type":"string","description":"Security Identifier (SID) of the account that ran the process responsible for the event."},{"name":"InitiatingProcessAccountUpn","type":"string","description":"User principal name (UPN) of the account that ran the process responsible for the event. In Active Directory, a UPN is the name of a system user in an email address format (for example: john.doe@domain.com)"},{"name":"InitiatingProcessFolderPath","type":"string","description":"Folder containing the process (image file) that initiated the event."},{"name":"InitiatingProcessId","type":"long","description":"Process ID (PID) of the process that initiated the event."},{"name":"InitiatingProcessLogonId","type":"long","description":"Identifier for a logon session of the process that initiated the event. 
This identifier is unique on the same machine only between restarts."},{"name":"InitiatingProcessMD5","type":"string","description":"MD5 hash of the process (image file) that initiated the event."},{"name":"InitiatingProcessParentFileName","type":"string","description":"Name of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessParentId","type":"long","description":"Process ID (PID) of the parent process that spawned the process responsible for the event."},{"name":"InitiatingProcessSHA1","type":"string","description":"SHA-1 hash of the process (image file) that initiated the event."},{"name":"LocalIP","type":"string","description":"IP address assigned to the local machine used during communication."},{"name":"LocalPort","type":"int","description":"TCP port on the local machine used during communication."},{"name":"MachineGroup","type":"string","description":"Machine group of the machine. This group is used by role-based access control to determine access to the machine."},{"name":"ProcessCommandLine","type":"string","description":"Command line used to create the new process."},{"name":"RemoteDeviceName","type":"string","description":"Name of the device that performed a remote operation on the affected machine. 
Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information."},{"name":"RemoteIP","type":"string","description":"IP address that was being connected to."},{"name":"RemotePort","type":"int","description":"TCP port on the remote device that was being connected to."},{"name":"ReportId","type":"long","description":"Unique identifier for the event."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the event was recorded by the MDE agent on the endpoint."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["AzureSentinelDSRE"]}},{"id":"DynamicSummary","name":"DynamicSummary","tableType":"Microsoft","description":"Azure Sentinel Dynamic Summary provides security data storage to persist concentrated findings and summaries for hunting, investigation, search, and detection. 
Summary description and detailed observables can be stored in Log Analytics for further analysis and report generation.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was ingested to Azure Monitor."},{"name":"AzureTenantId","type":"string","description":"The AAD tenant ID to which this DynamicSummary table belongs."},{"name":"SummaryId","type":"string","description":"Summary unique ID."},{"name":"SummaryItemId","type":"string","description":"Summary item unique ID."},{"name":"SummaryName","type":"string","description":"The Summary display name, unique within workspace."},{"name":"RelationName","type":"string","description":"The original data source name."},{"name":"RelationId","type":"string","description":"The original data source ID"},{"name":"SearchKey","type":"string","description":"SearchKey is used to optimize query performance when using DynamicSummary for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field to join in other event tables by IP address."},{"name":"CreatedBy","type":"dynamic","description":"The JSON object with the user who created summary, including: object ID, email and name."},{"name":"CreatedTimeUTC","type":"datetime","description":"The time (UTC) when the summary was created."},{"name":"UpdatedBy","type":"dynamic","description":"The JSON object with the user who updated summary, including: object ID, email and name."},{"name":"UpdatedTimeUTC","type":"datetime","description":"The time (UTC) when the summary was updated."},{"name":"SummaryDescription","type":"string","description":"The description provided by user."},{"name":"Tactics","type":"dynamic","description":"MITRE ATT&CK tactics are what attackers are trying to achieve. 
For example, exfiltration."},{"name":"Techniques","type":"dynamic","description":"MITRE ATT&CK techniques are how those tactics are accomplished."},{"name":"SummaryStatus","type":"string","description":"Active or deleted."},{"name":"SourceInfo","type":"dynamic","description":"The JSON object with the data producer info, including source, name, version."},{"name":"Query","type":"string","description":"This is the query that was used to generate the result."},{"name":"QueryStartDate","type":"datetime","description":"Events that occurred after this datetime will be included in the result."},{"name":"QueryEndDate","type":"datetime","description":"Events that occurred before this datetime will be included in the result."},{"name":"EventTimeUTC","type":"datetime","description":"The time (UTC) when the summary item occurred originally."},{"name":"ObservableType","type":"string","description":"Observables are stateful events or properties that are related to the operation of a computing system, which are helpful in identifying indicators of compromise. 
For example, login."},{"name":"ObservableValue","type":"string","description":"Value for observable type, such as: anomalous RDP activity."},{"name":"PackedContent","type":"dynamic","description":"The JSON object has packed columns which can be generated by using KQL pack_all()."},{"name":"SummaryDataType","type":"string","description":"This flag is used to tell if the record is either a summary level or a summary item level record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["SecurityInsights"]}},{"id":"Dynamics365Activity","name":"Dynamics365Activity","tableType":"Microsoft","description":"Audit logs for Dynamics 365 tenants collected by Azure Sentinel.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceRecordId","type":"string","description":"Unique identifier of an audit record","isPreferredFacet":true},{"name":"UserAgent","type":"string","description":"The user agent","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"The date and time in Coordinated Universal Time (UTC) when the user performed the activity","isPreferredFacet":true},{"name":"Operation","type":"string","description":"The name of the operation that the user is performing","isPreferredFacet":true},{"name":"OrganizationId","type":"string","description":"The GUID for your organization's Office 365 tenant. This value will always be the same for your organization","isPreferredFacet":true},{"name":"UserType","type":"string","description":"The type of user that performed the operation. 
See the UserType table in Office 365 management activity api schema documentation for details on the types of users","isPreferredFacet":true},{"name":"UserKey","type":"string","description":"An alternative ID for the user identified in the UserId property","isPreferredFacet":true},{"name":"OfficeWorkload","type":"string","description":"The Office 365 service where the activity occurred","isPreferredFacet":true},{"name":"RecordType","type":"string","description":"The type of operation indicated by the record. See the AuditLogRecordType table in Office 365 management activity api schema documentation for details on the types of audit log records","isPreferredFacet":true},{"name":"ResultStatus","type":"string","description":"Indicates whether the action (specified in the Operation property) was successful or not","isPreferredFacet":true},{"name":"OriginalObjectId","type":"string","description":"The ObjectId for SharePoint and OneDrive about business activity"},{"name":"UserId","type":"string","description":"The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged","isPreferredFacet":true},{"name":"ClientIP","type":"string","description":"The IP address of the device that was used when the activity was logged","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"A unique value used to associate related rows","isPreferredFacet":true},{"name":"CrmOrganizationUniqueName","type":"string","description":"Unique name of the organization","isPreferredFacet":true},{"name":"InstanceUrl","type":"string","description":"URL to the instance","isPreferredFacet":true},{"name":"ItemUrl","type":"string","description":"URL to the record emitting the log","isPreferredFacet":true},{"name":"ItemType","type":"string","description":"The type of object that was accessed or modified. 
See the ItemType table for details on the types of objects","isPreferredFacet":true},{"name":"Message","type":"string","description":"Name of the message called in the Dynamics365 SDK","isPreferredFacet":true},{"name":"EntityId","type":"string","description":"Unique identifier of the entity","isPreferredFacet":true},{"name":"EntityName","type":"string","description":"Name of the entity in the organization","isPreferredFacet":true},{"name":"Fields","type":"dynamic","description":"JSON of Key Value pair reflecting the values that were created or updated"},{"name":"Query","type":"string","description":"The query filter parameters used while executing the FetchXML","isPreferredFacet":true},{"name":"QueryResults","type":"dynamic","description":"One or multiple unique records returned by the Retrieve and Retrieve Multiple SDK message call","isPreferredFacet":true},{"name":"ServiceName","type":"string","description":"Name of the Service generating the log","isPreferredFacet":true},{"name":"SystemUserId","type":"string","description":"Unique identifier of the user GUID in the organization"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["SecurityInsights"]}},{"id":"EGNFailedHttpDataPlaneOperations","name":"EGNFailedHttpDataPlaneOperations","tableType":"Microsoft","description":"Log for failed HTTP data plane requests to an Event Grid namespace. 
It can be used for auditing purposes.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"NetworkAccess","type":"string","description":"The type of network used by the client issuing the request. Allowed values are: PublicAccess - when connecting via public IP, PrivateAccess - when connecting via private link"},{"name":"CallerIpAddress","type":"string","description":"The IP address of the client issuing the request."},{"name":"TLSVersion","type":"string","description":"The transport layer security (TLS) version used by the client connection. Possible values are: 1.2 and 1.3"},{"name":"AuthenticationType","type":"string","description":"Type of authentication used by the client. SharedAccessKey – request uses the SAS key, SharedAccessSignature – request uses a SAS token generated from SAS key, EntraIdAccessToken – Microsoft Entra issued JSON Web Token (JWT) token, Unknown – None of the above authentication types."},{"name":"ObjectId","type":"string","description":"The Microsoft Entra ObjectId of the caller issuing the request."},{"name":"ResultType","type":"string","description":"The type of the result. Possible values are: Failed."},{"name":"ResultSignature","type":"string","description":"The result of the operation. Possible values are: ServiceError, ClientError, QuotaExceeded, AuthnError, AuthzError, ConnectionLost"},{"name":"TotalOperations","type":"string","description":"The total number of requests with the above values issued within the minute. These traces aren't emitted for each request. 
An aggregate for each unique combination of above values is emitted every minute"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/namespaces"],"solutions":["LogManagement"],"queries":["60E4B8B4-31FA-4BA7-9155-44AF1DDA8BA3"]}},{"id":"EGNFailedMqttConnections","name":"EGNFailedMqttConnections","tableType":"Microsoft","description":"Log for failed MQTT connections to an Event Grid namespace.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"ResultSignature","type":"string","description":"The result of the operation."},{"name":"ResultDescription","type":"string","description":"Additional description about the result."},{"name":"AuthenticationType","type":"string","description":"Type of authentication used by the client."},{"name":"ClientIdentitySource","type":"string","description":"Source of the identity of the client issuing the request."},{"name":"ClientIdentity","type":"string","description":"Value of the client's identity."},{"name":"SessionName","type":"string","description":"Name of the session provided by the client in the MQTT CONNECT packet's clientId field."},{"name":"Protocol","type":"string","description":"Protocol used by the client to connect. 
Possible values are: MQTT3, MQTT3-WS, MQTT5, MQTT5-WS."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/namespaces"],"solutions":["LogManagement"],"queries":["9b5542ef-7676-40ad-999d-efba45f42e9c"]}},{"id":"EGNFailedMqttPublishedMessages","name":"EGNFailedMqttPublishedMessages","tableType":"Microsoft","description":"Log for failed MQTT published messages to an Event Grid namespace.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"ResultSignature","type":"string","description":"The result of the operation."},{"name":"ResultDescription","type":"string","description":"Additional description about the result."},{"name":"ClientIdentity","type":"string","description":"Value of the client's identity."},{"name":"SessionName","type":"string","description":"Name of the session provided by the client in the MQTT CONNECT packet's clientId field."},{"name":"Protocol","type":"string","description":"Protocol used by the client to connect. Possible values are: MQTT3, MQTT3-WS, MQTT5, MQTT5-WS."},{"name":"Qos","type":"int","description":"Quality of service used by the client to publish. 
Possible values are: 0,1"},{"name":"TopicName","type":"string","description":"MQTT Topic Name used by the client to publish."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/namespaces"],"solutions":["LogManagement"]}},{"id":"EGNFailedMqttSubscriptions","name":"EGNFailedMqttSubscriptions","tableType":"Microsoft","description":"Log for failed MQTT subscriptions to an Event Grid namespace.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"ResultSignature","type":"string","description":"The result of the operation."},{"name":"ResultDescription","type":"string","description":"Additional description about the result."},{"name":"TopicFilters","type":"string","description":"MQTT Topic Filters that the client subscribed to."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/namespaces"],"solutions":["LogManagement"]}},{"id":"EGNMqttDisconnections","name":"EGNMqttDisconnections","tableType":"Microsoft","description":"Log for disconnected MQTT connections from an Event Grid namespace.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"ResultSignature","type":"string","description":"The result of the operation."},{"name":"ResultDescription","type":"string","description":"Additional description about the result."},{"name":"ClientIdentity","type":"string","description":"Value of the client's identity."},{"name":"SessionName","type":"string","description":"Name of the session provided by the client in the MQTT CONNECT packet's clientId field."},{"name":"Protocol","type":"string","description":"Protocol used by the client to connect. 
Possible values are: MQTT3, MQTT3-WS, MQTT5, MQTT5-WS."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/namespaces"],"solutions":["LogManagement"],"queries":["22db387f-49a3-4b3e-88a4-13b1b00728b8","7a684553-e9ad-4fd8-a31f-75c1a4db8d2c"]}},{"id":"EGNSuccessfulHttpDataPlaneOperations","name":"EGNSuccessfulHttpDataPlaneOperations","tableType":"Microsoft","description":"Log for successful HTTP data plane requests to an Event Grid namespace. It can be used for auditing purposes.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"NetworkAccess","type":"string","description":"The type of network used by the client issuing the request. Allowed values are: PublicAccess - when connecting via public IP, PrivateAccess - when connecting via private link"},{"name":"CallerIpAddress","type":"string","description":"The IP address of the client issuing the request."},{"name":"TLSVersion","type":"string","description":"The transport layer security (TLS) version used by the client connection. Possible values are: 1.2 and 1.3"},{"name":"AuthenticationType","type":"string","description":"Type of authentication used by the client. 
SharedAccessKey – request uses the SAS key, SharedAccessSignature – request uses a SAS token generated from SAS key, EntraIdAccessToken – Microsoft Entra issued JSON Web Token (JWT) token, Unknown – None of the above authentication types."},{"name":"ObjectId","type":"string","description":"The Microsoft Entra ObjectId of the caller issuing the request."},{"name":"ResultType","type":"string","description":"The result of the operation. Possible values are: Succeeded."},{"name":"TotalOperations","type":"string","description":"The total number of requests with the above values issued within the minute. These traces aren't emitted for each request. An aggregate for each unique combination of above values is emitted every minute"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.eventgrid/namespaces"],"solutions":["LogManagement"],"queries":["60E4B8B4-31FA-4BA7-9155-44AF1DDA8BA3"]}},{"id":"EGNSuccessfulMqttConnections","name":"EGNSuccessfulMqttConnections","tableType":"Microsoft","description":"Log for successful MQTT connections to an Event Grid namespace. 
This log can be used for auditing purposes.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"AuthenticationType","type":"string","description":"Type of authentication used by the client."},{"name":"ClientIdentitySource","type":"string","description":"Source of the identity of the client issuing the request."},{"name":"ClientIdentity","type":"string","description":"Value of the client's identity."},{"name":"SessionName","type":"string","description":"Name of the session provided by the client in the MQTT CONNECT packet's clientId field."},{"name":"Protocol","type":"string","description":"Protocol used by the client to connect. Possible values are: MQTT3, MQTT3-WS, MQTT5, MQTT5-WS."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.eventgrid/namespaces"],"solutions":["LogManagement"],"queries":["56bf07f2-0029-4c3a-9eb1-22320fd92b39"]}},{"id":"ETWEvent","name":"ETWEvent","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"Level","type":"string","isPreferredFacet":true},{"name":"ProviderGuid","type":"string"},{"name":"EventSourceName","type":"string","isPreferredFacet":true},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"Pid","type":"int"},{"name":"Tid","type":"int"},{"name":"OpcodeName","type":"string"},{"name":"KeywordName","type":"string"},{"name":"TaskName","type":"string","isPreferredFacet":true},{"name":"ChannelName","type":"string"},{"name":"AzureDeploymentID","type":"string","isPreferredFacet":true},{"name":"Role","type":"string","isPreferredFacet":true},{"name":"EventMessage","type":"string"},{"name":"Message","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["virtualmachines"],"solutions":["LogManagement"]}},{"id":"EdgeActionConsoleLog","name":"EdgeActionConsoleLog","tableType":"Microsoft","description":"Logs emitted to console by the action code.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log entry was created."},{"name":"TrackingReference","type":"string","description":"The unique reference string that identifies a request served by Front Door, also sent as X-Azure-Ref header to the 
client."},{"name":"LogMessage","type":"string","description":"The log message emitted by the action code."},{"name":"EdgeActionVersion","type":"string","description":"The version of the action that emitted the log."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.cdn/edgeactions"],"solutions":["LogManagement"],"queries":["b30699d3-efa7-4341-acad-b0d745f57061"]}},{"id":"EdgeActionServiceLog","name":"EdgeActionServiceLog","tableType":"Microsoft","description":"Service logs emitted by the Edge Action platform.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log entry was created."},{"name":"TrackingReference","type":"string","description":"The unique reference string that identifies a request served by Front Door, also sent as X-Azure-Ref header to the client."},{"name":"LogMessage","type":"string","description":"The log message emitted by the Edge Action platform."},{"name":"EdgeActionVersion","type":"string","description":"The version of the action associated with this log."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A 
unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.cdn/edgeactions"],"solutions":["LogManagement"],"queries":["b30699d3-efa7-4341-acad-b0d745f57061","c72d1185-3401-4e65-9a9b-424730f26288"]}},{"id":"EmailAttachmentInfo","name":"EmailAttachmentInfo","tableType":"Microsoft","description":"Office 365 attached emails information.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"FileName","type":"string","description":"Name of the file that the recorded action was applied to."},{"name":"FileType","type":"string","description":"File extension type."},{"name":"NetworkMessageId","type":"string","description":"Unique identifier for the email, generated by Office 365."},{"name":"RecipientEmailAddress","type":"string","description":"Email address of the recipient, or email address of the recipient after distribution list expansion."},{"name":"RecipientObjectId","type":"string","description":"Email recipient unique identifier in Azure AD."},{"name":"ReportId","type":"string","description":"Unique identifier for the event."},{"name":"SHA256","type":"string","description":"SHA-256 of the file that the recorded action was applied to."},{"name":"SenderDisplayName","type":"string","description":"Sender email address in the from header, which is visible to email recipients on their email clients."},{"name":"SenderObjectId","type":"string","description":"Sender email address in the from header, which is visible to email recipients on their email clients."},{"name":"ThreatTypes","type":"string","description":"Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats."},{"name":"SenderFromAddress","type":"string","description":"Sender domain in the from header, which is visible to email recipients on their email 
clients."},{"name":"ThreatNames","type":"string","description":"Sender email address in the from header, which is visible to email recipients on their email clients."},{"name":"DetectionMethods","type":"string","description":"Sender email address in the from header, which is visible to email recipients on their email clients."},{"name":"FileSize","type":"long","description":"Size of the file in bytes."},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated."},{"name":"FileExtension","type":"string","description":"File extension of the attachment."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["90f66bc3-2a34-4ea7-8849-2a0c1abb9a75","d826f137-f675-459e-a758-5acbc604ce90"]}},{"id":"EmailEvents","name":"EmailEvents","tableType":"Microsoft","description":"Office 365 email events, including email delivery and blocking events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"AttachmentCount","type":"int","description":"Number of attachments in the email."},{"name":"AuthenticationDetails","type":"string","description":"List of pass or fail verdicts by email authentication protocols like DMARC, DKIM, SPF or a combination of multiple authentication types (CompAuth)."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event."},{"name":"ConfidenceLevel","type":"string","description":"List of confidence levels of any spam or phishing verdicts. 
For spam, this column shows the spam confidence level (SCL), indicating if the email was skipped (-1), found to be not spam (0,1), found to be spam with moderate confidence (5,6), or found to be spam with high confidence (9). For phishing, this column displays whether the confidence level is \"High\" or \"Low\"."},{"name":"Connectors","type":"string","description":"Custom instructions that define organizational mail flow and how the email was routed."},{"name":"DetectionMethods","type":"string","description":"Delivery action of the email: Delivered, Junked, Blocked, or Replaced."},{"name":"DeliveryAction","type":"string","description":"Action of the delivered email."},{"name":"DeliveryLocation","type":"string","description":"Location of the delivered email: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items."},{"name":"EmailClusterId","type":"long","description":"Identifier of the email cluster. Emails are clustered (grouped) based on heuristic analysis of their contents."},{"name":"EmailDirection","type":"string","description":"Email direction: Inbound, Outbound, Intra-org."},{"name":"EmailLanguage","type":"string","description":"Detected language of the email content."},{"name":"EmailAction","type":"string","description":"Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, send to quarantine, No action taken, Bcc message."},{"name":"EmailActionPolicy","type":"string","description":"Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware Safe Attachments, Enterprise Transport Rules (ETR)."},{"name":"EmailActionPolicyGuid","type":"string","description":"Unique identifier of the policy that took 
effect."},{"name":"OrgLevelAction","type":"string","description":"Action taken on the email in response to matches to a policy defined at the organizational level."},{"name":"OrgLevelPolicy","type":"string","description":"Organizational policy that triggered the action taken on the email."},{"name":"InternetMessageId","type":"string","description":"Public-facing identifier for the email that is set by the sending email system."},{"name":"NetworkMessageId","type":"string","description":"Unique identifier for the email, generated by Office 365."},{"name":"RecipientEmailAddress","type":"string","description":"Recipient email address or email address of the recipient after distribution list expansion."},{"name":"RecipientObjectId","type":"string","description":"Email recipient Azure AD identifier."},{"name":"ReportId","type":"string","description":"Unique identifier for the event."},{"name":"SenderDisplayName","type":"string","description":"Sender email address in the from header, which is visible to email recipients on their email clients."},{"name":"SenderFromAddress","type":"string","description":"Sender domain in the from header, which is visible to email recipients on their email clients."},{"name":"SenderFromDomain","type":"string","description":"Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats."},{"name":"SenderObjectId","type":"string","description":"Sender email address in the from header, which is visible to email recipients on their email clients."},{"name":"SenderIPv4","type":"string","description":"IPv4 address of the last detected mail server that relayed the message."},{"name":"SenderIPv6","type":"string","description":"IPv6 address of the last detected mail server that relayed the message."},{"name":"SenderMailFromAddress","type":"string","description":"Sender email address in the MAIL from header, also known as the envelope sender or the Return-Path 
address."},{"name":"SenderMailFromDomain","type":"string","description":"Sender domain in the MAIL from header, also known as the envelope sender or the Return-Path address."},{"name":"Subject","type":"string","description":"Email subject field."},{"name":"ThreatTypes","type":"string","description":"Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats."},{"name":"ThreatNames","type":"string","description":"Sender email address in the from header, which is visible to email recipients on their email clients."},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated."},{"name":"LastEventExecutionTime","type":"datetime","description":"Date and time (UTC) when the record was updated post merge."},{"name":"UrlCount","type":"int","description":"Number of embedded URLs in the email."},{"name":"UserLevelAction","type":"string","description":"Action taken on the email in response to matches to a mailbox policy defined by the recipient."},{"name":"UserLevelPolicy","type":"string","description":"End user mailbox policy that triggered the action taken on the email."},{"name":"BulkComplaintLevel","type":"int","description":"Threshold assigned to email from bulk mailers, a high bulk complaint level (BCL) means the email is more likely to generate complaints, and thus more likely to be spam."},{"name":"LatestDeliveryLocation","type":"string","description":"Last known location of the email."},{"name":"LatestDeliveryAction","type":"string","description":"Last known action attempted on an email by the service or by an admin through manual remediation."},{"name":"ExchangeTransportRule","type":"string","description":"Mail flow rules (also known as transport rules) are similar to Inbox rules that are available in Outlook and Outlook on the web. 
The main difference is mail flow rules take action on messages while they're in transit."},{"name":"DistributionList","type":"string","description":"Name of distribution list that the recipient was a member of and to which the email was sent, if applicable; shows top-level distribution list if nested lists are involved"},{"name":"ForwardingInformation","type":"string","description":"A JSON array of forwarding details including the forwarding user and the forwarding type"},{"name":"Context","type":"string","description":"Configuration context data of the machine"},{"name":"To","type":"dynamic","description":"Indicates the addresses which are listed in To fields of an email"},{"name":"Cc","type":"dynamic","description":"Indicates the addresses which are listed in Cc fields of an email"},{"name":"ThreatClassification","type":"string","description":"Indicates the threat classification of the mail"},{"name":"RecipientDomain","type":"string","description":"Domain of the recipient of the email."},{"name":"EmailSize","type":"int","description":"Size of the email message."},{"name":"IsFirstContact","type":"bool","description":"Indicates whether this is the first contact between sender and receiver."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["44fc0e47-dc0e-4d77-8fcb-0e7aa58b7e92","824be1eb-27b7-44e9-97b6-ceba952b5301"]}},{"id":"EmailPostDeliveryEvents","name":"EmailPostDeliveryEvents","tableType":"Microsoft","description":"Office 365 security events that occurred after email delivery to the recipient mailbox.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"Action","type":"string","description":"Action taken on the entity"},{"name":"ActionResult","type":"string","description":"Result of 
the action"},{"name":"ActionTrigger","type":"string","description":"Indicates whether an action was triggered by an administrator (manually or through approval of a pending automated action), or by some special mechanism, such as a ZAP or String Delivery"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event"},{"name":"DeliveryLocation","type":"string","description":"Delivered email location: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items"},{"name":"InternetMessageId","type":"string","description":"Public-facing identifier for the email that is set by the sending email system"},{"name":"NetworkMessageId","type":"string","description":"Email unique identifier generated by Office 365"},{"name":"RecipientEmailAddress","type":"string","description":"Recipient email address or email address of the recipient after distribution list expansion"},{"name":"ReportId","type":"string","description":"Unique identifier for the event"},{"name":"ThreatTypes","type":"string","description":"Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats"},{"name":"DetectionMethods","type":"string","description":"Methods used to detect malware, phishing, or other threats found in the email"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated"},{"name":"SenderFromAddress","type":"string","description":"Sender email address in the FROM header, which is visible to email recipients on their email clients"},{"name":"EmailDirection","type":"string","description":"Direction of the email relative to your network: Inbound, Outbound, Intra-org"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["4759e733-d0b0-4415-bd31-72b9765994d6","a2cdbdc7-3abb-426d-a77f-771d6bf5a4f9","fb42f174-b844-4416-8033-9f40cd9162a4"]}},{"id":"EmailUrlInfo","name":"EmailUrlInfo","tableType":"Microsoft","description":"Office 365 emails URLs information.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"NetworkMessageId","type":"string","description":"Email unique identifier generated by Office 365"},{"name":"ReportId","type":"string","description":"Unique identifier for the event"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated"},{"name":"Url","type":"string","description":"Information about URLs on Office 365 emails"},{"name":"UrlLocation","type":"string","description":"Indicates which part of the email the URL is located"},{"name":"UrlDomain","type":"string","description":"Domain part of the Url"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["d353de41-be6b-4bd0-9c88-62f8db108f09"]}},{"id":"EnrichedMicrosoft365AuditLogs","name":"EnrichedMicrosoft365AuditLogs","tableType":"Microsoft","description":"This table is part of Identity and Network Access, which contains Enriched Microsoft 365 Audit logs. 
These logs can be leveraged for policy, risk, and traffic management, as well as to monitor user experience.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time in UTC when the user performed the activity."},{"name":"Id","type":"string","description":"Unique identifier of an audit record."},{"name":"RecordType","type":"int","description":"The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records."},{"name":"Operation","type":"string","description":"The name of the user or admin activity that performed the activity."},{"name":"OrganizationId","type":"string","description":"The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."},{"name":"UserType","type":"string","description":"The type of user that performed the operation."},{"name":"ActorUserType","type":"string","description":"The type of user that performed the operation. Possible types include: Admin, System, Application, Service Principal and Other."},{"name":"UserKey","type":"string","description":"An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts."},{"name":"Workload","type":"string","description":"The Office 365 service where the activity occurred."},{"name":"ResultStatus","type":"string","description":"Indicates whether the action (specified in the Operation property) was successful or not. 
Possible values are Succeeded, PartiallySucceeded, or Failed."},{"name":"ObjectId","type":"string","description":"For SharePoint and OneDrive for business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet."},{"name":"UserId","type":"string","description":"The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. In SharePoint, another value displayed in the UserId property is app@sharepoint. This indicates that the \"user\" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records."},{"name":"ClientIp","type":"string","description":"The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by the person who performed the activity. 
Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null."},{"name":"UniqueTokenId","type":"string","description":"The unique token identifier."},{"name":"DeviceId","type":"string","description":"The ID of the source device as reported in the record."},{"name":"DeviceOperatingSystem","type":"string","description":"The client connecting operating system type."},{"name":"DeviceOperatingSystemVersion","type":"string","description":"The client connecting operating system version."},{"name":"SourceIp","type":"string","description":"The IP address from which the connection or session originated."},{"name":"AdditionalProperties","type":"dynamic","description":"Additional activity fields."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","network","management"],"solutions":["LogManagement"]}},{"id":"Event","name":"Event","tableType":"Microsoft","description":"Events from Windows Event Log on Windows computers using the Log Analytics agent.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"Type of agent the event was collected from. 
Possible values are OpsManager Linux and AzureStorage.","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"Source","type":"string","description":"Source of the event.","isPreferredFacet":true},{"name":"EventLog","type":"string","description":"Name of the event log that the event was collected from.","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Name of the computer that the event was collected from.","isPreferredFacet":true},{"name":"EventCategory","type":"int","description":"Category of the event.","isPreferredFacet":true},{"name":"EventLevel","type":"int","description":"Severity of the event in numeric form.","isPreferredFacet":true},{"name":"EventLevelName","type":"string","description":"Severity of the event in text form.","isPreferredFacet":true},{"name":"UserName","type":"string","description":"User name of the account that logged the event."},{"name":"Message","type":"string","description":"Event message for the different Languages. The language is defined by the LCID attribute."},{"name":"ParameterXml","type":"string","description":"Event parameter values in XML format."},{"name":"EventData","type":"string","description":"All event data in raw format."},{"name":"EventID","type":"int","description":"Number of the event.","isPreferredFacet":true},{"name":"RenderedDescription","type":"string","description":"Event description with parameter values."},{"name":"ManagementGroupName","type":"string","description":"Name of the management group for System Center Operations Manager agents. For other agents this value is AOI-","isPreferredFacet":true},{"name":"AzureDeploymentID","type":"string","description":"Azure deployment ID of the cloud service the log belongs to. 
Only populated when events are collected using Azure Diagnostics agent and collected from Azure storage.","isPreferredFacet":true},{"name":"Role","type":"string","description":"Role of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent and collected from Azure storage.","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security","virtualmachines"],"resourceTypes":["microsoft.operationalinsights/workspaces","microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets","microsoft.azurestackhci/clusters"],"solutions":["LogManagement"]}},{"id":"ExchangeAssessmentRecommendation","name":"ExchangeAssessmentRecommendation","tableType":"Microsoft","description":"Recommendations generated by Exchange assessments that are started through a scheduled task. 
When you schedule the assessment, it runs by default every 7 days and uploads the data into Azure Log Analytics","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"AssessmentId","type":"string","description":"ID of the assessment","isPreferredFacet":true},{"name":"RecommendationId","type":"string","description":"ID of the recommendation generated","isPreferredFacet":true},{"name":"Recommendation","type":"string","description":"Generated recommendation","isPreferredFacet":true},{"name":"Description","type":"string","description":"Description of the recommendation"},{"name":"RecommendationResult","type":"string","description":"Result of the recommendation generated","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"FocusAreaId","type":"string","description":"ID of the Focus Area","isPreferredFacet":true},{"name":"FocusArea","type":"string","description":"Area to be focused on","isPreferredFacet":true},{"name":"ActionAreaId","type":"string","description":"ID generated for Action Area","isPreferredFacet":true},{"name":"ActionArea","type":"string","description":"The segment in which action is to be performed","isPreferredFacet":true},{"name":"RecommendationWeight","type":"real","description":"Weight of recommendation"},{"name":"Computer","type":"string","description":"The machine from which data is uploaded","isPreferredFacet":true},{"name":"AffectedObjectType","type":"string","description":"Type of object which is affected","isPreferredFacet":true},{"name":"AffectedObjectName","type":"string","description":"Name of the affected 
object","isPreferredFacet":true},{"name":"ExchangeOrganization","type":"string"},{"name":"ExchangeAdminGroup","type":"string"},{"name":"ExchangeDAG","type":"string","isPreferredFacet":true},{"name":"ExchangeMailboxDatabase","type":"string","isPreferredFacet":true},{"name":"ExchangePublicFolderDatabase","type":"string"},{"name":"ExchangeServer","type":"string","isPreferredFacet":true},{"name":"ActiveDirectorySite","type":"string"},{"name":"Technology","type":"string"},{"name":"CustomData","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["AzureResources","ExchangeAssessment"]}},{"id":"ExchangeOnlineAssessmentRecommendation","name":"ExchangeOnlineAssessmentRecommendation","tableType":"Microsoft","description":"Recommendations generated by Exchange Online assessments that are started through a scheduled task. When you schedule the assessment, it runs by default every 7 days and uploads the data into Azure Log Analytics","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"AssessmentId","type":"string","description":"ID of the assessment","isPreferredFacet":true},{"name":"RecommendationId","type":"string","description":"ID of the recommendation generated","isPreferredFacet":true},{"name":"Recommendation","type":"string","description":"Generated recommendation","isPreferredFacet":true},{"name":"Description","type":"string","description":"Description of the recommendation"},{"name":"RecommendationResult","type":"string","description":"Result of the recommendation generated","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"FocusAreaId","type":"string","description":"ID of the Focus 
Area","isPreferredFacet":true},{"name":"FocusArea","type":"string","description":"Area to be focussed on","isPreferredFacet":true},{"name":"ActionAreaId","type":"string","description":"ID generated for Action Area","isPreferredFacet":true},{"name":"ActionArea","type":"string","description":"The segment in which action is to be performed","isPreferredFacet":true},{"name":"RecommendationWeight","type":"real","description":"Weight of recommendation"},{"name":"Computer","type":"string","description":"The machine from which data is uploaded","isPreferredFacet":true},{"name":"AffectedObjectType","type":"string","description":"Type of object which is affected","isPreferredFacet":true},{"name":"AffectedObjectName","type":"string","description":"Name of the affected object","isPreferredFacet":true},{"name":"O365TenantId","type":"string","description":"ID of O365 Tenant"},{"name":"TenantName","type":"string","description":"Name of the Tenant"},{"name":"Domain","type":"string","description":"Domain of the system"},{"name":"ExchangeOrganization","type":"string"},{"name":"Technology","type":"string"},{"name":"CustomData","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["AzureResources","ExchangeOnlineAssessment"]}},{"id":"FailedIngestion","name":"FailedIngestion","tableType":"Microsoft","description":"Failed ingestion operations logs provide detailed information about failed ingest operations. Logs include data source details, as well as error code and failure status (transient or permanent), that can be used for tracking the process of data source ingestion. Users can identify usage errors (permanent bad requests) and handle retries of transient failures. 
Ingestion logs are supported for queued ingestion to the ingestion endpoint using SDKs, data connections, and connectors.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"FailedOn","type":"datetime","description":"Time at which this ingest operation failed","isPreferredFacet":true},{"name":"OperationId","type":"string","description":"The ingestion's operation ID","isPreferredFacet":true},{"name":"Database","type":"string","description":"The name of the database holding the target table","isPreferredFacet":true},{"name":"Table","type":"string","description":"The name of the target table into which the data is ingested","isPreferredFacet":true},{"name":"IngestionSourceId","type":"string","description":"A unique identifier representing the ingested source","isPreferredFacet":true},{"name":"IngestionSourcePath","type":"string","description":"The path of the ingestion data sources or the Azure blob storage URI","isPreferredFacet":true},{"name":"ResultType","type":"string","description":"The final state of this data ingestion operation","isPreferredFacet":true},{"name":"RootActivityId","type":"string","description":"The ingestion's activity ID","isPreferredFacet":true},{"name":"Details","type":"string","description":"Detailed description of the failure and error message","isPreferredFacet":true},{"name":"ErrorCode","type":"string","description":"The failure's error code","isPreferredFacet":true},{"name":"FailureStatus","type":"string","description":"The failure's status. 
`Permanent` or `RetryAttemptsExceeded`; the latter indicates that the operation exceeded the max retries or max time limit following a recurring transient error","isPreferredFacet":true},{"name":"OriginatesFromUpdatePolicy","type":"bool","description":"Indicates whether or not the failure originates from an update policy","isPreferredFacet":true},{"name":"ShouldRetry","type":"bool","description":"Indicates whether or not the failure is transient and should be retried","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"FileMaliciousContentInfo","name":"FileMaliciousContentInfo","tableType":"Microsoft","description":"This table shows files that were identified as malicious by Microsoft Defender for Office 365 in SharePoint Online, OneDrive for Business, and Microsoft Teams.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated."},{"name":"Workload","type":"string","description":"Information about the workload from which the URL originated."},{"name":"FileName","type":"string","description":"Name of the file that the recorded action was applied to."},{"name":"FolderPath","type":"string","description":"Folder containing the file that the recorded action was applied to."},{"name":"FileSize","type":"long","description":"Size of the file in 
bytes."},{"name":"SHA256","type":"string","description":"SHA-256 of the file that the recorded action was applied to."},{"name":"FileOwnerDisplayName","type":"string","description":"Account recorded as owner of the file."},{"name":"FileOwnerUpn","type":"string","description":"Account recorded as owner of the file"},{"name":"LastModifyingAccountUpn","type":"string","description":"Account that last modified this file."},{"name":"DocumentID","type":"string","description":"Unique identifier of the file."},{"name":"ThreatTypes","type":"string","description":"Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats."},{"name":"ThreatNames","type":"string","description":"Detection name for malware or other threats found."},{"name":"DetectionMethods","type":"string","description":"Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats."},{"name":"LastModifiedTime","type":"datetime","description":"Date and time the item, or related metadata was last modified."},{"name":"FileCreationTime","type":"datetime","description":"Timestamp of the file creation."},{"name":"ReportId","type":"string","description":"Unique identifier for the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"FunctionAppLogs","name":"FunctionAppLogs","tableType":"Microsoft","description":"Log generated by Function Apps. It includes logs emitted by the Functions host and logs emitted by customer code. 
Use these logs to monitor application health, performance, and behavior.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log."},{"name":"Category","type":"string","description":"The log category name.","isPreferredFacet":true},{"name":"Location","type":"string","description":"The location of the server that processed the request (e.g., South Central US).","isPreferredFacet":true},{"name":"Message","type":"string","description":"The log message."},{"name":"HostVersion","type":"string","description":"The Functions host version."},{"name":"FunctionInvocationId","type":"string","description":"The invocation ID that logged the message."},{"name":"FunctionName","type":"string","description":"The name of the function that logged the message."},{"name":"HostInstanceId","type":"string","description":"The host instance ID."},{"name":"ActivityId","type":"string","description":"The activity ID that logged the message."},{"name":"Level","type":"string","description":"The log level. Valid values are Trace, Debug, Information, Warning, Error, or Critical."},{"name":"ExceptionDetails","type":"string","description":"The exception details. This includes the exception type, message, and stack trace."},{"name":"ExceptionMessage","type":"string","description":"The exception message."},{"name":"ExceptionType","type":"string","description":"The exception type (e.g., System.InvalidOperationException).","isPreferredFacet":true},{"name":"AppName","type":"string","description":"The Function application name.","isPreferredFacet":true},{"name":"RoleInstance","type":"string","description":"The role instance ID.","isPreferredFacet":true},{"name":"LevelId","type":"int","description":"The integer value of the log level. 
Valid values are 0 (Trace), 1 (Debug), 2 (Information), 3 (Warning), 4 (Error), or 5 (Critical).","isPreferredFacet":true},{"name":"ProcessId","type":"int","description":"The process ID.","isPreferredFacet":true},{"name":"EventId","type":"int","description":"The event ID.","isPreferredFacet":true},{"name":"EventName","type":"string","description":"The event name.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","applications"],"solutions":["LogManagement"],"resourceTypes":["microsoft.web/sites"]}},{"id":"GCPApigee","name":"GCPApigee","tableType":"Microsoft","description":"The Google ApigeeX data connector provides the capability to ingest Audit logs into Microsoft Sentinel using the Google Apigee API. 
Refer to [Google Apigee API](https://cloud.google.com/apigee/docs/reference/apis/apigee/rest/?apix=true) documentation for more information.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"InsertId","type":"string","description":"A unique identifier for the log entry."},{"name":"LogName","type":"string","description":"The full log name including resource path."},{"name":"ReceiveTimestamp","type":"datetime","description":"Time the log entry was received by Cloud Logging."},{"name":"Operation","type":"dynamic","description":"Contains details about the operation being performed, including the operation ID, producer, and status information."},{"name":"ProtoPayload","type":"dynamic","description":"Holds the structured audit log data, including authentication, method name, resource name, and service-specific information."},{"name":"GCPResource","type":"dynamic","description":"Describes the resource associated with the log entry, including labels and resource type."},{"name":"Severity","type":"string","description":"Indicates the severity level of the log entry or event"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp indicating when the log entry was created or received."},{"name":"Timestamp","type":"datetime","description":"The original timestamp of the event as recorded by the source system."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GCPAuditLogs","name":"GCPAuditLogs","tableType":"Microsoft","description":"The Google Cloud Platform (GCP) audit logs, ingested from Sentinel's connector, enable you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. 
Google Cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time the log entry was received by logging."},{"name":"ServiceName","type":"string","description":"The name of the API service performing the operation. For example, 'compute.googleapis.com'."},{"name":"MethodName","type":"string","description":"The name of the service method or operation. For API calls, this should be the name of the API method."},{"name":"GCPResourceName","type":"string","description":"The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name."},{"name":"NumResponseItems","type":"string","description":"The number of items returned from a list or query API method, if applicable."},{"name":"Status","type":"dynamic","description":"The status of the overall operation."},{"name":"AuthenticationInfo","type":"dynamic","description":"Authentication information."},{"name":"AuthorizationInfo","type":"dynamic","description":"Authorization information. If there are multiple resources or permissions involved, then there is one AuthorizationInfo element for each {resource, permission} tuple."},{"name":"RequestMetadata","type":"dynamic","description":"Metadata about the operation."},{"name":"Request","type":"dynamic","description":"The operation request. This may not include all request parameters, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. It should never include user-generated data, such as file contents. 
When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property."},{"name":"Response","type":"dynamic","description":"The operation response. This may not include all response elements, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. It should never include user-generated data, such as file contents. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property."},{"name":"Metadata","type":"dynamic","description":"Other service-specific data about the request, response, and other information associated with the current audited event."},{"name":"StatusMessage","type":"string","description":"The message status of the overall operation."},{"name":"PrincipalEmail","type":"string","description":"The email address of the authenticated user (or service account on behalf of third party principal) making the request. For third party identity callers, the principalSubject field is populated instead of this field. For privacy reasons, the principal email address is sometimes redacted."},{"name":"LogName","type":"string","description":"Information including a suffix identifying the log sub-type (e.g., admin activity, system access, data access) and where in the hierarchy the request was made."},{"name":"Timestamp","type":"datetime","description":"The time the event described by the log entry occurred."},{"name":"ProjectId","type":"string","description":"The identifier of the Google Cloud Platform (GCP) project associated with this resource, such as \"my-project\"."},{"name":"Severity","type":"string","description":"Optional. The severity of the log entry. 
For example, a severity filter can match log entries with severities INFO, NOTICE, and WARNING."},{"name":"GCPResourceType","type":"string","description":"The identifier of the type associated with this resource, such as 'pubsub_subscription'."},{"name":"Subscription","type":"string","description":"A named resource representing the stream of messages from a single, specific topic, to be delivered to the subscribing application."},{"name":"ResourceLocation","type":"dynamic","description":"The resource location information."},{"name":"ResourceOriginalState","type":"dynamic","description":"The resource original state before mutation. Present only for operations which have successfully modified the targeted resource(s). In general, this field should contain all changed fields, except those that have already been included in request, response, metadata or serviceData fields. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property."},{"name":"ServiceData","type":"dynamic","description":"An object containing fields of an arbitrary type. An additional field \"@type\" contains a URI identifying the type. Example: { \"id\": 1234, \"@type\": \"types.example.com/standard/id\" }."},{"name":"InsertId","type":"string","description":"Optional. 
Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["0b4777dd-730e-4b8b-8a13-2bb21f5626c1"]}},{"id":"GCPCDN","name":"GCPCDN","tableType":"Microsoft","description":"The Google Cloud Platform CDN data connector provides the capability to ingest Cloud CDN Audit logs and Cloud CDN Traffic logs into Microsoft Sentinel using the Compute Engine API.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"InsertID","type":"string","description":"A unique identifier for the log entry assigned by the logging system"},{"name":"Timestamp","type":"datetime","description":"The time when the first layer GFE receives the request"},{"name":"Severity","type":"string","description":"Indicates the importance or severity level of the log entry"},{"name":"LogName","type":"string","description":"The full resource name of the log to which this entry belongs"},{"name":"ReceiveTimestamp","type":"datetime","description":"The time the log entry was received by the logging system"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the log entry was fetched into Microsoft Sentinel"},{"name":"LabelsAPIRootTriggerID","type":"string","description":"The root trigger ID identifying the origin request that caused this log entry"},{"name":"ResourceLabelsBackendServiceID","type":"string","description":"The unique identifier for the GCE backend service"},{"name":"ResourceLabelsBackendBucketID","type":"string","description":"Holds the ResourceLabelsBackendBucketID value recorded in the CDN or load balancer 
log"},{"name":"ResourceLabelsProjectID","type":"string","description":"The identifier of the Google Cloud project associated with this resource"},{"name":"ResourceLabelsLocation","type":"string","description":"The geographical or regional location of the resource"},{"name":"PayloadType","type":"string","description":"Type URL of the request or response payload"},{"name":"MethodName","type":"string","description":"The name of the API method invoked"},{"name":"NumResponseItems","type":"string","description":"The number of items returned in a list response"},{"name":"ServiceName","type":"string","description":"The Google service processing the request"},{"name":"AuthenticationInfoPrincipalEmail","type":"string","description":"The email of the authenticated identity making the request"},{"name":"AuthorizationInfo","type":"string","description":"Authorization details such as permission name, granted status, and resource type"},{"name":"RequestType","type":"string","description":"Type of the request payload object"},{"name":"RequestKeyName","type":"string","description":"The name of the key used in the request"},{"name":"RequestGroup","type":"string","description":"The reference to instance group used by the backend service"},{"name":"RequestSecurityPolicy","type":"string","description":"The name or full path of the security policy attached to the backend service"},{"name":"RequestCompressionMode","type":"string","description":"Specifies whether and how compression is applied"},{"name":"RequestDescription","type":"string","description":"A custom description associated with the backend service configuration"},{"name":"RequestEnableCDN","type":"bool","description":"Boolean indicating if Cloud CDN is enabled for the backend service"},{"name":"RequestIPAddressSelectionPolicy","type":"string","description":"Specifies IP address family for the backend"},{"name":"RequestLoadBalancingScheme","type":"string","description":"Load balancing scheme 
used"},{"name":"RequestLocalityLbPolicy","type":"string","description":"Locality-based load balancing strategy"},{"name":"RequestName","type":"string","description":"The name assigned to the resource in the request"},{"name":"RequestPortName","type":"string","description":"The named port of the backend service"},{"name":"RequestProtocol","type":"string","description":"The protocol used"},{"name":"RequestSessionAffinity","type":"string","description":"Affinity setting used to keep sessions on the same backend"},{"name":"RequestTimeoutSec","type":"string","description":"Timeout value (in seconds) for the backend service"},{"name":"RequestBackends","type":"string","description":"Configuration for backend groups"},{"name":"RequestCDNPolicySignedUrlCacheMaxAgeSec","type":"string","description":"Cache TTL for signed URLs in seconds"},{"name":"RequestFingerprint","type":"string","description":"Fingerprint of the request configuration, used for optimistic locking"},{"name":"RequestCDNPolicyCacheMode","type":"string","description":"Cache mode setting"},{"name":"RequestCDNPolicyClientTtl","type":"string","description":"Time-to-live set on responses for clients"},{"name":"RequestCDNPolicyDefaultTtl","type":"string","description":"Default TTL applied when no caching headers are set"},{"name":"RequestCDNPolicyMaxTtl","type":"string","description":"Maximum allowed TTL for cached responses"},{"name":"RequestCDNPolicyNegativeCaching","type":"bool","description":"Boolean indicating if negative caching is enabled"},{"name":"RequestCDNPolicyServeWhileStale","type":"string","description":"Duration responses are served while stale"},{"name":"RequestCDNPolicyCacheKeyPolicyIncludeHost","type":"bool","description":"Whether the host is included in the cache key"},{"name":"RequestCDNPolicyCacheKeyPolicyIncludeProtocol","type":"bool","description":"Whether protocol is included in the cache key"},{"name":"RequestCDNPolicyCacheKeyPolicyIncludeQueryString","type":"bool","description":"Whether 
the query string is included in the cache key"},{"name":"RequestConnectionDrainingTimeoutSec","type":"string","description":"Time in seconds for draining connections during backend removal"},{"name":"RequestHealthChecks","type":"string","description":"List of health check resources attached to the backend service"},{"name":"RequestLogConfigEnable","type":"bool","description":"Boolean to enable request logging"},{"name":"RequestLogConfigSampleRate","type":"string","description":"Sampling rate for log entries when logging is enabled"},{"name":"RequestMetadataCallerIP","type":"string","description":"IP address of the request initiator"},{"name":"RequestMetadataCallerSuppliedUserAgent","type":"string","description":"User agent string of the request initiator"},{"name":"RequestMetadataDestinationAttributes","type":"string","description":"Attributes of the destination, often empty in public APIs"},{"name":"RequestMetadataRequestAttributesAuth","type":"string","description":"Authentication metadata for the request"},{"name":"RequestMetadataRequestAttributesTime","type":"datetime","description":"Time when the request was initiated"},{"name":"RequestMetadataRequestAttributesReason","type":"string","description":"Encoded reason for the request"},{"name":"ResourceLocationCurrentLocations","type":"string","description":"Region or location associated with the resource"},{"name":"ResponseType","type":"string","description":"Type of the response object returned"},{"name":"ResponseID","type":"string","description":"Unique identifier for the response or operation"},{"name":"ResponseInsertTime","type":"datetime","description":"Time when the response operation was created"},{"name":"ResponseName","type":"string","description":"Name assigned to the long-running operation"},{"name":"ResponseOperationType","type":"string","description":"Type of the operation performed"},{"name":"ResponseProgress","type":"string","description":"Progress of the operation in 
percentage"},{"name":"ResponseSelfLink","type":"string","description":"URI of the operation"},{"name":"ResponseSelfLinkWithID","type":"string","description":"URI of the operation with ID appended"},{"name":"ResponseStartTime","type":"datetime","description":"Time when the operation started"},{"name":"ResponseStatus","type":"string","description":"Status of the operation"},{"name":"ResponseTargetID","type":"string","description":"ID of the target resource affected by the operation"},{"name":"ResponseTargetLink","type":"string","description":"URI of the affected resource"},{"name":"ResponseUser","type":"string","description":"User who initiated the operation."},{"name":"OperationFirst","type":"bool","description":"Boolean flag indicating this log entry is the first record in a long-running operation"},{"name":"OperationLast","type":"bool","description":"Boolean flag indicating this log entry is the final record in a long-running operation"},{"name":"OperationID","type":"string","description":"Unique identifier for the operation"},{"name":"OperationProducer","type":"string","description":"The service that initiated and owns the operation"},{"name":"SpanID","type":"string","description":"Identifier of the span within a trace"},{"name":"Trace","type":"string","description":"Identifier of the trace"},{"name":"HttpRequestCacheLookup","type":"bool","description":"Boolean flag indicating whether the request attempted a cache lookup before contacting the backend"},{"name":"HttpRequestLatency","type":"string","description":"The latency or total time taken to process the request"},{"name":"HttpRequestRemoteIP","type":"string","description":"The IP address of the client that made the request"},{"name":"HttpRequestRequestMethod","type":"string","description":"HTTP method used for the request"},{"name":"HttpRequestRequestSize","type":"string","description":"Size of the incoming HTTP request in bytes"},{"name":"HttpRequestRequestUrl","type":"string","description":"Full URL that 
was requested"},{"name":"HttpRequestResponseSize","type":"string","description":"Size of the HTTP response payload sent to the client, in bytes"},{"name":"HttpRequestCacheFillBytes","type":"string","description":"Number of bytes written to the cache from this response"},{"name":"HttpRequestCacheHit","type":"bool","description":"Boolean flag indicating whether the response was served from cache"},{"name":"HttpRequestServerIP","type":"string","description":"IP address of the server (or Google Front End) that processed the request"},{"name":"HttpRequestStatus","type":"string","description":"HTTP status code returned by the server"},{"name":"HttpRequestUserAgent","type":"string","description":"User agent string from the HTTP request header"},{"name":"JsonPayloadType","type":"string","description":"The protobuf type URL describing the type of jsonPayload content in the log"},{"name":"BackendTargetProjectNumber","type":"string","description":"Holds the project number where the backend target—backend service or backend bucket—has been created"},{"name":"CacheDecision","type":"string","description":"Indicates caching decisions taken"},{"name":"CacheID","type":"string","description":"Unique identifier for the cache entry associated with this response"},{"name":"RemoteIP","type":"string","description":"The IP address of the client as seen by the load balancer"},{"name":"StatusDetails","type":"string","description":"Holds a string that explains why the load balancer returned the HTTP status that it did"},{"name":"EnforcedEdgeSecurityPolicyConfiguredAction","type":"string","description":"The configured action that was evaluated in the edge security policy"},{"name":"EnforcedEdgeSecurityPolicyName","type":"string","description":"The name of the edge security policy that was applied to the request"},{"name":"EnforcedEdgeSecurityPolicyOutcome","type":"string","description":"The outcome of applying the 
policy"},{"name":"EnforcedEdgeSecurityPolicyPriority","type":"string","description":"The priority value of the rule within the edge security policy that matched the request"},{"name":"OverrideResponseCode","type":"string","description":"Holds the override response code applied to the response sent to the client"},{"name":"ErrorService","type":"string","description":"Holds the backend service that provided the custom error response"},{"name":"ErrorBackendStatusDetails","type":"string","description":"Backend-specific error details when a request fails or is served with an error response"},{"name":"AuthzPolicyInfoPolicies","type":"string","description":"The list of Authorization policies that match the request"},{"name":"AuthzPolicyInfoResult","type":"string","description":"Stores information about the Authorization Policy result"},{"name":"LoadBalancingScheme","type":"string","description":"Holds a string that describes which load balancing scheme was used to route the request"},{"name":"ResourceLabelsBackendServiceName","type":"string","description":"The name of the backend service"},{"name":"ResourceLabelsForwardingRuleName","type":"string","description":"The name of the forwarding rule object"},{"name":"ResourceLabelsTargetProxyName","type":"string","description":"The name of the target proxy object referenced by the forwarding rule"},{"name":"ResourceLabelsUrlMapName","type":"string","description":"The name of the URL map object configured to select a backend service"},{"name":"ResourceLabelsZone","type":"string","description":"The zone in which the load balancer is running"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GCPCloudRun","name":"GCPCloudRun","tableType":"Microsoft","description":"The GCP Cloud Run data connector provides the 
capability to ingest Cloud Run request logs into Microsoft Sentinel using Pub/Sub. Refer to the [Cloud Run Overview](https://cloud.google.com/run/docs/logging) for more details.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"InsertId","type":"string","description":"Unique identifier for the log entry."},{"name":"JsonPayloadMessage","type":"string","description":"The message field extracted from the jsonPayload."},{"name":"JsonPayloadRequest","type":"string","description":"The request field extracted from the jsonPayload."},{"name":"Labels","type":"string","description":"Generic labels associated with the log entry."},{"name":"LogName","type":"string","description":"The name of the log from which the entry originated."},{"name":"ReceiveTimestamp","type":"datetime","description":"The timestamp when the log entry was received by Log Analytics."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the log entry was originally generated in GCP."},{"name":"Severity","type":"string","description":"The severity level of the log entry (e.g., INFO, WARNING, ERROR)."},{"name":"PayloadType","type":"string","description":"The type of payload contained within the log entry."},{"name":"PayloadAuthInfoPrincipalEmail","type":"string","description":"The email address of the principal (user or service account) that initiated the action."},{"name":"PayloadAuthorizationInfo","type":"dynamic","description":"Detailed authorization information for the logged action, represented as a Dynamic (JSON) object."},{"name":"PayloadMethodName","type":"string","description":"The name of the API method that was invoked."},{"name":"PayloadRequestType","type":"string","description":"The type of request made to the Cloud Run service."},{"name":"PayloadRequestName","type":"string","description":"The name of the specific 
request."},{"name":"PayloadRequestRegion","type":"string","description":"The GCP region where the request originated or was processed."},{"name":"PayloadrequestMetadatacallerSuppliedUserAgent","type":"string","description":"The user agent string provided by the caller."},{"name":"PayloadrequestMetadataDestinationAttributes","type":"string","description":"Attributes related to the destination of the request."},{"name":"PayloadrequestMetadatarequestAttributesAuth","type":"string","description":"Authentication attributes embedded within the request."},{"name":"PayloadrequestMetadatarequestAttributesTime","type":"datetime","description":"The timestamp associated with the request attributes."},{"name":"PayloadResourceLocationCurrentLocations","type":"string","description":"Current location(s) of the resource involved in the log entry."},{"name":"PayloadResourceName","type":"string","description":"The name of the GCP resource relevant to the log entry."},{"name":"PayloadServiceName","type":"string","description":"The name of the GCP service involved in the log entry."},{"name":"PayloadAuthenticationInfoPrincipalSubject","type":"string","description":"The subject identifier of the authenticated principal."},{"name":"PayloadRequestLabelSelector","type":"string","description":"The label selector used in the request, typically for filtering resources."},{"name":"PayloadRequestParent","type":"string","description":"The parent resource of the request."},{"name":"PayloadRequestServiceApiVersion","type":"string","description":"The API version of the Cloud Run service in the request."},{"name":"PayloadRequestServiceKind","type":"string","description":"The 'kind' of the Cloud Run service (e.g., 'Service')."},{"name":"PayloadRequestServiceSpec","type":"string","description":"The specification details of the Cloud Run service in the request."},{"name":"PayloadAuthenticationInfoServiceAccountKeyName","type":"string","description":"The name of the service account key used for 
authentication."},{"name":"PayloadResponseType","type":"string","description":"The type of response received from the Cloud Run service."},{"name":"PayloadResponseApiVersion","type":"string","description":"The API version of the response from the Cloud Run service."},{"name":"PayloadResponseKind","type":"string","description":"The 'kind' of resource returned in the response (e.g., 'Service')."},{"name":"PayloadResponseSpec","type":"string","description":"The specification details of the resource in the response."},{"name":"PayloadResponseMetadataName","type":"string","description":"The name of the resource within the response metadata."},{"name":"PayloadResponseNameSpace","type":"string","description":"The namespace of the resource within the response."},{"name":"PayloadResponseMetadataAnnotations","type":"string","description":"Annotations associated with the response metadata, typically key-value pairs."},{"name":"PayloadResponseStatus","type":"string","description":"The status of the operation or resource in the response."},{"name":"PayloadResponseMetadataSelfLink","type":"string","description":"The self-link URL for the resource in the response metadata."},{"name":"PayloadResponseMetadataCreationTimestamp","type":"string","description":"The timestamp when the resource in the response metadata was created."},{"name":"PayloadResponseMetadataUID","type":"string","description":"The unique identifier (UID) of the resource in the response metadata."},{"name":"PayloadResponseMetadataGeneration","type":"string","description":"The generation number of the resource in the response metadata."},{"name":"PayloadResponseMetadataResourceVersion","type":"string","description":"The resource version of the resource in the response metadata, indicating its state."},{"name":"PayloadResponseServiceMetadatalabels","type":"string","description":"Labels from the service metadata within the 
response."},{"name":"PayloadRequestOptionsRequestedPolicyVersion","type":"string","description":"The requested policy version within the request options."},{"name":"PayloadRequestResource","type":"string","description":"The resource specified in the request."},{"name":"PayloadRequestJobApiVersion","type":"string","description":"The API version of the Cloud Run job in the request."},{"name":"PayloadRequestJobKind","type":"string","description":"The 'kind' of the Cloud Run job (e.g., 'Job')."},{"name":"PayloadRequestJobSpec","type":"string","description":"The specification details of the Cloud Run job in the request."},{"name":"PayloadRequestJobMetadataName","type":"string","description":"The name of the Cloud Run job within the request metadata."},{"name":"PayloadRequestJobMetadataNameSpace","type":"string","description":"The namespace of the Cloud Run job within the request metadata."},{"name":"PayloadRequestJobMetadataAnnotations","type":"string","description":"Annotations associated with the Cloud Run job's request metadata."},{"name":"PayloadRequestDomainMappingApiVersion","type":"string","description":"The API version of the Cloud Run domain mapping in the request."},{"name":"PayloadRequestDomainMappingKind","type":"string","description":"The 'kind' of the Cloud Run domain mapping (e.g., 'DomainMapping')."},{"name":"PayloadRequestDomainMappingSpec","type":"string","description":"The specification details of the Cloud Run domain mapping in the request."},{"name":"PayloadRequestDomainMappingMetadataName","type":"string","description":"The name of the Cloud Run domain mapping within the request metadata."},{"name":"PayloadRequestDomainMappingMetadataNameSpace","type":"string","description":"The namespace of the Cloud Run domain mapping within the request metadata."},{"name":"PayloadRequestDomainMappingMetadataAnnotations","type":"string","description":"Annotations associated with the Cloud Run domain mapping's request 
metadata."},{"name":"PayloadRequestDomainMappingStatus","type":"string","description":"The status of the Cloud Run domain mapping in the request."},{"name":"PayloadRequestServiceMetadataName","type":"string","description":"The name of the Cloud Run service within the request metadata."},{"name":"PayloadRequestServiceMetadataNameSpace","type":"string","description":"The namespace of the Cloud Run service within the request metadata."},{"name":"PayloadRequestServiceMetadataResourceVersion","type":"string","description":"The resource version of the Cloud Run service in the request metadata."},{"name":"PayloadRequestServiceMetadataSelfLink","type":"string","description":"The self-link URL for the Cloud Run service in the request metadata."},{"name":"PayloadRequestServiceMetadataCreationTimestamp","type":"string","description":"The timestamp when the Cloud Run service in the request metadata was created."},{"name":"PayloadRequestServiceMetadataUID","type":"string","description":"The unique identifier (UID) of the Cloud Run service in the request metadata."},{"name":"PayloadRequestServiceMetadataGeneration","type":"string","description":"The generation number of the Cloud Run service in the request metadata."},{"name":"PayloadRequestServiceMetadatalabels","type":"string","description":"Labels from the Cloud Run service metadata within the request."},{"name":"PayloadRequestServiceMetadataAnnotations","type":"string","description":"Annotations associated with the Cloud Run service's request metadata."},{"name":"PayloadRequestServiceStatusConditions","type":"string","description":"Conditions indicating the current state of the Cloud Run service in the request status."},{"name":"PayloadRequestServiceObservedGeneration","type":"string","description":"The observed generation of the Cloud Run service in the request status."},{"name":"PayloadRequestServiceTraffic","type":"string","description":"Traffic distribution settings for the Cloud Run service in the request 
status."},{"name":"PayloadRequestServiceLatestRevision","type":"string","description":"The name of the latest revision for the Cloud Run service in the request status."},{"name":"PayloadRequestServiceReadyRevision","type":"string","description":"The name of the ready revision for the Cloud Run service in the request status."},{"name":"PayloadRequestServiceServiceURL","type":"string","description":"The URL of the Cloud Run service in the request status."},{"name":"PayloadRequestImageUri","type":"string","description":"The URI of the container image used for the Cloud Run service."},{"name":"PayloadRequestStorageSourceGeneration","type":"string","description":"The generation of the storage source used in the request."},{"name":"PayloadRequestBuildpackBuildBaseImage","type":"string","description":"The base image used by the buildpack for the build process."},{"name":"PayloadRequestBuildpackBuildEnableAutomaticUpdates","type":"string","description":"Indicates whether automatic updates are enabled for the buildpack build."},{"name":"PayloadRequestMetadataRequestAttributesReason","type":"string","description":"The reason specified in the request attributes metadata."},{"name":"ResourceLabelsJobName","type":"string","description":"The name of the associated Cloud Run job."},{"name":"ResourceLabelslocation","type":"string","description":"The GCP location of the Cloud Run resource."},{"name":"ResourceLabelsProjectId","type":"string","description":"The GCP project ID where the Cloud Run resource resides."},{"name":"GCPResourceType","type":"string","description":"The type of GCP resource (e.g., 'CloudRunService', 'CloudRunJob')."},{"name":"ResourceLabelsConfigurationName","type":"string","description":"The name of the associated Cloud Run configuration."},{"name":"ResourceLabelsRevisionName","type":"string","description":"The name of the associated Cloud Run revision."},{"name":"ResourceLabelsServiceName","type":"string","description":"The name of the associated Cloud Run 
service."},{"name":"PayloadrequestMetadataCallerIp","type":"string","description":"The IP address of the client that made the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GCPCloudSQL","name":"GCPCloudSQL","tableType":"Microsoft","description":"The GCP Cloud SQL data connector provides the capability to ingest Audit logs into Microsoft Sentinel using the GCP Cloud SQL API. Refer to [GCP cloud SQL Audit Logs](https://cloud.google.com/sql/docs/mysql/audit-logging) documentation for more information.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"InsertId","type":"string","description":"Unique identifier for the log entry."},{"name":"LogName","type":"string","description":"Name of the log where the entry is recorded."},{"name":"OperationFirst","type":"bool","description":"Indicates if this is the first log entry in an operation."},{"name":"OperationLast","type":"bool","description":"Indicates if this is the last log entry in an operation."},{"name":"OperationId","type":"string","description":"Identifier of the associated operation."},{"name":"OperationProducer","type":"string","description":"The service that produced the operation."},{"name":"PayloadType","type":"string","description":"Type of the payload in the log entry."},{"name":"AuthInfoPrincipalEmail","type":"string","description":"The principal email address initiating the request."},{"name":"AuthInfoPrincipalSubject","type":"string","description":"The subject associated with the principal."},{"name":"AuthInfoServiceAccountKeyName","type":"string","description":"Name of the service account key used for the request."},{"name":"MetadataType","type":"string","description":"Type of metadata 
associated with the log entry."},{"name":"RequestEnableFinalBackup","type":"bool","description":"Indicates if final backup was enabled in the request."},{"name":"RequestFinalBackupTtlDays","type":"string","description":"Time to live (in days) for the final backup."},{"name":"RequestName","type":"string","description":"Name field from the request payload."},{"name":"RequestFilter","type":"string","description":"Filter used in the request to narrow results."},{"name":"RequestPageSize","type":"string","description":"Page size specified in the request."},{"name":"RequestParent","type":"string","description":"The parent resource under which the request is made."},{"name":"RequestInstance","type":"string","description":"Instance identifier from the request."},{"name":"RequestMaxResults","type":"string","description":"Maximum number of results requested."},{"name":"RequestResourceId","type":"string","description":"ID of the resource being requested."},{"name":"RequestStartTime","type":"datetime","description":"Start time specified in the request."},{"name":"RequestOperation","type":"string","description":"The operation type included in the request."},{"name":"RequestSha1Fingerprint","type":"string","description":"SHA-1 fingerprint associated with the certificate."},{"name":"RequestBodyCommonName","type":"string","description":"Common name used for certificates."},{"name":"RequestBodyKind","type":"string","description":"The kind field in the request body."},{"name":"RequestBodyDescription","type":"string","description":"Description of the instance or operation."},{"name":"RequestBodyLocation","type":"string","description":"Location setting in the request body."},{"name":"RequestBodyCloneContextDestinationInstanceName","type":"string","description":"Destination instance name in clone context."},{"name":"RequestBodyFailoverContext","type":"dynamic","description":"Context for failover configuration."},{"name":"RequestBodyBackup","type":"string","description":"Backup 
configuration in the request body."},{"name":"RequestBodyNodeCount","type":"string","description":"Number of nodes configured in the request."},{"name":"RequestBodyRotateServerCaContext","type":"dynamic","description":"Server CA rotation configuration context."},{"name":"RequestBodyRestoreInstanceSettingsInstanceUid","type":"string","description":"UID of the instance in restore settings."},{"name":"RequestBodyRestoreInstanceSettingsName","type":"string","description":"Instance name in restore settings."},{"name":"RequestBodyRestoreInstanceSettingsProject","type":"string","description":"Project ID in restore settings."},{"name":"RequestBodyRestoreInstanceSettingsRegion","type":"string","description":"Region in restore settings."},{"name":"RequestBodyInstance","type":"string","description":"Instance details in the request body."},{"name":"RequestDatabase","type":"string","description":"Database name specified in the request."},{"name":"RequestBodyExportContext","type":"dynamic","description":"Export context details."},{"name":"RequestBodySettingsActivationPolicy","type":"string","description":"Activation policy for the instance."},{"name":"RequestBodySettingsActiveDirectoryConfig","type":"string","description":"Active Directory configuration settings."},{"name":"RequestBodySettingsAvailabilityType","type":"string","description":"Availability type setting."},{"name":"RequestBodySettingsRetentinedBackup","type":"string","description":"Retention policy for backups."},{"name":"RequestBodySettingsRetentionUnit","type":"string","description":"Unit of retention for backups."},{"name":"RequestBodySettingsBackupEnabled","type":"bool","description":"Indicates if backups are enabled."},{"name":"RequestBodyProject","type":"string","description":"Project ID in the request body."},{"name":"RequestBodySettingsBackupPointInTimeRecoveryEnabled","type":"string","description":"Flag for point-in-time 
recovery."},{"name":"RequestBodySettingsBackupLocation","type":"string","description":"Location for backups."},{"name":"RequestBodySettingsBinaryLogEnabled","type":"bool","description":"Indicates if binary logging is enabled."},{"name":"RequestBodySettingsBackupStartTime","type":"string","description":"Scheduled start time for backups."},{"name":"RequestBodySettingsTransactionLogRetentionDays","type":"string","description":"Retention period for transaction logs."},{"name":"RequestBodySettingsConnectionPoolConfig","type":"string","description":"Connection pool configuration."},{"name":"RequestBodySettingsdataCacheConfigDataCacheEnabled","type":"bool","description":"Flag for enabling data cache."},{"name":"RequestBodySettingsDataDiskSizeGb","type":"string","description":"Size of the data disk in GB."},{"name":"RequestBodySettingsDataDiskType","type":"string","description":"Type of data disk used."},{"name":"RequestBodySettingsDeletionProtectionEnabled","type":"bool","description":"Indicates if deletion protection is enabled."},{"name":"RequestBodySettingsEdition","type":"string","description":"Edition of the Cloud SQL instance."},{"name":"RequestBodySettingsEnableGoogleMlIntegration","type":"bool","description":"Flag to enable Google ML integration."},{"name":"RequestBodySettingsInsightsConfig","type":"dynamic","description":"Insights configuration settings."},{"name":"RequestBodySettingsIPConfiguration","type":"dynamic","description":"IP configuration settings."},{"name":"RequestBodySettingsLocationPreference","type":"string","description":"Location preference for the instance."},{"name":"RequestBodySettingsMaintenanceWindow","type":"dynamic","description":"Maintenance window configuration."},{"name":"RequestBodySettingsRetainBackupsOnDelete","type":"bool","description":"Flag to retain backups after deletion."},{"name":"RequestBodySettingsVersion","type":"bool","description":"Version information 
flag."},{"name":"RequestBodySettingsSqlServerAuditConfigRetentionInterval","type":"datetime","description":"Audit retention interval for SQL Server."},{"name":"RequestBodySettingsSqlServerAuditConfigUploadInterval","type":"datetime","description":"Audit upload interval for SQL Server."},{"name":"RequestBodySettingsStorageAutoResize","type":"bool","description":"Indicates if storage auto-resize is enabled."},{"name":"RequestBodySettingsTier","type":"string","description":"Service tier of the instance."},{"name":"RequestBodySettingsTmeZone","type":"string","description":"Time zone settings for the instance."},{"name":"RequestBodySettingsUserbackuplable","type":"string","description":"User backup label setting."},{"name":"RequestProject","type":"string","description":"Project associated with the request."},{"name":"RequestId","type":"string","description":"Unique ID of the request."},{"name":"RequestMetadataCallerIP","type":"string","description":"IP address of the caller."},{"name":"RequestMetadataRequestAttributesDestinationAttributes","type":"string","description":"Destination attributes for the request."},{"name":"RequestMetadataRequestAttributesAuth","type":"string","description":"Authentication attributes of the request."},{"name":"RequestMetadataRequestAttributesRequestReason","type":"string","description":"Reason for the request."},{"name":"RequestMetadataRequestAttributesRequestTime","type":"datetime","description":"Timestamp when the request was made."},{"name":"GCPResourceName","type":"string","description":"Full resource name of the Cloud SQL instance."},{"name":"ResponseType","type":"string","description":"Type of the response."},{"name":"ResponseClientCert","type":"string","description":"Client certificate in the response."},{"name":"ResponseEphemeralCertKind","type":"string","description":"Kind of ephemeral certificate in the response."},{"name":"ResponseBackupContextBackupId","type":"string","description":"Backup ID from the response's backup 
context."},{"name":"ResponseBackupContextKind","type":"string","description":"Kind of backup context returned."},{"name":"ResponseBackupContextName","type":"string","description":"Name in the backup context of the response."},{"name":"OperationInsertTime","type":"datetime","description":"Timestamp when the operation was inserted."},{"name":"ResponseInstanceUid","type":"string","description":"Instance UID returned in the response."},{"name":"ResponseKind","type":"string","description":"Kind field of the response."},{"name":"ResponseName","type":"string","description":"Name included in the response."},{"name":"ResponseOperationType","type":"string","description":"Operation type in the response."},{"name":"ResponsePromoteContextPrimary","type":"string","description":"Primary instance in the promote context."},{"name":"ResponsePromoteContextReplica","type":"string","description":"Replica instance in the promote context."},{"name":"ResponseSelfLink","type":"string","description":"Self-link URL of the response resource."},{"name":"ResponseStatus","type":"string","description":"Status of the response operation."},{"name":"ResponseTargetId","type":"string","description":"Target ID in the response."},{"name":"ResponseTargetLink","type":"string","description":"Target link URL in the response."},{"name":"ResponseTargetProject","type":"string","description":"Project associated with the response target."},{"name":"ResponseUser","type":"string","description":"User information from the response."},{"name":"ServiceName","type":"string","description":"Name of the GCP service handling the request."},{"name":"StatusCode","type":"string","description":"Status code returned by the operation."},{"name":"ReceiveTimestamp","type":"datetime","description":"Timestamp when the log was received."},{"name":"ResourceLabelsDatabaseId","type":"string","description":"Database identifier from resource labels."},{"name":"StatusMessage","type":"string","description":"Message describing the status of 
the operation."},{"name":"ResourceLabelsProjectId","type":"string","description":"Project ID from resource labels."},{"name":"ResourceLabelsRegion","type":"string","description":"Region from resource labels."},{"name":"GCPResourceType","type":"string","description":"Type of the resource."},{"name":"Severity","type":"string","description":"Severity level of the log entry."},{"name":"Timestamp","type":"datetime","description":"Timestamp of the logged event."},{"name":"TimeGenerated","type":"datetime","description":"Time when the log entry was generated."},{"name":"ResponseServerCaCert","type":"string","description":"PEM-encoded CA certificate from the server used for TLS validation"},{"name":"ResponseOperation","type":"string","description":"Indicates the type of operation performed in the response."},{"name":"RequestEndTime","type":"datetime","description":"Timestamp marking when the request processing completed"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GCPComputeEngine","name":"GCPComputeEngine","tableType":"Microsoft","description":"The Google Cloud Platform Compute Engine data connector provides the capability to ingest Compute Engine Audit logs into Microsoft Sentinel using the Google Cloud Compute Engine API. 
Refer to [Cloud Compute Engine API](https://cloud.google.com/compute/docs/reference/rest/v1) documentation for more information.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"InsertId","type":"string","description":"A unique identifier for the log entry used to prevent duplication."},{"name":"Labels","type":"dynamic","description":"A set of key-value pairs that provide additional metadata about the log entry."},{"name":"LogName","type":"string","description":"The full resource name of the log to which this log entry belongs."},{"name":"Operation","type":"dynamic","description":"Information about an operation associated with the log entry, such as an audit trail or trace context."},{"name":"ProtoPayload","type":"dynamic","description":"The structured payload of the log entry, typically in protocol buffer format; contains detailed event data."},{"name":"ReceiveTimestamp","type":"datetime","description":"The time the log entry was received by the logging system."},{"name":"GCPResource","type":"dynamic","description":"Information about the monitored resource associated with the log entry, such as VM instance, database, etc."},{"name":"Severity","type":"string","description":"The severity level of the log entry (e.g., DEBUG, INFO, WARNING, ERROR, CRITICAL)."},{"name":"TimeGenerated","type":"datetime","description":"The actual time the event described by the log entry occurred."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GCPDNS","name":"GCPDNS","tableType":"Microsoft","description":"The Google Cloud Platform DNS data connector provides the capability to ingest Cloud DNS Query logs and Cloud DNS Audit logs into Microsoft Sentinel using the Google Cloud DNS 
API.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"InsertId","type":"string","description":"A unique identifier assigned to each log entry."},{"name":"LogName","type":"string","description":"The name of the log where this entry is stored."},{"name":"PayloadType","type":"string","description":"The format or type of the payload in the log entry."},{"name":"AuthenticationInfoPrincipalEmail","type":"string","description":"Email address of the user or service account performing the action."},{"name":"AuthenticationInfoPrincipalSubject","type":"string","description":"The subject identifier for the principal (user or service account)."},{"name":"AuthorizationInfo","type":"string","description":"Details about the authorization decision for the request."},{"name":"MethodName","type":"string","description":"The API method or operation invoked in the request."},{"name":"RequestAPIType","type":"string","description":"The type of API request being logged."},{"name":"RequestChangeAdditions","type":"string","description":"Details of resource additions in the request."},{"name":"RequestChangeDeletions","type":"string","description":"Details of resource deletions in the request."},{"name":"RequestManagedZoneDescription","type":"string","description":"Description of the managed DNS zone in the request."},{"name":"RequestManagedZoneDnsName","type":"string","description":"The DNS name of the managed zone in the request."},{"name":"RequestManagedZoneName","type":"string","description":"The name of the managed DNS zone in the request."},{"name":"RequestManagedZone","type":"string","description":"Details of the managed DNS zone in the request."},{"name":"RequestManagedZoneVisibility","type":"string","description":"The visibility (public or private) of the managed zone in the request."},{"name":"ReqManZonePrivVisibConfigNetworks","type":"string","description":"List of networks configured for 
private visibility of the managed zone."},{"name":"RequestName","type":"string","description":"Name of the resource affected by the request."},{"name":"RequestProject","type":"string","description":"Google Cloud project associated with the request."},{"name":"RequestType","type":"string","description":"Type of the request (e.g., Create, Delete, Update)."},{"name":"RequestMetadataCallerIp","type":"string","description":"IP address of the caller initiating the request."},{"name":"ReqmetaCallerSuppliedUserAgent","type":"string","description":"User agent String provided by the caller."},{"name":"ReqmetaRequestAttributesTime","type":"datetime","description":"Timestamp when the request was initiated."},{"name":"GCPResourceName","type":"string","description":"Name of the resource being accessed or modified."},{"name":"ResponseType","type":"string","description":"Type of response returned from the API."},{"name":"ResponseChangeDeletions","type":"string","description":"Details of deletions in the response."},{"name":"ResponseChangeId","type":"string","description":"Identifier for the change request in the response."},{"name":"ResponseChangeStartTime","type":"datetime","description":"Timestamp indicating when the change operation started."},{"name":"ResponseChangeStatus","type":"string","description":"Status of the change operation in the response."},{"name":"ResponseManagedZoneCreationTime","type":"datetime","description":"Timestamp when the managed zone was created."},{"name":"ResponseManagedZoneDescription","type":"string","description":"Description of the managed zone returned in the response."},{"name":"ResponseManagedZoneDnsName","type":"string","description":"DNS name of the managed zone returned in the response."},{"name":"ResponseManagedZoneFingerprint","type":"string","description":"Fingerprint for detecting changes in the managed zone."},{"name":"ResponseManagedZoneId","type":"string","description":"Unique identifier for the managed 
zone."},{"name":"ResponseManagedZoneName","type":"string","description":"Name of the managed zone returned in the response."},{"name":"ResponseManagedZoneNameServers","type":"string","description":"List of name servers associated with the managed zone."},{"name":"ResponseManagedZoneVisibility","type":"string","description":"Visibility setting (public/private) of the managed zone."},{"name":"ServiceName","type":"string","description":"Name of the Google Cloud service processing the request."},{"name":"StatusCode","type":"string","description":"HTTP status code returned for the request."},{"name":"ResourceLabelsLocation","type":"string","description":"Location of the resource."},{"name":"ResourceLabelsProjectId","type":"string","description":"Google Cloud project ID associated with the resource."},{"name":"GCPResourceType","type":"string","description":"Type of the resource (e.g., compute instance, DNS record)."},{"name":"Severity","type":"string","description":"Log severity level (e.g., INFO, WARNING, ERROR)."},{"name":"Timestamp","type":"datetime","description":"Timestamp when the log entry was recorded."},{"name":"VmProjectId","type":"string","description":"Google Cloud project ID of the network from which the query was sent."},{"name":"Protocol","type":"string","description":"Protocol used (e.g., TCP, UDP)."},{"name":"QueryType","type":"string","description":"DNS query type (RFC 1035 section 4.1.2)."},{"name":"Rdata","type":"string","description":"DNS answer in presentation format."},{"name":"VmInstanceId","type":"string","description":"Compute Engine VM instance ID."},{"name":"VmInstanceName","type":"string","description":"Compute Engine VM instance name."},{"name":"ResponseCode","type":"string","description":"Response code for the operation."},{"name":"AuthAnswer","type":"bool","description":"Indicates if the DNS response is authoritative."},{"name":"QueryName","type":"string","description":"The domain name 
queried."},{"name":"VmZoneName","type":"string","description":"Name of the VM zone from which the query originated."},{"name":"SourceIP","type":"string","description":"IP address from which the query originated."},{"name":"DestinationIP","type":"string","description":"Target IP address of the request."},{"name":"ReqManZoneCloudLogConfigEnableLogging","type":"bool","description":"Indicates whether logging was enabled in the request for the managed zone."},{"name":"ResManZoneCloudLogConfigEnableLogging","type":"bool","description":"Indicates whether logging was enabled in the response for the managed zone."},{"name":"ResourceLabelsPolicyName","type":"string","description":"Represents the policy name associated with the DNS resource."},{"name":"ResourceLabelsSourceType","type":"string","description":"Specifies the source type of the resource being modified"},{"name":"ResourceLabelsTargetName","type":"string","description":"The target resource name within Google Cloud DNS, such as the managed zone or DNS policy being modified."},{"name":"ResourceLabelsTargetType","type":"string","description":"The type of DNS resource being acted upon"},{"name":"ResourceLabelsZoneName","type":"string","description":"The name of the managed DNS zone related to the operation."},{"name":"RespManZonePrivVisibConfigNetworks","type":"string","description":"Lists networks associated with a private managed zone under private visibility configuration."},{"name":"ResponseChangeAdditions","type":"string","description":"Represents additions made to DNS records (e.g., new A, AAAA, CNAME, or TXT records)."},{"name":"ResponseManagedZoneRrsetCount","type":"string","description":"The total number of resource record sets (RRsets) within a managed zone."},{"name":"ResponseOpZoneContextNewValue","type":"string","description":"The new value after an operation modifies a DNS managed zone."},{"name":"ResponseOpZoneContextOldValue","type":"string","description":"The previous value before an operation modified 
the DNS managed zone."},{"name":"ResponseOperationId","type":"string","description":"A unique identifier for the DNS operation performed."},{"name":"ResponseOperationStartTime","type":"datetime","description":"The timestamp when the DNS operation started."},{"name":"ResponseOperationStatus","type":"string","description":"The status of the DNS operation."},{"name":"ResponseOperationType","type":"string","description":"The type of DNS operation executed (e.g., create, update, delete)."},{"name":"ResponseOperationUser","type":"string","description":"The user or service account that performed the DNS operation."},{"name":"ServerLatency","type":"string","description":"Measures the latency of the request to Google Cloud DNS."},{"name":"SourceNetwork","type":"string","description":"The originating network of the DNS request."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the log entry was created."},{"name":"VmInstanceIdString","type":"string","description":"The VM instance ID (if applicable) associated with the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GCPFirewallLogs","name":"GCPFirewallLogs","tableType":"Microsoft","description":"The Google Cloud Platform (GCP) firewall logs enable you to capture network inbound and outbound activity to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time the log entry was received by logging."},{"name":"VpcSubnetworkName","type":"string","description":"The subnetwork name of the Virtual Private Network(VPC) where the firewall rule 
applied."},{"name":"VpcName","type":"string","description":"The name of the Virtual Private Network(VPC) where the firewall rule applied."},{"name":"VpcProjectId","type":"string","description":"The project ID of the Virtual Private Network(VPC) where the firewall rule applied."},{"name":"Action","type":"string","description":"The action taken by the firewall rule."},{"name":"Direction","type":"string","description":"The direction in which the firewall rule applies."},{"name":"IpPortInfo","type":"dynamic","description":"The information regarding the rule port and protocol."},{"name":"Priority","type":"string","description":"The priority of the rule."},{"name":"Referance","type":"string","description":"The rule that triggered the log."},{"name":"SourceRange","type":"dynamic","description":"The range of IP addresses that the rule applied to."},{"name":"RemoteLocationCity","type":"string","description":"The city name based on the resource location."},{"name":"RemoteLocationContinent","type":"string","description":"The continent name based on the resource location."},{"name":"RemoteLocationCountry","type":"string","description":"The country name based on the resource location."},{"name":"RemoteLocationRegion","type":"string","description":"The region name based on the resource location."},{"name":"InstanceProjectId","type":"string","description":"The project ID associated with the instance that was involved in the firewall rule event."},{"name":"InstanceRegion","type":"string","description":"The region associated with the instance that was involved in the firewall rule event."},{"name":"InstanceVmName","type":"string","description":"The virtual machine name associated with the instance that was involved in the firewall rule event."},{"name":"InstanceZone","type":"string","description":"The zone associated with the instance that was involved in the firewall rule event."},{"name":"Disposition","type":"string","description":"The final action taken on network traffic that 
matches a given rule."},{"name":"DestIp","type":"string","description":"The IP address of the target device or service that incoming or outgoing network traffic is trying to reach."},{"name":"DestPort","type":"string","description":"The port of the target device or service that incoming or outgoing network traffic is trying to reach."},{"name":"Protocol","type":"string","description":"The protocol of the incoming or outgoing network traffic."},{"name":"SrcIp","type":"string","description":"The IP address of the source device or service from which the incoming or outgoing network traffic originates."},{"name":"SrcPort","type":"string","description":"The port of the source device or service from which the incoming or outgoing network traffic originates."},{"name":"LogName","type":"string","description":"Information including a suffix identifying the log sub-type (e.g., admin activity, system access, data access) and where in the hierarchy the request was made."},{"name":"Timestamp","type":"datetime","description":"The time the event described by the log entry occurred."},{"name":"InsertId","type":"string","description":"Optional. 
Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result."},{"name":"ProjectId","type":"string","description":"The identifier of the Google Cloud Platform (GCP) project associated with this resource, such as \"my-project\"."},{"name":"ResourceLocation","type":"string","description":"The resource location information."},{"name":"SubnetworkId","type":"string","description":"The resource subnetwork id."},{"name":"ResourceSubnetworkName","type":"string","description":"The resource subnetwork name."},{"name":"GCPResourceType","type":"string","description":"The identifier of the type associated with this resource, such as 'pubsub_subscription'."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GCPIAM","name":"GCPIAM","tableType":"Microsoft","description":"The Google Cloud Platform IAM audit logs, ingested from Sentinel's connector, are audit logs relating to Identity and Access Management (IAM) activities within Google Cloud.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp representing the time at which the log entry was generated."},{"name":"ReceiveTimestamp","type":"datetime","description":"Timestamp representing the time when the log entry was received by the system."},{"name":"InsertId","type":"string","description":"A unique identifier for the log entry, typically used for deduplication."},{"name":"LogName","type":"string","description":"The name of the log in which the entry resides."},{"name":"AuthInfoPrincipalEmail","type":"string","description":"The email address associated with the principal (e.g., user, 
service account) performing the action."},{"name":"AuthInfoPrincipalSubject","type":"string","description":"The subject or identifier associated with the principal performing the action."},{"name":"MethodName","type":"string","description":"The name of the method being invoked."},{"name":"ResourceLabelsProjectId","type":"string","description":"Project ID for the resource being accessed or logged."},{"name":"PayloadType","type":"string","description":"The type of payload being processed or transmitted."},{"name":"RequestMetadataCallerIp","type":"string","description":"The IP address from which the request originated."},{"name":"ServiceName","type":"string","description":"The name of the service that generated the log entry."},{"name":"RequestMetadataCallerSuppliedUserAgent","type":"string","description":"The user-agent String provided by the caller during the request."},{"name":"AuthorizationInfo","type":"string","description":"Information related to the authorization of the request."},{"name":"GCPResourceName","type":"string","description":"The name of the resource involved in the request or logged event."},{"name":"ResourceLabelsMethod","type":"string","description":"The method associated with the resource, often used for filtering or categorization."},{"name":"ResourceLabelsVersion","type":"string","description":"The version of the resource being logged."},{"name":"ResourceLabelsService","type":"string","description":"The service to which the resource belongs."},{"name":"ResourceLabelsLocation","type":"string","description":"The geographical or logical location of the resource."},{"name":"RequestFullResourceName","type":"string","description":"Full name of the resource requested."},{"name":"RequestPageSize","type":"string","description":"The size of the page requested in a paginated request."},{"name":"RequestSkipVisibilityCheck","type":"bool","description":"Boolean indicating whether the visibility check for the request should be 
skipped."},{"name":"AuthInfoServiceAccountDelegationInfo","type":"string","description":"Delegation information for a service account."},{"name":"OperationId","type":"string","description":"A unique identifier for the operation."},{"name":"OperationProducer","type":"string","description":"The producer (system or service) that initiated the operation."},{"name":"OperationFirst","type":"bool","description":"Boolean indicating whether this is the first operation in a sequence."},{"name":"OperationLast","type":"bool","description":"Boolean indicating whether this is the last operation in a sequence."},{"name":"ResourceLabelsUniqueId","type":"string","description":"A unique identifier for the resource."},{"name":"ResourceLabelsEmailId","type":"string","description":"Email identifier associated with the resource."},{"name":"MetadataIdentityDelegationChain","type":"string","description":"A chain of delegated identities for the request."},{"name":"RequestType","type":"string","description":"The type of request being made."},{"name":"RequestName","type":"string","description":"The name of the request."},{"name":"RequestMetadataRequestAttributesTime","type":"string","description":"Time-related attributes of the request metadata."},{"name":"RequestPolicyEtag","type":"string","description":"The ETag value for the request policy."},{"name":"RequestPolicyAuditConfigs","type":"string","description":"Configuration for auditing in the request policy."},{"name":"RequestPolicyBindings","type":"string","description":"Binding configurations associated with the request policy."},{"name":"RequestResource","type":"string","description":"The resource being requested."},{"name":"ResponseAuditConfigs","type":"string","description":"Audit configurations in the response."},{"name":"ResponseBindings","type":"string","description":"The bindings used in the response."},{"name":"ResponseEtag","type":"string","description":"The ETag value for the 
response."},{"name":"ServiceDataPolicyDeltaBindingDeltas","type":"string","description":"Changes to policy bindings in the response."},{"name":"NumResponseItems","type":"string","description":"The number of items returned in the response."},{"name":"RequestParent","type":"string","description":"The parent resource of the request."},{"name":"RequestShowDeleted","type":"bool","description":"Boolean indicating if deleted items should be included in the response."},{"name":"RequestRemoveDeletedServiceAccounts","type":"bool","description":"Boolean indicating if deleted service accounts should be removed."},{"name":"RequestIncludeInactiveApiRoles","type":"bool","description":"Boolean indicating whether inactive API roles should be included in the request."},{"name":"AuthenticationInfoPrincipalSubject","type":"string","description":"Subject associated with the authenticated principal in the request."},{"name":"ResponseType","type":"string","description":"The type of response being returned."},{"name":"ServiceDataType","type":"string","description":"The type of service data being logged."},{"name":"RequestGrantType","type":"string","description":"The grant type associated with the request."},{"name":"RequestSubjectTokenType","type":"string","description":"The type of subject token being used in the request."},{"name":"MetadataMappedPrincipal","type":"string","description":"Mapped principal in the metadata."},{"name":"MetadataType","type":"string","description":"The type of metadata being provided."},{"name":"GCPResourceType","type":"string","description":"The type of resource involved in the request."},{"name":"RequestKeyTypes","type":"string","description":"Types of keys involved in the request."},{"name":"RequestView","type":"string","description":"The view or perspective for the request."},{"name":"RequestRequestedTokenType","type":"string","description":"The type of token requested."},{"name":"Severity","type":"string","description":"The severity level of the log entry 
or request."},{"name":"Timestamp","type":"datetime","description":"The timestamp when the log entry or event occurred."},{"name":"StatusCode","type":"string","description":"The HTTP or operation status code for the response."},{"name":"StatusMessage","type":"string","description":"The message associated with the status code."},{"name":"ServiceDataPermissionDeltaRemovedPermissions","type":"string","description":"Permissions that were removed in the service data policy."},{"name":"RequestUpdateMaskPaths","type":"string","description":"The paths to be updated in the request."},{"name":"ResourceLabelsTopicId","type":"string","description":"The topic ID associated with the resource."},{"name":"ResourceLabelsRoleName","type":"string","description":"The name of the role associated with the resource."},{"name":"ServiceDataPermissionDeltaAddedPermissions","type":"string","description":"Permissions that were added in the service data policy."},{"name":"RequestRoleIncludedPermissions","type":"string","description":"Permissions included in the role in the request."},{"name":"RequestRoleTitle","type":"string","description":"Title of the role being requested."},{"name":"RequestRoleDescription","type":"string","description":"Description of the role being requested."},{"name":"RequestRoleId","type":"string","description":"The unique identifier for the role."},{"name":"ResponseGroupName","type":"string","description":"The group name for the response."},{"name":"ResponseIncludedPermissions","type":"string","description":"Permissions included in the response."},{"name":"ResponseTitle","type":"string","description":"Title associated with the response."},{"name":"ResponseGroupTitle","type":"string","description":"The title of the group in the response."},{"name":"RequestAccountId","type":"string","description":"Account ID associated with the request."},{"name":"RequestServiceAccountDescription","type":"string","description":"Description of the service account being 
requested."},{"name":"RequestServiceAccountDisplayName","type":"string","description":"Display name of the service account being requested."},{"name":"ResponseOauth2ClientId","type":"string","description":"OAuth2 client ID associated with the response."},{"name":"ResponseName","type":"string","description":"Name associated with the response."},{"name":"ResponseUniqueId","type":"string","description":"Unique identifier for the response."},{"name":"ResponseDescription","type":"string","description":"Description of the response."},{"name":"ResponseProjectId","type":"string","description":"Project ID associated with the response."},{"name":"ResponseDisplayName","type":"string","description":"Display name associated with the response."},{"name":"ResponseEmail","type":"string","description":"Email associated with the response."},{"name":"RequestPrivateKeyType","type":"string","description":"Type of private key being used in the request."},{"name":"ResponseValidBeforeTimeSeconds","type":"string","description":"Time in seconds before the response becomes valid."},{"name":"ResponseValidAfterTimeSeconds","type":"string","description":"Time in seconds after which the response becomes valid."},{"name":"ResponseKeyType","type":"string","description":"The type of key used in the response."},{"name":"ResponseKeyOrigin","type":"string","description":"The origin of the key in the response."},{"name":"ResponsePrivateKeyType","type":"string","description":"The type of private key used in the response."},{"name":"ResponseKeyAlgorithm","type":"string","description":"The key algorithm used in the response."},{"name":"RequestOptionsRequestedPolicyVersion","type":"string","description":"The version of the policy requested."},{"name":"RequestPageToken","type":"string","description":"Token for pagination in the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GCPIDS","name":"GCPIDS","tableType":"Microsoft","description":"The Google Cloud Platform IDS data connector provides the capability to ingest Cloud IDS logs into Microsoft Sentinel using the Compute Engine API. This enables the detection and response to potential threats within the Google Cloud environment by monitoring network traffic and identifying suspicious activities.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"InsertId","type":"string","description":"A unique identifier for the log entry."},{"name":"LogName","type":"string","description":"The full log name including resource path."},{"name":"ReceiveTimestamp","type":"datetime","description":"Time the log entry was received by Cloud Logging."},{"name":"Application","type":"string","description":"Suspected traffic's application type—for example, SSH."},{"name":"DestinationIPAddress","type":"string","description":"Suspected traffic's destination IP address."},{"name":"DestinationPort","type":"string","description":"Suspected traffic's destination port."},{"name":"ElapsedTime","type":"string","description":"The elapsed time of the session."},{"name":"Network","type":"string","description":"The network associated with the IDS endpoint."},{"name":"RepeatCount","type":"string","description":"The number of sessions with the same source IP, destination IP, application, and type seen within 5 seconds."},{"name":"SessionId","type":"string","description":"An internal numerical identifier applied to each session."},{"name":"SourcePort","type":"string","description":"The source port of the traffic."},{"name":"StartTime","type":"datetime","description":"The time of the session start."},{"name":"TotalBytes","type":"string","description":"The total number of bytes 
transferred in the session."},{"name":"TotalPackets","type":"string","description":"The total number of packets transferred in the session."},{"name":"AlertSeverity","type":"string","description":"Severity of the threat. One of INFORMATIONAL, LOW, MEDIUM, HIGH, or CRITICAL."},{"name":"AlertTime","type":"datetime","description":"Time when the threat was discovered."},{"name":"Category","type":"string","description":"Sub-type of the threat."},{"name":"CVEs","type":"string","description":"A list of CVEs associated with the threat."},{"name":"Details","type":"string","description":"Additional information about the type of threat."},{"name":"Direction","type":"string","description":"Suspected traffic's direction (client-to-server or server-to-client)."},{"name":"JsonPayloadName","type":"string","description":"Threat name."},{"name":"ThreatId","type":"string","description":"Unique threat identifier."},{"name":"JsonPayloadType","type":"string","description":"Type of the threat."},{"name":"URIOrFilename","type":"string","description":"URI or filename of the relevant threat, if applicable."},{"name":"IPProtocol","type":"string","description":"Suspected traffic's IP protocol."},{"name":"SourceIPAddress","type":"string","description":"Suspected traffic's source IP address."},{"name":"OperationId","type":"string","description":"Unique identifier for the operation, useful for tracking and correlating across logs."},{"name":"OperationFirst","type":"bool","description":"Indicates if this is the first log entry in a sequence of operations."},{"name":"OperationLast","type":"bool","description":"Indicates if this is the last log entry in a sequence of operations."},{"name":"OperationProducer","type":"string","description":"Component or service that generated the operation."},{"name":"PayloadType","type":"string","description":"Type or format of the payload associated with the request."},{"name":"AuthenticationInfoPrincipalEmail","type":"string","description":"Email address of the 
authenticated user or service account initiating the request."},{"name":"AuthorizationInfo","type":"string","description":"Information about permissions or roles evaluated for the operation."},{"name":"MethodName","type":"string","description":"Name of the API method or function that was invoked."},{"name":"NumResponseItems","type":"string","description":"Number of items returned in the response, if applicable."},{"name":"RequestName","type":"string","description":"Name or identifier of the resource being accessed or modified in the request."},{"name":"RequestType","type":"string","description":"Type of request."},{"name":"RequestParent","type":"string","description":"Parent resource of the request, indicating hierarchy or context."},{"name":"RequestEndpointName","type":"string","description":"Name of the endpoint to which the request was sent."},{"name":"RequestEndpointNetwork","type":"string","description":"Network path or name through which the endpoint was accessed."},{"name":"RequestEndpointSeverity","type":"string","description":"Severity associated with the endpoint in the context of threat detection or access."},{"name":"RequestEndpointTrafficLogs","type":"string","description":"Details or references to traffic logs related to the endpoint request."},{"name":"RequestEndpointId","type":"string","description":"Unique identifier of the endpoint that handled the request."},{"name":"RequestEndpointThreatExceptions","type":"string","description":"Threat exceptions applied to the endpoint for this request, if any."},{"name":"RequestMetadataCallerIP","type":"string","description":"IP address of the caller who initiated the request."},{"name":"RequestMetadataDestinationAttributes","type":"string","description":"Metadata attributes about the destination service or resource."},{"name":"RequestMetadataRequestAttributesTime","type":"datetime","description":"Timestamp of when the request attributes were 
recorded."},{"name":"RequestMetadataRequestAttributesAuth","type":"string","description":"Authentication-related request attributes, such as tokens or auth levels."},{"name":"RequestMetadataRequestAttributesReason","type":"string","description":"Reason for the request, such as a policy action or user-initiated change."},{"name":"ResourceLocationCurrentLocations","type":"string","description":"Current physical or logical location(s) of the resource at the time of the log entry."},{"name":"ResponseType","type":"string","description":"Type or format of the response returned from the operation."},{"name":"ResponseName","type":"string","description":"Name or ID of the resource returned in the response."},{"name":"ResponseNetwork","type":"string","description":"Network path or identifier associated with the response."},{"name":"ResponseSeverity","type":"string","description":"Severity level of the response, especially in the context of errors or alerts."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the log entry was generated and ingested by the logging system."},{"name":"ResponseState","type":"string","description":"State or result of the response action taken for the detected threat."},{"name":"ResponseThreatExceptions","type":"string","description":"List of any threat exceptions applied during the response, allowing specific threats to bypass enforcement."},{"name":"ResponseTrafficLogs","type":"bool","description":"Indicates whether traffic logs were captured for the session or threat response."},{"name":"ServiceName","type":"string","description":"Name of the cloud service associated with the log entry or threat detection."},{"name":"Status","type":"string","description":"Status of the operation or request, such as SUCCESS, FAILURE, or ERROR."},{"name":"ResourceLabelsMethod","type":"string","description":"The method or operation performed on the resource, often linked to an API call or service 
method."},{"name":"ResourceLabelsProjectId","type":"string","description":"Project ID associated with the resource, typically representing the Google Cloud project."},{"name":"ResourceLabelsService","type":"string","description":"Service label indicating the cloud service involved."},{"name":"ResourceLabelsId","type":"string","description":"Unique identifier for the resource involved in the log entry."},{"name":"ResourceLabelsLocation","type":"string","description":"Geographic or regional location of the resource."},{"name":"ResourceLabelsResourceContainer","type":"string","description":"Name of the container or logical grouping the resource belongs to (e.g., folder, organization)."},{"name":"Severity","type":"string","description":"Indicates the severity level of the log entry or event."},{"name":"Timestamp","type":"datetime","description":"The original timestamp of the event as recorded by the source system."},{"name":"RequestUpdateMaskPaths","type":"string","description":"The paths to be updated in the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GCPLoadBalancer","name":"GCPLoadBalancer","tableType":"Microsoft","description":"The Google Cloud Platform (GCP) GCPLoadBalancer logs enable you to capture network inbound activity from the load balancer and Web Application Firewall (WAF) to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time the log entry was received by logging."},{"name":"BackendTargetProjectNumber","type":"string","description":"The Backend Service Project 
Number."},{"name":"CacheDecision","type":"dynamic","description":"Indicates whether a request was served from the cache or the backend."},{"name":"EnforcedSecurityPolicy","type":"dynamic","description":"Indicates whether a security policy (such as a WAF or access control rules) was applied to a request."},{"name":"PreviewSecurityPolicy","type":"dynamic","description":"Request matches a rule configured for preview (present only when a preview rule would have taken priority over the enforced rule)."},{"name":"EnforcedEdgeSecurityPolicy","type":"dynamic","description":"The edge security policy rule that was enforced."},{"name":"PreviewEdgeSecurityPolicy","type":"dynamic","description":"Populated if a request matches an edge security policy rule configured for preview."},{"name":"PayloadRemoteIp","type":"string","description":"The remote IP address of the payload."},{"name":"SecurityPolicyRequestData","type":"dynamic","description":"The security policy data of the request."},{"name":"StatusDetails","type":"string","description":"The status details of the request."},{"name":"Latency","type":"string","description":"The latency of the request."},{"name":"RemoteIp","type":"string","description":"The remote IP of the request."},{"name":"RequestMethod","type":"string","description":"The HTTP method of the request."},{"name":"RequestSize","type":"string","description":"The size of the request."},{"name":"RequestUrl","type":"string","description":"The URL of the request."},{"name":"RequestStatus","type":"string","description":"The status code of the request."},{"name":"UserAgent","type":"string","description":"The user agent of the request."},{"name":"BackendServiceName","type":"string","description":"The backend service name in Google Cloud Platform."},{"name":"ForwardingRuleName","type":"string","description":"The forwarding rule resource of the load balancer in Google Cloud Platform."},{"name":"ProjectId","type":"string","description":"The Project id in Google Cloud 
Platform"},{"name":"UrlMapName","type":"string","description":"The url map resource name in Google Cloud Platform."},{"name":"Zone","type":"string","description":"The Zone name of the Load Balancer."},{"name":"Severity","type":"string","description":"The severity of the incident."},{"name":"LogName","type":"string","description":"Information including a suffix identifying the log sub-type (e.g., admin activity, system access, data access) and where in the hierarchy the request was made."},{"name":"Timestamp","type":"datetime","description":"The time the event described by the log entry occurred."},{"name":"InsertId","type":"string","description":"Optional. Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GCPMonitoring","name":"GCPMonitoring","tableType":"Microsoft","description":"The Google Cloud Platform Cloud Monitoring data connector ingests Monitoring logs from Google Cloud into Microsoft Sentinel using the Google Cloud Monitoring API. 
Refer to [Cloud Monitoring API](https://cloud.google.com/monitoring/api/v3) documentation for more details.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"MetricLabels","type":"dynamic","description":"Key-value pairs that identify the characteristics of the metric (e.g., instance ID, region, etc.)"},{"name":"MetricType","type":"string","description":"The full path of the metric type being monitored (e.g., 'compute.googleapis.com/instance/cpu/utilization')"},{"name":"MetricKind","type":"string","description":"The type of metric: GAUGE (instant value), DELTA (change over time), or CUMULATIVE (accumulated value)"},{"name":"GCPResource","type":"dynamic","description":"The monitored resource associated with the metric (e.g., VM instance, GKE cluster), includes resource type and labels"},{"name":"ValueType","type":"string","description":"The type of value recorded: INT64, DOUBLE, BOOL, STRING, or DISTRIBUTION"},{"name":"Points","type":"dynamic","description":"A list of time series data points that contain values and timestamps for the metric"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the metric or log entry was generated at the source, representing the actual occurrence time of the data point."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GCPNAT","name":"GCPNAT","tableType":"Microsoft","description":"The Google Cloud Platform NAT data connector provides the capability to ingest Cloud NAT Audit logs and Cloud NAT Traffic logs into Microsoft Sentinel using the Compute Engine API. 
Refer to the [Product overview](https://cloud.google.com/nat/docs/overview) document for more details.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the log was ingested by Log Analytics."},{"name":"InsertId","type":"string","description":"Unique identifier for the log entry within the GCP logging system."},{"name":"LogName","type":"string","description":"Name of the log stream."},{"name":"ReceiveTimestamp","type":"datetime","description":"The time the log entry was received by GCP Logging."},{"name":"GCPResourceType","type":"string","description":"Type of the monitored GCP resource (e.g., 'router', 'gce_instance')."},{"name":"ProjectId","type":"string","description":"ID of the GCP project that generated the log entry."},{"name":"Region","type":"string","description":"Region of the GCP resource involved in the NAT traffic."},{"name":"RouterId","type":"string","description":"Identifier of the Cloud Router managing the NAT gateway."},{"name":"GatewayName","type":"string","description":"Name of the Cloud NAT gateway instance."},{"name":"AllocationStatus","type":"string","description":"Status of the NAT IP address allocation."},{"name":"SrcIp","type":"string","description":"Source internal IP address from which the traffic originated."},{"name":"SrcPort","type":"string","description":"Source port on the internal VM or resource."},{"name":"DestIp","type":"string","description":"Destination external IP address the traffic was sent to."},{"name":"DestPort","type":"string","description":"Destination port on the remote host."},{"name":"NatIp","type":"string","description":"Public NAT IP address assigned for this flow."},{"name":"NatPort","type":"string","description":"Public NAT port assigned for this flow."},{"name":"Protocol","type":"string","description":"Network protocol used in the 
connection."},{"name":"VmName","type":"string","description":"Name of the virtual machine that initiated the NAT traffic."},{"name":"EndpointRegion","type":"string","description":"Region of the destination endpoint."},{"name":"EndpointZone","type":"string","description":"Zone of the destination endpoint if applicable."},{"name":"ASN","type":"string","description":"Autonomous System Number (ASN) associated with the destination IP."},{"name":"Country","type":"string","description":"Country of the destination IP address (geo-located)."},{"name":"City","type":"string","description":"City of the destination IP address (geo-located)."},{"name":"DestinationRegion","type":"string","description":"Continent or larger geographical region of the destination."},{"name":"Continent","type":"string","description":"Continent where the destination IP is located."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GCPNATAudit","name":"GCPNATAudit","tableType":"Microsoft","description":"The Google Cloud Platform NAT data connector provides the capability to ingest Cloud NAT Audit logs and Cloud NAT Traffic logs into Microsoft Sentinel using the Compute Engine API. 
Refer to the [Product overview](https://cloud.google.com/nat/docs/overview) document for more details.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time at which the log was generated."},{"name":"InsertId","type":"string","description":"A unique ID for the log entry."},{"name":"LogName","type":"string","description":"The name of the log stream."},{"name":"GCPResourceType","type":"string","description":"Type of the GCP resource."},{"name":"ResourceRegion","type":"string","description":"Region of the GCP resource."},{"name":"RouterId","type":"string","description":"Identifier of the Cloud Router."},{"name":"ProjectId","type":"string","description":"GCP Project ID where the event occurred."},{"name":"Severity","type":"string","description":"Severity level of the event."},{"name":"RootTriggerId","type":"string","description":"Root trigger ID of the operation."},{"name":"ReceiveTimestamp","type":"datetime","description":"Time when the log was received."},{"name":"PayloadType","type":"string","description":"Type of payload in the log."},{"name":"PrincipalEmail","type":"string","description":"Email of the principal initiating the request."},{"name":"PrincipalSubject","type":"string","description":"Subject or identity of the principal."},{"name":"CallerIp","type":"string","description":"IP address of the caller."},{"name":"UserAgent","type":"string","description":"User agent string of the caller."},{"name":"RequestAttributeTime","type":"datetime","description":"Timestamp of the request attribute."},{"name":"RequestAttributeAuth","type":"string","description":"Authorization details of the request."},{"name":"RequestAttributeDestination","type":"string","description":"Destination details of the request."},{"name":"ServiceName","type":"string","description":"Name of the GCP 
service."},{"name":"MethodName","type":"string","description":"API method invoked."},{"name":"AuthorizationInfo","type":"string","description":"Details about the authorization."},{"name":"GCPResourceName","type":"string","description":"Name of the resource affected."},{"name":"RequestType","type":"string","description":"Type of the request."},{"name":"RequestName","type":"string","description":"Name of the request."},{"name":"RequestNetwork","type":"string","description":"Network where the request was made."},{"name":"PayloadRequestNats","type":"string","description":"NATs request payload."},{"name":"EncryptedInterconnectRouter","type":"bool","description":"Whether the router uses encrypted interconnect."},{"name":"RequestRegion","type":"string","description":"Region where the request originated."},{"name":"RequestSelfLink","type":"string","description":"SelfLink URL of the request resource."},{"name":"RequestId","type":"string","description":"Unique ID of the request."},{"name":"ResponseType","type":"string","description":"Type of the response returned."},{"name":"ResponseName","type":"string","description":"Name of the response."},{"name":"ResponseUser","type":"string","description":"User returned in the response."},{"name":"ResponseTargetId","type":"string","description":"Target ID in the response."},{"name":"ResponseStatus","type":"string","description":"Status of the response."},{"name":"ResponseProgress","type":"string","description":"Progress status of the response."},{"name":"ResponseStartTime","type":"datetime","description":"Start time of the response."},{"name":"ResponseRegion","type":"string","description":"Region associated with the response."},{"name":"ResponseSelfLinkWithId","type":"string","description":"SelfLink URL with ID in the response."},{"name":"ResponseInsertTime","type":"datetime","description":"Insert time of the response."},{"name":"ResponseTargetLink","type":"string","description":"Target link in the 
response."},{"name":"ResponseSelfLink","type":"string","description":"SelfLink URL of the response."},{"name":"ResponseId","type":"string","description":"Identifier of the response."},{"name":"ResponseOperationType","type":"string","description":"Type of operation performed."},{"name":"ResponseErrorCode","type":"string","description":"Error code if any error occurred."},{"name":"ResponseErrors","type":"string","description":"Details of any errors returned."},{"name":"ResponseErrorMessage","type":"string","description":"Error message returned, if any."},{"name":"ResourceLocation","type":"string","description":"Geographic location of the resource."},{"name":"OperationId","type":"string","description":"Identifier of the operation."},{"name":"OperationProducer","type":"string","description":"Producer of the operation."},{"name":"OperationFirst","type":"bool","description":"Indicates if this is the first operation in the series."},{"name":"OperationLast","type":"bool","description":"Indicates if this is the last operation in the series."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GCPResourceManager","name":"GCPResourceManager","tableType":"Microsoft","description":"The Google Cloud Platform Resource Manager data connector provides the capability to ingest Resource Manager [Admin Activity and Data Access Audit logs](https://cloud.google.com/resource-manager/docs/audit-logging) into Microsoft Sentinel using the Cloud Resource Manager API. 
Refer to the [Product overview](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy) document for more details.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time the log entry was received by logging."},{"name":"InsertID","type":"string","description":"A unique ID for the log entry used for deduplication."},{"name":"LogName","type":"string","description":"The full resource name of the log (e.g., projects/[PROJECT_ID]/logs/[LOG_ID])."},{"name":"ReceiveTimestamp","type":"datetime","description":"The time the log entry was received by Cloud Logging."},{"name":"Severity","type":"string","description":"Log level indicating the severity of the event (e.g., INFO, ERROR)."},{"name":"Timestamp","type":"datetime","description":"The time the event described by the log entry occurred."},{"name":"PayloadType","type":"string","description":"The type of the log payload (e.g., protoPayload, textPayload)."},{"name":"MethodName","type":"string","description":"The API method that was called (e.g., google.cloud.resourcemanager.v3.Projects.CreateProject)."},{"name":"GCPResourceName","type":"string","description":"The name of the resource that the operation is acting on."},{"name":"ServiceName","type":"string","description":"The name of the GCP service handling the request (e.g., cloudresourcemanager.googleapis.com)."},{"name":"NumResponseItems","type":"string","description":"The number of items returned in the response, if applicable."},{"name":"AuthenticationInfoPrincipalEmail","type":"string","description":"The email address of the authenticated principal making the request."},{"name":"AuthenticationInfoPrincipalSubject","type":"string","description":"The unique subject identifier for the principal (useful for federated 
identities)."},{"name":"AuthenticationInfoServiceAccountKeyName","type":"string","description":"The resource name of the service account key used to authenticate the request."},{"name":"AuthorizationInfo","type":"string","description":"Details on the authorization checks performed, including the permissions evaluated."},{"name":"Status","type":"string","description":"The status of the request, including error codes and messages if the operation failed."},{"name":"MetadataType","type":"string","description":"The type of metadata associated with the log entry."},{"name":"MetadataParentDeltaDestinationParentId","type":"string","description":"The destination parent ID when a resource moves between parents (e.g., folder or org)."},{"name":"MetadataParentDeltaDestinationParentType","type":"string","description":"The type of destination parent (e.g., folder, organization)."},{"name":"MetadataParentDeltaSourceParentId","type":"string","description":"The original parent ID of the resource before the move."},{"name":"MetadataParentDeltaSourceParentType","type":"string","description":"The type of source parent (e.g., folder, organization)."},{"name":"RequestType","type":"string","description":"The type of request being made (e.g., Create, Update, Delete)."},{"name":"RequestResource","type":"string","description":"The full representation of the resource included in the request."},{"name":"RequestName","type":"string","description":"The name or ID of the resource targeted by the request."},{"name":"RequestCreateTime","type":"datetime","description":"The timestamp when the resource was created as specified in the request."},{"name":"RequestLifecycleState","type":"string","description":"The lifecycle state of the resource in the request (e.g., ACTIVE, DELETE_REQUESTED)."},{"name":"RequestProjectId","type":"string","description":"The project ID associated with the request."},{"name":"RequestParent","type":"string","description":"The parent resource (e.g., folder or org) under 
which the request is being made."},{"name":"RequestListValue","type":"string","description":"A list of values specified in the request (e.g., tags, constraints)."},{"name":"RequestPageSize","type":"string","description":"The number of results to return per page in a list request."},{"name":"RequestCustomConstraint","type":"string","description":"Custom constraint configuration specified in the request."},{"name":"RequestDestinationParent","type":"string","description":"The resource name of the destination parent, used in resource moves."},{"name":"RequestUpdateMask","type":"string","description":"A comma-separated list specifying the fields to be updated in a partial update request."},{"name":"RequestConstraint","type":"string","description":"The Org Policy constraint specified in the request."},{"name":"RequestQuery","type":"string","description":"A query String used for filtering results (e.g., in search or list operations)."},{"name":"RequestPolicyAuditConfigs","type":"string","description":"The audit configuration settings defined in the policy request."},{"name":"RequestPolicyBindings","type":"string","description":"A list of role bindings defined in the IAM policy request."},{"name":"RequestPolicyEtag","type":"string","description":"The ETag used for concurrency control in the policy request."},{"name":"RequestPolicyName","type":"string","description":"The resource name of the policy being modified in the request."},{"name":"RequestPolicySpec","type":"string","description":"Detailed specification of the Org Policy being applied."},{"name":"RequestOptionsRequestedPolicyVersion","type":"string","description":"The version of the IAM policy format requested."},{"name":"RequestProjectName","type":"string","description":"The display name of the project specified in the request."},{"name":"RequestProjectProjectId","type":"string","description":"The unique project ID provided in the request."},{"name":"RequestProjectProjectNumber","type":"string","description":"The 
numerical project identifier."},{"name":"RequestProjectLifecycleState","type":"string","description":"The lifecycle state of the project (e.g., ACTIVE, DELETE_REQUESTED)."},{"name":"RequestProjectCreateTime","type":"datetime","description":"The time the project was created as per the request."},{"name":"RequestProjectLabels","type":"string","description":"Key-value labels assigned to the project in the request."},{"name":"RequestProjectParent","type":"string","description":"The parent resource (folder or organization) under which the project is created."},{"name":"RequestFolderDisplayName","type":"string","description":"The display name of the folder provided in the request."},{"name":"RequestFolderParent","type":"string","description":"The parent resource of the folder specified in the request."},{"name":"RequestTagValueName","type":"string","description":"The full resource name of the tag value in the request."},{"name":"RequestTagKeyName","type":"string","description":"The full resource name of the tag key referenced in the request."},{"name":"RequestTagBindingTagValue","type":"string","description":"The tag value being bound to a resource in the request."},{"name":"RequestTagBindingParent","type":"string","description":"The full name of the resource to which the tag is being bound."},{"name":"RequestMetadataCallerIP","type":"string","description":"The IP address of the caller who made the request."},{"name":"RequestMetadataCallerSuppliedUserAgent","type":"string","description":"The user agent String provided by the caller's client application."},{"name":"RequestMetadataDestinationAttributes","type":"string","description":"Metadata about the request destination, such as port or protocol."},{"name":"RequestMetadataRequestAttributesAuth","type":"string","description":"Authentication attributes related to the request, such as authority selector or principal email."},{"name":"RequestMetadataRequestAttributesTime","type":"datetime","description":"The timestamp when 
the request was made."},{"name":"RequestMetadataRequestAttributesReason","type":"string","description":"The reason or justification for making the request (if provided)."},{"name":"ResponseType","type":"string","description":"The type of the response payload."},{"name":"ResponseAuditConfigs","type":"string","description":"The audit configurations returned in the response."},{"name":"ResponseBindings","type":"string","description":"The IAM role bindings included in the response."},{"name":"ResponseEtag","type":"string","description":"The ETag used for concurrency control in the response."},{"name":"ResponseCreateTime","type":"datetime","description":"The timestamp when the resource was created, as returned in the response."},{"name":"ResponseDisplayName","type":"string","description":"The display name of the resource returned in the response."},{"name":"ResponseName","type":"string","description":"The full resource name returned in the response."},{"name":"ResponseParent","type":"string","description":"The parent resource name associated with the response."},{"name":"ResponseState","type":"string","description":"The current state of the resource (e.g., ACTIVE, DELETED)."},{"name":"ResponseUpdateTime","type":"datetime","description":"The time when the resource was last updated, as per the response."},{"name":"ResponseLifecycleState","type":"string","description":"The lifecycle state of the resource in the response (e.g., ACTIVE, DELETE_REQUESTED)."},{"name":"ResponseProjectId","type":"string","description":"The project ID returned in the response."},{"name":"ResponseProjectNumber","type":"string","description":"The numerical project number returned in the response."},{"name":"ResponseLabels","type":"string","description":"The key-value labels attached to the resource in the response."},{"name":"ResponseDescription","type":"string","description":"A description of the resource or result returned in the response."},{"name":"ResponseNamespacedName","type":"string","description":"A 
namespaced identifier for the resource (used in tagging)."},{"name":"ResponseShortName","type":"string","description":"The short, user-defined name of the resource returned in the response."},{"name":"ResponseTagKey","type":"string","description":"The tag key associated with the resource returned in the response."},{"name":"ResponseTagValue","type":"string","description":"The tag value associated with the resource in the response."},{"name":"ResponseTagValueNamespacedName","type":"string","description":"A fully qualified name (including tag key) for the tag value."},{"name":"ResponsePolicySpec","type":"string","description":"The policy specification returned in the response (Org Policy or IAM policy)."},{"name":"ServiceDataType","type":"string","description":"The type of service-specific data returned in the response."},{"name":"ServiceDataPolicyDeltaBindingDeltas","type":"string","description":"Changes (additions or removals) to IAM bindings as part of the policy delta."},{"name":"GCPResourceType","type":"string","description":"The type of resource involved in the operation (e.g., project, folder, organization)."},{"name":"ResourceLabelsOrganizationId","type":"string","description":"The organization ID associated with the resource."},{"name":"ResourceLabelsFolderId","type":"string","description":"The folder ID associated with the resource."},{"name":"ResourceLabelsProjectId","type":"string","description":"The project ID associated with the resource."},{"name":"ResourceLabelsMethod","type":"string","description":"The method name label used for filtering in logs."},{"name":"ResourceLabelsService","type":"string","description":"The service name label used for filtering in logs."},{"name":"OperationFirst","type":"bool","description":"Indicates whether this is the first log entry for a long-running operation."},{"name":"OperationLast","type":"bool","description":"Indicates whether this is the last log entry for a long-running 
operation."},{"name":"OperationID","type":"string","description":"An identifier for a long-running operation shared across related log entries."},{"name":"OperationProducer","type":"string","description":"The name of the producer of the operation (e.g., the GCP service executing the operation)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GCPVPCFlow","name":"GCPVPCFlow","tableType":"Microsoft","description":"The Google Cloud Platform (GCP) VPC Flow Logs enable you to capture network traffic activity at the VPC level, allowing you to monitor access patterns, analyze network performance, and detect potential threats across GCP resources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time the log entry was received by logging."},{"name":"InsertId","type":"string","description":"A unique identifier assigned to each log entry."},{"name":"BytesSent","type":"string","description":"Amount of bytes sent from the source to the destination."},{"name":"PacketsSent","type":"string","description":"Number of packets sent from the source to the destination."},{"name":"Reporter","type":"string","description":"The side which reported the flow."},{"name":"Rttmsec","type":"string","description":"The measured latency is the time elapsed between sending a SEQ and receiving a corresponding ACK."},{"name":"StartTime","type":"datetime","description":"Timestamp of the first observed packet during the aggregated time interval."},{"name":"EndTime","type":"datetime","description":"Timestamp of the last observed packet during the aggregated time interval."},{"name":"LogName","type":"string","description":"The name of the log 
where this entry is stored."},{"name":"ReceiveTimestamp","type":"datetime","description":"Timestamp of the event when it was received by the logging service."},{"name":"Timestamp","type":"datetime","description":"Timestamp of the log entry."},{"name":"Location","type":"string","description":"Location of the resource."},{"name":"ProjectId","type":"string","description":"ProjectId of the resource."},{"name":"SubnetworkId","type":"string","description":"ID of the subnet"},{"name":"SubnetworkName","type":"string","description":"Name of the subnet"},{"name":"GCPResourceType","type":"string","description":"Type of the resource (e.g., compute instance, DNS record)."},{"name":"DestIp","type":"string","description":"Destination IP address"},{"name":"DestPort","type":"string","description":"Destination port"},{"name":"Protocol","type":"string","description":"The IANA protocol number"},{"name":"SrcIp","type":"string","description":"Source IP address"},{"name":"SrcPort","type":"string","description":"Source port"},{"name":"DestInstanceProjectId","type":"string","description":"ID of the Google Cloud project that contains the VM resource"},{"name":"DestInstanceRegion","type":"string","description":"Region of the VM"},{"name":"DestInstanceVmName","type":"string","description":"Instance name of the VM"},{"name":"DestInstanceZone","type":"string","description":"Zone of the VM"},{"name":"DestInstanceGroupName","type":"string","description":"Name of the instance group"},{"name":"DestInstanceGroupZone","type":"string","description":"If the instance group is zonal, this field is populated with the zone of the instance group."},{"name":"DestInstanceGroupRegion","type":"string","description":"If the instance group is regional, this field is populated with the region of the instance group."},{"name":"DestVpcProjectId","type":"string","description":"ID of the Google Cloud project containing the 
VPC"},{"name":"DestVpcSubnetworkName","type":"string","description":"Name of the subnet"},{"name":"DestVpcSubnetworkRegion","type":"string","description":"Region of the subnet"},{"name":"DestVpcName","type":"string","description":"Name of the network"},{"name":"NetworkServiceDscp","type":"string","description":"If the Differentiated Services field is present in packet headers, this field is populated with the DSCP value."},{"name":"SrcInstanceProjectId","type":"string","description":"ID of the Google Cloud project that contains the source VM resource"},{"name":"SrcInstanceRegion","type":"string","description":"Region of the source VM"},{"name":"SrcInstanceVmName","type":"string","description":"Instance name of the source VM"},{"name":"SrcInstanceZone","type":"string","description":"Zone of the source VM"},{"name":"SrcInstanceGroupName","type":"string","description":"Name of the source instance group"},{"name":"SrcInstanceGroupZone","type":"string","description":"If the source instance group is zonal, this field is populated with the zone of the source instance group."},{"name":"SrcInstanceGroupRegion","type":"string","description":"If the source instance group is regional, this field is populated with the region of the source instance group."},{"name":"SrcVpcProjectId","type":"string","description":"ID of the Google Cloud project containing the VPC"},{"name":"SrcVpcSubnetworkName","type":"string","description":"Name of the source subnet"},{"name":"SrcVpcSubnetworkRegion","type":"string","description":"Region of the source subnet"},{"name":"SrcVpcName","type":"string","description":"Name of the source network"},{"name":"DestGoogleServiceType","type":"string","description":"This field is set to GOOGLE_API if the destination is a Google API service."},{"name":"SrcGoogleServiceType","type":"string","description":"This field is set to GOOGLE_API if the source is a Google API service."},{"name":"DestLocationAsn","type":"string","description":"The ASN of the external 
destination network to which this endpoint belongs."},{"name":"DestLocationContinent","type":"string","description":"Continent for external destination endpoints."},{"name":"DestLocationCity","type":"string","description":"City for external destination endpoints."},{"name":"DestLocationCountry","type":"string","description":"Country for external destination endpoints."},{"name":"DestLocationRegion","type":"string","description":"Region for external destination endpoints."},{"name":"SrcLocationAsn","type":"string","description":"The ASN of the external source network to which this endpoint belongs."},{"name":"SrcLocationContinent","type":"string","description":"Continent for external source endpoints."},{"name":"SrcLocationCountry","type":"string","description":"Country for external source endpoints."},{"name":"SrcLocationCity","type":"string","description":"City for external source endpoints."},{"name":"SrcLocationRegion","type":"string","description":"Region for external source endpoints."},{"name":"InternetRoutingDetailsEgressAsn","type":"string","description":"List of relevant AS paths. If there are multiple AS paths available to the flow, the field might contain more than one AS path."},{"name":"LbBackendGroupName","type":"string","description":"Name of the backend group"},{"name":"LbBackendGroupType","type":"string","description":"Type of the backend group"},{"name":"LbForwardingRuleName","type":"string","description":"Name of the forwarding rule"},{"name":"LbForwardingRuleProjectId","type":"string","description":"Google Cloud project ID of the forwarding rule"},{"name":"LbReporter","type":"string","description":"Cloud Load Balancing reporter. Can be either CLIENT or BACKEND"},{"name":"LbScheme","type":"string","description":"Load balancer scheme"},{"name":"LbUrlMapName","type":"string","description":"Name of the URL map. 
Populated if the type of the load balancer is APPLICATION_LOAD_BALANCER."},{"name":"LbBackendServiceName","type":"string","description":"Name of the backend service."},{"name":"LbType","type":"string","description":"Load balancer type."},{"name":"LbBackendGroupLocation","type":"string","description":"Location of the backend group"},{"name":"LbVpc","type":"dynamic","description":"VPC network details of the load balancer"},{"name":"SrcGkeClusterLocation","type":"string","description":"Location of the source cluster. This can be a zone or a region depending if the cluster is zonal or regional."},{"name":"SrcGkeClusterName","type":"string","description":"Source GKE cluster name."},{"name":"SrcGkeService","type":"dynamic","description":"Source GKE Service name."},{"name":"SrcGkePodName","type":"string","description":"Name of the source Pod"},{"name":"SrcGkePodNamespace","type":"string","description":"Namespace of the source Pod"},{"name":"SrcGkePodWorkloadName","type":"string","description":"Name of the top-level source workload controller"},{"name":"SrcGkePodWorkloadType","type":"string","description":"Type of the top-level source workload controller."},{"name":"DestGkeClusterLocation","type":"string","description":"Location of the destination cluster. 
This can be a zone or a region depending if the cluster is zonal or regional."},{"name":"DestGkeClusterName","type":"string","description":"Destination GKE cluster name."},{"name":"DestGkeService","type":"dynamic","description":"Destination GKE Service name."},{"name":"DestGkePodName","type":"string","description":"Name of the destination Pod"},{"name":"DestGkePodNamespace","type":"string","description":"Namespace of the destination Pod"},{"name":"DestGkePodWorkloadName","type":"string","description":"Name of the top-level destination workload controller"},{"name":"DestGkePodWorkloadType","type":"string","description":"Type of the top-level destination workload controller."},{"name":"PscAttachmentProjectId","type":"string","description":"Google Cloud project ID of the service attachment"},{"name":"PscAttachmentRegion","type":"string","description":"Region of the service attachment"},{"name":"PscAttachmentVpc","type":"dynamic","description":"VPC network details of the service attachment"},{"name":"PscEndpointProjectId","type":"string","description":"Google Cloud project ID of the Private Service Connect endpoint"},{"name":"PscEndpointConnectionId","type":"string","description":"Private Service Connect connection ID"},{"name":"PscEndpointRegion","type":"string","description":"Region of the endpoint. Not populated if the target service type is GLOBAL_GOOGLE_APIS."},{"name":"PscEndpointTargetServiceType","type":"string","description":"Target service type. Can be either GLOBAL_GOOGLE_APIS or PUBLISHED_SERVICE."},{"name":"PscEndpointVpc","type":"dynamic","description":"VPC network details of the Private Service Connect endpoint"},{"name":"SrcGatewayProjectId","type":"string","description":"Google Cloud project ID of the gateway"},{"name":"SrcGatewayLocation","type":"string","description":"Region of the gateway"},{"name":"SrcGatewayName","type":"string","description":"Name of the gateway"},{"name":"SrcGatewayType","type":"string","description":"Type of the gateway. 
Can be INTERCONNECT_ATTACHMENT or VPN_TUNNEL."},{"name":"SrcGatewayVpc","type":"dynamic","description":"VPC network details of the gateway"},{"name":"SrcGatewayInterconnectName","type":"string","description":"If the type of the gateway is INTERCONNECT_ATTACHMENT, this field is populated with the name of the Cloud Interconnect connection on which the VLAN attachment is configured."},{"name":"SrcGatewayInterconnectProjectNumber","type":"string","description":"If the type of the gateway is INTERCONNECT_ATTACHMENT, this field is populated with the Google Cloud project number of the Cloud Interconnect connection on which the VLAN attachment is configured."},{"name":"DestGatewayProjectId","type":"string","description":"Google Cloud project ID of the destination gateway"},{"name":"DestGatewayLocation","type":"string","description":"Region of the destination gateway"},{"name":"DestGatewayName","type":"string","description":"Name of the destination gateway"},{"name":"DestGatewayType","type":"string","description":"Type of the destination gateway. 
Can be INTERCONNECT_ATTACHMENT or VPN_TUNNEL."},{"name":"DestGatewayVpc","type":"dynamic","description":"VPC network details of the gateway"},{"name":"DestGatewayInterconnectName","type":"string","description":"If the type of the gateway is INTERCONNECT_ATTACHMENT, this field is populated with the name of the Cloud Interconnect connection on which the VLAN attachment is configured."},{"name":"DestGatewayInterconnectProjectNumber","type":"string","description":"If the type of the gateway is INTERCONNECT_ATTACHMENT, this field is populated with the Google Cloud project number of the Cloud Interconnect connection on which the VLAN attachment is configured."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GKEAPIServer","name":"GKEAPIServer","tableType":"Microsoft","description":"The Google Cloud Platform (GCP) Kubernetes Engine data connector allows you to monitor containerized applications, track performance metrics, and detect potential threats across your GKE environment.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp indicating when the log event was created or generated by the source system."},{"name":"InsertId","type":"string","description":"Unique ID for the log entry used to prevent duplication."},{"name":"LogName","type":"string","description":"Name of the log stream, usually indicating the source."},{"name":"Pid","type":"string","description":"Process ID that generated the log entry."},{"name":"Severity","type":"string","description":"Log severity level (e.g., INFO, WARNING, ERROR)."},{"name":"SourceFile","type":"string","description":"Source file in the API server codebase where the log 
originated."},{"name":"SourceLine","type":"string","description":"Line number in the source file."},{"name":"ReceiveTimestamp","type":"datetime","description":"Timestamp when GCP Logging received the log."},{"name":"ClusterName","type":"string","description":"Name of the Kubernetes cluster."},{"name":"ComponentLocation","type":"string","description":"Region or zone where the API server is located."},{"name":"ComponentName","type":"string","description":"Name of the GKE component generating the log (typically apiserver)."},{"name":"Location","type":"string","description":"GCP region or zone."},{"name":"ProjectID","type":"string","description":"GCP project ID where the GKE cluster resides."},{"name":"ComputeResourceName","type":"string","description":"Name of the compute instance or pod."},{"name":"Protocol","type":"string","description":"Protocol used for the request (e.g., HTTP/1.1)."},{"name":"HttpVerb","type":"string","description":"HTTP method (e.g., GET, POST, PUT, DELETE)."},{"name":"URI","type":"string","description":"Full URI of the API request to the Kubernetes API server."},{"name":"Latency","type":"string","description":"Total time taken to serve the request."},{"name":"UserAgent","type":"string","description":"The User-Agent string sent with the request."},{"name":"AuditID","type":"string","description":"Unique identifier for the audit log entry."},{"name":"SrcIP","type":"string","description":"Source IP address of the client that sent the request."},{"name":"Message","type":"string","description":"The content of the log message."},{"name":"Labels","type":"dynamic","description":"Dynamic field containing various labels associated with the log entry."},{"name":"ResponseCode","type":"int","description":"HTTP response status code."},{"name":"ApfPl","type":"string","description":"API Priority and Fairness (APF) Priority Level."},{"name":"ApfFs","type":"string","description":"APF Flow Schema."},{"name":"ApfISeats","type":"int","description":"Number of seats 
initially allocated by APF."},{"name":"ApfFSeats","type":"int","description":"Final number of seats used after adjustments."},{"name":"ApfAdditionalLatency","type":"string","description":"Additional latency due to APF throttling."},{"name":"ApfExecutionTime","type":"string","description":"Time taken to execute the request excluding APF wait time."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GKEApplication","name":"GKEApplication","tableType":"Microsoft","description":"The Google Cloud Platform (GCP) Kubernetes Engine data connector allows you to monitor containerized applications, track performance metrics, and detect potential threats across your GKE environment.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp indicating when the log event was created or generated by the source system."},{"name":"InsertId","type":"string","description":"A unique identifier for the log entry, useful for deduplication."},{"name":"LogName","type":"string","description":"The full resource name of the log (e.g., 'projects/[PROJECT_ID]/logs/[LOG_ID]')."},{"name":"Labels","type":"dynamic","description":"Key-value pairs providing additional metadata about the log entry."},{"name":"Severity","type":"string","description":"The severity level of the log entry (e.g., DEBUG, INFO, WARNING, ERROR)."},{"name":"ReceiveTimestamp","type":"datetime","description":"The time the log entry was received by the logging system."},{"name":"ClusterName","type":"string","description":"The name of the GKE cluster from which the log entry originated."},{"name":"NamespaceName","type":"string","description":"The Kubernetes namespace 
associated with the log entry."},{"name":"PodName","type":"string","description":"The name of the Kubernetes pod where the container is running."},{"name":"Location","type":"string","description":"The GCP region or zone where the log entry was generated."},{"name":"ContainerName","type":"string","description":"The name of the container inside the pod that generated the log."},{"name":"JsonPayload","type":"dynamic","description":"Structured JSON-formatted log content if available."},{"name":"ProjectID","type":"string","description":"The ID of the Google Cloud project where the log entry originated."},{"name":"TextPayload","type":"string","description":"Unstructured text message associated with the log entry."},{"name":"ComputeResourceName","type":"string","description":"The name of the underlying compute resource (such as the node or instance)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GKEAudit","name":"GKEAudit","tableType":"Microsoft","description":"The Google Cloud Platform (GCP) Kubernetes Engine data connector allows you to monitor containerized applications, track performance metrics, and detect potential threats across your GKE environment.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp indicating when the log event was created or generated by the source system."},{"name":"LogType","type":"string","description":"The category or type of log, such as GKEAudit, indicating the origin of the log data."},{"name":"InsertId","type":"string","description":"A unique identifier for the log entry, used to deduplicate log 
records."},{"name":"ReceiveTimestamp","type":"datetime","description":"The time when the log entry was received by the logging system."},{"name":"Labels","type":"dynamic","description":"Custom key-value pairs that provide additional metadata for the log entry, such as environment or custom tags."},{"name":"ProtoPayload","type":"dynamic","description":"A structured representation of the audit log entry using the Protobuf format. Contains detailed audit event data such as method name, status, and authentication info."},{"name":"JsonPayload","type":"dynamic","description":"The JSON representation of the log entry payload, often containing key audit data when not using ProtoPayload."},{"name":"Operation","type":"dynamic","description":"Contains information about an operation associated with the log, such as operation ID and producer."},{"name":"Severity","type":"string","description":"The severity level of the log entry (e.g., INFO, WARNING, ERROR). Indicates the importance or impact of the event."},{"name":"logName","type":"string","description":"The full name of the log (e.g., projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity), showing the type and location of the log data."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GKEControllerManager","name":"GKEControllerManager","tableType":"Microsoft","description":"The Google Cloud Platform (GCP) Kubernetes Engine data connector allows you to monitor containerized applications, track performance metrics, and detect potential threats across your GKE environment.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp indicating when the log event 
was created or generated by the source system."},{"name":"InsertId","type":"string","description":"A unique identifier for the log entry to prevent duplication."},{"name":"Message","type":"string","description":"The content of the log message."},{"name":"Labels","type":"dynamic","description":"Dynamic field containing various labels associated with the log entry."},{"name":"LogName","type":"string","description":"The full resource name of the log (e.g., projects/{project_id}/logs/{log_id})."},{"name":"Pid","type":"string","description":"The process ID of the component that emitted the log, if available."},{"name":"Severity","type":"string","description":"The severity level of the log (e.g., DEBUG, INFO, WARNING, ERROR)."},{"name":"SourceFile","type":"string","description":"The source file in the Kubernetes codebase where the log originated."},{"name":"SourceLine","type":"string","description":"The line number in the source file where the log was emitted."},{"name":"ReceiveTimestamp","type":"datetime","description":"The time the log was received by Cloud Logging."},{"name":"ClusterName","type":"string","description":"The name of the GKE cluster from which the log was generated."},{"name":"ComponentLocation","type":"string","description":"The zone or region of the Kubernetes component emitting the log."},{"name":"ComponentName","type":"string","description":"The name of the GKE control plane component (e.g., kube-controller-manager)."},{"name":"Location","type":"string","description":"The geographical location (region or zone) of the cluster."},{"name":"ProjectID","type":"string","description":"The Google Cloud project ID where the GKE cluster is hosted."},{"name":"ComputeResourceName","type":"string","description":"The name of the compute resource (e.g., VM name or controller name) associated with the log."},{"name":"Logger","type":"string","description":"The logging class or module that generated the message, often used for categorizing 
logs."},{"name":"Kind","type":"string","description":"The type of Kubernetes resource being managed or referenced (e.g., Deployment, ReplicaSet)."},{"name":"Key","type":"string","description":"A unique identifier for the Kubernetes resource (typically namespace/name)."},{"name":"Duration","type":"string","description":"The time duration the operation took, generally in seconds with fractional precision (e.g., 1.234567s)."},{"name":"SyncStatus","type":"string","description":"The synchronization status or result of the controller operation (e.g., success, error, requeue)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GKEHPADecision","name":"GKEHPADecision","tableType":"Microsoft","description":"The Google Cloud Platform (GCP) Kubernetes Engine data connector allows you to monitor containerized applications, track performance metrics, and detect potential threats across your GKE environment.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp indicating when the log event was created or generated by the source system."},{"name":"InsertId","type":"string","description":"A unique ID assigned to the log entry to ensure de-duplication."},{"name":"Message","type":"string","description":"The content of the log message."},{"name":"Labels","type":"dynamic","description":"Dynamic field containing various labels associated with the log entry."},{"name":"LogName","type":"string","description":"The resource path of the log (e.g., projects/{project_id}/logs/{log_id})."},{"name":"Severity","type":"string","description":"The severity level of the log (e.g., DEBUG, INFO, WARNING, 
ERROR)."},{"name":"SourceFile","type":"string","description":"The source code file where the log originated from."},{"name":"SourceLine","type":"string","description":"The specific line number in the source file that generated the log."},{"name":"ReceiveTimestamp","type":"datetime","description":"The timestamp when the log was received by the logging system."},{"name":"ClusterName","type":"string","description":"The name of the GKE cluster where the HPA decision occurred."},{"name":"ComponentLocation","type":"string","description":"The physical location (region or zone) of the Kubernetes component emitting the log."},{"name":"ComponentName","type":"string","description":"The name of the GKE control plane component (typically 'horizontal-pod-autoscaler')."},{"name":"Location","type":"string","description":"The geographical location (region or zone) of the cluster."},{"name":"ProjectID","type":"string","description":"The Google Cloud project ID that owns the GKE cluster."},{"name":"ComputeResourceName","type":"string","description":"The name of the compute resource or pod that is being scaled."},{"name":"VMName","type":"string","description":"The name of the VM instance hosting the workload."},{"name":"Zone","type":"string","description":"The specific zone in which the resource resides."},{"name":"ActuationLatencySeconds","type":"real","description":"Time taken (in seconds) to apply the autoscaling decision from the time it was made."},{"name":"ActuationTime","type":"datetime","description":"The timestamp when the autoscaler made a scaling decision."},{"name":"ConfiguredSize","type":"int","description":"The number of replicas configured after the autoscaler decision."},{"name":"HPA","type":"string","description":"The name of the Horizontal Pod Autoscaler making the decision."},{"name":"LeadingMetricIndex","type":"int","description":"Index indicating the metric that most influenced the autoscaling decision."},{"name":"Replicas","type":"int","description":"The current 
number of replicas before the scaling decision."},{"name":"StartTime","type":"datetime","description":"The time when metric collection or evaluation started for the autoscaler."},{"name":"TargetRefAPIVersion","type":"string","description":"API version of the target resource (e.g., apps/v1)."},{"name":"TargetRefKind","type":"string","description":"Kind of the target Kubernetes resource (e.g., Deployment, StatefulSet)."},{"name":"TargetRefName","type":"string","description":"The name of the target Kubernetes object being scaled."},{"name":"TopLevelLimit","type":"string","description":"The top-level scaling limit set on the number of replicas (e.g., maxReplicas)."},{"name":"TopLevelOverride","type":"string","description":"An override value for top-level limits, if specified (e.g., via policy or admin input)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GKEScheduler","name":"GKEScheduler","tableType":"Microsoft","description":"The Google Cloud Platform (GCP) Kubernetes Engine data connector allows you to monitor containerized applications, track performance metrics, and detect potential threats across your GKE environment.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp indicating when the log event was created or generated by the source system"},{"name":"Message","type":"string","description":"The content of the log message."},{"name":"Labels","type":"dynamic","description":"Dynamic field containing various labels associated with the log entry."},{"name":"InsertId","type":"string","description":"A unique identifier for the log entry, used to deduplicate log 
records."},{"name":"LogName","type":"string","description":"The full resource name of the log to which this log entry belongs, typically includes project and log type."},{"name":"Pid","type":"string","description":"Process ID associated with the log entry, if available."},{"name":"Severity","type":"string","description":"The severity level of the log (e.g., INFO, WARNING, ERROR)."},{"name":"SourceFile","type":"string","description":"The source file where the log was generated, if available from sourceLocation."},{"name":"SourceLine","type":"string","description":"The line number in the source file where the log was generated."},{"name":"ReceiveTimestamp","type":"datetime","description":"The timestamp when the log entry was received by the logging system."},{"name":"ClusterName","type":"string","description":"Name of the GKE cluster from which the log originated."},{"name":"ComponentLocation","type":"string","description":"Location or zone of the component (e.g., us-central1-a) within the cluster."},{"name":"ComponentName","type":"string","description":"Name of the component or microservice generating the log (e.g., kube-apiserver)."},{"name":"Location","type":"string","description":"Geographical region or zone of the GKE cluster or resource."},{"name":"ProjectID","type":"string","description":"Google Cloud project ID associated with the log entry."},{"name":"ComputeResourceName","type":"string","description":"Name of the compute resource (e.g., VM instance) related to the log entry."},{"name":"Protocol","type":"string","description":"The protocol used for the request, such as HTTP."},{"name":"HttpVerb","type":"string","description":"The HTTP method used in the request (e.g., GET, POST)."},{"name":"URI","type":"string","description":"The requested URI path extracted from the log message."},{"name":"Latency","type":"string","description":"Request latency duration (e.g., time taken to complete the request)."},{"name":"UserAgent","type":"string","description":"The user 
agent string from the client that made the request."},{"name":"AuditID","type":"string","description":"An identifier used for tracking the audit trail of the request."},{"name":"SrcIP","type":"string","description":"Source IP address of the client making the request."},{"name":"ResponseCode","type":"int","description":"HTTP status code returned in the response (e.g., 200, 403)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GoogleCloudSCC","name":"GoogleCloudSCC","tableType":"Microsoft","description":"Security Command Center is a comprehensive security and risk management platform for Google Cloud. It offers features such as asset inventory and discovery, vulnerability and threat detection, and risk mitigation and remediation to help you gain insight into your organization's security and data attack surface. 
This integration enables you to perform tasks related to findings and assets more effectively.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"Findings","type":"dynamic","description":"A Dynamic array of all the findings associated with the resource."},{"name":"FindingsResource","type":"dynamic","description":"A Dynamic array of the resource that was affected by the security finding."},{"name":"SourceProperties","type":"dynamic","description":"A map of additional properties about the source of the security finding."},{"name":"TimeGenerated","type":"datetime","description":"The time at which the security finding was first detected."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GoogleWorkspaceReports","name":"GoogleWorkspaceReports","tableType":"Microsoft","description":"The [Google Workspace](https://workspace.google.com/) Activities data connector provides the capability to ingest Activity Events from [Google Workspace API](https://developers.google.com/admin-sdk/reports/reference/rest/v1/activities/list) into Microsoft Sentinel.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time that the log was generated."},{"name":"Kind","type":"string","description":"The type of API resource. For an activity report, the value is audit#activity."},{"name":"Etag","type":"string","description":"ETag of the entry."},{"name":"OwnerDomain","type":"string","description":"This is the domain that is affected by the report's event. 
For example domain of Admin console or the Drive application's document owner."},{"name":"SrcIpAddr","type":"string","description":"IP address of the user doing the action."},{"name":"IdApplicationName","type":"string","description":"Application name to which the event belongs."},{"name":"IdCustomerId","type":"string","description":"The unique identifier for a Google Workspace account."},{"name":"IdUniqueQualifier","type":"string","description":"Unique qualifier if multiple events have the same time."},{"name":"IdTime","type":"string","description":"Time of occurrence of the activity. This is in UNIX epoch time in seconds."},{"name":"NetworkIpAsn","type":"dynamic","description":"IP Address of the user doing the action."},{"name":"NetworkInfoRegionCode","type":"string","description":"ISO 3166-1 alpha-2 region code of the user doing the action."},{"name":"NetworkInfoSubdivisionCode","type":"string","description":"ISO 3166-2 region code (states and provinces) for countries of the user doing the action."},{"name":"ActorEmail","type":"string","description":"The primary email address of the actor. May be absent if there is no email address associated with the actor."},{"name":"ActorCallerType","type":"string","description":"The type of actor."},{"name":"ActorProfileId","type":"string","description":"The unique Google Workspace profile ID of the actor. This value might be absent if the actor is not a Google Workspace user, or may be the number 105250506097979753968 which acts as a placeholder ID."},{"name":"ActorKey","type":"string","description":"Only present when callerType is KEY. 
Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts."},{"name":"ActorApplicationInfoOauthClientId","type":"string","description":"OAuth client id of the third party application used to perform the action."},{"name":"ActorApplicationInfoApplicationName","type":"string","description":"Name of the application used to perform the action."},{"name":"ActorApplicationInfoImpersonation","type":"bool","description":"Whether the application was impersonating a user."},{"name":"ResourceDetails","type":"dynamic","description":"Details of the resource on which the action was performed."},{"name":"EventType","type":"string","description":"Type of event."},{"name":"EventName","type":"string","description":"Name of the event."},{"name":"EventParameters","type":"dynamic","description":"JSON of all parameters that are associated with the event."},{"name":"AppName","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"ApplicationName","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"ClientType","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"DeviceId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"DeviceType","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"GroupEmail","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"NewValue","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"OldValue","type":"string","description":"Deprecated. 
Use EventParameters column to find the value of this column instead."},{"name":"OwnerEmail","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"EventResourceId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"EventResourceName","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"RuleName","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"SharedDriveId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"TargetDomain","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"UserAgent","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"UserEmail","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"Value","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"Visibility","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"Timestamp","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"BrowserVersion","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"ChromeOrgUnitId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"ContentHash","type":"string","description":"Deprecated. 
Use EventParameters column to find the value of this column instead."},{"name":"ContentName","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"ContentRiskLevel","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"ContentSize","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"ContentTransferMethod","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"ContentType","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"DeviceName","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"DevicePlatform","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"DeviceUser","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"EventResult","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"OrgUnitName","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"ProfileUserName","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"ScanId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"TriggerDestination","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"TriggerSource","type":"string","description":"Deprecated. 
Use EventParameters column to find the value of this column instead."},{"name":"TriggerType","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"Url","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"VirtualDeviceId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"AccountState","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. Parameter to indicate the account state on the device."},{"name":"ActorIsCollaboratorAccount","type":"bool","description":"Deprecated. Use EventParameters column to find the value of this column instead. Indicates whether the actor is a collaborator account."},{"name":"ApiKind","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The kind of API request made."},{"name":"ApplicationEdition","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The Google Workspace edition."},{"name":"Billable","type":"bool","description":"Deprecated. Use EventParameters column to find the value of this column instead. Whether this activity is billable."},{"name":"CalendarId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. Calendar Id of the relevant calendar in context of this action (for example the calendar that an event is on, or a calendar being subscribed to). Usually takes the form of the user's email address."},{"name":"ClientId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. Client ID to which access has been granted / revoked."},{"name":"DestinationFolderId","type":"string","description":"Deprecated. 
Use EventParameters column to find the value of this column instead. The unique identifier of the destination folder."},{"name":"DestinationFolderTitle","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The title of the destination folder."},{"name":"DocId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The unique identifier of the document."},{"name":"DocTitle","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The title of the document."},{"name":"DocType","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The type of the document."},{"name":"DstUserUpn","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"DestUserUpn","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"DvcGuid","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The unique identifier of the device used."},{"name":"DvcInterfaceGuid","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The unique identifier of the device interface."},{"name":"DvcModelName","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The model name of the device used."},{"name":"DvcModelNumber","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The model number of the device used."},{"name":"DvcType","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The type of the device used."},{"name":"EventEndTime","type":"string","description":"Deprecated. 
Use EventParameters column to find the value of this column instead. The end time of the event."},{"name":"EventGuest","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The email address of the event guest."},{"name":"EventId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The unique identifier of the event."},{"name":"EventMessage","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The name of the event."},{"name":"EventOriginalMessage","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. An array representing a chain of events, where each element is a sub-event."},{"name":"EventProduct","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The product associated with the event."},{"name":"EventResponseStatus","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The response status of the event."},{"name":"EventStartTime","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The start time of the event."},{"name":"EventTitle","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The title of the event."},{"name":"EventUid","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The unique identifier of the event."},{"name":"EventVendor","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The vendor of the event."},{"name":"GroupDomain","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. 
The organizational unit (OU) name (path)."},{"name":"IosVendorId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The vendor ID for iOS devices."},{"name":"IosVendorUID","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The vendor UID for iOS devices."},{"name":"IsSecondFactor","type":"bool","description":"Deprecated. Use EventParameters column to find the value of this column instead. Indicates if the event involves a second-factor authentication attempt."},{"name":"IsSuspicious","type":"bool","description":"Deprecated. Use EventParameters column to find the value of this column instead. Indicates if the event is considered suspicious."},{"name":"LastSyncAuditDate","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The date of the last synchronization audit."},{"name":"LoginChallengeMethod","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The method used for the login challenge."},{"name":"LoginChallengeStatus","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The status of the login challenge."},{"name":"LoginType","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The type of credentials used to attempt login."},{"name":"ModuleName","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The new license for this product name."},{"name":"NotificationMessageId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The notification message Id."},{"name":"NotificationMethod","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. 
The method used for the notification."},{"name":"NotificationType","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The type of notification."},{"name":"OldEventTitle","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. If the title of a calendar event has been changed, this is the previous title of the event."},{"name":"OldVisibility","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. Old Visibility of Target File."},{"name":"OrganizerCalendarId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. Calendar Id of this Event's organizer."},{"name":"OriginatingAppId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The Google Cloud Project ID of the application that performed the action."},{"name":"OsProperty","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. Operating System properties."},{"name":"Owner","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The owner of the resource involved in the event."},{"name":"OwnerIsSharedDrive","type":"bool","description":"Deprecated. Use EventParameters column to find the value of this column instead. Indicates if the owner is a shared drive."},{"name":"OwnerIsTeamDrive","type":"bool","description":"Deprecated. Use EventParameters column to find the value of this column instead. Indicates if the owner is a team drive."},{"name":"PrimaryEvent","type":"bool","description":"Deprecated. Use EventParameters column to find the value of this column instead. Indicates if the event is the primary event in a chain of events."},{"name":"ProcessName","type":"string","description":"Deprecated. 
Use EventParameters column to find the value of this column instead. The unique name (ID) of the setting that was changed."},{"name":"RegisterPrivelege","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. Device Policy app's privilege on the user's device."},{"name":"Resource_Id","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The unique resource Id of the device."},{"name":"RoleName","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The unique name (ID) of the role assigned to the user."},{"name":"Scope","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The scope of the access request."},{"name":"ScopeData","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. Additional data related to the scope."},{"name":"SerialNumber","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The serial number of the device."},{"name":"SourceFolderId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The ID of the source folder if the document is located in a shared drive."},{"name":"SourceFolderTitle","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The title of the source folder if the document is located in a shared drive."},{"name":"TargetCalendarId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The ID of the calendar targeted by the event."},{"name":"TargetUserDomain","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. 
The domain targeted by the event."},{"name":"TargetUserName","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The user targeted by the event."},{"name":"TeamDriveId","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"UserAadid","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. This ID helps correlate events and activities to the correct Google Workspace tenant."},{"name":"UserAgentOriginal","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead. The user agent from the request that triggered this action."},{"name":"VisibilityChange","type":"string","description":"Deprecated. Use EventParameters column to find the value of this column instead."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"GraphNotificationsActivityLogs","name":"GraphNotificationsActivityLogs","tableType":"Microsoft","description":"Microsoft Graph Notifications activity Logs provide details of notifications published for resources in the tenant.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time the notification was published."},{"name":"Location","type":"string","description":"The name of the region that served the request."},{"name":"Message","type":"string","description":"The details of the notification"},{"name":"CorrelationId","type":"string","description":"The identifier representing the request."},{"name":"ResourceIdentity","type":"string","description":"The identifier for the message. 
"},{"name":"ContextId","type":"string","description":"The identifier for the message."},{"name":"ResultDescription","type":"string","description":"The HTTP response for the event."},{"name":"ResultStatusCode","type":"int","description":"The HTTP method of the event."},{"name":"SubscriptionIdentity","type":"string","description":"The subscription id for which notification is delivered"},{"name":"PublicationIds","type":"string","description":"The publication ids of the messages"},{"name":"DurationMs","type":"int","description":"The duration of the request in milliseconds."},{"name":"WorkloadNamespace","type":"string","description":"The workload for which notification gets delivered"},{"name":"WorkloadResource","type":"string","description":"The details related to the resource"},{"name":"ApplicationId","type":"string","description":"The application id"},{"name":"WebHeaders","type":"string","description":"The webheaders for the request"},{"name":"AccountType","type":"string","description":"The account type"},{"name":"LoggingLevel","type":"string","description":"The logging level for the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","network","management"],"solutions":["LogManagement"]}},{"id":"HDInsightAmbariClusterAlerts","name":"HDInsightAmbariClusterAlerts","tableType":"Microsoft","description":"Cluster Alerts generated by Ambari.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"ReferenceURI","type":"string","description":"The URI to the alert."},{"name":"ClusterName","type":"string","description":"The name of the cluster the alert came from."},{"name":"ComponentName","type":"string","description":"The component 
that generated the alert."},{"name":"DefinitionId","type":"int","description":"Id of the alert definition."},{"name":"DefinitionName","type":"string","description":"Name of the alert definition."},{"name":"AlertFirmness","type":"string","description":"The firmness of the alert."},{"name":"HostFQDN","type":"string","description":"The FQDN of the host where the alert was generated."},{"name":"HostName","type":"string","description":"The name of the host where the alert was generated."},{"name":"AlertID","type":"int","description":"The ID of the alert message."},{"name":"AlertInstance","type":"string","description":"Instance number of the alert."},{"name":"Label","type":"string","description":"The label of the alert."},{"name":"LatestTimestamp","type":"long","description":"The latest time the alert occurred."},{"name":"OriginalTimestamp","type":"long","description":"The timestamp the alert first occurred."},{"name":"MaintenanceState","type":"string","description":"The maintenance classification state of the alert."},{"name":"Occurences","type":"int","description":"The number of times an alert has occurred."},{"name":"RepeatTolerance","type":"int","description":"The total number of occurrences an alert can have before being escalated."},{"name":"RepeatToleranceRemaining","type":"int","description":"The number of occurrences left before an alert gets escalated."},{"name":"Scope","type":"string","description":"The scope of the alert."},{"name":"ServiceName","type":"string","description":"The name of the service that generated the alert."},{"name":"State","type":"string","description":"The state of the alert."},{"name":"Text","type":"string","description":"The informational text of the alert."},{"name":"ClusterType","type":"string","description":"The type of cluster where the alert was generated."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightAmbariSystemMetrics","name":"HDInsightAmbariSystemMetrics","tableType":"Microsoft","description":"System metrics from each individual node generated by Ambari.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"CpuIdle","type":"real","description":"Percent of CPU time spent in idle state in past cycle."},{"name":"CpuNice","type":"real","description":"Percent of CPU time spent running processes with positive nice values."},{"name":"NumberOfCpu","type":"real","description":"Number of CPU cores running on the node."},{"name":"CpuSystem","type":"real","description":"Percent of CPU time spent running system level processes in past cycle."},{"name":"CpuUser","type":"real","description":"Percent of CPU time spent running user level processes in past cycle."},{"name":"CpuIOWait","type":"real","description":"Percent of CPU time spent waiting for I/O requests in past cycle."},{"name":"DiskFree","type":"real","description":"Amount of free disk space (in GB)."},{"name":"DiskTotal","type":"real","description":"Total disk space (in GB)."},{"name":"ReadBytes","type":"real","description":"Number of bytes read."},{"name":"ReadCount","type":"real","description":"Number of read operations."},{"name":"ReadTime","type":"real","description":"Time spent on read operations."},{"name":"WriteBytes","type":"real","description":"Number of bytes 
written."},{"name":"WriteCount","type":"real","description":"Number of write operations."},{"name":"WriteTime","type":"real","description":"Time spent on write operations."},{"name":"FifteenMinutLoad","type":"real","description":"load over past 15 minutes."},{"name":"FiveMinuteLoad","type":"real","description":"load over past five minutes."},{"name":"OneMinuteLoad","type":"real","description":"load over past one minute."},{"name":"CachedMemory","type":"real","description":"amount of cached memory in KB."},{"name":"FreeMemory","type":"real","description":"amount of free memory in KB."},{"name":"SharedMemory","type":"real","description":"amount of shared memory in KB."},{"name":"TotalMemory","type":"real","description":"total amount of memory in KB."},{"name":"FreeSwapMemory","type":"real","description":"amount of free swap memory in KB."},{"name":"BytesIn","type":"real","description":"Bytes ingested in last timeframe."},{"name":"BytesOut","type":"real","description":"Bytes sent out."},{"name":"PacketsIn","type":"real","description":"Packets ingested in last timeframe."},{"name":"PacketsOut","type":"real","description":"Packets sent out in last timeframe."},{"name":"ProcessesRun","type":"real","description":"Processes run in last timeframe."},{"name":"TotalProcesses","type":"real","description":"Total amount of processes run on host."},{"name":"ClusterName","type":"string","description":"Name of the cluster the host belongs to."},{"name":"HostName","type":"string","description":"Name of the host the record came from."},{"name":"ClusterType","type":"string","description":"Type of cluster the record came from."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightGatewayAuditLogs","name":"HDInsightGatewayAuditLogs","tableType":"Microsoft","description":"Authentication audit logs from HDInsight Gateway nodes.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"UserName","type":"string","description":"The username used for the login attempt."},{"name":"Status","type":"string","description":"The outcome of the login attempt."},{"name":"ClusterDnsName","type":"string","description":"The DNS name of the cluster."},{"name":"AccessRequestCount","type":"real","description":"Number of login requests associated with the user."},{"name":"ErrorMessage","type":"string","description":"Any error message associated with the login attempt."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightHBaseLogs","name":"HDInsightHBaseLogs","tableType":"Microsoft","description":"All logs from HDInsight HBase Logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The 
timestamp (UTC) of when the log was generated."},{"name":"LogLevel","type":"string","description":"log level of message (INFO, WARN, ERROR, etc.)."},{"name":"Message","type":"string","description":"message from HBase log."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"ClusterType","type":"string","description":"Name of cluster."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"LogType","type":"string","description":"The name of the log file that a record came from (e.g. RegionServer, HMaster)."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightHBaseMetrics","name":"HDInsightHBaseMetrics","tableType":"Microsoft","description":"JMX metrics from HBase clusters.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"MetricNamespace","type":"string","description":"Category of metric (value of the jmx query string e.g. Hadoop:service=HBase,name=Master,sub=IPC, etc). 
"},{"name":"MetricName","type":"string","description":"Name of the metric for the record (e.g. queueSize, receivedBytes, numActiveHandler, etc)."},{"name":"MetricValue","type":"real","description":"Value of metric in the record."},{"name":"Tags","type":"dynamic","description":"Information about the record. For example a record may be tagged with 'master' if it is in the HMaster context."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"ClusterType","type":"string","description":"Type of the cluster."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightHadoopAndYarnLogs","name":"HDInsightHadoopAndYarnLogs","tableType":"Microsoft","description":"Logs from HDInsight Hadoop Clusters and YARN-related logs such as ResourceManager, NodeManager, and TimelineServer logs from all cluster types that use YARN.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"CorrelationId","type":"string","description":"The ID for 
correlated events. Can be used to identify correlated events between multiple tables."},{"name":"LogLevel","type":"string","description":"log level of message (INFO, WARN, ERROR, etc.)."},{"name":"Message","type":"string","description":"message from Hadoop or YARN log."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"ClusterType","type":"string","description":"Type of the cluster."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"LogType","type":"string","description":"The name of the log file that a record came from (e.g. YarnTimeLineServer, YarnResourceManager, etc.)."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightHadoopAndYarnMetrics","name":"HDInsightHadoopAndYarnMetrics","tableType":"Microsoft","description":"JMX metrics from Hadoop clusters and Yarn JMX metrics from any YARN-based cluster type.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"MetricNamespace","type":"string","description":"Category of metric (value of jmx query URIs e.g. 
Hadoop:service=ResourceManager,name=QueueMetrics, etc)."},{"name":"MetricName","type":"string","description":"Name of the metric for the record (e.g. AppsCompleted, AppsKilled, AppsFailed , etc)."},{"name":"MetricValue","type":"real","description":"Value of metric in the record."},{"name":"Tags","type":"dynamic","description":"Information about the record. For example a record may be tagged with 'yarn' if it is in the yarn context."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"ClusterType","type":"string","description":"Name of cluster."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightHiveAndLLAPLogs","name":"HDInsightHiveAndLLAPLogs","tableType":"Microsoft","description":"All logs from HDInsight Hive and LLAP Clusters.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. 
Can be used to identify correlated events between multiple tables."},{"name":"LogLevel","type":"string","description":"log level of message (INFO, WARN, ERROR, etc.)."},{"name":"Message","type":"string","description":"message from Hive or LLAP log."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"ClusterType","type":"string","description":"Type of the cluster."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"LogType","type":"string","description":"The name of the log file that a record came from (e.g. HiveServerLog, WebHCatLog, etc.)."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightHiveAndLLAPMetrics","name":"HDInsightHiveAndLLAPMetrics","tableType":"Microsoft","description":"JMX metrics from Hive and LLAP clusters.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"MetricNamespace","type":"string","description":"Category of metric (value of jmx query string e.g. Hadoop:service=LlapDaemon,name=LlapDaemonCacheMetrics, etc). "},{"name":"MetricName","type":"string","description":"Name of the metric for the record (e.g. 
CacheCapacityRemaining, CacheCapacityRemainingPercentage,CacheCapacityTotal, etc)."},{"name":"MetricValue","type":"real","description":"Value of metric in the record."},{"name":"Tags","type":"dynamic","description":"Information about the record. For example a record may be tagged with 'LlapDaemon' if it came from that process."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"ClusterType","type":"string","description":"Type of the cluster."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightHiveQueryAppStats","name":"HDInsightHiveQueryAppStats","tableType":"Microsoft","description":"Hive Query Metrics emitted from the YARN Timeline Server.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"Entity","type":"string","description":"Name of the query's entity."},{"name":"EntityType","type":"string","description":"The type of the query's entity."},{"name":"MetricName","type":"string","description":"Name of the 
metric for the record (e.g. AppsCompleted, AppsKilled, AppsFailed , etc)."},{"name":"MetricValue","type":"real","description":"Value of metric in the record."},{"name":"Tags","type":"dynamic","description":"Information about the record. For example a record may be tagged with 'yarn' if it is in the yarn context."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"ClusterType","type":"string","description":"Type of cluster (e.g. LLAP or Hadoop)."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"QuerySubmissionTime","type":"long","description":"Time that query was submitted."},{"name":"QueryCompletionTime","type":"long","description":"Time that query was completed."},{"name":"Domain","type":"string","description":"The domain associated with the query."},{"name":"RequestUser","type":"string","description":"The client user that submitted the request."},{"name":"ExecutionMode","type":"string","description":"The execution mode of the query."},{"name":"User","type":"string","description":"The user of the Hive instance executing the query."},{"name":"Queue","type":"string","description":"The queue the query was served from."},{"name":"TablesRead","type":"string","description":"The tables read by the query."},{"name":"ClientIpAddress","type":"string","description":"The query client's IP address."},{"name":"IsTez","type":"bool","description":"True if the query is a Tez query."},{"name":"IsMapReduce","type":"bool","description":"True if the query is a MapReduce query."},{"name":"ThreadName","type":"string","description":"The name of the thread running the query."},{"name":"HiveInstanceType","type":"string","description":"The type of hive instance running the query."},{"name":"SessionId","type":"string","description":"The session ID of the query."},{"name":"OperationName","type":"string","description":"The operation associated with log 
record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightHiveTezAppStats","name":"HDInsightHiveTezAppStats","tableType":"Microsoft","description":"Tez Application Metrics emitted from the YARN Resource Manager.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"MetricName","type":"string","description":"Name of the metric for the record (e.g. AppsCompleted, AppsKilled, AppsFailed , etc)."},{"name":"MetricValue","type":"real","description":"Value of metric in the record."},{"name":"Tags","type":"dynamic","description":"Information about the record. 
For example a record may be tagged with 'yarn' if it is in the yarn context."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"ClusterType","type":"string","description":"Name of cluster."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"ApplicationName","type":"string","description":"The name of the application that the metrics describe."},{"name":"ApplicationId","type":"string","description":"The ID of the Application that the metrics describe."},{"name":"User","type":"string","description":"The name of the user of the application."},{"name":"Queue","type":"string","description":"The queue of the application."},{"name":"State","type":"string","description":"The state of the application."},{"name":"FinalStatus","type":"string","description":"The final status of the application if it has reached a terminal state."},{"name":"TrackingUI","type":"string","description":"?."},{"name":"ClusterId","type":"long","description":"The final status of the application if it has reached a terminal state."},{"name":"ApplicationType","type":"string","description":"The type of application."},{"name":"StartedTime","type":"long","description":"The time the application started."},{"name":"FinishedTime","type":"long","description":"The time the application finished."},{"name":"ElapsedTime","type":"long","description":"The time elapsed while the application was running."},{"name":"AMContainerLogs","type":"string","description":"The Application Master's container logs."},{"name":"LogAggregationStatus","type":"string","description":"The log aggregation status."},{"name":"UnmanagedApplication","type":"bool","description":"True if the application is unmanaged, false otherwise."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. 
Can be used to identify correlated events between multiple tables."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightJupyterNotebookEvents","name":"HDInsightJupyterNotebookEvents","tableType":"Microsoft","description":"Spark Events Log.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"EventName","type":"string","description":"The name of the event."},{"name":"Dim0","type":"string","description":"Varies based on the type of event."},{"name":"Dim1","type":"datetime","description":"Varies based on the type of event."},{"name":"Dim2","type":"int","description":"Varies based on the type of event."},{"name":"Dim3","type":"int","description":"Varies based on the type of event."},{"name":"Dim4","type":"string","description":"Varies based on the type of event."},{"name":"Dim5","type":"int","description":"Varies based on the type of event."},{"name":"Dim6","type":"string","description":"Varies based on the type of event."},{"name":"Dim7","type":"string","description":"Varies based on the type of event."},{"name":"Dim8","type":"string","description":"Varies based on the type of event."},{"name":"Dim9","type":"string","description":"Varies based on the type of event."},{"name":"Dim10","type":"string","description":"Varies based on the type of 
event."},{"name":"ClusterTenantId","type":"string","description":"The tenant ID of the cluster running the application."},{"name":"Role","type":"string","description":"The type of node running the application."},{"name":"Host","type":"string","description":"The FQDN of the host."},{"name":"ClusterDnsName","type":"string","description":"The DNS name of the cluster running the application."},{"name":"Region","type":"string","description":"The region of the cluster running the application."},{"name":"IpAddress","type":"string","description":"The IP Address of the node running the application."},{"name":"UserSubscriptionId","type":"string","description":"The subscription ID of the cluster running the application"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightKafkaLogs","name":"HDInsightKafkaLogs","tableType":"Microsoft","description":"All logs from HDInsight Kafka.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. 
Can be used to identify correlated events between multiple tables."},{"name":"LogLevel","type":"string","description":"log level of message (INFO, WARN, ERROR, etc.)."},{"name":"Message","type":"string","description":"message from Kafka log."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"LogType","type":"string","description":"The name of the log file that a record came from (e.g. KafkaServer, KafkaController)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightKafkaMetrics","name":"HDInsightKafkaMetrics","tableType":"Microsoft","description":"All metrics from Kafka clusters.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"MetricNamespace","type":"string","description":"Category of metric (e.g. RequestMetrics, BrokerTopicMetrics, KafkaController, etc). "},{"name":"MetricName","type":"string","description":"Name of the metric for the record (e.g. OfflinePartitionsCount, UnderReplicatedPartitions, LeaderCount, etc)."},{"name":"MetricValue","type":"real","description":"Value of metric in the record."},{"name":"MetricDataType","type":"string","description":"CollectD datatype of the metric (e.g. gauge, counter, etc.). 
Determines how metric is portrayed over time. Please reference CollectD documentation for more information: https://collectd.org/wiki/index.php/Data_source ."},{"name":"Tags","type":"string","description":"Information about the record. For example a record may be tagged with 'kafka.network' if it is a network related metric."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightKafkaServerLog","name":"HDInsightKafkaServerLog","tableType":"Microsoft","description":"HDInsight Kafka Server Log","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated"},{"name":"CorrelationId","type":"string","description":"Id of associated events","isPreferredFacet":true},{"name":"Message","type":"string","description":"Entry of Kafka Server Log"},{"name":"ClusterDnsName","type":"string","description":"Name of cluster"},{"name":"HostName","type":"string","description":"Name of host where log was 
emitted"},{"name":"ClusterType","type":"string","description":"Type of the Cluster"},{"name":"FluentdIngestTimestamp","type":"datetime","description":"Time the log was ingested by the Fluentd framework"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"]}},{"id":"HDInsightOozieLogs","name":"HDInsightOozieLogs","tableType":"Microsoft","description":"All logs from the Oozie component.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"LogLevel","type":"string","description":"log level of message (INFO, WARN, ERROR, etc.)."},{"name":"Message","type":"string","description":"message from Oozie log."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"ClusterType","type":"string","description":"Type of the cluster."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"LogType","type":"string","description":"The name of the log file that a record came from."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. 
Can be used to identify correlated events between multiple tables."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightRangerAuditLogs","name":"HDInsightRangerAuditLogs","tableType":"Microsoft","description":"Audit logs from the Ranger component (only for ESP clusters).","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. 
Can be used to identify correlated events between multiple tables."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"ClusterType","type":"string","description":"Type of the cluster that emitted the record."},{"name":"RepoType","type":"int","description":"Integer representing the repo type."},{"name":"Repo","type":"string","description":"Name of the repo."},{"name":"RequestUser","type":"string","description":"Username associated with the event."},{"name":"AccessName","type":"string","description":"Name of the access method."},{"name":"ClusterResource","type":"string","description":"Resource involved in the request event."},{"name":"ClusterResourceType","type":"string","description":"The type of resource accessed."},{"name":"Action","type":"string","description":"Type of action made by the event."},{"name":"Result","type":"int","description":"Status code of the event result."},{"name":"Policy","type":"int","description":"Code representing the policy."},{"name":"Enforcer","type":"string","description":"Name of the policy enforcer."},{"name":"RequestData","type":"string","description":"Source that provides the request data."},{"name":"SessionId","type":"string","description":"ID associated with the user session."},{"name":"CliType","type":"string","description":"Type of CLI used to create the request."},{"name":"CliIpAddress","type":"string","description":"IP address from which the CLI request was made."},{"name":"LogType","type":"string","description":"Type of log the record came from."},{"name":"Id","type":"string","description":"ID of the event request."},{"name":"SequenceNumber","type":"int","description":"Sequence number of the event."},{"name":"EventCount","type":"int","description":"Number of events associated with the request."},{"name":"EventDurationMs","type":"int","description":"Duration of the event in 
milliseconds."},{"name":"Tags","type":"string","description":"List of tags associated with the event."},{"name":"AdditionalInfo","type":"string","description":"Additional info about the request, including the remote and forwarded IPs"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightSecurityLogs","name":"HDInsightSecurityLogs","tableType":"Microsoft","description":"Security-related logs, including the Ambari audit log and the auth log.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"Message","type":"string","description":"message from log file."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"LogType","type":"string","description":"The name of the log file that a record came from (e.g. 
AmbariAuditLog, AuthLog)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","security"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightSparkApplicationEvents","name":"HDInsightSparkApplicationEvents","tableType":"Microsoft","description":"Spark Application Events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"ApplicationId","type":"string","description":"The application id of the application producing the record."},{"name":"SparkUser","type":"string","description":"The Spark User associated with the record."},{"name":"AppAttemptId","type":"string","description":"The application attempt id."},{"name":"AppName","type":"string","description":"The application name."},{"name":"SubmissionTime","type":"datetime","description":"The time (UTC) the application was submitted."},{"name":"CompletionTime","type":"datetime","description":"The time (UTC) the application submission completed."},{"name":"ClusterTenantId","type":"string","description":"The tenant ID of the cluster running the application."},{"name":"Role","type":"string","description":"The type of node running the application."},{"name":"Host","type":"string","description":"The fqdn the node was run on."},{"name":"ClusterDnsName","type":"string","description":"The DNS name of the cluster running the application."},{"name":"Region","type":"string","description":"The 
region of the cluster running the application."},{"name":"IpAddress","type":"string","description":"The IP Address of the node running the application."},{"name":"UserSubscriptionId","type":"string","description":"The subscription ID of the cluster running the application"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightSparkBlockManagerEvents","name":"HDInsightSparkBlockManagerEvents","tableType":"Microsoft","description":"Spark Block Manager Events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"ApplicationId","type":"string","description":"The application ID of the application producing the record."},{"name":"ExecutorId","type":"string","description":"The ID of the executor running the application."},{"name":"Host","type":"string","description":"The FQDN of the host."},{"name":"AddedTime","type":"datetime","description":"The time (UTC) the event was added."},{"name":"RemovedTime","type":"datetime","description":"The time (UTC) the application was removed."},{"name":"MaxMemory","type":"long","description":"The max memory usage from the event."},{"name":"MaxOnHeapMemory","type":"long","description":"The max on heap memory usage from the event."},{"name":"MaxOffHeapMemory","type":"long","description":"The max off heap memory usage from the 
event."},{"name":"ClusterTenantId","type":"string","description":"The tenant ID of the cluster the Block Manager is running on."},{"name":"Role","type":"string","description":"The type of node the Block Manager is running on."},{"name":"ClusterDnsName","type":"string","description":"The DNS name of the cluster the Block Manager is running on."},{"name":"Region","type":"string","description":"The region of the cluster the Block Manager is running on."},{"name":"IpAddress","type":"string","description":"The IP Address of the node the Block Manager is running on."},{"name":"UserSubscriptionId","type":"string","description":"The subscription ID of the cluster the Block Manager is running on."},{"name":"BlockHost","type":"string","description":"The block host."},{"name":"BlockManagerHost","type":"string","description":"The host where the Block Manager is running."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightSparkEnvironmentEvents","name":"HDInsightSparkEnvironmentEvents","tableType":"Microsoft","description":"Spark Environment Events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"ApplicationId","type":"string","description":"The application ID of the application producing the record."},{"name":"SparkDeployMode","type":"string","description":"The spark deployment mode 
of the application."},{"name":"SparkMaster","type":"string","description":"The master mode of the Spark Application"},{"name":"YarnMaxAttempts","type":"int","description":"The max number of attempts Yarn will make for the application."},{"name":"SparkExecutorInstances","type":"int","description":"The number of Spark Executor instances."},{"name":"SparkExecutorMemory","type":"string","description":"The memory usage of the Spark Executor"},{"name":"SparkExecutorCores","type":"int","description":"The number of Executor cores."},{"name":"YarnTags","type":"string","description":"The YARN tag of the application."},{"name":"YarnQueue","type":"string","description":"The type of YARN queue for the application."},{"name":"ClusterTenantId","type":"string","description":"The tenant ID of the cluster running the application."},{"name":"Role","type":"string","description":"The type of node running the application."},{"name":"Host","type":"string","description":"The FQDN of the host."},{"name":"ClusterDnsName","type":"string","description":"The DNS name of the cluster running the application."},{"name":"Region","type":"string","description":"The region of the cluster running the application."},{"name":"IpAddress","type":"string","description":"The IP Address of the node running the application."},{"name":"UserSubscriptionId","type":"string","description":"The subscription ID of the cluster running the application"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightSparkExecutorEvents","name":"HDInsightSparkExecutorEvents","tableType":"Microsoft","description":"Spark Executor Events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"ApplicationId","type":"string","description":"The application ID of the application producing the record."},{"name":"ExecutorId","type":"string","description":"The ID of the Spark Executor."},{"name":"ExecutorCores","type":"int","description":"The number of cores the Spark Executor has."},{"name":"AddedTime","type":"datetime","description":"The time (UTC) the Executor was added."},{"name":"RemovedTime","type":"datetime","description":"The time (UTC) the Executor was removed."},{"name":"RemovedReason","type":"string","description":"The reason the Executor was removed."},{"name":"ClusterTenantId","type":"string","description":"The tenant ID of the cluster running the Executor."},{"name":"Role","type":"string","description":"The type of node running the Executor."},{"name":"Host","type":"string","description":"The FQDN of the host."},{"name":"ClusterDnsName","type":"string","description":"The DNS name of the cluster running the Executor."},{"name":"Region","type":"string","description":"The region of the cluster running the Executor."},{"name":"IpAddress","type":"string","description":"The IP Address of the node running the Executor."},{"name":"UserSubscriptionId","type":"string","description":"The subscription ID of the cluster running the Executor."},{"name":"ExecutorHost","type":"string","description":"The host the Executor ran on"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightSparkExtraEvents","name":"HDInsightSparkExtraEvents","tableType":"Microsoft","description":"Spark Extra Events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"ApplicationId","type":"string","description":"The application ID of the application producing the record."},{"name":"EventJson","type":"string","description":"Json with information about the event."},{"name":"ClusterTenantId","type":"string","description":"The tenant ID of the cluster running the application."},{"name":"Role","type":"string","description":"The type of node running the application."},{"name":"Host","type":"string","description":"The FQDN of the host."},{"name":"ClusterDnsName","type":"string","description":"The DNS name of the cluster running the application."},{"name":"Region","type":"string","description":"The region of the cluster running the application."},{"name":"IpAddress","type":"string","description":"The IP Address of the node running the application."},{"name":"UserSubscriptionId","type":"string","description":"The subscription ID of the cluster running the application."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the 
resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightSparkJobEvents","name":"HDInsightSparkJobEvents","tableType":"Microsoft","description":"Spark Job Events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"ApplicationId","type":"string","description":"The application ID of the application producing the record."},{"name":"JobId","type":"string","description":"The ID of the job."},{"name":"SubmissionTime","type":"datetime","description":"The time (UTC) the job was submitted."},{"name":"CompletionTime","type":"datetime","description":"The time (UTC) the job was completed."},{"name":"JobResult","type":"string","description":"The result of the job."},{"name":"StageIds","type":"string","description":"The stages included in the job."},{"name":"ClusterTenantId","type":"string","description":"The tenant ID of the cluster running the job."},{"name":"Role","type":"string","description":"The type of node running the job."},{"name":"Host","type":"string","description":"The FQDN of the host."},{"name":"ClusterDnsName","type":"string","description":"The DNS name of the cluster running the job."},{"name":"Region","type":"string","description":"The region of the cluster running the job."},{"name":"IpAddress","type":"string","description":"The IP Address of the node running the job."},{"name":"UserSubscriptionId","type":"string","description":"The subscription ID of the cluster running the job."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightSparkLogs","name":"HDInsightSparkLogs","tableType":"Microsoft","description":"All logs related to Spark, including Jupyter and Livy logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"LogLevel","type":"string","description":"log level of message (INFO, WARN, ERROR, etc.)."},{"name":"Message","type":"string","description":"message from Spark log."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"LogType","type":"string","description":"The name of the log file that a record came from (e.g. 
SparkExecutorLog, SparkDriverLog)."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightSparkSQLExecutionEvents","name":"HDInsightSparkSQLExecutionEvents","tableType":"Microsoft","description":"Spark SQL Execution Events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"ApplicationId","type":"string","description":"The application ID of the application producing the record."},{"name":"ExecutionId","type":"string","description":"The ID of the Spark SQL execution."},{"name":"StartTime","type":"datetime","description":"The time (UTC) the Spark SQL execution started."},{"name":"EndTime","type":"datetime","description":"The time (UTC) the Spark SQL execution ended."},{"name":"PhysicalPlanDescription","type":"string","description":"The description of the Physical/Logical plan of the Spark SQL execution."},{"name":"SparkPlanInfo","type":"string","description":"Json object containing information on the Spark SQL execution."},{"name":"ClusterTenantId","type":"string","description":"The tenant ID of the cluster running the Spark SQL execution."},{"name":"Role","type":"string","description":"The type of node running the Spark SQL 
execution."},{"name":"Host","type":"string","description":"The FQDN of the host."},{"name":"ClusterDnsName","type":"string","description":"The DNS name of the cluster running the Spark SQL execution."},{"name":"Region","type":"string","description":"The region of the cluster running the Spark SQL execution."},{"name":"IpAddress","type":"string","description":"The IP Address of the node running the Spark SQL execution."},{"name":"UserSubscriptionId","type":"string","description":"The subscription ID of the cluster running the Spark SQL execution."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightSparkStageEvents","name":"HDInsightSparkStageEvents","tableType":"Microsoft","description":"Spark Stage Events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"ApplicationId","type":"string","description":"The application ID of the application producing the record."},{"name":"StageId","type":"string","description":"The ID of the stage."},{"name":"StageName","type":"string","description":"The name of the stage."},{"name":"AttemptId","type":"string","description":"The Id of the stage attempt."},{"name":"TaskCount","type":"int","description":"The count of tasks associated with the stage."},{"name":"SubmissionTime","type":"datetime","description":"The time (UTC) the stage was 
submitted."},{"name":"CompletionTime","type":"datetime","description":"The time (UTC) the stage was completed."},{"name":"FailureReason","type":"string","description":"The reason for failure if the stage failed."},{"name":"Details","type":"string","description":"The exception details for any stage failures."},{"name":"RDDInfo","type":"string","description":"Json containing information about RDDs used in the stage."},{"name":"ClusterTenantId","type":"string","description":"The tenant ID of the cluster running the stage."},{"name":"Role","type":"string","description":"The type of node running the stage."},{"name":"Host","type":"string","description":"The FQDN of the host."},{"name":"ClusterDnsName","type":"string","description":"The DNS name of the cluster running the stage."},{"name":"Region","type":"string","description":"The region of the cluster running the stage."},{"name":"IpAddress","type":"string","description":"The IP Address of the node running the stage."},{"name":"UserSubscriptionId","type":"string","description":"The subscription ID of the cluster running the stage."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightSparkStageTaskAccumulables","name":"HDInsightSparkStageTaskAccumulables","tableType":"Microsoft","description":"Spark Stage Task Accumulables.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp 
(UTC) of when the log was generated."},{"name":"ApplicationId","type":"string","description":"The application ID of the application producing the record."},{"name":"Entity","type":"string","description":"The name of the entity being described."},{"name":"EntityId","type":"string","description":"The ID of the entity."},{"name":"ParentId","type":"string","description":"The ID of the parent entity."},{"name":"MetricId","type":"string","description":"The ID of the metric."},{"name":"MetricName","type":"string","description":"The name of the metric."},{"name":"MetricValue","type":"long","description":"The value of the metric."},{"name":"ClusterTenantId","type":"string","description":"The tenant ID of the cluster where the metric was collected."},{"name":"Role","type":"string","description":"The type of node where the metric was collected."},{"name":"Host","type":"string","description":"The FQDN of the host where the metric was collected."},{"name":"ClusterDnsName","type":"string","description":"The DNS name of the cluster where the metric was collected."},{"name":"Region","type":"string","description":"The region of the cluster where the metric was collected."},{"name":"IpAddress","type":"string","description":"The IP Address of the node where the metric was collected."},{"name":"UserSubscriptionId","type":"string","description":"The subscription ID of the cluster where the metric was collected."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightSparkTaskEvents","name":"HDInsightSparkTaskEvents","tableType":"Microsoft","description":"Spark Task Events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"ApplicationId","type":"string","description":"The application ID of the application producing the record."},{"name":"StageId","type":"string","description":"The ID of the stage associated with the task."},{"name":"TaskId","type":"string","description":"The ID of the task."},{"name":"AttemptId","type":"string","description":"The ID of task attempt."},{"name":"ExecutorId","type":"string","description":"The ID executor."},{"name":"LaunchTime","type":"datetime","description":"The time (UTC) the task was launched."},{"name":"FinishTime","type":"datetime","description":"The time (UTC) the task finished."},{"name":"Failed","type":"bool","description":"Boolean describing whether the task failed."},{"name":"Killed","type":"bool","description":"Boolean describing whether the task was killed."},{"name":"EndReason","type":"string","description":"Reason why the task ended."},{"name":"TaskType","type":"string","description":"The task type."},{"name":"DiskBytesSpilled","type":"long","description":"The number of disk bytes spilled."},{"name":"ExecutorCPUTime","type":"long","description":"The CPU time consumed by the task executor."},{"name":"ExecutorDeserializeCPUTime","type":"long","description":"The CPU time the task executor spent deserializing."},{"name":"ExecutorDeserializeTime","type":"long","description":"The time the task executor spent deserializing."},{"name":"ExecutorRunTime","type":"long","description":"The time task executor spent running."},{"name":"JvmGcTime","type":"long","description":"The time the 
JVM spent garbage collecting."},{"name":"MemoryBytesSpilled","type":"long","description":"The bytes of memory spilled."},{"name":"ResultSerializationTime","type":"long","description":"The serialization time spent while getting the result."},{"name":"ResultSize","type":"long","description":"Size of the result."},{"name":"ShuffleReadMetrics","type":"long","description":"The metrics associated with shuffle reads."},{"name":"ShuffleWriteMetrics","type":"long","description":"The metrics associated with shuffle writes."},{"name":"InputMetrics","type":"long","description":"The metrics associated with the task input."},{"name":"OutputMetrics","type":"long","description":"The metrics associated with the task output."},{"name":"UpdatedBlocks","type":"long","description":"The number of updated blocks."},{"name":"PeakExecutionMemory","type":"long","description":"The peak amount of memory used during execution."},{"name":"SchedulerDelay","type":"long","description":"The amount of delay the scheduler experienced."},{"name":"RecordsRead","type":"long","description":"The number of records read during the task."},{"name":"BytesRead","type":"long","description":"The number of bytes read during the task."},{"name":"RecordsWritten","type":"long","description":"The number of records written by the task."},{"name":"BytesWritten","type":"long","description":"The number of bytes written by the task."},{"name":"ShuffleFetchWaitTime","type":"long","description":"The time spent waiting for fetching."},{"name":"ShuffleTotalBytesRead","type":"long","description":"The number of bytes read during the shuffle task."},{"name":"ShuffleTotalBlocksFetched","type":"long","description":"The number of blocks fetched during the shuffle task."},{"name":"ShuffleLocalBlocksFetched","type":"long","description":"The number of local blocks fetched during the shuffle task."},{"name":"ShuffleRemoteBlocksFetched","type":"long","description":"The number of remote blocks fetched during the shuffle 
task."},{"name":"ShuffleWriteTime","type":"long","description":"The time spent writing during the shuffle task."},{"name":"ShuffleBytesWritten","type":"long","description":"The bytes written during the shuffle task."},{"name":"ShuffleRecordsWritten","type":"long","description":"The number of records written during the shuffle task."},{"name":"NumUpdatedBlockStatuses","type":"long","description":"The number of updated block statuses during the task."},{"name":"ClusterTenantId","type":"string","description":"The tenant ID of the cluster running the task."},{"name":"Role","type":"string","description":"The type of node running the task."},{"name":"Host","type":"string","description":"The FQDN of the host running the task."},{"name":"ClusterDnsName","type":"string","description":"The DNS name of the cluster running the task."},{"name":"Region","type":"string","description":"The region of the cluster running the task."},{"name":"IpAddress","type":"string","description":"The IP Address of the node running the task."},{"name":"UserSubscriptionId","type":"string","description":"The subscription ID of the cluster running the task."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightStormLogs","name":"HDInsightStormLogs","tableType":"Microsoft","description":"All Logs from Storm cluster nodes.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The 
timestamp (UTC) of when the log was generated."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"Message","type":"string","description":"message from Storm log."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"LogType","type":"string","description":"The name of the log file that a record came from (e.g. StormNimbus, StormSupervisor)."},{"name":"LogLevel","type":"string","description":"The severity level of the log (e.g. INFO,WARN, ERROR, etc.)"},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightStormMetrics","name":"HDInsightStormMetrics","tableType":"Microsoft","description":"Cluster Level Metrics from Storm clusters.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"MetricNamespace","type":"string","description":"Category of metric(e.g. StormNimbusMetrics, StormSupervisorMetrics, etc). "},{"name":"MetricName","type":"string","description":"Name of the metric for the record (e.g. 
num-submitTopology-calls-Count)."},{"name":"MetricValue","type":"real","description":"Value of metric in the record."},{"name":"MetricDataType","type":"string","description":"CollectD datatype of the metric (e.g. gauge, counter, etc.). Determines how metric is portrayed over time. Please reference CollectD documentation for more information: https://collectd.org/wiki/index.php/Data_source ."},{"name":"ClusterName","type":"string","description":"Name of cluster."},{"name":"HostName","type":"string","description":"Name of host where log was emitted."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HDInsightStormTopologyMetrics","name":"HDInsightStormTopologyMetrics","tableType":"Microsoft","description":"Topology Level Metrics from Storm clusters.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"Acked","type":"real","description":"The number of Tuple “trees” successfully processed. 
A value of 0 is expected if no acking is done."},{"name":"AssignedCPUPercent","type":"real","description":"Percent of CPU cores assigned to the topology."},{"name":"AssignedMemOffHeapMB","type":"real","description":"MB of off heap memory assigned to the topology."},{"name":"AssignedMemOnHeapMB","type":"real","description":"MB of on heap memory assigned to the topology."},{"name":"AssignedTotalMemMB","type":"real","description":"MB of total memory assigned to the topology."},{"name":"BoltId","type":"string","description":"The ID of the bolt."},{"name":"Capacity","type":"real","description":"If this is around 1.0, the corresponding Bolt is running as fast as it can, so you may want to increase the Bolt’s parallelism. This is (number executed * average execute latency) / measurement time."},{"name":"ClusterName","type":"string","description":"The name of the cluster."},{"name":"ClusterType","type":"string","description":"The type of the cluster."},{"name":"CompleteLatencyMs","type":"real","description":"The average time (millisecond) a Tuple “tree” takes to be completely processed by the Topology. A value of 0 is expected if no acking is done."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. 
Can be used to identify correlated events between multiple tables."},{"name":"Debug","type":"bool","description":"Boolean representing whether debug tracing is activated."},{"name":"Emitted","type":"real","description":"The number of Tuples emitted."},{"name":"EncodedBoltId","type":"string","description":"The encoded ID of the bolt."},{"name":"EncodedId","type":"string","description":"The encoded ID of the topology."},{"name":"EncodedSpoutId","type":"string","description":"The encoded ID of the Spout."},{"name":"ErrorHost","type":"string","description":"Host where the error occurred."},{"name":"ErrorPort","type":"string","description":"Port associated with the error."},{"name":"ErrorWorkerLogLink","type":"string","description":"Link to the log of the worker where an error occurred."},{"name":"Executed","type":"real","description":"The number of incoming Tuples processed."},{"name":"ExecuteLatencyMs","type":"real","description":"The average time (millisecond) a Tuple spends in the execute method. The execute method may complete without sending an Ack for the tuple."},{"name":"Executors","type":"int","description":"The number of threads being used to execute a task."},{"name":"ExecutorsTotal","type":"int","description":"The total number of executors currently used and already used to execute a task."},{"name":"Failed","type":"real","description":"The number of Tuple “trees” that were explicitly failed or timed out before acking was completed. 
A value of 0 is expected if no acking is done."},{"name":"HostName","type":"string","description":"Hostname of the host the record came from."},{"name":"Id","type":"string","description":"The name of the component the record is from (could be spout, bolt, or name of topology)."},{"name":"InstanceName","type":"string","description":"Type of record shape (there are bolt, spout, topology, and topology_stats record shapes)."},{"name":"LastError","type":"string","description":"Last error to occur in the component."},{"name":"MsgTimeout","type":"real","description":"The number of seconds until a message times out."},{"name":"TopologyName","type":"string","description":"Name of the topology."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"Owner","type":"string","description":"Name of the user that owns the topology."},{"name":"ProcessLatencyMs","type":"real","description":"The average time (millisecond) it takes to Ack a Tuple after it is first received. 
Bolts that join, aggregate or batch may not Ack a tuple until a number of other Tuples have been received."},{"name":"ReplicationCount","type":"int","description":"The number of replicas kept by the topology."},{"name":"RequestedCpuPercent","type":"real","description":"The percent of CPU requested by the topology."},{"name":"RequestMemOffHeapMB","type":"real","description":"MB of off heap memory requested by the topology."},{"name":"RequestMemOnHeapMB","type":"real","description":"MB of on heap memory requested by the topology."},{"name":"SamplingPct","type":"real","description":"Percentage of messages sampled to calculate metrics."},{"name":"SchedulerDisplayResource","type":"bool","description":"Boolean describing the scheduler display setting."},{"name":"SpoutId","type":"string","description":"The ID of the spout."},{"name":"Status","type":"string","description":"The status of the topology."},{"name":"Tasks","type":"int","description":"The number of tasks running."},{"name":"TasksTotal","type":"int","description":"The total number of tasks run."},{"name":"TopologyId","type":"string","description":"The ID of the topology."},{"name":"Transferred","type":"real","description":"The number of Tuples emitted that were sent to one or more bolts."},{"name":"Uptime","type":"string","description":"The length of time an Executor (thread) has been alive."},{"name":"UptimeSeconds","type":"real","description":"The amount of time the topology has been running in seconds."},{"name":"Window","type":"real","description":"The time window for the metrics in the record in seconds."},{"name":"WindowHint","type":"string","description":"The time window for the metrics in the record in hours, minutes, seconds format."},{"name":"WindowPretty","type":"string","description":"String description of the time window for the metrics in the record."},{"name":"Workers","type":"string","description":"JSON with worker specific metrics."},{"name":"WorkersTotal","type":"int","description":"The total amount 
of workers."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.hdinsight/clusters"],"solutions":["LogManagement"]}},{"id":"HealthStateChangeEvent","name":"HealthStateChangeEvent","tableType":"Microsoft","description":"Workload Monitor Health. This data represents state transitions of a health monitor.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the record was generated.","isPreferredFacet":true},{"name":"EvaluationTimestamp","type":"datetime","description":"Timestamp (UTC) when the monitor health state change event was created.","isPreferredFacet":true},{"name":"PreviousMonitorState","type":"string","description":"Previous state of the monitor (Critical, Warning, Healthy, Unknown, None).","isPreferredFacet":true},{"name":"CurrentMonitorState","type":"string","description":"Current state of the monitor (Critical, Warning, Healthy, Unknown, None).","isPreferredFacet":true},{"name":"MonitorResourceId","type":"string","description":"ARM resource id of the monitor.","isPreferredFacet":true},{"name":"MonitorName","type":"string","description":"Name of the monitor, e.g. logical-disks|C:|free-space-mb for Windows platform, filesystems|/var/lib|free-space-mb for Linux platform.","isPreferredFacet":true},{"name":"ParentMonitorName","type":"string","description":"Parent monitor name, e.g. 
logical-disks|C: for Windows platform, filesystems for Linux platform.","isPreferredFacet":true},{"name":"ImpactStartTimestamp","type":"datetime","description":"Timestamp (UTC) when the monitor started changing to a non-healthy (Critical, Warning) state.","isPreferredFacet":true},{"name":"CurrentStateFirstObservedTimestamp","type":"datetime","description":"Timestamp (UTC) when the current state of the monitor was first observed.","isPreferredFacet":true},{"name":"MonitorType","type":"string","description":"Type of the monitor. Same as the monitor name for static monitors, replaces MonitoredObject with * for dynamic monitors.","isPreferredFacet":true},{"name":"MonitoredObject","type":"string","description":"Object the monitor is monitoring. Values only exist for dynamic monitors, e.g. D: for monitor logical-disks|D:|free-space-mb.","isPreferredFacet":true},{"name":"Evidence","type":"dynamic","description":"Snapshot of samples and reason the monitor changed state.","isPreferredFacet":true},{"name":"MonitorConfiguration","type":"dynamic","description":"Configuration for the monitor. 
Aggregate monitor configuration is an empty string.","isPreferredFacet":true},{"name":"InstrumentationData","type":"dynamic","description":"Current state of the monitor (Critical, Warning, Healthy, Unknown, None).","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["AzureResources","VMInsights"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines"]}},{"id":"Heartbeat","name":"Heartbeat","tableType":"Microsoft","description":"Records logged by Log Analytics agents once per minute to report on agent health.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"Type of agent the data was collected from. Possible values are OpsManager (Windows agent) or Linux.","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"ManagementGroupName","type":"string","description":"Name of Operations Manager management group.","isPreferredFacet":true},{"name":"ComputerIP","type":"string","description":"IP address of the computer. 
Note that public IP is used","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Computer name","isPreferredFacet":true},{"name":"Category","type":"string","description":"Value is Direct Agent, SCOM Agent, or SCOM Management Server.","isPreferredFacet":true},{"name":"OSType","type":"string","description":"Type of OS. Possible values are Windows or Linux.","isPreferredFacet":true},{"name":"OSName","type":"string","description":"Name of OS.","isPreferredFacet":true},{"name":"OSMajorVersion","type":"string","description":"Operating system major version.","isPreferredFacet":true},{"name":"OSMinorVersion","type":"string","description":"Operating system minor version."},{"name":"Version","type":"string","description":"Version of the agent.","isPreferredFacet":true},{"name":"SCAgentChannel","type":"string","description":"Specifies how the agent is connected to the workspace. Possible values are Direct or SCManagementServer.","isPreferredFacet":true},{"name":"IsGatewayInstalled","type":"bool","description":"If the Log Analytics gateway is installed the value is true; otherwise the value is false.","isPreferredFacet":true},{"name":"RemoteIPLongitude","type":"real","description":"Longitude of computer's geographic location."},{"name":"RemoteIPLatitude","type":"real","description":"Latitude of computer's geographic location."},{"name":"RemoteIPCountry","type":"string","description":"Geographic location where computer is deployed.","isPreferredFacet":true},{"name":"SubscriptionId","type":"string","description":"Subscription ID of the Azure resource running the agent","isPreferredFacet":true},{"name":"ResourceGroup","type":"string","description":"Resource name of the Azure resource running the agent.","isPreferredFacet":true},{"name":"ResourceProvider","type":"string","description":"Resource provider of the Azure resource running the agent","isPreferredFacet":true},{"name":"Resource","type":"string","description":"Resource group name of the Azure resource running the 
agent.","isPreferredFacet":true},{"name":"ResourceId","type":"string","description":"Resource ID of the Azure resource running the agent. Retained for backward compatibility. _ResourceId should be used.","isPreferredFacet":true},{"name":"ResourceType","type":"string","description":"Type of the Azure resource running the agent. Examples include virtualmachines or managedclusters.","isPreferredFacet":true},{"name":"ComputerEnvironment","type":"string","description":"Environment that hosts the computer: Azure or Non-Azure"},{"name":"Solutions","type":"string","description":"List of solutions deployed on the agent at the moment when Heartbeat was issued."},{"name":"VMUUID","type":"string","description":"Unique identifier of the virtual machine."},{"name":"ComputerPrivateIPs","type":"dynamic","description":"The list of private IP addresses of the computer."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["virtualmachines","container","management"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets","microsoft.hybridcontainerservice/provisionedclusters","microsoft.automation/automationaccounts"],"solutions":["LogManagement"],"queries":["c8f597f3-9251-468a-86b3-d94ed8ea996d","bdbc27e8-3f5d-4981-9050-5ed7f63615a8","ba8b1839-7334-11ea-bed0-c8348e02520c","ba8e256b-7334-11ea-99d3-c8348e02520c","35883956-d397-42e6-a820-01eaceb11471"]}},{"id":"HuntingBookmark","name":"HuntingBookmark","tableType":"Microsoft","description":"Azure sentinel hunting bookmarks audit table","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log"},{"name":"BookmarkId","type":"string","description":"Guid - the bookmark ARM resource name"},{"name":"BookmarkName","type":"string","description":"Bookmark name given by the user"},{"name":"BookmarkType","type":"string","description":"Can be used to mark bookmark origin - currently not used"},{"name":"CreatedBy","type":"string","description":"JSON object with the user who created the bookmark, including: ObjectID, email and name"},{"name":"UpdatedBy","type":"string","description":"JSON object with the user who last updated the bookmark, including: ObjectID, email and name"},{"name":"CreatedTime","type":"datetime","description":"The timestamp of bookmark first creation time"},{"name":"LastUpdatedTime","type":"datetime","description":"The timestamp of bookmark last update time"},{"name":"EventTime","type":"datetime","description":"The timestamp of the original event that is 
bookmarked"},{"name":"QueryText","type":"string","description":"Original log analytics query text"},{"name":"QueryResultRow","type":"string","description":"JSON object with a single result row of the query"},{"name":"QueryStartTime","type":"datetime","description":"Query time range start time"},{"name":"QueryEndTime","type":"datetime","description":"Query time range end time"},{"name":"Notes","type":"string","description":"Notes provided by user"},{"name":"Entities","type":"string","description":"A serialized JSON of entities mapped by this bookmark"},{"name":"SoftDeleted","type":"bool","description":"Whether the bookmark was deleted by the user"},{"name":"Tags","type":"string","description":"Comma-separated list of tags provided by user"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"IdentityAccountInfo","name":"IdentityAccountInfo","tableType":"Microsoft","description":"This table is populated by Azure Sentinel UEBA with all your users' account identity information. 
It can be used to correlate user information and insights with analytics or hunting queries.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated"},{"name":"Timestamp","type":"datetime","description":"Date and time that the line was written to the database."},{"name":"ReportId","type":"string","description":"Unique identifier for the event."},{"name":"SourceProviderAccountId","type":"string","description":"Identifier for the account in the source provider."},{"name":"AccountId","type":"string","description":"Internal identifier for the account."},{"name":"IdentityId","type":"string","description":"Identifier for the identity that the account is linked to."},{"name":"IsPrimary","type":"bool","description":"Indicates if this account is considered as primary account for the linked identity."},{"name":"IdentityLinkType","type":"string","description":"Type of linkage between the account and identity."},{"name":"IdentityLinkReason","type":"string","description":"Reason for linking the account and identity."},{"name":"IdentityLinkTime","type":"datetime","description":"Date and time the account was linked to the identity."},{"name":"IdentityLinkBy","type":"string","description":"The entity that linked the account to the identity."},{"name":"DisplayName","type":"string","description":"Name of the account user displayed in the address book."},{"name":"AccountUpn","type":"string","description":"User principal name (UPN) of the account."},{"name":"EmailAddress","type":"string","description":"SMTP address of the account."},{"name":"CriticalityLevel","type":"int","description":"The criticality score of the account."},{"name":"DefenderRiskLevel","type":"int","description":"The risk level of the account as calculated by Microsoft 
Defender."},{"name":"DefenderRiskUpdateTime","type":"datetime","description":"Date and time Microsoft Defender last updated the risk level of the account."},{"name":"IdentityType","type":"string","description":"Type of identity - possible values: User, ServiceAccount"},{"name":"GivenName","type":"string","description":"Given name or first name of the account user."},{"name":"Surname","type":"string","description":"Surname, family name, or last name of the account user."},{"name":"EmployeeId","type":"string","description":"Employee identifier assigned to the user by the organization."},{"name":"Department","type":"string","description":"Name of the department that the account user belongs to."},{"name":"JobTitle","type":"string","description":"Job title of the account user."},{"name":"Address","type":"string","description":"Address of the account user."},{"name":"City","type":"string","description":"City where the account user is located."},{"name":"Country","type":"string","description":"Country or region where the account user is located."},{"name":"Phone","type":"string","description":"The listed phone number of the account user."},{"name":"Manager","type":"string","description":"The listed manager of the account user."},{"name":"Sid","type":"string","description":"Security identifier (SID) of the account."},{"name":"AccountStatus","type":"string","description":"The status of the account."},{"name":"SourceProvider","type":"string","description":"Source application or service of the account."},{"name":"SourceProviderInstanceId","type":"string","description":"Identifier of the source application or service of the account."},{"name":"SourceProviderInstanceDisplayName","type":"string","description":"Display name of the source application or service of the account."},{"name":"AuthenticationMethod","type":"string","description":"Authentication method used to allow the account user to sign 
in."},{"name":"AuthenticationSourceAcccountId","type":"string","description":"Identifier of the federating account, if authentication method is Federated."},{"name":"EnrolledMfas","type":"dynamic","description":"Configured multifactor authentication methods and status."},{"name":"LastPasswordChangeTime","type":"datetime","description":"Date and time the account password was last changed."},{"name":"GroupMembership","type":"dynamic","description":"Group identifiers assigned to the account."},{"name":"AssignedRoles","type":"dynamic","description":"Role identifiers assigned to the account."},{"name":"EligibleRoles","type":"dynamic","description":"Identifiers for roles the account is eligible to use."},{"name":"TenantMembershipType","type":"string","description":"User type."},{"name":"CreatedDateTime","type":"datetime","description":"Date and time when the user account was created."},{"name":"DeletedDateTime","type":"datetime","description":"Date and time when the user account was deleted."},{"name":"Tags","type":"dynamic","description":"Tags assigned to the account by Defender for Identity."},{"name":"SourceProviderRiskLevel","type":"dynamic","description":"Risk level of the account as it appears in the source provider."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"IdentityDirectoryEvents","name":"IdentityDirectoryEvents","tableType":"Microsoft","description":"Captures various identity-related events, like password changes, password expiration, and user principal name (UPN) 
changes.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event"},{"name":"Application","type":"string","description":"Application that performed the recorded action"},{"name":"Protocol","type":"string","description":"Protocol used during the communication"},{"name":"AccountName","type":"string","description":"User name of the account"},{"name":"AccountDomain","type":"string","description":"Domain of the account"},{"name":"AccountUpn","type":"string","description":"User principal name (UPN) of the account"},{"name":"AccountSid","type":"string","description":"Security Identifier (SID) of the account"},{"name":"AccountObjectId","type":"string","description":"Unique identifier for the account in Azure AD"},{"name":"AccountDisplayName","type":"string","description":"Name of the account user displayed in the address book"},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device"},{"name":"IPAddress","type":"string","description":"IP address assigned to the endpoint and used during related network communications"},{"name":"Port","type":"string","description":"TCP port used during communication"},{"name":"DestinationDeviceName","type":"string","description":"Name of the device running the server application that processed the recorded action"},{"name":"DestinationIPAddress","type":"string","description":"IP address of the device running the server application that processed the recorded action"},{"name":"DestinationPort","type":"string","description":"Destination port of related network communications"},{"name":"TargetDeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device that the recorded action was applied 
to"},{"name":"TargetAccountUpn","type":"string","description":"User principal name (UPN) of the account that the recorded action was applied to"},{"name":"TargetAccountDisplayName","type":"string","description":"Display name of the account that the recorded action was applied to"},{"name":"Location","type":"string","description":"City, country, or other geographic location associated with the event"},{"name":"ISP","type":"string","description":"Internet service provider (ISP) associated with the endpoint IP address"},{"name":"ReportId","type":"string","description":"Unique identifier for the event"},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["09be64ab-51be-4f8c-8c03-17243fbfdfbc","67e621ec-0a84-412a-ac48-1cfd80f30a43"]}},{"id":"IdentityEvents","name":"IdentityEvents","tableType":"Microsoft","description":"Captures various identity-related events, like password changes, password expiration, and user principal name (UPN) changes.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated"},{"name":"ReportId","type":"string","description":"Unique identifier for the event"},{"name":"AccountId","type":"string","description":"Unique identifier for the account in the source application"},{"name":"AccountType","type":"string","description":"Type of user account, indicating its general role like User, SystemPrincipal"},{"name":"AccountDisplayName","type":"string","description":"Name displayed in the address book entry for the account user. 
This is usually a combination of the given name, middle initial, and surname of the user."},{"name":"AccountUpn","type":"string","description":"Alternate ID, email, or name for the account in the source application"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event in the raw format received from the source application"},{"name":"ActionResult","type":"string","description":"Result of the action"},{"name":"ActionFailureReason","type":"string","description":"Information explaining why the recorded action failed"},{"name":"IPAddress","type":"string","description":"IP address assigned to the device and used during related network communications"},{"name":"UserAgent","type":"string","description":"User agent information from the web browser or other client application"},{"name":"TargetObjects","type":"dynamic","description":"List of the target objects of this activity. Target object can be user, group, role, domain, application, and more."},{"name":"Application","type":"string","description":"The source application where this event was received from"},{"name":"ApplicationInstanceId","type":"string","description":"Domain of the source application"},{"name":"ApplicationEventId","type":"string","description":"Raw event ID provided by the source application"},{"name":"ApplicationSessionId","type":"string","description":"Raw session ID provided by the source application"},{"name":"RawEventData","type":"dynamic","description":"Full raw event information from the source application in JSON format"},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"IdentityInfo","name":"IdentityInfo","tableType":"Microsoft","description":"This table is populated by Azure Sentinel UEBA with all your users identities information. It can be used to correlate user information and insights with analytics or hunting queries.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time when the event was generated (UTC)"},{"name":"AccountName","type":"string","description":"User name of the account"},{"name":"AccountDomain","type":"string","description":"Domain name of the user account"},{"name":"AccountUPN","type":"string","description":"User principal name of the account"},{"name":"AccountSID","type":"string","description":"The on premises security identifier of the account"},{"name":"AccountObjectId","type":"string","description":"The Azure Active Directory object ID for the account"},{"name":"AccountTenantId","type":"string","description":"The Azure Active Directory Tenant ID of the account"},{"name":"AccountDisplayName","type":"string","description":"The user account display name"},{"name":"GivenName","type":"string","description":"The user account given name"},{"name":"Surname","type":"string","description":"The user account surname"},{"name":"OnPremisesExtensionAttributes","type":"string","description":"OnPremisesExtensionAttributes field from Azure AD"},{"name":"OnPremisesDistinguishedName","type":"string","description":"Active Directory distinguished name (DN). 
A DN is a sequence of relative distinguished names (RDN) connected by commas."},{"name":"Tags","type":"string","description":"Relevant information on the user account which is important for investigation: Sensitive\\ VIP\\ Administrator"},{"name":"AccountCreationTime","type":"datetime","description":"The date the user account was created (UTC)"},{"name":"InvestigationPriority","type":"int","description":"The Investigation Priority score of the account"},{"name":"InvestigationPriorityPercentile","type":"int","description":"The account score compared to the organization "},{"name":"RiskLevel","type":"string","description":"The AAD risk level (Low/Medium/High) of the user account"},{"name":"RiskLevelDetails","type":"string","description":"Details regarding the AAD risk level"},{"name":"RiskState","type":"string","description":"Indication if the account is at risk now or if the risk was remediated"},{"name":"BlastRadius","type":"string","description":"The potential impact of the user account in the org (low/medium/high)"},{"name":"GroupMembership","type":"dynamic","description":"Azure AD Groups the user account is a member"},{"name":"AssignedRoles","type":"dynamic","description":"AAD roles the user account is assigned to"},{"name":"Department","type":"string","description":"The user account department as defined in AAD"},{"name":"EmployeeId","type":"string","description":"The employee identifier assigned to the user by the organization"},{"name":"JobTitle","type":"string","description":"The user account job title as defined in AAD"},{"name":"RelatedAccounts","type":"dynamic","description":"Various accounts that correlate to a certain user"},{"name":"MailAddress","type":"string","description":"The user account primary email address"},{"name":"AdditionalMailAddresses","type":"dynamic","description":"Additional email addresses of the user"},{"name":"Manager","type":"string","description":"The user accounts manager 
alias"},{"name":"StreetAddress","type":"string","description":"The office street address of the user account as defined in AAD"},{"name":"City","type":"string","description":"The city of the user account as defined in AAD"},{"name":"CompanyName","type":"string","description":"The name for the company in which the user works."},{"name":"Country","type":"string","description":"The country of the user account as defined in AAD"},{"name":"State","type":"string","description":"The geographical state of the user account as defined in AAD"},{"name":"Phone","type":"string","description":"The phone number of the user account as defined in AAD"},{"name":"IsAccountEnabled","type":"bool","description":"Indication if the account is enabled in AAD or not"},{"name":"IsServiceAccount","type":"bool","description":"The account is a service account."},{"name":"DeletedDateTime","type":"datetime","description":"The date and time the user was deleted"},{"name":"LastSeenDate","type":"datetime","description":"Date of the last activity observed in this account"},{"name":"UACFlags","type":"string","description":"User Access control flags from AD & AAD"},{"name":"UserState","type":"string","description":"The current state in AAD of the account (Active/Disabled/Dormant/Lockout)"},{"name":"UserStateChangedOn","type":"datetime","description":"Date of the last time the account state was changed (UTC)"},{"name":"UserType","type":"string","description":"The user type as appears in Azure AD"},{"name":"ExtensionProperty","type":"dynamic","description":"ExtensionProperty fields from Azure AD"},{"name":"AccountCloudSID","type":"string","description":"The Azure AD security identifier of the account"},{"name":"IsMFARegistered","type":"bool","description":"Indication if MFA is registered for this user account or not"},{"name":"Applications","type":"string","description":"All known applications this user account accessed"},{"name":"ServicePrincipals","type":"dynamic","description":"Azure AD service 
principals that are owned by the user"},{"name":"SourceSystem","type":"string","description":"The system where the user is managed"},{"name":"UserAccountControl","type":"dynamic","description":"Security attributes of the user account in the AD domain"},{"name":"ChangeSource","type":"string","description":"The source of the latest change of the entity"},{"name":"EntityRiskScore","type":"dynamic","description":"The risk score of the entity as part of the UEBA scoring process"},{"name":"SAMAccountName","type":"string","description":"The SAM account name of the account."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["BehaviorAnalyticsInsights"]}},{"id":"IdentityLogonEvents","name":"IdentityLogonEvents","tableType":"Microsoft","description":"Authentication activities made through your on-premises Active Directory.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event"},{"name":"Application","type":"string","description":"Application that performed the recorded action"},{"name":"LogonType","type":"string","description":"Type of logon session"},{"name":"Protocol","type":"string","description":"Network protocol used"},{"name":"FailureReason","type":"string","description":"Information explaining why the recorded action failed"},{"name":"AccountName","type":"string","description":"User name of the account"},{"name":"AccountDomain","type":"string","description":"Domain of the account"},{"name":"AccountUpn","type":"string","description":"User principal name (UPN) of the account"},{"name":"AccountSid","type":"string","description":"Security Identifier (SID) of the 
account"},{"name":"AccountObjectId","type":"string","description":"Unique identifier for the account in Azure AD"},{"name":"AccountDisplayName","type":"string","description":"Name of the account user displayed in the address book"},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device"},{"name":"DeviceType","type":"string","description":"Type of device"},{"name":"OSPlatform","type":"string","description":"Platform of the operating system running on the machine"},{"name":"IPAddress","type":"string","description":"IP address assigned to the endpoint and used during related network communications"},{"name":"Port","type":"string","description":"TCP port used during communication"},{"name":"DestinationDeviceName","type":"string","description":"Name of the device running the server application that processed the recorded action"},{"name":"DestinationIPAddress","type":"string","description":"IP address of the device running the server application that processed the recorded action"},{"name":"DestinationPort","type":"string","description":"Destination port of related network communications"},{"name":"TargetDeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device that the recorded action was applied to"},{"name":"TargetAccountDisplayName","type":"string","description":"Display name of the account that the recorded action was applied to"},{"name":"Location","type":"string","description":"City, country, or other geographic location associated with the event"},{"name":"ISP","type":"string","description":"Internet service provider (ISP) associated with the endpoint IP address"},{"name":"ReportId","type":"string","description":"Unique identifier for the event"},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event"},{"name":"LastSeenForUser","type":"dynamic","description":"Number of days since each statistical feature for the user was last 
seen"},{"name":"UncommonForUser","type":"dynamic","description":"List of features observed to be statistically uncommon for the user that performed the activity"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["6c605c9c-6eca-4945-8a42-18833ad3cf42"]}},{"id":"IdentityQueryEvents","name":"IdentityQueryEvents","tableType":"Microsoft","description":"Information about queries performed against Active Directory objects, such as users, groups, devices, and domains.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event"},{"name":"Application","type":"string","description":"Application that performed the recorded action"},{"name":"QueryType","type":"string","description":"Type of query, such as QueryGroup, QueryUser, or EnumerateUsers"},{"name":"QueryTarget","type":"string","description":"Name of user, group, device, domain, or any other entity type being queried"},{"name":"Query","type":"string","description":"String used to run the query"},{"name":"Protocol","type":"string","description":"Protocol used during the communication"},{"name":"AccountName","type":"string","description":"User name of the account"},{"name":"AccountDomain","type":"string","description":"Domain of the account"},{"name":"AccountUpn","type":"string","description":"User principal name (UPN) of the account"},{"name":"AccountSid","type":"string","description":"Security Identifier (SID) of the account"},{"name":"AccountObjectId","type":"string","description":"Unique identifier for the account in Azure 
AD"},{"name":"AccountDisplayName","type":"string","description":"Name of the account user displayed in the address book"},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device"},{"name":"IPAddress","type":"string","description":"IP address assigned to the endpoint and used during related network communications"},{"name":"Port","type":"string","description":"TCP port used during communication"},{"name":"DestinationDeviceName","type":"string","description":"Name of the device running the server application that processed the recorded action"},{"name":"DestinationIPAddress","type":"string","description":"IP address of the device running the server application that processed the recorded action"},{"name":"DestinationPort","type":"string","description":"Destination port of related network communications"},{"name":"TargetDeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device that the recorded action was applied to"},{"name":"TargetAccountUpn","type":"string","description":"User principal name (UPN) of the account that the recorded action was applied to"},{"name":"TargetAccountDisplayName","type":"string","description":"Display name of the account that the recorded action was applied to"},{"name":"Location","type":"string","description":"City, country, or other geographic location associated with the event"},{"name":"ReportId","type":"string","description":"Unique identifier for the event"},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["68b79dce-2343-49e7-a1a1-1e9c61cc9888"]}},{"id":"IlumioInsights","name":"IlumioInsights","tableType":"Microsoft","description":"Ilumio Insights data connector provides the capability to ingest audit and event logs from the Ilumio Insight API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform and uses the Ilumio Insight API to fetch the events. The connector supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parse the received security event data into custom columns so that queries don't need to parse it again, thus resulting in better performance.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the record or event was logged."},{"name":"Name","type":"string","description":"The name or type of the insight or event."},{"name":"AzureResourceId","type":"string","description":"The Azure resource ID associated with the event."},{"name":"ResourceInternalId","type":"string","description":"Internal identifier for the monitored resource within Illumio."},{"name":"IllumioTenantId","type":"string","description":"Tenant ID assigned by Illumio for multi-tenant environments."},{"name":"ResourceTenantId","type":"string","description":"Azure tenant ID to which the resource belongs."},{"name":"ResourceSubId","type":"string","description":"Azure subscription ID that contains the resource."},{"name":"ResourceRegion","type":"string","description":"The Azure region where the resource is deployed."},{"name":"ResourceVnetId","type":"string","description":"Identifier for the Virtual Network (VNet) associated with the 
resource."},{"name":"IllumioUrl","type":"string","description":"URL to view the record or associated details in the Illumio console."},{"name":"Service","type":"string","description":"The name of the detected or used service (e.g., HTTP, SSH)."},{"name":"Port","type":"int","description":"Source or service port involved in the communication."},{"name":"DestLabel","type":"string","description":"Label or tag assigned to the destination entity."},{"name":"TotalReceivedBytes","type":"int","description":"Total number of bytes received during the communication flow."},{"name":"DestCountry","type":"string","description":"Country where the destination IP is located."},{"name":"DestPort","type":"int","description":"Port number on the destination endpoint."},{"name":"SrcThreatLevel","type":"string","description":"Threat level (e.g., Low, Medium, High) associated with the source IP."},{"name":"SrcCity","type":"string","description":"City where the source IP is geolocated."},{"name":"DestThreatLevel","type":"string","description":"Threat level associated with the destination IP."},{"name":"SrcPort","type":"int","description":"Port number used by the source entity."},{"name":"VEScore","type":"real","description":"Vulnerability exposure score indicating the risk level."},{"name":"DestIsWellKnown","type":"bool","description":"Indicates if the destination is a known/trusted entity."},{"name":"FlowCount","type":"int","description":"Number of flows or sessions detected for this event."},{"name":"CvssSeverity","type":"string","description":"CVSS (Common Vulnerability Scoring System) severity rating."},{"name":"SrcIP","type":"string","description":"IP address of the source."},{"name":"DestIP","type":"string","description":"IP address of the destination."},{"name":"UniqueId","type":"string","description":"A unique identifier for the specific insight or event."},{"name":"DestCity","type":"string","description":"City where the destination IP is 
geolocated."},{"name":"SrcIsWellKnown","type":"bool","description":"Indicates if the source is a known/trusted entity."},{"name":"Status","type":"string","description":"Current status of the insight (e.g., Active, Resolved)."},{"name":"SrcLabel","type":"string","description":"Label or tag assigned to the source entity."},{"name":"Proto","type":"string","description":"Protocol used in the communication (e.g., TCP, UDP)."},{"name":"TotalSentBytes","type":"int","description":"Total number of bytes sent during the communication flow."},{"name":"SrcCountry","type":"string","description":"Country where the source IP is located."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["32e805e5-fe72-4141-aac4-f49c8ae6d03c"]}},{"id":"InsightsMetrics","name":"InsightsMetrics","tableType":"Microsoft","description":"Table that stores metrics. 'Perf' table also stores many metrics and over time they all will converge to InsightsMetrics for Azure Monitor Solutions ","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"Type of agent the data was collected from. Ex;- 'Insights' ","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Computer name/Node name that sourced the metric instance","isPreferredFacet":true},{"name":"Origin","type":"string","description":"Source of the metric. Ex;- 'container.azm.ms/telegraf'","isPreferredFacet":true},{"name":"Namespace","type":"string","description":"Name space/Category of the metric. 
Ex;- 'container.azm.ms/disk' ","isPreferredFacet":true},{"name":"Name","type":"string","description":"Name of the metric","isPreferredFacet":true},{"name":"Val","type":"real","description":"Value of the metric","isPreferredFacet":true},{"name":"Tags","type":"string","description":"Dimensions of the metric in json","isPreferredFacet":true},{"name":"AgentId","type":"string","description":"Unique ID of the agent that sourced the metric instance","isPreferredFacet":true},{"name":"Value","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["virtualmachines","container","resources"],"solutions":["AzureResources","ContainerInsights","InfrastructureInsights","LogManagement","ServiceMap","VMInsights"],"resourceTypes":["microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.insights/workloadmonitoring","microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets","microsoft.hybridcontainerservice/provisionedclusters","microsoft.devices/iothubs"]}},{"id":"IntuneAuditLogs","name":"IntuneAuditLogs","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"ResultType","type":"string","isPrefe
rredFacet":true},{"name":"ResultDescription","type":"string"},{"name":"CorrelationId","type":"string"},{"name":"Identity","type":"string"},{"name":"Properties","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["management"],"solutions":["LogManagement"]}},{"id":"IntuneDeviceComplianceOrg","name":"IntuneDeviceComplianceOrg","tableType":"Microsoft","description":"Intune device compliance specialist report.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the report was generated."},{"name":"Result","type":"string","description":"The result of the operation."},{"name":"DeviceName","type":"string","description":"The name of the device."},{"name":"UPN","type":"string","description":"The user principal name."},{"name":"ComplianceState","type":"string","description":"The compliance state of the device.","isPreferredFacet":true},{"name":"OSDescription","type":"string","description":"The operating system of the device.","isPreferredFacet":true},{"name":"OSVersion","type":"string","description":"The version of the operating system.","isPreferredFacet":true},{"name":"OS","type":"string","description":"The operating system of the device.","isPreferredFacet":true},{"name":"OwnerType","type":"string","description":"The type of owner.","isPreferredFacet":true},{"name":"DeviceId","type":"string","description":"The Id of the device."},{"name":"LastContact","type":"string","description":"The date and time of last contact."},{"name":"UserId","type":"string","description":"The Id of the user."},{"name":"IMEI","type":"string","description":"The international mobile equipment identifier of the device."},{"name":"SerialNumber","type":"string","description":"The serial number of the 
device"},{"name":"RetireAfterDatetime","type":"string","description":"The retire after date time."},{"name":"ManagementAgents","type":"string","description":"The management agents.","isPreferredFacet":true},{"name":"DeviceType","type":"string","description":"The type of the device.","isPreferredFacet":true},{"name":"UserName","type":"string","description":"The user name."},{"name":"InGracePeriodUntil","type":"string","description":"The device grace period end time."},{"name":"DeviceHealthThreatLevel","type":"string","description":"The device health threat level.","isPreferredFacet":true},{"name":"UserEmail","type":"string","description":"The user email address."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["management"],"solutions":["LogManagement"]}},{"id":"IntuneDevices","name":"IntuneDevices","tableType":"Microsoft","description":"Intune devices specialist report.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the report was generated (UTC)"},{"name":"OperationName","type":"string","description":"The name of the operation"},{"name":"Result","type":"string","description":"The result of the operation"},{"name":"SourceSystem","type":"string","description":"Details of source system of the object being provisioned"},{"name":"DeviceId","type":"string","description":"The ID of the device"},{"name":"DeviceName","type":"string","description":"The name of the 
device"},{"name":"UPN","type":"string","description":"The user principal name"},{"name":"LastContact","type":"string","description":"The date and time of last contact"},{"name":"OSVersion","type":"string","description":"The version of the operating system"},{"name":"OS","type":"string","description":"The operating system of the device"},{"name":"CompliantState","type":"string","description":"The compliant state of the device"},{"name":"Ownership","type":"string","description":"The ownership of the device"},{"name":"ManagedBy","type":"string","description":"The authority that the device is managed by"},{"name":"Model","type":"string","description":"The model of the device"},{"name":"SerialNumber","type":"string","description":"The serial number of the device"},{"name":"Manufacturer","type":"string","description":"The manufacturer of the device"},{"name":"CreatedDate","type":"string","description":"The date and time of the device entry was created"},{"name":"DeviceState","type":"string","description":"The state of the device"},{"name":"UserEmail","type":"string","description":"The user email address"},{"name":"UserName","type":"string","description":"The user name"},{"name":"IMEI","type":"string","description":"The international mobile equipment identifier of the device"},{"name":"PhoneNumber","type":"string","description":"The phone number"},{"name":"DeviceRegistrationState","type":"string","description":"The registration state of the device"},{"name":"ReferenceId","type":"string","description":"The AAD Device ID"},{"name":"ManagedDeviceName","type":"string","description":"The managed device name"},{"name":"GraphDeviceIsManaged","type":"bool","description":"Boolean describing whether the graph device is managed"},{"name":"CategoryName","type":"string","description":"The category name of the device"},{"name":"EncryptionStatusString","type":"string","description":"String describing whether the device is 
encrypted"},{"name":"SubscriberCarrierNetwork","type":"string","description":"The subscriber carrier network"},{"name":"JoinType","type":"string","description":"The device join type"},{"name":"SupervisedStatusString","type":"string","description":"String describing whether the device is supervised"},{"name":"WifiMacAddress","type":"string","description":"The WiFi MAC address of the device"},{"name":"StorageTotal","type":"long","description":"The total storage size of the device"},{"name":"StorageFree","type":"long","description":"The free storage size of the device"},{"name":"AndroidPatchLevel","type":"string","description":"The Android patch level of the device"},{"name":"MEID","type":"string","description":"The mobile equipment identifier of the device"},{"name":"InGracePeriodUntil","type":"string","description":"The device grace period end time"},{"name":"JailBroken","type":"string","description":"String describing whether the device is jail broken"},{"name":"SkuFamily","type":"string","description":"The stock-keeping unit family of the device"},{"name":"EasID","type":"string","description":"The Emergency Alert System Identification of the device"},{"name":"PrimaryUser","type":"string","description":"The ID of the primary user"},{"name":"BatchId","type":"string","description":"The unique ID for the exported report"},{"name":"IntuneAccountId","type":"string","description":"The Intune Account ID"},{"name":"AADTenantId","type":"string","description":"The AAD Tenant ID"},{"name":"Stats","type":"dynamic","description":"Statistics about the export, including the number of records exported per export"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["management"],"solutions":["LogManagement"]}},{"id":"IntuneOperationalLogs","name":"IntuneOperationalLogs","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"Properties","type":"string"},{"name":"Result","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["management"],"solutions":["LogManagement"]}},{"id":"KeyVaults","name":"KeyVaults","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"OperationVersion","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"ResultType","type":"string","isPreferredFacet":true},{"name":"ResultSignature","type":"string","isPreferredFacet":true},{"name":"ResultDescription","type":"string"},{"name":"DurationMs","type":"long"},{"name":"CallerIpAddress","type":"string","isPreferredFacet":true},{"name":"CorrelationId","type":"string"},{"name":"Resource","type":"string","isPreferredFacet":true},{"name":"ResourceGroup","type":"string","isPreferredFacet":true},{"name":"ResourceProvider","type":"string","isPreferredFacet":true},{"name":"SubscriptionId","type":"string"},{"name":"Identity_o","type":"string"},{"name":"ClientInfo_s","type":"string","isP
referredFacet":true},{"name":"RequestUri_s","type":"string","isPreferredFacet":true},{"name":"Id_s","type":"string","isPreferredFacet":true},{"name":"VaultProperties_o","type":"string"},{"name":"KeyProperties_o","type":"string"},{"name":"SecretProperties_o","type":"string"},{"name":"HttpStatusCode_d","type":"real"},{"name":"RemoteIPCountry","type":"string","isPreferredFacet":true},{"name":"RemoteIPLatitude","type":"real"},{"name":"RemoteIPLongitude","type":"real"},{"name":"MaliciousIP","type":"string","isPreferredFacet":true},{"name":"IndicatorThreatType","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"TLPLevel","type":"string","isPreferredFacet":true},{"name":"Confidence","type":"string","isPreferredFacet":true},{"name":"Severity","type":"int","isPreferredFacet":true},{"name":"FirstReportedDateTime","type":"string"},{"name":"LastReportedDateTime","type":"string"},{"name":"IsActive","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["KeyVault"]}},{"id":"KubeEvents","name":"KubeEvents","tableType":"Microsoft","description":"Table that stores Kubernetes events ","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"Type of agent the data was collected from. ","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"Computer","type":"string","description":"Computer/node name in the cluster for which the event applies. If not, computer/node name of sourcing computer","isPreferredFacet":true},{"name":"ObjectKind","type":"string","description":"Kind of kubernetes object applicable for the event [event.InvolvedObject.kind] . 
Ex;- pod","isPreferredFacet":true},{"name":"Namespace","type":"string","description":"Involved kubernetes object's namespace [event.InvolvedObject.namespace]. Ex;- 'kube-system'","isPreferredFacet":true},{"name":"Name","type":"string","description":"Involved kubernetes object's name [event.InvolvedObject.name]. Ex;- 'autoschedulejob-158393400-gkv4g'","isPreferredFacet":true},{"name":"Reason","type":"string","description":"Reason as seen in kubernetes event [event.reason]","isPreferredFacet":true},{"name":"Message","type":"string","description":"Event message [event.message]","isPreferredFacet":true},{"name":"KubeEventType","type":"string","description":"Type of kubernetes event [event.type]. Ex;- 'Normal'","isPreferredFacet":true},{"name":"SourceComponent","type":"string","description":"Source component that generated the event [event.source.component]. Ex;- default-scheduler","isPreferredFacet":true},{"name":"FirstSeen","type":"datetime"},{"name":"LastSeen","type":"datetime","description":"Time event was last observed [event.lastTimestamp]"},{"name":"Count","type":"real","description":"Cumulative count of the number of occurrences of a specific event [event.count]."},{"name":"ClusterName","type":"string","description":"ID of the kubernetes cluster from which the event was sourced","isPreferredFacet":true},{"name":"ClusterId","type":"string","description":"ID of the kubernetes cluster from which the event was sourced","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["container"],"solutions":["AzureResources","ContainerInsights"],"resourceTypes":["microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.hybridcontainerservice/provisionedclusters"]}},{"id":"KubeHealth","name":"KubeHealth","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"MonitorTypeId","type":"string","isPreferredFacet":true},{"name":"MonitorInstanceId","type":"string","isPreferredFacet":true},{"name":"ParentMonitorInstanceId","type":"string","isPreferredFacet":true},{"name":"ClusterId","type":"string","isPreferredFacet":true},{"name":"OldState","type":"string","isPreferredFacet":true},{"name":"NewState","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"TimeFirstObserved","type":"datetime","isPreferredFacet":true},{"name":"MonitorLabels","type":"string","isPreferredFacet":true},{"name":"Details","type":"string","isPreferredFacet":true},{"name":"MonitorConfig","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["AzureResources","ContainerInsights"]}},{"id":"KubeMonAgentEvents","name":"KubeMonAgentEvents","tableType":"Microsoft","description":"Table that stores events from the Kubernetes cluster monitoring agent [Azure Monitor Agent]","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"Type of agent the data was collected from. 
","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Computer/node name in the cluster for which the event applies. If not, computer/node name of sourcing computer","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"Category","type":"string","description":"Category of the event. For example: container.azm.ms/promscraping, container.azm.ms/configmap.","isPreferredFacet":true},{"name":"Level","type":"string","description":"Event level for the event. [Error, Warning, Info]","isPreferredFacet":true},{"name":"ClusterId","type":"string","description":"ID of the kubernetes cluster from which the event was sourced","isPreferredFacet":true},{"name":"ClusterName","type":"string","description":"ID of the kubernetes cluster from which the event was sourced","isPreferredFacet":true},{"name":"Message","type":"string","description":"Event message.","isPreferredFacet":true},{"name":"Tags","type":"string","description":"Dimensions/properties for the event","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["container"],"solutions":["AzureResources","ContainerInsights"],"resourceTypes":["microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.hybridcontainerservice/provisionedclusters"]}},{"id":"KubeNodeInventory","name":"KubeNodeInventory","tableType":"Microsoft","description":"Table that stores Kubernetes cluster's node 
information.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"Type of agent the data was collected from.","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Computer/node name in the cluster for which the event applies. If not, computer/node name of sourcing computer.","isPreferredFacet":true},{"name":"ClusterName","type":"string","description":"ID of the Kubernetes cluster from which the event was sourced.","isPreferredFacet":true},{"name":"ClusterId","type":"string","description":"ID of the Kubernetes cluster from which the event was sourced.","isPreferredFacet":true},{"name":"LastTransitionTimeReady","type":"datetime","description":"Last transition to or from ready condition for the node (no matter ready is true/false)."},{"name":"Labels","type":"string","description":"Kubernetes Node Labels.","isPreferredFacet":true},{"name":"Status","type":"string","description":"Comma separated list of node's status.conditions.type for conditions.status that are true.","isPreferredFacet":true},{"name":"KubeletVersion","type":"string","description":"Version of Kubelet in the node.","isPreferredFacet":true},{"name":"KubeProxyVersion","type":"string","description":"Version of KubeProxy in the node.","isPreferredFacet":true},{"name":"CreationTimeStamp","type":"datetime","description":"Node created time."},{"name":"KubernetesProviderID","type":"string","description":"Provider ID for Kubernetes.","isPreferredFacet":true},{"name":"OperatingSystem","type":"string","description":"Node's host OS Image.","isPreferredFacet":true},{"name":"DockerVersion","type":"string","description":"Container runtime version.","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["container"],"solutions":["AzureResources","ContainerInsights"],"resourceTypes":["microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.hybridcontainerservice/provisionedclusters"]}},{"id":"KubePVInventory","name":"KubePVInventory","tableType":"Microsoft","description":"Kubernetes persistent volumes and their properties.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string","description":"The type of agent the data was collected from","isPreferredFacet":true},{"name":"ClusterId","type":"string","description":"The ID of the Kubernetes cluster of the persistent volume","isPreferredFacet":true},{"name":"ClusterName","type":"string","description":"The name of the Kubernetes cluster of the persistent volume","isPreferredFacet":true},{"name":"PVAccessModes","type":"string","description":"A comma separated list of access modes of the persistent volume","isPreferredFacet":true},{"name":"PVCapacityBytes","type":"real","description":"The capacity of the persistent volume measured in bytes"},{"name":"PVCreationTimeStamp","type":"datetime","description":"The Kubernetes persistent volume creation time"},{"name":"PVName","type":"string","description":"The Kubernetes persistent volume name","isPreferredFacet":true},{"name":"PVCName","type":"string","description":"The Kubernetes persistent volume claim name","isPreferredFacet":true},{"name":"PVCNamespace","type":"string","description":"The Kubernetes namespace of the persistent volume 
claim","isPreferredFacet":true},{"name":"PVStatus","type":"string","description":"The status of the persistent volume: Available, Bound, Released, or Failed","isPreferredFacet":true},{"name":"PVStorageClassName","type":"string","description":"The name of the storage class of the persistent volume","isPreferredFacet":true},{"name":"PVType","type":"string","description":"The type of persistent volume from the list of Kubernetes supported volume plugins","isPreferredFacet":true},{"name":"PVTypeInfo","type":"dynamic","description":"The specific dimensions relating to the type of the persistent volume","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"The date and time the record was created"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["container"],"solutions":["AzureResources","ContainerInsights"],"resourceTypes":["microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.hybridcontainerservice/provisionedclusters"]}},{"id":"KubePodInventory","name":"KubePodInventory","tableType":"Microsoft","description":"Table that stores kubernetes cluster's Pod & container information","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"Type of agent the data was collected from. ","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Computer/node name in the cluster that has this pod/container. 
Unscheduled pods will have this as empty.","isPreferredFacet":true},{"name":"ClusterId","type":"string","description":"ID of the kubernetes cluster from which the event was sourced","isPreferredFacet":true},{"name":"ContainerCreationTimeStamp","type":"datetime","description":"Container creation time"},{"name":"PodUid","type":"string","description":"Unique ID of the pod","isPreferredFacet":true},{"name":"PodCreationTimeStamp","type":"datetime","description":"Pod creation time","isPreferredFacet":true},{"name":"InstanceName","type":"string","description":"Not used currently [for future use]","isPreferredFacet":true},{"name":"ContainerRestartCount","type":"int","description":"Restart count for the container","isPreferredFacet":true},{"name":"PodRestartCount","type":"int","description":"Restart count for the pod. [Sum of all restarts of all containers in the pod]","isPreferredFacet":true},{"name":"PodStartTime","type":"datetime","description":"Pod's start time (for started pods)","isPreferredFacet":true},{"name":"ContainerStartTime","type":"datetime","description":"Time container started.","isPreferredFacet":true},{"name":"ServiceName","type":"string","description":"Kubernetes Service the pod belongs to (if any)","isPreferredFacet":true},{"name":"ControllerKind","type":"string","description":"Container/Pod's controller kind. For example: ReplicaSet","isPreferredFacet":true},{"name":"ControllerName","type":"string","description":"Container/Pod's controller Name. Ex;- kubernetes-dashboard-9f5bf9974","isPreferredFacet":true},{"name":"ContainerStatus","type":"string","description":"Container's last observed current state [container.state]","isPreferredFacet":true},{"name":"ContainerID","type":"string","description":"Container's ID"},{"name":"ContainerName","type":"string","description":"Container name. 
This is in poduid/containername format.","isPreferredFacet":true},{"name":"Name","type":"string","description":"Kubernetes Pod Name"},{"name":"PodLabel","type":"string","description":"Pod Labels"},{"name":"Namespace","type":"string","description":"Kubernetes Namespace for the pod/container","isPreferredFacet":true},{"name":"PodStatus","type":"string","description":"Last observed Pod Status [pod.status.phase]","isPreferredFacet":true},{"name":"ClusterName","type":"string","description":"ID of the kubernetes cluster from which the event was sourced","isPreferredFacet":true},{"name":"PodIp","type":"string","description":"Pod's IP Address"},{"name":"ContainerStatusReason","type":"string","description":"Reason if any for container's status.","isPreferredFacet":true},{"name":"ContainerLastStatus","type":"string","description":"Container's last observed last status"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["container"],"solutions":["AzureResources","ContainerInsights"],"resourceTypes":["microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.hybridcontainerservice/provisionedclusters"],"queries":["5eea8814-60dd-4d3c-bec0-3c364c88e123","8146e954-5df5-4eaa-afe6-1cef6c158456"]}},{"id":"KubeServices","name":"KubeServices","tableType":"Microsoft","description":"Table that stores Kubernetes services information.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"Type of agent the data was collected 
from.","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"ClusterId","type":"string","description":"ID of the Kubernetes cluster from which the event was sourced.","isPreferredFacet":true},{"name":"ClusterIp","type":"string","description":"Cluster IP address of the service.","isPreferredFacet":true},{"name":"ClusterName","type":"string","description":"Name of the Kubernetes cluster from which the event was sourced.","isPreferredFacet":true},{"name":"Namespace","type":"string","description":"Kubernetes namespace for the service.","isPreferredFacet":true},{"name":"SelectorLabels","type":"string","description":"Selector labels for label based services.","isPreferredFacet":true},{"name":"ServiceName","type":"string","description":"Name of the Kubernetes service.","isPreferredFacet":true},{"name":"ServiceType","type":"string","description":"Type of Kubernetes service [ClusterIP/NodePort/LoadBalancer/ExternalName].","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["container"],"solutions":["AzureResources","ContainerInsights"],"resourceTypes":["microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.hybridcontainerservice/provisionedclusters"]}},{"id":"LAJobLogs","name":"LAJobLogs","tableType":"Microsoft","description":"Provides information about jobs executions (e.g. Export Job) within Log Analytics workspace. 
Including job status, duration, and errors.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) of each status change in the job."},{"name":"JobType","type":"string","description":"The type of the job, e.g. 'Export'."},{"name":"CorrelationId","type":"string","description":"The correlation ID of the Job action. Can be used to correlate with logs from other tables, like AzureActivity, or included in support cases."},{"name":"JobId","type":"string","description":"The ID of the job. Can be used as operationId in the operation resource URI (in request response) to get the job’s status or cancel a job."},{"name":"SourceTable","type":"string","description":"The table(s) used in the job's query."},{"name":"Status","type":"string","description":"The job's status, including 'Started', 'Succeeded', 'Canceled', 'Failed'."},{"name":"ResultsRecordCount","type":"long","description":"The number of records in the job's result."},{"name":"ResultsGB","type":"real","description":"The results volume in Gigabytes, e.g. the number of Gigabytes exported to Storage Account."},{"name":"Message","type":"string","description":"A message describing the job's operation or error."},{"name":"Destination","type":"dynamic","description":"The destination information based on the JobType. e.g. 
'Export' includes the export target container name and storage Accounts."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"solutions":["LogManagement"],"queries":["38d33331-aba2-43f7-92c5-c527123edbf6","bd465c3f-0a2c-4ab7-ad8b-43b616528363"]}},{"id":"LAQueryLogs","name":"LAQueryLogs","tableType":"Microsoft","description":"Audit logs for queries executed in Log Analytics Workspaces.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) at which the query was submitted."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events."},{"name":"RecordKind","type":"string","description":"The record kind. Classifies whether the record is backfilled for missed statistics retrieval . 
If it is not backfilled, the value is empty."},{"name":"AADObjectId","type":"string","description":"AAD ObjectId of the caller, or the 'aai' claim for GDAP scenarios."},{"name":"AADTenantId","type":"string","description":"AAD TenantId of the caller."},{"name":"AADEmail","type":"string","description":"AAD Email of the caller."},{"name":"AADClientId","type":"string","description":"AAD ClientId used by the caller."},{"name":"ConditionalDataAccess","type":"string","description":"Indicates whether the query was executed with an applicable attribute-based access control (ABAC) data access condition, and if the condition had an error."},{"name":"QueryTimeRangeStart","type":"datetime","description":"The starting time (UTC) of the time range across which the query was requested by the caller to be executed."},{"name":"QueryTimeRangeEnd","type":"datetime","description":"The end time (UTC) of the time range across which the query was requested by the caller to be executed."},{"name":"QueryText","type":"string","description":"The full body of the query as submitted by the user."},{"name":"QueryThumbprint","type":"string","description":"A hash representing the query structure, useful for identifying similar queries."},{"name":"RequestClientApp","type":"string","description":"ClientApp string in the request header (x-ms-app)."},{"name":"RequestTarget","type":"string","description":"ResourceId of the request URL."},{"name":"RequestContext","type":"dynamic","description":"ResourceId of all referenced workspaces, applications, and resources across which the query was requested by the caller to be executed."},{"name":"RequestContextFilters","type":"dynamic","description":"Filters applied to the request context."},{"name":"ResponseCode","type":"int","description":"The HTTP response code for the request."},{"name":"ResponseRowCount","type":"int","description":"The number of rows that were returned."},{"name":"ResponseDurationMs","type":"real","description":"The duration (in 
ms) that the query took to execute."},{"name":"StatsCPUTimeMs","type":"real","description":"The CPU (in ms) used in the execution of this query."},{"name":"StatsDataProcessedStart","type":"datetime","description":"The starting time (UTC) of the time range across which the data processed."},{"name":"StatsDataProcessedEnd","type":"datetime","description":"The end time (UTC) of the time range across which the data processed."},{"name":"StatsWorkspaceCount","type":"int","description":"The number of workspaces that the query accessed, either explicitly or otherwise."},{"name":"StatsRegionCount","type":"int","description":"The number of regions that the workspaces accessed are spread across."},{"name":"IsBillableQuery","type":"bool","description":"Indicates whether query execution is billed."},{"name":"ScannedGB","type":"real","description":"For billable queries, like Basic logs queries, indicates the total GB of data scanned in the query."},{"name":"WorkspaceRegion","type":"string","description":"The region of the queried workspace."},{"name":"IsWorkspaceInFailover","type":"bool","description":"Indicates whether the queried workspace was in failover mode."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"solutions":["LogManagement"],"queries":["89e77e30-828d-4e3d-96a2-d28befa4275b","c6eb80df-d93e-451d-8a78-500adeb829ca","4a4819f6-4d4f-4c1e-8f9f-445c957af054","78b49d99-ccb7-4791-ba0c-73fbf2104daa","9edff33b-7951-4601-a50b-1da5fea7a127","3b374e0c-6e5c-4367-88a8-10d265ce5e42"]}},{"id":"LASummaryLogs","name":"LASummaryLogs","tableType":"Microsoft","description":"Provides Summary logs rules execution details, including run status, duration and errors. Can be used to view bin execution statuses, identify rules that take a long time to complete, and identify failures that could be addressed by optimizing the query or shortening the bin time.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The bin execution start time (UTC). It represents the time bin processing started, and is decoupled from the bin time range. For example, TimeGenerated can be 2023-01-01T3:05:10.123Z when processing the hourly bin between 2:00 - 3:00."},{"name":"BinStartTime","type":"datetime","description":"The bin start time (UTC). For example, the value can be 2023-01-01T2:00:00.000Z for the bin processed between 2:00 - 3:00."},{"name":"BinSize","type":"int","description":"The time range over which summarization is performed, in minutes. For example, when the bin is 60, summarization is performed every 60 minutes."},{"name":"Status","type":"string","description":"The bin execution status. 
Can be Started, Succeeded or Failed."},{"name":"QueryDurationMs","type":"long","description":"The execution duration in milliseconds."},{"name":"ResultsRecordCount","type":"long","description":"The number of records returned in aggregation."},{"name":"Message","type":"string","description":"An error message when applicable."},{"name":"RuleName","type":"string","description":"The rule name."},{"name":"RuleLastModifiedTime","type":"datetime","description":"The time the rule was last modified. Can be used to explain changes in results, duration, etc."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"solutions":["LogManagement"],"queries":["323226e0-df9e-4287-92aa-3795cf8a964e"]}},{"id":"LIATrackingEvents","name":"LIATrackingEvents","tableType":"Microsoft","description":"Diagnostics data for B2B messages in Azure Logic Apps. After you set up B2B communication between trading partners in your integration account, those partners can exchange messages by using protocols such as AS2, X12, and EDIFACT. To check that this communication works the way you expect, you can enable monitoring in your integration account. 
These monitoring logs appear here.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when this event was generated."},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event."},{"name":"OperationVersion","type":"string","description":"The version of the operation represented by this event."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events."},{"name":"TrackingId","type":"string","description":"The tracking ID."},{"name":"SourceType","type":"string","description":"The tracking events source type."},{"name":"WorkflowName","type":"string","description":"The name of the workflow."},{"name":"WorkflowVersion","type":"string","description":"The version of the workflow."},{"name":"WorkflowSystemId","type":"string","description":"The workflow system tracking ID."},{"name":"WorkflowSubscriptionId","type":"string","description":"The subscription ID of the workflow."},{"name":"WorkflowResourceGroup","type":"string","description":"The resource group name of the workflow."},{"name":"WorkflowRunId","type":"string","description":"The logic app run ID."},{"name":"WorkflowRunTrackingId","type":"string","description":"The tracking ID of the run."},{"name":"WorkflowRunClientTrackingId","type":"string","description":"The client tracking ID of the run."},{"name":"WorkflowOperationName","type":"string","description":"The logic app operation name."},{"name":"WorkflowRepeatItemScopeName","type":"string","description":"The repeat item scope name."},{"name":"WorkflowRepeatItemIndex","type":"int","description":"The repeat item index."},{"name":"WorkflowRepeatItemBatchIndex","type":"int","description":"The index of the repeat item batch."},{"name":"WorkflowOperationTrackingId","type":"string","description":"The tracking ID of the logic app 
operation."},{"name":"WorkflowOperationCorrelationId","type":"string","description":"The correlation ID of the logic app operation."},{"name":"WorkflowOperationClientRequestId","type":"string","description":"The client request ID of the logic app operation."},{"name":"WorkflowOperationOperationTrackingId","type":"string","description":"The operation tracking ID of the logic app operation."},{"name":"EventTime","type":"datetime","description":"The event time."},{"name":"EventRecordType","type":"string","description":"The Tracking record type."},{"name":"Error","type":"dynamic","description":"The tracking event error information."},{"name":"AgreementProperties","type":"dynamic","description":"Agreement properties for the electronic data interchange functional group."},{"name":"MessageProperties","type":"dynamic","description":"Message properties for the electronic data interchange functional group."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.logic/integrationaccounts"],"solutions":["LogManagement"]}},{"id":"LedgerTransactionLogs","name":"LedgerTransactionLogs","tableType":"Microsoft","description":"Logs related to Ledger transactions on Azure Confidential Ledger.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"Level","type":"string","description":"An error or informational message indicating if the service 
processed the request."},{"name":"Message","type":"string","description":"The Log message."},{"name":"File","type":"string","description":"The file name that generated the log message."},{"name":"Location","type":"string","description":"The Azure datacenter region where the pod is deployed."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.confidentialledger/ledgers"],"solutions":["LogManagement"],"queries":["f986ae23-a5e3-4b1a-8c7f-d3209a0267a7"]}},{"id":"LedgerUserDefinedLogs","name":"LedgerUserDefinedLogs","tableType":"Microsoft","description":"Logs related to User Defined Functions and User Defined Endpoints on Azure Confidential Ledger.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"Level","type":"string","description":"An error or informational message indicating if the service processed the request."},{"name":"Message","type":"string","description":"The Log message."},{"name":"File","type":"string","description":"The file name that generated the log message."},{"name":"Location","type":"string","description":"The Azure datacenter region where the pod is deployed."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A 
unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit","applications"],"resourceTypes":["microsoft.confidentialledger/ledgers"],"solutions":["LogManagement"],"queries":["a68218d8-84d3-45ce-87c5-1ff89cbe9eaf"]}},{"id":"LinuxAuditLog","name":"LinuxAuditLog","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"SourceComputerId","type":"string"},{"name":"ManagementGroup","type":"string"},{"name":"TimeUploaded","type":"datetime"},{"name":"ManagementGroupName","type":"string"},{"name":"ExternalAgentIp","type":"string"},{"name":"ResourceId","type":"string"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"RecordType","type":"string","isPreferredFacet":true},{"name":"AuditID","type":"string"},{"name":"SerialNumber","type":"string"},{"name":"uid","type":"long"},{"name":"user","type":"string","isPreferredFacet":true},{"name":"node","type":"string"},{"name":"argc","type":"long"},{"name":"a0","type":"string"},{"name":"a1","type":"string"},{"name":"a2","type":"string"},{"name":"a3","type":"string"},{"name":"a4","type":"string"},{"name":"a5","type":"string"},{"name":"a6","type":"string"},{"name":"a7","type":"string"},{"name":"a8","type":"string"},{"name":"a9","type":"string"},{"name":"auid","type":"long"},{"name":"audit_user","type":"string"},{"name":"euid","type":"long"},{"name":"op","type":"string"},{"name":"effective_user","type":"string"},{"name":"acct","type":"string"},{"name":"addr","type":"string"},{"name":"arch","type":"string"},{"name":"cmd","type":"string"},{"name":"comm","type":"string"},{"name":"cwd","type":"string"},{"name":"data","type":"string"},{"name":"exe","type":"string"},{"name":"exit","type":"string"},{"name":"family","type":"string"}
,{"name":"filetype","type":"string"},{"name":"gid","type":"long"},{"name":"group","type":"string"},{"name":"egid","type":"long"},{"name":"effective_group","type":"string"},{"name":"hostname","type":"string"},{"name":"icmptype","type":"string"},{"name":"key","type":"string"},{"name":"name","type":"string"},{"name":"path","type":"string"},{"name":"pid","type":"long"},{"name":"ppid","type":"long"},{"name":"res","type":"string"},{"name":"result","type":"string"},{"name":"ses","type":"long"},{"name":"success","type":"string"},{"name":"syscall","type":"string"},{"name":"terminal","type":"string"},{"name":"tty","type":"string"},{"name":"vm","type":"string"},{"name":"RawRecord","type":"string"},{"name":"ComputerEnvironment","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"solutions":["Security","SecurityInsights"]}},{"id":"LogicAppWorkflowRuntime","name":"LogicAppWorkflowRuntime","tableType":"Microsoft","description":"Logs generated during Logic Apps workflow runtime.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The name of this operation."},{"name":"StartTime","type":"datetime","description":"The start time (UTC) of the operation."},{"name":"EndTime","type":"datetime","description":"The end time (UTC) of the operation."},{"name":"Status","type":"string","description":"The status of the operation, e.g. 
Succeeded, Failed, Skipped, Ignored."},{"name":"Code","type":"string","description":"The HTTP status code of the request."},{"name":"Error","type":"string","description":"The error message of this operation."},{"name":"WorkflowId","type":"string","description":"The unique ID of the workflow."},{"name":"WorkflowName","type":"string","description":"The name of the workflow."},{"name":"RunId","type":"string","description":"The unique ID of the workflow run."},{"name":"TriggerName","type":"string","description":"The name of the workflow trigger."},{"name":"ActionName","type":"string","description":"The name of the workflow action."},{"name":"OriginRunId","type":"string","description":"The unique ID of the original workflow run, only relevant for resubmission scenarios."},{"name":"ClientTrackingId","type":"string","description":"The unique ID of the client."},{"name":"ActionTrackingId","type":"string","description":"The unique ID of the workflow action."},{"name":"Location","type":"string","description":"The geographical run location of the workflow."},{"name":"ClientKeywords","type":"string","description":"The client keywords sent through the header."},{"name":"Tags","type":"string","description":"The custom tags associated with the workflow."},{"name":"TrackedProperties","type":"string","description":"The custom tracked properties."},{"name":"RetryHistory","type":"string","description":"The retry history of the workflow action."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.web/sites","microsoft.logic/workflows"],"solutions":["LogManagement"],"queries":["edffa3dc-fbae-42e7-a972-8639d323cacf"]}},{"id":"MAApplication","name":"MAApplication","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ProgramId","type":"string"},{"name":"AppName","type":"string","isPreferredFacet":true},{"name":"AppVendor","type":"string"},{"name":"AppVersion","type":"string","isPreferredFacet":true},{"name":"AppLanguage","type":"string"},{"name":"AppType","type":"string"},{"name":"AppCategory","type":"string"},{"name":"NPId","type":"string"},{"name":"HasSupportStatement","type":"bool"},{"name":"TotalInstalls","type":"int"},{"name":"MonthlyActiveDevices","type":"int"},{"name":"TestOwner","type":"string"},{"name":"TestPlan","type":"string"},{"name":"Importance","type":"string","isPreferredFacet":true},{"name":"IsVirtualized","type":"bool"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAApplicationHealth","name":"MAApplicationHealth","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"ProgramId","type":"string"},{"name":"AppName","type":"string","isPreferredFacet":true},{"name":"AppVendor","type":"string"},{"name":"AppVersion","type":"string","isPreferredFacet":true},{"name":"AppLanguage","type":"string"},{"name":"ActiveDevicesOnSource","type":"int"},{"name":"ActiveDevicesOnTarget","type":"int"},{"name":"TotalSessionsOnSource","type":"int"},{"name":"TotalSessionsOnTarget","type":"int"},{"name":"TotalDevicesInstalledOnSource","type":"int"},{"name":"TotalDevicesInstalledOnTarget","type":"int"},{"name":"DevicesWithCrashesOnSource","type":"int"},{"name":"DevicesWithCrashesOnTarget","type":"int"},{"name":"DevicesWithCrashesPercentOnTargetForCommercial","type":"real"},{"name":"SessionsWithCrashesOnSource","type":"int"},{"name":"SessionsWithCrashesOnTarget","type":"int"},{"name":"SessionsWithCrashesPercentOnTargetForCommercial","type":"real"},{"name":"HealthStatus","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAApplicationHealthAlternativeVersions","name":"MAApplicationHealthAlternativeVersions","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"ProgramId","type":"string"},{"name":"AppName","type":"string","isPreferredFacet":true},{"name":"AppVendor","type":"string"},{"name":"AppVersion","type":"string","isPreferredFacet":true},{"name":"AppLanguage","type":"string"},{"name":"AdoptionStatus","type":"string"},{"name":"DevicesWithCrashesPercentOnTargetForCommercial","type":"real"},{"name":"SessionsWithCrashesPercentOnTargetForCommercial","type":"real"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAApplicationHealthIssues","name":"MAApplicationHealthIssues","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"ProgramId","type":"string"},{"name":"AppName","type":"string","isPreferredFacet":true},{"name":"AppVendor","type":"string"},{"name":"AppVersion","type":"string","isPreferredFacet":true},{"name":"AppLanguage","type":"string"},{"name":"AppFileName","type":"string"},{"name":"AppFileVersion","type":"string"},{"name":"AppFileDisplayName","type":"string"},{"name":"DeviceId","type":"string"},{"name":"FailureId","type":"string"},{"name":"DiagnosticSignature","type":"string"},{"name":"FirstFailureDate","type":"datetime"},{"name":"LastFailureDate","type":"datetime"},{"name":"FailureInstanceCount","type":"int"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAApplicationInstance","name":"MAApplicationInstance","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DeviceId","type":"string"},{"name":"ProgramID","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAApplicationInstanceReadiness","name":"MAApplicationInstanceReadiness","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DeploymentPlanId","type":"string"},{"name":"DeviceId","type":"string"},{"name":"AppName","type":"string","isPreferredFacet":true},{"name":"AppVendor","type":"string"},{"name":"AppVersion","type":"string","isPreferredFacet":true},{"name":"AppLanguage","type":"string"},{"name":"ProgramId","type":"string"},{"name":"Issue","type":"string","isPreferredFacet":true},{"name":"ConfigMgrClientID","type":"string"},{"name":"DeviceName","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAApplicationReadiness","name":"MAApplicationReadiness","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DeploymentPlanId","type":"string"},{"name":"ProgramId","type":"string"},{"name":"AppName","type":"string","isPreferredFacet":true},{"name":"AppVendor","type":"string"},{"name":"AppVersion","type":"string","isPreferredFacet":true},{"name":"AppLanguage","type":"string"},{"name":"AppType","type":"string"},{"name":"AppCategory","type":"string"},{"name":"NPId","type":"string"},{"name":"HasSupportStatement","type":"bool"},{"name":"AdoptionStatus","type":"string"},{"name":"Importance","type":"string","isPreferredFacet":true},{"name":"TestOwner","type":
"string"},{"name":"TestPlan","type":"string"},{"name":"TestResult","type":"string"},{"name":"UpgradeDecision","type":"string","isPreferredFacet":true},{"name":"Notes","type":"string"},{"name":"Remediation","type":"string"},{"name":"RiskAssessment","type":"string"},{"name":"Issue","type":"string","isPreferredFacet":true},{"name":"Guidance","type":"string"},{"name":"TotalInstalls","type":"int"},{"name":"MonthlyActiveDevices","type":"int"},{"name":"DevicesWithIssues","type":"int"},{"name":"IsVirtualized","type":"bool"},{"name":"AHAInsight","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MADeploymentPlan","name":"MADeploymentPlan","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DeploymentPlanId","type":"string"},{"name":"Name","type":"string","isPreferredFacet":true},{"name":"DeploymentTask","type":"string"},{"name":"OfficeTargetRelease","type":"string"},{"name":"WindowsTargetRelease","type":"string"},{"name":"CompletionDate","type":"datetime"},{"name":"WindowsTargetBuild","type":"string"},{"name":"OfficeTargetBuild","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MADevice","name":"MADevice","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DeviceId","type":"string"},{"name":"ConfigMgrClientID","type":"string"},{"name":"DeviceName","type":"string"},{"name":"DeviceLastSeenDate","type":"datetime"},{"name":"Manufacturer","type":"string"},{"name":"Model","type":"string"},{"name":"OSVersion","type":"string"},{"name":"OSBuildNumber","type":"int"},{"name":"OSRevisionNumber","type":"int"},{"name":"OSBuild","type":"string"},{"name":"OSEdition","type":"string"},{"name":"OSArchitecture","type":"string"},{"name":"OSServicingBranch","type":"string"},{"name":"OSFamily","type":"string"},{"name":"Region","type":"string"},{"name":"TotalRAM","type":"real"},{"name":"Processor","type":"string"},{"name":"ModelFamily","type":"string"},{"name":"InventoryVersion","type":"string"},{"name":"InventoryCompleteness","type":"bool"},{"name":"BiosVersion","type":"string"},{"name":"DeviceAge","type":"int"},{"name":"TotalDiskSize","type":"int"},{"name":"DiskFreeSpace","type":"int"},{"name":"KernelModeCrashCount","type":"int"},{"name":"KernelModeCrashCountTrailing","type":"int"},{"name":"KernelModeCrashFreePercentTrailingIndustry","type":"real"},{"name":"AbnormalShutdownCount","type":"int"},{"name":"AbnormalShutdownCountTrailing","type":"int"},{"name":"OfficeChannel","type":"string"},{"name":"OfficeAudiencesGroup","type":"string"},{"name":"OfficeAudienceFFN","type":"string"},{"name":"OfficeVersion","type":"string"},{"name":"OfficeBuild","type":"string"},{"name":"AssignedToDeploymentPlan","type":"bool"},{"name":"WindowsTelemetryLevel","type":"int"},{"name":"OEMSerialNumber","type":"string"},{"name":"Type","type
":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MADeviceNRT","name":"MADeviceNRT","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DeviceId","type":"string"},{"name":"DeviceName","type":"string"},{"name":"Manufacturer","type":"string"},{"name":"ModelFamily","type":"string"},{"name":"OSVersion","type":"string"},{"name":"OSBuildNumber","type":"int"},{"name":"OSRevisionNumber","type":"int"},{"name":"DeviceFirstSeenDate","type":"datetime"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MADeviceNotEnrolled","name":"MADeviceNotEnrolled","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ConfigMgrClientID","type":"string"},{"name":"DeviceName","type":"string"},{"name":"OEMSerialNumber","type":"string"},{"name":"HasEnrollmentError","type":"string"},{"name":"ConfigMgrLastSeenDate","type":"datetime"},{"name":"PropertyBag","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MADeviceReadiness","name":"MADeviceReadiness","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DeploymentPlanId","type":"string"},{"name":"DeviceId","type":"string"},{"name":"ConfigMgrClientID","type":"string"},{"name":"DeviceName","type":"string"},{"name":"DeviceLastSeenDate","type":"datetime"},{"name":"Manufacturer","type":"string","isPreferredFacet":true},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"ModelFamily","type":"string"},{"name":"InventoryCompleteness","type":"bool"},{"name":"OfficeVersion","type":"string"},{"name":"WindowsUpgradeDecision","type":"string"},{"name":"OfficeUpgradeDecision","type":"string"},{"name":"AppIssues","type":"int"},{"name":"DriverIssues","type":"int"},{"name":"SysReqIssues","type":"int"},{"name":"OfficeAddInIssues","type":"int"},{"name":"OfficeAppIssues","type":"int"},{"name":"TotalIssues","type":"int"},{"name":"OSBuild","type":"string"},{"name":"OfficeBuild","type":"string"},{"name":"MacroIssues","type":"int"},{"name":"PilotDevice","type":"bool"},{"name":"DeviceStatus","type":"int"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MADriverInstanceReadiness","name":"MADriverInstanceReadiness","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DeploymentPlanId","type":"string"},{"name":"DeviceId","type":"string"},{"name":"HardwareID","type":"string","isPreferredFacet":true},{"name":"DriverName","type":"string","isPreferredFacet":true},{"name":"DriverVersion","type":"string","isPreferredFacet":true},{"name":"Issue","type":"string","isPreferredFacet":true},{"name":"ConfigMgrClientID","type":"string"},{"name":"DeviceName","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MADriverReadiness","name":"MADriverReadiness","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DeploymentPlanId","type":"string"},{"name":"DriverKey","type":"long"},{"name":"HardwareName","type":"string","isPreferredFacet":true},{"name":"HardwareType","type":"string","isPreferredFacet":true},{"name":"HardwareID","type":"string","isPreferredFacet":true},{"name":"DriverVendor","type":"string","isPreferredFacet":true},{"name":"DriverName","type":"string","isPreferredFacet":true},{"name":"DriverVersion","type":"string","isPreferredFacet":true},{"name":"DriverDate","type":"string"},{"name":"TotalComputers","type":"int"},{"name":"Remediation","type":"string"},{"name":"UpgradeDecision","type":"string","isPref
erredFacet":true},{"name":"RiskAssessment","type":"string"},{"name":"Issue","type":"string","isPreferredFacet":true},{"name":"Guidance","type":"string"},{"name":"DriverAvailability","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAOfficeAddin","name":"MAOfficeAddin","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"AddinInstanceId","type":"string"},{"name":"AddinName","type":"string"},{"name":"AddinVersion","type":"string"},{"name":"AddinPublisher","type":"string"},{"name":"AddinProducts","type":"string"},{"name":"AddinRemarks","type":"string"},{"name":"AddinSupportStatus","type":"string"},{"name":"AddinSupportStatementUrl","type":"string"},{"name":"TotalInstalls","type":"int"},{"name":"Importance","type":"string","isPreferredFacet":true},{"name":"TestOwner","type":"string"},{"name":"TestPlan","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAOfficeAddinHealthEventNRT","name":"MAOfficeAddinHealthEventNRT","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"EventType","type":"int","isPreferredFacet":true},{"name":"EventTypeName","type":"string"},{"name":"DeviceId","type":"string","isPreferredFacet":true},{"name":"OfficeApplication","type":"string"},{"name":"OfficeAppRelease","type":"string","isPreferredFacet":true},{"name":"AddinInstanceId","type":"string","isPreferredFacet":true},{"name":"OfficeInterface","type":"string"},{"name":"OfficeMethod","type":"string"},{"name":"Timestamp","type":"datetime"},{"name":"IsVSTO","type":"bool"},{"name":"LoadAttempts","type":"int"},{"name":"DurationInMicroseconds","type":"int"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAOfficeAddinInstance","name":"MAOfficeAddinInstance","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DeviceId","type":"string"},{"name":"AddinInstanceId","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAOfficeAddinReadiness","name":"MAOfficeAddinReadiness","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DeploymentPlanId","type":"string"},{"name":"AddinInstanceId","type":"string"},{"name":"AddinName","type":"string"},{"name":"AddinVersion","type":"string"},{"name":"AddinPublisher","type":"string"},{"name":"AddinProducts","type":"string"},{"name":"AddinRemarks","type":"string"},{"name":"AddinSupportStatus","type":"string"},{"name":"AddinSupportStatementUrl","type":"string"},{"name":"TargetOfficeBitness","type":"string"},{"name":"AdoptionStatus","type":"string"},{"name":"TotalInstalls","type":"int"},{"name":"RiskAssessment","type":"string"},{"name":"Importance","type":"string","isPreferredFacet":true},{"name":"TestOwner","type":"string"},{"name":"TestPlan","type":"string"},{"name":"TestResult","type":"string"},{"name":"UpgradeDecision","type":"string","isPreferredFacet":true},{"name":"Remediation","type":"string"},{"name":"Issue","type":"string","isPreferredFacet":true},{"name":"Guidance","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAOfficeAppInstance","name":"MAOfficeAppInstance","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DeviceId","type":"string"},{"name":"OfficeAppId","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAOfficeAppReadiness","name":"MAOfficeAppReadiness","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DeploymentPlanId","type":"string"},{"name":"OfficeAppId","type":"string"},{"name":"OfficeAppName","type":"string"},{"name":"OfficeAppMajorVersion","type":"int"},{"name":"OfficeAppVersion","type":"string"},{"name":"OfficeAppRelease","type":"string"},{"name":"OfficeAppArchitecture","type":"string"},{"name":"TotalInstalls","type":"int"},{"name":"MonthlyActiveUsers","type":"int"},{"name":"Importance","type":"string","isPreferredFacet":true},{"name":"TestOwner","type":"string"},{"name":"TestPlan","type":"string"},{"name":"TestResult","type":"string"},{"name":"UpgradeDecision","type":"string","isPreferredFacet":true},{"name":"Notes","type":"string"},{"name":"Remediation","type":"string"},{"name":"RiskAssessment","type":"string"},{"name":"Issue","type":"string","isPreferredFacet":true},{"name":"Guidance","type":"string"},{"name":"DevicesWithIssues","type":"int"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAOfficeBuildInfo","name":"MAOfficeBuildInfo","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"BuildId","type":"int"},{"name":"ServicingChannel","type":"string"},{"name":"ReleaseVersion","type":"string"},{"name":"BuildVersion","type":"string"},{"name":"ReleaseType","type":"string"},{"name":"KBUrl","type":"string"},{"name":"AvailabilityDate","type":"datetime"},{"name":"EOSDate","type":"datetime"},{"name":"OfferedBuildType","type":"string"},{"name":"FeatureCurrency","type":"string"},{"name":"SecurityCompliance","type":"string"},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAOfficeCurrencyAssessment","name":"MAOfficeCurrencyAssessment","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"DeviceId","type":"string"},{"name":"ServicingChannel","type":"string"},{"name":"ReleaseVersion","type":"string"},{"name":"BuildVersion","type":"string"},{"name":"FeatureCurrency","type":"string"},{"name":"SecurityCompliance","type":"string"},{"name":"BuildId","type":"int"},{"name":"LastEventTime","type":"datetime"},{"name":"AssessmentTime","type":"datetime"},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAOfficeSuiteInstance","name":"MAOfficeSuiteInstance","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"OfficeAppId","type":"string"},{"name":"DeviceId","type":"string"},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAProposedPilotDevices","name":"MAProposedPilotDevices","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DeploymentPlanId","type":"string"},{"name":"DeviceId","type":"string"},{"name":"DeviceName","type":"string"},{"name":"DeviceFamily","type":"string"},{"name":"Rank","type":"int"},{"name":"Coverage","type":"real"},{"name":"Redundancy","type":"real"},{"name":"Source","type":"string","isPreferredFacet":true},{"name":"PilotStatus","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAWindowsBuildInfo","name":"MAWindowsBuildInfo","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"BuildId","type":"int"},{"name":"ServicingChannel","type":"string"},{"name":"ReleaseVersion","type":"string"},{"name":"BuildVersion","type":"string"},{"name":"ReleaseType","type":"string"},{"name":"KB","type":"string"},{"name":"KBUrl","type":"string"},{"name":"AvailabilityDate","type":"datetime"},{"name":"EOSDate","type":"datetime"},{"name":"ExtEOSDate","type":"datetime"},{"name":"PaidEOSDate","type":"datetime"},{"name":"FeatureCurrencyStandard","type":"string"},{"name":"FeatureCurrencyExtended","type":"string"},{"name":"FeatureCurrencyPaid","type":"string"},{"name":"SecurityCompliance","type":"string"},{"name":"OfferedBuildType","type":"string"},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAWindowsCurrencyAssessment","name":"MAWindowsCurrencyAssessment","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"DeviceId","type":"string"},{"name":"BuildVersion","type":"string"},{"name":"ReleaseVersion","type":"string"},{"name":"ServicingChannel","type":"string"},{"name":"FeatureCurrency","type":"string"},{"name":"SecurityCompliance","type":"string"},{"name":"BuildId","type":"int"},{"name":"LastEventTime","type":"datetime"},{"name":"AssessmentTime","type":"datetime"},{"name":"ReleaseServicingLevel","type":"string"},{"name":"DeviceServicingLevel","type":"string"},{"name":"DeviceEOSDate","type":"datetime"},{"name":"ServicingState","type":"string"},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAWindowsCurrencyAssessmentDailyCounts","name":"MAWindowsCurrencyAssessmentDailyCounts","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"ServicingChannel","type":"string"},{"name":"ReleaseVersion","type":"string"},{"name":"BuildId","type":"int"},{"name":"BuildVersion","type":"string"},{"name":"DeviceCount","type":"int"},{"name":"AggregationTime","type":"datetime"},{"name":"SnapshotTime","type":"datetime"},{"name":"FeatureCurrencyLegend","type":"string"},{"name":"SecurityComplianceLegend","type":"string"},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MAWindowsDeploymentStatus","name":"MAWindowsDeploymentStatus","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"DeviceId","type":"string"},{"name":"BuildId","type":"int"},{"name":"ReleaseVersion","type":"string"},{"name":"ReleaseType","type":"string"},{"name":"DeviceName","type":"string"},{"name":"Manufacturer","type":"string"},{"name":"Model","type":"string"},{"name":"SourceBuild","type":"string"},{"name":"TargetBuild","type":"string"},{"name":"TargetReleaseName","type":"string"},{"name":"StateName","type":"string"},{"name":"DeploymentStage","type":"string"},{"name":"DeploymentStatus","type":"string"},{"name":"DeploymentOverviewStatus","type":"string"},{"name":"ErrorCode","type":"int"},{"name":"ExtendedErrorCode","type":"int"},{"name":"ErrorDescription","type":"string"},{"name":"RecommendedAction","type":"string"},{"name":"UpdateSource","type":"string"},{"name":"LastEventTime","type":"datetime"},{"name":"DeploymentStartTime","type":"datetime"},{"name":"DeploymentEndTime","type":"datetime"},{"name":"DeploymentDuration","type":"int"},{"name":"UpdateDeferral","type":"int"},{"name":"PauseState","type":"string"},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["Microsoft365Analytics"]}},{"id":"MCCEventLogs","name":"MCCEventLogs","tableType":"Microsoft","description":"This table includes logs for cache events. 
Can be used for performance metrics.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was created."},{"name":"HitRatioMbps","type":"real","description":"Ratio of the data volume (MB) per second that came directly from Microsoft Connected Cache (hitMbps) to the total data volume (MB) per second delivered (egressMbps)."},{"name":"CacheNodeId","type":"string","description":"Unique CacheNode identifier."},{"name":"MissMbps","type":"real","description":"Data volume (MB) per second that Microsoft Connected Cache had to download from CDN to seed the cache."},{"name":"HitMbps","type":"real","description":"Data volume (MB) per second that came directly from Microsoft Connected Cache."},{"name":"Hits","type":"int","description":"The number of times data is found in the cache."},{"name":"Misses","type":"int","description":"The number of times data is not found in the cache and had to be downloaded from CDN."},{"name":"EgressMbps","type":"real","description":"The total data volume (MB) per second delivered, including: data volume (MB) that came directly from cache (hitMbps) and data volume (MB) that Microsoft Connected Cache had to download from CDN to seed the cache (missMbps)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.connectedcache/cachenodes"],"solutions":["LogManagement"]}},{"id":"MCVPAuditLogs","name":"MCVPAuditLogs","tableType":"Microsoft","description":"The MCVP audit logs. 
This table will include audit logs for MCVP service transactions.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the audit log was created."},{"name":"OperationName","type":"string","description":"The operation request name where the audit log was created."},{"name":"OperationCategories","type":"string","description":"The operation request categories like Provision, Connection or Claims."},{"name":"OperationCategoryDescription","type":"string","description":"The operation request category general description."},{"name":"OperationResult","type":"string","description":"The operation request result - Success or Fail."},{"name":"OperationResultDescription","type":"string","description":"The operation request result description. The column will contain information if the OperationResult value is other than Success or Fail."},{"name":"OperationAccessLevel","type":"string","description":"The operation access level of the request - Administrator, Writer or Reader."},{"name":"CallerIdentities","type":"string","description":"The caller identity, user alias or email address."},{"name":"CallerIpAddress","type":"string","description":"IPV4 caller ip address."},{"name":"CallerAccessLevels","type":"string","description":"The caller access level - Administrator, Writer or Reader."},{"name":"TraceId","type":"string","description":"An identifier for distributed tracing through a system (W3C TraceContext)."},{"name":"SpanId","type":"string","description":"An identifier of the request as known by the caller."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.connectedvehicle/platformaccounts"],"solutions":["LogManagement"]}},{"id":"MCVPOperationLogs","name":"MCVPOperationLogs","tableType":"Microsoft","description":"The MCVP Azure monitor logs. This table will include logs for vehicle provision, connection and activities sending command and receiving telemetry messages.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The operation name where the log was created."},{"name":"VehicleId","type":"string","description":"Unique vehicle identifier."},{"name":"DeviceName","type":"string","description":"Device friendly name."},{"name":"Message","type":"string","description":"The general log message."},{"name":"TraceId","type":"string","description":"An identifier for distributed tracing through a system (W3C TraceContext)."},{"name":"SpanId","type":"string","description":"An identifier of the request as known by the caller."},{"name":"SeverityText","type":"string","description":"The log severity."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.connectedvehicle/platformaccounts"],"solutions":["LogManagement"]}},{"id":"MDCDetectionDNSEvents","name":"MDCDetectionDNSEvents","tableType":"Microsoft","description":"DNS Events. This table is collected by the detection team in MDC.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) when the DNS lookup event was recorded."},{"name":"AzureResourceId","type":"string","description":"The Azure resource ID of the K8S cluster resource."},{"name":"Region","type":"string","description":"The region where the K8S cluster is deployed."},{"name":"ImageName","type":"string","description":"The name of the Image running in the docker container which initiated the dns lookup call."},{"name":"Digest","type":"string","description":"The digest of the Image running in the docker container which initiated the dns lookup call."},{"name":"ContainerId","type":"string","description":"The container id of the docker container which initiated the dns lookup call."},{"name":"ContainerName","type":"string","description":"The name of the docker container which initiated the dns lookup call."},{"name":"PID","type":"string","description":"The process id of the process which initiated the dns lookup call."},{"name":"Ppid","type":"string","description":"The parent process id of the process which initiated the dns lookup call."},{"name":"Uid","type":"string","description":"The user id of the user who initiated the dns lookup call."},{"name":"Gid","type":"string","description":"The group id of the user who initiated the dns lookup call."},{"name":"Comm","type":"string","description":"The command name which initiated the dns lookup call - i.e. 
curl, wget etc."},{"name":"PodName","type":"string","description":"The name of the pod in which the container is running."},{"name":"NodeName","type":"string","description":"The name of the node on which the pod is running."},{"name":"Namespace","type":"string","description":"The namespace of the pod in which the container is running."},{"name":"Addresses","type":"dynamic","description":"The list of IP addresses resolved by the DNS lookup call."},{"name":"PacketId","type":"string","description":"The packet id in the packet that was sent for the DNS lookup call."},{"name":"Latency","type":"string","description":"The latency of the DNS lookup call."},{"name":"NameServer","type":"string","description":"The nameserver used in order to resolve the DNS lookup call."},{"name":"QR","type":"string","description":"Q for Query packets, R for Response packets."},{"name":"Qtype","type":"string","description":"The type of the DNS query, e.g. A, AAAA, CNAME."},{"name":"Rcode","type":"string","description":"A string representing the Success/Error DNS lookup result."},{"name":"Tid","type":"string","description":"The thread id of the DNS lookup call."},{"name":"Domain","type":"string","description":"The domain name that was queried/resolved by the DNS lookup call."},{"name":"DataPipelineMetadata","type":"dynamic","description":"Holds Data PipelineMetadata."},{"name":"AdditionalData","type":"dynamic","description":"Holds Additional Data."},{"name":"EventGuid","type":"string","description":"The unique identifier for the event."},{"name":"Cwd","type":"string","description":"The current working directory of the process which initiated the dns lookup call."},{"name":"Exe","type":"string","description":"The executable path of the process which initiated the dns lookup call."},{"name":"Pcomm","type":"string","description":"The parent command name which initiated the dns lookup call."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"],"queries":["1e4f66c0-41e2-45ff-864f-39e9d7a4f492"]}},{"id":"MDCDetectionFimEvents","name":"MDCDetectionFimEvents","tableType":"Microsoft","description":"Events from this table are collected by the detection team in MDC.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) when the monitored entity was created, renamed, modified or deleted."},{"name":"AzureResourceId","type":"string","description":"The Azure resource ID of the resource whose monitored entity was created, renamed, modified or deleted."},{"name":"Region","type":"string","description":"The region the resource whose monitored entity was created, renamed, modified or deleted."},{"name":"Computer","type":"string","description":"The name of the machine on which the monitored entity was created, renamed, modified or deleted."},{"name":"EventType","type":"string","description":"The type of change that occurred on the entity. Must be either 'Created', 'Modified', 'Renamed' or 'Deleted'."},{"name":"FileName","type":"string","description":"Holds the name of the file that was created, renamed, modified or deleted."},{"name":"FileType","type":"string","description":"Holds the type of the file that was created, renamed, modified or deleted. 
Example of possible values: Zip, PDF, Xar etc."},{"name":"FilePath","type":"string","description":"Holds the path of the file that was created, renamed, modified or deleted."},{"name":"IsDir","type":"bool","description":"True if event is for a directory, false if event is for a file."},{"name":"InitiatingProcessId","type":"string","description":"Holds the process Id of the initiating process that caused the monitored entity event."},{"name":"InitiatingProcessName","type":"string","description":"Holds the name of the initiating process that caused the monitored entity event."},{"name":"InitiatingParentProcessId","type":"string","description":"Holds the process Id of the initiating parent process that caused the monitored entity event."},{"name":"InitiatingParentProcessName","type":"string","description":"Holds the name of the initiating parent process that caused the monitored entity event."},{"name":"InitiatingProcessAccountDomainName","type":"string","description":"Holds the name of the process account domain that caused the monitored entity event."},{"name":"InitiatingProcessAccountName","type":"string","description":"Holds the name of the process account that caused the monitored entity event."},{"name":"AgentId","type":"string","description":"Holds the Tivan Agent Id."},{"name":"Inode","type":"int","description":"Holds the inode number of the monitored entity (file or directory) that was created, renamed, modified or deleted."},{"name":"DataPipelineMetadata","type":"dynamic","description":"Holds Data PipelineMetadata."},{"name":"AdditionalData","type":"dynamic","description":"Holds Additional Data."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"],"queries":["ca4f4032-55e0-48c9-aac1-aa14d6ff21d3"]}},{"id":"MDCDetectionGatingValidationEvents","name":"MDCDetectionGatingValidationEvents","tableType":"Microsoft","description":"K8s Gating validation 
events. This table is collected by the detection team in MDC.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"AzureResourceId","type":"string","description":"The resource ID of the K8S cluster resource."},{"name":"Region","type":"string","description":"The region where the K8S cluster is deployed."},{"name":"Action","type":"string","description":"The validation action that was performed."},{"name":"RuleProperties","type":"dynamic","description":"The rule properties that were applied during the validation."},{"name":"AdmissionControlVersions","type":"dynamic","description":"The versions of the gating (admission control) components."},{"name":"EvaluatedResourceKind","type":"string","description":"The evaluated K8s resource kind."},{"name":"EvaluatedResourceName","type":"string","description":"The evaluated K8s resource name."},{"name":"EvaluatedResourceParentKind","type":"string","description":"The evaluated K8s resource's parent kind (Controlled By)."},{"name":"EvaluatedResourceParentName","type":"string","description":"The evaluated K8s resource's parent name (Controlled By)."},{"name":"EvaluatedResourceDetails","type":"dynamic","description":"The evaluated resource details."},{"name":"Namespace","type":"string","description":"The evaluated K8s resource namespace."},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) when the gating validation event was recorded."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"],"queries":["1558bfb7-2aa3-49e1-8386-f4f8509e514c"]}},{"id":"MDCDetectionK8SApiEvents","name":"MDCDetectionK8SApiEvents","tableType":"Microsoft","description":"Events from this table are collected by the detection team in 
MDC.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"AzureResourceId","type":"string","description":"The unique identifier for the Azure resource."},{"name":"Region","type":"string","description":"The Azure region where the resource is located."},{"name":"Timestamp","type":"datetime","description":"The time at which this event was captured."},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) when this API event record was generated. See Timestamp for the time the event was captured."},{"name":"K8SClusterName","type":"string","description":"The name of the K8S cluster containing the pod from where this event was captured."},{"name":"K8SNamespaceName","type":"string","description":"The namespace containing the pod from where this event was captured."},{"name":"K8SDeploymentName","type":"string","description":"The name of the deployment containing the pod from where this event was captured."},{"name":"K8SDaemonsetName","type":"string","description":"The name of the daemonset containing the pod from where this event was captured."},{"name":"K8SStatefulsetName","type":"string","description":"The name of the stateful set containing the pod from where this event was captured."},{"name":"K8SNodeName","type":"string","description":"The name of the node that has the pod from where this event was captured."},{"name":"K8SPodName","type":"string","description":"The name of the pod from where this event was captured."},{"name":"RequestId","type":"string","description":"A unique identifier that identifies the request and response events for one specific request-response pair."},{"name":"IsRequest","type":"bool","description":"Whether this event is for the request or the response. True if this event is for the request. 
False if this event is for the response."},{"name":"Method","type":"string","description":"The HTTP verb for this request."},{"name":"Url","type":"string","description":"The full url for this request. This will contain the scheme, host, port (if applicable), path, and query string. Note that query strings can carry tokens or API keys, so treat this column as potentially sensitive."},{"name":"StatusCode","type":"int","description":"The HTTP response code of the response for this request."},{"name":"Payload","type":"string","description":"A chunk of payload for the request or the response in this event. The full payload for the request and/or the response may be split into multiple chunks. Treat as sensitive: the captured request or response may carry authentication material (see ContainsAuthentication and AuthenticationTypes), so restrict access to and retention of this column accordingly."},{"name":"PayloadLength","type":"int","description":"The length of the payload chunk in this event. If there is no payload, this value will be zero."},{"name":"ChunkNum","type":"int","description":"The index of the payload chunk. Starts from zero. If the full payload is broken into chunks, this value represents which chunk is in this event."},{"name":"IsLastChunk","type":"bool","description":"Whether the payload chunk in this event is the last one or not. True if this is the last chunk; false otherwise."},{"name":"PayloadType","type":"string","description":"The value of the Content-Type header, if present."},{"name":"PayloadEncoding","type":"string","description":"The value of the Content-Encoding header, if present."},{"name":"AuthenticationTypes","type":"dynamic","description":"A list of well-known authentication mechanisms that were detected, e.g., Authorization header or API keys."},{"name":"ContainsAuthentication","type":"bool","description":"Whether a well-known authentication mechanism was detected. 
True if any authentication mechanism was detected, false otherwise."},{"name":"ClientIPs","type":"dynamic","description":"A list of client IPs extracted from the X-Forwarded-For header in the request. Note that X-Forwarded-For is supplied by the client or by intermediate proxies and can be spoofed; do not treat these values as authoritative for attribution without corroborating network evidence."},{"name":"ContainsPublicIp","type":"bool","description":"Whether one of the IPs extracted from the X-Forwarded-For header in the request is a public IP. Because the header is client-controlled, this flag is a hint rather than proof of external origin."},{"name":"Elapsed","type":"real","description":"The time in milliseconds that have elapsed between the request and the response events."},{"name":"AdditionalMetadata","type":"dynamic","description":"Metadata related to the event."},{"name":"DataPipelineMetadata","type":"dynamic","description":"Metadata related to the data processing pipeline."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"]}},{"id":"MDCDetectionProcessV2Events","name":"MDCDetectionProcessV2Events","tableType":"Microsoft","description":"K8s process events. 
This table is collected by the detection team in MDC.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"Repository","type":"string","description":"The container image repository."},{"name":"Tag","type":"string","description":"The tag of the container image."},{"name":"Digest","type":"string","description":"The SHA-256 digest of the container image."},{"name":"ContainerID","type":"string","description":"The unique identifier of the running container."},{"name":"ContainerName","type":"string","description":"The name of the container."},{"name":"Cmdline","type":"string","description":"The command-line instruction that started the container."},{"name":"Cwd","type":"string","description":"The current working directory of the container process."},{"name":"Pid","type":"string","description":"The process ID of the containerized application."},{"name":"Ppid","type":"string","description":"The parent process ID of the containerized application."},{"name":"Ses","type":"string","description":"The session ID of the container process."},{"name":"AgentId","type":"string","description":"The ID of the monitoring agent tracking the container."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the event was recorded in UTC."},{"name":"Computer","type":"string","description":"The name of the node where the container is running."},{"name":"Uid","type":"string","description":"The user ID under which the process is running."},{"name":"Gid","type":"string","description":"The group ID under which the process is running."},{"name":"Auid","type":"string","description":"The audit user ID associated with the container process."},{"name":"Comm","type":"string","description":"The name of the executed command."},{"name":"Pname","type":"string","description":"The parent process name of the containerized application."},{"name":"Exe","type":"string","description":"The path to the 
executable running inside the container."},{"name":"Success","type":"string","description":"Indicates whether the command execution was successful."},{"name":"PodName","type":"string","description":"The name of the Kubernetes pod."},{"name":"Namespace","type":"string","description":"The namespace where the Kubernetes pod is deployed."},{"name":"DriftAction","type":"string","description":"Indicates if there were any modifications in the container files."},{"name":"User","type":"string","description":"The username running the process inside the container."},{"name":"Group","type":"string","description":"The group name associated with the process."},{"name":"Memfd","type":"bool","description":"Indicates if the container has memory file descriptor (memfd) execution."},{"name":"UpperLayer","type":"bool","description":"Indicates if the container image uses an upper layer in the overlay filesystem."},{"name":"AdditionalData","type":"dynamic","description":"Additional metadata about the container event."},{"name":"PodLabels","type":"dynamic","description":"Labels associated with the Kubernetes pod."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"]}},{"id":"MDCFileIntegrityMonitoringEvents","name":"MDCFileIntegrityMonitoringEvents","tableType":"Microsoft","description":"View changes of Windows and Linux Files, as well as of software registry keys. 
Events from this table are collected by Microsoft Defender for Endpoint (MDE).","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) when the monitored entity was created, renamed, modified or deleted."},{"name":"AzureResourceId","type":"string","description":"The Azure resource ID of the resource whose monitored entity was created, renamed, modified or deleted."},{"name":"AADTenantID","type":"string","description":"The AAD tenant ID of the subscription in which the monitored entity was created, renamed, modified or deleted."},{"name":"Computer","type":"string","description":"The name of the machine on which the monitored entity was created, renamed, modified or deleted."},{"name":"CloudProvider","type":"string","description":"The cloud provider of the resource."},{"name":"CloudIdentifier","type":"string","description":"The cloud identifier of the resource."},{"name":"CloudResourceType","type":"string","description":"The type of the cloud resource."},{"name":"MonitoredEntityType","type":"string","description":"The type of the monitored entity that was created, renamed, modified or deleted. Can be either 'File' or 'Registry'."},{"name":"ChangeType","type":"string","description":"The type of change that occurred on the entity. For 'File' entity must be either 'Created', 'Modified', 'Renamed' or 'Deleted'. For 'Registry' entity must be either 'RegistryKeyCreated', 'RegistryKeyDeleted', 'RegistryValueSet', 'RegistryValueDeleted', 'RegistryKeyRenamed'."},{"name":"FileName","type":"string","description":"Relevant for 'File' monitored entity type. Holds the name of the file that was created, renamed, modified or deleted."},{"name":"FileType","type":"string","description":"Relevant for 'File' monitored entity type. Holds the type of the file that was created, renamed, modified or deleted. 
Example of possible values: Zip, PDF, Xar etc."},{"name":"FilePath","type":"string","description":"Relevant for 'File' monitored entity type. Holds the path of the file that was created, renamed, modified or deleted."},{"name":"FileSize","type":"long","description":"Relevant for 'File' monitored entity type. Holds the current size (in bytes) of the file that was created, renamed, modified or deleted."},{"name":"OriginalFileName","type":"string","description":"Relevant for 'File' monitored entity type and for a 'Rename' change type. Holds the original name the file that was renamed, before the rename occured."},{"name":"OriginalFilePath","type":"string","description":"Relevant for 'File' monitored entity type and for a 'Rename' change type. Holds the original path of the file that was renamed, before the rename occured."},{"name":"FileMd5","type":"string","description":"Relevant for 'File' monitored entity type. Holds the MD5 of the file that was modified, created or deleted."},{"name":"FileSha256","type":"string","description":"Relevant for 'File' monitored entity type. Holds the SHA256 of the file that was modified, created or deleted."},{"name":"FileSha1","type":"string","description":"Relevant for 'File' monitored entity type. Holds the SHA1 of the file that was modified, created or deleted."},{"name":"RequestAccountName","type":"string","description":"Relevant for 'File' monitored entity type. Holds the name of the account of the user that caused the file event."},{"name":"RequestAccountDomain","type":"string","description":"Relevant for 'File' monitored entity type. Holds the domain of the account of the user that caused the file event."},{"name":"RequestAccountSid","type":"string","description":"Relevant for 'File' monitored entity type. Holds the SID of the account of the user that caused the file event."},{"name":"RequestSourceIP","type":"string","description":"Relevant for 'File' monitored entity type. 
Holds the source IP of the account of the user that caused the file event. For remote file, the IP from which the request came."},{"name":"RequestSourcePort","type":"string","description":"Relevant for 'File' monitored entity type. Holds the source port of the account of the user that caused the file event. For remote file, the port from which the request came."},{"name":"RequestSource","type":"string","description":"Relevant for 'File' monitored entity type. Holds the source of the account of the user that caused the file event. For example Local/SMB/NFS."},{"name":"RegistryKey","type":"string","description":"Relevant for 'Registry' monitored entity type. Holds the full registry key of the registry that was created or the new registry key of the registry that was renamed."},{"name":"RegistryHive","type":"string","description":"Relevant for 'Registry' monitored entity type. Holds the grouping configuration settings for the operating system and applications."},{"name":"OldValueData","type":"string","description":"Relevant for 'Registry' monitored entity type. Holds the previous registry value data."},{"name":"OldValueType","type":"string","description":"Relevant for 'Registry' monitored entity type. Holds the previous registry value type."},{"name":"OldValueName","type":"string","description":"Relevant for 'Registry' monitored entity type. Holds the previous registry value name."},{"name":"OldValueFullRegistryKey","type":"string","description":"Relevant for 'Registry' monitored entity type. Holds the previous full registry key."},{"name":"NewValueData","type":"string","description":"Relevant for 'Registry' monitored entity type. Holds the New registry value data."},{"name":"NewValueType","type":"string","description":"Relevant for 'Registry' monitored entity type. Holds the New registry value type."},{"name":"NewValueName","type":"string","description":"Relevant for 'Registry' monitored entity type. 
Holds the New registry value name."},{"name":"InitiatingProcessId","type":"long","description":"Holds the process Id of the initiating process that caused the monitored entity event."},{"name":"InitiatingProcessName","type":"string","description":"Holds the name of the initiating process that caused the monitored entity event."},{"name":"InitiatingProcessCreationTime","type":"datetime","description":"Holds the creation time of the initiating process that caused the monitored entity event."},{"name":"InitiatingProcessSessionId","type":"long","description":"Holds the session Id of the initiating process that caused the monitored entity event."},{"name":"InitiatingProcessFirstSeen","type":"datetime","description":"Holds the first seen time of the initiating process that caused the monitored entity event."},{"name":"InitiatingProcessAccountSid","type":"string","description":"Holds the account SID of the initiating process that caused the monitored entity event."},{"name":"InitiatingProcessAccountDomainName","type":"string","description":"Holds the account domain name of the initiating process that caused the monitored entity event."},{"name":"InitiatingProcessAccountName","type":"string","description":"Holds the account name of the initiating process that caused the monitored entity event."},{"name":"InitiatingProcessImageFileName","type":"string","description":"Holds the image file name of the initiating process that caused the monitored entity event."},{"name":"InitiatingProcessImageFilePath","type":"string","description":"Holds the image file path of the initiating process that caused the monitored entity event."},{"name":"InitiatingProcessImageFileType","type":"string","description":"Holds the image file type of the initiating process that caused the monitored entity event."},{"name":"InitProcImageFileSizeInBytes","type":"long","description":"Holds the image file size (in Bytes) of the initiating process that caused the monitored entity 
event."},{"name":"InitProcImageCreationTimeUtc","type":"datetime","description":"Holds the image creation time for the image of the initiating process that caused the monitored entity event."},{"name":"InitProcImagePeTimestampUtc","type":"datetime","description":"Holds the image PE time for the image of the initiating process that caused the monitored entity event."},{"name":"InitProcImageLastWriteTimeUtc","type":"datetime","description":"Holds the image last write time for the image of the initiating process that caused the monitored entity event."},{"name":"InitProcImageLastAccessTimeUtc","type":"datetime","description":"Holds the image last access time for the image of the initiating process that caused the monitored entity event."},{"name":"InitProcImageLsHash","type":"string","description":"Holds the image LS hash for the image of the initiating process that caused the monitored entity event."},{"name":"InitProcImageMd5","type":"string","description":"Holds the image MD5 for the image of the initiating process that caused the monitored entity event."},{"name":"InitProcImageSha256","type":"string","description":"Holds the image SHA 256 for the image of the initiating process that caused the monitored entity event."},{"name":"InitProcImageSha1","type":"string","description":"Holds the image SHA 1 for the image of the initiating process that caused the monitored entity event."},{"name":"InitiatingProcessSource","type":"string","description":"Holds the source of the initiating process that caused the monitored entity event."},{"name":"InitProcVersionInfoCompanyName","type":"string","description":"Holds the version info company name of the initiating process that caused the monitored entity event."},{"name":"InitProcVersionInfoProductName","type":"string","description":"Holds the version info product name of the initiating process that caused the monitored entity event."},{"name":"InitProcVersionInfoProductVersion","type":"string","description":"Holds the version 
info product version of the initiating process that caused the monitored entity event."},{"name":"InitProcVersionInfoInternalFileName","type":"string","description":"Holds the version info internal file name of the initiating process that caused the monitored entity event."},{"name":"InitProcVersionInfoOriginalFileName","type":"string","description":"Holds the version info original file name of the initiating process that caused the monitored entity event."},{"name":"InitProcVersionInfoFileDescription","type":"string","description":"Holds the version info file description of the initiating process that caused the monitored entity event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"]}},{"id":"MDECustomCollectionDeviceFileEvents","name":"MDECustomCollectionDeviceFileEvents","tableType":"Microsoft","description":"This table is part of Microsoft Defender for Endpoints for the Custom Collection scenario. 
This table contains file creation, modification, and other file system events for anything explicitly requested by the customer for collection.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event."},{"name":"AdditionalFields","type":"dynamic","description":"Additional information about the entity or event."},{"name":"AppGuardContainerId","type":"string","description":"Identifier for the virtualized container used by Application Guard to isolate browser activity."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"FileName","type":"string","description":"Name of the file that the recorded action was applied to."},{"name":"FileOriginIP","type":"string","description":"IP address where the file was downloaded from."},{"name":"FileOriginReferrerUrl","type":"string","description":"URL of the web page that links to the downloaded file."},{"name":"FileOriginUrl","type":"string","description":"URL where the file was downloaded from."},{"name":"FileSize","type":"long","description":"Size of the file in bytes."},{"name":"FolderPath","type":"string","description":"Folder containing the file that the recorded action was applied to."},{"name":"InitProcessAccountDomain","type":"string","description":"Domain of the account that ran the process responsible for the event."},{"name":"InitProcessAccountName","type":"string","description":"User name of the account that ran the process responsible for the event."},{"name":"InitProcessAccountObjectId","type":"string","description":"Azure AD object ID of the user account that ran the process responsible for the event."},{"name":"InitProcessAccountSid","type":"string","description":"Security Identifier 
(SID) of the account that ran the process responsible for the event."},{"name":"InitProcessAccountUpn","type":"string","description":"User principal name (UPN) of the account that ran the process responsible for the event."},{"name":"InitProcessCommandLine","type":"string","description":"Command line used to run the process that initiated the event."},{"name":"InitProcessFileName","type":"string","description":"Name of the process that initiated the event."},{"name":"InitProcessFolderPath","type":"string","description":"Folder containing the process (image file) that initiated the event."},{"name":"InitProcessId","type":"long","description":"Process ID (PID) of the process that initiated the event."},{"name":"InitProcessIntegrityLevel","type":"string","description":"Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources."},{"name":"InitProcessMD5","type":"string","description":"MD5 hash of the process (image file) that initiated the event."},{"name":"InitProcessParentFileName","type":"string","description":"Name of the parent process that spawned the process responsible for the event."},{"name":"InitProcessParentId","type":"long","description":"Process ID (PID) of the parent process that spawned the process responsible for the event."},{"name":"InitProcessSHA1","type":"string","description":"SHA-1 hash of the process (image file) that initiated the event."},{"name":"InitProcessSHA256","type":"string","description":"SHA-256 hash of the process (image file) that initiated the event. 
This field is usually not populated; use the InitProcessSHA1 column when available (the SHA1 column refers to the target file, not the initiating process).
To identify unique events, this column must be used in conjunction with the DeviceName and TimeGenerated columns of this table.
when the process that initiated the event was started."},{"name":"InitProcessFileSize","type":"long","description":"Size in bytes of the process (image file) that initiated the event."},{"name":"InitProcessVersionInfoCompanyName","type":"string","description":"Company name from the version information of the process (image file) responsible for the event."},{"name":"InitProcessVersionInfoFileDescription","type":"string","description":"Description from the version information of the process (image file) responsible for the event."},{"name":"InitProcessVersionInfoInternalFileName","type":"string","description":"Internal file name from the version information of the process (image file) responsible for the event."},{"name":"InitProcessVersionInfoOriginalFileName","type":"string","description":"Original file name from the version information of the process (image file) responsible for the event."},{"name":"InitProcessVersionInfoProductName","type":"string","description":"Product name from the version information of the process (image file) responsible for the event."},{"name":"InitProcessVersionInfoProductVersion","type":"string","description":"Product version from the version information of the process (image file) responsible for the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["LogManagement"]}},{"id":"MDPResourceLog","name":"MDPResourceLog","tableType":"Microsoft","description":"Logs pertaining to the provisioning agent resources for a Managed DevOps Pool.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was generated."},{"name":"Location","type":"string","description":"The location of the 
Pool."},{"name":"OperationName","type":"string","description":"Type of Operation (Provisioning, Reimage, Return, etc)."},{"name":"Properties","type":"dynamic","description":"Json object containing the properties of the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.devopsinfrastructure/pools"],"solutions":["LogManagement"]}},{"id":"MNFDeviceUpdates","name":"MNFDeviceUpdates","tableType":"Microsoft","description":"Components state updates representing the status changes of ethernet ports, power supply units, fan modules, chassis and device software.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"EventName","type":"string","description":"Event name describing the update performed on Nexus network fabric devices."},{"name":"EventCategory","type":"string","description":"Event category describing the category of events on Nexus network fabric devices."},{"name":"FabricId","type":"string","description":"Fabric ID of the Nexus cluster which was generating the log."},{"name":"DeviceId","type":"string","description":"Device ID of the Nexus cluster which was generating the log."},{"name":"DeviceTime","type":"long","description":"Time when the log was generated in the Nexus cluster. 
This is in unix time format which is the number of seconds elapsed since January 1, 1970 UTC."},{"name":"Properties","type":"dynamic","description":"Properties of the log."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["network"],"resourceTypes":["microsoft.managednetworkfabric/networkdevices"],"solutions":["LogManagement"],"queries":["96c338bf-610b-4231-83b5-df264ddbf749","f789e18e-9204-43f0-9656-ae305a7c56d3","53052d78-882f-46b7-a711-69dca0f58af4","ade0fc51-681d-490d-b8f5-216b3203e419","c21d56d3-8079-46ff-b056-9d5be6505e88"]}},{"id":"MNFSystemSessionHistoryUpdates","name":"MNFSystemSessionHistoryUpdates","tableType":"Microsoft","description":"System session history update events in the Nexus network fabric devices.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"EventCategory","type":"string","description":"Event category describing the category of events on Nexus network fabric devices."},{"name":"FabricId","type":"string","description":"Fabric ID of the Nexus cluster which was generating the log."},{"name":"DeviceId","type":"string","description":"Device ID of the Nexus cluster which was generating the log."},{"name":"DeviceName","type":"string","description":"Name of the device which was generating the log."},{"name":"DiffTimeStamp","type":"long","description":"Time when the diffs were generated in the Nexus cluster. 
This is in unix time format which is the number of seconds elapsed since January 1, 1970 UTC."},{"name":"GnmiTimeStamp","type":"long","description":"Time when the log was generated in the Nexus cluster. This is in unix time format which is the number of seconds elapsed since January 1, 1970 UTC."},{"name":"SessionUpdateTimeStamp","type":"long","description":"Time when the session was updated. This is in unix time format which is the number of seconds elapsed since January 1, 1970 UTC."},{"name":"SessionUpdateSize","type":"long","description":"Size of the session update."},{"name":"SessionUpdateUser","type":"string","description":"User who updated the session."},{"name":"SessionUpdateSessionId","type":"string","description":"Session ID of the update."},{"name":"SessionDiffs","type":"string","description":"Differences in the session."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["network"],"resourceTypes":["microsoft.managednetworkfabric/networkdevices"],"solutions":["LogManagement"],"queries":["6f7d4fb8-e91c-4fa3-aa6f-c695d21e5e1a"]}},{"id":"MNFSystemStateMessageUpdates","name":"MNFSystemStateMessageUpdates","tableType":"Microsoft","description":"System state message update events in the Nexus network fabric devices.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"EventName","type":"string","description":"Event name describing the update performed 
on Nexus network fabric devices."},{"name":"EventCategory","type":"string","description":"Event category describing the category of events on Nexus network fabric devices."},{"name":"FabricId","type":"string","description":"Fabric ID of the Nexus cluster which was generating the log."},{"name":"DeviceId","type":"string","description":"Device ID of the Nexus cluster which was generating the log."},{"name":"DeviceTime","type":"long","description":"Time when the log was generated in the Nexus cluster. This is in unix time format which is the number of seconds elapsed since January 1, 1970 UTC."},{"name":"Properties","type":"dynamic","description":"Properties of the log."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["network"],"resourceTypes":["microsoft.managednetworkfabric/networkdevices"],"solutions":["LogManagement"],"queries":["a1378514-505d-453b-a0a9-44cd62cd5228"]}},{"id":"MPCIngestionLogs","name":"MPCIngestionLogs","tableType":"Microsoft","description":"Ingestion logs for Microsoft Planetary Computer Pro.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was generated."},{"name":"OperationName","type":"string","description":"The name of the operation that triggered the event."},{"name":"Category","type":"string","description":"Category of the audit log."},{"name":"Location","type":"string","description":"Location of the service sending the 
log."},{"name":"CorrelationId","type":"string","description":"Id of the request."},{"name":"Message","type":"string","description":"The message from the ingestion process."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.orbital/geocatalogs"],"solutions":["LogManagement"]}},{"id":"McasShadowItReporting","name":"McasShadowItReporting","tableType":"Microsoft","description":"McasShadowItReporting","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"TimeGenerated","type":"datetime"},{"name":"StreamName","type":"string"},{"name":"MachineName","type":"string"},{"name":"MachineId","type":"string"},{"name":"TotalEvents","type":"int"},{"name":"BlockedEvents","type":"int"},{"name":"UploadedBytes","type":"int"},{"name":"TotalBytes","type":"int"},{"name":"DownloadedBytes","type":"int"},{"name":"IpAddress","type":"string"},{"name":"UserName","type":"string"},{"name":"EnrichedUserName","type":"string"},{"name":"AppName","type":"string"},{"name":"AppId","type":"string"},{"name":"AppInstance","type":"string"},{"name":"AppCategory","type":"string"},{"name":"AppTags","type":"dynamic"},{"name":"AppScore","type":"int"},{"name":"Date","type":"datetime"},{"name":"RawUserName","type":"string"},{"name":"RichUserName","type":"string"},{"name":"AadTenantId","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"MeshControlPlane","name":"MeshControlPlane","tableType":"Microsoft","description":"Istiod logs of AppLink operations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Event generation time."},{"name":"Category","type":"string","description":"Service log category describing the service logging the message."},{"name":"Level","type":"string","description":"Level (Fatal, Error, Warning, Info, Debug) of the log message."},{"name":"Message","type":"string","description":"Log message body."},{"name":"Container","type":"string","description":"Container name emitting this audit event."},{"name":"PodName","type":"string","description":"Name of the pod emitting this audit event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","container"],"resourceTypes":["microsoft.applink/applinks/applinksmembers"],"solutions":["LogManagement"],"queries":["39ef777f-53d8-400a-9d4e-d6e6946a538f"]}},{"id":"MessageEvents","name":"MessageEvents","tableType":"Microsoft","description":"This table shows information about messages by Microsoft Defender for Office 365.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and 
time (UTC) when the record was generated."},{"name":"LastEditedTime","type":"string","description":"Date and time when the message was last edited"},{"name":"TeamsMessageId","type":"string","description":"Unique identifier for the message, as generated by Microsoft 365"},{"name":"SenderEmailAddress","type":"string","description":"Email address of the sender"},{"name":"SenderDisplayName","type":"string","description":"Name of the sender displayed in the address book, typically a combination of a first name, a middle initial, and a last name or surname"},{"name":"SenderObjectId","type":"string","description":"Unique identifier for the sender’s account"},{"name":"SenderType","type":"string","description":"Type of user that sent the message, for example, User, Group, Anonymous"},{"name":"RecipientDetails","type":"dynamic","description":"Array of recipient data (RecipientSmtpAddress, RecipientDisplayName, RecipientType, RecipientObjectId)"},{"name":"IsOwnedThread","type":"bool","description":"Boolean value indicating whether the message is owned by your organization or not (only the messages owned by your organization can be remediated)"},{"name":"MessageId","type":"string","description":"Identifier for the message (non-unique)"},{"name":"ParentMessageId","type":"string","description":"Identifier for the message that the current message was a reply to, otherwise this is the same as the MessageId"},{"name":"GroupId","type":"string","description":"Identifier for the team or group that the message was sent to"},{"name":"GroupName","type":"string","description":"Name of the team or group that the message was sent to"},{"name":"ThreadId","type":"string","description":"Identifier of the channel or chat thread that the message is part of"},{"name":"ThreadSubtype","type":"string","description":"Indicates the channel type, possible values: None, PrivateChannel"},{"name":"IsExternalThread","type":"bool","description":"Indicates if there are external recipients in the thread (1) 
or none (0)"},{"name":"MessageFormatType","type":"string","description":"Type of message format; possible values: RichText, Text"},{"name":"MessageFormatSubtype","type":"string","description":"Subtype of message format, for example, HTML"},{"name":"MessageVersion","type":"string","description":"Version number of the message"},{"name":"MessageSubject","type":"string","description":"Subject of the message, if it exists"},{"name":"ThreatTypes","type":"string","description":"Verdict from the filtering stack on whether the message contains malware, phishing, or other threats"},{"name":"DetectionMethods","type":"dynamic","description":"Methods used to detect malware, phishing, or other threats found in the message"},{"name":"ConfidenceLevel","type":"dynamic","description":"List of confidence levels for each threat type identified"},{"name":"DeliveryAction","type":"string","description":"Delivery action of the message: Delivered, Blocked"},{"name":"DeliveryLocation","type":"string","description":"Location of the message at the time of delivery"},{"name":"ReportId","type":"string","description":"Unique identifier for the event"},{"name":"SafetyTip","type":"string","description":"The safety tip that has been added on a message, if any"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"MessagePostDeliveryEvents","name":"MessagePostDeliveryEvents","tableType":"Microsoft","description":"This table shows information about messages by Microsoft Defender for Office 365.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was 
generated."},{"name":"TeamsMessageId","type":"string","description":"Unique identifier for the message, as generated by Microsoft 365"},{"name":"Action","type":"string","description":"Action taken on the message: Blocked, Moved to quarantine"},{"name":"ActionType","type":"string","description":"Type of activity that triggered the event: Manual remediation, Phish ZAP, Malware ZAP"},{"name":"ActionTrigger","type":"string","description":"Indicates whether an action was triggered by an administrator (manually or through approval of a pending automated action), or by some special mechanism, such as a ZAP or Dynamic Delivery"},{"name":"ActionResult","type":"string","description":"Result of the action"},{"name":"SenderEmailAddress","type":"string","description":"Email address of the sender"},{"name":"RecipientDetails","type":"dynamic","description":"Array of recipient data (RecipientSmtpAddress, RecipientDisplayName, RecipientType, RecipientObjectId)"},{"name":"ThreatTypes","type":"string","description":"Verdict from the filtering stack on whether the message contains malware, phishing, or other threats"},{"name":"ConfidenceLevel","type":"dynamic","description":"List of confidence levels for each threat type identified"},{"name":"DetectionMethods","type":"string","description":"Methods used to detect malware, phishing, or other threats found in the message"},{"name":"LatestDeliveryLocation","type":"string","description":"Last known location of the message"},{"name":"ReportId","type":"string","description":"Unique identifier for the event"},{"name":"IsExternalThread","type":"bool","description":"Indicates if there are external recipients in the thread (1) or none (0)"},{"name":"SafetyTip","type":"string","description":"The safety tip that has been added on a message, if any"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"MessageUrlInfo","name":"MessageUrlInfo","tableType":"Microsoft","description":"This table shows information about messages by Microsoft Defender for Office 365.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated."},{"name":"TeamsMessageId","type":"string","description":"Unique identifier for the message, as generated by Microsoft 365"},{"name":"Url","type":"string","description":"URL from message"},{"name":"UrlDomain","type":"string","description":"Domain name or host name of the URL"},{"name":"ThreatTypes","type":"string","description":"Verdict from the filtering stack on whether the message contains malware, phishing, or other threats"},{"name":"ReportId","type":"string","description":"Unique identifier for the event"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"MicrosoftAzureBastionAuditLogs","name":"MicrosoftAzureBastionAuditLogs","tableType":"Microsoft","description":"Microsoft Azure Bastion Audit Logs","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"TimeGenerated","type":"datetime"},{"name":"Time","type":"datetime","description":"The timestamp (UTC) of the log"},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event"},{"name":"Location","type":"string","description":"The location of the server that processed the request (e.g., South Central 
US)."},{"name":"UserAgent","type":"string","description":"Browser User Agent with which the request was sent"},{"name":"UserName","type":"string","description":"UserName that was used to log into the VirtualMachine from Bastion"},{"name":"ClientIpAddress","type":"string","description":"Browser IP Address that was used to log into the VirtualMachine from Bastion"},{"name":"ClientPort","type":"int","description":"Browser Port Number that was used to log into the VirtualMachine from Bastion"},{"name":"Protocol","type":"string","description":"Protocol (could be ssh or rdp) that was used to log into the VirtualMachine from Bastion"},{"name":"ResourceType","type":"string","description":"Resource Type that was accessed during the session. This could be a VM/VMSS/BSL/etc."},{"name":"TargetResourceId","type":"string","description":"ResourceID of the VirtualMachine where the Bastion was connected to"},{"name":"Message","type":"string","description":"Additional text that's associated with this event"},{"name":"TargetVMIPAddress","type":"string","description":"IP Address of VirtualMachine where the Bastion was connected to"},{"name":"UserEmail","type":"string","description":"UserEmail account that was used to log into the VirtualMachine"},{"name":"TunnelId","type":"string","description":"Internal Bastion Connection GUID"},{"name":"SessionStartTime","type":"datetime","description":"Timestamp (UTC) of when the Bastion Session was started"},{"name":"SessionEndTime","type":"string","description":"Timestamp (UTC) of when the Bastion Session was ended"},{"name":"Duration","type":"int","description":"Duration in milliseconds that the Bastion Session lasted (available only when the Bastion Session ended)"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.network/bastionhosts"]}},{"id":"MicrosoftDataShareReceivedSnapshotLog","name":"MicrosoftDataShareReceivedSnapshotLog","tableType":"Microsoft","description":"Data Share consumer side synchronization logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) when the event is generated"},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event","isPreferredFacet":true},{"name":"Category","type":"string","description":"The name of the log that this event belongs to","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"CorrelationId of the event; this can be used as a reference to join with other tables"},{"name":"DetailMessage","type":"string","description":"This shows the event details. 
Can be empty if synchronization is not finished","isPreferredFacet":true},{"name":"StartTime","type":"string","description":"Datashare synchronization start time","isPreferredFacet":true},{"name":"EndTime","type":"string","description":"Datashare synchronization end time, can be empty if the job is not finished","isPreferredFacet":true},{"name":"Status","type":"string","description":"Synchronization status, can be inprogress/succeed/failed","isPreferredFacet":true},{"name":"TriggerType","type":"string","description":"Indicating whether the trigger is an on-demand trigger or a manual trigger","isPreferredFacet":true},{"name":"DataSetMappingType","type":"string","description":"Indicating the dataSetMapping type, this can be Blob/container/blobfolder,etc","isPreferredFacet":true},{"name":"DataSetType","type":"string","description":"Indicating the dataSet type, this can be Blob/container/blobfolder,etc","isPreferredFacet":true},{"name":"DataSetName","type":"string","description":"Name of provider source dataset","isPreferredFacet":true},{"name":"FilesWritten","type":"string","description":"Number of files written into sink","isPreferredFacet":true},{"name":"FilesRead","type":"string","description":"Number of files read from source","isPreferredFacet":true},{"name":"SizeWritten","type":"string","description":"Size of files written into sink in bytes","isPreferredFacet":true},{"name":"SizeRead","type":"string","description":"Size of files read from source","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.datashare/accounts"]}},{"id":"MicrosoftDataShareSentSnapshotLog","name":"MicrosoftDataShareSentSnapshotLog","tableType":"Microsoft","description":"Data Share provider side synchronization logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) when the event is generated"},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event","isPreferredFacet":true},{"name":"Category","type":"string","description":"The name of the log that this event belongs to","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"CorrelationId of the event; this can be used as a reference to join with other tables"},{"name":"DetailMessage","type":"string","description":"This shows the event details. Can be empty if synchronization is not finished","isPreferredFacet":true},{"name":"StartTime","type":"string","description":"Datashare synchronization start time","isPreferredFacet":true},{"name":"EndTime","type":"string","description":"Datashare synchronization end time, can be empty if the job is not finished","isPreferredFacet":true},{"name":"Status","type":"string","description":"Synchronization status, can be inprogress/succeed/failed","isPreferredFacet":true},{"name":"TriggerType","type":"string","description":"Indicating whether the trigger is an on-demand trigger or a manual trigger","isPreferredFacet":true},{"name":"DataSetMappingType","type":"string","description":"Indicating the dataSetMapping type, this can be Blob/container/blobfolder,etc","isPreferredFacet":true},{"name":"DataSetType","type":"string","description":"Indicating the dataSet type, this can be Blob/container/blobfolder,etc","isPreferredFacet":true},{"name":"DataSetName","type":"string","description":"Name of provider source 
dataset","isPreferredFacet":true},{"name":"FilesWritten","type":"string","description":"Number of files written into sink ","isPreferredFacet":true},{"name":"FilesRead","type":"string","description":"Number of files read from source","isPreferredFacet":true},{"name":"SizeWritten","type":"string","description":"Size of files into sink in bytes","isPreferredFacet":true},{"name":"SizeRead","type":"string","description":"Size of files read from source","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.datashare/accounts"]}},{"id":"MicrosoftDataShareShareLog","name":"MicrosoftDataShareShareLog","tableType":"Microsoft","description":"Microsoft Data Share Share Log","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log"},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event"},{"name":"Category","type":"string","description":"The name of the log that belongs to"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the 
record is associated with"}],"related":{"solutions":["LogManagement"]}},{"id":"MicrosoftGraphActivityLogs","name":"MicrosoftGraphActivityLogs","tableType":"Microsoft","description":"Microsoft Graph Activity Logs provide details of API requests made to Microsoft Graph for resources in the tenant.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time the request was received."},{"name":"Location","type":"string","description":"The name of the region that served the request."},{"name":"RequestId","type":"string","description":"The identifier representing the request."},{"name":"OperationId","type":"string","description":"The identifier for the batch. For non-batched requests, this will be unique per request. For batched requests, this will be the same for all requests in the batch."},{"name":"ClientRequestId","type":"string","description":"Optional. The client request identifier when sent. 
If no client request identifier is sent, the value will be equal to the operation identifier."},{"name":"ApiVersion","type":"string","description":"The API version of the event."},{"name":"RequestMethod","type":"string","description":"The HTTP method of the event."},{"name":"ResponseStatusCode","type":"int","description":"The HTTP response status code for the event."},{"name":"AadTenantId","type":"string","description":"The Azure AD tenant ID."},{"name":"IPAddress","type":"string","description":"The IP address of the client from where the request occurred."},{"name":"UserAgent","type":"string","description":"The user agent information related to the request."},{"name":"RequestUri","type":"string","description":"The URI of the request."},{"name":"DurationMs","type":"int","description":"The duration of the request in milliseconds."},{"name":"ResponseSizeBytes","type":"int","description":"The size of the response in bytes."},{"name":"SignInActivityId","type":"string","description":"The identifier representing the sign-in activity."},{"name":"Roles","type":"string","description":"The roles in token claims."},{"name":"SessionId","type":"string","description":"The unique identifier for the authentication session."},{"name":"DeviceId","type":"string","description":"The identifier of the device from which the authentication request originated."},{"name":"UniqueTokenId","type":"string","description":"The unique token identifier of the API call used to make the audited change."},{"name":"TokenIssuedAt","type":"datetime","description":"The timestamp the token was issued at."},{"name":"AppId","type":"string","description":"The identifier for the application."},{"name":"UserId","type":"string","description":"The identifier of the user making the request."},{"name":"ServicePrincipalId","type":"string","description":"The identifier of the servicePrincipal making the request."},{"name":"Scopes","type":"string","description":"The scopes in token 
claims."},{"name":"IdentityProvider","type":"string","description":"The identity provider that authenticated the subject of the token."},{"name":"ClientAuthMethod","type":"int","description":"Indicates how the client was authenticated. For a public client, the value is 0. If client ID and client secret are used, the value is 1. If a client certificate was used for authentication, the value is 2."},{"name":"Wids","type":"string","description":"Denotes the tenant-wide roles assigned to this user."},{"name":"ATContent","type":"string","description":"Reserved for future use."},{"name":"ATContentH","type":"string","description":"Reserved for future use."},{"name":"ATContentP","type":"string","description":"Reserved for future use."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["audit","security"],"solutions":["LogManagement"],"queries":["a697d547-302a-4092-a3ad-b3cb8e43c204","a697d547-302a-4092-a3ad-b3cb8e43c205"]}},{"id":"MicrosoftGraphPolicyLogs","name":"MicrosoftGraphPolicyLogs","tableType":"Microsoft","description":"Microsoft Graph Policy Logs provide details of resource policy evaluations from Microsoft Graph, including whether policies were applied, denied, or audited for API requests.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time (UTC) when the policy evaluation occurred."},{"name":"Location","type":"string","description":"The Azure data center region that served the request (e.g., westus2, eastus2, northeurope)."},{"name":"RequestId","type":"string","description":"Unique identifier for this request. For $batch child requests, each child gets a unique ID. 
Aligns with ActivityEvent RequestId."},{"name":"OperationId","type":"string","description":"Correlation ID for the parent operation. For non-batch requests, equals RequestId. For $batch children, all share the parent request ID. Aligns with ActivityEvent OperationId."},{"name":"ClientRequestId","type":"string","description":"The optional client-provided correlation ID from the client-request-id header."},{"name":"RequestMethod","type":"string","description":"The HTTP method of the request: GET, POST, PATCH, or DELETE."},{"name":"ApiVersion","type":"string","description":"The Microsoft Graph API version used for the request: v1.0 or beta."},{"name":"RequestUri","type":"string","description":"The full Microsoft Graph request URI including path and query parameters."},{"name":"AadTenantId","type":"string","description":"The Microsoft Entra tenant ID of the organization owning the resource."},{"name":"TenantRegionScope","type":"string","description":"The region scope of the tenant (e.g., NA, EU, AS, AF, OC)."},{"name":"AppId","type":"string","description":"The application (client) ID of the Microsoft Entra app registration making the request."},{"name":"UserId","type":"string","description":"The object ID of the user for delegated (user + app) calls. Empty for app-only calls."},{"name":"ServicePrincipalId","type":"string","description":"The object ID of the service principal for app-only calls. Empty for delegated calls."},{"name":"TargetResourceName","type":"string","description":"Resource type short name for CRUD (e.g., user, application); bound action as bindingType/action (e.g., application/addKey). Presence of '/' distinguishes actions from resources."},{"name":"TargetResourceId","type":"string","description":"The identifier of the target resource extracted from the request URI key segment. 
A single value for primary keys (e.g., a GUID), or comma-separated key=value pairs for alternate or compound keys."},{"name":"PolicyDecision","type":"string","description":"High-level outcome of policy evaluation: deny (blocked), audit (non-compliant but allowed — what-if/dry-run), or compliant (no violations or no applicable policies)."},{"name":"PolicyDetailsCount","type":"int","description":"Total number of policy assignments evaluated. This reflects the original count before any truncation of PolicyDetails."},{"name":"ApplicablePoliciesCount","type":"int","description":"Number of policy assignments that were applicable to this specific request. Compare with PolicyDetailsCount (total matching assignments) to understand policy coverage."},{"name":"DenyPoliciesCount","type":"int","description":"Number of applicable policy assignments that triggered a deny effect."},{"name":"AuditPoliciesCount","type":"int","description":"Number of applicable policy assignments that triggered an audit effect."},{"name":"ErrorPoliciesCount","type":"int","description":"Number of policy assignments that encountered an error during evaluation, applicability check, or policy loading."},{"name":"TotalPolicyEvaluationDurationMs","type":"real","description":"Total time in milliseconds spent evaluating all applicable policies for this request, including applicability checks and effect evaluations."},{"name":"PolicyDetails","type":"dynamic","description":"Full array of individual policy evaluation results, sorted by effect priority (deny first, then audit, then compliant). Each entry includes assignmentUniqueName, assignedPolicyDisplayName, appliedPolicyEffects, evaluationError, policyVersion, isCompliant, and isApplicable. 
May be truncated if the serialized array exceeds 16 KB."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["audit","security"],"solutions":["LogManagement"]}},{"id":"MicrosoftHealthcareApisAuditLogs","name":"MicrosoftHealthcareApisAuditLogs","tableType":"Microsoft","description":"Azure API for FHIR audit logs","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log."},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event."},{"name":"CorrelationId","type":"string","description":"The correlation id of the request."},{"name":"RequestUri","type":"string","description":"The URI of the request."},{"name":"FhirResourceType","type":"string","description":"The resource type the operation was executed for."},{"name":"StatusCode","type":"int","description":"The HTTP status code."},{"name":"ResultType","type":"string","description":"The result type."},{"name":"OperationDuration","type":"int","description":"The duration of the operation in ms."},{"name":"LogCategory","type":"string","description":"The audit event category."},{"name":"CallerIPAddress","type":"string","description":"The IP address of the caller."},{"name":"CallerIdentityIssuer","type":"string","description":"The JWT token issuer."},{"name":"CallerIdentityObjectId","type":"string","description":"The AAD object ID."},{"name":"CallerIdentity","type":"dynamic","description":"The caller's identity."},{"name":"Location","type":"string","description":"The location of the server that processed the request (e.g., South Central US)."},{"name":"Properties","type":"dynamic","description":"Additional 
properties."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"solutions":["LogManagement"],"resourceTypes":["microsoft.healthcareapis/services"]}},{"id":"MicrosoftPurviewInformationProtection","name":"MicrosoftPurviewInformationProtection","tableType":"Microsoft","description":"Microsoft Purview Information Protection audit logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"Id","type":"string","description":"Unique identifier of an audit record."},{"name":"RecordType","type":"int","description":"The type of operation indicated by the record."},{"name":"RecordTypeName","type":"string","description":"The record type name."},{"name":"TimeGenerated","type":"datetime","description":"The date and time when the user performed the activity."},{"name":"Operation","type":"string","description":"The name of the user or admin activity."},{"name":"OrganizationId","type":"string","description":"The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."},{"name":"UserType","type":"string","description":"The type of user that performed the operation."},{"name":"UserKey","type":"string","description":"An alternative ID for the user identified in the UserId property. 
This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange."},{"name":"Workload","type":"string","description":"The Office 365 service where the activity occurred."},{"name":"ResultStatus","type":"string","description":"Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False."},{"name":"ObjectId","type":"string","description":"For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet."},{"name":"UserId","type":"string","description":"The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged."},{"name":"ClientIP","type":"string","description":"The IP address of the device that was used when the activity was logged. 
The IP address is displayed in either an IPv4 or IPv6 address format."},{"name":"Scope","type":"string","description":"Whether this event was created by a hosted O365 service or an on-premises server."},{"name":"AppAccessContext","type":"dynamic","description":"The application context for the user or service principal that performed the action."},{"name":"Application","type":"string","description":"The application where the activity happened."},{"name":"Platform","type":"string","description":"The platform on which the activity happened."},{"name":"DeviceName","type":"string","description":"The device on which the activity happened."},{"name":"EmailInfo","type":"dynamic","description":"The information required when the internalTarget is an email."},{"name":"CurrentProtectionTypeName","type":"string","description":"The type of protection applied."},{"name":"PreviousProtectionTypeName","type":"string","description":"Previous protection type."},{"name":"ContentType","type":"string","description":"Content type."},{"name":"TargetLocation","type":"string","description":"The location of the document with respect to the user's device."},{"name":"IrmContentId","type":"string","description":"The unique ID used for identifying the encrypted document after the operation is complete."},{"name":"SensitivityLabelId","type":"string","description":"The identifier for the sensitivity label recommended, as per the policy that was matched based on the contents of the document."},{"name":"SensitivityLabelOwnerEmail","type":"string","description":"The email address of the owner of the sensitivity label."},{"name":"OldSensitivityLabelId","type":"string","description":"The identifier of the sensitivity label previously applied to the document before the operation to change/remove the label was triggered."},{"name":"OldSensitivityLabelOwnerEmail","type":"string","description":"The email address of the owner of the old sensitivity 
label."},{"name":"SensitivityLabelPolicyId","type":"string","description":"The identifier for the sensitivity labeling policy that was matched based on the content of the document."},{"name":"LabelEventType","type":"string","description":"The label operation."},{"name":"ActionSource","type":"string","description":"The source of the label action."},{"name":"ActionSourceDetail","type":"string","description":"More details about the source of the label action."},{"name":"JustificationText","type":"string","description":"The justification to be provided, when configured by the admin in the sensitivity label policy, only when the sensitivity label is downgraded or removed by the user."},{"name":"SensitiveInfoTypeData","type":"dynamic","description":"Azure Information Protection - sensitive information types."},{"name":"ProtectionEventData","type":"dynamic","description":"Azure Information Protection - protection event data."},{"name":"Common","type":"dynamic","description":"Azure Information Protection - common event data."},{"name":"DataState","type":"string","description":"Azure Information Protection - data state."},{"name":"ProtectionEventTypeName","type":"string","description":"Protection event type name."},{"name":"Sender","type":"string","description":"The email address of the sender."},{"name":"Receivers","type":"dynamic","description":"The email addresses of the receivers."},{"name":"ItemName","type":"string","description":"The item name."},{"name":"LabelName","type":"string","description":"The label name applied to the item."},{"name":"LabelAction","type":"string","description":"The action applied by the label."},{"name":"LabelAppliedDateTime","type":"datetime","description":"The date and time the label was applied."},{"name":"ApplicationMode","type":"string","description":"The label application mode, how the label was applied."},{"name":"ExchangeMetaData","type":"dynamic","description":"Exchange auto labeling 
metadata."},{"name":"ConditionMatch","type":"dynamic","description":"The condition match that triggered the auto labeling."},{"name":"RuleActions","type":"dynamic","description":"Actions defined by the rules."},{"name":"WorkLoadItemId","type":"string","description":"The workload item id."},{"name":"OverriddenActions","type":"dynamic","description":"Actions that were overridden by the rule actions."},{"name":"SensitiveInfoDetectionIsIncluded","type":"bool","description":"Determines if sensitive info detection is included."},{"name":"IsViewableByExternalUsers","type":"bool","description":"Is viewable by external users."},{"name":"OverRideType","type":"string","description":"Override type."},{"name":"ItemCreationTime","type":"datetime","description":"The date and time the item was created."},{"name":"ItemLastModifiedTime","type":"datetime","description":"The date and time the item was last modified."},{"name":"ItemSize","type":"string","description":"The item size."},{"name":"OverRideReason","type":"string","description":"The reason the sensitivity label was overridden."},{"name":"CorrelationId","type":"string","description":"Correlation ID."},{"name":"ScopedLocationId","type":"string","description":"The address that triggered the policy match."},{"name":"MachineName","type":"string","description":"The machine name."},{"name":"PolicyId","type":"string","description":"Policy ID."},{"name":"PolicyName","type":"string","description":"Policy name."},{"name":"PolicyVersion","type":"string","description":"Policy version."},{"name":"ExecutionRuleId","type":"string","description":"The ID of the rule that was executed."},{"name":"ExecutionRuleName","type":"string","description":"The name of the rule that was executed."},{"name":"ExecutionRuleVersion","type":"string","description":"The version of the rule that was executed."},{"name":"RuleMode","type":"string","description":"The current mode of the rule."},{"name":"Severity","type":"string","description":"The severity of the 
auto label policy match."},{"name":"LabelVersion","type":"string","description":"The label version applied by the auto labeling policy."},{"name":"MgtRuleId","type":"string","description":"Management rule ID."},{"name":"SharePointMetaData","type":"dynamic","description":"SharePoint auto labeling metadata."},{"name":"CurrentProtectionType","type":"dynamic","description":"Current protection event information."},{"name":"PreviousProtectionType","type":"dynamic","description":"Previous protection event information."},{"name":"SensitivityLabelEventFailureData","type":"dynamic","description":"Sensitivity Label Event Failure Data"},{"name":"AutoSensitivityLabelPolicyInfo","type":"dynamic","description":"Auto Sensitivity Label Policy Info"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","audit"],"solutions":["SecurityInsights"],"queries":["4e7a449a-ae3f-4100-9598-197f4a43abc1"]}},{"id":"MicrosoftServicePrincipalSignInLogs","name":"MicrosoftServicePrincipalSignInLogs","tableType":"Microsoft","description":"Microsoft applications' service principal sign-in logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"AppId","type":"string","description":"Unique GUID representing the app ID in Entra ID."},{"name":"AppOwnerTenantId","type":"string","description":"The tenant identifier of the owner of the application in Entra ID."},{"name":"Category","type":"string","description":"Category of the sign-in event"},{"name":"CorrelationId","type":"string","description":"ID to provide sign-in trail"},{"name":"CreatedDateTime","type":"datetime","description":"Datetime of the sign-in activity."},{"name":"DurationMs","type":"long","description":"The duration of the operation in 
milliseconds"},{"name":"OperationName","type":"string","description":"For sign-ins, this value is always Sign-in activity"},{"name":"OperationVersion","type":"string","description":"The REST API version that's requested by the client"},{"name":"ResourceDisplayName","type":"string","description":"Name of the resource that was authenticated to"},{"name":"ResourceGroup","type":"string","description":"Resource group for the logs"},{"name":"ResourceIdentity","type":"string","description":"ID of the resource that was authenticated to"},{"name":"ResourceOwnerTenantId","type":"string","description":"The tenant ID of the owner of the resource being authenticated to"},{"name":"ResourceServicePrincipalId","type":"string","description":"Service Principal Id of the resource"},{"name":"ResultSignature","type":"string","description":"The result of the sign-in. Can be either success or failure"},{"name":"ServicePrincipalCredentialKeyId","type":"string","description":"Key id of the service principal that initiated the sign-in"},{"name":"ServicePrincipalCredentialThumbprint","type":"string","description":"Thumbprint of the service principal that initiated the sign-in"},{"name":"ServicePrincipalId","type":"string","description":"ID of the service principal who initiated the sign-in"},{"name":"ServicePrincipalName","type":"string","description":"Service Principal Name of the service principal who initiated the sign-in"},{"name":"SourceSystem","type":"string","description":"Details of source system of the object being provisioned"},{"name":"Type","type":"string","description":"For sign-ins, this value is always MicrosoftServicePrincipalSignInLogs"},{"name":"TimeGenerated","type":"datetime","description":"The date and time of the event in UTC"},{"name":"UniqueTokenIdentifier","type":"string","description":"Unique token identifier for the 
request"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["audit","security"],"solutions":["LogManagement"]}},{"id":"MySqlAuditLogs","name":"MySqlAuditLogs","tableType":"Microsoft","description":"Audit Logs for Azure Database for MySQL Flexible Servers.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"EventClass","type":"string","description":"Class of the log event."},{"name":"EventSubclass","type":"string","description":"Subclass of the log event."},{"name":"ConnectionId","type":"string","description":"Unique connection ID generated by MySQL."},{"name":"EventTime","type":"datetime","description":"Query start time in UTC timestamp."},{"name":"ErrorCode","type":"int","description":"Error code if query failed. 0 means no error."},{"name":"ThreadId","type":"int","description":"ID of thread that executed the query"},{"name":"Host","type":"string","description":"Host name of client connecting to MySQL."},{"name":"Ip","type":"string","description":"IP address of client connecting to MySQL."},{"name":"User","type":"string","description":"Name of user executing the query."},{"name":"Db","type":"string","description":"Name of database accessed."},{"name":"Table","type":"string","description":"Name of table accessed."},{"name":"SqlText","type":"string","description":"Full query text."},{"name":"Status","type":"int","description":"Status of connection."},{"name":"Category","type":"string","description":"Category of log."},{"name":"IsAadAuth","type":"string","description":"Whether the connection used AAD authentication."},{"name":"ReplicationSetRole","type":"string","description":"Replication set role of MySQL flexible server."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.dbformysql/flexibleservers"],"solutions":["LogManagement"],"queries":["09097f08-6a4b-4747-a251-21dd4237d99a","4fec14fe-d662-4b6f-a3a6-4a6bfcfe55cb"]}},{"id":"MySqlSlowLogs","name":"MySqlSlowLogs","tableType":"Microsoft","description":"Slow query Logs for Azure Database for MySQL Flexible Servers.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"StartTime","type":"datetime","description":"Query start time in UTC timestamp."},{"name":"QueryDurationMs","type":"long","description":"Total time in milliseconds the query took to execute."},{"name":"LockDurationMs","type":"long","description":"Total time in milliseconds the query was locked."},{"name":"Host","type":"string","description":"Host name of client connecting to MySQL."},{"name":"RowsSent","type":"int","description":"Number of rows sent."},{"name":"RowsExamined","type":"int","description":"Number of rows examined."},{"name":"LastInsertId","type":"int","description":"The first automatically generated value successfully inserted for an AUTO_INCREMENT column as a result of the most recently executed INSERT statement."},{"name":"InsertId","type":"int","description":"The insert ID."},{"name":"SqlText","type":"string","description":"Full query text."},{"name":"ServerId","type":"int","description":"ID of the MySQL flexible server."},{"name":"ThreadId","type":"int","description":"ID of thread that executed 
the query."},{"name":"Db","type":"string","description":"Name of database accessed."},{"name":"Category","type":"string","description":"Category of log."},{"name":"EventClass","type":"string","description":"Class of the log event."},{"name":"ReplicationSetRole","type":"string","description":"Replication set role of MySQL flexible server."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.dbformysql/flexibleservers"],"solutions":["LogManagement"],"queries":["83c3b089-8510-4925-8614-f7f36a04af0b"]}},{"id":"NCBMBreakGlassAuditLogs","name":"NCBMBreakGlassAuditLogs","tableType":"Microsoft","description":"Security log events on Nexus Baremetal Machines to monitor and detect user access to the system.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"Node","type":"string","description":"Host name of the Baremetal Machine."},{"name":"Mode","type":"string","description":"Mode of the operation by the user."},{"name":"ProcessId","type":"int","description":"ID of the process emitting the log."},{"name":"User","type":"string","description":"User accessing the system."},{"name":"Message","type":"string","description":"The message parsed from the log on user access."},{"name":"Log","type":"string","description":"The log message generated by the system during user 
access."},{"name":"Location","type":"string","description":"Location of the Nexus Baremetal machine."},{"name":"ClusterManagerName","type":"string","description":"Name of the ClusterManager managing the Nexus cluster."},{"name":"ClusterName","type":"string","description":"Name of the on-prem Nexus cluster."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","security"],"resourceTypes":["microsoft.networkcloud/baremetalmachines"],"solutions":["LogManagement"]}},{"id":"NCBMSecurityDefenderLogs","name":"NCBMSecurityDefenderLogs","tableType":"Microsoft","description":"Security log events on Nexus Baremetal Machines to monitor and detect user access to the system.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"ContainerName","type":"string","description":"Name of the container generating the log for the Nexus cluster."},{"name":"NamespaceName","type":"string","description":"Namespace where the pod is running in the Nexus cluster."},{"name":"Node","type":"string","description":"Host name of the Baremetal Machine."},{"name":"PodName","type":"string","description":"Pod name generating the log in the Nexus cluster."},{"name":"ComponentName","type":"string","description":"Name of the defender component managing the Nexus cluster."},{"name":"ComponentVersion","type":"string","description":"Version of the defender component managing the Nexus 
cluster."},{"name":"Message","type":"string","description":"Syslog message generated by the Baremetal machine."},{"name":"Severity","type":"string","description":"Severity of the log record. E.g. Info, Warning, Critical, Error, Notice, Debug."},{"name":"Location","type":"string","description":"Location of the Nexus Baremetal machine."},{"name":"LogType","type":"string","description":"Type of defender log E.g. Trace, Heartbeat."},{"name":"ClusterManagerName","type":"string","description":"Name of the ClusterManager managing the Nexus cluster."},{"name":"ClusterName","type":"string","description":"Name of the on-prem Nexus cluster."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","security"],"resourceTypes":["microsoft.networkcloud/baremetalmachines"],"solutions":["LogManagement"]}},{"id":"NCBMSecurityLogs","name":"NCBMSecurityLogs","tableType":"Microsoft","description":"Security log events on Nexus Baremetal Machines to monitor and detect user access to the system.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"Node","type":"string","description":"Host name of the Baremetal Machine."},{"name":"ProcessName","type":"string","description":"Identification of the process generating the log."},{"name":"ProcessId","type":"int","description":"ID of the process emitting the log."},{"name":"Message","type":"string","description":"Syslog message 
generated by the Baremetal machine."},{"name":"Facility","type":"string","description":"Log facility type. E.g. daemon, kern, syslog, user."},{"name":"Severity","type":"string","description":"Severity of the log record. E.g. Info, Warning, Critical, Error, Notice, Debug."},{"name":"Location","type":"string","description":"Location of the Nexus Baremetal machine."},{"name":"ClusterManagerName","type":"string","description":"Name of the ClusterManager managing the Nexus cluster."},{"name":"ClusterName","type":"string","description":"Name of the on-prem Nexus cluster."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","security"],"resourceTypes":["microsoft.networkcloud/baremetalmachines"],"solutions":["LogManagement"]}},{"id":"NCBMSystemLogs","name":"NCBMSystemLogs","tableType":"Microsoft","description":"Syslog events on Nexus Baremetal Machines providing critical insights into system activities, errors and anomalies for efficient troubleshooting and monitoring.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"Node","type":"string","description":"Host name of the Baremetal Machine."},{"name":"ProcessName","type":"string","description":"Identification of the process generating the log."},{"name":"ProcessId","type":"int","description":"ID of the process emitting the log."},{"name":"Message","type":"string","description":"Syslog message generated 
by the Baremetal machine."},{"name":"Facility","type":"string","description":"Log facility type. E.g. daemon, kern, syslog, user."},{"name":"Severity","type":"string","description":"Severity of the log record. E.g. Info, Warning, Critical, Error, Notice, Debug."},{"name":"Location","type":"string","description":"Location of the Nexus Baremetal machine."},{"name":"ClusterManagerName","type":"string","description":"Name of the ClusterManager managing the Nexus cluster."},{"name":"ClusterName","type":"string","description":"Name of the on-prem Nexus cluster."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.networkcloud/baremetalmachines"],"solutions":["LogManagement"]}},{"id":"NCCIDRACLogs","name":"NCCIDRACLogs","tableType":"Microsoft","description":"Logs from IDRAC containers of Nexus clusters to gain insight for any hardware failure.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"Node","type":"string","description":"Node name of the Nexus cluster which is generating the log."},{"name":"ContainerName","type":"string","description":"Name of the container generating the log for the Nexus cluster."},{"name":"PodName","type":"string","description":"Pod name generating the log in the Nexus cluster."},{"name":"NamespaceName","type":"string","description":"Namespace where the pod is running in the Nexus 
cluster."},{"name":"Message","type":"string","description":"Message generated by the kubernetes containers running on Nexus cluster."},{"name":"Severity","type":"string","description":"Severity of the log record. E.g. Info, Warning, Critical, Error, Notice, Debug."},{"name":"Location","type":"string","description":"Location of the Nexus cluster."},{"name":"ClusterManagerName","type":"string","description":"Name of the ClusterManager managing the Nexus cluster."},{"name":"ClusterName","type":"string","description":"Name of the On-prem Nexus cluster."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.networkcloud/clusters"],"solutions":["LogManagement"]}},{"id":"NCCKubernetesAPIAuditLogs","name":"NCCKubernetesAPIAuditLogs","tableType":"Microsoft","description":"Kubernetes API audit logs from Nexus clusters to track all the requests made.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the audit stage was completed."},{"name":"AuditId","type":"string","description":"Unique identifier for each audit event."},{"name":"Stage","type":"string","description":"Stage of the request."},{"name":"RequestReceivedTimestamp","type":"datetime","description":"Timestamp (UTC) when the API request was received."},{"name":"Verb","type":"string","description":"Kubernetes API verb associated with the request."},{"name":"RequestUri","type":"string","description":"Request 
URI as sent by the client to the Kubernetes API server."},{"name":"ResponseStatusCode","type":"int","description":"HTTP response status code returned by the API server."},{"name":"User","type":"string","description":"Authenticated user information."},{"name":"SourceIps","type":"string","description":"Source IP addresses from which the request originated."},{"name":"UserAgent","type":"string","description":"User agent string of the client making the request."},{"name":"ObjectRef","type":"string","description":"Reference to the Kubernetes object being accessed."},{"name":"Location","type":"string","description":"Azure region where the Nexus cluster is deployed."},{"name":"ClusterName","type":"string","description":"Name of the On-prem Nexus cluster."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.networkcloud/clusters"],"solutions":["LogManagement"],"queries":["b2f5e8a1-4c3d-4e6f-9a7b-1c2d3e4f5a6b","c3a6f9b2-5d4e-4f7a-8b9c-2d3e4f5a6b7c","d4b7a0c3-6e5f-4a8b-9c0d-3e4f5a6b7c8d","e5c8b1d4-7f6a-4b9c-0d1e-4f5a6b7c8d9e"]}},{"id":"NCCKubernetesLogs","name":"NCCKubernetesLogs","tableType":"Microsoft","description":"Containerized application logs from Nexus clusters to gain insight onto the container orchestration platform.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"Node","type":"string","description":"Node name of 
the Nexus cluster which is generating the log."},{"name":"ContainerName","type":"string","description":"Name of the container generating the log for the Nexus cluster."},{"name":"PodName","type":"string","description":"Pod name generating the log in the Nexus cluster."},{"name":"NamespaceName","type":"string","description":"Namespace where the pod is running in the Nexus cluster."},{"name":"Message","type":"string","description":"Message generated by the kubernetes containers running on Nexus cluster."},{"name":"Severity","type":"string","description":"Severity of the log record. E.g. Info, Warning, Critical, Error, Notice, Debug."},{"name":"Location","type":"string","description":"Location of the Nexus cluster."},{"name":"ClusterManagerName","type":"string","description":"Name of the ClusterManager managing the Nexus cluster."},{"name":"ClusterName","type":"string","description":"Name of the On-prem Nexus cluster."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.networkcloud/clusters"],"solutions":["LogManagement"]}},{"id":"NCCPlatformOperationsLogs","name":"NCCPlatformOperationsLogs","tableType":"Microsoft","description":"Logs from the Nexus undercloud platform to gain insight onto the container orchestration platform.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"Node","type":"string","description":"Node 
name of the Nexus cluster which is generating the log."},{"name":"ContainerName","type":"string","description":"Name of the container generating the log for the Nexus cluster."},{"name":"PodName","type":"string","description":"Pod name generating the log in the Nexus cluster."},{"name":"NamespaceName","type":"string","description":"Namespace where the pod is running in the Nexus cluster."},{"name":"Message","type":"string","description":"Message generated by the kubernetes containers running on Nexus cluster."},{"name":"Severity","type":"string","description":"Severity of the log record. E.g. Info, Warning, Critical, Error, Notice, Debug."},{"name":"Location","type":"string","description":"Location of the Nexus cluster."},{"name":"ClusterManagerName","type":"string","description":"Name of the ClusterManager managing the Nexus cluster."},{"name":"ClusterName","type":"string","description":"Name of the On-prem Nexus cluster."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.networkcloud/clusters"],"solutions":["LogManagement"]}},{"id":"NCCVMOrchestrationLogs","name":"NCCVMOrchestrationLogs","tableType":"Microsoft","description":"Logs from Virtual Machine Orchestrator of Nexus cluster to track seamless coordination and management of virtual machines.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was 
generated."},{"name":"Node","type":"string","description":"Node name of the Nexus cluster which is generating the log."},{"name":"ContainerName","type":"string","description":"Name of the container generating the log for the Nexus cluster."},{"name":"PodName","type":"string","description":"Pod name generating the log in the Nexus cluster."},{"name":"NamespaceName","type":"string","description":"Namespace where the pod is running in the Nexus cluster."},{"name":"Message","type":"string","description":"Message generated by the kubernetes containers running on Nexus cluster."},{"name":"Severity","type":"string","description":"Severity of the log record. E.g. Info, Warning, Critical, Error, Notice, Debug."},{"name":"Location","type":"string","description":"Location of the Nexus cluster."},{"name":"ClusterManagerName","type":"string","description":"Name of the ClusterManager managing the Nexus cluster."},{"name":"ClusterName","type":"string","description":"Name of the On-prem Nexus cluster."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.networkcloud/clusters"],"solutions":["LogManagement"]}},{"id":"NCMClusterOperationsLogs","name":"NCMClusterOperationsLogs","tableType":"Microsoft","description":"Cluster Manager logs to track the deployment or upgrade of Nexus cluster.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was 
generated."},{"name":"ClusterManagerName","type":"string","description":"Name of the ClusterManager managing the Nexus cluster."},{"name":"ClusterName","type":"string","description":"Name of the On-prem Nexus cluster."},{"name":"Level","type":"string","description":"Log level of the message."},{"name":"Location","type":"string","description":"Location of the Nexus cluster."},{"name":"Message","type":"string","description":"Message generated by the kubernetes containers running on Nexus cluster."},{"name":"Node","type":"string","description":"Node name of the Nexus cluster which is generating the log."},{"name":"OperationID","type":"string","description":"Unique identifier for the operation."},{"name":"PodName","type":"string","description":"Pod name generating the log in the Nexus cluster."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.networkcloud/clustermanagers"],"solutions":["LogManagement"]}},{"id":"NCSStorageAlerts","name":"NCSStorageAlerts","tableType":"Microsoft","description":"Alert events logged from Nexus storage appliance providing storage system level alerts.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"ArrayName","type":"string","description":"Array name of the storage appliance."},{"name":"ArrayController","type":"string","description":"Array controller name of the storage 
appliance."},{"name":"Node","type":"string","description":"Node name of the Nexus cluster which is generating the log."},{"name":"PodName","type":"string","description":"Pod name generating the log in the Nexus cluster."},{"name":"ContainerName","type":"string","description":"Name of the container generating the log for the Nexus cluster."},{"name":"Message","type":"string","description":"Message generated by the kubernetes containers running on Nexus cluster."},{"name":"Action","type":"string","description":"Action for the storage appliance."},{"name":"Domain","type":"string","description":"Array domain of the storage appliance."},{"name":"User","type":"string","description":"Array user of the storage appliance."},{"name":"Severity","type":"string","description":"Array result of the storage appliance."},{"name":"Location","type":"string","description":"Location of the Nexus cluster."},{"name":"ClusterManagerName","type":"string","description":"Name of the ClusterManager managing the Nexus cluster."},{"name":"ClusterName","type":"string","description":"Name of the on-prem Nexus cluster."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.networkcloud/storageappliances"],"solutions":["LogManagement"]}},{"id":"NCSStorageAudits","name":"NCSStorageAudits","tableType":"Microsoft","description":"Audit log events from Nexus storage appliance providing insight into data and system 
access.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"ArrayName","type":"string","description":"Array name of the storage appliance."},{"name":"ArrayController","type":"string","description":"Array controller name of the storage appliance."},{"name":"Node","type":"string","description":"Node name of the Nexus cluster which is generating the log."},{"name":"PodName","type":"string","description":"Pod name generating the log in the Nexus cluster."},{"name":"ContainerName","type":"string","description":"Name of the container generating the log for the Nexus cluster."},{"name":"Message","type":"string","description":"Message generated by the kubernetes containers running on Nexus cluster."},{"name":"Action","type":"string","description":"Action for the storage appliance."},{"name":"Session","type":"string","description":"Array session of the storage appliance."},{"name":"User","type":"string","description":"Array user of the storage appliance."},{"name":"Result","type":"string","description":"Array result of the storage appliance."},{"name":"Location","type":"string","description":"Location of the Nexus cluster."},{"name":"ClusterManagerName","type":"string","description":"Name of the ClusterManager managing the Nexus cluster."},{"name":"ClusterName","type":"string","description":"Name of the on-prem Nexus cluster."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.networkcloud/storageappliances"],"solutions":["LogManagement"]}},{"id":"NCSStorageLogs","name":"NCSStorageLogs","tableType":"Microsoft","description":"All Logs from Nexus storage appliance other than audit & alert logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"ArrayName","type":"string","description":"Array name of the storage appliance."},{"name":"ArrayController","type":"string","description":"Array controller name of the storage appliance."},{"name":"Node","type":"string","description":"Node name of the Nexus cluster which is generating the log."},{"name":"PodName","type":"string","description":"Pod name generating the log in the Nexus cluster."},{"name":"ContainerName","type":"string","description":"Name of the container generating the log for the Nexus cluster."},{"name":"IPAddress","type":"string","description":"IP address generating the log in the Nexus cluster."},{"name":"Message","type":"string","description":"Message generated by the kubernetes containers running on Nexus cluster."},{"name":"Location","type":"string","description":"Location of the Nexus cluster."},{"name":"ClusterManagerName","type":"string","description":"Name of the ClusterManager managing the Nexus cluster."},{"name":"ClusterName","type":"string","description":"Name of the on-prem Nexus cluster."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the 
record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.networkcloud/storageappliances"],"solutions":["LogManagement"]}},{"id":"NGXOperationLogs","name":"NGXOperationLogs","tableType":"Microsoft","description":"NGINX access and error logs captured by NGINXaaS.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log record was generated."},{"name":"Location","type":"string","description":"The location (region) the NGINX instance was accessed in."},{"name":"Message","type":"string","description":"The message of the log record."},{"name":"FilePath","type":"string","description":"The file path where log records come from."},{"name":"Tag","type":"string","description":"The tag of log records from syslog."},{"name":"Severity","type":"string","description":"The severity of log records from syslog as defined in RFC 3164."},{"name":"Facility","type":"string","description":"The facility of log records from syslog as defined in RFC 3164. Facility can be one of kern, user, mail, daemon, auth, intern, lpr, news, uucp, clock, authpriv, ftp, ntp, audit, alert, cron, local0..local7. 
Default is local7."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["nginx.nginxplus/nginxdeployments"],"solutions":["LogManagement"],"queries":["eff2d4f3-9a25-4a3e-9434-b1ce56ff7d8c","55b0b24b-dd8a-4f91-a797-2c0eae9ea440"]}},{"id":"NGXSecurityLogs","name":"NGXSecurityLogs","tableType":"Microsoft","description":"NGINX security logs captured by NGINXaaS.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log record was generated."},{"name":"Location","type":"string","description":"The location (region) the NGINX instance was accessed in."},{"name":"Message","type":"string","description":"The message of the log record."},{"name":"FilePath","type":"string","description":"The file path where log records come from."},{"name":"Tag","type":"string","description":"The tag of log records from syslog."},{"name":"Severity","type":"string","description":"The severity of log records from syslog as defined in RFC 3164."},{"name":"Facility","type":"string","description":"The facility of log records from syslog as defined in RFC 3164. Facility can be one of kern, user, mail, daemon, auth, intern, lpr, news, uucp, clock, authpriv, ftp, ntp, audit, alert, cron, local0..local7. 
Default is local7."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["nginx.nginxplus/nginxdeployments"],"solutions":["LogManagement"],"queries":["4d51c78c-2124-4637-8fd1-0450556306bc"]}},{"id":"NSPAccessLogs","name":"NSPAccessLogs","tableType":"Microsoft","description":"Logs of Network Security Perimeter (NSP) inbound access allowed based on NSP access rules.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp marking the start of event aggregation."},{"name":"TimeGeneratedEndTime","type":"datetime","description":"Timestamp indicating the end of event aggregation."},{"name":"Count","type":"int","description":"Total number of aggregated events."},{"name":"OperationName","type":"string","description":"Indicates top-level PaaS operation name."},{"name":"OperationVersion","type":"string","description":"The API version associated with the operation."},{"name":"Category","type":"string","description":"NSP access log categories."},{"name":"Location","type":"string","description":"Indicates the region of NSP."},{"name":"ResultDescription","type":"string","description":"Additional description about the operation result, when available."},{"name":"Profile","type":"string","description":"Name of the NSP profile associated to the resource."},{"name":"Parameters","type":"string","description":"List of optional PaaS resource properties in key-value pair format. 
For example: [ {Param1}: {value1}, {Param2}: {value2}, ...]."},{"name":"ServiceResourceId","type":"string","description":"Resource ID of PaaS resource emitting NSP access logs."},{"name":"ServiceFqdn","type":"string","description":"Fully Qualified Domain Name (FQDN) of PaaS resource emitting NSP access logs."},{"name":"AppId","type":"string","description":"Unique GUID representing the app ID of resource in the Azure Active Directory."},{"name":"MatchedRule","type":"string","description":"JSON property bag containing matched access rule name. It can be either NSP access rule name or resource rule name (not its resource ID)."},{"name":"SourceResourceId","type":"string","description":"Resource ID of source PaaS resource for an inbound connection, when available."},{"name":"SourceIpAddress","type":"string","description":"IP address of source making inbound connection, when available."},{"name":"SourcePort","type":"string","description":"Port number of inbound connection, when available."},{"name":"SourceProtocol","type":"string","description":"Application layer protocol and transport layer protocol used for inbound connection in the format {AppProtocol}:{TransportProtocol}. For example: 'HTTPS:TCP'. It must be specified if available."},{"name":"SourcePerimeterGuids","type":"string","description":"List of perimeter GUIDs of source resource. It should be specified only if allowed based on perimeter GUID."},{"name":"SourceAppId","type":"string","description":"Unique GUID representing the app ID of source in the Azure Active Directory."},{"name":"SourceParameters","type":"string","description":"List of optional source properties in key-value pair format. 
For example: [ {Param1}: {value1}, {Param2}: {value2}, ...]."},{"name":"DestinationResourceId","type":"string","description":"Resource ID of destination PaaS resource for an outbound connection, when available."},{"name":"DestinationFqdn","type":"string","description":"Fully Qualified Domain Name (FQDN) of the destination."},{"name":"DestinationParameters","type":"string","description":"List of optional destination properties in key-value pair format. For example: [ {Param1}: {value1}, {Param2}: {value2}, ...]."},{"name":"DestinationPort","type":"string","description":"Port number of outbound connection, when available."},{"name":"DestinationProtocol","type":"string","description":"Application layer protocol and transport layer protocol used for outbound connection in the format {AppProtocol}:{TransportProtocol}. For example: 'HTTPS:TCP'. It must be specified if available."},{"name":"DestinationEmailAddress","type":"string","description":"Email address of destination receiver. It must be specified if available."},{"name":"DestinationPhoneNumber","type":"string","description":"Phone number of destination receiver. 
It must be specified if available."},{"name":"AccessRuleVersion","type":"string","description":"Access rule version of the NSP profile to which PaaS resource is associated."},{"name":"ResultDirection","type":"string","description":"Direction of evaluation result whether 'Inbound' or 'Outbound'."},{"name":"ResultAction","type":"string","description":"Indicates whether the result of evaluation is 'Approved' or 'Denied'."},{"name":"RuleType","type":"string","description":"Indicates where the rule is defined: NSP or PaaS resource."},{"name":"TrafficType","type":"string","description":"Indicates whether traffic is 'Private', 'Public', 'Intra' or 'Cross' perimeter."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","network","audit","security"],"resourceTypes":["microsoft.network/networksecurityperimeters"],"solutions":["LogManagement"]}},{"id":"NTAInsights","name":"NTAInsights","tableType":"Microsoft","description":"Traffic Analytics insights are provided for flow data which shows anomalies in data pattern.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time when the data gets ingested into the Log Analytics Workspace."},{"name":"SubType","type":"string","description":"Subtype for the insights logs."},{"name":"SchemaVersion","type":"string","description":"Schema version."},{"name":"AggregationType","type":"string","description":"Type of data aggregation - 1 for short aggregation and 2 for long 
aggregation."},{"name":"IntervalStart","type":"datetime","description":"Start time of the data insights processing interval."},{"name":"IntervalEnd","type":"datetime","description":"End time of the data insights processing interval."},{"name":"PivotType","type":"string","description":"Pivot type for insights aggregation."},{"name":"InsightsResourceId","type":"string","description":"Resource ID for the resource for which data is aggregated"},{"name":"Region","type":"string","description":"Region of Vnet flow logs."},{"name":"DataPoints","type":"string","description":"Data points for aggregated data."},{"name":"TrafficVolumeUnit","type":"string","description":"The aggregated values represent Flows/Bytes/Packets."},{"name":"FlowStatus","type":"string","description":"The considered traffic is Allowed/Denied/All."},{"name":"SeriesNumber","type":"real","description":"An incremental value to represent the last aggregated series."},{"name":"ProcessingTime","type":"datetime","description":"The time when periodicity is calculated."},{"name":"Periodicity","type":"real","description":"The number of hours after which the data repeats itself."},{"name":"TrafficVolumeActual","type":"real","description":"The actual traffic volume in the time period."},{"name":"TrafficVolumeBaseline","type":"real","description":"The predicted value of the series, according to the decomposition per the anomaly calculation algorithm."},{"name":"TrafficTime","type":"datetime","description":"Time when the anomaly has occurred in data pattern."},{"name":"AdFlag","type":"real","description":"A ternary series containing (+1, -1, 0) marking up/down/no anomaly respectively."},{"name":"AdScore","type":"real","description":"Anomaly score."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["network"],"solutions":["LogManagement"]}},{"id":"NTAIpDetails","name":"NTAIpDetails","tableType":"Microsoft","description":"Traffic Analytics provides WHOIS data and geographic location for all public IPs in the customer's environment. For Malicious IP, it provides DNS domain, threat type and threat descriptions as identified by Microsoft security intelligence solutions. IP Details are published to your Log Analytics Workspace so you can create custom queries and put alerts on them. You can also access pre-populated queries from the traffic analytics dashboard.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time when the data gets ingested into the Log Analytics Workspace."},{"name":"SubType","type":"string","description":"Subtype for the flow logs. Use only FlowLog, other values of SubType_s are for internal workings of the product."},{"name":"FaSchemaVersion","type":"string","description":"Schema version."},{"name":"FlowIntervalStartTime","type":"datetime","description":"Start time of the flow log processing interval. This is the time from which the flow interval is measured."},{"name":"FlowIntervalEndTime","type":"datetime","description":"End time of the flow log processing interval."},{"name":"FlowType","type":"string","description":"Can be AzurePublic/ExternalPublic/MaliciousFlow."},{"name":"Ip","type":"string","description":"Public IP whose information is provided in the record."},{"name":"PublicIpDetails","type":"string","description":"For AzurePublic IP: Azure Service owning the IP OR \"Microsoft Virtual Public IP\" for IP 168.63.129.16 . 
ExternalPublic/Malicious IP: WhoIS information of the IP."},{"name":"ThreatType","type":"string","description":"For Malicious IPs only: One of the threats from the list of currently allowed values."},{"name":"DnsDomain","type":"string","description":"For Malicious IPs only: Domain name associated with this IP."},{"name":"ThreatDescription","type":"string","description":"For Malicious IPs only: Description of the threat posed by the malicious IP."},{"name":"Location","type":"string","description":"For Azure Public IP: Azure region of virtual network/network interface/virtual machine to which the IP belongs OR Global for IP 168.63.129.16. For External Public IP and Malicious IP: 2-letter country code where IP is located (ISO 3166-1 alpha-2)."},{"name":"Url","type":"string","description":"For Malicious IPs only: Url associated with this IP."},{"name":"Port","type":"int","description":"For Malicious IPs only: Port associated with this IP."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["network"],"solutions":["LogManagement"]}},{"id":"NTANetAnalytics","name":"NTANetAnalytics","tableType":"Microsoft","description":"Traffic Analytics records for Flowlog enriched data.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time when the data gets ingested into the log analytics workspace."},{"name":"SubType","type":"string","description":"Subtype of the ingestion. 
Values can be Flowlog and StatusMessage."},{"name":"FaSchemaVersion","type":"string","description":"Schema version for ingestion."},{"name":"TimeProcessed","type":"datetime","description":"Time(in UTC) at which the traffic analytics processed the raw flow logs from the storage account."},{"name":"FlowIntervalStartTime","type":"datetime","description":"Starting time(in UTC) of the flow log processing interval. This is time from which flow interval is measured."},{"name":"FlowIntervalEndTime","type":"datetime","description":"Ending time(in UTC) of the flow log processing interval."},{"name":"FlowType","type":"string","description":"Category of the flows(allowed values are IntraVNet, InterVNet, S2S, P2S, AzurePublic, ExternalPublic, MaliciousFlow, Unknown Private, Unknown) based on IP addresses involved in flow."},{"name":"FlowStartTime","type":"datetime","description":"First occurrence of the flow (which will get aggregated) in the flow log processing interval between \"FlowIntervalStartTime_t\" and \"FlowIntervalEndTime_t\"."},{"name":"FlowEndTime","type":"datetime","description":"Last occurrence of the flow (which will get aggregated) in the flow log processing interval between \"FlowIntervalStartTime_t\" and \"FlowIntervalEndTime_t\". 
In terms of flow log v2, this field contains the time when the last flow with the same four-tuple started (marked as \"B\" in the raw flow record)."},{"name":"SrcIp","type":"string","description":"Source IP address."},{"name":"DestIp","type":"string","description":"Destination IP address."},{"name":"SrcPorts","type":"string","description":"Pipe Separated Source Ports."},{"name":"DestPort","type":"int","description":"Destination port."},{"name":"L4Protocol","type":"string","description":"Transport Protocol,T = TCP, U = UDP."},{"name":"L7Protocol","type":"string","description":"Application Layer protocol name."},{"name":"IsFlowCapturedAtUdrHop","type":"bool","description":"True if flow gets captured at a UDR hop."},{"name":"FlowDirection","type":"string","description":"Direction of the flow which can be inbound or outbound."},{"name":"FlowStatus","type":"string","description":"Status of flow which can be allowed or denied."},{"name":"NsgList","type":"string","description":"Network Security Group(NSG) associated with the flow. This is a placeholder for NSG flow logging."},{"name":"NsgRule","type":"string","description":"NSG rule that allowed or denied this flow. This is a placeholder for NSG flow logging."},{"name":"NsgRuleType","type":"string","description":"The type of Network Security Group(NSG) rule used by the flow. This is a placeholder for NSG flow logging."},{"name":"MacAddress","type":"string","description":"MAC address of the network interface at which the flow was captured."},{"name":"TargetResourceId","type":"string","description":"Target Resource Id for the resource where flow logging has been enabled."},{"name":"TargetResourceType","type":"string","description":"Target Resource Type where flow logging is enabled. 
It can be virtual network(VNET)/subnet(SUBNET)/network interface(NIC)."},{"name":"FlowLogResourceId","type":"string","description":"The resource Id for the flow log"},{"name":"SrcSubscription","type":"string","description":"Subscription of the Azure virtual network/ network interface/ virtual machine to which the source IP in the flow belongs to."},{"name":"DestSubscription","type":"string","description":"Subscription Id of virtual network/ network interface/ virtual machine to which the destination IP in the flow belongs to."},{"name":"SrcRegion","type":"string","description":"Azure region of virtual network/ network interface/ virtual machine to which the source IP in the flow belongs to."},{"name":"DestRegion","type":"string","description":"Azure region of virtual network/ network interface/ virtual machine to which the destination IP in the flow belongs to."},{"name":"SrcNic","type":"string","description":"NIC associated with the source IP in the flow."},{"name":"DestNic","type":"string","description":"NIC associated with the destination IP in the flow."},{"name":"SrcVm","type":"string","description":"Virtual machine associated with the source IP in the flow."},{"name":"DestVm","type":"string","description":"Virtual machine associated with the destination IP in the flow."},{"name":"SrcSubnet","type":"string","description":"Subnet associated with the source IP in the flow."},{"name":"DestSubnet","type":"string","description":"Subnet associated with the destination IP in the flow."},{"name":"SrcApplicationGateway","type":"string","description":"Application gateway associated with the source IP in the flow."},{"name":"DestApplicationGateway","type":"string","description":"Application gateway associated with the destination IP in the flow."},{"name":"SrcLoadBalancer","type":"string","description":"Load balancer associated with the source IP in the flow."},{"name":"DestLoadBalancer","type":"string","description":"Load balancer associated with the destination IP in 
the flow."},{"name":"SrcLocalNetworkGateway","type":"string","description":"Local network gateway associated with the source IP in the flow."},{"name":"DestLocalNetworkGateway","type":"string","description":"Local network gateway associated with the destination IP in the flow."},{"name":"SrcExpressRouteCircuit","type":"string","description":"Express route circuit associated with the source IP in the flow."},{"name":"DestExpressRouteCircuit","type":"string","description":"Express route circuit associated with the destination IP in the flow."},{"name":"ExpressRouteCircuitPeeringType","type":"string","description":"The peering type of the associated express route circuit for the flow."},{"name":"ConnectionType","type":"string","description":"Type of the connection. Possible values are VNetPeering, VpnGateway, and ExpressRoute."},{"name":"ConnectionName","type":"string","description":"Connection Name."},{"name":"ConnectingVnets","type":"string","description":"Space separated list of virtual network names."},{"name":"Country","type":"string","description":"Two letter country code (ISO 3166-1 alpha-2)."},{"name":"AzureRegion","type":"string","description":"Azure region locations."},{"name":"FlowEncryption","type":"string","description":"The type of flow encryption."},{"name":"AllowedInFlows","type":"long","description":"Count of inbound flows that were allowed. 
This represents the number of flows that shared the same four-tuple inbound to the network interface at which the flow was captured."},{"name":"DeniedInFlows","type":"long","description":"Count of inbound flows that were denied(Inbound to the network interface at which the flow was captured)."},{"name":"AllowedOutFlows","type":"long","description":"Count of outbound flows that were allowed(Outbound to the network interface at which the flow was captured)."},{"name":"DeniedOutFlows","type":"long","description":"Count of outbound flows that were denied(Outbound to the network interface at which the flow was captured)."},{"name":"PacketsDestToSrc","type":"long","description":"Represents packets sent from the destination to the source of the flow."},{"name":"PacketsSrcToDest","type":"long","description":"Represents packets sent from the source to the destination of the flow."},{"name":"BytesDestToSrc","type":"long","description":"Represents bytes sent from the destination to the source of the flow."},{"name":"BytesSrcToDest","type":"long","description":"Represents bytes sent from the source to the destination of the flow."},{"name":"CompletedFlows","type":"long","description":"This is populated with non-zero value when a flow gets a Completed event."},{"name":"SrcPublicIps","type":"string","description":"Source public IP addresses flow information."},{"name":"DestPublicIps","type":"string","description":"Destination public IP addresses flow information."},{"name":"AclGroup","type":"string","description":"Access control list group refers to the network security group associated with the network security group rule name (or) the network group associated with the security admin configuration which allowed or denied the connection."},{"name":"AclRule","type":"string","description":"Access control list rule refers to the network security group rule name or the security admin rule name which allowed or denied the 
connection."},{"name":"Status","type":"string","description":"Status of the ingestion. Possible values can be Completed, Partial or Failed."},{"name":"PrivateEndpointResourceId","type":"string","description":"Resource ID of the private endpoint resource."},{"name":"PrivateLinkResourceId","type":"string","description":"Resource ID of the private link service."},{"name":"PrivateLinkResourceName","type":"string","description":"Resource name of the private link service."},{"name":"SrcServiceId","type":"string","description":"Service ID associated with the source IP in the flow."},{"name":"DestServiceId","type":"string","description":"Service ID associated with the destination IP in the flow."},{"name":"SrcServiceName","type":"string","description":"Service Name associated with the source IP in the flow."},{"name":"DestServiceName","type":"string","description":"Service Name associated with the destination IP in the flow."},{"name":"SrcTenantId","type":"string","description":"Tenant ID associated with the source IP in the flow."},{"name":"DestTenantId","type":"string","description":"Tenant ID associated with the destination IP in the flow."},{"name":"SrcTenantName","type":"string","description":"Tenant Name associated with the source IP in the flow."},{"name":"DestTenantName","type":"string","description":"Tenant Name associated with the destination IP in the flow."},{"name":"SrcEnvironment","type":"string","description":"Environment associated with the source IP in the flow. Possible values can be Prod and NonProd."},{"name":"DestEnvironment","type":"string","description":"Environment associated with the destination IP in the flow. Possible values can be Prod and NonProd."},{"name":"SrcCloud","type":"string","description":"Cloud associated with the source IP in the flow. Possible values can be Public, Mooncake and Fairfax."},{"name":"DestCloud","type":"string","description":"Cloud associated with the destination IP in the flow. 
Possible values can be Public, Mooncake and Fairfax."},{"name":"SrcNetworkGroups","type":"string","description":"In case source is tagged with a vnet, this is networkgroups that vnet belongs to."},{"name":"DestNetworkGroups","type":"string","description":"In case destination is tagged with a vnet, this is networkgroups that vnet belongs to."},{"name":"SrcServiceTags","type":"string","description":"Service tag of SrcPublicIps in format |"},{"name":"DestServiceTags","type":"string","description":"Service tag of DestPublicIps in format |"},{"name":"LogResourceId","type":"string","description":"The resource ID of the resource responsible for the log generation. Eg. flow log ID for VNet flow logs, firewall diagnostic log ID for firewall logs, etc."},{"name":"Action","type":"string","description":"Action taken for the record. For network flow records this would indicate whether the flow was allowed or denied. For example: Allow/Deny for Firewall logs."},{"name":"Description","type":"string","description":"Additional information about the record, if required. 
For Firewall logs this would contain the ActionReason from the firewall."},{"name":"TrafficAnalyticsResourceId","type":"string","description":"Resource ID of the Traffic Analytics resource that is responsible for Traffic Analytics processing for this log source."},{"name":"RecordCount","type":"long","description":"Count of individual records that were aggregated into this record."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["network"],"solutions":["LogManagement"]}},{"id":"NTANspRuleRecommendation","name":"NTANspRuleRecommendation","tableType":"Microsoft","description":"Traffic Analytics NSP rule recommendations based on flow data for Network Security Perimeter resources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Event generation timestamp."},{"name":"StartTime","type":"datetime","description":"The rule evaluation window start time."},{"name":"EndTime","type":"datetime","description":"The rule evaluation window end time."},{"name":"TrafficAnalyticsResourceId","type":"string","description":"Traffic analytics resource ID."},{"name":"NspResourceId","type":"string","description":"NSP resource ID."},{"name":"NspProfile","type":"string","description":"NSP Profile."},{"name":"ResultDirection","type":"string","description":"Direction of the flow. Possible values are Inbound, Outbound."},{"name":"ResultAction","type":"string","description":"Indicates if the flow is allowed or denied. 
Possible values are Allowed, Denied."},{"name":"ResultType","type":"string","description":"Indicates if the flow is acled by NSP or Resource."},{"name":"SourceIPs","type":"string","description":"Comma-separated public source IPs in CIDR format for inbound flows."},{"name":"DestinationFqdns","type":"string","description":"Comma-separated destination fully qualified domain names for outbound traffic for a given NSP."},{"name":"PaasResourceId","type":"string","description":"Resource ID of the PaaS resource."},{"name":"RuleType","type":"string","description":"Type of the rule. Possible values are IP, ServiceTag, Subscription, FQDN."},{"name":"RuleValue","type":"string","description":"Value for the rule."},{"name":"ServiceEndpoints","type":"string","description":"Comma-separated service endpoints. Service Endpoint traffic found."},{"name":"TrafficType","type":"string","description":"Indicates whether the traffic is internal or external."},{"name":"IpDetails","type":"string","description":"Whois information of the IP in case of external traffic."},{"name":"Location","type":"string","description":"For external public IPs and malicious IPs: two-letter country code (ISO 3166-1 alpha-2) where the IP is located."},{"name":"AdditionalProperties","type":"string","description":"Property bag for any additional properties."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["network"],"solutions":["LogManagement"]}},{"id":"NTARuleRecommendation","name":"NTARuleRecommendation","tableType":"Microsoft","description":"Traffic Analytics rules are recommended based on flow data for various pre-defined rules.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time when the data gets ingested into the Log Analytics 
Workspace."},{"name":"RecommendedRuleName","type":"string","description":"The name of the rule being recommended."},{"name":"SchemaVersion","type":"string","description":"Version of the schema used for this record."},{"name":"SummarizationType","type":"string","description":"Indicates how the flows were summarized by time. Possible values are Hourly, Daily."},{"name":"StartTime","type":"datetime","description":"Start time of the flow observation window."},{"name":"EndTime","type":"datetime","description":"End time of the flow observation window."},{"name":"RuleScope","type":"string","description":"Scope within which the rule applies. Possible values are SubscriptionId, VirtualNetwork."},{"name":"TargetResourceId","type":"string","description":"The resource targeted by the rule."},{"name":"TargetResourceIdsList","type":"string","description":"List of all targeted resource IDs covered by the rule."},{"name":"SrcSubscriptionId","type":"string","description":"Subscription ID of the target resource id sending the traffic."},{"name":"DestSubscriptionId","type":"string","description":"Subscription ID of the target resource id receiving the traffic."},{"name":"L4Protocol","type":"string","description":"Layer 4 protocol used in the traffic. 
Possible values are TCP, UDP."},{"name":"PortCategory","type":"string","description":"Indicates the classification of the destination port based on well-known or commonly used port ranges."},{"name":"SrcPublicIpCidrs","type":"string","description":"Public source IPs in CIDR format for inbound flows."},{"name":"DestPublicIpCidrs","type":"string","description":"Public destination IPs in CIDR format for outbound flows."},{"name":"SrcServiceTagsList","type":"string","description":"Service tags associated with source traffic for inbound flows."},{"name":"DestServiceTagsList","type":"string","description":"Service tags associated with destination traffic for outbound flows."},{"name":"TotalFlowCount","type":"int","description":"Total number of flows observed for this rule."},{"name":"DestPortsRanges","type":"string","description":"Comma-separated list of destination port ranges on target resource id."},{"name":"IpRegionDetails","type":"string","description":"Region information for the involved IP addresses."},{"name":"IpUrls","type":"string","description":"List of Urls for the malicious Ips."},{"name":"UnecryptedFlowDetails","type":"string","description":"For unencrypted flow, it specifies the encryption level. Possible values are Unencrypted, Unsupported hardware, Software not ready, Drop due to no encryption, Discovery not supported, Destination on same host, Fall back to no encryption."},{"name":"RecommendedAction","type":"string","description":"Recommended action on the recommended rule. 
Possible values are Allow, Block, Advisory."},{"name":"VirtualNetworkResourceId","type":"string","description":"Virtual network name targeted by rule."},{"name":"AdditionalProperties","type":"string","description":"Placeholder for additional properties related to the recommended rule."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["network"],"solutions":["LogManagement"],"queries":["a2995731-5c93-42bc-894e-704789d8deba"]}},{"id":"NTATopologyDetails","name":"NTATopologyDetails","tableType":"Microsoft","description":"Traffic Analytics records for Topology data.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time when the data gets ingested into the log analytics workspace."},{"name":"SubType","type":"string","description":"Subtype of the ingestion. 
Values can be Topology and StatusMessage."},{"name":"TimeProcessed","type":"datetime","description":"Time(in UTC) at which the traffic analytics discovered the topology resource."},{"name":"TopologyVersion","type":"string","description":"Topology version."},{"name":"SchemaVersion","type":"string","description":"This is topology schema version and not related to flow log schema version."},{"name":"MacAddress","type":"string","description":"MAC address of the discovered NIC."},{"name":"Name","type":"string","description":"Name of the discovered resource."},{"name":"Region","type":"string","description":"Region of the discovered resource."},{"name":"AzureResourceType","type":"string","description":"Resource type of the discovered resource."},{"name":"Subscription","type":"string","description":"Subscription GUID of the discovered resource."},{"name":"SubscriptionName","type":"string","description":"Subscription name of the discovered resource."},{"name":"DiscoveryRegion","type":"string","description":"The region where the resource is discovered."},{"name":"Tags","type":"string","description":"Tags associated with the discovered resource."},{"name":"AddressPrefixes","type":"string","description":"The address prefixes associated with the discovered resource."},{"name":"Nsg","type":"string","description":"The reference to the network security group resource."},{"name":"RouteTable","type":"string","description":"The reference to the route table resource."},{"name":"GatewayType","type":"string","description":"Gateway type associated with the virtual network gateway, VPN or express route."},{"name":"VirtualSubnetwork","type":"string","description":"Virtual subnetwork associated with virtual network gateway."},{"name":"VipAddress","type":"string","description":"Space separated list of IP addresses associated with virtual network gateway."},{"name":"Sku","type":"string","description":"SKU or pricing associated with the discovered 
resource."},{"name":"BgpEnabled","type":"bool","description":"Whether BGP is enabled for this resource or not."},{"name":"VpnClientAddressPrefixes","type":"string","description":"The reference to the address prefix resource which represents address prefix for P2S VpnClient. Will be empty when no point to site is configured."},{"name":"IpAddress","type":"string","description":"Gateway IP address of the discovered resource."},{"name":"SubnetPrefixes","type":"string","description":"Space separated string of address prefixes in local network address space."},{"name":"IsVirtualAppliance","type":"bool","description":"Boolean to specify if the discovered resource is a virtual appliance."},{"name":"VmssName","type":"string","description":"The virtual machine scale set name."},{"name":"Zones","type":"string","description":"The virtual machine zones information."},{"name":"Priority","type":"int","description":"Specifies the priority for the virtual machine. Minimum api-version: 2019-03-01."},{"name":"VirtualMachine","type":"string","description":"The reference to a virtual machine."},{"name":"PrivateIpAddresses","type":"string","description":"Private IP address of the IP configuration."},{"name":"PublicIpAddresses","type":"string","description":"Public IP address bound to the IP configuration."},{"name":"Subnetwork","type":"string","description":"The reference to the subnetwork resource."},{"name":"EnableIpForwarding","type":"bool","description":"Indicates whether IP forwarding is enabled on the network interface."},{"name":"LoadBalancerBackendPools","type":"string","description":"Pool of load balancer backend IP addresses."},{"name":"ApplicationGatewayBackendPools","type":"string","description":"Pool of application gateway backend IP addresses."},{"name":"IsFlowEnabled","type":"bool","description":"Flag to enable/disable flow logging."},{"name":"FlowLogStorageAccount","type":"string","description":"Id of the storage account which is used to store the flow 
log."},{"name":"Description","type":"string","description":"Description of the network security group rule."},{"name":"Protocol","type":"string","description":"Protocol associated with network security group rule."},{"name":"SourcePortRange","type":"string","description":"Source port range associated with network security group rule."},{"name":"DestinationPortRange","type":"string","description":"Destination port range associated with network security group rule."},{"name":"SourceAddressPrefix","type":"string","description":"Source address prefix associated with network security group rule."},{"name":"DestinationAddressPrefix","type":"string","description":"Destination address prefix associated with network security group rule."},{"name":"Access","type":"string","description":"Access(Allow/Deny) associated with network security group rule."},{"name":"Direction","type":"string","description":"Direction associated with network security group rule."},{"name":"RuleType","type":"string","description":"The type of the network security group rule."},{"name":"NextHopType","type":"string","description":"The type of azure hop the packet should be sent to."},{"name":"NextHopIp","type":"string","description":"The IP address packets should be forwarded to. 
Next hop values are only allowed in routes where the next hop type is virtual appliance."},{"name":"VirtualNetworkGateway1","type":"string","description":"The reference to virtual network gateway resource."},{"name":"VirtualNetworkGateway2","type":"string","description":"The reference to virtual network gateway resource."},{"name":"LocalNetworkGateway","type":"string","description":"The reference to local network gateway resource."},{"name":"Peer","type":"string","description":"The reference to peerings resource."},{"name":"GatewayConnectionType","type":"string","description":"Gateway connection type."},{"name":"ConnectionType","type":"string","description":"Connection type of the discovered connection."},{"name":"ConnectionStatus","type":"string","description":"Gateway connection status."},{"name":"RoutingWeight","type":"int","description":"The routing weight."},{"name":"IngressBytesTransferred","type":"long","description":"The ingress bytes transferred in this connection."},{"name":"EgressBytesTransferred","type":"long","description":"The egress bytes transferred in this connection."},{"name":"VirtualNetwork1","type":"string","description":"The reference to the virtual network resource associated with the virtual network peering."},{"name":"VirtualNetwork2","type":"string","description":"The reference to the virtual network resource associated with the virtual network peering."},{"name":"AllowVirtualNetworkAccess","type":"bool","description":"Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space."},{"name":"AllowForwardedTraffic","type":"bool","description":"Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network."},{"name":"AllowGatewayTransit","type":"bool","description":"If gateway links can be used in remote virtual networking to link to this virtual network."},{"name":"UseRemoteGateways","type":"bool","description":"If remote 
gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway."},{"name":"LoadBalancerType","type":"string","description":"The type of the discovered load balancer resource. Possible values are internal load balancer or internet facing load balancer."},{"name":"FrontendSubnet","type":"string","description":"The subnet of the discovered load balancer resource. This will be populated when the load balancer is internal load balancer."},{"name":"FrontendSubnets","type":"string","description":"List of space separated subnets of the discovered load balancer resource. This will be populated when the load balancer is internal load balancer."},{"name":"FrontendIps","type":"string","description":"Frontend IP address of the load balancer."},{"name":"BackendSubnets","type":"string","description":"List of space separated subnets associated with the discovered resource."},{"name":"AppGatewayType","type":"string","description":"Type of the application gateway resource. 
This would be either internal or internet facing."},{"name":"PrivateFrontendIps","type":"string","description":"Front end private IP addresses associated with the application gateway resource."},{"name":"PublicFrontendIps","type":"string","description":"Front end public IP addresses associated with the application gateway resource."},{"name":"GatewaySubnet","type":"string","description":"Subnet associated with the application gateway resource."},{"name":"VirtualAppliances","type":"string","description":"Virtual appliances associated with the discovered subnetwork connection."},{"name":"Subnet1","type":"string","description":"Subnet associated with the discovered subnetwork connection."},{"name":"Subnet2","type":"string","description":"Subnet associated with the discovered subnetwork connection."},{"name":"SubnetRegion1","type":"string","description":"Subnet region associated with the discovered subnetwork connection."},{"name":"SubnetRegion2","type":"string","description":"Subnet region associated with the discovered subnetwork connection."},{"name":"FrontendIpAddress","type":"string","description":"Frontend IP address associated with the inbound NAT rule."},{"name":"BackendIpAddress","type":"string","description":"Backend IP address associated with the inbound NAT rules."},{"name":"FrontendPort","type":"int","description":"Frontend port associated with the inbound NAT rules. The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer. Acceptable values range from 1 to 65534."},{"name":"BackendPort","type":"int","description":"Backend port associated with the inbound NAT rules. The port used for the internal endpoint. Acceptable values range from 1 to 65535."},{"name":"FloatingIpEnabled","type":"bool","description":"Configures a virtual machine's endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. 
This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can't be changed after you create the endpoint."},{"name":"BackendAddressPool","type":"string","description":"The reference to backend address pool resource."},{"name":"CircuitProvisioningState","type":"string","description":"The current provisioning state of express route circuit."},{"name":"ServiceProviderProperties","type":"string","description":"\"Contains service provider properties in an express route circuit. Service provider properties semicolon separated \"ServiceProviderName;ServiceProviderBandwidthInMbps;ServiceProviderPeeringLocation\"\"."},{"name":"ServiceProviderProvisioningState","type":"string","description":"The service provider provisioning state of the resource."},{"name":"SkuDetail","type":"string","description":"\"The SKU of express route circuit. Express route circuit SKU detail semicolon separated \"Family;Name;Tier\"\"."},{"name":"AzureAsn","type":"long","description":"The Azure ASN of express route circuit peering."},{"name":"PeerAsn","type":"long","description":"The peer ASN of express route circuit peering."},{"name":"PeeringType","type":"string","description":"The peering type of express route circuit peering."},{"name":"PrimaryAzurePort","type":"string","description":"The primary port of express route circuit peering."},{"name":"PrimaryPeerAddressPrefix","type":"string","description":"The primary peer address prefix of express route circuit peering."},{"name":"SecondaryAzurePort","type":"string","description":"The secondary port of express route circuit peering."},{"name":"SecondaryPeerAddressPrefix","type":"string","description":"The secondary peer address prefix of express route circuit peering."},{"name":"State","type":"string","description":"The peering state of express route circuit peering."},{"name":"PrimaryBytesIn","type":"long","description":"The primary bytes in of the 
peering."},{"name":"PrimaryBytesOut","type":"long","description":"The primary bytes out of the peering."},{"name":"SecondaryBytesIn","type":"long","description":"The secondary bytes in of the peering."},{"name":"SecondaryBytesOut","type":"long","description":"The secondary bytes out of the peering."},{"name":"VlanId","type":"int","description":"The VLAN Id of the peering."},{"name":"Network","type":"string","description":"IP address of a network entity associated with the express route circuit route."},{"name":"PrimaryNextHop","type":"string","description":"Primary next hop address of the express route circuit route."},{"name":"SecondaryNextHop","type":"string","description":"Secondary next hop address of the express route circuit route."},{"name":"LocalPreference","type":"string","description":"Local preference value as set with the set local-preference route-map configuration command of the express route circuit route."},{"name":"Path","type":"string","description":"Autonomous system paths to the destination network of the express route circuit route."},{"name":"Weight","type":"int","description":"Route weight of the express route circuit route."},{"name":"ComponentType","type":"string","description":"Component type of the status message. Possible values are Flowlog/Topology."},{"name":"Status","type":"string","description":"Status of the ingestion. Possible values can be Completed/Partial/Failed."},{"name":"VnetEncryptionSupported","type":"bool","description":"Indicates whether the virtual machine this nic is attached to supports encryption."},{"name":"EncryptionEnabled","type":"bool","description":"Indicates whether encryption is enabled on the virtual network."},{"name":"EncryptionEnforcement","type":"string","description":"Indicates whether the encrypted virtual network allows VM that does not support encryption. 
Possible values include DropUnencrypted/AllowUnencrypted."},{"name":"PrivateEndpointResourceId","type":"string","description":"Resource ID of the private endpoint resource."},{"name":"PrivateLinkResourceId","type":"string","description":"Resource ID of the private link service."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["network"],"solutions":["LogManagement"]}},{"id":"NWConnectionMonitorDNSResult","name":"NWConnectionMonitorDNSResult","tableType":"Microsoft","description":"Connection Monitor DNS result records.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"RecordId","type":"string","description":"The record id for unique identification of test result record"},{"name":"ConnectionMonitorResourceId","type":"string","description":"The connection monitor resource id of the test"},{"name":"TestGroupName","type":"string","description":"The test group name to which the test belongs to"},{"name":"TestConfigurationName","type":"string","description":"The test configuration name to which the test belongs to"},{"name":"SourceType","type":"string","description":"The type of the source machine configured for the test"},{"name":"SourceResourceId","type":"string","description":"The resource id of the source machine"},{"name":"SourceAddress","type":"string","description":"The address of the source configured for the test"},{"name":"SourceSubnet","type":"string","description":"The subnet of the source"},{"name":"SourceIP","type":"string","description":"The IP address of the source"},{"name":"SourceName","type":"string","description":"The source end point name"},{"name":"SourceAgentId","type":"string","description":"The source agent 
id"},{"name":"DestinationPort","type":"int","description":"The destination port configured for the test"},{"name":"DestinationType","type":"string","description":"The type of the destination machine configured for the test"},{"name":"DestinationResourceId","type":"string","description":"The resource id of the Destination machine"},{"name":"DestinationAddress","type":"string","description":"The address of the destination configured for the test"},{"name":"DestinationSubnet","type":"string","description":"If applicable, the subnet of the destination"},{"name":"DestinationIP","type":"string","description":"The IP address of the destination"},{"name":"DestinationName","type":"string","description":"The destination end point name"},{"name":"DestinationAgentId","type":"string","description":"The destination agent id"},{"name":"Protocol","type":"string","description":"The protocol of the test"},{"name":"ChecksTotal","type":"int","description":"The total number of checks done under the test"},{"name":"ChecksFailed","type":"int","description":"The total number of checks failed under the test"},{"name":"TestResult","type":"string","description":"The result of the test"},{"name":"TestResultCriterion","type":"string","description":"The result criterion of the test"},{"name":"ResponseRecordCount","type":"int","description":"The total count of DNS response records"},{"name":"ResponseRecords","type":"string","description":"The DNS Response records"},{"name":"ResponseRecordType","type":"string","description":"The type of DNS response record"},{"name":"ValidationChecks","type":"string","description":"The validation checks of DNS Result"},{"name":"ValidationIssues","type":"string","description":"The issues identified as part of DNS Test"},{"name":"DomainName","type":"string","description":"The domain name of DNS Test"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["network"],"resourceTypes":["microsoft.network/networkwatchers/connectionmonitors"],"solutions":["LogManagement"]}},{"id":"NWConnectionMonitorDestinationListenerResult","name":"NWConnectionMonitorDestinationListenerResult","tableType":"Microsoft","description":"Connection Monitor destination listener result records.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"RecordId","type":"string","description":"The record id for unique identification of test result record"},{"name":"ConnectionMonitorResourceId","type":"string","description":"The connection monitor resource id of the test"},{"name":"TestGroupName","type":"string","description":"The test group name to which the test belongs to"},{"name":"TestConfigurationName","type":"string","description":"The test configuration name to which the test belongs to"},{"name":"DestinationPort","type":"int","description":"The Destination port configured for the test"},{"name":"DestinationType","type":"string","description":"The type of the destination machine configured for the test"},{"name":"DestinationResourceId","type":"string","description":"The resource id of the Destination machine"},{"name":"DestinationAddress","type":"string","description":"The address of the destination configured for the test"},{"name":"DestinationSubnet","type":"string","description":"If applicable, the subnet of the destination configured for the test"},{"name":"DestinationIP","type":"string","description":"The IP 
address of the destination"},{"name":"DestinationName","type":"string","description":"The destination end point name"},{"name":"DestinationAgentId","type":"string","description":"The destination agent id"},{"name":"Protocol","type":"string","description":"The protocol of the test"},{"name":"ListeningOutcome","type":"string","description":"The listening outcome result"},{"name":"Issues","type":"string","description":"The issues identified by Destination Listener"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"]}},{"id":"NWConnectionMonitorPathResult","name":"NWConnectionMonitorPathResult","tableType":"Microsoft","description":"Connection Monitor path result records.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"RecordId","type":"string","description":"The record id for unique identification of test result record"},{"name":"TopologyId","type":"string","description":"The topology id of the path record"},{"name":"ConnectionMonitorResourceId","type":"string","description":"The connection monitor resource id of the test"},{"name":"TestGroupName","type":"string","description":"The test group name to which the test belongs to"},{"name":"TestConfigurationName","type":"string","description":"The test configuration name to which the test belongs to"},{"name":"SourceType","type":"string","description":"The type of the source machine configured for the 
test"},{"name":"SourceResourceId","type":"string","description":"The resource id of the source machine"},{"name":"SourceAddress","type":"string","description":"The address of the source configured for the test"},{"name":"SourceSubnet","type":"string","description":"The subnet of the source"},{"name":"SourceIP","type":"string","description":"The IP address of the source"},{"name":"SourceName","type":"string","description":"The source end point name"},{"name":"SourceAgentId","type":"string","description":"The source agent id"},{"name":"DestinationPort","type":"int","description":"The destination port configured for the test"},{"name":"DestinationType","type":"string","description":"The type of the destination machine configured for the test"},{"name":"DestinationResourceId","type":"string","description":"The resource id of the Destination machine"},{"name":"DestinationAddress","type":"string","description":"The address of the destination configured for the test"},{"name":"DestinationSubnet","type":"string","description":"If applicable, the subnet of the destination"},{"name":"DestinationIP","type":"string","description":"The IP address of the destination"},{"name":"DestinationName","type":"string","description":"The destination end point name"},{"name":"DestinationAgentId","type":"string","description":"The destination agent id"},{"name":"Protocol","type":"string","description":"The protocol of the test"},{"name":"ChecksTotal","type":"int","description":"The total number of checks done under the test"},{"name":"ChecksFailed","type":"int","description":"The total number of checks failed under the test"},{"name":"PathTestResult","type":"string","description":"The result of the test"},{"name":"PathTestResultCriterion","type":"string","description":"The result criterion of the test"},{"name":"ChecksFailedPercentThreshold","type":"int","description":"The checks failed percent threshold set for the test"},{"name":"RoundTripTimeMsThreshold","type":"real","description":"The 
round trip threshold (ms) set for the test"},{"name":"MinRoundTripTimeMs","type":"real","description":"The minimum round trip time (ms) for the test"},{"name":"MaxRoundTripTimeMs","type":"real","description":"The maximum round trip time for the test"},{"name":"AvgRoundTripTimeMs","type":"real","description":"The average round trip time for the test"},{"name":"JitterMs","type":"real","description":"The mean deviation round trip time for the test"},{"name":"HopAddresses","type":"string","description":"The hop addresses identified for the test"},{"name":"HopTypes","type":"string","description":"The hop types identified for the test"},{"name":"HopLinkTypes","type":"string","description":"The hop link types identified for the test"},{"name":"HopResourceIds","type":"string","description":"The hop resource ids identified for the test"},{"name":"Issues","type":"string","description":"The issues identified for the test"},{"name":"Hops","type":"string","description":"The hops identified for the test"},{"name":"AdditionalData","type":"string","description":"The additional data for the test"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["network"],"resourceTypes":["microsoft.network/networkwatchers/connectionmonitors"],"solutions":["LogManagement"],"queries":["a756c739-e5cb-4bf1-9b37-4d58d5a49e2d"]}},{"id":"NWConnectionMonitorTestResult","name":"NWConnectionMonitorTestResult","tableType":"Microsoft","description":"Connection Monitor test result 
records.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"RecordId","type":"string","description":"The record id for unique identification of test result record"},{"name":"ConnectionMonitorResourceId","type":"string","description":"The connection monitor resource id of the test"},{"name":"TestGroupName","type":"string","description":"The test group name to which the test belongs to"},{"name":"TestConfigurationName","type":"string","description":"The test configuration name to which the test belongs to"},{"name":"SourceType","type":"string","description":"The type of the source machine configured for the test"},{"name":"SourceResourceId","type":"string","description":"The resource id of the source machine"},{"name":"SourceAddress","type":"string","description":"The address of the source configured for the test"},{"name":"SourceSubnet","type":"string","description":"The subnet of the source"},{"name":"SourceIP","type":"string","description":"The IP address of the source"},{"name":"SourceName","type":"string","description":"The source end point name"},{"name":"SourceAgentId","type":"string","description":"The source agent id"},{"name":"DestinationPort","type":"int","description":"The destination port configured for the test"},{"name":"DestinationType","type":"string","description":"The type of the destination machine configured for the test"},{"name":"DestinationResourceId","type":"string","description":"The resource id of the Destination machine"},{"name":"DestinationAddress","type":"string","description":"The address of the destination configured for the test"},{"name":"DestinationSubnet","type":"string","description":"If applicable, the subnet of the destination"},{"name":"DestinationIP","type":"string","description":"The IP address of the 
destination"},{"name":"DestinationName","type":"string","description":"The destination end point name"},{"name":"DestinationAgentId","type":"string","description":"The destination agent id"},{"name":"Protocol","type":"string","description":"The protocol of the test"},{"name":"ChecksTotal","type":"int","description":"The total number of checks done under the test"},{"name":"ChecksFailed","type":"int","description":"The total number of checks failed under the test"},{"name":"TestResult","type":"string","description":"The result of the test"},{"name":"TestResultCriterion","type":"string","description":"The result criterion of the test"},{"name":"ChecksFailedPercentThreshold","type":"int","description":"The checks failed percent threshold set for the test"},{"name":"RoundTripTimeMsThreshold","type":"real","description":"The round trip threshold (ms) set for the test"},{"name":"MinRoundTripTimeMs","type":"real","description":"The minimum round trip time (ms) for the test"},{"name":"MaxRoundTripTimeMs","type":"real","description":"The maximum round trip time for the test"},{"name":"AvgRoundTripTimeMs","type":"real","description":"The average round trip time for the test"},{"name":"JitterMs","type":"real","description":"The mean deviation round trip time for the test"},{"name":"AdditionalData","type":"string","description":"The additional data for the test"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["network"],"resourceTypes":["microsoft.network/networkwatchers/connectionmonitors"],"solutions":["LogManagement"],"queries":["8a9e48ac-20be-4074-8118-9366e73d8dac","da3145ca-5cb9-43f4-afcc-0544bc320d8d"]}},{"id":"NatGatewayFlowlogsV1","name":"NatGatewayFlowlogsV1","tableType":"Microsoft","description":"Table of logs related to traffic through NAT Gateway resources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was generated."},{"name":"SourceIP","type":"string","description":"The source IP generating the traffic through the NAT Gateway."},{"name":"DestinationIP","type":"string","description":"The destination IP the traffic is getting forwarded to, through the NAT Gateway."},{"name":"NatGatewayIP","type":"string","description":"The NAT Gateway IP address."},{"name":"PacketsReceived","type":"long","description":"Count of packets received from the destination IP and allowed by the NAT Gateway."},{"name":"PacketsSent","type":"long","description":"Count of packets sent from the source IP and allowed by the NAT Gateway."},{"name":"BytesReceived","type":"long","description":"Sum of the size (in bytes) of all the packets received from the destination IP and allowed by the NAT Gateway."},{"name":"BytesSent","type":"long","description":"Sum of the size (in bytes) of all the packets sent from the source IP and allowed by the NAT Gateway."},{"name":"PacketsReceivedDropped","type":"long","description":"Count of packets received from the destination IP and dropped at the NAT Gateway."},{"name":"PacketsSentDropped","type":"long","description":"Count of packets sent from the source IP and dropped at the NAT Gateway."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","monitor"],"resourceTypes":["microsoft.network/natgateways"],"solutions":["LogManagement"],"queries":["652774ec-9662-4e1f-bc18-b223ec9ce36d","252274ec-9662-4e3f-bc18-b225ec9ce31d"]}},{"id":"NetworkAccessAlerts","name":"NetworkAccessAlerts","tableType":"Microsoft","description":"This table is part of Identity and Network Access, which contains Network Access Alerts. These Alerts can be leveraged for knowing the state of your network access.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time (UTC) that the event was generated."},{"name":"CreationDateTime","type":"datetime","description":"The date and time (UTC) that the event was generated."},{"name":"FirstActivityDateTime","type":"datetime","description":"The impact start time of the alert (the time of the first event or activity included in the alert). The field is serialized a string according to ISO8601, including UTC timezone information."},{"name":"LastActivityDateTime","type":"datetime","description":"The impact end time of the alert (the time of the last event or activity included in the alert). The field is serialized a string according to ISO8601, including UTC timezone information."},{"name":"Id","type":"string","description":"A unique identifier for each Network Access Alert."},{"name":"VendorName","type":"string","description":"The name of the vendor that raised the alert, this value is displayed to users as is. 
For most internal security products alerts it should be set as ‘Microsoft’."},{"name":"ProductName","type":"string","description":"The name of the product which published this alert, i.e. Azure Security Center, Azure ATP, Microsoft Defender ATP, O365 ATP, MCAS, etc."},{"name":"ComponentName","type":"string","description":"The name of a component inside the product which generated the alert. This is an optional field, which might be populated only for product in which external end user are aware of specific components within a product. For products that offer different types of SKU/Bundles, this field can hold the SKU or bundle name."},{"name":"AlertType","type":"string","description":"The type name of the alert. Alerts of the same type should have the same name. This field is a keyed string representing the type of alert and not of an alert instance. All alert instances from the same detection logic/analytic should have the same value for alert type."},{"name":"DisplayName","type":"string","description":"The display name of the alert, this value is displayed to users either as-is or with additional parameters."},{"name":"Description","type":"string","description":"The number of bytes sent from the source to the destination for the connection or session."},{"name":"Severity","type":"string","description":"The severity of the alert as it is reported by the provider. Possible Values: Informational, Low, Medium, High."},{"name":"Techniques","type":"string","description":"Optional field that specify the kill chain related techniques behind the alert. Each technique should be added in this list using its ID and it should have at least one matching intent in the Intent field. 
The content of this field (the expected format of the technique ID and its matching against the Intent values) follows the MITRE ATT&CK Enterprise matrix, and further guidance on the techniques that make up each intent can be found in MITRE's documentation.
Entities which are not in the list below can also be sent, however it is not guaranteed that they will be processed (the alert will not fail Production with new types of entities)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","network","management"],"solutions":["LogManagement"]}},{"id":"NetworkAccessConnectionEvents","name":"NetworkAccessConnectionEvents","tableType":"Microsoft","description":"This table is part of Identity and Network Access, which contains Network Traffic Connection Events. These logs can be leveraged for security, and traffic management, as well as to monitor users experience.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time (UTC) that the event was generated."},{"name":"ConnectionId","type":"string","description":"Unique identifier representing the connection this traffic log was initiated from."},{"name":"TrafficType","type":"string","description":"The type of the target destination traffic."},{"name":"EventType","type":"string","description":"The type of the connection event."},{"name":"DeviceCategory","type":"string","description":"Device type the transaction originated from. 
Client, Branch."},{"name":"DestinationIp","type":"string","description":"The IP address of the connection or session destination."},{"name":"DestinationPort","type":"int","description":"The destination IP port."},{"name":"DestinationFqdn","type":"string","description":"The destination device hostname, including domain information when available."},{"name":"SourceIp","type":"string","description":"The IP address from which the connection or session originated."},{"name":"SourcePrivateIp","type":"string","description":"The private IP address from which the connection or session originated."},{"name":"RemoteNetworkSourceIp","type":"string","description":"The Remote Network IP address from which the connection or session originated."},{"name":"SourcePort","type":"int","description":"The IP port from which the connection originated."},{"name":"DeviceOperatingSystem","type":"string","description":"The client connecting operating system type."},{"name":"DeviceOperatingSystemVersion","type":"string","description":"The client connecting operating system version."},{"name":"AgentVersion","type":"string","description":"The version of the agent connecting."},{"name":"DeviceId","type":"string","description":"The ID of the source device as reported in the record."},{"name":"ClientDeviceName","type":"string","description":"The name of the client device making the connection."},{"name":"UserId","type":"string","description":"A machine-readable, alphanumeric, unique representation of the source user."},{"name":"UserPrincipalName","type":"string","description":"The source username, including domain information when available."},{"name":"TransportProtocol","type":"string","description":"The IP protocol used by the connection or session as listed in IANA protocol assignment."},{"name":"NetworkProtocol","type":"string","description":"The network protocol, IPv6 or IPv4."},{"name":"InitiatingProcessName","type":"string","description":"The process initiating the traffic 
transaction."},{"name":"AppId","type":"string","description":"Destination Application ID accessed in Azure AD during the transaction."},{"name":"PopProcessingRegion","type":"string","description":"Region where the request was processed by the backend service."},{"name":"RemoteNetworkId","type":"string","description":"The ID from which traffic was sent or received, providing visibility into the origin of the traffic."},{"name":"Token3PExpiry","type":"datetime","description":"The expiry date of the access token used to access the private access application."},{"name":"Token3PValidFrom","type":"datetime","description":"The validity date of the access token used to access the private access application."},{"name":"Token3PIssuedAt","type":"datetime","description":"The issued date of the access token used to access the private access application."},{"name":"Token3PUniqueId","type":"string","description":"The unique token identifier of the access token used to access the private access application."},{"name":"SecurityProfileId","type":"string","description":"The ID of the security profile that blocked the connection."},{"name":"SecurityProfileName","type":"string","description":"The name of the security profile that blocked the connection."},{"name":"SecurityProfileVersion","type":"string","description":"The version of the security profile that blocked the connection."},{"name":"SecurityPolicyId","type":"string","description":"The ID of the security policy within the security profile."},{"name":"SecurityPolicyName","type":"string","description":"The name of the security policy within the security profile."},{"name":"SecurityPolicyVersion","type":"string","description":"The version of the security policy within the security profile."},{"name":"SecurityRuleId","type":"string","description":"The ID of the rule that determined the action."},{"name":"IsLocal","type":"bool","description":"Represents if the connection was triggered by Intelligent Local 
Access."},{"name":"HomeTenantId","type":"string","description":"The home tenant ID for B2B scenarios."},{"name":"CrossTenantAccessType","type":"string","description":"Indication of B2B connection."},{"name":"DeviceJoinType","type":"string","description":"Device registration type, for BYOD scenarios."},{"name":"SourceIpCountryCode","type":"string","description":"The two-letter country code associated with the source IP address."},{"name":"SourceIpState","type":"string","description":"The state or region associated with the source IP address."},{"name":"SourceIpStateCode","type":"string","description":"The source IP state or region code."},{"name":"SourceIpCity","type":"string","description":"The city associated with the source IP address."},{"name":"SourceIpLatitude","type":"real","description":"The latitude coordinate associated with the source IP address."},{"name":"SourceIpLongitude","type":"real","description":"The longitude coordinate associated with the source IP address."},{"name":"SourceIpAutonomousSystemNumber","type":"string","description":"The autonomous system number (ASN) associated with the source IP address."},{"name":"SourceIpCarrier","type":"string","description":"The network carrier associated with the source IP address."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","network","management"],"solutions":["LogManagement"]}},{"id":"NetworkAccessGenerativeAIInsights","name":"NetworkAccessGenerativeAIInsights","tableType":"Microsoft","description":"Logs generated by Generative AI interactions through network access, containing details about user activities and content access patterns.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The 
date and time (UTC) that the event was generated."},{"name":"Activity","type":"string","description":"The type of generative AI activity being performed."},{"name":"TransactionId","type":"string","description":"Unique identifier for the transaction."},{"name":"SessionId","type":"string","description":"Unique identifier for the session."},{"name":"Content","type":"string","description":"The content or query associated with the generative AI interaction."},{"name":"UserPrincipalName","type":"string","description":"The UPN of the user who performed the activity."},{"name":"DestinationUrl","type":"string","description":"The URL of the generative AI endpoint accessed."},{"name":"SubActivity","type":"string","description":"The specific type of operation within the activity."},{"name":"EventId","type":"string","description":"Unique identifier for the generative AI event."},{"name":"EventType","type":"string","description":"The type of generative AI event that occurred."},{"name":"McpServerName","type":"string","description":"The name of the MCP server handling the MCP requests."},{"name":"McpClientName","type":"string","description":"The name of the MCP client initiating the MCP communication."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","network","management"],"solutions":["LogManagement"]}},{"id":"NetworkAccessTraffic","name":"NetworkAccessTraffic","tableType":"Microsoft","description":"This table is part of Identity and Network Access, which contains Network Traffic Access logs. 
These logs can be leveraged for policy, risk, and traffic management, as well as to monitor users experience.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time (UTC) that the event was generated."},{"name":"TransactionId","type":"string","description":"Unique identifier that representing a roundtrip of request response."},{"name":"ConnectionId","type":"string","description":"Unique identifier representing the connection this traffic log was initiated from."},{"name":"SessionId","type":"string","description":"Unique identifier representing the session."},{"name":"TrafficType","type":"string","description":"The type of the target destination traffic."},{"name":"DeviceCategory","type":"string","description":"Device type the transaction originated from. Client, Branch."},{"name":"DestinationIp","type":"string","description":"The IP address of the connection or session destination."},{"name":"DestinationPort","type":"int","description":"The destination IP port."},{"name":"DestinationFqdn","type":"string","description":"The destination device hostname, including domain information when available."},{"name":"SourceIp","type":"string","description":"The IP address from which the connection or session originated."},{"name":"SourcePort","type":"int","description":"The IP port from which the connection originated."},{"name":"DeviceOperatingSystem","type":"string","description":"The client connecting operating system type."},{"name":"DeviceOperatingSystemVersion","type":"string","description":"The client connecting operating system version."},{"name":"AgentVersion","type":"string","description":"The version of the agent connecting."},{"name":"DeviceId","type":"string","description":"The ID of the source device as reported in the record."},{"name":"UserId","type":"string","description":"A machine-readable, alphanumeric, 
unique representation of the source user."},{"name":"UserPrincipalName","type":"string","description":"The source username, including domain information when available."},{"name":"TransportProtocol","type":"string","description":"The IP protocol used by the connection or session as listed in IANA protocol assignment."},{"name":"NetworkProtocol","type":"string","description":"The network protocol, IPv6 or IPv4."},{"name":"Action","type":"string","description":"The action taken on the network session. Allowed, Denied."},{"name":"PolicyRuleId","type":"string","description":"The ID of the rule for which the request was denied by."},{"name":"PolicyId","type":"string","description":"The ID of the policy for which the request was denied by its rule."},{"name":"SentBytes","type":"long","description":"The number of bytes sent."},{"name":"ReceivedBytes","type":"long","description":"The number of bytes received."},{"name":"ReferrerHeader","type":"string","description":"The Referer header value."},{"name":"OriginHeader","type":"string","description":"The origin header value."},{"name":"XForwardedFor","type":"string","description":"X-Forwarded-For header of the HTTP request."},{"name":"DestinationWebCategories","type":"string","description":"The destination FQDN's Web Categories."},{"name":"FilteringProfileId","type":"string","description":"The ID of the Filtering Profile associated with the action performed on traffic."},{"name":"FilteringProfileName","type":"string","description":"The name of the Filtering Profile associated with the action performed on traffic."},{"name":"PolicyName","type":"string","description":"The name of the filtering policy associated with the action performed on traffic."},{"name":"RuleName","type":"string","description":"The name of the rule associated with the action performed on traffic."},{"name":"InitiatingProcessName","type":"string","description":"The process initiating the traffic 
transaction."},{"name":"ResourceTenantId","type":"string","description":"Tenant ID that owns the resource."},{"name":"ThreatType","type":"string","description":"The identified threat type associated with the traffic."},{"name":"DestinationUrl","type":"string","description":"The Url link of the connection or session destination."},{"name":"Description","type":"string","description":"Additional details describing the traffic."},{"name":"AppId","type":"string","description":"Destination Application ID accessed in Azure AD during the transaction."},{"name":"ConnectorId","type":"string","description":"Private access connector ID."},{"name":"ConnectorName","type":"string","description":"Private access connector name."},{"name":"ConnectorIp","type":"string","description":"Private access connector IP."},{"name":"ConnectionStatus","type":"string","description":"Status of a connection. Status options: Open, Active, Closed."},{"name":"AccessType","type":"string","description":"Type of accessed application. 
Access type options: QuickAccess, PrivateAccess."},{"name":"ProcessingRegion","type":"string","description":"Region where the request was processed by the backend service."},{"name":"AppSegmentId","type":"string","description":"Destination Application segment ID from Azure AD accessed during the transaction."},{"name":"RemoteNetworkId","type":"string","description":"The ID from which traffic was sent or received, providing visibility into the origin of the traffic."},{"name":"HttpMethod","type":"string","description":"The http method used in the request."},{"name":"ResponseCode","type":"int","description":"The response code returned from the server."},{"name":"Token3PExpiry","type":"datetime","description":"The expiry date of the access token used to access the private access application."},{"name":"Token3PValidFrom","type":"datetime","description":"The validity date of the access token used to access the private access application."},{"name":"Token3PIssuedAt","type":"datetime","description":"The issued date of the access token used to access the private access application."},{"name":"Token3PUniqueId","type":"string","description":"The unique token identifier of the access token used to access the private access application."},{"name":"TlsAction","type":"string","description":"The TLS action taken on the traffic."},{"name":"TlsStatus","type":"string","description":"The status of the Tls option."},{"name":"TlsPolicyId","type":"string","description":"The unique token identifier of the TLS policy applied to the traffic."},{"name":"TlsPolicyName","type":"string","description":"The name for the TLS policy applied to the traffic."},{"name":"UniqueTokenId","type":"string","description":"The unique token identifier."},{"name":"VendorNames","type":"string","description":"The name of the vendors who detected the threat."},{"name":"CloudAppCatalogId","type":"string","description":"The id of the application in the saas application 
catalog."},{"name":"CloudAppName","type":"string","description":"The name of the application (i.e chatGPT, SalesForce, Bing)."},{"name":"CloudAppCategory","type":"string","description":"The category of the cloud application (i.e social media, search, generative AI)."},{"name":"CloudAppCategories","type":"string","description":"The category list of the cloud application (i.e social media, search, generative AI)."},{"name":"CloudAppGeneralScore","type":"int","description":"The general score of the application."},{"name":"CloudAppRiskScore","type":"int","description":"The risk score of the application."},{"name":"CloudAppComplianceScore","type":"int","description":"The compliance score of the application."},{"name":"CloudAppLegalScore","type":"int","description":"The legal score of the application."},{"name":"CloudAppLoginUser","type":"string","description":"The username that was used to log into the application."},{"name":"HttpRequestContentType","type":"string","description":"The content type specified in the HTTP request header."},{"name":"HttpResponseContentType","type":"string","description":"The content type specified in the HTTP response header."},{"name":"HttpUserAgent","type":"string","description":"The user agent string from the HTTP request header."},{"name":"TlsRuleId","type":"string","description":"The unique identifier of the TLS rule applied to the traffic."},{"name":"TlsRuleName","type":"string","description":"The name of the TLS rule applied to the traffic."},{"name":"DnsResponseOrigin","type":"string","description":"The origin of the DNS response for the traffic. Possible values: Cache, Onprem."},{"name":"AIAgentId","type":"string","description":"The unique identifier of the AI agent associated with the traffic."},{"name":"AIAgentName","type":"string","description":"The name of the AI agent associated with the traffic."},{"name":"KerberosMsgType","type":"string","description":"Kerberos message type number (AS/TGS). 
Possible values: 10 (AS_REQ), 11 (AS_REP), 12 (TGS_REQ), 13 (TGS_REP)."},{"name":"ServicePrincipalName","type":"string","description":"Target service the client is trying to access."},{"name":"Realm","type":"string","description":"Kerberos realm of the target service."},{"name":"OnPremAccount","type":"string","description":"Client principal name requesting the ticket."},{"name":"KerberosNonce","type":"int","description":"Random number for request/reply matching."},{"name":"KerberosClientName","type":"string","description":"Name associated with client during authentication."},{"name":"KerberosErrorCode","type":"int","description":"Kerberos error code (0-81). See KerberosErrorCodeName for corresponding error name."},{"name":"KerberosErrorCodeName","type":"string","description":"Kerberos error code name. Possible values: KDC_ERR_NONE (0), KDC_ERR_NAME_EXP (1), KDC_ERR_SERVICE_EXP (2), KDC_ERR_BAD_PVNO (3), KDC_ERR_C_OLD_MAST_KVNO (4), KDC_ERR_S_OLD_MAST_KVNO (5), KDC_ERR_C_PRINCIPAL_UNKNOWN (6), KDC_ERR_S_PRINCIPAL_UNKNOWN (7), KDC_ERR_PRINCIPAL_NOT_UNIQUE (8), KDC_ERR_NULL_KEY (9), KDC_ERR_CANNOT_POSTDATE (10), KDC_ERR_NEVER_VALID (11), KDC_ERR_POLICY (12), KDC_ERR_BADOPTION (13), KDC_ERR_ETYPE_NOSUPP (14), KDC_ERR_SUMTYPE_NOSUPP (15), KDC_ERR_PADATA_TYPE_NOSUPP (16), KDC_ERR_TRTYPE_NOSUPP (17), KDC_ERR_CLIENT_REVOKED (18), KDC_ERR_SERVICE_REVOKED (19), KDC_ERR_TGT_REVOKED (20), KDC_ERR_CLIENT_NOTYET (21), KDC_ERR_SERVICE_NOTYET (22), KDC_ERR_KEY_EXPIRED (23), KDC_ERR_PREAUTH_FAILED (24), KDC_ERR_PREAUTH_REQUIRED (25), KDC_ERR_SERVER_NOMATCH (26), KDC_ERR_MUST_USE_USER2USER (27), KDC_ERR_PATH_NOT_ACCEPTED (28), KDC_ERR_SVC_UNAVAILABLE (29), KRB_AP_ERR_BAD_INTEGRITY (31), KRB_AP_ERR_TKT_EXPIRED (32), KRB_AP_ERR_TKT_NYV (33), KRB_AP_ERR_REPEAT (34), KRB_AP_ERR_NOT_US (35), KRB_AP_ERR_BADMATCH (36), KRB_AP_ERR_SKEW (37), KRB_AP_ERR_BADADDR (38), KRB_AP_ERR_BADVERSION (39), KRB_AP_ERR_MSG_TYPE (40), KRB_AP_ERR_MODIFIED (41), KRB_AP_ERR_BADORDER (42), KRB_AP_ERR_BADKEYVER 
(44), KRB_AP_ERR_NOKEY (45), KRB_AP_ERR_MUT_FAIL (46), KRB_AP_ERR_BADDIRECTION (47), KRB_AP_ERR_METHOD (48), KRB_AP_ERR_BADSEQ (49), KRB_AP_ERR_INAPP_CKSUM (50), KRB_AP_PATH_NOT_ACCEPTED (51), KRB_ERR_RESPONSE_TOO_BIG (52), KRB_ERR_GENERIC (60), KRB_ERR_FIELD_TOOLONG (61), KDC_ERR_CLIENT_NOT_TRUSTED (62), KDC_ERR_KDC_NOT_TRUSTED (63), KDC_ERR_INVALID_SIG (64), KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED (65), KDC_ERR_CERTIFICATE_MISMATCH (66), KRB_AP_ERR_NO_TGT (67), KDC_ERR_WRONG_REALM (68), KRB_AP_ERR_USER_TO_USER_REQUIRED (69), KDC_ERR_CANT_VERIFY_CERTIFICATE (70), KDC_ERR_INVALID_CERTIFICATE (71), KDC_ERR_REVOKED_CERTIFICATE (72), KDC_ERR_REVOCATION_STATUS_UNKNOWN (73), KDC_ERR_REVOCATION_STATUS_UNAVAILABLE (74), KDC_ERR_CLIENT_NAME_MISMATCH (75), KDC_ERR_KDC_NAME_MISMATCH (76), KDC_ERR_INCONSISTENT_KEY_PURPOSE (77), KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED (78), KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (79), KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED (80), KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED (81)."},{"name":"KerberosErrorText","type":"string","description":"Kerberos error text description."},{"name":"IsAgentic","type":"bool","description":"Indicates whether the traffic was detected as agentic."},{"name":"ProcessTree","type":"string","description":"The process tree associated with the network request."},{"name":"ProcessArgs","type":"string","description":"The process arguments associated with the network request."},{"name":"AIDetectionConfidence","type":"int","description":"Confidence level of the AI detection result."},{"name":"AIDetectionEvidence","type":"string","description":"Evidence details for the AI detection result."},{"name":"IsTokenAgentic","type":"bool","description":"Indicates whether the token used in the traffic was issued to an AI agent."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","network","management"],"solutions":["LogManagement"]}},{"id":"NetworkMonitoring","name":"NetworkMonitoring","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"SubType","type":"string","isPreferredFacet":true},{"name":"SubnetId","type":"string","isPreferredFacet":true},{"name":"HostIp","type":"string","isPreferredFacet":true},{"name":"HostFqdn","type":"string","isPreferredFacet":true},{"name":"L4Port","type":"int","isPreferredFacet":true},{"name":"L7Protocol","type":"string","isPreferredFacet":true},{"name":"L4Protocol","type":"string","isPreferredFacet":true},{"name":"HostIp1","type":"string"},{"name":"HostFqdn1","type":"string"},{"name":"HostIp2","type":"string"},{"name":"HostFqdn2","type":"string"},{"name":"TotalByteCount","type":"long"},{"name":"TotalPacketCount","type":"long"},{"name":"ToS","type":"int","isPreferredFacet":true},{"name":"IngressByteCount","type":"long"},{"name":"IngressPacketCount","type":"long"},{"name":"EgressByteCount","type":"long"},{"name":"EgressPacketCount","type":"long"},{"name":"InternalByteCount","type":"long"},{"name":"InternalPacketCount","type":"long"},{"name":"ExporterIp","type":"string","isPreferredFacet":true},{"name":"ExportProtocol","type":"string"},{"name":"InterfaceId","type":"int","isPreferredFacet":true},{"name":"TotalFlowRecords","type":"long"},{"name":"SubnetId1","type":"string"},{"name":"SubnetId2","type":"string"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"SourceNetwork","type":"string","isPreferredFacet":true},{"name":"DestinationNetwork","type":"string","isPreferredFacet":true},{"name":"SourceSubNetwork","type":"string","isPreferredFacet":true},{"name":"DestinationSubNetwork","type":"string","isPre
ferredFacet":true},{"name":"SourceNetworkNodeLink","type":"string","isPreferredFacet":true},{"name":"DestinationNetworkNodeLink","type":"string","isPreferredFacet":true},{"name":"PathInformation","type":"string"},{"name":"AgentIP","type":"string","isPreferredFacet":true},{"name":"AgentFqdn","type":"string","isPreferredFacet":true},{"name":"Loss","type":"real"},{"name":"HighLatency","type":"real"},{"name":"MedianLatency","type":"real"},{"name":"LowLatency","type":"real"},{"name":"LossHealthIndicator","type":"bool","isPreferredFacet":true},{"name":"LatencyHealthIndicator","type":"bool","isPreferredFacet":true},{"name":"RuleName","type":"string","isPreferredFacet":true},{"name":"TimeSinceActive","type":"int"},{"name":"LossFaultLinks","type":"string"},{"name":"LatencyFaultLinks","type":"string"},{"name":"LossBenchmark","type":"real","isPreferredFacet":true},{"name":"LatencyBenchmark","type":"real","isPreferredFacet":true},{"name":"LossMode","type":"string","isPreferredFacet":true},{"name":"LatencyMode","type":"string","isPreferredFacet":true},{"name":"SubnetLinkCount","type":"int"},{"name":"NodeLinkCount","type":"int","isPreferredFacet":true},{"name":"AlertsCount","type":"int"},{"name":"PrefixLength","type":"string","isPreferredFacet":true},{"name":"AddressType","type":"string","isPreferredFacet":true},{"name":"TimeProcessed","type":"datetime","isPreferredFacet":true},{"name":"SourceNetworkNodeInterface","type":"string","isPreferredFacet":true},{"name":"DestinationNetworkNodeInterface","type":"string","isPreferredFacet":true},{"name":"Path","type":"string"},{"name":"LossThreshold","type":"real","isPreferredFacet":true},{"name":"LatencyThreshold","type":"real","isPreferredFacet":true},{"name":"LossThresholdMode","type":"string","isPreferredFacet":true},{"name":"LatencyThresholdMode","type":"string","isPreferredFacet":true},{"name":"LossHealthState","type":"string","isPreferredFacet":true},{"name":"LatencyHealthState","type":"string","isPreferredFacet":true},{"name":"Agen
tId","type":"string","isPreferredFacet":true},{"name":"AgentCapability","type":"int","isPreferredFacet":true},{"name":"Protocol","type":"string","isPreferredFacet":true},{"name":"AzureHopListIPAddress","type":"string"},{"name":"AzureHopListType","type":"string"},{"name":"AzureHopListHealth","type":"string"},{"name":"AzureHopListDiagnosticCode","type":"string"},{"name":"AzureHopListResourceID","type":"string"},{"name":"OSType","type":"string","isPreferredFacet":true},{"name":"RouterName","type":"string","isPreferredFacet":true},{"name":"RouterIP","type":"string","isPreferredFacet":true},{"name":"MachineType","type":"int","isPreferredFacet":true},{"name":"NPMAgentEnvironment","type":"string","isPreferredFacet":true},{"name":"ConnectionMonitorResourceId","type":"string","isPreferredFacet":true},{"name":"BitsInPerSecond","type":"long","isPreferredFacet":true},{"name":"BitsOutPerSecond","type":"long","isPreferredFacet":true},{"name":"NotificationCode","type":"int","isPreferredFacet":true},{"name":"NotificationType","type":"string","isPreferredFacet":true},{"name":"MinHopLatencyList","type":"string"},{"name":"MaxHopLatencyList","type":"string"},{"name":"AvgHopLatencyList","type":"string"},{"name":"TraceRouteCompletionTime","type":"datetime"},{"name":"TestName","type":"string","isPreferredFacet":true},{"name":"ServiceTestId","type":"int","isPreferredFacet":true},{"name":"Port","type":"int","isPreferredFacet":true},{"name":"EndpointId","type":"int","isPreferredFacet":true},{"name":"ServiceResponseCode","type":"long","isPreferredFacet":true},{"name":"Target","type":"string","isPreferredFacet":true},{"name":"ServiceResponseTime","type":"real"},{"name":"ServiceResponseHealthState","type":"string","isPreferredFacet":true},{"name":"ServiceResponseThreshold","type":"real"},{"name":"ServiceResponseThresholdMode","type":"string","isPreferredFacet":true},{"name":"ServiceLossPercent","type":"real"},{"name":"ServiceLossHealthState","type":"string","isPreferredFacet":true},{"name":"Res
ponseCodeHealthState","type":"string","isPreferredFacet":true},{"name":"CircuitName","type":"string","isPreferredFacet":true},{"name":"PeeringName","type":"string","isPreferredFacet":true},{"name":"PeeringType","type":"string","isPreferredFacet":true},{"name":"VirtualNetwork","type":"string","isPreferredFacet":true},{"name":"CircuitRegion","type":"string","isPreferredFacet":true},{"name":"PeeringLocation","type":"string","isPreferredFacet":true},{"name":"ServiceProvider","type":"string","isPreferredFacet":true},{"name":"ProvisioningState","type":"string","isPreferredFacet":true},{"name":"CircuitSKUTier","type":"string","isPreferredFacet":true},{"name":"CircuitSKUFamily","type":"string","isPreferredFacet":true},{"name":"MicrosoftEdge","type":"string","isPreferredFacet":true},{"name":"ProviderEdge","type":"string","isPreferredFacet":true},{"name":"MicrosoftEdgeAlias","type":"string","isPreferredFacet":true},{"name":"ProviderEdgeAlias","type":"string","isPreferredFacet":true},{"name":"DiagnosticHop","type":"string"},{"name":"DiagnosticHopLatency","type":"string"},{"name":"TotalPeerings","type":"int"},{"name":"TotalSessions","type":"int"},{"name":"VLan","type":"int"},{"name":"IsPrimary","type":"bool","isPreferredFacet":true},{"name":"SubscriptionId","type":"string","isPreferredFacet":true},{"name":"ServiceKey","type":"string","isPreferredFacet":true},{"name":"PrimaryBytesInPerSecond","type":"long"},{"name":"PrimaryBytesOutPerSecond","type":"long"},{"name":"SecondaryBytesInPerSecond","type":"long"},{"name":"SecondaryBytesOutPerSecond","type":"long"},{"name":"UtilizationHealthState","type":"string","isPreferredFacet":true},{"name":"CircuitResourceGroup","type":"string","isPreferredFacet":true},{"name":"CircuitSubscriptionId","type":"string","isPreferredFacet":true},{"name":"CircuitResourceId","type":"string","isPreferredFacet":true},{"name":"ConnectionResourceId","type":"string","isPreferredFacet":true},{"name":"NodeUniqueName","type":"string","isPreferredFacet":true},{"n
ame":"DeviceMonitoringChannel","type":"string","isPreferredFacet":true},{"name":"DeviceComponentType","type":"string","isPreferredFacet":true},{"name":"DeviceState","type":"string","isPreferredFacet":true},{"name":"FriendlyName","type":"string","isPreferredFacet":true},{"name":"Index","type":"long","isPreferredFacet":true},{"name":"Details","type":"string"},{"name":"Model","type":"string","isPreferredFacet":true},{"name":"Vendor","type":"string","isPreferredFacet":true},{"name":"sysName","type":"string","isPreferredFacet":true},{"name":"sysDescr","type":"string"},{"name":"sysLocation","type":"string"},{"name":"sysContact","type":"string"},{"name":"sysObjectID","type":"string","isPreferredFacet":true},{"name":"DeviceType","type":"string","isPreferredFacet":true},{"name":"SupportsSnmp","type":"bool","isPreferredFacet":true},{"name":"SnmpVersion","type":"string","isPreferredFacet":true},{"name":"SnmpManagementIpV4Address","type":"string","isPreferredFacet":true},{"name":"SnmpManagementIpV6Address","type":"string","isPreferredFacet":true},{"name":"InterfaceCount","type":"int","isPreferredFacet":true},{"name":"FanCount","type":"int","isPreferredFacet":true},{"name":"MemCount","type":"int","isPreferredFacet":true},{"name":"ProcessorCount","type":"int","isPreferredFacet":true},{"name":"DiskCount","type":"int","isPreferredFacet":true},{"name":"ifPhysAddress","type":"string","isPreferredFacet":true},{"name":"IpV4Subnets","type":"string"},{"name":"IpV6Subnets","type":"string"},{"name":"IpV4Addresses","type":"string"},{"name":"IpV6Addresses","type":"string"},{"name":"RouteTableIpV4NextHops","type":"string"},{"name":"RouteTableIpV6NextHops","type":"string"},{"name":"RouteTableNextHopNodes","type":"string"},{"name":"L2ConnectedPorts","type":"string"},{"name":"L2ConnectedNodes","type":"string"},{"name":"PortName","type":"string"},{"name":"ifType","type":"string","isPreferredFacet":true},{"name":"ifMtu","type":"long","isPreferredFacet":true},{"name":"ifHighSpeed","type":"long"},{"
name":"RouteDestination","type":"string"},{"name":"RouteMetric","type":"string"},{"name":"RouteNextHop","type":"string"},{"name":"IcmpPingStatus","type":"string","isPreferredFacet":true},{"name":"SnmpPingStatus","type":"string","isPreferredFacet":true},{"name":"PingDelayInMsec","type":"real"},{"name":"sysUpTime","type":"long"},{"name":"InOctetsPerSec","type":"long"},{"name":"OutOctetsPerSec","type":"long"},{"name":"InDiscardsPerSec","type":"long"},{"name":"InDiscardsPercent","type":"int"},{"name":"OutDiscardsPerSec","type":"long"},{"name":"OutDiscardsPercent","type":"int"},{"name":"InErrorsPerSec","type":"long"},{"name":"InErrorsPercent","type":"int"},{"name":"OutErrorsPerSec","type":"long"},{"name":"OutErrorsPercent","type":"long"},{"name":"InUnicastPktsPerSec","type":"long"},{"name":"OutUnicastPktsPerSec","type":"long"},{"name":"InMultiCastPktsPerSec","type":"long"},{"name":"OutMultiCastPktsPerSec","type":"long"},{"name":"InBroadCastPktsPerSec","type":"long"},{"name":"OutBroadCastPktsPerSec","type":"long"},{"name":"ifAdminStatus","type":"string","isPreferredFacet":true},{"name":"ifOperStatus","type":"string","isPreferredFacet":true},{"name":"ifHCInOctets","type":"long"},{"name":"ifHCInUcastPkts","type":"long"},{"name":"ifHCInMulticastPkts","type":"long"},{"name":"ifHCInBroadcastPkts","type":"long"},{"name":"ifInDiscardsMib2","type":"long"},{"name":"ifInErrors","type":"long"},{"name":"ifHCOutOctetsMib2","type":"int"},{"name":"ifHCOutUcastPkts","type":"long"},{"name":"ifHCOutMulticastPkts","type":"long"},{"name":"ifHCOutBroadcastPkts","type":"long"},{"name":"ifOutDiscards","type":"long"},{"name":"ifOutErrors","type":"long"},{"name":"ifOutQLen","type":"long"},{"name":"MemTotalInMB","type":"long"},{"name":"MemAvailablePercent","type":"int"},{"name":"ProcessorTimePercent","type":"int"},{"name":"Enterprise","type":"string","isPreferredFacet":true},{"name":"GenTrapType","type":"string","isPreferredFacet":true},{"name":"SpecificTrapType","type":"string","isPreferredFacet"
:true},{"name":"TrapOid","type":"string","isPreferredFacet":true},{"name":"TrapData","type":"string"},{"name":"TrapCollectionIntervalInSeconds","type":"int"},{"name":"TrapCount","type":"int"},{"name":"CustomMonitoringData","type":"string","isPreferredFacet":true},{"name":"CustomFieldName","type":"string","isPreferredFacet":true},{"name":"CustomOid","type":"string","isPreferredFacet":true},{"name":"CustomOidResponseSuffix","type":"string"},{"name":"CustomFieldValueString","type":"string"},{"name":"CustomFieldValueHex","type":"string"},{"name":"CustomFieldValueInt","type":"long"},{"name":"CustomFieldValueFloat","type":"long"},{"name":"MessageCode","type":"string"},{"name":"MessageDetails","type":"string"},{"name":"MessageType","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["network"],"solutions":["NetworkMonitoring"]}},{"id":"NetworkSessions","name":"NetworkSessions","tableType":"Microsoft","description":"Network connections or sessions such as those logged by firewalls, Wire Data, NSG, Netflow, proxy systems and web security gateways.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"EventType","type":"string","description":"Type of event being collected."},{"name":"EventSubType","type":"string","description":"Additional description of type if applicable."},{"name":"EventCount","type":"int","description":"The number of events aggregated, if applicable."},{"name":"EventEndTime","type":"datetime","description":"The time in which the event ended."},{"name":"EventMessage","type":"string","description":"A general message or description, either included in, or generated from the record."},{"name":"DvcIpAddr","type":"string","description":"The IP address of the device generating the 
record."},{"name":"DvcMacAddr","type":"string","description":"The MAC address of the network interface of the reporting device from which the event was sent."},{"name":"DvcHostname","type":"string","description":"The device name of the device generating the message."},{"name":"EventProduct","type":"string","description":"The product generating the event."},{"name":"EventProductVersion","type":"string","description":"The version of the product generating the event."},{"name":"EventResourceId","type":"string","description":"The resource ID of the device generating the message."},{"name":"EventReportUrl","type":"string","description":"A link to the full report created by the reporting device."},{"name":"EventVendor","type":"string","description":"The vendor of the product generating the event."},{"name":"EventResult","type":"string","description":"The result reported for the activity. Empty value when not applicable."},{"name":"EventResultDetails","type":"string","description":"Reason for the result reported in EventResult."},{"name":"EventSchemaVersion","type":"string","description":"Azure Sentinel Schema Version."},{"name":"EventSeverity","type":"string","description":"If the activity reported has a security impact, denotes the severity of the impact."},{"name":"EventOriginalUid","type":"string","description":"The record ID from the reporting device."},{"name":"EventStartTime","type":"datetime","description":"The time at which the event started."},{"name":"TimeGenerated","type":"datetime","description":"The time the event occurred, as reported by the reporting source."},{"name":"EventTimeIngested","type":"datetime","description":"The time the event was ingested to Azure Sentinel. 
Will be added by Azure Sentinel."},{"name":"EventUid","type":"string","description":"Unique identifier used by Sentinel to mark a row."},{"name":"NetworkApplicationProtocol","type":"string","description":"The application layer protocol used by the connection or session."},{"name":"DstBytes","type":"long","description":"The number of bytes sent from the destination to the source for the connection or session."},{"name":"SrcBytes","type":"long","description":"The number of bytes sent from the source to the destination for the connection or session."},{"name":"NetworkBytes","type":"long","description":"Number of bytes sent in both directions. If both BytesReceived and BytesSent exist, BytesTotal should equal their sum."},{"name":"NetworkDirection","type":"string","description":"The direction of the connection or session, into or out of the organization."},{"name":"DstGeoCity","type":"string","description":"The city associated with the destination IP address."},{"name":"DstGeoCountry","type":"string","description":"The country associated with the destination IP address."},{"name":"DstDvcHostname","type":"string","description":"The device name of the destination device."},{"name":"DstDvcFqdn","type":"string","description":"The fully qualified domain name of the host where the log was created."},{"name":"DstDomainHostname","type":"string","description":"The domain of the destination host."},{"name":"DstInterfaceName","type":"string","description":"The network interface used for the connection or session by the destination device."},{"name":"DstInterfaceGuid","type":"string","description":"GUID of the network interface which was used for the authentication request."},{"name":"DstIpAddr","type":"string","description":"The IP address of the connection or session destination."},{"name":"DstDvcIpAddr","type":"string","description":"The destination IP address of a device that is not directly associated with the network packet."},{"name":"DstGeoLatitude","type":"real","description":"The 
latitude of the geographical coordinate associated with the destination IP address."},{"name":"DstMacAddr","type":"string","description":"The MAC address of the network interface at which the connection or session terminated."},{"name":"DstDvcMacAddr","type":"string","description":"The destination MAC address of a device that is not directly associated with the network packet."},{"name":"DstDvcDomain","type":"string","description":"The Domain of the destination device."},{"name":"DstPortNumber","type":"int","description":"The destination IP port."},{"name":"DstGeoRegion","type":"string","description":"The region within a country associated with the destination IP address."},{"name":"DstResourceId","type":"string","description":"The resource Id of the destination device."},{"name":"DstNatIpAddr","type":"string","description":"If reported by an intermediary NAT device such as a firewall, the IP address used by the NAT device for communication with the source."},{"name":"DstNatPortNumber","type":"int","description":"If reported by an intermediary NAT device such as a firewall, the port used by the NAT device for communication with the source."},{"name":"DstUserSid","type":"string","description":"The User ID of the identity associated with the session's destination. 
Typically, the identity used to authenticate a server."},{"name":"DstUserAadId","type":"string","description":"The Azure AD account object ID of the user at the destination end of the session."},{"name":"DstUserName","type":"string","description":"The username of the identity associated with the session’s destination."},{"name":"DstUserUpn","type":"string","description":"The UPN of the identity associated with the session’s destination."},{"name":"DstUserDomain","type":"string","description":"The domain or computer name of the account at the destination of the session."},{"name":"DstZone","type":"string","description":"The network zone of the destination, as defined by the reporting device."},{"name":"DstGeoLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the destination IP address."},{"name":"DvcAction","type":"string","description":"If reported by an intermediary device such as a firewall, the action taken by the device."},{"name":"DvcInboundInterface","type":"string","description":"If reported by an intermediary device such as a firewall, the network interface used by it for the connection to the source device."},{"name":"DvcOutboundInterface","type":"string","description":"If reported by an intermediary device such as a firewall, the network interface used by it for the connection to the destination device."},{"name":"NetworkDuration","type":"int","description":"The amount of time, in milliseconds, for the completion of the network session or connection."},{"name":"NetworkIcmpCode","type":"int","description":"For an ICMP message, ICMP message type numeric value (RFC 2780 or RFC 4443)."},{"name":"NetworkIcmpType","type":"string","description":"For an ICMP message, ICMP message type text representation (RFC 2780 or RFC 4443)."},{"name":"DstPackets","type":"long","description":"The number of packets sent from the destination to the source for the connection or session. 
The meaning of a packet is defined by the reporting device."},{"name":"SrcPackets","type":"long","description":"The number of packets sent from the source to the destination for the connection or session. The meaning of a packet is defined by the reporting device."},{"name":"NetworkPackets","type":"long","description":"Number of packets sent in both directions. If both PacketsReceived and PacketsSent exist, BytesTotal should equal their sum."},{"name":"HttpRequestTime","type":"int","description":"The amount of time it took to send the request to the server, if applicable."},{"name":"HttpResponseTime","type":"int","description":"The amount of time it took to receive a response in the server, if applicable."},{"name":"NetworkRuleName","type":"string","description":"The name or ID of the rule by which DeviceAction was decided upon."},{"name":"NetworkRuleNumber","type":"int","description":"Matched rule number."},{"name":"NetworkSessionId","type":"string","description":"The session identifier as reported by the reporting device."},{"name":"SrcGeoCity","type":"string","description":"The city associated with the source IP address."},{"name":"SrcGeoCountry","type":"string","description":"The country associated with the source IP address."},{"name":"SrcDvcHostname","type":"string","description":"The device name of the source device."},{"name":"SrcDvcFqdn","type":"string","description":"The fully qualified domain name of the host where the log was created."},{"name":"SrcDvcDomain","type":"string","description":"Domain of the device from which session was initiated."},{"name":"SrcDvcOs","type":"string","description":"The OS of the source device."},{"name":"SrcDvcModelName","type":"string","description":"The model of the source device."},{"name":"SrcDvcModelNumber","type":"string","description":"The model number of the source device."},{"name":"SrcDvcType","type":"string","description":"The type of the source 
device."},{"name":"SrcInterfaceName","type":"string","description":"The network interface used for the connection or session by the source device."},{"name":"SrcInterfaceGuid","type":"string","description":"GUID of the network interface used."},{"name":"SrcIpAddr","type":"string","description":"The IP address from which the connection or session originated."},{"name":"SrcDvcIpAddr","type":"string","description":"The source IP address of a device not directly associated with the network packet (collected by a provider or explicitly calculated)."},{"name":"SrcGeoLatitude","type":"real","description":"The latitude of the geographical coordinate associated with the source IP address."},{"name":"SrcGeoLongitude","type":"real","description":"The longitude of the geographical coordinate associated with the source IP address."},{"name":"SrcMacAddr","type":"string","description":"The MAC address of the network interface from which the connection or session originated."},{"name":"SrcDvcMacAddr","type":"string","description":"The source MAC address of a device that is not directly associated with the network packet."},{"name":"SrcPortNumber","type":"int","description":"The IP port from which the connection originated. 
May not be relevant for a session comprising multiple connections."},{"name":"SrcGeoRegion","type":"string","description":"The region within a country associated with the source IP address."},{"name":"SrcResourceId","type":"string","description":"The resource ID of the device generating the message."},{"name":"SrcNatIpAddr","type":"string","description":"If reported by an intermediary NAT device such as a firewall, the IP address used by the NAT device for communication with the destination."},{"name":"SrcNatPortNumber","type":"int","description":"If reported by an intermediary NAT device such as a firewall, the port used by the NAT device for communication with the destination."},{"name":"SrcUserSid","type":"string","description":"The user ID of the identity associated with the session's source. Typically, the user performing an action on the client."},{"name":"SrcUserAadId","type":"string","description":"The Azure AD account object ID of the user at the source end of the session."},{"name":"SrcUserName","type":"string","description":"The username of the identity associated with the session's source. Typically, the user performing an action on the client."},{"name":"SrcUserUpn","type":"string","description":"UPN of the account initiating the session."},{"name":"SrcUserDomain","type":"string","description":"The domain for the account initiating the session."},{"name":"SrcZone","type":"string","description":"The network zone of the source, as defined by the reporting device."},{"name":"NetworkProtocol","type":"string","description":"The IP protocol used by the connection or session. Typically, TCP, UDP or ICMP."},{"name":"CloudAppName","type":"string","description":"The name of the destination application for an HTTP application as identified by a proxy."},{"name":"CloudAppId","type":"string","description":"The ID of the destination application for an HTTP application as identified by a proxy. 
This value is usually specific to the proxy used."},{"name":"CloudAppOperation","type":"string","description":"The operation the user performed in the context of the destination application for an HTTP application as identified by a proxy. This value is usually specific to the proxy used."},{"name":"CloudAppRiskLevel","type":"string","description":"The risk level associated with an HTTP application as identified by a proxy. This value is usually specific to the proxy used."},{"name":"FileName","type":"string","description":"The filename transmitted over the network connections for protocols such as FTP and HTTP which provide the file name information."},{"name":"FilePath","type":"string","description":"The full path, including file name, of the file."},{"name":"FileHashMd5","type":"string","description":"The MD5 hash value of the file transmitted over the network connections for protocols."},{"name":"FileHashSha1","type":"string","description":"The SHA1 hash value of the file transmitted over the network connections for protocols."},{"name":"FileHashSha256","type":"string","description":"The SHA256 hash value of the file transmitted over the network connections for protocols."},{"name":"FileHashSha512","type":"string","description":"The SHA512 hash value of the file transmitted over the network connections for protocols."},{"name":"FileExtension","type":"string","description":"The type of the file transmitted over the network connections for protocols such as FTP and HTTP."},{"name":"FileMimeType","type":"string","description":"The MIME type of the file transmitted over the network connections for protocols such as FTP and HTTP."},{"name":"FileSize","type":"int","description":"The file size, in bytes, of the file transmitted over the network connections for protocols."},{"name":"HttpVersion","type":"string","description":"The HTTP Request Version for HTTP/HTTPS network connections."},{"name":"HttpRequestMethod","type":"string","description":"The HTTP Method for 
HTTP/HTTPS network sessions."},{"name":"HttpStatusCode","type":"string","description":"The HTTP Status Code for HTTP/HTTPS network sessions."},{"name":"HttpContentType","type":"string","description":"The HTTP Response content type header for HTTP/HTTPS network sessions."},{"name":"HttpReferrerOriginal","type":"string","description":"The HTTP referrer header for HTTP/HTTPS network sessions."},{"name":"HttpUserAgentOriginal","type":"string","description":"The HTTP user agent header for HTTP/HTTPS network sessions."},{"name":"HttpRequestXff","type":"string","description":"The HTTP X-Forwarded-For header for HTTP/HTTPS network sessions."},{"name":"UrlCategory","type":"string","description":"The defined grouping of a URL (or could be just based on the domain in the URL) related to what it is (e.g., adult, news, advertising, parked domains, etc.)."},{"name":"UrlOriginal","type":"string","description":"The HTTP request URL for HTTP/HTTPS network sessions."},{"name":"UrlHostname","type":"string","description":"The domain part of an HTTP request URL for HTTP/HTTPS network sessions."},{"name":"ThreatCategory","type":"string","description":"The category of a threat identified by a security system such as a Web Security Gateway or an IPS and associated with this network session."},{"name":"ThreatId","type":"string","description":"The ID of a threat identified by a security system such as a Web Security Gateway or an IPS and associated with this network session."},{"name":"ThreatName","type":"string","description":"The name of the threat or malware identified."},{"name":"AdditionalFields","type":"dynamic","description":"When no respective column in the schema matches, additional fields can be stored in a JSON bag."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["64ded722-608e-472b-a3dd-17f94b7cac07","6307514a-d00a-4ada-a0fb-087b72bee4f5"]}},{"id":"NginxUpstreamUpdateLogs","name":"NginxUpstreamUpdateLogs","tableType":"Microsoft","description":"NGINX upstream update logs captured by NGINXaaS.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log record was generated."},{"name":"Location","type":"string","description":"The location (region) the NGINX instance was accessed in."},{"name":"Message","type":"string","description":"The message of the log record."},{"name":"Tag","type":"string","description":"The tag of log records from syslog."},{"name":"Level","type":"string","description":"The log level of the log record."},{"name":"Context","type":"string","description":"Upstream's NGINX context: http or stream."},{"name":"UpstreamName","type":"string","description":"Name of the upstream as shown in the config."},{"name":"Error","type":"string","description":"Error message."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["nginx.nginxplus/nginxdeployments"],"solutions":["LogManagement"],"queries":["26551BF0-E908-4C30-8199-335F7CC86520"]}},{"id":"OAuthAppInfo","name":"OAuthAppInfo","tableType":"Microsoft","description":"Information about Microsoft 
365-connected OAuth applications in the organization covered by Microsoft Cloud App Security.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ReportId","type":"string","description":"Unique identifier for the record"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the record was generated"},{"name":"OAuthAppId","type":"string","description":"The unique identifier for the app as assigned by Microsoft Entra ID"},{"name":"ServicePrincipalId","type":"string","description":"The unique identifier for the service principal instance of the application in the tenant"},{"name":"AppName","type":"string","description":"The application's display name as exposed by the associated service principal"},{"name":"AddedOnTime","type":"datetime","description":"Date and time when the application was registered"},{"name":"LastModifiedTime","type":"datetime","description":"Timestamp when the app was last modified"},{"name":"AppStatus","type":"string","description":"Status of the app; can be: Enabled, DisabledByMicrosoft, DisabledByAppGovernancePolicy, DisabledByUser, Deleted"},{"name":"VerifiedPublisher","type":"dynamic","description":"Specifies details about the verified publisher of the application which this service principal represents"},{"name":"PrivilegeLevel","type":"string","description":"The privilege level of the app based on the highest classified permission granted to the app"},{"name":"Permissions","type":"dynamic","description":"Contains an array of permission objects"},{"name":"ConsentedUsersCount","type":"int","description":"Count of users who have consented to the app"},{"name":"IsAdminConsented","type":"bool","description":"Value is True if a user has provided admin consent to the app on behalf of all the users in the org, otherwise False"},{"name":"AppOrigin","type":"string","description":"Specifies whether the app is internal to the 
organization or registered in an external tenant"},{"name":"LastUsedTime","type":"datetime","description":"Date and time when the app last signed in"},{"name":"AppOwnerTenantId","type":"string","description":"Specifies the ID of the tenant where the app was registered"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"OEPAirFlowTask","name":"OEPAirFlowTask","tableType":"Microsoft","description":"Diagnostic logs for Airflow task execution, including the task name and task details.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the log was created."},{"name":"Category","type":"string","description":"Logs generated as a result of operations executed using OAK APIs are grouped into categories. 
Categories in OAK are logical groupings based on the data source."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"LogLevel","type":"string","description":"Log Level of the log - Info/Debug/Warning/Error"},{"name":"DagName","type":"string","description":"Name of the DAG run - as per Airflow's list of DAGs present"},{"name":"DagTaskName","type":"string","description":"Name of Task executed in Airflow DAG."},{"name":"RunId","type":"string","description":"To identify the particular DAG run which generated the log"},{"name":"CodePath","type":"string","description":"The task inside the DAG run which generated the log"},{"name":"TryNumber","type":"string","description":"Still not available"},{"name":"Content","type":"string","description":"Log details as a result of operation performed."},{"name":"AdditionalLogContent","type":"string","description":"Additional log content, if there is any more info that needs to be populated"},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs, when available."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"solutions":["LogManagement"],"queries":["df341dc6-ff0a-4579-b23e-d84b22419c91","b3e13991-72f2-4b47-aaa1-37ea6c4bcae9","b6e48dd7-12b6-494a-b164-52df19d45a9d","29adebd2-37b1-44fc-a684-422431bf0ddd"]}},{"id":"OEPAuditLogs","name":"OEPAuditLogs","tableType":"Microsoft","description":"Audit Logs for Microsoft Energy Data Services.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was created."},{"name":"Category","type":"string","description":"Logs generated as a result of operations executed using OAK APIs are grouped into categories. Categories in OAK are logical groupings based on the data source."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"ServiceName","type":"string","description":"The name of the service which is emitting the event."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"DataPartitionId","type":"string","description":"Represents the data partition ID."},{"name":"Action","type":"string","description":"Action performed, which can be CREATE, PUBLISH, UPDATE, DELETE, READ or JOB_RUN."},{"name":"ActionId","type":"string","description":"ID of the action performed."},{"name":"Puid","type":"string","description":"The client ID."},{"name":"ResultType","type":"string","description":"Result of the REST API request."},{"name":"OperationDescription","type":"string","description":"Description of operation that was performed."},{"name":"RequestId","type":"string","description":"The request ID that uniquely identifies the request made to Microsoft Energy Data Services for an operation."},{"name":"Message","type":"string","description":"The message about the 
operation."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"solutions":["LogManagement"]}},{"id":"OEPDataplaneLogs","name":"OEPDataplaneLogs","tableType":"Microsoft","description":"Contains logs for HTTP requests & responses for the Indexer Service API, in OSDU Data Platform, and Microsoft Energy Data Services. The Indexer service indexes the metadata store to support search. The indexer service will automatically take items that are newly added to storage and index the attributes from the schema associated with the kind attribute.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was created."},{"name":"Category","type":"string","description":"Logs generated as a result of operations executed using OAK APIs are grouped into categories. 
Categories in OAK are logical groupings based on the data source."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"Message","type":"string","description":"Log details as a result of operation performed."},{"name":"LogLevel","type":"string","description":"Log level of message (INFO, WARN, ERROR, etc.)."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs, when available."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"solutions":["LogManagement"],"queries":["3ac59a15-04e1-4474-9b8d-8046477d177e","91d7b5a5-93b8-4a8f-8875-b5c511bc9e41","7f9d3e8f-df6d-4156-93c7-0877c1000716","ea5e6919-17ea-4cc9-880c-0626d5a351f3","6e113596-c393-4745-b93f-c371d452d94f","394023dd-9607-44b9-8f6d-45740903d67a","c646d0fd-7eee-44d1-ae13-0791e3f7b766"]}},{"id":"OEPElasticOperator","name":"OEPElasticOperator","tableType":"Microsoft","description":"Diagnostic logs for the Elastic operator. The Elastic operator manages all the Elasticsearch clusters in the OAK instance. These logs can be helpful in identifying what operations are performed by the operator on the cluster. 
It could be upgrades, reconciliation, resource update etc.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the log was created."},{"name":"Category","type":"string","description":"Logs generated as a result of operations executed using OAK APIs are grouped into categories. Categories in OAK are logical groupings based on the data source."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"Content","type":"string","description":"Log details as a result of operation performed."},{"name":"Namespace","type":"string","description":"Namespace from which logs were generated, represents the data partition."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"solutions":["LogManagement"]}},{"id":"OEPElasticsearch","name":"OEPElasticsearch","tableType":"Microsoft","description":"Diagnostic logs for Elasticsearch cluster. 
It could be slow logs, server logs or deprecation logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) when the log was created."},{"name":"Category","type":"string","description":"Logs generated as a result of operations executed using OAK APIs are grouped into categories. Categories in OAK are logical groupings based on the data source."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"Content","type":"string","description":"Log details as a result of operation performed."},{"name":"Namespace","type":"string","description":"Namespace from which logs were generated, represents the data partition."},{"name":"PodName","type":"string","description":"Elasticsearch pod name."},{"name":"Duration","type":"string","description":"Time taken for performing the operation. Value is taken from 'took' property in Elasticsearch cluster as string, like '1.3ms', '478.9micros' etc."},{"name":"TotalHits","type":"string","description":"Total number of hits for a search operation. For example, value can be '3 hits' for 3 hits, '-1' for no hits, or 'null' if it is not a search slow log."},{"name":"Source","type":"string","description":"Source responsible for the log. It could be a search query or a record to be indexed in case of slow logs and null otherwise."},{"name":"Type","type":"string","description":"Type of log. 
Can be index_search_slowlog, index_indexing_slowlog, server, deprecation etc."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"SourceSystem","type":"string"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.openenergyplatform/energyservices"],"solutions":["LogManagement"]}},{"id":"OEWAuditLogs","name":"OEWAuditLogs","tableType":"Microsoft","description":"Audit, activity and status for the Online Experiment Workspace.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"Category","type":"string","description":"The event category."},{"name":"Level","type":"string","description":"The log level."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"ResultType","type":"string","description":"The result of the operation."},{"name":"HttpStatusCode","type":"int","description":"The HTTP status code of the operation."},{"name":"ResultDescription","type":"string","description":"The description of the result of the operation."},{"name":"DurationMs","type":"int","description":"The duration of the operation in milliseconds."},{"name":"URI","type":"string","description":"The URI of the operation."},{"name":"Location","type":"string","description":"The location of the resource."},{"name":"CallerIpAddress","type":"string","description":"The IP address of the caller."},{"name":"Identity","type":"dynamic","description":"The identity 
triggering the operation."},{"name":"CorrelationId","type":"string","description":"The correlation Id of the operation."},{"name":"WorkspaceId","type":"string","description":"The workspace Id of the online experimentation resource."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.onlineexperimentation/workspaces"],"solutions":["LogManagement"]}},{"id":"OEWExperimentAssignmentSummary","name":"OEWExperimentAssignmentSummary","tableType":"Microsoft","description":"Experiment variant assignment summary from feature evaluation events. 
Used to monitor experiment activities.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The ingestion time of the experiment assignment summary."},{"name":"FeatureFlagReference","type":"string","description":"The fully qualified Id of the feature flag."},{"name":"FeatureName","type":"string","description":"The name of the feature flag."},{"name":"AllocationId","type":"string","description":"The Id of the allocation used for the feature evaluation."},{"name":"Variant","type":"string","description":"The Id of the feature variant assigned."},{"name":"VariantAssignmentPercentage","type":"real","description":"The variant assignment percentage of the feature variant."},{"name":"IsControlVariant","type":"bool","description":"Whether the feature variant assigned is the control for the experiment."},{"name":"AssignmentEventCount","type":"long","description":"Total number of assignment events."},{"name":"FirstAssignmentTimestamp","type":"datetime","description":"The timestamp of earliest assignment event in time range."},{"name":"LastAssignmentTimestamp","type":"datetime","description":"The timestamp of latest assignment event in time range."},{"name":"BinStartTime","type":"datetime","description":"The bin start time of assignment summary."},{"name":"BinSize","type":"long","description":"The duration of assignment summary time range (in minutes)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["applications"],"resourceTypes":["microsoft.onlineexperimentation/workspaces"],"solutions":["LogManagement"],"queries":["a7cb524f-2347-4ed2-a9ff-3ce04cb87913","3964f9a7-6371-445c-924f-9efdaef758ca","1e349818-951d-456b-b4b5-90dc93330b98"]}},{"id":"OEWExperimentScorecardMetricPairs","name":"OEWExperimentScorecardMetricPairs","tableType":"Microsoft","description":"Detailed experiment results including metric comparisons and any metric-level derived insights.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the scorecard results were ingested."},{"name":"ScorecardId","type":"string","description":"The Id of the experiment scorecard."},{"name":"MetricId","type":"string","description":"The Id of the metric."},{"name":"MetricDisplayName","type":"string","description":"The display name of the metric."},{"name":"MetricDescription","type":"string","description":"The description of the metric."},{"name":"MetricType","type":"string","description":"The metric type. Possible values include EventCount, UserCount, EventRate, UserRate, Sum, Average, Percentile."},{"name":"MetricLifecycle","type":"string","description":"The lifecycle stage of the metric. Possible values include Active, Inactive"},{"name":"MetricCategories","type":"dynamic","description":"Metric categories in the form of string array."},{"name":"DesiredDirection","type":"string","description":"Desirable direction for the metric. 
Possible values: Increase, Decrease, Neutral"},{"name":"MetricETag","type":"string","description":"The ETag of the metric."},{"name":"TreatmentVariant","type":"string","description":"The Id of the treatment variant."},{"name":"TreatmentCount","type":"long","description":"The sample count of the treatment variant."},{"name":"TreatmentMetricValue","type":"real","description":"The metric value for the treatment variant."},{"name":"TreatmentMetricValueNormalized","type":"real","description":"The normalized metric value for the treatment variant. Used by metric comparisons, which accounts for unequal traffic allocation."},{"name":"TreatmentStandardErrorNormalized","type":"real","description":"The standard error (StandardDeviation / sqrt(Count)) of the metric for the control variant."},{"name":"ControlVariant","type":"string","description":"The Id of the control variant."},{"name":"ControlCount","type":"long","description":"The sample count of the control variant."},{"name":"ControlMetricValue","type":"real","description":"The metric value for the control variant."},{"name":"ControlMetricValueNormalized","type":"real","description":"The normalized metric value for the control variant. Used by metric comparisons, which accounts for unequal traffic allocation."},{"name":"ControlStandardErrorNormalized","type":"real","description":"The standard error (StandardDeviation / sqrt(Count)) of the metric for the control variant."},{"name":"PValue","type":"real","description":"The P-Value of the comparison. Used to indicate if the difference between the variants is significant."},{"name":"TreatmentEffect","type":"string","description":"The effect of the treatment variant on the metric. 
Possible values: Zero samples, Too few samples, Inconclusive, Changed, Improved, Degraded."},{"name":"RelativeDifference","type":"real","description":"The relative difference of the comparison based on TreatmentMetricValueNormalized and ControlMetricValueNormalized."},{"name":"Insights","type":"dynamic","description":"Metric-level Insights derived from the analysis results in JSON format."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"resourceTypes":["microsoft.onlineexperimentation/workspaces"],"solutions":["LogManagement"],"queries":["1e349818-951d-456b-b4b5-90dc93330b98"]}},{"id":"OEWExperimentScorecards","name":"OEWExperimentScorecards","tableType":"Microsoft","description":"Experiment scorecard metadata and insights.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the scorecard results were ingested."},{"name":"FeatureName","type":"string","description":"The name of the feature."},{"name":"Label","type":"string","description":"The name of the label for the feature (if one exists)."},{"name":"FeatureFlagReference","type":"string","description":"The fully qualified Id of the feature."},{"name":"AllocationId","type":"string","description":"The Id of the allocation used for the feature evaluation."},{"name":"ScorecardId","type":"string","description":"The Id of the experiment scorecard."},{"name":"AnalysisStartTime","type":"datetime","description":"The start time of the scorecard 
analysis."},{"name":"AnalysisEndTime","type":"datetime","description":"The end time of the scorecard analysis."},{"name":"Insights","type":"dynamic","description":"Scorecard-level Insights derived from the analysis results in JSON format."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"resourceTypes":["microsoft.onlineexperimentation/workspaces"],"solutions":["LogManagement"],"queries":["3964f9a7-6371-445c-924f-9efdaef758ca","1e349818-951d-456b-b4b5-90dc93330b98"]}},{"id":"OGOAuditLogs","name":"OGOAuditLogs","tableType":"Microsoft","description":"Audit logs for Microsoft Planetary Computer Pro.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was generated."},{"name":"OperationName","type":"string","description":"The name of the operation that triggered the event."},{"name":"Category","type":"string","description":"Category of the audit log."},{"name":"Location","type":"string","description":"Location of the service sending the log."},{"name":"CorrelationId","type":"string","description":"Id of the request."},{"name":"Status","type":"string","description":"The status message."},{"name":"Endpoint","type":"string","description":"API Endpoint that was called."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["LogManagement"]}},{"id":"OLPSupplyChainEntityOperations","name":"OLPSupplyChainEntityOperations","tableType":"Microsoft","description":"The OLPSupplyChainEntityOperations table captures every data plane operation performed on a supplychain entity in the workspace. Data Plane requests are operations executed to create, update, delete or retrieve supplychain entities such as Warehouse, Item, DeliveryNode, Shipment etc. within a workspace.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"RequestUri","type":"string","description":"URI of the API request."},{"name":"RequestMethod","type":"string","description":"HTTP method of the API request."},{"name":"HttpStatusCode","type":"int","description":"HTTP status code of the API response."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs."},{"name":"RequestId","type":"string","description":"Unique identifier to be used to correlate request logs."},{"name":"DurationMs","type":"real","description":"Time it took to service the REST API request, in milliseconds."},{"name":"ClientTenantId","type":"string","description":"Tenant ID of the client making the API request."},{"name":"ClientObjectId","type":"string","description":"Object ID of the client making the API request."},{"name":"ClientName","type":"string","description":"Name of the 
client making the API request."},{"name":"ClientApplicationId","type":"string","description":"Application ID of the client making the API request."},{"name":"RequestBody","type":"dynamic","description":"Request body of the API calls."},{"name":"ResponseBody","type":"dynamic","description":"Response body of the API calls."},{"name":"CustomRequestAttributes","type":"dynamic","description":"Client-defined arbitrary data in the API request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.openlogisticsplatform/workspaces"],"solutions":["LogManagement"],"queries":["a4d5c564-f185-450d-9024-ac003c123456"]}},{"id":"OLPSupplyChainEvents","name":"OLPSupplyChainEvents","tableType":"Microsoft","description":"The events table captures every event that was dispatched from the Open Logistics Platform workspace. Events can be a result of a data plane API call (e.g. Shipment Created, Item Deleted, Notification sent, etc.) or a long running job operation completion (e.g. 
Data ingestion results in NewDataAvailable event).","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs with OLPSupplyChainEntityOperations."},{"name":"RequestId","type":"string","description":"Unique identifier to be used to correlate request logs."},{"name":"DurationMs","type":"real","description":"Time it took to service the REST API request, in milliseconds."},{"name":"EventId","type":"string","description":"Unique identifier for each event."},{"name":"EventBody","type":"dynamic","description":"The event body."},{"name":"EventType","type":"string","description":"The type of the event, can be Microsoft.OpenLogisticsPlatform.EntityCreated, Microsoft.OpenLogisticsPlatform.EntityUpdated etc."},{"name":"SupplyChainResourceType","type":"string","description":"The type of supplychain resource for which the event is generated, can be Item, Warehouse, WarehouseItem etc."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.openlogisticsplatform/workspaces"],"solutions":["LogManagement"]}},{"id":"OTelEvents","name":"OTelEvents","tableType":"Microsoft","description":"Span Events emitted by an OpenTelemetry 
source.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the event's span began."},{"name":"Name","type":"string","description":"Human-readable name of the event."},{"name":"SpanId","type":"string","description":"The identifier of the span this event is about."},{"name":"TraceId","type":"string","description":"The identifier of the trace this span belongs to."},{"name":"Attributes","type":"dynamic","description":"A collection of key-value pairs representing properties of the event."},{"name":"DroppedAttributesCount","type":"int","description":"The number of attributes that were discarded by the data source."},{"name":"ResourceAttributes","type":"dynamic","description":"Resource attributes emitted by an OpenTelemetry source."},{"name":"ServiceNamespace","type":"string","description":"A namespace for ServiceName."},{"name":"ServiceName","type":"string","description":"Logical name of the service."},{"name":"ServiceVersion","type":"string","description":"Version information associated with the service."},{"name":"ServiceInstanceId","type":"string","description":"A unique identifier for the instance of the service."},{"name":"RoleName","type":"string","description":"A human-readable name of the service emitting this span. 
This is a simplified service identifier combining ServiceNamespace and ServiceName."},{"name":"SDKVersion","type":"string","description":"The name and version of the SDK, agent, or other source that emitted this record."},{"name":"EndUserId","type":"string","description":"Persistent string that uniquely represents an authenticated user of the service."},{"name":"UserId","type":"string","description":"Anonymous ID of a user accessing the service."},{"name":"UserAccountId","type":"string","description":"Service-defined account associated with the user."},{"name":"SessionId","type":"string","description":"Service-defined session id."},{"name":"ClientBrowser","type":"string","description":"Name and version of the web browser used by the client that triggered this span."},{"name":"ClientOS","type":"string","description":"Operating system of the client device."},{"name":"ClientModel","type":"string","description":"Model of the client device."},{"name":"ClientType","type":"string","description":"Type of the client device."},{"name":"ClientIP","type":"string","description":"IP address of the client device."},{"name":"ClientCity","type":"string","description":"City where the client device is located."},{"name":"ClientStateOrProvince","type":"string","description":"State or province where the client device is located."},{"name":"ClientCountryOrRegion","type":"string","description":"Country or region where the client device is located."},{"name":"Measurements","type":"dynamic","description":"Application-defined measurements associated with this event."},{"name":"SyntheticSource","type":"string","description":"Upstream source of this event if it is well-known to be synthetic (ex. web crawlers)."},{"name":"ItemCount","type":"int","description":"The number of spans represented by this record. 
This value is greater than 1 when sampling is in effect."},{"name":"OperationName","type":"string","description":"Service-defined name of the overall operation."},{"name":"ExceptionType","type":"string","description":"If this event is an exception, this is the type of the exception."},{"name":"ExceptionMessage","type":"string","description":"If this event is an exception, this is the message associated with the exception."},{"name":"ExceptionStackTrace","type":"string","description":"If the event is an exception, this is the stack trace associated with it."},{"name":"ExceptionProblem","type":"string","description":"If the event is an exception, this is a summarized identifier for it."},{"name":"ReferencedItemId","type":"string","description":"This is the item id for the span that this event is associated with."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"solutions":["LogManagement"],"queries":["1e2f3a4b-5c6d-7e8f-9012-3456789abcde"]}},{"id":"OTelLogs","name":"OTelLogs","tableType":"Microsoft","description":"Logs emitted by an OpenTelemetry source.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the log was emitted."},{"name":"Body","type":"string","description":"Content of the log record."},{"name":"SpanId","type":"string","description":"The identifier of the span this log is 
about."},{"name":"TraceId","type":"string","description":"The identifier of the trace this log belongs to."},{"name":"DeploymentEnvironmentName","type":"string","description":"Name of the deployment environment."},{"name":"Attributes","type":"dynamic","description":"A collection of key-value pairs representing properties of the log."},{"name":"ResourceAttributes","type":"dynamic","description":"Resource attributes emitted by an OpenTelemetry source."},{"name":"ScopeName","type":"string","description":"The name of the instrumentation scope."},{"name":"ScopeVersion","type":"string","description":"The version of the instrumentation scope."},{"name":"DroppedAttributesCount","type":"int","description":"The number of attributes that were discarded by the data source."},{"name":"SeverityText","type":"string","description":"The log level of this record."},{"name":"SeverityNumber","type":"int","description":"Normalized number representing the log level of this record."},{"name":"ServiceNamespace","type":"string","description":"A namespace for ServiceName."},{"name":"ServiceName","type":"string","description":"Logical name of the service."},{"name":"ServiceVersion","type":"string","description":"Version information associated with the service."},{"name":"ServiceInstanceId","type":"string","description":"A unique identifier for the instance of the service."},{"name":"RoleName","type":"string","description":"A human-readable name of the service emitting this span. 
This is a simplified service identifier combining ServiceNamespace and ServiceName."},{"name":"SDKVersion","type":"string","description":"The name and version of the SDK, agent, or other source that emitted this record."},{"name":"EndUserId","type":"string","description":"Persistent string that uniquely represents an authenticated user of the service."},{"name":"K8sPodName","type":"string","description":"The name of the Kubernetes pod, if the service is running in a Kubernetes cluster."},{"name":"K8sNamespaceName","type":"string","description":"The name of the Kubernetes namespace, if the service is running in a Kubernetes cluster."},{"name":"K8sContainerName","type":"string","description":"The name of the Kubernetes container, if the service is running in a Kubernetes cluster."},{"name":"UserId","type":"string","description":"Anonymous ID of a user accessing the service."},{"name":"UserAccountId","type":"string","description":"Service-defined account associated with the user."},{"name":"SessionId","type":"string","description":"Service-defined session id."},{"name":"ClientBrowser","type":"string","description":"Name and version of the web browser used by the client that triggered this span."},{"name":"ClientOS","type":"string","description":"Operating system of the client device."},{"name":"ClientModel","type":"string","description":"Model of the client device."},{"name":"ClientType","type":"string","description":"Type of the client device."},{"name":"ClientIP","type":"string","description":"IP address of the client device."},{"name":"ClientCity","type":"string","description":"City where the client device is located."},{"name":"ClientStateOrProvince","type":"string","description":"State or province where the client device is located."},{"name":"ClientCountryOrRegion","type":"string","description":"Country or region where the client device is located."},{"name":"Measurements","type":"dynamic","description":"Application-defined measurements associated with this 
event."},{"name":"SyntheticSource","type":"string","description":"Upstream source of this log if it is well-known to be synthetic (ex. web crawlers)."},{"name":"ItemCount","type":"int","description":"The number of log records represented by this record. This value is greater than 1 when sampling is in effect."},{"name":"OperationName","type":"string","description":"Service-defined name of the overall operation."},{"name":"SeverityLevel","type":"int","description":"A low cardinality binning of the value of SeverityNumber."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"solutions":["LogManagement"],"queries":["2a1b3c4d-6e7f-8901-bcde-f23456789abc"]}},{"id":"OTelResources","name":"OTelResources","tableType":"Microsoft","description":"Resource attributes emitted by an OpenTelemetry source.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the resource attributes were effective."},{"name":"Id","type":"string","description":"A unique identifier for the resource attributes record."},{"name":"ServiceNamespace","type":"string","description":"A namespace for ServiceName. This is the value of the 'service.namespace' resource attribute."},{"name":"ServiceName","type":"string","description":"Logical name of the service. 
This is the value of the 'service.name' resource attribute."},{"name":"ServiceInstanceId","type":"string","description":"A unique identifier for the instance of the service. This is the value of the 'service.instance.id' resource attribute."},{"name":"RoleName","type":"string","description":"A simplified service identifier combining ServiceNamespace and ServiceName."},{"name":"Attributes","type":"dynamic","description":"Resource attributes emitted by an OpenTelemetry source."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"solutions":["LogManagement"]}},{"id":"OTelSpans","name":"OTelSpans","tableType":"Microsoft","description":"Spans emitted by an OpenTelemetry source.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the span began."},{"name":"Name","type":"string","description":"Human-readable name of the span."},{"name":"SpanId","type":"string","description":"A unique identifier for the span."},{"name":"ParentSpanId","type":"string","description":"The identifier of the parent of this span."},{"name":"TraceId","type":"string","description":"The identifier of the trace this span belongs to."},{"name":"TraceState","type":"string","description":"An opaque string representing vendor-specific trace information that was propagated with this span."},{"name":"Kind","type":"string","description":"The kind of span that 
this record represents. Can be Unspecified, Internal, Server, Client, Producer, or Consumer."},{"name":"EndTime","type":"datetime","description":"Date and time when the span ended."},{"name":"StatusMessage","type":"string","description":"Human-readable error message for the span."},{"name":"StatusCode","type":"string","description":"The status of the span. Example values include OK and Error."},{"name":"Links","type":"dynamic","description":"References from this span to other spans."},{"name":"ScopeName","type":"string","description":"The name of the instrumentation scope."},{"name":"ScopeVersion","type":"string","description":"The version of the instrumentation scope."},{"name":"ResourceAttributes","type":"dynamic","description":"Resource attributes emitted by an OpenTelemetry source."},{"name":"DroppedAttributesCount","type":"int","description":"The number of attributes that were discarded by the data source."},{"name":"DroppedEventsCount","type":"int","description":"The number of events that were discarded by the data source."},{"name":"DroppedLinksCount","type":"int","description":"The number of links that were discarded by the data source."},{"name":"Attributes","type":"dynamic","description":"A collection of key-value pairs representing properties of the span."},{"name":"ServiceNamespace","type":"string","description":"A namespace for ServiceName."},{"name":"ServiceName","type":"string","description":"Logical name of the service."},{"name":"ServiceVersion","type":"string","description":"Version information associated with the service."},{"name":"ServiceInstanceId","type":"string","description":"A unique identifier for the instance of the service."},{"name":"RoleName","type":"string","description":"A human-readable name of the service emitting this span. 
This is a simplified service identifier combining ServiceNamespace and ServiceName."},{"name":"SDKVersion","type":"string","description":"The name and version of the SDK, agent, or other source that emitted this record."},{"name":"EndUserId","type":"string","description":"Persistent string that uniquely represents an authenticated user of the service."},{"name":"ResourceAttributesId","type":"string","description":"Id of the matching record in the OTelResources table that contains this span's resource attributes."},{"name":"DurationMs","type":"real","description":"The time elapsed between the start and end of this span, in milliseconds."},{"name":"ResultCode","type":"string","description":"Normalized result code for the process this span represents (ex. HTTP status code)."},{"name":"UserId","type":"string","description":"Anonymous ID of a user accessing the service."},{"name":"UserAccountId","type":"string","description":"Service-defined account associated with the user."},{"name":"SessionId","type":"string","description":"Service-defined session id."},{"name":"ClientBrowser","type":"string","description":"Name and version of the web browser used by the client that triggered this span."},{"name":"ClientOS","type":"string","description":"Operating system of the client device."},{"name":"ClientModel","type":"string","description":"Model of the client device."},{"name":"ClientType","type":"string","description":"Type of the client device."},{"name":"ClientIP","type":"string","description":"IP address of the client device."},{"name":"ClientCity","type":"string","description":"City where the client device is located."},{"name":"ClientStateOrProvince","type":"string","description":"State or province where the client device is located."},{"name":"ClientCountryOrRegion","type":"string","description":"Country or region where the client device is located."},{"name":"Measurements","type":"dynamic","description":"Application-defined measurements associated with this 
span."},{"name":"SyntheticSource","type":"string","description":"Upstream source of this span if it is well-known to be synthetic (ex. web crawlers)."},{"name":"Source","type":"string","description":"Friendly name of the direct source of this span, when known."},{"name":"Target","type":"string","description":"Normalized, low-cardinality destination for this span, if it is representing an outgoing call (Ex. HTTP host)."},{"name":"EnrichedName","type":"string","description":"An alternate name for this span that may be enriched with additional diagnostic information to make it more useful for aggregation and reporting purposes."},{"name":"OperationName","type":"string","description":"Service-defined name of the overall operation."},{"name":"Success","type":"bool","description":"Indicates whether the call completed successfully based on domain-specific criteria."},{"name":"DependencyType","type":"string","description":"Normalized type of destination for this span, if it is representing an outgoing call (Ex. HTTP, SQL)."},{"name":"Data","type":"string","description":"Normalized, high cardinality destination for this span (Ex. HTTP URL)."},{"name":"ItemCount","type":"int","description":"The number of spans represented by this record. 
This value is greater than 1 when sampling is in effect."},{"name":"PerformanceBucket","type":"string","description":"A low cardinality binning of the duration of this span."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"solutions":["LogManagement"],"queries":["3f8d4567-12ab-34cd-56ef-789012345678"]}},{"id":"OTelTraces","name":"OTelTraces","tableType":"Microsoft","description":"Traces emitted by an OpenTelemetry source.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the span began."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"solutions":["LogManagement"]}},{"id":"OTelTracesAgent","name":"OTelTracesAgent","tableType":"Microsoft","description":"Traces (from Agent) emitted by an OpenTelemetry 
source.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the span began."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["applications"],"resourceTypes":["microsoft.operationalinsights/workspaces"],"solutions":["LogManagement"]}},{"id":"OfficeActivity","name":"OfficeActivity","tableType":"Microsoft","description":"Audit logs for Office 365 tenants collected by Azure Sentinel. Including Exchange, SharePoint and Teams logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"Application","type":"string","description":"The application name","isPreferredFacet":true},{"name":"UserDomain","type":"string","description":"The domain of the user","isPreferredFacet":true},{"name":"Activity","type":"string","description":"The activity that the user performed.","isPreferredFacet":true},{"name":"UserAgent","type":"string","description":"The user agent","isPreferredFacet":true},{"name":"RecordType","type":"string","description":"The type of operation indicated by the record. 
See the AuditLogRecordType table for details on the types of audit log records","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"The date and time in Coordinated Universal Time (UTC) when the user performed the activity","isPreferredFacet":true},{"name":"Operation","type":"string","description":"The name of the operation that the user is performing","isPreferredFacet":true},{"name":"OrganizationId","type":"string","description":"The GUID for your organization's Office 365 tenant. This value will always be the same for your organization","isPreferredFacet":true},{"name":"UserType","type":"string","description":"The type of user that performed the operation. See the UserType table for details on the types of users","isPreferredFacet":true},{"name":"UserKey","type":"string","description":"An alternative ID for the user identified in the UserId property","isPreferredFacet":true},{"name":"OfficeWorkload","type":"string","description":"The Office 365 service where the activity occurred","isPreferredFacet":true},{"name":"ResultStatus","type":"string","description":"Indicates whether the action (specified in the Operation property) was successful or not","isPreferredFacet":true},{"name":"ResultReasonType","type":"string","description":"Reason for the result reported in ResultType","isPreferredFacet":true},{"name":"OfficeObjectId","type":"string","description":"For SharePoint and OneDrive for Business activity"},{"name":"UserId","type":"string","description":"The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged","isPreferredFacet":true},{"name":"ClientIP","type":"string","description":"The IP address of the device that was used when the activity was logged","isPreferredFacet":true},{"name":"Site_","type":"string","description":"The GUID of the site where the file or folder accessed by the user is 
located","isPreferredFacet":true},{"name":"ItemType","type":"string","description":"The type of object that was accessed or modified. See the ItemType table for details on the types of objects","isPreferredFacet":true},{"name":"EventSource","type":"string","description":"Identifies that an event occurred in SharePoint. Possible values are SharePoint or ObjectModel","isPreferredFacet":true},{"name":"Source_Name","type":"string","description":"The entity that triggered the audited operation. Possible values are SharePoint or ObjectModel","isPreferredFacet":true},{"name":"MachineDomainInfo","type":"string","description":"Information about device sync operations"},{"name":"MachineId","type":"string","description":"Information about device sync operations"},{"name":"Site_Url","type":"string","description":"The URL of the site where the file or folder accessed by the user is located","isPreferredFacet":true},{"name":"SourceRelativeUrl","type":"string","description":"The URL of the folder that contains the file accessed by the user","isPreferredFacet":true},{"name":"SourceFileName","type":"string","description":"The name of the file or folder accessed by the user","isPreferredFacet":true},{"name":"SourceFileExtension","type":"string","description":"The file extension of the file that was accessed by the user","isPreferredFacet":true},{"name":"DestinationRelativeUrl","type":"string","description":"The URL of the destination folder where a file is copied or moved"},{"name":"DestinationFileName","type":"string","description":"The name of the file that is copied or moved"},{"name":"DestinationFileExtension","type":"string","description":"The file extension of a file that is copied or moved","isPreferredFacet":true},{"name":"UserSharedWith","type":"string","description":"The user that a resource was shared with","isPreferredFacet":true},{"name":"SharingType","type":"string","description":"The type of sharing permissions that were assigned to the user that the resource was 
shared with. This user is identified by the UserSharedWith parameter","isPreferredFacet":true},{"name":"CustomEvent","type":"string","description":"Optional string for custom events"},{"name":"Event_Data","type":"string","description":"Optional payload for custom events"},{"name":"ModifiedObjectResolvedName","type":"string","description":"This is the user friendly name of the object that was modified by the cmdlet"},{"name":"Parameters","type":"string","description":"The name and value for all parameters that were used with the cmdlet that is identified in the Operation property"},{"name":"ExternalAccess","type":"string","description":"Specifies whether the cmdlet was run by a user in your organization (False) or by someone outside it, such as a delegated administrator or Microsoft datacenter personnel (True)","isPreferredFacet":true},{"name":"OriginatingServer","type":"string","description":"The name of the server from which the cmdlet was executed","isPreferredFacet":true},{"name":"OrganizationName","type":"string","description":"The name of the tenant","isPreferredFacet":true},{"name":"Logon_Type","type":"string","description":"Indicates the type of user who accessed the mailbox and performed the operation that was logged","isPreferredFacet":true},{"name":"InternalLogonType","type":"int","description":"Reserved for internal use"},{"name":"MailboxGuid","type":"string","description":"The Exchange GUID of the mailbox that was accessed"},{"name":"MailboxOwnerUPN","type":"string","description":"The email address of the person who owns the mailbox that was accessed"},{"name":"MailboxOwnerSid","type":"string","description":"The SID of the mailbox owner"},{"name":"MailboxOwnerMasterAccountSid","type":"string","description":"Mailbox owner account's master account SID"},{"name":"LogonUserSid","type":"string","description":"The SID of the user who performed the operation"},{"name":"LogonUserDisplayName","type":"string","description":"The user-friendly name of the user who performed the operation"},{"name":"ClientInfoString","type":"string","description":"Information about the 
email client that was used to perform the operation"},{"name":"Client_IPAddress","type":"string","description":"The IP address of the device that was used when the operation was logged"},{"name":"ClientMachineName","type":"string","description":"The machine name that hosts the Outlook client","isPreferredFacet":true},{"name":"ClientProcessName","type":"string","description":"The email client that was used to access the mailbox","isPreferredFacet":true},{"name":"ClientVersion","type":"string","description":"The version of the email client ","isPreferredFacet":true},{"name":"Folder","type":"string","description":"The folder where a group of items is located"},{"name":"CrossMailboxOperations","type":"bool","description":"Indicates if the operation involved more than one mailbox","isPreferredFacet":true},{"name":"DestMailboxId","type":"string","description":"Set only if the CrossMailboxOperations parameter is True"},{"name":"DestMailboxOwnerUPN","type":"string","description":"Set only if the CrossMailboxOperations parameter is True"},{"name":"DestMailboxOwnerSid","type":"string","description":"Set only if the CrossMailboxOperations parameter is True"},{"name":"DestMailboxOwnerMasterAccountSid","type":"string","description":"Set only if the CrossMailboxOperations parameter is True"},{"name":"DestFolder","type":"string","description":"The destination folder"},{"name":"Folders","type":"string","description":"Information about the source folders involved in an operation"},{"name":"AffectedItems","type":"string","description":"Information about each item in the group"},{"name":"Item","type":"string","description":"Represents the item upon which the operation was performed"},{"name":"ModifiedProperties","type":"string","description":"The property is included for admin events, such as adding a user as a member of a site or a site collection admin group"},{"name":"SendAsUserSmtp","type":"string","description":"SMTP address of the user who is being 
impersonated"},{"name":"SendAsUserMailboxGuid","type":"string","description":"The Exchange GUID of the mailbox that was accessed to send email as"},{"name":"SendOnBehalfOfUserSmtp","type":"string","description":"SMTP address of the user on whose behalf the email is sent"},{"name":"SendonBehalfOfUserMailboxGuid","type":"string","description":"The Exchange GUID of the mailbox that was accessed to send mail on behalf of"},{"name":"ExtendedProperties","type":"string","description":"The extended properties of the Azure AD event"},{"name":"Client","type":"string","description":"Details about the client device, device OS, and device browser that was used for the account login event","isPreferredFacet":true},{"name":"LoginStatus","type":"int","description":"The raw login status code, taken directly from OrgIdLogon.LoginStatus. Mapping the individual logon failure codes to meaningful conditions is left to alerting logic","isPreferredFacet":true},{"name":"Actor","type":"string","description":"The user or service principal that performed the action"},{"name":"ActorContextId","type":"string","description":"The GUID of the organization that the actor belongs to"},{"name":"ActorIpAddress","type":"string","description":"The actor's IP address in IPV4 or IPV6 address format","isPreferredFacet":true},{"name":"InterSystemsId","type":"string","description":"The GUID that tracks the actions across components within the Office 365 service"},{"name":"IntraSystemId","type":"string","description":"The GUID that's generated by Azure Active Directory to track the action"},{"name":"SupportTicketId","type":"string","description":"The customer support ticket ID for the action in 'act-on-behalf-of' situations"},{"name":"TargetContextId","type":"string","description":"The GUID of the organization that the targeted user belongs to"},{"name":"DataCenterSecurityEventType","type":"int","description":"The type of cmdlet event in lock 
box","isPreferredFacet":true},{"name":"EffectiveOrganization","type":"string","description":"The name of the tenant that the elevation/cmdlet was targeted at","isPreferredFacet":true},{"name":"ElevationTime","type":"datetime","description":"The start time of the elevation","isPreferredFacet":true},{"name":"ElevationApprover","type":"string","description":"The name of a Microsoft manager","isPreferredFacet":true},{"name":"ElevationApprovedTime","type":"datetime","description":"The timestamp for when the elevation was approved"},{"name":"ElevationRequestId","type":"string","description":"A unique identifier for the elevation request"},{"name":"ElevationRole","type":"string","description":"The role the elevation was requested for","isPreferredFacet":true},{"name":"ElevationDuration","type":"int","description":"The duration for which the elevation was active (in Hours)"},{"name":"GenericInfo","type":"string","description":"Used for comments and other generic information"},{"name":"SourceSystem","type":"string","description":"The source system name","isPreferredFacet":true},{"name":"OfficeId","type":"string","description":"Unique identifier of an audit record"},{"name":"SourceRecordId","type":"string","description":"Unique identifier of an audit record","isPreferredFacet":true},{"name":"AzureActiveDirectory_EventType","type":"string","description":"The type of Azure AD event","isPreferredFacet":true},{"name":"AADTarget","type":"string","description":"The user that the action (identified by the Operation property) was performed on"},{"name":"Start_Time","type":"datetime","description":"The date and time at which the cmdlet was executed"},{"name":"OfficeTenantId","type":"string","description":"The office tenant id","isPreferredFacet":true},{"name":"TargetUserOrGroupName","type":"string","description":"Stores the UPN or name of the target user or group that a resource was shared 
with","isPreferredFacet":true},{"name":"TargetUserOrGroupType","type":"string","description":"Identifies whether the target user or group is a Member, Guest, Group, or Partner","isPreferredFacet":true},{"name":"MessageId","type":"string","description":"An identifier for a chat or channel message"},{"name":"Members","type":"dynamic","description":"A list of users within a Team"},{"name":"TeamName","type":"string","description":"The name of the team being audited","isPreferredFacet":true},{"name":"TeamGuid","type":"string","description":"A unique identifier for the team being audited"},{"name":"ChannelType","type":"string","description":"The type of channel being audited (Standard/Private)","isPreferredFacet":true},{"name":"ChannelName","type":"string","description":"The name of the channel being audited","isPreferredFacet":true},{"name":"ChannelGuid","type":"string","description":"A unique identifier for the channel being audited"},{"name":"ExtraProperties","type":"dynamic","description":"A list of extra properties"},{"name":"AddOnType","type":"string","description":"The type of add-on that generated this event","isPreferredFacet":true},{"name":"AddonName","type":"string","description":"The name of the add-on that generated this event","isPreferredFacet":true},{"name":"TabType","type":"string","description":"The type of tab that generated this event"},{"name":"Name","type":"string","description":"Only present for settings events. Name of the setting that changed","isPreferredFacet":true},{"name":"OldValue","type":"string","description":"Only present for settings events. Old value of the setting","isPreferredFacet":true},{"name":"NewValue","type":"string","description":"Only present for settings events. 
New value of the setting","isPreferredFacet":true},{"name":"ItemName","type":"string","description":"The string in the Subject field of the email message","isPreferredFacet":true},{"name":"ChatThreadId","type":"string","description":"The Id of the chat thread","isPreferredFacet":true},{"name":"ChatName","type":"string","description":"The name of the chat","isPreferredFacet":true},{"name":"CommunicationType","type":"string","description":"The type of communications that was conducted","isPreferredFacet":true},{"name":"AADGroupId","type":"string","description":"Azure Active Directory group id","isPreferredFacet":true},{"name":"AddOnGuid","type":"string","description":"The unique identifier of the add-on generated this event","isPreferredFacet":true},{"name":"AppDistributionMode","type":"string","description":"Application distribution mode","isPreferredFacet":true},{"name":"TargetUserId","type":"string","description":"Target user id","isPreferredFacet":true},{"name":"OperationScope","type":"string","description":"The scope the operation was performed on","isPreferredFacet":true},{"name":"AzureADAppId","type":"string","description":"Teams Application Azure AD ID","isPreferredFacet":true},{"name":"OperationProperties","type":"dynamic","description":"Additional operation properties","isPreferredFacet":true},{"name":"AppId","type":"string","description":"Application ID","isPreferredFacet":true},{"name":"ClientAppId","type":"string","description":"Client application ID","isPreferredFacet":true},{"name":"ApplicationId","type":"string","description":"SharePoint application ID","isPreferredFacet":true},{"name":"SRPolicyId","type":"string","description":"Policy ID","isPreferredFacet":true},{"name":"SRPolicyName","type":"string","description":"Policy name","isPreferredFacet":true},{"name":"SRRuleMatchDetails","type":"dynamic","description":"Rule details","isPreferredFacet":true},{"name":"IsManagedDevice","type":"bool","description":"Indicates if operation was created by a 
device managed by the organization","isPreferredFacet":true},{"name":"AppPoolName","type":"string","description":"The App pool name","isPreferredFacet":true},{"name":"AppAccessContext","type":"dynamic","description":"The application context for the user or service principal that performed the action.","isPreferredFacet":true},{"name":"Attendees","type":"dynamic","description":"The list of attendees for the meeting.","isPreferredFacet":true},{"name":"ArtifactsShared","type":"dynamic","description":"The artifacts shared in the meeting.","isPreferredFacet":true},{"name":"IsJoinedFromLobby","type":"bool","description":"Indicates whether the user joined from the lobby.","isPreferredFacet":true},{"name":"JoinTime","type":"datetime","description":"The time the user joined the meeting.","isPreferredFacet":true},{"name":"LeaveTime","type":"datetime","description":"The time the user left the meeting.","isPreferredFacet":true},{"name":"DeviceInformation","type":"string","description":"The user device information.","isPreferredFacet":true},{"name":"MeetingDetailId","type":"string","description":"The meeting detail ID.","isPreferredFacet":true},{"name":"ListItemUniqueId","type":"string","description":"The GUID that uniquely identifies a list item. 
This information is present only if it is applicable.","isPreferredFacet":true},{"name":"SensitivityLabelId","type":"string","description":"The current sensitivity label ID of the file.","isPreferredFacet":true},{"name":"UniqueSharingId","type":"string","description":"The unique sharing ID associated with the sharing operation.","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"solutions":["AzureSentinelPrivatePreview","SecurityInsights"]}},{"id":"OktaSystemLogs","name":"OktaSystemLogs","tableType":"Microsoft","description":"Okta System Logs data connector provides the capability to ingest audit and event logs from the Okta System Log API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform and uses the Okta System Log API to fetch the events. 
The connector supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parse the received security event data into custom columns so that queries don't need to parse it again, thus resulting in better performance.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"ActingAppName","type":"string","description":"The name of the application initiating the action."},{"name":"ActingAppType","type":"string","description":"The type of the application initiating the action (e.g., Browser, API client)."},{"name":"ActorDetailEntry","type":"dynamic","description":"Detailed information about the actor performing the action, if available."},{"name":"ActorDisplayName","type":"string","description":"The display name of the actor performing the action."},{"name":"ActorSessionId","type":"string","description":"The session ID associated with the actor performing the action."},{"name":"ActorUserId","type":"string","description":"The user ID of the actor performing the action, if applicable."},{"name":"ActorUserIdType","type":"string","description":"The type of user ID for the actor (e.g., OktaId)."},{"name":"ActorUsername","type":"string","description":"The username of the actor performing the action."},{"name":"ActorUsernameType","type":"string","description":"The type of username for the actor (e.g., UPN)."},{"name":"ActorUserType","type":"string","description":"The type of the actor (e.g., Regular, System Principal)."},{"name":"AuthenticationContextAuthenticationProvider","type":"string","description":"The authentication provider used in the context of the action."},{"name":"AuthenticationContextAuthenticationStep","type":"int","description":"The step in the authentication process when the action occurred."},{"name":"AuthenticationContextCredentialProvider","type":"string","description":"The credential provider 
used during the authentication process."},{"name":"AuthenticationContextInterface","type":"string","description":"The interface used during the authentication process (e.g., web, mobile)."},{"name":"AuthenticationContextIssuerId","type":"string","description":"The ID of the issuer involved in the authentication process."},{"name":"AuthenticationContextIssuerType","type":"string","description":"The type of the issuer involved in the authentication process."},{"name":"DebugData","type":"dynamic","description":"Additional debugging data related to the event."},{"name":"DvcAction","type":"string","description":"The result of the device action (e.g., Allow, Deny, Partial)."},{"name":"EventMessage","type":"string","description":"A descriptive message associated with the event."},{"name":"EventOriginalResultDetails","type":"string","description":"Details of the original result of the event outcome."},{"name":"EventOriginalType","type":"string","description":"The original type of the event before transformation."},{"name":"EventOriginalUid","type":"string","description":"The unique identifier for the original event."},{"name":"EventResult","type":"string","description":"The high-level result of the event (e.g., Success, Failure)."},{"name":"EventSeverity","type":"string","description":"The severity level of the event (e.g., Informational, High)."},{"name":"HttpUserAgent","type":"string","description":"The raw user-agent string of the client initiating the event."},{"name":"LegacyEventType","type":"string","description":"The legacy type identifier for the event, if applicable."},{"name":"LogonMethod","type":"string","description":"The method used for logging in (e.g., password, token)."},{"name":"OriginalActorAlternateId","type":"string","description":"The alternate ID of the actor in the original event data."},{"name":"OriginalClientDevice","type":"string","description":"The type of client device initiating the event (e.g., 
Computer)."},{"name":"OriginalOutcomeResult","type":"string","description":"The raw outcome result of the original event."},{"name":"OriginalSeverity","type":"string","description":"The raw severity level of the original event."},{"name":"OriginalTarget","type":"dynamic","description":"The original target(s) involved in the event."},{"name":"OriginalUserId","type":"string","description":"The original user ID in the event data."},{"name":"OriginalUserType","type":"string","description":"The type of user in the original event data."},{"name":"Request","type":"dynamic","description":"Details of the request associated with the event."},{"name":"SecurityContextAsNumber","type":"int","description":"The autonomous system (AS) number in the security context."},{"name":"SecurityContextAsOrg","type":"string","description":"The organization associated with the AS number in the security context."},{"name":"SecurityContextDomain","type":"string","description":"The domain involved in the security context."},{"name":"SecurityContextIsProxy","type":"bool","description":"Indicates whether a proxy is used in the security context."},{"name":"SrcDeviceType","type":"string","description":"The type of the source device (e.g., Computer)."},{"name":"SrcDvcId","type":"string","description":"The unique identifier for the source device."},{"name":"SrcDvcOs","type":"string","description":"The operating system of the source device."},{"name":"SrcGeoCity","type":"string","description":"The city of the source device's geographic location."},{"name":"SrcGeoCountry","type":"string","description":"The country of the source device's geographic location."},{"name":"SrcGeoLatitude","type":"real","description":"The latitude of the source device's geographic location."},{"name":"SrcGeoLongtitude","type":"real","description":"The longitude of the source device's geographic location."},{"name":"SrcGeoPostalCode","type":"string","description":"The postal code of the source device's geographic 
location."},{"name":"SrcGeoRegion","type":"string","description":"The region/state of the source device's geographic location."},{"name":"SrcIpAddr","type":"string","description":"The IP address of the source device."},{"name":"SrcIsp","type":"string","description":"The Internet Service Provider (ISP) of the source device."},{"name":"SrcZone","type":"string","description":"The network zone of the source device."},{"name":"TimeGenerated","type":"datetime","description":"The time the event was generated."},{"name":"TransactionDetail","type":"dynamic","description":"Details about the transaction associated with the event."},{"name":"TransactionId","type":"string","description":"The unique identifier of the transaction."},{"name":"TransactionType","type":"string","description":"The type of transaction associated with the event."},{"name":"Version","type":"string","description":"The version of the event format or schema."},{"name":"SrcDvcIdType","type":"string","description":"The type of source device ID (e.g., OktaId)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["054777d1-722e-4b86-512d-2bb21f562cc1"]}},{"id":"Operation","name":"Operation","tableType":"Microsoft","description":"Operational log of important activities affecting workspace. 
Includes both user-initiated activities and notifications from Log Analytics workspace services such as data-capping.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"Value is OpsManager for all records in this table.","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time that the record was created.","isPreferredFacet":true},{"name":"ManagementGroupName","type":"string","description":"Name of the Operations Manager management group for System Center Operations Manager agents.","isPreferredFacet":true},{"name":"SourceComputerId","type":"string","description":"Unique GUID identifier for a computer."},{"name":"OperationStatus","type":"string","description":"Operation status description. Common values include Warning, Succeeded, Failed, and Error.","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Name of a physical or virtual machine having membership with Log Analytics agent.","isPreferredFacet":true},{"name":"Detail","type":"string","description":"User friendly string that describes further details about the operation"},{"name":"OperationCategory","type":"string","description":"Name of the area that produced the record.","isPreferredFacet":true},{"name":"Solution","type":"string","description":"Name of the managed solution that produced the record. Can also include other sources such as RestAPI.","isPreferredFacet":true},{"name":"HelpLink","type":"string","description":"Reference URL for additional contextual information."},{"name":"OperationKey","type":"string","description":"Operation ID. 
Can be a GUID or string."},{"name":"ErrorId","type":"string","description":"Deprecated."},{"name":"CorrelationId","type":"string","description":"GUID that is shared with telemetry belonging to the same uber action."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["monitor"],"solutions":["LogManagement"],"functions":["4d3c573b-a3fd-4c2a-8566-fc0b6fbcf48c"]}},{"id":"OracleCloudDatabase","name":"OracleCloudDatabase","tableType":"Microsoft","description":"Oracle Cloud Event logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time Event Generated"},{"name":"OperationName","type":"string","description":"The name of the operation represented by this event"},{"name":"ResultDescription","type":"string","description":"The static text description of this operation"},{"name":"LifeCycleState","type":"string","description":"Current lifeCycleState of the resource generated event"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["audit"],"resourceTypes":["oracle.database/cloudvmclusters"],"solutions":["LogManagement"]}},{"id":"PFTitleAuditLogs","name":"PFTitleAuditLogs","tableType":"Microsoft","description":"Provides audit logs for various types of actions performed on an Azure PlayFab Title.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The operation name combined with operation type represents the action performed for which the log was generated."},{"name":"OperationType","type":"string","description":"The operation name combined with operation type represents the action performed for which the log was generated."},{"name":"Level","type":"string","description":"The severity level of the log, will be one of Informational, Warning, Error, or Critical."},{"name":"Location","type":"string","description":"The region of the Azure PlayFab Title, generating the log."},{"name":"PlayFabTitleId","type":"string","description":"ID of Azure PlayFab Title for which the log was generated."},{"name":"PlayFabPlayerAccountPoolId","type":"string","description":"ID of Azure PlayFab PlayerAccountPool associated with the Azure PlayFab Title for which the log was generated."},{"name":"UserId","type":"string","description":"ID of the user who performed the action which generated the log."},{"name":"UserName","type":"string","description":"Name or Email of the user who performed the action which generated the log."},{"name":"ModifiedPlayerId","type":"string","description":"Player ID on which the action was taken."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the 
resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.playfab/titles"],"solutions":["LogManagement"]}},{"id":"PGSQLAutovacuumStats","name":"PGSQLAutovacuumStats","tableType":"Microsoft","description":"Information related to autovacuum and schema level statistics of an Azure Database for PostgreSQL Flexible Servers.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"LogicalServerName","type":"string","description":"Logical name of the instance."},{"name":"ReplicaRole","type":"string","description":"Replica role example. Primary or secondary."},{"name":"DatabaseName","type":"string","description":"Name of the database the schema belongs to."},{"name":"SchemaName","type":"string","description":"Name of the schema the statistics were collected from."},{"name":"LiveRowsCount","type":"long","description":"Estimated number of live rows of all tables in this schema."},{"name":"DeadRowsCount","type":"long","description":"Estimated number of dead rows of all tables in this schema."},{"name":"SeqentialScansCount","type":"long","description":"Number of sequential scans initiated on all tables in this schema."},{"name":"RowsFromSeqentialScansCount","type":"long","description":"Number of live rows fetched by sequential scans on all tables in this schema."},{"name":"IndexScansCount","type":"long","description":"Number of index scans initiated on all tables in this schema."},{"name":"RowsFromIndexScansCount","type":"long","description":"Number of live rows fetched by index scans on all tables in this schema."},{"name":"RowsInsertedCount","type":"long","description":"Number of rows 
inserted in all tables in this schema."},{"name":"RowsUpdatedCount","type":"long","description":"Number of rows updated from all tables in this schema (includes HOT updated rows)."},{"name":"RowsDeletedCount","type":"long","description":"Number of rows deleted from all tables in this schema."},{"name":"RowsHotUpdatedCount","type":"long","description":"Number of rows HOT updated from all tables in this schema (i.e., with no separate index update required)."},{"name":"ModificationsSinceAnalyzeCount","type":"long","description":"Estimated number of rows modified from all tables since last analyzed of each individual table in this schema."},{"name":"VacuumCount","type":"long","description":"Number of times tables have been manually vacuumed in this schema (not counting VACUUM FULL)."},{"name":"AutovacuumCount","type":"long","description":"Number of times tables have been vacuumed by the autovacuum daemon in this schema."},{"name":"AnalyzeCount","type":"long","description":"Number of times tables have been manually analyzed in this schema."},{"name":"AutoanalyzeCount","type":"long","description":"Number of times tables have been analyzed by the autovacuum daemon in this schema."},{"name":"TablesCount","type":"long","description":"Number of tables in this schema."},{"name":"TablesVacuumedCount","type":"long","description":"Number of tables that were manually vacuumed in this schema."},{"name":"TablesAutovacuumedCount","type":"long","description":"Number of tables that were vacuumed by the autovacuum daemon in this schema."},{"name":"TablesAnalyzedCount","type":"long","description":"Number of tables that were manually analyzed in this schema."},{"name":"TablesAutoanalyzedCount","type":"long","description":"Number of tables that were analyzed by the autovacuum daemon in this schema."},{"name":"Location","type":"string","description":"Location of Azure Database for PostgreSQL Flexible 
server."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"solutions":["LogManagement"],"queries":["c5ec4e2d-c7b3-42c3-9150-6ec344d62ee3","73917797-b07e-495f-874e-337d5c089123","3412a5f6-4520-4ac5-bd10-6b137a30845e"],"functions":["f7a72ca9-df71-4cfb-811a-ea70469f3e3f"]}},{"id":"PGSQLDbTransactionsStats","name":"PGSQLDbTransactionsStats","tableType":"Microsoft","description":"Remaining transactions and multixact IDs for each database of an Azure Database for PostgreSQL Flexible Server.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"LogicalServerName","type":"string","description":"Logical name of the instance."},{"name":"ReplicaRole","type":"string","description":"Replica role example. 
Primary or secondary."},{"name":"DatabaseName","type":"string","description":"Name of the database."},{"name":"UserId","type":"int","description":"Owner of the database, usually the user who created it."},{"name":"ConnectionsLimit","type":"int","description":"Maximum number of concurrent connections that can be made to this database, -1 means no limit."},{"name":"MinMultixactId","type":"long","description":"All multixact IDs before this one have been replaced with a transaction ID in this database."},{"name":"MinMultixactIdAge","type":"long","description":"Age in transactions of multixact ID in this database."},{"name":"TransactionIdFrozen","type":"long","description":"All transaction IDs before this one have been replaced with a permanent ('frozen') transaction ID in this database."},{"name":"TransactionIdFrozenAge","type":"long","description":"Age in transactions of TransactionIdFrozen in this database."},{"name":"VacuumFreezeMinAge","type":"int","description":"Value of the parameter vacuum_freeze_min_age at the collection time."},{"name":"AutovacuumFreezeMaxAge","type":"int","description":"Value of the parameter autovacuum_freeze_max_age at the collection time."},{"name":"RemainingTransactionIds","type":"long","description":"Remaining transaction IDs in this database."},{"name":"RemainingTransactionIdsTillEmergencyAV","type":"long","description":"Remaining transaction IDs in this database till emergency autovacuum is triggered."},{"name":"RemainingTransactionIdsTillWraparound","type":"long","description":"Remaining transaction IDs in this database till wraparound protection will be triggered."},{"name":"VacuumMultixactFreezeMinAge","type":"int","description":"Value of the parameter vacuum_multixact_freeze_min_age at the collection time."},{"name":"AutovacuumMultixactFreezeMaxAge","type":"int","description":"Value of the parameter autovacuum_multixact_freeze_max_age at the collection time."},{"name":"RemainingMultixactIds","type":"long","description":"Remaining 
multixact IDs in this database."},{"name":"RemainingMultixactIdsTillEmergencyAV","type":"long","description":"Remaining multixact IDs in this database till emergency autovacuum is triggered."},{"name":"RemainingMultixactIdsTillWraparound","type":"long","description":"Remaining multixact IDs in this database till wraparound protection will be triggered."},{"name":"Location","type":"string","description":"Location of Azure Database for PostgreSQL Flexible server."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"solutions":["LogManagement"],"queries":["d8825350-6728-45cd-8120-edf428e459f1"],"functions":["2d003852-e92b-49b3-b12e-164332b0edab"]}},{"id":"PGSQLPgBouncer","name":"PGSQLPgBouncer","tableType":"Microsoft","description":"PgBouncer logs of an Azure Database for PostgreSQL Flexible Server.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"LogLevel","type":"string","description":"Log level, Error or Informational."},{"name":"Message","type":"string","description":"Message from PG Bouncer log."},{"name":"Location","type":"string","description":"Location of PG server."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"solutions":["LogManagement"],"queries":["f88e66dd-2057-47d3-9758-3aab93c7602a"],"functions":["d6dad52a-5669-4cb4-bbbe-d5d1e4f9435d"]}},{"id":"PGSQLPgStatActivitySessions","name":"PGSQLPgStatActivitySessions","tableType":"Microsoft","description":"Session's data collected from PostgreSQL pg_stat_activity system view of an Azure Database for PostgreSQL Flexible Server. Contains one row per connection referred here as a backend and the data is collected at an interval of 5-minutes.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"LogicalServerName","type":"string","description":"Logical name of the instance."},{"name":"ReplicaRole","type":"string","description":"Replica role example. Primary or secondary."},{"name":"DatabaseId","type":"int","description":"ID (OID) of the database this backend is connected to."},{"name":"DatabaseName","type":"string","description":"Name of the database this backend is connected to."},{"name":"ProcessId","type":"int","description":"Process ID (PID) of this backend."},{"name":"UserId","type":"int","description":"ID (OID) of the user logged into this backend."},{"name":"ApplicationName","type":"string","description":"Name of the application that is connected to this backend."},{"name":"ClientIpAddress","type":"string","description":"IP address of the client connected to this backend. 
If this field is empty, it indicates either that the client is connected via a Unix socket on the server machine or that this is an internal process such as autovacuum. The last octet of the IP is obfuscated."},{"name":"State","type":"string","description":"State of this backend at the collection time."},{"name":"WaitEventType","type":"string","description":"The type of event for which the backend is waiting, if any, otherwise empty string."},{"name":"WaitEvent","type":"string","description":"Wait event name if backend is currently waiting, otherwise empty string."},{"name":"BackendStartTime","type":"datetime","description":"Time when this process was started. For client backends, this is the time the client connected to the server."},{"name":"TransactionStartTime","type":"datetime","description":"Time when this process' current transaction was started, or empty if no transaction is active."},{"name":"QueryStartTime","type":"datetime","description":"Time when the currently active query was started, or if state is not active, when the last query was started."},{"name":"StateChangeTime","type":"datetime","description":"Time when the state was last changed."},{"name":"CollectionTime","type":"datetime","description":"The collection time indicating the time when the information was collected."},{"name":"TransactionId","type":"long","description":"Top-level transaction identifier of this backend, if any."},{"name":"OldestTransactionId","type":"long","description":"The oldest transaction ID that a backend is currently seeing."},{"name":"BackendType","type":"string","description":"Type of current backend."},{"name":"Location","type":"string","description":"Location of Azure Database for PostgreSQL Flexible server."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier 
for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"solutions":["LogManagement"],"queries":["b61211bc-abef-4e01-b6f5-9154166f9021","8c1d6f16-f409-4be5-a36e-e7366e91fbc8","0f906ebd-a275-4f19-afb8-66956e3de6ba"],"functions":["86401b72-78ca-46bd-a1ef-2f63d9230a5c"]}},{"id":"PGSQLQueryStoreQueryText","name":"PGSQLQueryStoreQueryText","tableType":"Microsoft","description":"The query text captured by Query Store in Azure Database for PostgreSQL Flexible Server.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"LogicalServerName","type":"string","description":"Logical name of the instance."},{"name":"ReplicaRole","type":"string","description":"Replica role example. 
Primary or secondary."},{"name":"QueryId","type":"string","description":"Unique query ID of the statement that is an internal hash code, computed from the statement's parse tree."},{"name":"QueryText","type":"string","description":"The SQL text of the query."},{"name":"Location","type":"string","description":"Location of Azure Database for PostgreSQL Flexible server."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"solutions":["LogManagement"]}},{"id":"PGSQLQueryStoreRuntime","name":"PGSQLQueryStoreRuntime","tableType":"Microsoft","description":"Query Store runtime statistics related to query execution information of an Azure Database for PostgreSQL Flexible Server.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"LogicalServerName","type":"string","description":"Logical name of the instance."},{"name":"ReplicaRole","type":"string","description":"Replica role example. 
Primary or secondary."},{"name":"RuntimeStatsEntryId","type":"long","description":"ID of the runtime entry."},{"name":"UserId","type":"int","description":"ID (OID) of the user that executed the statement."},{"name":"DatabaseId","type":"int","description":"ID (OID) of database in which the statement was executed."},{"name":"QueryId","type":"string","description":"Unique query ID of the statement that is an internal hash code, computed from the statement's parse tree."},{"name":"PlanId","type":"long","description":"ID of the plan corresponding to this query if plan store is enabled, otherwise the field is empty."},{"name":"StartTime","type":"datetime","description":"The start time corresponding to the time bucket for this entry. Queries are aggregated by time buckets."},{"name":"EndTime","type":"datetime","description":"The end time corresponding to the time bucket for this entry. Queries are aggregated by time buckets."},{"name":"Calls","type":"long","description":"Number of times the query executed within this time bucket."},{"name":"TotalExecDurationMs","type":"real","description":"Total query execution duration in milliseconds for all calls in this time bucket."},{"name":"MinExecDurationMs","type":"real","description":"Minimum query execution duration in milliseconds in this time bucket."},{"name":"MaxExecDurationMs","type":"real","description":"Maximum query execution duration in milliseconds in this time bucket."},{"name":"MeanExecDurationMs","type":"real","description":"Mean query execution duration in milliseconds in this time bucket."},{"name":"StdDevExecDurationMs","type":"real","description":"Standard deviation of the query execution duration time in milliseconds in this time bucket."},{"name":"Rows","type":"long","description":"Total number of rows retrieved or affected by the statement for all calls in this time bucket."},{"name":"SharedBlksHit","type":"long","description":"Total number of shared block cache hits by the statement for all calls in this 
time bucket."},{"name":"SharedBlksRead","type":"long","description":"Total number of shared blocks read by the statement for all calls in this time bucket."},{"name":"SharedBlksDirtied","type":"long","description":"Total number of shared blocks dirtied by the statement for all calls in this time bucket."},{"name":"SharedBlksWritten","type":"long","description":"Total number of shared blocks written by the statement for all calls in this time bucket."},{"name":"LocalBlksHit","type":"long","description":"Total number of local block cache hits by the statement for all calls in this time bucket."},{"name":"LocalBlksRead","type":"long","description":"Total number of local blocks read by the statement for all calls in this time bucket."},{"name":"LocalBlksDirtied","type":"long","description":"Total number of local blocks dirtied by the statement for all calls in this time bucket."},{"name":"LocalBlksWritten","type":"long","description":"Total number of local blocks written by the statement for all calls in this time bucket."},{"name":"TempBlksRead","type":"long","description":"Total number of temporary file blocks read by the statement for all calls in this time bucket."},{"name":"TempBlksWritten","type":"long","description":"Total number of temporary file blocks written by the statement for all calls in this time bucket."},{"name":"BlkReadTime","type":"real","description":"Total time the statement spent reading blocks in milliseconds for all calls in this time bucket. Only available if track_io_timing is enabled, otherwise zero."},{"name":"BlkWriteTime","type":"real","description":"Total time the statement spent writing blocks in milliseconds for all calls in this time bucket. Only available if track_io_timing is enabled, otherwise zero."},{"name":"IsSystemQuery","type":"bool","description":"Boolean value indicating if the query is run by Azure managed system user."},{"name":"QueryType","type":"string","description":"Indicates the query type of the statement. 
Possible values: select, update, insert, delete, utility, nothing, unknown."},{"name":"SearchPath","type":"string","description":"Value of search_path set at the time the query was captured."},{"name":"SearchPathCaptureStatus","type":"string","description":"Indicates the status of capturing the search_path."},{"name":"ParametersCaptureStatus","type":"string","description":"Indicates the status of capturing parameters of a parameterized query."},{"name":"Location","type":"string","description":"Location of Azure Database for PostgreSQL Flexible server."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"solutions":["LogManagement"],"queries":["f41d96e1-a466-434c-96ba-f7ae31601398","bd908e0d-680a-40b9-88c2-b7fedf053c96","98ce5af3-de4d-45ac-91dc-b8a42f9bd2a4"],"functions":["7625213e-e8e7-433c-9f64-fdc984ad7ee0"]}},{"id":"PGSQLQueryStoreWaits","name":"PGSQLQueryStoreWaits","tableType":"Microsoft","description":"Query Store wait statistics sampled of an Azure Database for PostgreSQL Flexible Server. 
Wait event types combine different wait events into buckets by similarity.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"LogicalServerName","type":"string","description":"Logical name of the instance."},{"name":"ReplicaRole","type":"string","description":"Replica role example. Primary or secondary."},{"name":"UserId","type":"int","description":"ID (OID) of the user that executed the statement. 0 indicates it is a background worker or a system call."},{"name":"DatabaseId","type":"int","description":"ID (OID) of database in which the statement was executed. 0 indicates it is a background worker or a system call."},{"name":"QueryId","type":"string","description":"Unique query ID of the statement that is an internal hash code, computed from the statement's parse tree. 0 indicates it was a background worker or system call."},{"name":"StartTime","type":"datetime","description":"The start time corresponding to the time bucket for this entry. Entries are aggregated by time buckets."},{"name":"EndTime","type":"datetime","description":"The end time corresponding to the time bucket for this entry. Entries are aggregated by time buckets."},{"name":"EventType","type":"string","description":"The PostgreSQL type of event for which the backend is waiting."},{"name":"Event","type":"string","description":"The PostgreSQL wait event name if backend is currently waiting."},{"name":"Calls","type":"long","description":"Number of the same event captured for this entry. 
Entries are aggregated by time buckets."},{"name":"Location","type":"string","description":"Location of Azure Database for PostgreSQL Flexible server."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"solutions":["LogManagement"],"queries":["f749c7ac-5407-4926-a42f-b8c684d6b169","6cba4bad-1a95-4970-9fc6-1a5f6936187b"],"functions":["cd3f45c0-2b70-42d9-bbad-cbbe7f3ee715"]}},{"id":"PGSQLServerLogs","name":"PGSQLServerLogs","tableType":"Microsoft","description":"PostgreSQL Server logs of an Azure Database for PostgreSQL Flexible Server.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"LogicalServerName","type":"string","description":"Logical name of the instance."},{"name":"ReplicaRole","type":"string","description":"Replica role example. 
Primary or secondary."},{"name":"ProcessId","type":"int","description":"Process ID of the PostgreSQL backend."},{"name":"ErrorLevel","type":"string","description":"Logging level, example: LOG, ERROR, NOTICE."},{"name":"SqlErrorCode","type":"string","description":"PostgreSQL Error code that follows the SQL standard's conventions for SQLSTATE codes."},{"name":"Message","type":"string","description":"Primary log message."},{"name":"Detail","type":"string","description":"Detail log message (if applicable)."},{"name":"DetailLog","type":"string","description":"Extended detail log message (if applicable)."},{"name":"Hint","type":"string","description":"Message hint (if applicable)."},{"name":"Query","type":"string","description":"Internal query that led to the error (if applicable)."},{"name":"Context","type":"string","description":"Error context (if applicable)."},{"name":"Statement","type":"string","description":"Query string (if applicable)."},{"name":"SchemaName","type":"string","description":"Name of the schema (if applicable)."},{"name":"TableName","type":"string","description":"Name of the table (if applicable)."},{"name":"ColumnName","type":"string","description":"Name of the column (if applicable)."},{"name":"DatatypeName","type":"string","description":"Name of the datatype (if applicable)."},{"name":"ConstraintName","type":"string","description":"Name of the constraint (if applicable)."},{"name":"BackendType","type":"string","description":"Type of current backend. 
Available for PostgreSQL 14 and later."},{"name":"Location","type":"string","description":"Location of Azure Database for PostgreSQL Flexible server."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.dbforpostgresql/flexibleservers"],"solutions":["LogManagement"],"queries":["6c056893-0853-4a39-9638-35a5b0644363","61d8a45e-1589-489f-8d69-792c36fa8967","80ddf123-662f-408d-b1c9-1efcaee4ea25","3c0316ed-8069-4b75-8247-519398618f34","8c11b79a-eff0-439c-a54c-519a0cdc30cf","abca51a5-f135-4977-af75-46670f36017c","c50219bc-5393-40c6-b7aa-d5ac8cd065b8","c8e78040-e38f-46d1-a4ca-ec3fa1ea3c92","faffa3cc-01d7-4c65-9dcd-15c65d8db91f","54526cff-06de-4bec-bfa5-6909c04908bb"],"functions":["bd5b5b75-dad2-40f2-b2f1-a58a0b41106d"]}},{"id":"Perf","name":"Perf","tableType":"Microsoft","description":"Performance counters from Windows agents that provide insight into the performance of hardware components, operating systems, and applications.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"Computer","type":"string","description":"Computer that the counter was collected from."},{"name":"ObjectName","type":"string","description":"Performance object for the counter."},{"name":"CounterName","type":"string","description":"Name of the performance counter."},{"name":"InstanceName","type":"string","description":"Counter instance name. 
Empty when no instance applies."},{"name":"CounterValue","type":"real","description":"Value of the performance counter sample."},{"name":"TimeGenerated","type":"datetime","description":"Date and time the counter was recorded."},{"name":"SourceSystem","type":"string","description":"Type of agent that collected the counter sample."},{"name":"CounterPath","type":"string","description":"Full path of the counter in the form \\\\\\ObjectName(InstanceName)\\CounterName."},{"name":"Min","type":"real"},{"name":"Max","type":"real"},{"name":"SampleCount","type":"int"},{"name":"BucketStartTime","type":"datetime"},{"name":"BucketEndTime","type":"datetime"},{"name":"StandardDeviation","type":"real"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["monitor","virtualmachines","container"],"resourceTypes":["microsoft.operationalinsights/workspaces","microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets","microsoft.azurestackhci/clusters","microsoft.hybridcontainerservice/provisionedclusters"],"solutions":["LogManagement"]}},{"id":"PerfInsightsFindings","name":"PerfInsightsFindings","tableType":"Microsoft","description":"This table contains information about individual PerfInsights findings.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the log was generated. 
This column can be used to construct a time series or to filter data to a specific time window. Example: 2014-05-25T08:20:03.123456Z."},{"name":"DataSetRunId","type":"string","description":"The identifier of the Data Set run for which this data was collected."},{"name":"FindingPartitionKey","type":"string","description":"Partition key used to access the finding."},{"name":"FindingId","type":"string","description":"Unique identifier for the finding."},{"name":"ReportId","type":"string","description":"Reference to the parent report ID."},{"name":"RuleFriendlyName","type":"string","description":"Name of the rule that generated the finding."},{"name":"RuleCategory","type":"string","description":"Category of the finding."},{"name":"ImpactLevel","type":"string","description":"Impact level of the finding (High, Medium, Low)."},{"name":"Recommendation","type":"string","description":"Recommended action to address the finding."},{"name":"ReferenceLinks","type":"dynamic","description":"List of reference URLs."},{"name":"Finding","type":"string","description":"The detailed description of the finding."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","virtualmachines"],"resourceTypes":["microsoft.azuremonitordiagnosticsagents/datacollection","microsoft.compute/virtualmachines","microsoft.compute/virtualmachinescalesets"],"solutions":["LogManagement"]}},{"id":"PerfInsightsImpactedResources","name":"PerfInsightsImpactedResources","tableType":"Microsoft","description":"This table contains information about resources impacted by an individual PerfInsights 
finding.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time (UTC) when the log was generated. This column can be used to construct a time series or to filter data to a specific time window. Example: 2014-05-25T08:20:03.123456Z."},{"name":"DataSetRunId","type":"string","description":"The identifier of the Data Set run for which this data was collected."},{"name":"FindingId","type":"string","description":"Reference to the parent finding ID."},{"name":"ImpactedResourceName","type":"string","description":"Name of the impacted resource."},{"name":"ImpactedResourceValue","type":"string","description":"Value of the impacted resource."},{"name":"Details","type":"dynamic","description":"JSON string containing relevant details of the impacted resource."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","virtualmachines"],"resourceTypes":["microsoft.azuremonitordiagnosticsagents/datacollection","microsoft.compute/virtualmachines","microsoft.compute/virtualmachinescalesets"],"solutions":["LogManagement"],"queries":["e70b8048-60cc-485e-aa4c-13681020dc97"]}},{"id":"PerfInsightsRun","name":"PerfInsightsRun","tableType":"Microsoft","description":"This table contains information about PerfInsights runs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and 
time (UTC) when the log was generated. This column can be used to construct a time series or to filter data to a specific time window. Example: 2014-05-25T08:20:03.123456Z."},{"name":"DataSetRunId","type":"string","description":"The identifier of the Data Set run for which this data was collected."},{"name":"PerfInsightsResourceId","type":"string","description":"Resource URI in PerfInsights format."},{"name":"ReportId","type":"string","description":"Report Id."},{"name":"Scenario","type":"string","description":"The scenario being analyzed."},{"name":"PerfInsightsExeFileVersion","type":"string","description":"Version of the PerfInsights executable."},{"name":"StartTimeUtc","type":"datetime","description":"Start time of the performance analysis in UTC."},{"name":"EndTimeUtc","type":"datetime","description":"End time of the performance analysis in UTC."},{"name":"CommandLine","type":"string","description":"Command line used to run the performance analysis."},{"name":"HighImpactFindings","type":"int","description":"Count of high impact findings."},{"name":"MediumImpactFindings","type":"int","description":"Count of medium impact findings."},{"name":"LowImpactFindings","type":"int","description":"Count of low impact findings."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","virtualmachines"],"resourceTypes":["microsoft.azuremonitordiagnosticsagents/datacollection","microsoft.compute/virtualmachines","microsoft.compute/virtualmachinescalesets"],"solutions":["LogManagement"]}},{"id":"PowerAppsActivity","name":"PowerAppsActivity","tableType":"Microsoft","description":"Contains Microsoft Power Apps activity logs that track events like creation, deletion, updates, permission changes, and app launches.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"EventOriginalUid","type":"string","description":"Unique identifier of an audit record."},{"name":"RecordType","type":"string","description":"The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records."},{"name":"TimeGenerated","type":"datetime","description":"The date and time (UTC) when the user performed the activity."},{"name":"EventOriginalType","type":"string","description":"The name of the user or admin activity that performed the activity. For a description of the most common operations/activities, see \"Search the audit log\" in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. For Dlp events, this can be \"DlpRuleMatch\", \"DlpRuleUndo\" or \"DlpInfo\", which are described under \"DLP schema\" below."},{"name":"OrganizationId","type":"string","description":"The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."},{"name":"ActorUserType","type":"string","description":"The type of user that performed the operation. 
For example: Admin, System, Application, Service Principal, Guest or Other."},{"name":"ActorUserId","type":"string","description":"An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts."},{"name":"EventResult","type":"string","description":"Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed."},{"name":"ObjectId","type":"string","description":"The full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet."},{"name":"ActorName","type":"string","description":"The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the \"user\" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records."},{"name":"SrcIpAddr","type":"string","description":"The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. 
For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by the person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null."},{"name":"TargetAppName","type":"string","description":"The name of the app where the event occurred."},{"name":"Workload","type":"string","description":"The Office 365 service where the activity occurred."},{"name":"AdditionalInfo","type":"dynamic","description":"Additional information, if any (e.g. the environment name)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","audit"],"solutions":["SecurityInsights"],"queries":["d5eec317-3dee-4aa9-92ec-28af5f25242f"]}},{"id":"PowerAutomateActivity","name":"PowerAutomateActivity","tableType":"Microsoft","description":"Contains Microsoft Power Automate audit logs. It's typically used to track Power Automate activities.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"EventOriginalUid","type":"string","description":"Unique identifier of an audit record."},{"name":"RecordType","type":"string","description":"The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records."},{"name":"TimeGenerated","type":"datetime","description":"The date and time (UTC) when the user performed the activity."},{"name":"EventOriginalType","type":"string","description":"The name of the user or admin activity that performed the activity. 
For a description of the most common operations/activities, see \"Search the audit log\" in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. For Dlp events, this can be \"DlpRuleMatch\", \"DlpRuleUndo\" or \"DlpInfo\", which are described under \"DLP schema\" below."},{"name":"OrganizationId","type":"string","description":"The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."},{"name":"ActorUserType","type":"string","description":"The type of user that performed the operation. Possible types are: Admin, System, Application, Service Principal and Other."},{"name":"ActorUserId","type":"string","description":"An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts."},{"name":"EventResult","type":"string","description":"Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed."},{"name":"ObjectId","type":"string","description":"The full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet."},{"name":"ActorName","type":"string","description":"The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. 
In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the \"user\" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records."},{"name":"SrcIpAddr","type":"string","description":"The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null."},{"name":"RecipientUpn","type":"string","description":"If permission was updated, shows the UPN of the permission recipient."},{"name":"FlowConnectorNames","type":"string","description":"Connector names listed in the flow."},{"name":"FlowDetailsUrl","type":"string","description":"Link to the flow's details page."},{"name":"LicenseDisplayName","type":"string","description":"Display name of the license."},{"name":"SharingPermission","type":"string","description":"Type of permission shared with another user (3 = Owner/ReadWrite, 2 = Run-only user/Read)."},{"name":"UserUpn","type":"string","description":"Unique ID of the user. 
Always equivalent to UserKey."},{"name":"Workload","type":"string","description":"The Office 365 service where the activity occurred."},{"name":"AdditionalInfo","type":"dynamic","description":"More information, for example, the environment name."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","audit"],"solutions":["SecurityInsights"],"queries":["65800d1d-80dd-4792-a147-5ce60fdd84bb"]}},{"id":"PowerBIActivity","name":"PowerBIActivity","tableType":"Microsoft","description":"Contains Microsoft PowerBI audit logs. It's typically used to track PowerBI activities.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"EventOriginalUid","type":"string","description":"Unique identifier of an audit record."},{"name":"RecordType","type":"string","description":"The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records."},{"name":"TimeGenerated","type":"datetime","description":"The date and time in (UTC) when the user performed the activity."},{"name":"EventOriginalType","type":"string","description":"The name of the user or admin activity that performed the activity. For a description of the most common operations/activities, see \"Search the audit log\" in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. For Dlp events, this can be \"DlpRuleMatch\", \"DlpRuleUndo\" or \"DlpInfo\", which are described under \"DLP schema\" below."},{"name":"OrganizationId","type":"string","description":"The GUID for your organization's Office 365 tenant. 
This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."},{"name":"UserType","type":"string","description":"The type of user that performed the operation. Possible types are: Admin, System, Application, Service Principal and Other."},{"name":"ActorUserType","type":"string","description":"The type of user that performed the operation. Possible types are: Admin, System, Application, Service Principal and Other."},{"name":"ActorUserId","type":"string","description":"An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts."},{"name":"EventResult","type":"string","description":"Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed."},{"name":"ObjectId","type":"string","description":"The full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet."},{"name":"ActorName","type":"string","description":"The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. In SharePoint, another value displayed in the UserId property is app@sharepoint. 
This indicates that the \"user\" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records."},{"name":"SrcIpAddr","type":"string","description":"The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null."},{"name":"Scope","type":"string","description":"Event can be created by a hosted Office 365 service or an on-premises server. Possible values are online and onprem. 
Note that SharePoint is the only workload currently sending events from on-premises to Office 365."},{"name":"TargetAppName","type":"string","description":"The name of the app where the event occurred."},{"name":"DashboardName","type":"string","description":"The name of the dashboard where the event occurred."},{"name":"DataClassification","type":"string","description":"The data classification, if one exists, for the dashboard where the event occurred."},{"name":"DatasetName","type":"string","description":"The name of the dataset where the event occurred."},{"name":"MembershipInformation","type":"string","description":"Membership information about the group."},{"name":"OrgAppPermission","type":"string","description":"Permissions list for an organizational app (entire organization, specific users, or specific groups)."},{"name":"ReportName","type":"string","description":"The name of the report where the event occurred."},{"name":"SharingInformation","type":"string","description":"Information about the person to whom a sharing invitation is sent."},{"name":"SwitchState","type":"string","description":"Information about the state of various tenant level switches."},{"name":"PbiWorkspaceName","type":"string","description":"The name of the PowerBI workspace where the event occurred."},{"name":"EventProduct","type":"string","description":"The Microsoft product name (PowerBI)."},{"name":"EventVendor","type":"string","description":"Service vendor name."},{"name":"UserAgent","type":"string","description":"Information about the user's browser. 
This information is supplied by the client (browser) and can be set to any value, so it should be treated as untrusted and not relied on as an identifier."},{"name":"Activity","type":"string","description":"The name of the user or admin activity."},{"name":"ItemName","type":"string","description":"The name of the item that the activity was performed on."},{"name":"WorkspaceId","type":"string","description":"The ID of the PowerBI workspace."},{"name":"DashboardId","type":"string","description":"The ID of the dashboard that the activity was performed on."},{"name":"IsSuccess","type":"string","description":"Indicates whether the action was successful or not."},{"name":"RequestId","type":"string","description":"A unique identifier for the request."},{"name":"Workload","type":"string","description":"The Office 365 service where the activity occurred."},{"name":"ActivityId","type":"string","description":"A unique identifier for the activity."},{"name":"DistributionMethod","type":"string","description":"Indicates the distribution method of the content."},{"name":"FolderAccessRequests","type":"dynamic","description":"List of users that requested access to the folder."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","audit"],"solutions":["SecurityInsights"],"queries":["d5f248e0-45a6-45a7-9bd2-8ef963d39a05"]}},{"id":"PowerBIDatasetsTenant","name":"PowerBIDatasetsTenant","tableType":"Microsoft","description":"Contains Analysis Services engine process events such as the start of a batch or transaction e.g. execute query, process partition. Typically used to monitor the performance, health and usage of Power BI's data engine. 
Contains information from the entire tenant.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log entry was generated."},{"name":"OperationName","type":"string","description":"The operation associated with the log record."},{"name":"CorrelationId","type":"string","description":"An event ID that can be used to correlate events between multiple tables."},{"name":"PowerBIWorkspaceId","type":"string","description":"Unique identifier of the Power BI workspace that contains the artifact being operated on."},{"name":"PremiumCapacityId","type":"string","description":"Unique identifier of the Premium capacity hosting the artifact being operated on."},{"name":"ApplicationContext","type":"dynamic","description":"Unique identifiers providing details about the context of the operation. E.g. Report ID, DatasetID."},{"name":"ApplicationName","type":"string","description":"Contains the name of the client application that created the connection to the Power BI dataset. This is self-reported by the client application and is optional, so it should not be relied on as a trustworthy identifier."},{"name":"ArtifactId","type":"string","description":"Unique ID of the resource logging the data."},{"name":"ArtifactKind","type":"string","description":"Type of artifact logging the operation e.g. Dataset."},{"name":"CpuTimeMs","type":"long","description":"Amount of CPU time (in milliseconds) used by the operation."},{"name":"ArtifactName","type":"string","description":"The name of the Power BI artifact logging this operation."},{"name":"LogAnalyticsCategory","type":"string","description":"Unique category of the events like Audit/Security/Request."},{"name":"DatasetMode","type":"string","description":"The mode of the dataset. 
Import, DirectQuery or Composite."},{"name":"DurationMs","type":"long","description":"Amount of time (in milliseconds) taken by the operation."},{"name":"User","type":"string","description":"The user on whose behalf the operation is running. Used when an end user identity must be impersonated on the server."},{"name":"ExecutingUser","type":"string","description":"The user executing the operation."},{"name":"OperationDetailName","type":"string","description":"Provides subcategories of OperationName."},{"name":"XmlaObjectPath","type":"string","description":"A comma-separated list of parents, starting with the object's parent."},{"name":"PowerBIWorkspaceName","type":"string","description":"Name of the Power BI workspace containing the artifact."},{"name":"StatusCode","type":"int","description":"Status code of the operation. It covers success and failure."},{"name":"ProgressCounter","type":"long","description":"Progress Counter."},{"name":"XmlaProperties","type":"string","description":"Properties of the XMLA request."},{"name":"XmlaSessionId","type":"string","description":"Analysis services session identifier."},{"name":"Level","type":"string","description":"Contains the severity level of the operation being logged. Success, Informational, Warning, or Error."},{"name":"Identity","type":"dynamic","description":"Information about user and claims."},{"name":"Status","type":"string","description":"Status of the operation."},{"name":"EventText","type":"string","description":"Contains verbose information associated with operation e.g. 
DAX query."},{"name":"CustomerTenantId","type":"string","description":"Unique identifier of the Power BI tenant."},{"name":"XmlaRequestId","type":"string","description":"Unique Identifier of request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.powerbi/tenants"],"solutions":["LogManagement"]}},{"id":"PowerBIDatasetsWorkspace","name":"PowerBIDatasetsWorkspace","tableType":"Microsoft","description":"Contains Analysis Services engine process events such as the start of a batch or transaction e.g. execute query, process partition. Typically used to monitor the performance, health and usage of Power BI's data engine. 
Contains information from the entire tenant.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log entry was generated."},{"name":"OperationName","type":"string","description":"The operation associated with the log record."},{"name":"CorrelationId","type":"string","description":"An event ID that can be used to correlate events between multiple tables."},{"name":"PowerBIWorkspaceId","type":"string","description":"Unique identifier of the Power BI workspace that contains the artifact being operated on."},{"name":"PremiumCapacityId","type":"string","description":"Unique identifier of the Premium capacity hosting the artifact being operated on."},{"name":"ApplicationContext","type":"dynamic","description":"Unique identifiers providing details about the context of the operation. E.g. Report ID, DatasetID."},{"name":"ApplicationName","type":"string","description":"Contains the name of the client application that created the connection to the Power BI dataset. This is self-reported by the client application and is optional, so it should not be relied on as a trustworthy identifier."},{"name":"ArtifactId","type":"string","description":"Unique ID of the resource logging the data."},{"name":"ArtifactKind","type":"string","description":"Type of artifact logging the operation e.g. Dataset."},{"name":"CpuTimeMs","type":"long","description":"Amount of CPU time (in milliseconds) used by the operation."},{"name":"ArtifactName","type":"string","description":"The name of the Power BI artifact logging this operation."},{"name":"LogAnalyticsCategory","type":"string","description":"Unique category of the events like Audit/Security/Request."},{"name":"DatasetMode","type":"string","description":"The mode of the dataset. 
Import, DirectQuery or Composite."},{"name":"DurationMs","type":"long","description":"Amount of time (in milliseconds) taken by the operation."},{"name":"User","type":"string","description":"The user on whose behalf the operation is running. Used when an end user identity must be impersonated on the server."},{"name":"ExecutingUser","type":"string","description":"The user executing the operation."},{"name":"OperationDetailName","type":"string","description":"Provides subcategories of OperationName."},{"name":"XmlaObjectPath","type":"string","description":"A comma-separated list of parents, starting with the object's parent."},{"name":"PowerBIWorkspaceName","type":"string","description":"Name of the Power BI workspace containing the artifact."},{"name":"StatusCode","type":"int","description":"Status code of the operation. It covers success and failure."},{"name":"ProgressCounter","type":"long","description":"Progress Counter."},{"name":"XmlaProperties","type":"string","description":"Properties of the XMLA request."},{"name":"XmlaSessionId","type":"string","description":"Analysis services session identifier."},{"name":"Level","type":"string","description":"Contains the severity level of the operation being logged. Success, Informational, Warning, or Error."},{"name":"Identity","type":"dynamic","description":"Information about user and claims."},{"name":"Status","type":"string","description":"Status of the operation."},{"name":"EventText","type":"string","description":"Contains verbose information associated with operation e.g. 
DAX query."},{"name":"CustomerTenantId","type":"string","description":"Unique identifier of the Power BI tenant."},{"name":"XmlaRequestId","type":"string","description":"Unique Identifier of request."},{"name":"ReplicaId","type":"string","description":"Replica identifier."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.powerbi/tenants/workspaces"],"solutions":["LogManagement"]}},{"id":"PowerPlatformAdminActivity","name":"PowerPlatformAdminActivity","tableType":"Microsoft","description":"Contains Microsoft Power Platform administrative activity logs that track events like creation, deletion, updates, to the Microsoft Power Platform environment.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"EventOriginalUid","type":"string","description":"Unique identifier of an audit record."},{"name":"RecordType","type":"string","description":"The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records."},{"name":"TimeGenerated","type":"datetime","description":"The date and time in (UTC) when the user performed the activity."},{"name":"EventOriginalType","type":"string","description":"The name of the user or admin activity that performed the activity. For a description of the most common operations/activities, see \"Search the audit log\" in the Office 365 Protection Center. 
For Exchange admin activity, this property identifies the name of the cmdlet that was run. For Dlp events, this can be \"DlpRuleMatch\", \"DlpRuleUndo\" or \"DlpInfo\", which are described in the Office 365 Management Activity API DLP schema."},{"name":"OrganizationId","type":"string","description":"The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."},{"name":"ActorUserType","type":"string","description":"The type of user that performed the operation. For example: Admin, System, Application, Service Principal, Guest or Other."},{"name":"ActorUserId","type":"string","description":"An alternative ID for the user identified in the ActorName property (UserId in the source audit record). For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts."},{"name":"EventResult","type":"string","description":"Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed."},{"name":"ActorName","type":"string","description":"The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. In SharePoint, another value displayed in this property (UserId in the source audit record) is app@sharepoint. This indicates that the \"user\" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. 
For more information, see the app@sharepoint user in audit records."},{"name":"Workload","type":"string","description":"The Office 365 service where the activity occurred."},{"name":"PropertyCollection","type":"dynamic","description":"Additional information property bag for the event."},{"name":"Properties","type":"dynamic","description":"Additional information properties with KQL friendly formatting."},{"name":"EnvironmentId","type":"string","description":"The unique identifier of the environment."},{"name":"RequiresCustomerKeyEncryption","type":"bool","description":"Status of the Customer Key Encryption requirement for the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","audit"],"solutions":["SecurityInsights"],"queries":["52f7ea87-5e0f-4366-90fa-d73f627b3bc6"]}},{"id":"PowerPlatformConnectorActivity","name":"PowerPlatformConnectorActivity","tableType":"Microsoft","description":"Contains Microsoft Power Platform Connector audit logs. It's typically used to track Power Platform Connector activities.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"EventOriginalUid","type":"string","description":"Unique identifier of an audit record."},{"name":"RecordType","type":"string","description":"The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records."},{"name":"TimeGenerated","type":"datetime","description":"The date and time in (UTC) when the user performed the activity."},{"name":"EventOriginalType","type":"string","description":"The name of the user or admin activity that performed the activity. For a description of the most common operations/activities, see \"Search the audit log\" in the Office 365 Protection Center. 
For Exchange admin activity, this property identifies the name of the cmdlet that was run. For Dlp events, this can be \"DlpRuleMatch\", \"DlpRuleUndo\" or \"DlpInfo\", which are described under \"DLP schema\" below."},{"name":"OrganizationId","type":"string","description":"The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."},{"name":"ActorUserType","type":"string","description":"The type of user that performed the operation. Possible types are: Admin, System, Application, Service Principal and Other."},{"name":"ActorUserId","type":"string","description":"An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts."},{"name":"EventResult","type":"string","description":"Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed."},{"name":"ObjectId","type":"string","description":"The full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet."},{"name":"ActorName","type":"string","description":"The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. 
This indicates that the \"user\" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records."},{"name":"SrcIpAddr","type":"string","description":"The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null."},{"name":"Workload","type":"string","description":"The Office 365 service where the activity occurred."},{"name":"ConnectorId","type":"string","description":"The unique ID of the resource. Examples: custom api, and connection or gateway."},{"name":"AdditionalInfo","type":"dynamic","description":"More information, for example, the environment name."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","audit"],"solutions":["SecurityInsights"],"queries":["af2a6875-f636-497f-a721-10070b187d3a"]}},{"id":"PowerPlatformDlpActivity","name":"PowerPlatformDlpActivity","tableType":"Microsoft","description":"Contains Microsoft Power Platform Data Loss Prevention (DLP) audit logs. 
It's typically used to track Power Platform DLP admin activities.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"EventOriginalUid","type":"string","description":"Unique identifier of an audit record."},{"name":"RecordType","type":"string","description":"The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records."},{"name":"TimeGenerated","type":"datetime","description":"The date and time in (UTC) when the user performed the activity."},{"name":"EventOriginalType","type":"string","description":"The name of the user or admin activity that performed the activity. For a description of the most common operations/activities, see \"Search the audit log\" in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. For Dlp events, this can be \"DlpRuleMatch\", \"DlpRuleUndo\" or \"DlpInfo\", which are described under \"DLP schema\" below."},{"name":"OrganizationId","type":"string","description":"The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."},{"name":"ActorUserType","type":"string","description":"The type of user that performed the operation. Possible types are: Admin, System, Application, Service Principal and Other."},{"name":"ActorUserId","type":"string","description":"An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. 
This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts."},{"name":"EventResult","type":"string","description":"Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed."},{"name":"ObjectId","type":"string","description":"The full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet."},{"name":"ActorName","type":"string","description":"The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the \"user\" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records."},{"name":"SrcIpAddr","type":"string","description":"The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. 
Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null."},{"name":"Workload","type":"string","description":"The Office 365 service where the activity occurred."},{"name":"PolicyName","type":"string","description":"Name of the DLP policy."},{"name":"AdditionalInfo","type":"dynamic","description":"More information, for example, the environment name."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","audit"],"solutions":["SecurityInsights"],"queries":["8c391e1d-f7d0-4a0b-bab1-a0fc8978e108"]}},{"id":"ProjectActivity","name":"ProjectActivity","tableType":"Microsoft","description":"Contains your Microsoft Project audit logs in order to track your Project activities.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"EventOriginalUid","type":"string","description":"Unique identifier of an audit record."},{"name":"RecordType","type":"string","description":"The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records."},{"name":"TimeGenerated","type":"datetime","description":"The date and time in UTC when the user performed the activity."},{"name":"EventOriginalType","type":"string","description":"The name of the user or admin activity that performed the activity. For a description of the most common operations/activities, see \"Search the audit log\" in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. 
For Dlp events, this can be \"DlpRuleMatch\", \"DlpRuleUndo\" or \"DlpInfo\", which are described under \"DLP schema\" below."},{"name":"OrganizationId","type":"string","description":"The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."},{"name":"UserType","type":"string","description":"The type of user that performed the operation."},{"name":"ActorUserType","type":"string","description":"The type of user that performed the operation. Possible types are: Admin, System, Application, Service Principal and Other."},{"name":"ActorUserId","type":"string","description":"An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts."},{"name":"Workload","type":"string","description":"The Office 365 service where the activity occurred."},{"name":"EventResult","type":"string","description":"Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed."},{"name":"ObjectId","type":"string","description":"For SharePoint and OneDrive for business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet."},{"name":"ActorName","type":"string","description":"The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. 
In SharePoint, another value displayed in this property (UserId in the source audit record) is app@sharepoint. This indicates that the \"user\" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records."},{"name":"SrcIpAddr","type":"string","description":"The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by the person who performed the activity, so it should not be treated on its own as the actor's location. Also, for Azure Active Directory-related events, the IP address isn't logged and this property (ClientIP in the source audit record) is null."},{"name":"Scope","type":"string","description":"Event can be created by a hosted Office 365 service or an on-premises server. Possible values are online and onprem. 
Note that SharePoint is the only workload currently sending events from on-premises to Office 365."},{"name":"ProjectEntity","type":"string","description":"The project entity the audit was for."},{"name":"ProjectAction","type":"string","description":"The project action that was taken."},{"name":"OnBehalfOfResId","type":"string","description":"The resource ID the action was taken on behalf of."},{"name":"EventProduct","type":"string","description":"The Microsoft service name."},{"name":"EventVendor","type":"string","description":"The vendor service name."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["8df595d6-7c32-4257-8280-90182a32c23a"]}},{"id":"ProtectionStatus","name":"ProtectionStatus","tableType":"Microsoft","description":"Antimalware installation info and security health status of the 
machine:","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"SourceComputerId","type":"string"},{"name":"DeviceName","type":"string","isPreferredFacet":true},{"name":"DetectionId","type":"string","isPreferredFacet":true},{"name":"OSName","type":"string","isPreferredFacet":true},{"name":"Threat","type":"string","isPreferredFacet":true},{"name":"ThreatStatusRank","type":"int","isPreferredFacet":true},{"name":"ThreatStatus","type":"string","isPreferredFacet":true},{"name":"ThreatStatusDetails","type":"string"},{"name":"ProtectionStatusRank","type":"int","isPreferredFacet":true},{"name":"ProtectionStatus","type":"string"},{"name":"ProtectionStatusDetails","type":"string"},{"name":"SignatureVersion","type":"string"},{"name":"TypeofProtection","type":"string","isPreferredFacet":true},{"name":"ScanDate","type":"datetime"},{"name":"AMProductVersion","type":"string","isPreferredFacet":true},{"name":"ManagementGroupName","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerIP_Hidden","type":"string"},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"ComputerEnvironment","type":"string"},{"name":"Resource","type":"string","isPreferredFacet":true},{"name":"SubscriptionId","type":"string"},{"name":"ResourceGroup","type":"string","isPreferredFacet":true},{"name":"ResourceProvider","type":"string","isPreferredFacet":true},{"name":"ResourceType","type":"string","isPreferredFacet":true},{"name":"VMUUID","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"solutions":["AntiMalware","Security","SecurityCenter","SecurityCenterFree"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets"]}},{"id":"PurviewDataSensitivityLogs","name":"PurviewDataSensitivityLogs","tableType":"Microsoft","description":"Data Sensitivity information for assets scanned using Purview.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was generated."},{"name":"PurviewTenantId","type":"string","description":"Tenant ID associated with the Purview account."},{"name":"PurviewAccountName","type":"string","description":"Name of the Purview account."},{"name":"PurviewRegion","type":"string","description":"Region of the Purview account."},{"name":"SourceName","type":"string","description":"Name of the data source scanned as registered in Purview."},{"name":"SourceType","type":"string","description":"Type of data source scanned: azuredatalakegen1, azureblob, azuredataexplorer, amazons3 etc."},{"name":"SourcePath","type":"string","description":"Resource Path of the data source. Ex: ARM path for Azure resources and ARN for AWS resources."},{"name":"SourceSubscriptionId","type":"string","description":"Subscription ID associated with the data source. 
Account ID for AWS resources."},{"name":"SourceRegion","type":"string","description":"The location of the data source that was scanned."},{"name":"SourceCollectionName","type":"string","description":"Name of the data source collection in Purview."},{"name":"SourceScanId","type":"string","description":"The associated Purview scan ID for the source."},{"name":"AssetName","type":"string","description":"Name of the asset scanned."},{"name":"AssetPath","type":"string","description":"Path of the asset scanned in a source."},{"name":"AssetType","type":"string","description":"Type of asset that was scanned: file, column, table, generic."},{"name":"AssetCreationTime","type":"datetime","description":"Time (UTC) at which the asset was created."},{"name":"AssetModifiedTime","type":"datetime","description":"Time (UTC) at which the asset was last modified."},{"name":"AssetLastScanTime","type":"datetime","description":"Time (UTC) at which the asset was last scanned."},{"name":"FileExtension","type":"string","description":"File extension of the asset scanned. Only populated when asset type is a file."},{"name":"FileSize","type":"long","description":"File size of the asset scanned in bytes. 
Only populated when asset type is a file."},{"name":"ActivityType","type":"string","description":"The type of data sensitivity event: classification, labeling."},{"name":"ClassificationTrigger","type":"string","description":"The trigger for the classification event."},{"name":"Classification","type":"dynamic","description":"Names of the classifications found."},{"name":"ClassificationDetails","type":"dynamic","description":"List of classification details: ID, name, count, uniquecount, confidence."},{"name":"SensitivityLabelTrigger","type":"string","description":"The trigger for the sensitivity label event."},{"name":"SensitivityLabel","type":"dynamic","description":"Names for the labels found."},{"name":"SensitivityLabelDetails","type":"dynamic","description":"List of label details: ID, name, order."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security","resources"],"resourceTypes":["microsoft.securityinsights/purview","microsoft.purview/accounts"],"solutions":["LogManagement"]}},{"id":"PurviewScanStatusLogs","name":"PurviewScanStatusLogs","tableType":"Microsoft","description":"Status of the scan on the data sources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log was generated."},{"name":"Category","type":"string","description":"Log type category."},{"name":"OperationName","type":"string","description":"The operation associated with log 
record."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events. Can be used to identify correlated events between multiple tables."},{"name":"LogLevel","type":"string","description":"Log level of message (INFO, WARN, ERROR, etc.)."},{"name":"DataSourceName","type":"string","description":"Name of the data source where the scan is run."},{"name":"DataSourceType","type":"string","description":"Type of data source where the scan is run. For example: AzureDataExplorer, SQLServer etc."},{"name":"ScanName","type":"string","description":"Name of the scan associated with the scan status log event."},{"name":"AssetsDiscovered","type":"long","description":"Number of assets discovered from the scan."},{"name":"AssetsClassified","type":"long","description":"Number of assets classified from the scan."},{"name":"ScanQueueTimeInSeconds","type":"long","description":"Time spent by this scan waiting in the queue."},{"name":"ScanTotalRunTimeInSeconds","type":"long","description":"Total time to complete the scan."},{"name":"RunType","type":"string","description":"Run Type of the scan. For example: Manual, Scheduled etc."},{"name":"ErrorDetails","type":"string","description":"Error detail while running the scan."},{"name":"ScanResultId","type":"string","description":"Guid of the Scan Result."},{"name":"ResultType","type":"string","description":"Result of the scan at the current state. 
For example: Throttled, Queued etc."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.purview/accounts"],"solutions":["LogManagement"]}},{"id":"PurviewSecurityLogs","name":"PurviewSecurityLogs","tableType":"Microsoft","description":"Table containing audit events for the Purview account, such as role assignments to a collection or creation or deletion of a collection.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"EntityName","type":"string","description":"Name of the entity for which the operation was performed."},{"name":"EntityType","type":"string","description":"Type of the entity for which the operation was performed."},{"name":"CallerIdentities","type":"dynamic","description":"Contains information about the identity that performed the operation. May contain the objectId, username, PUID etc. of the identity."},{"name":"ResultType","type":"string","description":"Result of the operation."},{"name":"ResultDescription","type":"string","description":"Description of the result of the operation. 
May also contain the error description if the operation failed."},{"name":"Location","type":"string","description":"Location of the Purview account."},{"name":"Properties","type":"dynamic","description":"Additional properties of the operation."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.purview/accounts"],"solutions":["LogManagement"],"queries":["5a5e640c-37d6-4f21-93c2-3287fd420ea3"]}},{"id":"QualysKnowledgeBase","name":"QualysKnowledgeBase","tableType":"Microsoft","description":"QualysKnowledgeBase table contains vulnerabilities from Qualys KnowledgeBase.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was generated."},{"name":"Qid","type":"string","description":"The QID of the vulnerability."},{"name":"VulnTitle","type":"string","description":"Title of the ingested vulnerability."},{"name":"Category","type":"string","description":"Vulnerability Category."},{"name":"Consequence","type":"string","description":"Vulnerability Consequence."},{"name":"Diagnosis","type":"string","description":"Diagnosis information for the vulnerability."},{"name":"LastServiceModificationDateTime","type":"datetime","description":"Date and time when the vulnerability was last modified in the service."},{"name":"Patchable","type":"string","description":"Indicates whether the vulnerability is 
patchable."},{"name":"CveId","type":"dynamic","description":"Common Vulnerabilities and Exposures identifier."},{"name":"CveUrl","type":"dynamic","description":"URL for the CVE entry."},{"name":"VendorReferenceId","type":"dynamic","description":"Vendor-specific reference identifier."},{"name":"VendorReferenceUrl","type":"dynamic","description":"URL for vendor-specific reference."},{"name":"PciFlag","type":"string","description":"PCI compliance flag indicator."},{"name":"PublishedDatetime","type":"datetime","description":"Date and time when the vulnerability was published."},{"name":"SeverityLevel","type":"string","description":"Severity level of the vulnerability."},{"name":"SoftwareProduct","type":"dynamic","description":"Software product affected by the vulnerability."},{"name":"SoftwareVendor","type":"dynamic","description":"Vendor of the affected software."},{"name":"Solution","type":"string","description":"Solution or remediation steps for the vulnerability."},{"name":"VulnType","type":"string","description":"Type or classification of the vulnerability."},{"name":"DiscoveryAdditionalInfo","type":"string","description":"Additional information about vulnerability discovery."},{"name":"DiscoveryAuthType","type":"dynamic","description":"Authentication type used for discovery."},{"name":"DiscoveryRemote","type":"string","description":"Remote discovery information."},{"name":"ThreatIntelligence","type":"dynamic","description":"Threat intelligence data associated with the vulnerability."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["63b0b1fc-ec04-4485-900d-a656aa32111e","3b26c2e7-62eb-4cb1-b350-1afbdac2d7e0"]}},{"id":"QuantumProviderAccountJobAuditLogs","name":"QuantumProviderAccountJobAuditLogs","tableType":"Microsoft","description":"Audit logs 
for job-related operations performed on Azure Quantum Provider Account resources, including job cancellations and priority updates. Used to track who performed which job operation and when.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the job operation was recorded."},{"name":"Location","type":"string","description":"The Azure region where the Provider Account resource resides."},{"name":"Category","type":"string","description":"The log category. Value is AuditEvent for all records in this table."},{"name":"OperationName","type":"string","description":"The name of the audited operation, such as CancelJob or UpdateJobPriority."},{"name":"OperationVersion","type":"string","description":"The API version under which the operation was invoked."},{"name":"ResultCode","type":"string","description":"The outcome of the operation, such as Success or Failure."},{"name":"JobId","type":"string","description":"The unique identifier of the job that was the target of the operation."},{"name":"JobSubscriptionId","type":"string","description":"The Azure subscription ID of the workspace that contains the job."},{"name":"JobResourceGroupName","type":"string","description":"The resource group of the workspace that contains the job."},{"name":"JobWorkspaceName","type":"string","description":"The name of the Azure Quantum workspace that contains the job."},{"name":"OperationParams","type":"dynamic","description":"Additional parameters specific to the operation, represented as a JSON object. 
For example, UpdateJobPriority includes PriorityOperation and BypassQueueStatus fields."},{"name":"RequesterObjectId","type":"string","description":"The Entra object ID of the identity that performed the operation."},{"name":"RequesterTenantId","type":"string","description":"The Entra tenant ID of the identity that performed the operation."},{"name":"RequesterUpn","type":"string","description":"The user principal name (UPN) of the identity that performed the operation. Empty for managed identities and service principals."},{"name":"TraceId","type":"string","description":"The distributed trace identifier for correlating this operation across services."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.quantum/provideraccounts"],"solutions":["LogManagement"]}},{"id":"QuantumProviderAccountQueueAuditLogs","name":"QuantumProviderAccountQueueAuditLogs","tableType":"Microsoft","description":"Audit logs for queue dispatch management operations performed on Azure Quantum Provider Account resources, such as enabling or disabling target dispatch for a queue. 
Used to track changes to queue routing configuration.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the queue operation was recorded."},{"name":"Location","type":"string","description":"The Azure region where the Provider Account resource resides."},{"name":"Category","type":"string","description":"The log category. Value is AuditEvent for all records in this table."},{"name":"OperationName","type":"string","description":"The name of the audited operation, such as UpdateQueueDispatchStatus."},{"name":"OperationVersion","type":"string","description":"The API version under which the operation was invoked."},{"name":"ResultCode","type":"string","description":"The outcome of the operation, such as Success or Failure."},{"name":"QueueId","type":"string","description":"The identifier of the queue whose dispatch configuration was modified."},{"name":"OperationParams","type":"dynamic","description":"Additional parameters specific to the operation, represented as a JSON object. For UpdateQueueDispatchStatus this includes a TargetDispatchStatuses array with per-target status changes."},{"name":"RequesterObjectId","type":"string","description":"The Entra object ID of the identity that performed the operation."},{"name":"RequesterTenantId","type":"string","description":"The Entra tenant ID of the identity that performed the operation."},{"name":"RequesterUpn","type":"string","description":"The user principal name (UPN) of the identity that performed the operation. 
Empty for managed identities and service principals."},{"name":"TraceId","type":"string","description":"The distributed trace identifier for correlating this operation across services."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.quantum/provideraccounts"],"solutions":["LogManagement"]}},{"id":"QuantumProviderAccountTargetAuditLogs","name":"QuantumProviderAccountTargetAuditLogs","tableType":"Microsoft","description":"Audit logs for target intake management operations performed on Azure Quantum Provider Account resources, such as enabling or disabling a target's intake of new jobs. Used to track changes to target availability.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the target operation was recorded."},{"name":"Location","type":"string","description":"The Azure region where the Provider Account resource resides."},{"name":"Category","type":"string","description":"The log category. 
Value is AuditEvent for all records in this table."},{"name":"OperationName","type":"string","description":"The name of the audited operation, such as UpdateTargetIntakeStatus."},{"name":"OperationVersion","type":"string","description":"The API version under which the operation was invoked."},{"name":"ResultCode","type":"string","description":"The outcome of the operation, such as Success or Failure."},{"name":"TargetId","type":"string","description":"The identifier of the quantum target whose intake status was modified."},{"name":"OperationParams","type":"dynamic","description":"Additional parameters specific to the operation, represented as a JSON object. For UpdateTargetIntakeStatus this includes the new Status value (Enabled or Disabled)."},{"name":"RequesterObjectId","type":"string","description":"The Entra object ID of the identity that performed the operation."},{"name":"RequesterTenantId","type":"string","description":"The Entra tenant ID of the identity that performed the operation."},{"name":"RequesterUpn","type":"string","description":"The user principal name (UPN) of the identity that performed the operation. 
Empty for managed identities and service principals."},{"name":"TraceId","type":"string","description":"The distributed trace identifier for correlating this operation across services."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.quantum/provideraccounts"],"solutions":["LogManagement"]}},{"id":"QuantumWorkspaceJobAuditLogs","name":"QuantumWorkspaceJobAuditLogs","tableType":"Microsoft","description":"Audit logs for job-related operations performed on Azure Quantum Workspace resources, including job creation, updates, and cancellations. Used to track who performed which job operation and when.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the job operation was recorded."},{"name":"Location","type":"string","description":"The Azure region where the Workspace resource resides."},{"name":"Category","type":"string","description":"The log category. 
Value is AuditEvent for all records in this table."},{"name":"OperationName","type":"string","description":"The name of the audited operation, such as CreateJob, UpdateJob, or CancelJob."},{"name":"OperationVersion","type":"string","description":"The API version under which the operation was invoked."},{"name":"ResultCode","type":"string","description":"The outcome of the operation, such as Success or Failure."},{"name":"JobId","type":"string","description":"The unique identifier of the job that was the target of the operation."},{"name":"ProviderId","type":"string","description":"The identifier of the quantum provider to which the job was submitted. Populated for CreateJob operations."},{"name":"TargetId","type":"string","description":"The identifier of the quantum target to which the job was submitted. Populated for CreateJob operations."},{"name":"Priority","type":"string","description":"The priority level assigned to the job at creation time, such as High or Standard. Populated for CreateJob operations."},{"name":"OperationParams","type":"dynamic","description":"Additional parameters specific to the operation, represented as a JSON object. For UpdateJob this includes flags such as priorityUpdated, nameUpdated, and tagsUpdated."},{"name":"RequesterObjectId","type":"string","description":"The Entra object ID of the identity that performed the operation."},{"name":"RequesterTenantId","type":"string","description":"The Entra tenant ID of the identity that performed the operation."},{"name":"RequesterUpn","type":"string","description":"The user principal name (UPN) of the identity that performed the operation. 
Empty for managed identities and service principals."},{"name":"TraceId","type":"string","description":"The distributed trace identifier for correlating this operation across services."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.quantum/workspaces"],"solutions":["LogManagement"]}},{"id":"REDConnectionEvents","name":"REDConnectionEvents","tableType":"Microsoft","description":"Logs the connection events when client connects to redis enterprise database.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when event audit log was captured."},{"name":"EventEpochTime","type":"long","description":"The unix timestamp (number of seconds since January 1, 1970) when the event happened in UTC. This can be converted to datetime format using function unixtime_seconds_todatetime in log analytics workspace."},{"name":"OperationName","type":"string","description":"The Redis operation associated with the log record."},{"name":"Location","type":"string","description":"The location (i.e. 
region) of the Azure Cache for Redis Enterprise instance that was accessed."},{"name":"ClientIp","type":"string","description":"The Redis client IP address."},{"name":"PrivateLinkIPv6","type":"string","description":"The Redis client private link IPv6 address (if applicable)."},{"name":"ConnectionId","type":"long","description":"Unique connection ID assigned by Redis."},{"name":"EventType","type":"string","description":"Type of connection event (new_conn/auth/close_conn)."},{"name":"EventStatus","type":"int","description":"Result of an authentication request as a status code (only applicable to authentication events)."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.cache/redisenterprise"],"solutions":["LogManagement"],"queries":["ddd81f93-5320-4626-ac94-a938757326a4","42dfde83-f564-4282-854d-612dfda54abf","e1629bb4-4c6e-49a1-a826-5627804b3dcf","d05ffa8d-2ca3-4a6b-9d91-2cee1feafc52","e4c56072-f3d4-4d90-89af-7b94cf0a80e1"]}},{"id":"Rapid7InsightVMCloudAssets","name":"Rapid7InsightVMCloudAssets","tableType":"Microsoft","description":"Rapid7InsightVMCloudAssets table contains asset information from Rapid7 InsightVM Cloud.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time the event was generated"},{"name":"AssessedForPolicies","type":"bool","description":"Whether an asset was assessed for 
policies"},{"name":"AssessedForVulnerabilities","type":"bool","description":"Whether an asset was assessed for vulnerabilities"},{"name":"CredentialAssessments","type":"string","description":"The credential assessments for the asset"},{"name":"CriticalVulnerabilities","type":"real","description":"The count of critical vulnerability findings"},{"name":"Exploits","type":"real","description":"The count of known unique exploits that can be used to exploit vulnerabilities on the asset"},{"name":"HostName","type":"string","description":"The host name (local or FQDN)"},{"name":"Id","type":"string","description":"The asset identifier"},{"name":"Ip","type":"string","description":"The IPv4 or IPv6 address"},{"name":"LastAssessedForVulnerabilities","type":"datetime","description":"The time at which an asset was assessed for vulnerabilities"},{"name":"LastScanEnd","type":"datetime","description":"The time at which the last scan of the asset ended"},{"name":"LastScanStart","type":"datetime","description":"The time at which the last scan of the asset started"},{"name":"Mac","type":"string","description":"The Media Access Control (MAC) address with format specification"},{"name":"MalwareKits","type":"real","description":"The count of known unique malware kits that can be used to attack vulnerabilities"},{"name":"ModerateVulnerabilities","type":"real","description":"The count of moderate vulnerability findings"},{"name":"New","type":"string","description":"Vulnerabilities that are new in the latest version (when comparison time is supplied)"},{"name":"OsArchitecture","type":"string","description":"The architecture of the operating system"},{"name":"OsDescription","type":"string","description":"The description of the operating system (containing vendor, family, product, version and architecture)"},{"name":"OsFamily","type":"string","description":"The family of the operating system"},{"name":"OsName","type":"string","description":"The name of the operating 
system"},{"name":"OsSystemName","type":"string","description":"A combination of vendor and family (with redundancies removed), suitable for grouping"},{"name":"OsType","type":"string","description":"The type of operating system"},{"name":"OsVendor","type":"string","description":"The vendor of the operating system"},{"name":"OsVersion","type":"string","description":"The version of the operating system"},{"name":"Remediated","type":"string","description":"Vulnerabilities that were remediated in the latest version (when comparison time is supplied)"},{"name":"RiskScore","type":"real","description":"The risk score (with criticality adjustments) of the asset"},{"name":"Same","type":"string","description":"Vulnerabilities that are the same between current and comparison time (when comparison time is supplied and includeSame is true)"},{"name":"SevereVulnerabilities","type":"real","description":"The count of severe vulnerability findings"},{"name":"Tags","type":"string","description":"The tags applied to the asset"},{"name":"TotalVulnerabilities","type":"real","description":"The total count of vulnerability findings"},{"name":"UniqueIdentifiers","type":"string","description":"Unique identifiers found on the asset, such as hardware or operating system identifiers"},{"name":"AssetType","type":"string","description":"The type of asset"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["9a3c7b7e-2a9f-4e4a-9f3c-3e2d8b1c5a67"]}},{"id":"Rapid7InsightVMCloudVulnerabilities","name":"Rapid7InsightVMCloudVulnerabilities","tableType":"Microsoft","description":"Rapid7InsightVMCloudVulnerabilities table contains vulnerability information from Rapid7 InsightVM 
Cloud.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time the event was generated"},{"name":"Added","type":"datetime","description":"The date the vulnerability coverage was added (ISO 8601 YYYY-MM-DD)"},{"name":"Categories","type":"string","description":"Comma-separated list of categories the vulnerability is classified under"},{"name":"Cves","type":"string","description":"All CVEs assigned to this vulnerability"},{"name":"CvssV2AccessComplexity","type":"string","description":"Enum: L/M/H. CVSS v2 Access Complexity — attack conditions required to exploit"},{"name":"CvssV2AccessVector","type":"string","description":"Enum: L/A/N. CVSS v2 Access Vector — how the vulnerability is exploited (Local/Adjacent/Network)"},{"name":"CvssV2Authentication","type":"string","description":"Enum: N/S/M. CVSS v2 Authentication — number of authentications required to exploit"},{"name":"CvssV2AvailabilityImpact","type":"string","description":"Enum: N/P/C. CVSS v2 Availability Impact — impact to availability"},{"name":"CvssV2ConfidentialityImpact","type":"string","description":"Enum: N/P/C. CVSS v2 Confidentiality Impact — impact on confidentiality"},{"name":"CvssV2ExploitScore","type":"real","description":"The CVSS v2 exploit score"},{"name":"CvssV2ImpactScore","type":"real","description":"The CVSS v2 impact score"},{"name":"CvssV2IntegrityImpact","type":"string","description":"Enum: N/P/C. CVSS v2 Integrity Impact — impact to integrity"},{"name":"CvssV2Score","type":"real","description":"The CVSS v2 score (0-10)"},{"name":"CvssV2Vector","type":"string","description":"The CVSS v2 vector"},{"name":"CvssV3AttackComplexity","type":"string","description":"Enum: L/H. CVSS v3 Attack Complexity — conditions beyond attacker control required"},{"name":"CvssV3AttackVector","type":"string","description":"Enum: N/A/L/P. 
CVSS v3 Attack Vector — context of exploitation"},{"name":"CvssV3AvailabilityImpact","type":"string","description":"Enum: N/L/H. CVSS v3 Availability Impact — impact to availability"},{"name":"CvssV3ConfidentialityImpact","type":"string","description":"Enum: N/L/H. CVSS v3 Confidentiality Impact — impact on confidentiality"},{"name":"CvssV3ExploitScore","type":"real","description":"The CVSS v3 exploit score"},{"name":"CvssV3ImpactScore","type":"real","description":"The CVSS v3 impact score"},{"name":"CvssV3IntegrityImpact","type":"string","description":"Enum: N/L/H. CVSS v3 Integrity Impact — impact to integrity"},{"name":"CvssV3PrivilegesRequired","type":"string","description":"Enum: N/L/H. CVSS v3 Privileges Required — level of privileges needed before exploit"},{"name":"CvssV3Scope","type":"string","description":"Enum: U/C. CVSS v3 Scope — impact remains in same authority or crosses"},{"name":"CvssV3Score","type":"real","description":"The CVSS v3 score (0-10)"},{"name":"CvssV3UserInteraction","type":"string","description":"Enum: N/R. 
CVSS v3 User Interaction — whether user action is required"},{"name":"CvssV3Vector","type":"string","description":"The CVSS v3 vector"},{"name":"DenialOfService","type":"bool","description":"Whether the vulnerability can lead to Denial of Service (DoS)"},{"name":"Description","type":"string","description":"A verbose description of the vulnerability"},{"name":"Exploits","type":"string","description":"The exploits that can be used to exploit a vulnerability"},{"name":"Id","type":"string","description":"The identifier of the vulnerability"},{"name":"Links","type":"string","description":"References to security standards this vulnerability is a part of"},{"name":"MalwareKits","type":"string","description":"The malware kits that are known to be used to exploit the vulnerability"},{"name":"Modified","type":"datetime","description":"The last date the vulnerability was modified (ISO 8601 YYYY-MM-DD)"},{"name":"PciCvssScore","type":"real","description":"The CVSS score adjusted for PCI rules (0-10)"},{"name":"PciFail","type":"bool","description":"Whether presence on a host would cause a PCI failure"},{"name":"PciSeverityScore","type":"real","description":"The severity score adjusted for PCI rules (0-10)"},{"name":"PciSpecialNotes","type":"string","description":"Special notes or remarks about the vulnerability pertaining to PCI compliance"},{"name":"PciStatus","type":"string","description":"The PCI compliance status"},{"name":"Published","type":"datetime","description":"The date the vulnerability was first published (ISO 8601 YYYY-MM-DD)"},{"name":"References","type":"string","description":"Condensed references to security standards: [:,...]"},{"name":"RiskScore","type":"real","description":"The risk score of the vulnerability (e.g., Rapid7 Real Risk™, 0-1000)"},{"name":"Severity","type":"string","description":"The severity of the vulnerability (none, informational, low, moderate, severe, critical)"},{"name":"SeverityScore","type":"real","description":"The severity score of 
the vulnerability (0-10)"},{"name":"VulnerabilityTitle","type":"string","description":"The title (summary) of the vulnerability"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["7c5e2d1f-4b3a-8c9e-0d1f-2a3b4c5d6e7f"]}},{"id":"RemoteNetworkHealthLogs","name":"RemoteNetworkHealthLogs","tableType":"Microsoft","description":"This table is part of Identity and Network Access, which contains Remote Network Health logs. These logs can be used to determine the health state of your remote networks.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time (UTC) that the event was generated."},{"name":"CreatedDateTime","type":"datetime","description":"The date and time (UTC) that the event was generated."},{"name":"Id","type":"string","description":"A unique identifier for each remoteNetworkHealthEvent."},{"name":"RemoteNetworkId","type":"string","description":"A unique identifier for each remoteNetwork site."},{"name":"SourceIp","type":"string","description":"The public IP address."},{"name":"DestinationIp","type":"string","description":"The IP address of the destination."},{"name":"Description","type":"string","description":"Description and summary of the event."},{"name":"BgpRoutesAdvertisedCount","type":"int","description":"Count of BGP routes advertised through tunnel."},{"name":"SentBytes","type":"long","description":"The number of bytes sent from the source to the destination for the connection or session."},{"name":"ReceivedBytes","type":"long","description":"The number of bytes sent from the destination to the source."},{"name":"Status","type":"string","description":"Remote network status. 
Possible values are: tunnelDisconnected, tunnelConnected, bgpDisconnected, bgpConnected, remoteNetworkAlive, unknownFutureValue, packetDropped."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","network","management"],"solutions":["LogManagement"]}},{"id":"ResourceManagementPublicAccessLogs","name":"ResourceManagementPublicAccessLogs","tableType":"Microsoft","description":"Contains Resource management private link analysis events such as the operations that are already blocked due to a private link present at the scope or operations that would be blocked. Contains information from the entire tenant.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log entry was generated."},{"name":"OperationName","type":"string","description":"The operation associated with the log record."},{"name":"OperationType","type":"string","description":"The resource type and operation associated with the log record."},{"name":"ProviderName","type":"string","description":"The resource provider name associated with the log record."},{"name":"CorrelationId","type":"string","description":"An event ID that can be used to correlate events between multiple tables."},{"name":"OperationVersion","type":"string","description":"An API version associated with the operation."},{"name":"Category","type":"string","description":"A category type associated with the operation."},{"name":"ResultType","type":"string","description":"Status of the operation."},{"name":"ResultSignature","type":"int","description":"Status code of the operation. 
It covers success and failure."},{"name":"DurationMs","type":"long","description":"Amount of time (in milliseconds) taken by the operation."},{"name":"CallerIpAddress","type":"string","description":"Client IP address."},{"name":"Uri","type":"string","description":"The resource URI for the operation."},{"name":"PrivateLinkAssociationIds","type":"dynamic","description":"List of private link association resource IDs present at the scope."},{"name":"ObjectIdentifier","type":"string","description":"Object ID for the caller of the operation."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"queries":["1c9afed0-4e16-42f5-ace0-24b0b34d29d2","03e774ad-103e-42d5-b006-ba8b32754996","f1382f9e-b98d-44ca-bb27-72d5ece96dbf","f2599fa8-3ccd-41e1-a3a2-8f9bbcca9a9a","1d18188d-3133-4439-8e85-e9efaadad013"]}},{"id":"RetinaNetworkFlowLogs","name":"RetinaNetworkFlowLogs","tableType":"Microsoft","description":"Network flow logs for Azure Container Networking Services.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time the flow was recorded (flow.time)."},{"name":"UUID","type":"string","description":"The UUID of the flow (flow.uuid)."},{"name":"Verdict","type":"string","description":"The verdict of the flow (e.g., FORWARDED, DROPPED) (flow.verdict)."},{"name":"DropReason","type":"string","description":"The description of the drop reason if the verdict is DROPPED. (flow.drop_reason_desc)."},{"name":"IP","type":"dynamic","description":"The IP values of the flow. 
Including ip source, ip destination, ip is encrypted and ip version."},{"name":"Layer4","type":"dynamic","description":"The layer 4 information of the flow such as the protocol, source port, destination port, and TCP flags."},{"name":"SourceIdentity","type":"int","description":"The security identity number for the source (flow.source.identity)."},{"name":"SourceClusterName","type":"string","description":"The name of the source cluster (flow.source.cluster_name)."},{"name":"SourceNamespace","type":"string","description":"The namespace of the source (flow.source.namespace)."},{"name":"SourcePodName","type":"string","description":"The name of the source pod (flow.source.pod_name)."},{"name":"SourceWorkloads","type":"dynamic","description":"Array of workloads associated with the source, including name and kind (flow.source.workloads)."},{"name":"DestinationIdentity","type":"int","description":"Security identity number for the destination (flow.destination.identity)."},{"name":"DestinationClusterName","type":"string","description":"The name of the destination cluster (flow.destination.cluster_name)."},{"name":"DestinationNamespace","type":"string","description":"The namespace of the destination (flow.destination.namespace)."},{"name":"DestinationPodName","type":"string","description":"The name of the destination pod (flow.destination.pod_name)."},{"name":"DestinationWorkloads","type":"dynamic","description":"Array of workloads associated with the destination, including name and kind (flow.destination.workloads)."},{"name":"FlowType","type":"string","description":"Type of the flow (e.g., L3_L4, L7 SOCK) (flow.Type)."},{"name":"NodeName","type":"string","description":"Name of the node where the flow was captured (flow.node_name)."},{"name":"Layer7","type":"dynamic","description":"L7 flow type if Flow_Type is L7 (e.g., DNS, HTTP, Kafka) (flow.l7.type)."},{"name":"Reply","type":"bool","description":"Indicates if the flow is a reply 
(flow.is_reply.value)."},{"name":"EventType","type":"dynamic","description":"Event type details (flow.event_type)."},{"name":"Service","type":"dynamic","description":"Service details of the flow."},{"name":"TrafficDirection","type":"string","description":"Direction of the traffic (e.g., INGRESS, EGRESS) (flow.traffic_direction)."},{"name":"TraceObservationPoint","type":"string","description":"Point of observation in the trace (e.g., TO_ENDPOINT) (flow.trace_observation_point)."},{"name":"PacketsSent","type":"int","description":"Number of packets sent from the source to the destination since the last update."},{"name":"PacketsReceived","type":"int","description":"Number of packets sent from the destination to the source since the last update."},{"name":"Policies","type":"dynamic","description":"Combined entry for all policies that allowed or denied ingress/egress (flow.egress_allowed_by, flow.ingress_allowed_by, flow.egress_denied_by, flow.ingress_denied_by)."},{"name":"AdditionalFlowData","type":"dynamic","description":"Additional flow data."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["container"],"resourceTypes":["microsoft.containerservice/managedclusters"],"solutions":["LogManagement"],"queries":["f47ac10b-58cc-4372-a567-0e02b2c3d479","d3b07384-d9a0-4c9d-8f00-6e7a9e7a8b0d"]}},{"id":"SCCMAssessmentRecommendation","name":"SCCMAssessmentRecommendation","tableType":"Microsoft","description":"Recommendations generated by SCCM assessments that are started through a scheduled task. 
When you schedule the assessment it runs by default every 7 days and upload the data into Azure Log Analytics","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"AssessmentId","type":"string","isPreferredFacet":true},{"name":"RecommendationId","type":"string","isPreferredFacet":true},{"name":"Recommendation","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"RecommendationResult","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime"},{"name":"FocusAreaId","type":"string","isPreferredFacet":true},{"name":"FocusArea","type":"string","isPreferredFacet":true},{"name":"ActionAreaId","type":"string","isPreferredFacet":true},{"name":"ActionArea","type":"string","isPreferredFacet":true},{"name":"RecommendationWeight","type":"real"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"AffectedObjectType","type":"string","isPreferredFacet":true},{"name":"AffectedObjectName","type":"string","isPreferredFacet":true},{"name":"SiteCode","type":"string","isPreferredFacet":true},{"name":"SiteServer","type":"string","isPreferredFacet":true},{"name":"Technology","type":"string"},{"name":"CustomData","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["AzureResources","SCCMAssessmentPlus"]}},{"id":"SCGPoolExecutionLog","name":"SCGPoolExecutionLog","tableType":"Microsoft","description":"Contains Execution Logs for a StandbyContainerGroupPool, which can be used for audit and troubleshooting.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was 
created."},{"name":"OperationName","type":"string","description":"The resource operation name for the log."},{"name":"EventName","type":"string","description":"The event that occurred during the operation."},{"name":"Location","type":"string","description":"The region where the event occurred during the operation."},{"name":"ErrorMessage","type":"string","description":"The message associated with an error that occurred during the operation."},{"name":"Message","type":"string","description":"A non-Error message associated with an event that occurred during the operation."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.standbypool/standbycontainergrouppools"],"solutions":["LogManagement"],"queries":["6f2a51a0-449a-4578-b715-4f634a4d084a"]}},{"id":"SCGPoolRequestLog","name":"SCGPoolRequestLog","tableType":"Microsoft","description":"Contains Request Logs for a StandbyContainerGroupPool, which can be used for audit and troubleshooting.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The resource operation name for the log."},{"name":"EventName","type":"string","description":"The event that occurred during the operation."},{"name":"Location","type":"string","description":"The region where the event occurred during the 
operation."},{"name":"NewMinCapacity","type":"int","description":"The new minimum number of containers for the standbypool as set by the user."},{"name":"NewMaxCapacity","type":"int","description":"The new maximum number of containers for the standbypool as set by the user."},{"name":"NewResourceState","type":"string","description":"The new resource state for the containers in the standbypool as set by the user."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.standbypool/standbycontainergrouppools"],"solutions":["LogManagement"],"queries":["aed2e616-52ae-4c8e-8562-af62c017718a"]}},{"id":"SCOMAssessmentRecommendation","name":"SCOMAssessmentRecommendation","tableType":"Microsoft","description":"Recommendations generated by SCOM assessments that are started through a scheduled task. 
When you schedule the assessment it runs by default every 7 days and upload the data into Azure Log Analytics","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"AssessmentId","type":"string","isPreferredFacet":true},{"name":"RecommendationId","type":"string","isPreferredFacet":true},{"name":"Recommendation","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"RecommendationResult","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime"},{"name":"FocusAreaId","type":"string","isPreferredFacet":true},{"name":"FocusArea","type":"string","isPreferredFacet":true},{"name":"ActionAreaId","type":"string","isPreferredFacet":true},{"name":"ActionArea","type":"string","isPreferredFacet":true},{"name":"RecommendationWeight","type":"real"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"AffectedObjectType","type":"string","isPreferredFacet":true},{"name":"AffectedObjectName","type":"string","isPreferredFacet":true},{"name":"Server","type":"string","isPreferredFacet":true},{"name":"DatabaseName","type":"string","isPreferredFacet":true},{"name":"SqlInstanceName","type":"string","isPreferredFacet":true},{"name":"ManagementGroupName","type":"string","isPreferredFacet":true},{"name":"Technology","type":"string"},{"name":"CustomData","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["AzureResources","SCOMAssessment","SCOMAssessmentPlus"]}},{"id":"SPAssessmentRecommendation","name":"SPAssessmentRecommendation","tableType":"Microsoft","description":"Recommendations generated by SP assessments that are started through a scheduled task. 
When you schedule the assessment it runs by default every 7 days and upload the data into Azure Log Analytics","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"AssessmentId","type":"string","isPreferredFacet":true},{"name":"RecommendationId","type":"string","isPreferredFacet":true},{"name":"Recommendation","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"RecommendationResult","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime"},{"name":"FocusAreaId","type":"string","isPreferredFacet":true},{"name":"FocusArea","type":"string","isPreferredFacet":true},{"name":"ActionAreaId","type":"string","isPreferredFacet":true},{"name":"ActionArea","type":"string","isPreferredFacet":true},{"name":"RecommendationWeight","type":"real"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"AffectedObjectType","type":"string","isPreferredFacet":true},{"name":"AffectedObjectName","type":"string","isPreferredFacet":true},{"name":"Farm","type":"string"},{"name":"Server","type":"string","isPreferredFacet":true},{"name":"DatabaseName","type":"string","isPreferredFacet":true},{"name":"WebApplication","type":"string","isPreferredFacet":true},{"name":"Technology","type":"string"},{"name":"CustomData","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["AzureResources","SPAssessment"]}},{"id":"SQLAssessmentRecommendation","name":"SQLAssessmentRecommendation","tableType":"Microsoft","description":"Recommendations generated by SQL assessments that are started through a scheduled task. 
When you schedule the assessment it runs by default every 7 days and upload the data into Azure Log Analytics","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"AssessmentId","type":"string","isPreferredFacet":true},{"name":"RecommendationId","type":"string","isPreferredFacet":true},{"name":"Recommendation","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"RecommendationResult","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime"},{"name":"FocusAreaId","type":"string","isPreferredFacet":true},{"name":"FocusArea","type":"string","isPreferredFacet":true},{"name":"ActionAreaId","type":"string","isPreferredFacet":true},{"name":"ActionArea","type":"string","isPreferredFacet":true},{"name":"RecommendationWeight","type":"real"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"AffectedObjectType","type":"string","isPreferredFacet":true},{"name":"AffectedObjectName","type":"string","isPreferredFacet":true},{"name":"SqlInstanceName","type":"string","isPreferredFacet":true},{"name":"DatabaseName","type":"string","isPreferredFacet":true},{"name":"AffectedObjectResult","type":"string","isPreferredFacet":true},{"name":"Technology","type":"string"},{"name":"CustomData","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["workloads"],"solutions":["AzureResources","SQLAssessment","SQLAssessmentPlus"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines"]}},{"id":"SQLSecurityAuditEvents","name":"SQLSecurityAuditEvents","tableType":"Microsoft","description":"Azure Synapse SQL Audit Log.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"LogicalServerName","type":"string","description":"Logical server name."},{"name":"ResourceGroup","type":"string","description":"Resource group of the SQL resource."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"AuditSchemaVersion","type":"int","description":"The audit log schema version."},{"name":"EventTime","type":"datetime","description":"The time (UTC) the event was fired at."},{"name":"SequenceNumber","type":"int","description":"Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits."},{"name":"ActionId","type":"string","description":"ID of the audit action."},{"name":"ActionName","type":"string","description":"The name of the audit action."},{"name":"Succeeded","type":"bool","description":"Indicates whether the action that triggered the event succeeded. Is not nullable. 
For all events other than login events, this only reports whether the permission check succeeded or failed, not the operation."},{"name":"IsColumnPermission","type":"bool","description":"Flag indicating if this is a column level permission."},{"name":"SessionId","type":"int","description":"ID of the session on which the event occurred."},{"name":"ServerPrincipalId","type":"int","description":"ID of the login context that the action is performed in."},{"name":"DatabasePrincipalId","type":"int","description":"ID of the database user context that the action is performed in."},{"name":"TargetServerPrincipalId","type":"int","description":"Server principal that the GRANT/DENY/REVOKE operation is performed on."},{"name":"TargetDatabasePrincipalId","type":"int","description":"The database principal the GRANT/DENY/REVOKE operation is performed on."},{"name":"ObjectId","type":"int","description":"The ID of the entity on which the audit occurred."},{"name":"UserDefinedEventId","type":"int","description":"User defined event id passed as an argument to sp_audit_write."},{"name":"TransactionId","type":"long","description":"Unique identifier to identify multiple audit events in one transaction."},{"name":"ClassType","type":"string","description":"The type of auditable entity that the audit occurs on."},{"name":"ClassTypeDescription","type":"string","description":"The description of the class type."},{"name":"SecurableClassType","type":"string","description":"The type of auditable entity that the audit occurs on."},{"name":"DurationMs","type":"long","description":"Query execution duration in milliseconds."},{"name":"ResponseRows","type":"long","description":"Number of rows returned in the result set."},{"name":"AffectedRows","type":"long","description":"Number of rows affected by the executed statement."},{"name":"ClientTlsVersion","type":"int","description":"Client TLS version"},{"name":"ClientIp","type":"string","description":"Source IP of the client 
application"},{"name":"PermissionBitmask","type":"string","description":"In some actions, this is the permissions that were granted, denied, or revoked."},{"name":"SequenceGroupId","type":"string","description":"Unique identifier."},{"name":"SessionServerPrincipalName","type":"string","description":"Server principal for session. Is nullable. Returns the identity of the original login that was connected to the instance of SQL Server in case there were explicit or implicit context switches."},{"name":"ServerPrincipalName","type":"string","description":"Current login. Is nullable."},{"name":"ServerPrincipalSid","type":"string","description":"Current login SID."},{"name":"DatabasePrincipalName","type":"string","description":"Current user."},{"name":"TargetServerPrincipalName","type":"string","description":"Target login of action."},{"name":"TargetServerPrincipalSid","type":"string","description":"SID of target login."},{"name":"TargetDatabasePrincipalName","type":"string","description":"Target user of action."},{"name":"DatabaseName","type":"string","description":"The database context in which the action occurred."},{"name":"SchemaName","type":"string","description":"The schema context in which the action occurred."},{"name":"ObjectName","type":"string","description":"The name of the entity on which the audit occurred."},{"name":"Statement","type":"string","description":"TSQL statement if it exists."},{"name":"AdditionalInformation","type":"string","description":"Unique information that only applies to a single event is returned as XML."},{"name":"UserDefinedInformation","type":"string","description":"Used to record any extra information the user wants to record in the audit log by using the sp_audit_write stored procedure."},{"name":"ApplicationName","type":"string","description":"Name of the client application that executed the statement that caused the audit event."},{"name":"ConnectionId","type":"string","description":"ID of the connection in the 
server."},{"name":"DataSensitivityInformation","type":"string","description":"Information types and sensitivity labels returned by the audited query, based on the classified columns in the database."},{"name":"HostName","type":"string","description":"The host name."},{"name":"SessionContext","type":"string","description":"The session context key-value content, provided as XML."},{"name":"IsServerLevelAudit","type":"bool","description":"Boolean indicating whether this was generated from a server-level audit or a database-level audit."},{"name":"EventId","type":"string","description":"Unique GUID identifying each audit event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"]}},{"id":"SVMPoolExecutionLog","name":"SVMPoolExecutionLog","tableType":"Microsoft","description":"Contains Execution Logs for a StandbyVirtualMachinePool, which can be used for audit and troubleshooting.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The resource operation name for the log."},{"name":"EventName","type":"string","description":"The event that occurred during the operation."},{"name":"Location","type":"string","description":"The region where the event occurred during the 
operation."},{"name":"ErrorMessage","type":"string","description":"The message associated with an error that occurred during the operation."},{"name":"Message","type":"string","description":"A non-Error message associated with an event that occurred during the operation."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","monitor"],"resourceTypes":["microsoft.standbypool/standbyvirtualmachinepools"],"solutions":["LogManagement"],"queries":["485749e7-4fa6-4e11-80f7-ef1696cd7736"]}},{"id":"SVMPoolRequestLog","name":"SVMPoolRequestLog","tableType":"Microsoft","description":"Contains Request Logs for a StandbyVirtualMachinePool, which can be used for audit and troubleshooting.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The resource operation name for the log."},{"name":"EventName","type":"string","description":"The event that occurred during the operation."},{"name":"Location","type":"string","description":"The region where the event occurred during the operation."},{"name":"NewMinCapacity","type":"int","description":"The new minimum number of vms for the standbypool as set by the user."},{"name":"NewMaxCapacity","type":"int","description":"The new maximum number of vms for the standbypool as set by the user."},{"name":"NewResourceState","type":"string","description":"The new resource state for the vms in 
the standbypool as set by the user."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.standbypool/standbyvirtualmachinepools"],"solutions":["LogManagement"],"queries":["d76e62a6-9777-4e9c-a455-1d2541deaaf2"]}},{"id":"SalesforceAuditTrail","name":"SalesforceAuditTrail","tableType":"Microsoft","description":"The Setup Audit Trail table contains logs from the Salesforce Audit Trail API that have been ingested into Microsoft Sentinel.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (in UTC) when the log entry was generated."},{"name":"Id","type":"string","description":"The unique identifier for the audit trail entry."},{"name":"Action","type":"string","description":"The action performed."},{"name":"Section","type":"string","description":"The section of the Salesforce setup that was changed."},{"name":"Display","type":"string","description":"A user-friendly display name for the change."},{"name":"CreatedDate","type":"datetime","description":"The date and time when the change was made."},{"name":"CreatedById","type":"string","description":"The ID of the user who made the change."},{"name":"CreatedByName","type":"string","description":"The name of the user who made the change."},{"name":"CreatedByEmail","type":"string","description":"The email of the user who made the change."},{"name":"CreatedByUsername","type":"string","description":"The username of the user 
who made the change."},{"name":"CreatedByContext","type":"string","description":"The context in which the user made the change."},{"name":"CreatedByIssuer","type":"string","description":"The issuer of the user's identity."},{"name":"DelegateUser","type":"string","description":"The user who delegated the change."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["291d06cf-e4b6-43e2-aa5d-45b2fcd74d6b"]}},{"id":"SalesforceLoginHistory","name":"SalesforceLoginHistory","tableType":"Microsoft","description":"The Login History table contains login event logs from Salesforce that have been ingested into Microsoft Sentinel.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (in UTC) when the log entry was generated."},{"name":"ApiType","type":"string","description":"Indicates the API type, for example Soap Enterprise."},{"name":"ApiVersion","type":"string","description":"Displays the API version used by the client."},{"name":"Application","type":"string","description":"The application used to access the organization."},{"name":"AuthMethodReference","type":"string","description":"The authentication method used by a third-party identification provider for an OpenID Connect single sign-on protocol."},{"name":"AuthenticationServiceId","type":"string","description":"The 18-character ID for an authentication service for a login event."},{"name":"Browser","type":"string","description":"The current browser version."},{"name":"CipherSuite","type":"string","description":"The TLS cipher suite used for the login."},{"name":"ClientVersion","type":"string","description":"Version of the API 
client."},{"name":"CountryIso","type":"string","description":"The ISO 3166 code for the country where the user's IP address is physically located."},{"name":"ForwardedForIp","type":"string","description":"The value in the X-Forwarded-For header of HTTP requests sent by the client."},{"name":"LoginGeoId","type":"string","description":"The 18-character ID for the record of the geographic location of the user for a successful or unsuccessful login event."},{"name":"LoginSubType","type":"string","description":"The type of login flow used."},{"name":"LoginTime","type":"datetime","description":"Time zone is based on GMT."},{"name":"LoginType","type":"string","description":"The type of login used to access the session."},{"name":"LoginUrl","type":"string","description":"URL from which the login request is coming."},{"name":"NetworkId","type":"string","description":"The ID of the Experience Cloud site that the user is logging in to."},{"name":"OptionsIsGet","type":"bool","description":"The HTTP method used for the session login is a GET request."},{"name":"OptionsIsPost","type":"bool","description":"The HTTP method used for the session login is a POST request."},{"name":"Platform","type":"string","description":"Operating system on the login machine."},{"name":"SourceIp","type":"string","description":"The IP address of the incoming client request that first reaches Salesforce during a login."},{"name":"Status","type":"string","description":"Displays the status of the attempted login. 
Status is either success or a reason for failure."},{"name":"TlsProtocol","type":"string","description":"The TLS protocol used for the login."},{"name":"UserId","type":"string","description":"ID of the user logging in."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["e8215b69-4cfe-4e8e-9d8e-cec354bd3ecb"]}},{"id":"SecureScoreControls","name":"SecureScoreControls","tableType":"Microsoft","description":"Azure Security Center Secure Score per control. A control is a logical group of related security recommendations, its secure score reflects the security posture per the control.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The (UTC) date and time the control score was generated"},{"name":"SecureScoresSubscriptionId","type":"string","description":"The ID of the subscription","isPreferredFacet":true},{"name":"AssessedResourceId","type":"string","description":"The ID of the assessed resource","isPreferredFacet":true},{"name":"ControlId","type":"string","description":"The ID of the assessed control","isPreferredFacet":true},{"name":"ControlName","type":"string","description":"The display name of the control","isPreferredFacet":true},{"name":"CurrentScore","type":"real","description":"The current secure score per control"},{"name":"MaxScore","type":"int","description":"The maximum control score"},{"name":"PercentageScore","type":"real","description":"The percentage of the score (current score divided by max score)"},{"name":"Weight","type":"long","description":"The weight for calculation of an aggregated score for several scopes"},{"name":"HealthyResources","type":"int","description":"The number of healthy 
resources"},{"name":"UnhealthyResources","type":"int","description":"The number of unhealthy resources"},{"name":"NotApplicableResources","type":"int","description":"The number of not applicable resources"},{"name":"Description","type":"string","description":"The description of the control"},{"name":"RecommendationResourceIds","type":"dynamic","description":"The recommendation resource IDs for the recommendations assessed in the control"},{"name":"ControlType","type":"string","description":"The type of security control (for example, BuiltIn)"},{"name":"ResourceProviderType","type":"string","description":"Resource provider type of the assessed resource"},{"name":"IsSnapshot","type":"bool","description":"Indicates whether the data was exported as part of a snapshot when 'true', or streamed in real-time when 'false'.","isPreferredFacet":true},{"name":"Environment","type":"string","description":"Data source environment.","isPreferredFacet":true},{"name":"Properties","type":"dynamic","description":"The complete set of metadata."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["Security","SecurityCenter","SecurityCenterFree"]}},{"id":"SecureScores","name":"SecureScores","tableType":"Microsoft","description":"Azure Security Center overall Secure Scores per subscription.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The (UTC) date and time the control score was generated"},{"name":"SecureScoresSubscriptionId","type":"string","description":"The 
ID of the subscription","isPreferredFacet":true},{"name":"AssessedResourceId","type":"string","description":"The ID of the assessed resource","isPreferredFacet":true},{"name":"DisplayName","type":"string","description":"The initiative's name"},{"name":"CurrentScore","type":"real","description":"The current secure score per control"},{"name":"MaxScore","type":"int","description":"The maximum control score"},{"name":"PercentageScore","type":"real","description":"The percentage of the score (current score divided by max score)"},{"name":"Weight","type":"long","description":"The weight for calculation of an aggregated score for several scopes"},{"name":"ResourceProviderType","type":"string","description":"Resource provider type of the assessed resource"},{"name":"IsSnapshot","type":"bool","description":"Indicates whether the data was exported as part of a snapshot when 'true', or streamed in real-time when 'false'.","isPreferredFacet":true},{"name":"Environment","type":"string","description":"Data source environment.","isPreferredFacet":true},{"name":"Properties","type":"dynamic","description":"The complete set of metadata."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["Security","SecurityCenter","SecurityCenterFree"]}},{"id":"SecurityAlert","name":"SecurityAlert","tableType":"Microsoft","description":"Alerts that have been generated by security 
products.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DisplayName","type":"string","isPreferredFacet":true},{"name":"AlertName","type":"string","isPreferredFacet":true},{"name":"AlertSeverity","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"ProviderName","type":"string","isPreferredFacet":true},{"name":"VendorName","type":"string","isPreferredFacet":true},{"name":"VendorOriginalId","type":"string"},{"name":"SystemAlertId","type":"string"},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"SourceComputerId","type":"string"},{"name":"AlertType","type":"string","isPreferredFacet":true},{"name":"ConfidenceLevel","type":"string"},{"name":"ConfidenceScore","type":"real"},{"name":"IsIncident","type":"bool"},{"name":"StartTime","type":"datetime"},{"name":"EndTime","type":"datetime"},{"name":"ProcessingEndTime","type":"datetime"},{"name":"RemediationSteps","type":"string"},{"name":"ExtendedProperties","type":"string"},{"name":"Entities","type":"string"},{"name":"WorkspaceSubscriptionId","type":"string"},{"name":"WorkspaceResourceGroup","type":"string"},{"name":"ExtendedLinks","type":"string"},{"name":"ProductName","type":"string","isPreferredFacet":true},{"name":"ProductComponentName","type":"string","isPreferredFacet":true},{"name":"AlertLink","type":"string","isPreferredFacet":true},{"name":"Status","type":"string","isPreferredFacet":true},{"name":"CompromisedEntity","type":"string","isPreferredFacet":true},{"name":"Tactics","type":"string","isPreferredFacet":true},{"name":"Techniques","type":"string","isPreferredFacet":true},{"name":"SubTechniques","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["AzureSecurityOfThings","Security","SecurityCenter","SecurityCenterFree","SecurityInsights"]}},{"id":"SecurityAttackPathData","name":"SecurityAttackPathData","tableType":"Microsoft","description":"This table contains attack paths that are being generated by Microsoft Defender for Cloud in order to detect potential breach paths of attackers into your cloud environment.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time the attack path was exported."},{"name":"AttackPathId","type":"string","description":"The ID of the attack path."},{"name":"DisplayName","type":"string","description":"The display name of the attack path."},{"name":"Description","type":"string","description":"The description of the attack path."},{"name":"EntrypointId","type":"string","description":"The ID of the attack path entry point."},{"name":"TargetId","type":"string","description":"The ID of the attack path target."},{"name":"AdditionalRemediationSteps","type":"string","description":"The manual remediation steps of the attack path."},{"name":"Path","type":"dynamic","description":"The nodes, edges & insights that create the path."},{"name":"Assessments","type":"dynamic","description":"The assessments mapped to the attack path."},{"name":"RiskLevel","type":"string","description":"The risk level of the attack path."},{"name":"RiskFactors","type":"dynamic","description":"The risk factors of the attack path."},{"name":"PotentialImpact","type":"string","description":"The potential impact of the attack path."},{"name":"Mitre","type":"string","description":"MITRE mapping of the path."},{"name":"AttackStory","type":"string","description":"The attack 
story."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.security/security"],"solutions":["Security","SecurityCenter","SecurityCenterFree"],"queries":["bdb7da24-8f5f-422d-927e-14b06c75a407"]}},{"id":"SecurityBaseline","name":"SecurityBaseline","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"ManagementGroupName","type":"string","isPreferredFacet":true},{"name":"SourceComputerId","type":"string"},{"name":"TimeGenerated","type":"datetime"},{"name":"SubscriptionId","type":"string"},{"name":"ResourceGroup","type":"string","isPreferredFacet":true},{"name":"ResourceProvider","type":"string","isPreferredFacet":true},{"name":"Resource","type":"string","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"ResourceType","type":"string","isPreferredFacet":true},{"name":"ComputerEnvironment","type":"string"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"BaselineType","type":"string","isPreferredFacet":true},{"name":"OSName","type":"string","isPreferredFacet":true},{"name":"AssessmentId","type":"string"},{"name":"CceId","type":"string","isPreferredFacet":true},{"name":"AzId","type":"string","isPreferredFacet":true},{"name":"RuleSeverity","type":"string","isPreferredFacet":true},{"name":"BaselineRuleType","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"RuleSetting","type":"string"},{"name":"ExpectedResult",
"type":"string"},{"name":"ActualResult","type":"string"},{"name":"AnalyzeResult","type":"string","isPreferredFacet":true},{"name":"SitePath","type":"string"},{"name":"AnalyzeOperation","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"solutions":["Security","SecurityCenter","SecurityCenterFree"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets"]}},{"id":"SecurityBaselineSummary","name":"SecurityBaselineSummary","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"ManagementGroupName","type":"string","isPreferredFacet":true},{"name":"SourceComputerId","type":"string"},{"name":"TimeGenerated","type":"datetime"},{"name":"SubscriptionId","type":"string"},{"name":"ResourceGroup","type":"string","isPreferredFacet":true},{"name":"ResourceProvider","type":"string","isPreferredFacet":true},{"name":"Resource","type":"string","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"ResourceType","type":"string","isPreferredFacet":true},{"name":"ComputerEnvironment","type":"string"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"BaselineType","type":"string","isPreferredFacet":true},{"name":"OSName","type":"string","isPreferredFacet":true},{"name":"AssessmentId","type":"string"},{"name":"TotalAssessedRules","type":"int"},{"name":"Per
centageOfPassedRules","type":"int"},{"name":"CriticalFailedRules","type":"int"},{"name":"WarningFailedRules","type":"int"},{"name":"InformationalFailedRules","type":"int"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"solutions":["Security","SecurityCenter","SecurityCenterFree"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines"]}},{"id":"SecurityCaseEvent","name":"SecurityCaseEvent","tableType":"Microsoft","description":"Audit log table tracking all field-level changes to Case Management entities including cases, tasks, comments, attachments, and relations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the record was ingested into Log Analytics."},{"name":"RecordId","type":"string","description":"Unique identifier for this audit record."},{"name":"AadTenantId","type":"string","description":"Azure AD tenant GUID where the change occurred."},{"name":"EntityType","type":"string","description":"Type of entity changed: Case, CaseTask, Comment, Attachment, CaseRelation etc..."},{"name":"EntityId","type":"string","description":"Unique identifier of the changed entity."},{"name":"ParentEntityId","type":"string","description":"Parent entity ID. 
Null for Case entities, contains Case ID for child entities like CaseTask, Comment, Attachment, etc."},{"name":"OperationName","type":"string","description":"Type of operation: Create, Update, Delete, Link, or Unlink."},{"name":"PropertyNames","type":"dynamic","description":"Property name(s) that changed."},{"name":"PreviousValues","type":"dynamic","description":"Previous value(s) before the change. Null for Create operations. Can be a simple value or JSON object."},{"name":"NewValues","type":"dynamic","description":"New value(s) after the change. Null for Delete operations. Can be a simple value or JSON object."},{"name":"EventTime","type":"datetime","description":"Timestamp when the change was made in the source system."},{"name":"ModifiedBy","type":"string","description":"User principal name (UPN) of the user who made the change."},{"name":"IsDeleted","type":"bool","description":"Indicates if the entity was deleted."},{"name":"EntityCreatedTime","type":"datetime","description":"Original creation timestamp of the entity."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["audit"],"solutions":["LogManagement"],"queries":["a1b2c3d4-1111-4aaa-bbbb-000000000001","a1b2c3d4-1111-4aaa-bbbb-000000000002","a1b2c3d4-1111-4aaa-bbbb-000000000003","a1b2c3d4-1111-4aaa-bbbb-000000000004","a1b2c3d4-1111-4aaa-bbbb-000000000005","a1b2c3d4-1111-4aaa-bbbb-000000000006","a1b2c3d4-1111-4aaa-bbbb-000000000007","a1b2c3d4-1111-4aaa-bbbb-000000000008","a1b2c3d4-1111-4aaa-bbbb-000000000009","a1b2c3d4-1111-4aaa-bbbb-000000000010","a1b2c3d4-1111-4aaa-bbbb-000000000011","a1b2c3d4-1111-4aaa-bbbb-000000000012","a1b2c3d4-1111-4aaa-bbbb-000000000013","a1b2c3d4-1111-4aaa-bbbb-000000000014"]}},{"id":"SecurityDetection","name":"SecurityDetection","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"Provider","type":"string","isPreferredFacet":true},{"name":"AlertTitle","type":"string","isPreferredFacet":true},{"name":"AlertSeverity","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"OriginalSeverity","type":"string","isPreferredFacet":true},{"name":"DetectionID","type":"string"},{"name":"SubjectUserName","type":"string","isPreferredFacet":true},{"name":"RemediationSteps","type":"string"},{"name":"SubjectDomainName","type":"string","isPreferredFacet":true},{"name":"ProcessName","type":"string","isPreferredFacet":true},{"name":"CommandLine","type":"string"},{"name":"LogChannel","type":"string","isPreferredFacet":true},{"name":"Duration","type":"string"},{"name":"InvalidAccountsSeen","type":"int"},{"name":"ValidAccountsSeen","type":"int"},{"name":"SuccessfulLogins","type":"int"},{"name":"FailedAttempts","type":"int"},{"name":"AccountsSeen","type":"int"},{"name":"SuspiciousProcess","type":"string","isPreferredFacet":true},{"name":"FullPath","type":"string","
isPreferredFacet":true},{"name":"ChildProcess","type":"string","isPreferredFacet":true},{"name":"ParentProcess","type":"string","isPreferredFacet":true},{"name":"ExtendedProperties","type":"string"},{"name":"SubscriptionId","type":"string"},{"name":"ServiceId","type":"string"},{"name":"IsFirstParty","type":"bool"},{"name":"ReportingSystem","type":"string","isPreferredFacet":true},{"name":"OccuringDatacenter","type":"string","isPreferredFacet":true},{"name":"AssociatedResource","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"solutions":["Security"]}},{"id":"SecurityEvent","name":"SecurityEvent","tableType":"Microsoft","description":"Security events collected from Windows machines by Azure Security Center or Azure Sentinel.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time stamp when the event was generated on the computer."},{"name":"SourceSystem","type":"string","description":"The Log Analytics source system. 
Value is always 'OpsManager'."},{"name":"Account","type":"string","description":"The Security context for services or users."},{"name":"AccountType","type":"string","description":"Identifies whether the account is a computer account (machine) or a user's."},{"name":"Computer","type":"string","description":"The name of the computer on which the event occurred."},{"name":"EventSourceName","type":"string","description":"The name of the software that logs the event (application or a subcomponent)."},{"name":"Channel","type":"string","description":"The channel to which the event was logged."},{"name":"Task","type":"int","description":"The task defined in the event."},{"name":"Level","type":"string","description":"Windows categorizes every event with a severity level. The levels in order of severity are information, verbose, warning, error and critical expressed in numbers."},{"name":"EventData","type":"string","description":"Event specific data associated with the event."},{"name":"EventID","type":"int","description":"The identifier that the provider used to identify the event."},{"name":"Activity","type":"string","description":"The descriptive title of the event that occurred."},{"name":"StorageAccount","type":"string","description":"Sets the storage account access key."},{"name":"AzureDeploymentID","type":"string","description":"Azure deployment ID of the cloud service the log belongs to."},{"name":"AccessMask","type":"string","description":"Hexadecimal mask for the requested or performed operation."},{"name":"AccountDomain","type":"string","description":"Subject’s domain or computer name."},{"name":"AccountExpires","type":"string","description":"The date when the account expires."},{"name":"AccountName","type":"string","description":"The name of the account that requested the “remove domain trust” operation."},{"name":"AccountSessionIdentifier","type":"string","description":"A unique identifier that is generated by the machine when the session is 
created."},{"name":"AdditionalInfo","type":"string","description":"Additional information that is provided by the source, which is not mapped to other fields, represented as a list."},{"name":"AdditionalInfo2","type":"string","description":"Additional information that is provided by the source, which is not mapped to other fields, represented as a list."},{"name":"AllowedToDelegateTo","type":"string","description":"The list of SPNs to which this account can present delegated credentials."},{"name":"Attributes","type":"string","description":"Additional information about the event."},{"name":"AuditPolicyChanges","type":"string","description":"Events that are generated when changes are made to the system audit policy or audit settings on a file or registry key."},{"name":"AuditsDiscarded","type":"int","description":"Number of audit messages that were discarded."},{"name":"AuthenticationLevel","type":"int","description":"Number of audit messages that were discarded."},{"name":"AuthenticationPackageName","type":"string","description":"The name of the loaded Authentication Package. 
The format is: DLL\\_PATH\\_AND\\_NAME: AUTHENTICATION\\_PACKAGE\\_NAME."},{"name":"AuthenticationProvider","type":"string","description":"The identity of the provider responsible for the authentication process (can include a certificate authority, a username, a password authentication system, etc.)."},{"name":"AuthenticationServer","type":"string","description":"The server on which the authentication provider is located."},{"name":"AuthenticationService","type":"int","description":"The service in which the authentication provider is located."},{"name":"AuthenticationType","type":"string","description":"The type of authentication that was used for the event (two-factor authentication, biometric authentication, etc.)."},{"name":"CACertificateHash","type":"string","description":"The hash value of the certificate authority's (CA) certificate that was used to authenticate the user who performed the event."},{"name":"CalledStationID","type":"string","description":"Information about the ID of the station that initiated the action that led to the security event."},{"name":"CallerProcessId","type":"string","description":"Hexadecimal Process ID of the process that attempted the logon. 
Process ID (PID) is a number used by the operating system to uniquely identify an active process."},{"name":"CallerProcessName","type":"string","description":"Full path and the name of the executable for the process."},{"name":"CallingStationID","type":"string","description":"Information about the ID of the station that initiated the action that led to the security event."},{"name":"CAPublicKeyHash","type":"string","description":"Hash value that identifies the public key of a certification authority (CA) that issued a certificate."},{"name":"CategoryId","type":"string","description":"The category of the security event that occurred (login attempt, data breach, etc)."},{"name":"CertificateDatabaseHash","type":"string","description":"Hash value that identifies the database that issued a certificate."},{"name":"ClassId","type":"string","description":"'Class Guid' attribute of device."},{"name":"ClassName","type":"string","description":"'Class' attribute of device."},{"name":"ClientAddress","type":"string","description":"IP address of the computer from which the TGT request was received."},{"name":"ClientIPAddress","type":"string","description":"IP address of the computer that initiated the action that led to the event."},{"name":"ClientName","type":"string","description":"computer name from which the user was reconnected. Has 'Unknown' value for console session."},{"name":"CommandLine","type":"string","description":"The command line arguments that were passed to an application or process that was involved in the event."},{"name":"CompatibleIds","type":"string","description":"'Compatible Ids' attribute of device. 
To see device properties, start Device Manager, open specific device properties, and click 'Details':"},{"name":"DCDNSName","type":"string","description":"The DNS name of the domain controller that was involved in the event."},{"name":"DeviceDescription","type":"string","description":"the description of the device that was involved in the event."},{"name":"DeviceId","type":"string","description":"The unique identifier of the device that was involved in the event."},{"name":"DisplayName","type":"string","description":"It is a name, displayed in the address book for a particular account. This is usually the combination of the user's first name, middle initial, and last name."},{"name":"Disposition","type":"string","description":"The event outcome/ resolution, such as whether the event was resolved or whether any action was taken in response to the event."},{"name":"DomainBehaviorVersion","type":"string","description":"msDS-Behavior-Version domain attribute was modified. Numeric value."},{"name":"DomainName","type":"string","description":"The name of removed trusted domain."},{"name":"DomainPolicyChanged","type":"string","description":"Indicates whether any domain policies have been changed as part of the event (password policies, security policies, etc)."},{"name":"DomainSid","type":"string","description":"SID of the trust partner. This parameter might not be captured in the event, and in that case appears as 'NULL SID'."},{"name":"EAPType","type":"string","description":"The type of Extensible Authentication Protocol (EAP) that was used for the event authentication process."},{"name":"ElevatedToken","type":"string","description":"A 'Yes' or 'No' flag. If 'Yes', then the session this event represents is elevated and has administrator privileges."},{"name":"ErrorCode","type":"int","description":"Contains error code for Failure events. 
For Success events this parameter has '0x0' value."},{"name":"ExtendedQuarantineState","type":"string","description":"The state of the network quarantine process, if applicable. Network quarantine is a process by which unauthorized devices are prevented from accessing a network until they meet certain security requirements or have been checked for malware."},{"name":"FailureReason","type":"string","description":"Textual explanation of the Status field value. For this event, it typically has the 'Account locked out' value."},{"name":"FileHash","type":"string","description":"The hash value for any files that were accessed or modified as part of the event, or any files that were used in the authentication or authorization process."},{"name":"FilePath","type":"string","description":"Full path and filename of the key file on which the operation was performed."},{"name":"FilePathNoUser","type":"string","description":"The path of any files that are related to the event, excluding the username or other user-specific information."},{"name":"Filter","type":"string","description":"Filters that are used in the performed event."},{"name":"ForceLogoff","type":"string","description":"'\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire' group policy."},{"name":"Fqbn","type":"string","description":"The fully qualified binary name (FQBN) for any files that are related to the event."},{"name":"FullyQualifiedSubjectMachineName","type":"string","description":"The fully qualified domain name (FQDN) of the machine that initiated the event."},{"name":"FullyQualifiedSubjectUserName","type":"string","description":"The username of the user or service that initiated the event in FQDN format."},{"name":"GroupMembership","type":"string","description":"The list of group SIDs to which the logged-on account belongs (member of). Event Viewer automatically tries to resolve SIDs and show the account name. 
If the SID cannot be resolved, you will see the source data in the event."},{"name":"HandleId","type":"string","description":"Hexadecimal value of a handle to Object Name. This field can be used for correlation with other events."},{"name":"HardwareIds","type":"string","description":"'Hardware Ids' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details':"},{"name":"HomeDirectory","type":"string","description":"User's home directory. If homeDrive attribute is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory."},{"name":"HomePath","type":"string","description":"User's home path. The path must be a network UNC of the form \\\\Server\\Share\\Directory."},{"name":"InterfaceUuid","type":"string","description":"The unique identifier (UUID) for the network interface that was used for the event."},{"name":"IpAddress","type":"string","description":"the network address (usually IPv4 or IPv6) associated with the event."},{"name":"IpPort","type":"string","description":"The network port number associated with the event."},{"name":"KeyLength","type":"int","description":"The length of NTLM Session Security key. Typically it has 128 bit or 56 bit length."},{"name":"LmPackageName","type":"string","description":"The name of the package or software component that is currently using the Local Security Authority (LSA) on the machine where the event is being generated."},{"name":"LocationInformation","type":"string","description":"'Location information' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details':"},{"name":"LockoutDuration","type":"string","description":"'\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout duration' group policy. 
Numeric value."},{"name":"LockoutObservationWindow","type":"string","description":"'\\Security Settings\\Account Policies\\Account Lockout Policy\\Reset account lockout counter after' group policy. Numeric value."},{"name":"LockoutThreshold","type":"string","description":"'\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout threshold' group policy. Numeric value."},{"name":"LoggingResult","type":"string","description":"The result of the logon process."},{"name":"LogonGuid","type":"string","description":"A GUID that can help you correlate this event with another event that can contain the same Logon GUID."},{"name":"LogonHours","type":"string","description":"Hours that the account is allowed to logon to the domain."},{"name":"LogonID","type":"string","description":"Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID."},{"name":"LogonProcessName","type":"string","description":"The name of registered logon process."},{"name":"LogonType","type":"int","description":"The type of logon which was performed."},{"name":"LogonTypeName","type":"string","description":"The type of logon or authentication event that is being captured by the event log (common values:Interactive, Network, RemoteInteractive, Unlock)."},{"name":"MachineAccountQuota","type":"string","description":"ms-DS-MachineAccountQuota domain attribute was modified. Numeric value."},{"name":"MachineInventory","type":"string","description":"Information about the hardware configuration and software environment of the computer where the event is being generated. 
It can include different data points (for instance: the make and model of the computer, the amount of RAM or storage space available, the version numbers of various software applications, etc.)."},{"name":"MachineLogon","type":"string","description":"Information about a successful logon event in the machine."},{"name":"MandatoryLabel","type":"string","description":"ID of integrity label which was assigned to the new process."},{"name":"MaxPasswordAge","type":"string","description":"The period of time (in days) that a password can be used before the system requires the user to change it."},{"name":"MemberName","type":"string","description":"The user account that was involved in the event."},{"name":"MemberSid","type":"string","description":"The security identifier (SID) associated with the user account that was involved in the event."},{"name":"MinPasswordAge","type":"string","description":"The period of time (in days) that a password must be used before the system requires the user to change it."},{"name":"MinPasswordLength","type":"string","description":"The least number of characters that can make up a password for a user account."},{"name":"MixedDomainMode","type":"string","description":"The domain mode of a system or domain controller."},{"name":"NASIdentifier","type":"string","description":"The identifier of the network access server (NAS) that was involved in the event."},{"name":"NASIPv4Address","type":"string","description":"The IPv4 address of the network access server (NAS) that was involved in the event, if applicable."},{"name":"NASIPv6Address","type":"string","description":"The IPv6 address of the network access server (NAS) that was involved in the event, if applicable."},{"name":"NASPort","type":"string","description":"The port on the network access server that was used in the event."},{"name":"NASPortType","type":"string","description":"The type of network access server (NAS) used in the 
event."},{"name":"NetworkPolicyName","type":"string","description":"The name of the network policy associated with the event."},{"name":"NewDate","type":"string","description":"New date in UTC time zone. The format is YYYY-MM-DD."},{"name":"NewMaxUsers","type":"string","description":"The new maximum number of users allowed for a resource in the event."},{"name":"NewProcessId","type":"string","description":"Hexadecimal Process ID of the new process. Process ID (PID) is a number used by the operating system to uniquely identify an active process."},{"name":"NewProcessName","type":"string","description":"Full path and the name of the executable for the new process."},{"name":"NewRemark","type":"string","description":"The new value of network share 'Comments:' field. Has 'N/A' value if it isn't set."},{"name":"NewShareFlags","type":"string","description":"The share flags associated with a resource in the event, for instance: information on whether the resource is read-only or read/write, whether it is hidden, and other parameters that can affect access and permissions."},{"name":"NewTime","type":"string","description":"New time that was set in UTC time zone. The format is YYYY-MM-DDThh:mm:ss.nnnnnnnZ"},{"name":"NewUacValue","type":"string","description":"Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account."},{"name":"NewValue","type":"string","description":"New value for changed registry key value."},{"name":"NewValueType","type":"string","description":"New type of changed registry key value."},{"name":"ObjectName","type":"string","description":"Name and other identifying information for the object for which access was requested. 
For example, for a file, the path would be included."},{"name":"ObjectServer","type":"string","description":"Contains the name of the Windows subsystem calling the routine."},{"name":"ObjectType","type":"string","description":"The type of an object that was accessed during the operation."},{"name":"ObjectValueName","type":"string","description":"The name of modified registry key value."},{"name":"OemInformation","type":"string","description":"The original equipment manufacturer (OEM) associated with a device or system in the event."},{"name":"OldMaxUsers","type":"string","description":"The previous maximum number of users allowed for a resource in the event."},{"name":"OldRemark","type":"string","description":"the old value of network share 'Comments:' field. Has 'N/A' value if it isn't set."},{"name":"OldShareFlags","type":"string","description":"The previous share flags associated with a resource in the event, for instance: information on whether the resource is read-only or read/write, whether it is hidden, and other parameters that can affect access and permissions."},{"name":"OldUacValue","type":"string","description":"Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. 
This parameter contains the previous value of userAccountControl attribute of user object."},{"name":"OldValue","type":"string","description":"Old value for changed registry key value."},{"name":"OldValueType","type":"string","description":"Old type of changed registry key value."},{"name":"OperationType","type":"string","description":"The type of operation which was performed on an object."},{"name":"PackageName","type":"string","description":"The name of the LAN Manager sub-package (NTLM-family protocol name) that was used during logon."},{"name":"ParentProcessName","type":"string","description":"The name of the parent process associated with the event."},{"name":"PasswordHistoryLength","type":"string","description":"'\\Security Settings\\Account Policies\\Password Policy\\Enforce password history' group policy. Numeric value."},{"name":"PasswordLastSet","type":"string","description":"Last time the account’s password was modified."},{"name":"PasswordProperties","type":"string","description":"The password policies or properties associated with the event, for example: password length, complexity and expiration date."},{"name":"PreviousDate","type":"string","description":"The previous date associated with the event."},{"name":"PreviousTime","type":"string","description":"Previous time in UTC time zone. 
The format is YYYY-MM-DDThh:mm:ss.nnnnnnnZ."},{"name":"PrimaryGroupId","type":"string","description":"Relative Identifier (RID) of user’s object primary group."},{"name":"PrivateKeyUsageCount","type":"string","description":"The number of times a private key has been used."},{"name":"PrivilegeList","type":"string","description":"The privileges, including user, group, or system privileges associated with the event."},{"name":"Process","type":"string","description":"The name of the process that generates the event."},{"name":"ProcessId","type":"string","description":"Identifies the process that generated the event."},{"name":"ProcessName","type":"string","description":"Full path and the name of the executable for the process."},{"name":"Properties","type":"string","description":"Depends on Object Type. This field can be empty or contain the list of the object properties that were accessed."},{"name":"ProfilePath","type":"string","description":"Specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path."},{"name":"ProtocolSequence","type":"string","description":"Information about the protocol used for an authentication attempt."},{"name":"ProxyPolicyName","type":"string","description":"Name of the policy that was used to configure the proxy server for connecting to the network."},{"name":"QuarantineHelpURL","type":"string","description":"URL that provides help with troubleshooting a network quarantine issue."},{"name":"QuarantineSessionID","type":"string","description":"Identifier of the session where the file was assessed for quarantine."},{"name":"QuarantineSessionIdentifier","type":"string","description":"Identifier of the session where the file was assessed for quarantine."},{"name":"QuarantineState","type":"string","description":"It shows whether the file is quarantined."},{"name":"QuarantineSystemHealthResult","type":"string","description":"Report that shows the status of the files that have been 
quarantined."},{"name":"RelativeTargetName","type":"string","description":"Relative name of the accessed target file or folder. This file-path is relative to the network share. If access was requested for the share itself, then this field appears as “\\”."},{"name":"RemoteIpAddress","type":"string","description":"The IP address of the computer that initiated a remote connection."},{"name":"RemotePort","type":"string","description":"The port number of the remote computer that initiated a connection."},{"name":"Requester","type":"string","description":"The event requester identifier."},{"name":"RequestId","type":"string","description":"A unique identifier that's associated with particular requests, such as those made over HTTP."},{"name":"RestrictedAdminMode","type":"string","description":"Only populated for RemoteInteractive logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10."},{"name":"RowsDeleted","type":"string","description":"The number of rows that were deleted as a part of a particular operation."},{"name":"SamAccountName","type":"string","description":"logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name)."},{"name":"ScriptPath","type":"string","description":"Specifies the path of the account’s logon script."},{"name":"SecurityDescriptor","type":"string","description":"Information about the security settings and permissions of a particular object or resource. 
"},{"name":"ServiceAccount","type":"string","description":"The security context that the service will run as when started."},{"name":"ServiceFileName","type":"string","description":"Indicates the type of service that was registered with the Service Control Manager."},{"name":"ServiceName","type":"string","description":"The name of installed service."},{"name":"ServiceStartType","type":"int","description":"Contains information about how a particular service should be started, whether it should be started automatically or manually."},{"name":"ServiceType","type":"string","description":"Indicates the type of service that was registered with the Service Control Manager."},{"name":"SessionName","type":"string","description":"The name of the session to which the user was reconnected."},{"name":"ShareLocalPath","type":"string","description":"The local path of accessed network share."},{"name":"ShareName","type":"string","description":"The name of accessed network share. The format is: \\\\*\\SHARE_NAME."},{"name":"SidHistory","type":"string","description":"Contains previous SIDs used for the object if the object was moved from another domain."},{"name":"Status","type":"string","description":"The reason why logon failed. For this event, it typically has '0xC0000234' value. The most common status codes are listed in Table 12. 
Windows logon status codes."},{"name":"SubjectAccount","type":"string","description":"Information about the account that is initiating the event."},{"name":"SubcategoryGuid","type":"string","description":"The unique GUID of changed subcategory."},{"name":"SubcategoryId","type":"string","description":"A unique identifier for a specific type of the event."},{"name":"Subject","type":"string","description":"Information about the security principal (for instance: user account) that initiated the event."},{"name":"SubjectDomainName","type":"string","description":"Information about the domain or workgroup to which the subject account belongs."},{"name":"SubjectKeyIdentifier","type":"string","description":"A unique identifier for a particular certificate subject."},{"name":"SubjectLogonId","type":"string","description":"A unique identifier for the logon session associated with the subject account."},{"name":"SubjectMachineName","type":"string","description":"Information about the machine or system from which the event was created."},{"name":"SubjectMachineSID","type":"string","description":"The security identifier (SID) for the machine that generated the event."},{"name":"SubjectUserName","type":"string","description":"The name of the user account that generated the event."},{"name":"SubjectUserSid","type":"string","description":"The security identifier (SID) for the user account that generated the event."},{"name":"SubStatus","type":"string","description":"Additional information about logon failure. The most common substatus codes are listed in the 'Table 12. 
Windows logon status codes'."},{"name":"TableId","type":"string","description":"The specific data table identifier the event data is stored in."},{"name":"TargetAccount","type":"string","description":"The account targeted by the event (user name, computer name, etc)."},{"name":"TargetDomainName","type":"string","description":"The name of the domain that the target account belongs to."},{"name":"TargetInfo","type":"string","description":"Additional information about the event target (for example: the path to a file or folder, the name of a registry key, etc)."},{"name":"TargetLinkedLogonId","type":"string","description":"Information that helps to link related events together by their logon attempt IDs. It can be useful in keeping all relevant events organized, tracking activity across multiple sessions, and identifying the attack source."},{"name":"TargetLogonGuid","type":"string","description":"A globally unique identifier (GUID) associated with the logon session related to the event."},{"name":"TargetLogonId","type":"string","description":"A unique identifier associated with the logon session related to the event."},{"name":"TargetOutboundDomainName","type":"string","description":"The domain that the account specified in the TargetAccount field was authenticated against during an outbound authentication attempt."},{"name":"TargetOutboundUserName","type":"string","description":"The name of the user account that was authenticated during an outbound authentication attempt."},{"name":"TargetServerName","type":"string","description":"The name of the server on which the new process was run. 
Has “localhost” value if the process was run locally."},{"name":"TargetSid","type":"string","description":"The security identifier (SID) of the server on which the new process was run."},{"name":"TargetUser","type":"string","description":"The user account identifier that generated the new process."},{"name":"TargetUserName","type":"string","description":"The name of the user account that generated the new process."},{"name":"TargetUserSid","type":"string","description":"The security identifier (SID) associated with the user or resource involved in the event."},{"name":"TemplateContent","type":"string","description":"The content of the event message or notification in a structured form."},{"name":"TemplateDSObjectFQDN","type":"string","description":"FQDN of the DS object that represents the GPO template."},{"name":"TemplateInternalName","type":"string","description":"The internal name of the GPO template."},{"name":"TemplateOID","type":"string","description":"the unique identifier for the template that was used to create the event."},{"name":"TemplateSchemaVersion","type":"string","description":"Version of the template schema that defines the data to include with an event."},{"name":"TemplateVersion","type":"string","description":"Version of the template that defines the data to include with an event."},{"name":"TokenElevationType","type":"string","description":"Type of token that was assigned to a new process in accordance with User Account Control Policy."},{"name":"TransmittedServices","type":"string","description":"The list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. 
For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx."},{"name":"UserAccountControl","type":"string","description":"Shows the list of changes in userAccountControl attribute. You will see a line of text for each change."},{"name":"UserParameters","type":"string","description":"If you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see in this field. For local accounts, this field is not applicable and always has value."},{"name":"UserPrincipalName","type":"string","description":"Internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name."},{"name":"UserWorkstations","type":"string","description":"Contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the sAMAccountName property of a computer object."},{"name":"VirtualAccount","type":"string","description":"A 'Yes' or 'No' flag, which indicates if the account is a virtual account (e.g., 'Managed Service Account'), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using 'NetworkService'."},{"name":"VendorIds","type":"string","description":"'Hardware Ids' attribute of device. 
To see device properties, start Device Manager, open specific device properties, and click 'Details'."},{"name":"Workstation","type":"string","description":"The name of the machine that was used to perform the event."},{"name":"WorkstationName","type":"string","description":"Machine name from which a logon attempt was performed."},{"name":"EventLevelName","type":"string","description":"The rendered message string of the level specified in the event."},{"name":"SourceComputerId","type":"string","description":"Unique identifier assigned to each computer in a Windows domain."},{"name":"ManagementGroupName","type":"string","description":"Additional information based on the resource type."},{"name":"SystemUserId","type":"string","description":"The ID of the user who is responsible for the event."},{"name":"Version","type":"int","description":"Contains the version number of the event's definition."},{"name":"Opcode","type":"string","description":"The opcode element is defined by the SystemPropertiesType complex type."},{"name":"Keywords","type":"string","description":"A bitmask of the keywords defined in the event."},{"name":"Correlation","type":"string","description":"The activity identifiers that consumers can use to group related events together."},{"name":"SystemProcessId","type":"int","description":"Identifies the process that generated the event."},{"name":"SystemThreadId","type":"int","description":"Identifies the thread that generated the event."},{"name":"EventRecordId","type":"string","description":"The record number assigned to the event when it was logged."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights","microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets"],"solutions":["Security","SecurityInsights"],"queries":["2ceeb9da-0e43-44b8-b0c7-9debf01d0d89"]}},{"id":"SecurityIncident","name":"SecurityIncident","tableType":"Microsoft","description":"Incidents generated by security products.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) of when the incident was ingested"},{"name":"IncidentName","type":"string","description":"The resource name of the incident"},{"name":"Title","type":"string","description":"The title of the incident","isPreferredFacet":true},{"name":"Description","type":"string","description":"The description of the incident","isPreferredFacet":true},{"name":"Severity","type":"string","description":"The severity of the incident","isPreferredFacet":true},{"name":"Status","type":"string","description":"The status of the incident","isPreferredFacet":true},{"name":"Classification","type":"string","description":"The classification the incident was given when closed","isPreferredFacet":true},{"name":"ClassificationComment","type":"string","description":"Description of the reason the incident was closed","isPreferredFacet":true},{"name":"ClassificationReason","type":"string","description":"The classification reason the incident was given when closed","isPreferredFacet":true},{"name":"Owner","type":"dynamic","description":"The user the incident is assigned to"},{"name":"ProviderName","type":"string","description":"The name of the source provider that generated the incident"},{"name":"ProviderIncidentId","type":"string","description":"The incident ID assigned by the incident 
provider"},{"name":"FirstActivityTime","type":"datetime","description":"Timestamp (UTC) of when the first activity in the incident occurred"},{"name":"LastActivityTime","type":"datetime","description":"Timestamp (UTC) of when the last activity in the incident occurred"},{"name":"FirstModifiedTime","type":"datetime","description":"Timestamp (UTC) of when the incident was first modified"},{"name":"LastModifiedTime","type":"datetime","description":"Timestamp (UTC) of when the incident was last modified"},{"name":"CreatedTime","type":"datetime","description":"Timestamp (UTC) of when the incident was created"},{"name":"ClosedTime","type":"datetime","description":"Timestamp (UTC) of when the incident was last closed"},{"name":"IncidentNumber","type":"int","description":"The sequential number of the incident"},{"name":"RelatedAnalyticRuleIds","type":"dynamic","description":"The IDs of the Analytic rules associated with the incident"},{"name":"AlertIds","type":"dynamic","description":"The IDs of the alerts related to the incident"},{"name":"BookmarkIds","type":"dynamic","description":"The IDs of the bookmarks related to the incident"},{"name":"Comments","type":"dynamic","description":"The comments added to the incident"},{"name":"Tasks","type":"dynamic","description":"The tasks added to the incident"},{"name":"Labels","type":"dynamic","description":"The labels added to the incident"},{"name":"IncidentUrl","type":"string","description":"The URI to open the incident in Azure Sentinel portal"},{"name":"AdditionalData","type":"dynamic","description":"Additional data on the incident"},{"name":"ModifiedBy","type":"string","description":"The source of the change in the incident","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["SecurityInsights"]}},{"id":"SecurityIoTRawEvent","name":"SecurityIoTRawEvent","tableType":"Microsoft","description":"Table is part of Microsoft Defender for IoT. It contains IoT raw security event properties. These logs can be used to monitor your operational, diagnostic and security raw events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"IoTRawEventId","type":"string","description":"The internal raw event ID.","isPreferredFacet":true},{"name":"RawEventType","type":"string","description":"The type of the raw event - security, operational or diagnostic.","isPreferredFacet":true},{"name":"RawEventName","type":"string","description":"The name of the raw event."},{"name":"TimeGenerated","type":"datetime","description":"The date and time the raw event was generated.","isPreferredFacet":true},{"name":"TimeStamp","type":"datetime","description":"The date and time the raw event was first detected."},{"name":"RawEventCategory","type":"string","description":"The category of the raw event - periodic or triggered.","isPreferredFacet":true},{"name":"IsEmpty","type":"bool","description":"Property identifying if the raw event contains data.","isPreferredFacet":true},{"name":"AgentVersion","type":"string","description":"The version of the agent.","isPreferredFacet":true},{"name":"AssociatedResourceId","type":"string","description":"The associated Azure resource ID.","isPreferredFacet":true},{"name":"AzureSubscriptionId","type":"string","description":"The Azure subscription ID."},{"name":"DeviceId","type":"string","description":"The device ID.","isPreferredFacet":true},{"name":"EventDetails","type":"string","description":"Additional raw event details."},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["AzureSecurityOfThings"]}},{"id":"SecurityNestedRecommendation","name":"SecurityNestedRecommendation","tableType":"Microsoft","description":"Nested recommendations can be thought of as 'sub' recommendations grouped into a 'parent' recommendation. To view nested recommendations, open the 'parent' from the recommendations page in Security Center. For example, if a vulnerability scan of your SQL databases returns 100 findings, each finding will be available as a nested recommendation within the parent recommendation 'Vulnerabilities on your SQL databases should be remediated'.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time the sub-assessment was exported"},{"name":"SubAssessmentTimeGeneration","type":"datetime","description":"The date and time the sub-assessment was generated","isPreferredFacet":true},{"name":"RecommendationSubscriptionId","type":"string","description":"Recommendation's subscription Id","isPreferredFacet":true},{"name":"ResourceGroup","type":"string","description":"Resource group name","isPreferredFacet":true},{"name":"AssessedResourceId","type":"string","description":"Id of the assessed resource","isPreferredFacet":true},{"name":"ParentRecommendationId","type":"string","description":"Id of the parent recommendation","isPreferredFacet":true},{"name":"Id","type":"string","description":"Id of the assessed recommendation","isPreferredFacet":true},{"name":"RecommendationName","type":"string","description":"Display name of the sub-assessment","isPreferredFacet":true},{"name":"NestedRecommendationId","type":"string","description":"Id of the nested-recommendation","isPreferredFacet":true},{"name":"Description","type":"string","description":"Description of the assessment 
status"},{"name":"RecommendationSeverity","type":"string","description":"The sub-assessment severity level","isPreferredFacet":true},{"name":"RecommendationState","type":"string","description":"The sub-assessment state","isPreferredFacet":true},{"name":"RemediationDescription","type":"string","description":"Information on how to remediate this sub-assessment"},{"name":"AdditionalData","type":"dynamic","description":"Additional details of the sub-assessment"},{"name":"ResourceProviderType","type":"string","description":"Resource provider type of the assessed resource"},{"name":"Category","type":"string","description":"Category of the sub-assessment"},{"name":"ResourceDetails","type":"dynamic","description":"Details of the resource that was assessed"},{"name":"Impact","type":"string","description":"Description of the impact of this sub-assessment"},{"name":"Cause","type":"string","description":"Cause of the assessment status"},{"name":"VulnerabilityId","type":"string","description":"Vulnerability Id","isPreferredFacet":true},{"name":"IsSnapshot","type":"bool","description":"Indicates whether the data was exported as part of a snapshot when 'true', or streamed in real-time when 'false'.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"Resource type"},{"name":"RemidiationDescription","type":"string","description":"Information on how to remediate this sub-assessment"},{"name":"RecommendationLink","type":"string","description":"Recommendation link URL"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"solutions":["Security","SecurityCenter","SecurityCenterFree"]}},{"id":"SecurityRecommendation","name":"SecurityRecommendation","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"RecommendationId","type":"string","isPreferredFacet":true},{"name":"RecommendationName","type":"string","isPreferredFacet":true},{"name":"RecommendationDisplayName","type":"string"},{"name":"ProviderName","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"RecommendationState","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"DiscoveredTimeUTC","type":"datetime"},{"name":"ResolvedTimeUTC","type":"datetime"},{"name":"PolicyDefinitionId","type":"string","isPreferredFacet":true},{"name":"RecommendationSeverity","type":"string","isPreferredFacet":true},{"name":"AssessedResourceId","type":"string","isPreferredFacet":true},{"name":"DeviceId","type":"string","isPreferredFacet":true},{"name":"ResourceRegion","type":"string","isPreferredFacet":true},{"name":"IsSnapshot","type":"bool","isPreferredFacet":true},{"name":"RecommendationAdditionalData","type":"dynamic"},{"name":"FirstEvaluationDate","type":"datetime","isPreferredFacet":true},{"name":"StatusChangeDate","type":"datetime","isPreferredFacet":true},{"name":"Environment","type":"string","isPreferredFacet":true},{"name":"Properties","type":"dynamic"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["AzureSecurityOfThings","Security","SecurityCenterFree"]}},{"id":"SecurityRegulatoryCompliance","name":"SecurityRegulatoryCompliance","tableType":"Microsoft","description":"Azure Security Center regulatory compliance assessments 
state.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The (UTC) date and time the assessment was generated"},{"name":"RegulatoryComplianceSubscriptionId","type":"string","description":"The subscription ID of the assessed resource","isPreferredFacet":true},{"name":"AssessedResourceId","type":"string","description":"The ID of the assessed resource","isPreferredFacet":true},{"name":"RecommendationId","type":"string","description":"The ID of the assessed recommendation","isPreferredFacet":true},{"name":"RecommendationName","type":"string","description":"Recommendation display name","isPreferredFacet":true},{"name":"ComplianceStandard","type":"string","description":"The name of compliance standard","isPreferredFacet":true},{"name":"ComplianceControl","type":"string","description":"The name of regulatory compliance control","isPreferredFacet":true},{"name":"SkippedResources","type":"int","description":"The number of resources that were skipped for this assessment"},{"name":"PassedResources","type":"int","description":"The number of resources that passed this assessment"},{"name":"FailedResources","type":"int","description":"The number of resources that failed this assessment"},{"name":"State","type":"string","description":"The assessment state","isPreferredFacet":true},{"name":"ResourceProviderType","type":"string","description":"Resource provider type of the assessed resource"},{"name":"RecommendationLink","type":"string","description":"A link for more details on the assessment result"},{"name":"IsSnapshot","type":"bool","description":"Indicates whether the data was exported as part of a snapshot when 'true', or streamed in real-time when 'false'.","isPreferredFacet":true},{"name":"Properties","type":"dynamic","description":"The complete set of metadata."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["Security","SecurityCenter","SecurityCenterFree"]}},{"id":"SentinelAlibabaCloudAPIGatewayLogs","name":"SentinelAlibabaCloudAPIGatewayLogs","tableType":"Microsoft","description":"Alibaba Cloud API Gateway Logs data.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time when the log entry was generated"},{"name":"ApiGroupUid","type":"string","description":"The ID of the group to which the API belongs."},{"name":"ApiGroupName","type":"string","description":"The name of the group to which the API belongs."},{"name":"ApiUid","type":"string","description":"The API ID."},{"name":"ApiName","type":"string","description":"The API name."},{"name":"ApiStageUid","type":"string","description":"The ID of the environment in which the API was called."},{"name":"ApiStageName","type":"string","description":"The environment name."},{"name":"HttpMethod","type":"string","description":"The HTTP method that was used by the API request."},{"name":"Path","type":"string","description":"The request path of the API."},{"name":"Domain","type":"string","description":"The domain name that was used for the API call."},{"name":"StatusCode","type":"string","description":"HttpStatusCode"},{"name":"ErrorMessage","type":"string","description":"The returned error message."},{"name":"AppId","type":"string","description":"The ID of the application that was used to call the API."},{"name":"AppName","type":"string","description":"The name of the application that was used to call the 
API."},{"name":"ClientIp","type":"string","description":"The IP address of the client that initiated the API call."},{"name":"Exception","type":"string","description":"The specific error message that was returned by the backend service of the API."},{"name":"ExchangeTimestamp","type":"string","description":"The I/O points in time in the request link. FrontRequestStart: the point in time when API Gateway started to receive the request from the client. FrontRequestEnd: the point in time when API Gateway completed receiving the request from the client. BackendRequestStart: the point in time when API Gateway started to forward the request to the backend service. BackendRequestEnd: the point in time when API Gateway completed forwarding the request to the backend service. BackendResponseStart: the point in time when API Gateway started to receive the response from the backend service. BackendResponseEnd: the point in time when API Gateway completed receiving the response from the backend service. FrontResponseStart: the point in time when API Gateway started to send the response to the client. FrontResponseEnd: the point in time when API Gateway completed sending the response to the client."},{"name":"ProviderAliUid","type":"string","description":"The ID of the account that provides the API."},{"name":"Region","type":"string","description":"The region where the API resides, for example, cn-hangzhou, which indicates the China (Hangzhou) region."},{"name":"RequestHandleTime","type":"datetime","description":"The time point in UTC at which the API request was received by API Gateway."},{"name":"RequestId","type":"string","description":"The request ID. The ID is globally unique."},{"name":"RequestSize","type":"string","description":"The request size. Unit: bytes."},{"name":"ResponseSize","type":"string","description":"The response size. Unit: bytes."},{"name":"ServiceLatency","type":"real","description":"The total time consumed to access the backend resources. 
The total time includes the time consumed to request a connection to the resources, the time consumed to establish the connection, and the time consumed to call the backend service. Unit: milliseconds."},{"name":"ErrorCode","type":"string","description":"The error code, such as X500ER."},{"name":"RequestProtocol","type":"string","description":"The protocol used by the client to send the request. Valid values: HTTP, HTTPS, and WS."},{"name":"InstanceId","type":"string","description":"The ID of the API Gateway instance to which the API belongs."},{"name":"InitialRequestId","type":"string","description":"If an API calls another API, for example, API-1 calls API-2, initialRequestId is used to record the request ID of API-1 in the logs of API-2."},{"name":"ClientNonce","type":"string","description":"The X-Ca-Nonce header in the request initiated from the client."},{"name":"RequestQueryString","type":"string","description":"The queryString in the request initiated from the client. This field is for dedicated instances only."},{"name":"RequestHeaders","type":"string","description":"The header content in the request initiated from the client. This field is for dedicated instances only."},{"name":"RequestBody","type":"string","description":"The body of the request sent by the client. The body can contain up to 1,024 bytes in length. This field is for dedicated instances only."},{"name":"ResponseHeaders","type":"string","description":"The header content of the API response. This field is for dedicated instances only."},{"name":"ResponseBody","type":"string","description":"The response content. The response can contain up to 1,024 bytes in length. This field is for dedicated instances only."},{"name":"ConsumerAppKey","type":"string","description":"The AppKey that was used in the request."},{"name":"TotalLatency","type":"real","description":"The total latency of the API request. 
Unit: milliseconds."},{"name":"CustomTraceId","type":"string","description":"The traceId of the end-to-end log."},{"name":"JwtClaims","type":"string","description":"The JSON web token (JWT) claims. The claims can be configured at the group level."},{"name":"Plugin","type":"string","description":"The plug-in hit by the request and the relevant context."},{"name":"LogStore","type":"string","description":"The name of the log store where the logs are stored."},{"name":"LogRegion","type":"string","description":"The region where the log store is located."},{"name":"LogProject","type":"string","description":"The name of the log project where the logs are stored."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"SentinelAlibabaCloudVPCFlowLogs","name":"SentinelAlibabaCloudVPCFlowLogs","tableType":"Microsoft","description":"Alibaba Cloud VPC Flow Logs data.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time when the log entry was generated"},{"name":"Version","type":"string","description":"The version of the flow log. 
The version of all current flow log entries is 1"},{"name":"VswitchId","type":"string","description":"The ID of the vSwitch to which the elastic network interface (ENI) is attached"},{"name":"VmId","type":"string","description":"The ID of the ECS instance to which the ENI is attached"},{"name":"VpcId","type":"string","description":"The ID of the VPC to which the ENI belongs"},{"name":"AccountId","type":"string","description":"The Alibaba Cloud account ID"},{"name":"EniId","type":"string","description":"The ID of the ENI"},{"name":"Region","type":"string","description":"The region where the VPC resides, Not included in all records"},{"name":"SrcAddr","type":"string","description":"The source IP address"},{"name":"SrcPort","type":"string","description":"The source port"},{"name":"DstAddr","type":"string","description":"The destination IP address"},{"name":"DstPort","type":"string","description":"The destination port"},{"name":"Protocol","type":"string","description":"The Internet Assigned Numbers Authority (IANA) protocol number of the traffic. Common protocol numbers include 1 for ICMP, 6 for TCP, and 17 for UDP"},{"name":"Direction","type":"string","description":"The direction of the traffic: in (Inbound traffic to the ENI) or out (Outbound traffic from the ENI)"},{"name":"Packets","type":"string","description":"The number of packets"},{"name":"Bytes","type":"string","description":"The number of bytes"},{"name":"Start","type":"string","description":"The time when the first packet was received in the capture window. The value is a Unix timestamp"},{"name":"End","type":"string","description":"For a persistent connection, this is the end time of the capture window. For a short-lived connection, this is the time when the connection was closed. 
The value is a Unix timestamp"},{"name":"LogStatus","type":"string","description":"The logging status of the flow log: OK (Data is recorded normally), NODATA (No network traffic), SKIPDATA (Some flow log records are skipped)"},{"name":"Action","type":"string","description":"Indicates whether the traffic was permitted or denied by a security group or network ACL: ACCEPT (traffic was permitted) or REJECT (traffic was denied)"},{"name":"TcpFlags","type":"string","description":"The TCP flag, represented in decimal, which reflects a combination of flags from the TCP protocol, such as SYN, ACK, and FIN"},{"name":"TrafficPath","type":"string","description":"The scenario where the traffic occurs (0-22): 0=Other scenarios, 1=Traffic through other resources in same VPC, 2=Private traffic to ECS instance in same VPC, etc."},{"name":"SrcType","type":"string","description":"The CIDR block information of the source IP address after enabling the inter-domain analysis feature. This field is included only if you enable the inter-domain analysis feature."},{"name":"DstType","type":"string","description":"The CIDR block information of the destination IP address after enabling the inter-domain analysis feature. 
This field is included only if you enable the inter-domain analysis feature."},{"name":"LogStore","type":"string","description":"The name of the log store where the logs are stored."},{"name":"LogRegion","type":"string","description":"The region where the log store is located."},{"name":"LogProject","type":"string","description":"The name of the log project where the logs are stored."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"SentinelAlibabaCloudWAFLogs","name":"SentinelAlibabaCloudWAFLogs","tableType":"Microsoft","description":"Alibaba Cloud WAF Logs data.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time when the log entry was generated"},{"name":"OwnerId","type":"string","description":"The ID of the Alibaba Cloud account"},{"name":"AccountAction","type":"string","description":"The action that is performed on the client request after an account security rule is triggered. The value is fixed as block"},{"name":"AccountRuleId","type":"string","description":"The ID of the account security rule that is triggered"},{"name":"AccountTest","type":"bool","description":"The protection mode that is used for the client request after an account security rule is triggered. true: observation mode, false: prevention mode"},{"name":"AclAction","type":"string","description":"The action that is performed on the client request after a rule created for the blacklist or custom protection policy (ACL) feature is triggered. Valid values: block, captcha_strict, captcha, js, captcha_strict_pass, captcha_pass, and js_pass"},{"name":"AclRuleId","type":"string","description":"The ID of the rule that is triggered. 
The rule is created for the blacklist or ACL feature"},{"name":"AclRuleType","type":"string","description":"The type of the rule that is triggered. The rule is created for the blacklist or ACL feature. Valid values: custom (ACL feature), blacklist (blacklist feature)"},{"name":"AclTest","type":"bool","description":"The protection mode that is used for the client request after a rule created for the blacklist or ACL feature is triggered. true: observation mode, false: prevention mode"},{"name":"AlgorithmRuleId","type":"string","description":"The ID of the rule that is triggered. The rule is created for the typical bot behavior identification feature"},{"name":"AntiscanAction","type":"string","description":"The action that is performed on the client request after a rule created for the scan protection feature is triggered. The value is fixed as block"},{"name":"AntiscanRuleId","type":"string","description":"The ID of the rule that is triggered. The rule is created for the scan protection feature"},{"name":"AntiscanRuleType","type":"string","description":"The type of the rule that is triggered. The rule is created for the scan protection feature. Valid values: highfreq, dirscan, scantools, collaborative"},{"name":"AntiscanTest","type":"bool","description":"The protection mode that is used for the client request after a rule created for the scan protection feature is triggered. true: observation mode, false: prevention mode"},{"name":"BlockAction","type":"string","description":"The WAF protection feature that is triggered to block the request. Valid values: tmd, waf, acl, deeplearning, antiscan, antifraud, antibot"},{"name":"BodyBytesSent","type":"long","description":"The number of bytes in the request body"},{"name":"BypassMatchedIds","type":"string","description":"The ID of the rule that is triggered to allow the client request. 
Multiple IDs are separated with commas"},{"name":"CcAction","type":"string","description":"The action that is performed on the client request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. Valid values: block, captcha, js, captcha_pass, and js_pass"},{"name":"CcBlocks","type":"string","description":"Indicates whether the client request is blocked by the HTTP flood protection feature. 1: The request is blocked, A different value: The request is allowed"},{"name":"CcRuleId","type":"string","description":"The ID of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature"},{"name":"CcRuleType","type":"string","description":"The type of the rule that is triggered. The rule is created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature. Valid values: custom (custom protection rule), system (HTTP flood protection rule)"},{"name":"CcTest","type":"bool","description":"The protection mode that is used for the client request after a rule created for the HTTP flood protection or custom protection policy (HTTP Flood Protection) feature is triggered. true: observation mode, false: prevention mode"},{"name":"ContentType","type":"string","description":"The type of the requested content"},{"name":"DeeplearningAction","type":"string","description":"The action that is performed on the client request after a rule created for the Deep Learning Engine is triggered. The value is fixed as block"},{"name":"DeeplearningRuleId","type":"string","description":"The ID of the rule that is triggered. The rule is created for the Deep Learning Engine"},{"name":"DeeplearningRuleType","type":"string","description":"The type of the rule that is triggered. The rule is created for the Deep Learning Engine. 
Valid values: xss, code_exec, webshell, sqli, lfilei, rfilei, crlf, other"},{"name":"DeeplearningTest","type":"bool","description":"The protection mode that is used for the client request after a rule created for the Deep Learning Engine is triggered. true: observation mode, false: prevention mode"},{"name":"DlpRuleId","type":"string","description":"The ID of the rule that is triggered. The rule is created for the data leakage prevention feature"},{"name":"DlpTest","type":"bool","description":"The protection mode that is used for the client request after a rule created for the data leakage prevention feature is triggered. true: observation mode, false: prevention mode"},{"name":"FinalRuleType","type":"string","description":"The subtype of the rule that is applied to the client request. The rule is indicated by final_rule_id"},{"name":"FinalRuleId","type":"string","description":"The ID of the rule that is applied to the client request. The rule defines the action recorded in the final_action field"},{"name":"FinalAction","type":"string","description":"The action that WAF performs on the client request. Valid values: block, captcha_strict, captcha, and js"},{"name":"FinalPlugin","type":"string","description":"The protection feature that performs the action specified by final_action on the client request. Valid values: waf, deeplearning, dlp, account, normalized, acl, cc, antiscan, scene, antifraud, intelligence, algorithm, wxbb"},{"name":"Host","type":"string","description":"The Host field of the request header. This field contains the domain name or IP address to access"},{"name":"HttpCookie","type":"string","description":"The Cookie field of the request header. This field contains the cookie information about the client"},{"name":"HttpReferer","type":"string","description":"The Referer field of the request header. 
This field contains the source URL information about the request"},{"name":"HttpUserAgent","type":"string","description":"The User-Agent field of the request header. This field contains information such as the identifier of the client browser or operating system"},{"name":"HttpXForwardedFor","type":"string","description":"The X-Forwarded-For (XFF) field of the request header. This field is used to identify the actual IP address of the client that is connected to the web server by using an HTTP proxy or a load balancing device"},{"name":"Https","type":"bool","description":"Indicates whether the request is an HTTPS request. true: The request is an HTTPS request, false: The request is an HTTP request"},{"name":"MatchedHost","type":"string","description":"The domain name of the origin server that is matched by WAF for the request. A wildcard domain name may be matched"},{"name":"NormalizedAction","type":"string","description":"The action that is performed on the client request after a rule created for the positive security model feature is triggered. Valid values: block and continue"},{"name":"NormalizedRuleId","type":"string","description":"The ID of the rule that is triggered. The rule is created for the positive security model feature"},{"name":"NormalizedRuleType","type":"string","description":"The type of the rule that is triggered. The rule is created for the positive security model feature. Valid values: User-Agent, Referer, URL, Cookie, Body"},{"name":"NormalizedTest","type":"bool","description":"The protection mode that is used for the client request after a rule created for the positive security model feature is triggered. true: observation mode, false: prevention mode"},{"name":"Querystring","type":"string","description":"The query string in the client request. The query string refers to the part that follows the question mark (?) 
in the requested URL"},{"name":"RealClientIp","type":"string","description":"The actual IP address of the client that initiates the request. WAF identifies the actual IP address based on the analysis of the request"},{"name":"Region","type":"string","description":"The ID of the region where the WAF instance resides. Valid values: cn (Chinese mainland), int (outside the Chinese mainland)"},{"name":"RemoteAddr","type":"string","description":"The IP address that is used to connect to WAF"},{"name":"RemotePort","type":"int","description":"The port that is used to connect to WAF"},{"name":"RequestLength","type":"long","description":"The number of bytes in the client request. The request includes the request line, request headers, and request body. Unit: bytes"},{"name":"RequestMethod","type":"string","description":"The request method"},{"name":"RequestPath","type":"string","description":"The requested relative path. The relative path refers to the part between the domain name and the question mark (?) in the requested URL"},{"name":"RequestTimeMsec","type":"real","description":"The time that is taken by WAF to process the client request. Unit: milliseconds"},{"name":"RequestTraceid","type":"string","description":"The unique identifier that is generated by WAF for the client request"},{"name":"SceneAction","type":"string","description":"The action that is performed on the client request after a rule created for scenario-specific configuration is triggered. Valid values: block, captcha, js, captcha_pass, and js_pass"},{"name":"SceneId","type":"string","description":"The scenario ID of the rule that is triggered. The rule is created for scenario-specific configuration"},{"name":"SceneRuleId","type":"string","description":"The ID of the rule that is triggered. The rule is created for scenario-specific configuration"},{"name":"SceneRuleType","type":"string","description":"The type of the rule that is triggered. The rule is created for scenario-specific configuration. 
Valid values: bot_aialgo, js, intelligence, sdk, cc"},{"name":"SceneTest","type":"bool","description":"The protection mode that is used for the client request after a rule created for scenario-specific configuration is triggered. true: observation mode, false: prevention mode"},{"name":"ServerPort","type":"int","description":"The requested destination port"},{"name":"ServerProtocol","type":"string","description":"The protocol and version that is used by the origin server to respond to the request forwarded by WAF"},{"name":"Status","type":"int","description":"The HTTP status code that is returned by WAF to the client"},{"name":"SslCipher","type":"string","description":"The cipher suite that is used in the client request"},{"name":"SslProtocol","type":"string","description":"The SSL or TLS protocol and version that are used in the client request"},{"name":"Time","type":"datetime","description":"The point in time at which the client request is initiated"},{"name":"UaBrowser","type":"string","description":"The name of the browser that initiates the request"},{"name":"UaBrowserFamily","type":"string","description":"The family to which the browser belongs"},{"name":"UaBrowserType","type":"string","description":"The type of the browser that initiates the request"},{"name":"UaBrowserVersion","type":"string","description":"The version of the browser that initiates the request"},{"name":"UaDeviceType","type":"string","description":"The device type of the client that initiates the request"},{"name":"UaOs","type":"string","description":"The operating system of the client that initiates the request"},{"name":"UaOsFamily","type":"string","description":"The family to which the operating system of the client belongs"},{"name":"UpstreamAddr","type":"string","description":"The back-to-origin addresses used by WAF. Each address is in the IP:Port format. 
Multiple addresses are separated with commas"},{"name":"UpstreamResponseTime","type":"real","description":"The time that is taken by the origin server to respond to the request. The request is forwarded by WAF. Unit: seconds"},{"name":"UpstreamStatus","type":"int","description":"The status code that is returned by the origin server to WAF"},{"name":"UserId","type":"string","description":"The ID of the Alibaba Cloud account to which the WAF instance belongs"},{"name":"WafAction","type":"string","description":"The action that is performed on the client request after a rule created for the Protection Rules Engine is triggered. The value is fixed as block"},{"name":"WafTest","type":"bool","description":"The protection mode that is used for the client request after a rule created for the Protection Rules Engine is triggered. true: observation mode, false: prevention mode"},{"name":"WafRuleId","type":"string","description":"The ID of the rule that is triggered. The rule is created for the Protection Rules Engine"},{"name":"WafRuleType","type":"string","description":"The type of the rule that is triggered. The rule is created for the Protection Rules Engine. 
Valid values: xss, code_exec, webshell, sqli, lfilei, rfilei, crlf, other"},{"name":"LogStore","type":"string","description":"The name of the log store where the logs are stored."},{"name":"LogRegion","type":"string","description":"The region where the log store is located."},{"name":"LogProject","type":"string","description":"The name of the log project where the logs are stored."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"SentinelAudit","name":"SentinelAudit","tableType":"Microsoft","description":"Audit logs for operations performed on Azure Sentinel resources, such as Data Connectors, Analytic Rules and more. These logs can be used to audit operations on your Sentinel resources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was generated."},{"name":"OperationName","type":"string","description":"The name of the operation that triggered the event."},{"name":"SentinelResourceId","type":"string","description":"The Sentinel resource ID."},{"name":"SentinelResourceName","type":"string","description":"The Sentinel resource name."},{"name":"Status","type":"string","description":"Status of the operation, for example: Success, Failure, Warning, Informational, Partial Success."},{"name":"Description","type":"string","description":"The operation description."},{"name":"WorkspaceId","type":"string","description":"The workspace ID."},{"name":"SentinelResourceType","type":"string","description":"The resource type, for example: DataConnector, AlertRule, etc."},{"name":"SentinelResourceKind","type":"string","description":"The resource kind, for example: connector kind (such as Office365, 
AmazonWebServicesCloudTrail), alert rule kind (scheduled)."},{"name":"CorrelationId","type":"string","description":"A unique record identifier."},{"name":"ExtendedProperties","type":"dynamic","description":"Additional information based on the resource type."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security","audit"],"solutions":["SecurityInsights"],"queries":["bffd4ec5-3957-408c-9831-3f49a4614e93"]}},{"id":"SentinelBehaviorEntities","name":"SentinelBehaviorEntities","tableType":"Microsoft","description":"Microsoft Sentinel behaviors table. Contains information about entities (file, process, device, user, and others) that are involved in a behavior or observation, including detected threats.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was generated."},{"name":"BehaviorId","type":"string","description":"Unique identifier for the behavior."},{"name":"ActionType","type":"string","description":"Type of behavior."},{"name":"Categories","type":"string","description":"Type of threat indicator or breach activity identified by the behavior."},{"name":"ServiceSource","type":"string","description":"Product or service that identified the behavior."},{"name":"DetectionSource","type":"string","description":"Detection technology or sensor that identified the notable component or activity."},{"name":"DataSources","type":"string","description":"Products or services that provided information for the behavior."},{"name":"EntityType","type":"string","description":"Type of object, such as a file, a process, a device, or a user."},{"name":"EntityRole","type":"string","description":"Indicates whether the entity is impacted or merely 
related."},{"name":"DetailedEntityRole","type":"string","description":"The role of the entity in the behavior."},{"name":"FileName","type":"string","description":"Name of the file that the behavior applies to."},{"name":"FolderPath","type":"string","description":"Folder containing the file that the behavior applies to."},{"name":"SHA1","type":"string","description":"SHA-1 of the file that the behavior applies to."},{"name":"SHA256","type":"string","description":"SHA-256 of the file. Empty unless EntityType is \"File\" or \"Process\"."},{"name":"FileSize","type":"long","description":"Size, in bytes, of the file that the behavior applies to."},{"name":"ThreatFamily","type":"string","description":"Malware family that the suspicious or malicious file or process has been classified under."},{"name":"RemoteIP","type":"string","description":"IP address that was being connected to."},{"name":"RemoteUrl","type":"string","description":"URL or fully qualified domain name (FQDN) that was being connected to."},{"name":"AccountName","type":"string","description":"User name of the account."},{"name":"AccountDomain","type":"string","description":"Domain of the account."},{"name":"AccountSid","type":"string","description":"Security Identifier (SID) of the account."},{"name":"AccountObjectId","type":"string","description":"Unique identifier for the account in Microsoft Entra ID."},{"name":"AccountUpn","type":"string","description":"User principal name (UPN) of the account."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"DeviceName","type":"string","description":"Fully qualified domain name (FQDN) of the device."},{"name":"LocalIP","type":"string","description":"IP address assigned to the local machine used during communication."},{"name":"NetworkMessageId","type":"string","description":"Unique identifier for the email in UUID format, generated by Office 
365."},{"name":"EmailSubject","type":"string","description":"Subject of the email."},{"name":"EmailClusterId","type":"string","description":"Identifier for the group of similar emails clustered based on heuristic analysis of their contents."},{"name":"Application","type":"string","description":"Application that performed the recorded action."},{"name":"ApplicationId","type":"string","description":"Unique identifier for the application."},{"name":"OAuthApplicationId","type":"string","description":"Unique identifier of the third-party OAuth application in UUID format."},{"name":"ProcessCommandLine","type":"string","description":"Command line used to create the new process."},{"name":"RegistryKey","type":"string","description":"Registry key that the recorded action was applied to."},{"name":"RegistryValueName","type":"string","description":"Name of the registry value that the recorded action was applied to."},{"name":"RegistryValueData","type":"string","description":"Data of the registry value that the recorded action was applied to."},{"name":"AdditionalFields","type":"string","description":"Additional information about the entity or event."},{"name":"CloudResource","type":"string","description":"Cloud resource name."},{"name":"CloudPlatform","type":"string","description":"The cloud platform that the resource belongs to, can be Azure, Amazon Web Services, or Google Cloud Platform."},{"name":"CloudResourceType","type":"string","description":"Type of cloud resource."},{"name":"CloudResourceId","type":"string","description":"Unique identifier of the cloud resource accessed."},{"name":"CloudSubscriptionId","type":"string","description":"Unique identifier of the cloud service subscription."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the 
record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"SentinelBehaviorInfo","name":"SentinelBehaviorInfo","tableType":"Microsoft","description":"Microsoft Sentinel behaviors table. Contains information about behaviors, which refers to a conclusion or insight based on one or more raw events, which can provide analysts more context in investigations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the record was generated."},{"name":"BehaviorId","type":"string","description":"Unique identifier for the behavior."},{"name":"Title","type":"string","description":"Title of the behavior."},{"name":"ActionType","type":"string","description":"Type of behavior."},{"name":"Description","type":"string","description":"Description of the behavior."},{"name":"Categories","type":"string","description":"Types of threat indicator or breach activity identified by the behavior."},{"name":"AttackTechniques","type":"string","description":"MITRE ATT&CK techniques associated with the activity that triggered the behavior."},{"name":"ServiceSource","type":"string","description":"Product or service that provided the behavior."},{"name":"DetectionSource","type":"string","description":"Detection technology or sensor that identified the notable component or activity."},{"name":"DataSources","type":"string","description":"Products or services that provided information for the behavior."},{"name":"DeviceId","type":"string","description":"Unique identifier for the device in the service."},{"name":"AccountUpn","type":"string","description":"User principal name (UPN) of the 
account."},{"name":"AccountObjectId","type":"string","description":"Unique identifier for the account in Microsoft Entra ID."},{"name":"StartTime","type":"datetime","description":"Date and time of the first activity related to the behavior."},{"name":"EndTime","type":"datetime","description":"Date and time of the last activity related to the behavior."},{"name":"AdditionalFields","type":"string","description":"Additional information about the entity or event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["SecurityInsights"]}},{"id":"SentinelHealth","name":"SentinelHealth","tableType":"Microsoft","description":"Health logs for operations performed by Microsoft Sentinel resources such as Data Connectors, Analytic Rules and more. 
These logs can be used to monitor the health of your Microsoft Sentinel resources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was generated."},{"name":"OperationName","type":"string","description":"The name of the operation that triggered the event."},{"name":"SentinelResourceId","type":"string","description":"The Sentinel resource ID."},{"name":"SentinelResourceName","type":"string","description":"The Sentinel resource name."},{"name":"Status","type":"string","description":"Status of the operation, for example: Success, Failure, Warning, Informational, Partial Success."},{"name":"Description","type":"string","description":"The operation description."},{"name":"Reason","type":"string","description":"The operation reason."},{"name":"WorkspaceId","type":"string","description":"The workspace ID."},{"name":"SentinelResourceType","type":"string","description":"The resource type, for example: DataConnector, AlertRule, etc."},{"name":"SentinelResourceKind","type":"string","description":"The resource kind, for example: connector kind (such as Office365, AmazonWebServicesCloudTrail), alert rule kind (scheduled)."},{"name":"RecordId","type":"string","description":"A unique record identifier."},{"name":"ExtendedProperties","type":"dynamic","description":"Additional information based on the resource type."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"SentinelImpervaWAFCloudV2Logs","name":"SentinelImpervaWAFCloudV2Logs","tableType":"Microsoft","description":"Imperva Cloud WAF logs containing web application firewall events and security data from Incapsula WAF, ingested via S3 with SQS 
notifications.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp when the event occurred, derived from the CEF Start field."},{"name":"LogVersion","type":"string","description":"CEF log format version identifier."},{"name":"EventVendor","type":"string","description":"The vendor of the product generating the event. Always 'Imperva'."},{"name":"EventProduct","type":"string","description":"The product name generating the event, e.g. 'Incapsula WAF'."},{"name":"EventType","type":"string","description":"The type of event, e.g. 'Normal', 'SQL Injection'."},{"name":"DeviceVersion","type":"string","description":"The version of the WAF device firmware."},{"name":"SignatureId","type":"string","description":"The unique identifier for the security signature that triggered."},{"name":"AttackName","type":"string","description":"The name of the detected attack or event classification."},{"name":"AttackSeverity","type":"string","description":"The severity rating of the attack, from 0 to 10."},{"name":"FileId","type":"string","description":"Unique identifier for the log file."},{"name":"RequestClientApplication","type":"string","description":"The client application or user agent string of the request."},{"name":"Suid","type":"string","description":"The session user identifier or email associated with the request."},{"name":"Customer","type":"string","description":"The Imperva customer account name."},{"name":"Tag","type":"string","description":"Tags associated with the event, such as attack classification labels."},{"name":"CiCode","type":"string","description":"The city code of the request origin."},{"name":"Src","type":"string","description":"The source IP address of the client making the request."},{"name":"In","type":"string","description":"The size of the incoming request in 
bytes."},{"name":"CCode","type":"string","description":"The ISO country code of the request origin."},{"name":"Cn1","type":"string","description":"The HTTP response status code."},{"name":"RequestMethod","type":"string","description":"The HTTP request method, e.g. GET, POST, PUT, DELETE."},{"name":"DeviceFacility","type":"string","description":"The facility or module that generated the event, e.g. 'waf'."},{"name":"App","type":"string","description":"The application protocol, e.g. 'HTTPS', 'HTTP'."},{"name":"Ver","type":"string","description":"The TLS or HTTP protocol version used."},{"name":"Ref","type":"string","description":"The HTTP referer header value."},{"name":"AdditionalReqHeaders","type":"string","description":"Additional HTTP request headers captured."},{"name":"DeviceExternalId","type":"string","description":"External device identifier from the WAF."},{"name":"Act","type":"string","description":"The action taken on the request, e.g. 'REQ_PASSED', 'REQ_BLOCKED'."},{"name":"Start","type":"string","description":"The start timestamp of the event in Unix epoch milliseconds."},{"name":"End","type":"string","description":"The end timestamp of the event in Unix epoch milliseconds."},{"name":"AdditionalResHeaders","type":"string","description":"Additional HTTP response headers captured."},{"name":"SiteId","type":"string","description":"The unique identifier for the protected site in Imperva."},{"name":"SourceServiceName","type":"string","description":"The hostname or service name of the protected site."},{"name":"SiteTag","type":"string","description":"Tags associated with the protected site."},{"name":"Cpt","type":"string","description":"The client port number of the request."},{"name":"Request","type":"string","description":"The requested URL path."},{"name":"Xff","type":"string","description":"The X-Forwarded-For header value indicating original client IP behind proxies."},{"name":"FilePermission","type":"string","description":"File permission information 
associated with the event."},{"name":"FileType","type":"string","description":"The type of file involved in the request."},{"name":"Dproc","type":"string","description":"The destination process name."},{"name":"PostBody","type":"string","description":"The HTTP POST body content, if captured."},{"name":"QStr","type":"string","description":"The URL query string parameters."},{"name":"SIP","type":"string","description":"The server IP address that handled the request."},{"name":"Spt","type":"string","description":"The server port number."},{"name":"AdditionalRuleInfo","type":"string","description":"Additional information about the WAF rule that was triggered."},{"name":"CapSupport","type":"string","description":"Client capability support flags for advanced detection."},{"name":"ClApp","type":"string","description":"The classified client application type."},{"name":"CoSupport","type":"string","description":"Client cookie support indicator."},{"name":"ClAppSig","type":"string","description":"The client application signature used for bot detection."},{"name":"JavascriptSupport","type":"string","description":"Whether the client supports JavaScript execution."},{"name":"Latitude","type":"string","description":"The geographic latitude of the request origin."},{"name":"Longitude","type":"string","description":"The geographic longitude of the request origin."},{"name":"RuleName","type":"string","description":"The name of the WAF rule that matched the request."},{"name":"VID","type":"string","description":"The visitor identifier assigned by Imperva for tracking."},{"name":"DeliveryRuleDetails","type":"string","description":"Details about the content delivery rule applied to the request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["335fcdf9-4712-4176-8266-d19eab3e64a0"]}},{"id":"ServiceFabricOperationalEvent","name":"ServiceFabricOperationalEvent","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"Level","type":"string","isPreferredFacet":true},{"name":"ProviderGuid","type":"string"},{"name":"EventSourceName","type":"string","isPreferredFacet":true},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"Pid","type":"int"},{"name":"Tid","type":"int"},{"name":"OpcodeName","type":"string"},{"name":"KeywordName","type":"string"},{"name":"TaskName","type":"string","isPreferredFacet":true},{"name":"ChannelName","type":"string"},{"name":"AzureDeploymentID","type":"string","isPreferredFacet":true},{"name":"Role","type":"string","isPreferredFacet":true},{"name":"EventMessage","type":"string"},{"name":"ApplicationName","type":"string","isPreferredFacet":true},{"name":"ApplicationTypeName","type":"string","isPreferredFacet":true},{"name":"ApplicationTypeVersion","type":"string","isPreferredFacet":true},{"name":"UpgradeDomains","type":"string","isPreferredFacet":true},{"name":"ServiceName","type":"string"},{"name":"ServiceTypeName","type":"string","isPreferredFacet":true},{"name":"PartitionId","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["resources"],"solutions":["LogManagement"]}},{"id":"ServiceFabricReliableActorEvent","name":"ServiceFabricReliableActorEvent","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"Level","type":"string","isPreferredFacet":true},{"name":"ProviderGuid","type":"string"},{"name":"EventSourceName","type":"string","isPreferredFacet":true},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"Pid","type":"int"},{"name":"Tid","type":"int"},{"name":"OpcodeName","type":"string"},{"name":"KeywordName","type":"string"},{"name":"TaskName","type":"string","isPreferredFacet":true},{"name":"ChannelName","type":"string"},{"name":"AzureDeploymentID","type":"string","isPreferredFacet":true},{"name":"Role","type":"string","isPreferredFacet":true},{"name":"EventMessage","type":"string"},{"name":"ActorType","type":"string","isPreferredFacet":true},{"name":"ActorId","type":"string","isPreferredFacet":true},{"name":"ActorIdKind","type":"int","isPreferredFacet":true},{"name":"IsStateful","type":"bool","isPreferredFacet":true},{"name":"ReplicaOrInstanceId","type":"long","isPreferredFacet":true},{"name":"PartitionId","type":"string"},{"name":"ServiceName","type":"string"},{"name":"ApplicationName","type":"string","isPreferredFacet":true},{"name":"ServiceTypeName","type":"string","isPreferredFacet":true},{"name":"ApplicationTypeName","type":"string","isPreferredFacet":true},{"name":"NodeName","type":"string","isPreferredFacet":true},{"name":"NodeId","type":"string"},{"name":"CountOfWaitingMethodCalls","type":"long","isPreferredFacet":true},{"name":"MethodName","type":"string","isPreferredFacet":true},{"name":"MethodSignature","type":"string","
isPreferredFacet":true},{"name":"MethodExecutionTimeTicks","type":"long","isPreferredFacet":true},{"name":"Exception","type":"string","isPreferredFacet":true},{"name":"SaveStateExecutionTimeTicks","type":"long","isPreferredFacet":true},{"name":"ReplicaId","type":"long","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["resources"],"solutions":["LogManagement"]}},{"id":"ServiceFabricReliableServiceEvent","name":"ServiceFabricReliableServiceEvent","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"Level","type":"string","isPreferredFacet":true},{"name":"ProviderGuid","type":"string"},{"name":"EventSourceName","type":"string","isPreferredFacet":true},{"name":"EventId","type":"int","isPreferredFacet":true},{"name":"Pid","type":"int"},{"name":"Tid","type":"int"},{"name":"OpcodeName","type":"string"},{"name":"KeywordName","type":"string"},{"name":"TaskName","type":"string","isPreferredFacet":true},{"name":"ChannelName","type":"string"},{"name":"AzureDeploymentID","type":"string","isPreferredFacet":true},{"name":"Role","type":"string","isPreferredFacet":true},{"name":"EventMessage","type":"string"},{"name":"ApplicationTypeName","type":"string","isPreferredFacet":true},{"name":"ApplicationName","type":"string","isPreferredFacet":true},{"name":"ServiceTypeName","type":"string","isPreferredFacet":true},{"name":"ServiceName","type":"string"},{"name":"PartitionId","type":"string"},{"name":"ReplicaId","type":"long","isPreferredFacet":true},{"name":"SlowCancellationTimeMillis","type":"real","isPreferredFacet":true},{"name":"WasCanceled","type":"bool","isPreferredFacet":true},{"name":"Exception","type"
:"string","isPreferredFacet":true},{"name":"ActualCancellationTimeMillis","type":"real","isPreferredFacet":true},{"name":"InstanceId","type":"long","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["resources"],"solutions":["LogManagement"]}},{"id":"SfBAssessmentRecommendation","name":"SfBAssessmentRecommendation","tableType":"Microsoft","description":"Recommendations generated by Skype for Business assessments that are started through a scheduled task. When you schedule the assessment, it runs by default every 7 days and uploads the data into Azure Log Analytics.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"AssessmentId","type":"string","isPreferredFacet":true},{"name":"RecommendationId","type":"string","isPreferredFacet":true},{"name":"Recommendation","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"RecommendationResult","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime"},{"name":"FocusAreaId","type":"string","isPreferredFacet":true},{"name":"FocusArea","type":"string","isPreferredFacet":true},{"name":"ActionAreaId","type":"string","isPreferredFacet":true},{"name":"ActionArea","type":"string","isPreferredFacet":true},{"name":"RecommendationWeight","type":"real"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"AffectedObjectType","type":"string","isPreferredFacet":true},{"name":"AffectedObjectName","type":"string","isPreferredFacet":true},{"name":"Forest","type":"string"},{"name":"Domain","type":"string"},{"name":"LyncOrganization","type":"string"},{"name":"LyncInternalDomain","type":"string"},{"name":"LyncSimpleURLDomain","type":"string"},{"name":"LyncSite","type":"string","isPreferredFacet":true},{"name":"LyncFEPool","type":"string","isP
referredFacet":true},{"name":"LyncFrontEnd","type":"string","isPreferredFacet":true},{"name":"LyncCentralMgmtStoreDatabase","type":"string"},{"name":"LyncUserStoreDatabase","type":"string"},{"name":"Technology","type":"string"},{"name":"CustomData","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["AzureResources","SfBAssessment"]}},{"id":"SfBOnlineAssessmentRecommendation","name":"SfBOnlineAssessmentRecommendation","tableType":"Microsoft","description":"Recommendations generated by Skype and Teams assessments that are started through a scheduled task. When you schedule the assessment, it runs by default every 7 days and uploads the data into Azure Log Analytics.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"AssessmentId","type":"string","isPreferredFacet":true},{"name":"RecommendationId","type":"string","isPreferredFacet":true},{"name":"Recommendation","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"RecommendationResult","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime"},{"name":"FocusAreaId","type":"string","isPreferredFacet":true},{"name":"FocusArea","type":"string","isPreferredFacet":true},{"name":"ActionAreaId","type":"string","isPreferredFacet":true},{"name":"ActionArea","type":"string","isPreferredFacet":true},{"name":"RecommendationWeight","type":"real"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"AffectedObjectType","type":"string","isPreferredFacet":true},{"name":"AffectedObjectName","type":"string","isPreferredFacet":true},{"name":"O365TenantId","type":"string"},{"name":"TenantName","type":"string"},{"name":"Domain","type":"string"},{"name":"Technology","type":"string"},{"name":"CustomData","type":"string"}
,{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["AzureResources","SfBOnlineAssessment"]}},{"id":"SharePointOnlineAssessmentRecommendation","name":"SharePointOnlineAssessmentRecommendation","tableType":"Microsoft","description":"Recommendations generated by SP Online assessments that are started through a scheduled task. When you schedule the assessment, it runs by default every 7 days and uploads the data into Azure Log Analytics.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"AssessmentId","type":"string","isPreferredFacet":true},{"name":"RecommendationId","type":"string","isPreferredFacet":true},{"name":"Recommendation","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"RecommendationResult","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime"},{"name":"FocusAreaId","type":"string","isPreferredFacet":true},{"name":"FocusArea","type":"string","isPreferredFacet":true},{"name":"ActionAreaId","type":"string","isPreferredFacet":true},{"name":"ActionArea","type":"string","isPreferredFacet":true},{"name":"RecommendationWeight","type":"real"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"AffectedObjectType","type":"string","isPreferredFacet":true},{"name":"AffectedObjectName","type":"string","isPreferredFacet":true},{"name":"O365TenantId","type":"string"},{"name":"TenantName","type":"string"},{"name":"Technology","type":"string"},{"name":"CustomData","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["AzureResources","SharePointOnlineAssessment"]}},{"id":"SignalRServiceDiagnosticLogs","name":"SignalRServiceDiagnosticLogs","tableType":"Microsoft","description":"Azure SignalR service diagnostic logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The operation name of the log event. It can be used to filter the log based on a specific operation name.","isPreferredFacet":true},{"name":"Location","type":"string","description":"The location of the Azure SignalR service.","isPreferredFacet":true},{"name":"Level","type":"string","description":"The level of the log. Can be 'Informational', 'Warning', 'Error' or 'Critical'.","isPreferredFacet":true},{"name":"CallerIpAddress","type":"string","description":"The IP address of the client or server that connects to the SignalR service.","isPreferredFacet":true},{"name":"Collection","type":"string","description":"The collection of the log event. Can be 'Connection', 'Authorization', 'Throttling' or 'Message'. 'Connection' collection includes the logs about the lifetime of connections. 'Authorization' includes the logs about the authorization of connections. 'Throttling' includes the logs about the throttled connections. 'Message' includes the logs about the tracing messages.","isPreferredFacet":true},{"name":"Message","type":"string","description":"The message of the log event. 
It describes the log event in detail.","isPreferredFacet":true},{"name":"HubName","type":"string","description":"The SignalR Hubs API enables you to call methods on connected clients from the server.","isPreferredFacet":true},{"name":"GroupName","type":"string","description":"A group can have any number of clients, and a client can be a member of any number of groups.","isPreferredFacet":true},{"name":"UserId","type":"string","description":"The user ID of the connection. It is defined by the client or app server.","isPreferredFacet":true},{"name":"ConnectionId","type":"string","description":"The connection ID of the connection connected to SignalR service.","isPreferredFacet":true},{"name":"ConnectionType","type":"string","description":"The connection type. Can be 'Server' or 'Client'. 'Server' means the connection connects to an app server. 'Client' means the connection connects to a SignalR client.","isPreferredFacet":true},{"name":"TransportType","type":"string","description":"The transport type of the connection. Can be 'WebSockets', 'ServerSentEvents', or 'LongPolling'. For more details, see https://docs.microsoft.com/dotnet/api/microsoft.aspnetcore.http.connections.httptransporttype.","isPreferredFacet":true},{"name":"MessageType","type":"string","description":"The type of the message. Can be 'BroadcastDataMessage', 'MultiConnectionDataMessage', 'GroupBroadcastDataMessage', 'MultiGroupBroadcastDataMessage', 'UserDataMessage', 'MultiUserDataMessage', 'JoinGroupWithAckMessage' and 'LeaveGroupWithAckMessage'. For more details, see https://www.nuget.org/packages/Microsoft.Azure.SignalR.Protocols.","isPreferredFacet":true},{"name":"MessageTracingId","type":"long","description":"The tracing ID of the message. It's used for tracing messages.","isPreferredFacet":true},{"name":"InvocationId","type":"string","description":"The invocation ID of the message. 
It's only available in ASP.NET SignalR.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.signalrservice/signalr"]}},{"id":"SigninLogs","name":"SigninLogs","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ResourceId","type":"string","description":"The identifier of the resource that the user signed in to.","isPreferredFacet":true},{"name":"OperationName","type":"string","isPreferredFacet":true},{"name":"OperationVersion","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"ResultType","type":"string","description":"Provides the 5-6 digit error code that's generated during a sign-in event. 0 indicates success; other values are failures. You can find more information using the Azure AD Error Codes documentation or https://login.microsoftonline.com/error.","isPreferredFacet":true},{"name":"ResultSignature","type":"string","isPreferredFacet":true},{"name":"ResultDescription","type":"string","description":"Provides the error message or the reason for failure for the corresponding sign-in activity."},{"name":"DurationMs","type":"long"},{"name":"CorrelationId","type":"string","description":"The identifier that's sent from the client when sign-in is initiated. 
This is used for troubleshooting the corresponding sign-in activity when calling for support."},{"name":"Resource","type":"string","isPreferredFacet":true},{"name":"ResourceGroup","type":"string","isPreferredFacet":true},{"name":"ResourceProvider","type":"string","isPreferredFacet":true},{"name":"Identity","type":"string","description":"The display name of the actor identified in the signin.","isPreferredFacet":true},{"name":"Level","type":"string","isPreferredFacet":true},{"name":"Location","type":"string","description":"The 2 letter country code from where the sign-in occurred. Depending on IP address provided, this value may not always resolve to a city or region level of detail."},{"name":"AlternateSignInName","type":"string","description":"The identification that the user provided to sign in. It may be the userPrincipalName but it's also populated when a user signs in using other identifiers.","isPreferredFacet":true},{"name":"AppDisplayName","type":"string","description":"The application name displayed in the Azure Portal.","isPreferredFacet":true},{"name":"AppId","type":"string","description":"The application identifier in Azure Active Directory."},{"name":"AuthenticationContextClassReferences","type":"string","description":"Contains a collection of values that represent the conditional access authentication contexts applied to the sign-in."},{"name":"AuthenticationDetails","type":"string","description":"The result of the authentication attempt and additional details on the authentication method."},{"name":"AppliedEventListeners","type":"dynamic","description":"Detailed information about the listeners, such as Azure Logic Apps and Azure Functions, that were triggered by the corresponding events in the sign-in event."},{"name":"AuthenticationMethodsUsed","type":"string","description":"The authentication methods used. 
Possible values: SMS, Authenticator App, App Verification code, Password, FIDO, PTA, or PHS."},{"name":"AuthenticationProcessingDetails","type":"string","description":"Additional authentication processing details, such as the agent name in case of PTA/PHS or Server/farm name in case of federated authentication."},{"name":"AuthenticationRequirement","type":"string","description":"This holds the highest level of authentication needed through all the sign-in steps, for sign-in to succeed."},{"name":"AuthenticationRequirementPolicies","type":"string","description":"Sources of authentication requirement, such as conditional access, per-user MFA, identity protection, and security defaults."},{"name":"ClientAppUsed","type":"string","description":"The legacy client used for sign-in activity. For example: Browser, Exchange ActiveSync, Modern clients, IMAP, MAPI, SMTP, or POP.","isPreferredFacet":true},{"name":"ConditionalAccessPolicies","type":"dynamic","description":"A list of conditional access policies that are triggered by the corresponding sign-in activity."},{"name":"ConditionalAccessStatus","type":"string","description":"The status of the conditional access policy triggered. Possible values: success, failure, or notApplied.","isPreferredFacet":true},{"name":"CreatedDateTime","type":"datetime","description":"The date and time the sign-in was initiated. The Timestamp type is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.","isPreferredFacet":true},{"name":"DeviceDetail","type":"dynamic","description":"The device information from where the sign-in occurred. Includes information such as deviceId, OS, and browser."},{"name":"IsInteractive","type":"bool","description":"Indicates whether a user sign in is interactive. In interactive sign in, the user provides an authentication factor to Azure AD. 
These factors include passwords, responses to MFA challenges, biometric factors, or QR codes that a user provides to Azure AD or an associated app. In non-interactive sign in, the user doesn't provide an authentication factor. Instead, the client app uses a token or code to authenticate or access a resource on behalf of a user. Non-interactive sign ins are commonly used for a client to sign in on a user's behalf in a process transparent to the user.","isPreferredFacet":true},{"name":"Id","type":"string","description":"The identifier representing the sign-in activity."},{"name":"IPAddress","type":"string","description":"The IP address of the client from where the sign-in occurred.","isPreferredFacet":true},{"name":"IsRisky","type":"bool","isPreferredFacet":true},{"name":"LocationDetails","type":"dynamic","description":"Provides the city, state, country/region and latitude and longitude from where the sign-in happened."},{"name":"MfaDetail","type":"dynamic","description":"This property is deprecated."},{"name":"NetworkLocationDetails","type":"string","description":"The network location details including the type of network used and its names."},{"name":"OriginalRequestId","type":"string","description":"The request identifier of the first request in the authentication sequence."},{"name":"ProcessingTimeInMilliseconds","type":"string"},{"name":"RiskDetail","type":"string","description":"The reason behind a specific state of a risky user, sign-in, or a risk event. Possible values: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, or adminConfirmedSigninCompromised. The value none means that no action has been performed on the user or sign-in so far. Note: Details for this property are only available for Azure AD Premium P2 customers. 
All other customers are returned hidden.","isPreferredFacet":true},{"name":"RiskEventTypes","type":"string","description":"This property is deprecated.","isPreferredFacet":true},{"name":"RiskEventTypes_V2","type":"string","description":"The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, or generic."},{"name":"RiskLevelAggregated","type":"string","description":"The aggregated risk level. Possible values: none, low, medium, high, or hidden. The value hidden means the user or sign-in was not enabled for Azure AD Identity Protection. Note: Details for this property are only available for Azure AD Premium P2 customers. All other customers are returned hidden.","isPreferredFacet":true},{"name":"RiskLevelDuringSignIn","type":"string","description":"The risk level during sign-in. Possible values: none, low, medium, high, or hidden. The value hidden means the user or sign-in was not enabled for Azure AD Identity Protection. Note: Details for this property are only available for Azure AD Premium P2 customers. All other customers are returned hidden.","isPreferredFacet":true},{"name":"RiskState","type":"string","description":"The risk state of a risky user, sign-in, or a risk event. 
Possible values: none, confirmedSafe, remediated, dismissed, atRisk, or confirmedCompromised.","isPreferredFacet":true},{"name":"ResourceDisplayName","type":"string","description":"The name of the resource that the user signed in to.","isPreferredFacet":true},{"name":"ResourceIdentity","type":"string","description":"The resource that the user signed in to.","isPreferredFacet":true},{"name":"ResourceServicePrincipalId","type":"string","description":"The identifier of the service principal representing the target resource in the sign-in event."},{"name":"ServicePrincipalId","type":"string","description":"The application identifier used for sign-in. This field is populated when you are signing in using an application."},{"name":"ServicePrincipalName","type":"string","description":"The application name used for sign-in. This field is populated when you are signing in using an application."},{"name":"Status","type":"dynamic","description":"The sign-in status. Includes the error code and description of the error (in case of a sign-in failure)."},{"name":"TokenIssuerName","type":"string","description":"The name of the identity provider. For example, sts.microsoft.com."},{"name":"TokenIssuerType","type":"string","description":"The type of identity provider. The possible values are: AzureAD, or ADFederationServices, AzureADBackupAuth, ADFederationServicesMFAAdapter, NPSExtension."},{"name":"UserAgent","type":"string","description":"The user agent information related to sign-in."},{"name":"UserDisplayName","type":"string","description":"The display name of the user.","isPreferredFacet":true},{"name":"UserId","type":"string","description":"The identifier of the user.","isPreferredFacet":true},{"name":"UserPrincipalName","type":"string","description":"The UPN of the user."},{"name":"AADTenantId","type":"string"},{"name":"UserType","type":"string","description":"Identifies whether the user is a member or guest in the tenant. 
Possible values are: member and guest."},{"name":"FlaggedForReview","type":"bool","description":"During a failed sign in, a user may click a button in the Azure portal to mark the failed event for tenant admins. If a user clicked the button to flag the failed sign in, this value is true.","isPreferredFacet":true},{"name":"IPAddressFromResourceProvider","type":"string","description":"The IP address a user used to reach a resource provider, used to determine Conditional Access compliance for some policies. For example, when a user interacts with Exchange Online, the IP address Exchange receives from the user may be recorded here. This value is often null.","isPreferredFacet":true},{"name":"SignInIdentifier","type":"string","description":"The identification that the user provided to sign in. It may be the userPrincipalName but it's also populated when a user signs in using other identifiers.","isPreferredFacet":true},{"name":"SignInIdentifierType","type":"string","description":"The type of sign in identifier. Possible values are: userPrincipalName, phoneNumber, proxyAddress, qrCode, onPremisesUserPrincipalName.","isPreferredFacet":true},{"name":"ResourceTenantId","type":"string","description":"The tenant identifier of the resource referenced in the sign in."},{"name":"HomeTenantId","type":"string","description":"The tenant identifier of the user initiating the sign in. 
Not applicable in Managed Identity or service principal sign ins."},{"name":"UniqueTokenIdentifier","type":"string","description":"A unique base64 encoded request identifier used to track tokens issued by Azure AD as they are redeemed at resource providers."},{"name":"SessionId","type":"string","description":"Id of the session that was generated during the signIn."},{"name":"SessionLifetimePolicies","type":"string","description":"Any conditional access session management policies that were applied during the sign-in event."},{"name":"AutonomousSystemNumber","type":"string","description":"The Autonomous System Number (ASN) of the network used by the actor."},{"name":"AuthenticationProtocol","type":"string","description":"Lists the protocol type or grant type used in the authentication. The possible values are: none, oAuth2, ropc, wsFederation, saml20, deviceCode. For authentications that use protocols other than the possible values listed, the protocol type is listed as none."},{"name":"CrossTenantAccessType","type":"string","description":"Describes the type of cross-tenant access used by the actor to access the resource."},{"name":"AuthenticationAppDeviceDetails","type":"string","description":"Details of the app and device state used during the most recent authentication step using an authentication app."},{"name":"AuthenticationAppPolicyEvaluationDetails","type":"string","description":"The details of the policies applied and enforced related to the authentication app during the latest signIn step."},{"name":"ClientCredentialType","type":"string","description":"The type of client credential used. 
Examples include client assertion, client secret, etc."},{"name":"FederatedCredentialId","type":"string","description":"Federated Credential Id."},{"name":"GlobalSecureAccessIpAddress","type":"string","description":"Global secure IP address that user signed in from."},{"name":"HomeTenantName","type":"string","description":"The tenant name of the external tenant that homes the entity taking action in the customer's tenant."},{"name":"IncomingTokenType","type":"string","description":"The type of token utilized to signIn (examples: primary refresh token, saml assertion)."},{"name":"IsTenantRestricted","type":"bool","description":"Indicates if a signIn is under a tenant restrictions policy or not."},{"name":"IsThroughGlobalSecureAccess","type":"bool","description":"Indicates whether the user came through the Global Secure Access service."},{"name":"OriginalTransferMethod","type":"string","description":"Transfer method used to initiate a session throughout all subsequent requests."},{"name":"TokenProtectionStatusDetails","type":"dynamic","description":"Token protection creates a cryptographically secure tie between the token and the device it's issued to. This field indicates whether the signin token was bound to the device or not."},{"name":"AppOwnerTenantId","type":"string","description":"The tenant identifier of the owner of the application in Azure Active Directory."},{"name":"ResourceOwnerTenantId","type":"string","description":"The tenant identifier of the owner of the resource referenced in the sign in."},{"name":"Agent","type":"dynamic","description":"The agentic property for sign in logs. 
Includes the agentType and the parentAppId when the type is AgenticInstance."},{"name":"SourceAppClientId","type":"string","description":"The Source App's Client ID for Target Identities."},{"name":"ConditionalAccessAudiences","type":"string","description":"The audiences targeted by the conditional access policy."},{"name":"AuthenticatorAppLocation","type":"string","description":"The location of the authenticator app."},{"name":"AppliedConditionalAccessPolicies","type":"string","isPreferredFacet":true},{"name":"RiskLevel","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["resources","security"],"solutions":["LogManagement"],"resourceTypes":["microsoft.graph/tenants"]}},{"id":"SqlAtpStatus","name":"SqlAtpStatus","tableType":"Microsoft","description":"SQL Advanced Threat Protection status log. The logs allows identifying machines connected to the workspace with SQL ATP and the protection status on each instance on those machines.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated"},{"name":"AgentId","type":"string","description":"ID of the source monitoring agent","isPreferredFacet":true},{"name":"ClientIP","type":"string","description":"Client IP address of the source computer"},{"name":"HostResourceId","type":"string","description":"Resource ID of the machine hosting the SQL Instance, if exists"},{"name":"Computer","type":"string","description":"Name of the computer that hosts the SQL Server","isPreferredFacet":true},{"name":"SqlInstanceName","type":"string","description":"SQL Server instance name","isPreferredFacet":true},{"name":"Status","type":"string","description":"SQL Advanced Threat Protection status for the SQL 
instance","isPreferredFacet":true},{"name":"LastError","type":"string","description":"The last error from SQL Advanced Threat Protection (if any). The error refers to the period since the previous status entry and can help diagnose transient or persistent issues with SQL ATP protection"},{"name":"IntelligencePackVersion","type":"string","description":"The Intelligence Pack (IP) version of SQL Advanced Threat Protection running on the machine"},{"name":"SqlInstanceVersion","type":"string","description":"SQL Server instance version"},{"name":"SqlInstanceStartTime","type":"datetime","description":"The start time of the SQL Server instance"},{"name":"AgentStartTime","type":"datetime","description":"The start time of the Microsoft Monitoring Agent process running the SQL ATP solution. This can help find agents that restart frequently or not at all, which can indicate a problem or a machine with out-of-date configuration"},{"name":"MachineUUID","type":"string","description":"The unique identifier of the machine running the Microsoft Monitoring Agent"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["SQLAdvancedThreatProtection"]}},{"id":"SqlVulnerabilityAssessmentResult","name":"SqlVulnerabilityAssessmentResult","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TimeGenerated","type":"datetime"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ServerInstanceType","type":"string","isPreferredFacet":true},{"name":"ServerInstanceName","type":"string","isPreferredFacet":true},{"name":"ServerVersion","type":"string"},{"name":"DatabaseName","type":"string","isPreferredFacet":true},{"name":"ScanId","type":"string","isPreferredFacet":true},{"name":"CheckId","type":"string","isPreferredFacet":true},{"name":"Status","type":"string"},{"name":"ActualResult","type":"string"},{"name":"Title","type":"string"},{"name":"Risk","type":"string","isPreferredFacet":true},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"Impact","type":"string"},{"name":"Query","type":"string"},{"name":"Remediation","type":"string"},{"name":"RemediationScripts","type":"string"},{"name":"BenchmarkReferences","type":"string"},{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"ManagementGroupName","type":"string","isPreferredFacet":true},{"name":"AgentId","type":"string"},{"name":"SubscriptionId","type":"string","isPreferredFacet":true},{"name":"ResourceGroup","type":"string","isPreferredFacet":true},{"name":"ResourceProvider","type":"string"},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"ResourceType","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["SQLThreatDetection","SQLVulnerabilityAssessment"]}},{"id":"SqlVulnerabilityAssessmentScanStatus","name":"SqlVulnerabilityAssessmentScanStatus","tableType":"Microsoft","description":"SQL Vulnerability Assessment Heartbeat Log.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated"},{"name":"AgentId","type":"string","description":"ID of the source monitoring agent","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Name of the computer that hosts the assessed SQL Server","isPreferredFacet":true},{"name":"ServerInstanceName","type":"string","description":"SQL Server instance name","isPreferredFacet":true},{"name":"ServerVersion","type":"string","description":"SQL Server version"},{"name":"DatabaseName","type":"string","description":"Database name","isPreferredFacet":true},{"name":"ScanId","type":"string","description":"Vulnerability Assessment scan ID","isPreferredFacet":true},{"name":"Status","type":"string","description":"Vulnerability assessment scan status i.e. 
Finding, NonFinding, InternalError"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"solutions":["SQLVulnerabilityAssessment"]}},{"id":"StorageBlobLogs","name":"StorageBlobLogs","tableType":"Microsoft","description":"Storage Blob Service Logs Schema","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The Universal Time Coordinated (UTC) time when the request was received by storage.","isPreferredFacet":true},{"name":"AccountName","type":"string","description":"The name of the storage account.","isPreferredFacet":true},{"name":"Location","type":"string","description":"The location of storage account.","isPreferredFacet":true},{"name":"Protocol","type":"string","description":"The protocol that is used in the operation.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The type of REST operation that was performed.","isPreferredFacet":true},{"name":"AuthenticationType","type":"string","description":"The type of authentication that was used to make the request.","isPreferredFacet":true},{"name":"StatusCode","type":"string","description":"The HTTP status code for the request. 
If the request is interrupted, this value might be set to Unknown.","isPreferredFacet":true},{"name":"StatusText","type":"string","description":"The status of the requested operation.","isPreferredFacet":true},{"name":"DurationMs","type":"real","description":"The total time, expressed in milliseconds, to perform the requested operation. This includes the time to read the incoming request, and to send the response to the requester.","isPreferredFacet":true},{"name":"ServerLatencyMs","type":"real","description":"The total time expressed in milliseconds to perform the requested operation. This value doesn't include network latency (the time to read the incoming request and send the response to the requester).","isPreferredFacet":true},{"name":"Uri","type":"string","description":"Uniform resource identifier that is requested.","isPreferredFacet":true},{"name":"CallerIpAddress","type":"string","description":"The IP address of the requester, including the port number.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The ID that is used to correlate logs across resources.","isPreferredFacet":true},{"name":"SchemaVersion","type":"string","description":"The schema version of the log.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The storage service version that was specified when the request was made. 
This is equivalent to the value of the x-ms-version header.","isPreferredFacet":true},{"name":"AuthenticationHash","type":"string","description":"The hash of the authentication token.","isPreferredFacet":true},{"name":"RequesterObjectId","type":"string","description":"The OAuth object ID of the requester.","isPreferredFacet":true},{"name":"RequesterTenantId","type":"string","description":"The OAuth tenant ID of the identity.","isPreferredFacet":true},{"name":"RequesterAppId","type":"string","description":"The Open Authorization (OAuth) application ID that is used as the requester.","isPreferredFacet":true},{"name":"RequesterAudience","type":"string","description":"The OAuth audience of the request.","isPreferredFacet":true},{"name":"RequesterTokenIssuer","type":"string","description":"The OAuth token issuer.","isPreferredFacet":true},{"name":"RequesterUpn","type":"string","description":"The User Principal Name of the requester.","isPreferredFacet":true},{"name":"AuthorizationDetails","type":"dynamic","description":"Detailed policy information used to authorize the request.","isPreferredFacet":true},{"name":"UserAgentHeader","type":"string","description":"The User-Agent header value, in quotes.","isPreferredFacet":true},{"name":"ReferrerHeader","type":"string","description":"The Referer header value.","isPreferredFacet":true},{"name":"ClientRequestId","type":"string","description":"The x-ms-client-request-id header value of the request.","isPreferredFacet":true},{"name":"Etag","type":"string","description":"The ETag identifier for the returned object, in quotes.","isPreferredFacet":true},{"name":"ServiceType","type":"string","description":"The service associated with this request.","isPreferredFacet":true},{"name":"OperationCount","type":"int","description":"The number of each logged operation that is involved in the request. This count starts with an index of 0. Some requests require more than one operation, such as a request to copy a blob. 
Most requests perform only one operation.","isPreferredFacet":true},{"name":"ObjectKey","type":"string","description":"The key of the requested object, in quotes.","isPreferredFacet":true},{"name":"RequestHeaderSize","type":"long","description":"The size of the request header expressed in bytes. If a request is unsuccessful, this value might be empty.","isPreferredFacet":true},{"name":"RequestBodySize","type":"long","description":"The size of the request packets, expressed in bytes, that are read by the storage service. If a request is unsuccessful, this value might be empty.","isPreferredFacet":true},{"name":"ResponseHeaderSize","type":"long","description":"The size of the response header expressed in bytes. If a request is unsuccessful, this value might be empty.","isPreferredFacet":true},{"name":"ResponseBodySize","type":"long","description":"The size of the response packets written by the storage service, in bytes. If a request is unsuccessful, this value may be empty.","isPreferredFacet":true},{"name":"RequestMd5","type":"string","description":"The value of either the Content-MD5 header or the x-ms-content-md5 header in the request. The MD5 hash value specified in this field represents the content in the request.","isPreferredFacet":true},{"name":"ResponseMd5","type":"string","description":"The value of the MD5 hash calculated by the storage service.","isPreferredFacet":true},{"name":"LastModifiedTime","type":"datetime","description":"The Last Modified Time (LMT) for the returned object. 
This field is empty for operations that can return multiple objects.","isPreferredFacet":true},{"name":"ConditionsUsed","type":"string","description":"A semicolon-separated list of key-value pairs that represent a condition.","isPreferredFacet":true},{"name":"ContentLengthHeader","type":"long","description":"The value of the Content-Length header for the request sent to the storage service.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The category of requested operation.","isPreferredFacet":true},{"name":"TlsVersion","type":"string","description":"The TLS version used in the connection of request.","isPreferredFacet":true},{"name":"SasExpiryStatus","type":"string","description":"Records any violations in the request SAS token as per the SAS policy set in the storage account. Ex: longer SAS token duration specified than allowed per SAS policy","isPreferredFacet":true},{"name":"MetricResponseType","type":"string","description":"Records the metric response for correlation between metrics and logs.","isPreferredFacet":true},{"name":"SourceUri","type":"string","description":"Records the source URI for operations.","isPreferredFacet":true},{"name":"DestinationUri","type":"string","description":"Records the destination URI for operations.","isPreferredFacet":true},{"name":"AccessTier","type":"string","description":"The access tier of the storage account.","isPreferredFacet":true},{"name":"SourceAccessTier","type":"string","description":"The source tier of the storage account.","isPreferredFacet":true},{"name":"RehydratePriority","type":"string","description":"The priority used to rehydrate an archived blob.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.storage/storageaccounts"]}},{"id":"StorageCacheOperationEvents","name":"StorageCacheOperationEvents","tableType":"Microsoft","description":"Logs for Azure HPC Cache API requests.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was created."},{"name":"OperationName","type":"string","description":"The operation name for which the log entry was created."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs, if available."},{"name":"ResponseCode","type":"int","description":"HTTP status of API request."},{"name":"ResultType","type":"string","description":"Result of the REST API request."},{"name":"ResultDescription","type":"string","description":"Details about the result, if available."},{"name":"StorageTargetName","type":"string","description":"Name of the storage target associated with the operation, if available."},{"name":"PrimingJobName","type":"string","description":"Name of the priming job associated with the operation, if available."},{"name":"Location","type":"string","description":"The region of the resource associated with the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.storagecache/caches"],"solutions":["LogManagement"],"queries":["84dd84da-6817-4482-92a6-4bcb3ec96cb6","cee04e51-5743-4b8e-9913-6d50f3813742","1d18a296-9f63-4753-a271-cc9e38e32e5a"]}},{"id":"StorageCacheUpgradeEvents","name":"StorageCacheUpgradeEvents","tableType":"Microsoft","description":"Logs for Azure HPC Cache firmware upgrade events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was created."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs, if available."},{"name":"CurrentFirmwareVersion","type":"string","description":"The firmware version currently running."},{"name":"AvailableFirmwareVersion","type":"string","description":"The firmware version for upgrade, if available."},{"name":"Description","type":"string","description":"The description of the upgrade event."},{"name":"Location","type":"string","description":"The region of the resource associated with the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.storagecache/caches"],"solutions":["LogManagement"],"queries":["aa3b3c6e-70e0-4d36-89d3-8ff32afb2c09"]}},{"id":"StorageCacheWarningEvents","name":"StorageCacheWarningEvents","tableType":"Microsoft","description":"Logs for Azure HPC Cache warning 
events.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (UTC) when the log was created."},{"name":"CorrelationId","type":"string","description":"Unique identifier to be used to correlate logs, if available."},{"name":"State","type":"string","description":"The state of the warning: Active or Cleared."},{"name":"Description","type":"string","description":"The description of the warning event."},{"name":"Level","type":"string","description":"The severity level of the event: Informational, Warning, Error, or Critical."},{"name":"Location","type":"string","description":"The region of the resource associated with the event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.storagecache/caches"],"solutions":["LogManagement"],"queries":["4b6de6c1-0bc4-4056-bb4b-07feaea2b6f3"]}},{"id":"StorageFileLogs","name":"StorageFileLogs","tableType":"Microsoft","description":"Storage File Service Logs Schema","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The Universal Time Coordinated (UTC) time when the request was received by storage.","isPreferredFacet":true},{"name":"AccountName","type":"string","description":"The name of the storage account.","isPreferredFacet":true},{"name":"Location","type":"string","description":"The location of storage 
account.","isPreferredFacet":true},{"name":"Protocol","type":"string","description":"The protocol that is used in the operation.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The type of REST operation that was performed.","isPreferredFacet":true},{"name":"AuthenticationType","type":"string","description":"The type of authentication that was used to make the request.","isPreferredFacet":true},{"name":"StatusCode","type":"string","description":"The HTTP status code for the request. If the request is interrupted, this value might be set to Unknown.","isPreferredFacet":true},{"name":"StatusText","type":"string","description":"The status of the requested operation.","isPreferredFacet":true},{"name":"DurationMs","type":"real","description":"The total time, expressed in milliseconds, to perform the requested operation. This includes the time to read the incoming request, and to send the response to the requester.","isPreferredFacet":true},{"name":"ServerLatencyMs","type":"real","description":"The total time expressed in milliseconds to perform the requested operation. This value doesn't include network latency (the time to read the incoming request and send the response to the requester).","isPreferredFacet":true},{"name":"Uri","type":"string","description":"Uniform resource identifier that is requested.","isPreferredFacet":true},{"name":"CallerIpAddress","type":"string","description":"The IP address of the requester, including the port number.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The ID that is used to correlate logs across resources.","isPreferredFacet":true},{"name":"SchemaVersion","type":"string","description":"The schema version of the log.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The storage service version that was specified when the request was made. 
This is equivalent to the value of the x-ms-version header.","isPreferredFacet":true},{"name":"AuthenticationHash","type":"string","description":"The hash of the authentication token.","isPreferredFacet":true},{"name":"RequesterObjectId","type":"string","description":"The OAuth object ID of the requester.","isPreferredFacet":true},{"name":"RequesterTenantId","type":"string","description":"The OAuth tenant ID of the identity.","isPreferredFacet":true},{"name":"RequesterAppId","type":"string","description":"The Open Authorization (OAuth) application ID that is used as the requester.","isPreferredFacet":true},{"name":"RequesterAudience","type":"string","description":"The OAuth audience of the request.","isPreferredFacet":true},{"name":"RequesterTokenIssuer","type":"string","description":"The OAuth token issuer.","isPreferredFacet":true},{"name":"RequesterUpn","type":"string","description":"The User Principal Name (UPN) of the requester.","isPreferredFacet":true},{"name":"RequesterUserName","type":"string","description":"The user name of the requester for SMB.","isPreferredFacet":true},{"name":"AuthorizationDetails","type":"dynamic","description":"Detailed policy information used to authorize the request.","isPreferredFacet":true},{"name":"SmbPrimarySID","type":"string","description":"The Security Identifier (SID) for a Kerberos-authenticated request.","isPreferredFacet":true},{"name":"UserAgentHeader","type":"string","description":"The User-Agent header value, in quotes.","isPreferredFacet":true},{"name":"ReferrerHeader","type":"string","description":"The Referer header value.","isPreferredFacet":true},{"name":"ClientRequestId","type":"string","description":"The x-ms-client-request-id header value of the request.","isPreferredFacet":true},{"name":"Etag","type":"string","description":"The ETag identifier for the returned object, in quotes.","isPreferredFacet":true},{"name":"ServiceType","type":"string","description":"The service associated with this 
request.","isPreferredFacet":true},{"name":"OperationCount","type":"int","description":"The number of each logged operation that is involved in the request. This count starts with an index of 0. Some requests require more than one operation, such as a request to copy a blob. Most requests perform only one operation.","isPreferredFacet":true},{"name":"ObjectKey","type":"string","description":"The key of the requested object, in quotes.","isPreferredFacet":true},{"name":"RequestHeaderSize","type":"long","description":"The size of the request header expressed in bytes. If a request is unsuccessful, this value might be empty.","isPreferredFacet":true},{"name":"RequestBodySize","type":"long","description":"The size of the request packets, expressed in bytes, that are read by the storage service. If a request is unsuccessful, this value might be empty.","isPreferredFacet":true},{"name":"ResponseHeaderSize","type":"long","description":"The size of the response header expressed in bytes. If a request is unsuccessful, this value might be empty.","isPreferredFacet":true},{"name":"ResponseBodySize","type":"long","description":"The size of the response packets written by the storage service, in bytes. If a request is unsuccessful, this value may be empty.","isPreferredFacet":true},{"name":"RequestMd5","type":"string","description":"The value of either the Content-MD5 header or the x-ms-content-md5 header in the request. The MD5 hash value specified in this field represents the content in the request.","isPreferredFacet":true},{"name":"ResponseMd5","type":"string","description":"The value of the MD5 hash calculated by the storage service.","isPreferredFacet":true},{"name":"LastModifiedTime","type":"datetime","description":"The Last Modified Time (LMT) for the returned object. 
This field is empty for operations that can return multiple objects.","isPreferredFacet":true},{"name":"ConditionsUsed","type":"string","description":"A semicolon-separated list of key-value pairs that represent a condition.","isPreferredFacet":true},{"name":"ContentLengthHeader","type":"long","description":"The value of the Content-Length header for the request sent to the storage service.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The category of requested operation.","isPreferredFacet":true},{"name":"TlsVersion","type":"string","description":"The TLS version used in the connection of request.","isPreferredFacet":true},{"name":"SmbTreeConnectID","type":"string","description":"The SMB TreeConnectID established at TreeConnect time.","isPreferredFacet":true},{"name":"SmbPersistentHandleID","type":"string","description":"Persistent HandleID from an SMB2 Create request that survives network reconnects.  Referenced in [MS-SMB2] 2.2.14.1 as SMB2_FILEID.Persistent.","isPreferredFacet":true},{"name":"SmbVolatileHandleID","type":"string","description":"Volatile HandleID from an SMB2 Create request that is recycled on network reconnects.  Referenced in [MS-SMB2] 2.2.14.1 as SMB2_FILEID.Volatile.","isPreferredFacet":true},{"name":"SmbMessageID","type":"string","description":"The connection relative MessageId.","isPreferredFacet":true},{"name":"SmbCreditsConsumed","type":"int","description":"The ingress or egress consumed by the request, in units of 64k.","isPreferredFacet":true},{"name":"SmbCommandDetail","type":"string","description":"More information about this specific request rather than the general type of request.","isPreferredFacet":true},{"name":"SmbFileId","type":"string","description":"The FileId associated with file or directory.  
Roughly analogous to an NTFS FileId.","isPreferredFacet":true},{"name":"SmbSessionID","type":"string","description":"The SMB2 SessionId established at SessionSetup time.","isPreferredFacet":true},{"name":"SmbCommandMajor","type":"int","description":"The value of SMB2_HEADER.Command; currently a number between 0 and 18 inclusive.","isPreferredFacet":true},{"name":"SmbCommandMinor","type":"string","description":"The subclass of SmbCommandMajor, where appropriate.","isPreferredFacet":true},{"name":"SasExpiryStatus","type":"string","description":"Records any violations in the request SAS token as per the SAS policy set in the storage account. For example: a longer SAS token duration specified than the SAS policy allows.","isPreferredFacet":true},{"name":"MetricResponseType","type":"string","description":"Records the metric response for correlation between metrics and logs.","isPreferredFacet":true},{"name":"SmbStatusCode","type":"string","description":"The SMB status code, in hex format.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.storage/storageaccounts"]}},{"id":"StorageMalwareScanningResults","name":"StorageMalwareScanningResults","tableType":"Microsoft","description":"Logs for malware scans performed by the Malware Scanning feature of Defender for Storage.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The 
timestamp (UTC) when the log was generated."},{"name":"CorrelationId","type":"string","description":"The ID of a specific scan."},{"name":"AggregatedScanId","type":"string","description":"If this object was scanned as part of an aggregated scan, this is the ID of that scan."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"StorageAccountName","type":"string","description":"The name of the storage account."},{"name":"StorageAccountLocation","type":"string","description":"The location of the storage account."},{"name":"BlobUri","type":"string","description":"The URI of the scanned blob (Deprecated, use ScannedObjectUri instead)."},{"name":"BlobEtag","type":"string","description":"The Etag of the scanned blob (Deprecated, use ScannedObjectEtag instead)."},{"name":"ScanFinishedTimeUtc","type":"datetime","description":"Scan finished time in UTC."},{"name":"ScannedObjectEtag","type":"string","description":"The Etag of the scanned object (blob or file)."},{"name":"ScannedObjectUri","type":"string","description":"The URI of the scanned object (blob or file)."},{"name":"ScanResultType","type":"string","description":"Type of the scan result (Malicious, Error, No Threat Found, Not Scanned)."},{"name":"ScanResultDetails","type":"dynamic","description":"Information regarding the scan results."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources","security"],"resourceTypes":["microsoft.security/defenderforstoragesettings"],"solutions":["LogManagement"],"queries":["30a46f4f-dc1a-43e1-9fe4-c82750e218b3","dd5cd0fc-683c-4ace-a7da-ef6afd649407"]}},{"id":"StorageMoverAuditLogs","name":"StorageMoverAuditLogs","tableType":"Microsoft","description":"Audit logs for storage mover and its child resources.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time in UTC when the log was generated on the Storage Mover agent."},{"name":"Message","type":"string","description":"Log message."},{"name":"ResType","type":"string","description":"Resource type that generated the log."},{"name":"OperationName","type":"string","description":"Operation name."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.storagemover/storagemovers"],"solutions":["LogManagement"]}},{"id":"StorageMoverCopyLogsFailed","name":"StorageMoverCopyLogsFailed","tableType":"Microsoft","description":"The result logs generated during the execution of Storage Mover job runs where the transfer result is 'Failed'. 
The logs include the details of the scanned items and their transfer result.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time in UTC when the log was generated on the Storage Mover agent."},{"name":"JobRunName","type":"string","description":"Unique name of the job run which generated this log."},{"name":"ItemPath","type":"string","description":"Relative path of the item from the migration source, and target root directories."},{"name":"ItemType","type":"string","description":"Type of the item, either 'F' for file, or 'D' for directory."},{"name":"TransferResult","type":"string","description":"The final transfer result of the item. One of: Excluded, Failed, Transferred, NoCopyNecessary, Unsupported."},{"name":"StatusCode","type":"string","description":"The storage mover status code."},{"name":"Details","type":"string","description":"The error description and any additional details if available."},{"name":"FileSize","type":"long","description":"The file size in bytes (if available). Only applicable when item type is File."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.storagemover/storagemovers"],"solutions":["LogManagement"]}},{"id":"StorageMoverCopyLogsTransferred","name":"StorageMoverCopyLogsTransferred","tableType":"Microsoft","description":"The result logs generated during the execution of Storage Mover job runs where the transfer result is 'Transferred'. 
The logs include the details of the scanned items and their transfer result.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time in UTC when the log was generated on the Storage Mover agent."},{"name":"JobRunName","type":"string","description":"Unique name of the job run which generated this log."},{"name":"ItemPath","type":"string","description":"Relative path of the item from the migration source, and target root directories."},{"name":"ItemType","type":"string","description":"Type of the item, either 'F' for file, or 'D' for directory."},{"name":"TransferResult","type":"string","description":"The final transfer result of the item. One of: Excluded, Failed, Transferred, NoCopyNecessary, Unsupported."},{"name":"StatusCode","type":"string","description":"The storage mover status code."},{"name":"Details","type":"string","description":"The error description and any additional details if available."},{"name":"FileSize","type":"long","description":"The file size in bytes (if available). 
Only applicable when item type is File."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.storagemover/storagemovers"],"solutions":["LogManagement"]}},{"id":"StorageMoverJobRunLogs","name":"StorageMoverJobRunLogs","tableType":"Microsoft","description":"Logs associated with Storage Mover job runs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time in UTC when the log was generated on the Storage Mover agent."},{"name":"JobRunName","type":"string","description":"Unique name of the job run which generated this log."},{"name":"Level","type":"string","description":"The log level. 
Can be Informational, Warning or Error."},{"name":"StatusCode","type":"string","description":"Status code associated with the log message."},{"name":"Message","type":"string","description":"Log message."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.storagemover/storagemovers"],"solutions":["LogManagement"]}},{"id":"StorageQueueLogs","name":"StorageQueueLogs","tableType":"Microsoft","description":"Storage Queue Service Logs Schema","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The Universal Time Coordinated (UTC) time when the request was received by storage.","isPreferredFacet":true},{"name":"AccountName","type":"string","description":"The name of the storage account.","isPreferredFacet":true},{"name":"Location","type":"string","description":"The location of storage account.","isPreferredFacet":true},{"name":"Protocol","type":"string","description":"The protocol that is used in the operation.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The type of REST operation that was performed.","isPreferredFacet":true},{"name":"AuthenticationType","type":"string","description":"The type of authentication that was used to make the request.","isPreferredFacet":true},{"name":"StatusCode","type":"string","description":"The HTTP status code for the request. 
If the request is interrupted, this value might be set to Unknown.","isPreferredFacet":true},{"name":"StatusText","type":"string","description":"The status of the requested operation.","isPreferredFacet":true},{"name":"DurationMs","type":"real","description":"The total time, expressed in milliseconds, to perform the requested operation. This includes the time to read the incoming request, and to send the response to the requester.","isPreferredFacet":true},{"name":"ServerLatencyMs","type":"real","description":"The total time expressed in milliseconds to perform the requested operation. This value doesn't include network latency (the time to read the incoming request and send the response to the requester).","isPreferredFacet":true},{"name":"Uri","type":"string","description":"Uniform resource identifier that is requested.","isPreferredFacet":true},{"name":"CallerIpAddress","type":"string","description":"The IP address of the requester, including the port number.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The ID that is used to correlate logs across resources.","isPreferredFacet":true},{"name":"SchemaVersion","type":"string","description":"The schema version of the log.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The storage service version that was specified when the request was made. 
This is equivalent to the value of the x-ms-version header.","isPreferredFacet":true},{"name":"AuthenticationHash","type":"string","description":"The hash of the authentication token.","isPreferredFacet":true},{"name":"RequesterObjectId","type":"string","description":"The OAuth object ID of the requester.","isPreferredFacet":true},{"name":"RequesterTenantId","type":"string","description":"The OAuth tenant ID of the identity.","isPreferredFacet":true},{"name":"RequesterAppId","type":"string","description":"The Open Authorization (OAuth) application ID that is used as the requester.","isPreferredFacet":true},{"name":"RequesterAudience","type":"string","description":"The OAuth audience of the request.","isPreferredFacet":true},{"name":"RequesterTokenIssuer","type":"string","description":"The OAuth token issuer.","isPreferredFacet":true},{"name":"RequesterUpn","type":"string","description":"The User Principal Name (UPN) of the requester.","isPreferredFacet":true},{"name":"AuthorizationDetails","type":"dynamic","description":"Detailed policy information used to authorize the request.","isPreferredFacet":true},{"name":"UserAgentHeader","type":"string","description":"The User-Agent header value, in quotes.","isPreferredFacet":true},{"name":"ReferrerHeader","type":"string","description":"The Referer header value.","isPreferredFacet":true},{"name":"ClientRequestId","type":"string","description":"The x-ms-client-request-id header value of the request.","isPreferredFacet":true},{"name":"Etag","type":"string","description":"The ETag identifier for the returned object, in quotes.","isPreferredFacet":true},{"name":"ServiceType","type":"string","description":"The service associated with this request.","isPreferredFacet":true},{"name":"OperationCount","type":"int","description":"The number of each logged operation that is involved in the request. This count starts with an index of 0. Some requests require more than one operation, such as a request to copy a blob. 
Most requests perform only one operation.","isPreferredFacet":true},{"name":"ObjectKey","type":"string","description":"The key of the requested object, in quotes.","isPreferredFacet":true},{"name":"RequestHeaderSize","type":"long","description":"The size of the request header expressed in bytes. If a request is unsuccessful, this value might be empty.","isPreferredFacet":true},{"name":"RequestBodySize","type":"long","description":"The size of the request packets, expressed in bytes, that are read by the storage service. If a request is unsuccessful, this value might be empty.","isPreferredFacet":true},{"name":"ResponseHeaderSize","type":"long","description":"The size of the response header expressed in bytes. If a request is unsuccessful, this value might be empty.","isPreferredFacet":true},{"name":"ResponseBodySize","type":"long","description":"The size of the response packets written by the storage service, in bytes. If a request is unsuccessful, this value may be empty.","isPreferredFacet":true},{"name":"RequestMd5","type":"string","description":"The value of either the Content-MD5 header or the x-ms-content-md5 header in the request. The MD5 hash value specified in this field represents the content in the request.","isPreferredFacet":true},{"name":"ResponseMd5","type":"string","description":"The value of the MD5 hash calculated by the storage service.","isPreferredFacet":true},{"name":"LastModifiedTime","type":"datetime","description":"The Last Modified Time (LMT) for the returned object. 
This field is empty for operations that can return multiple objects.","isPreferredFacet":true},{"name":"ConditionsUsed","type":"string","description":"A semicolon-separated list of key-value pairs that represent a condition.","isPreferredFacet":true},{"name":"ContentLengthHeader","type":"long","description":"The value of the Content-Length header for the request sent to the storage service.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The category of requested operation.","isPreferredFacet":true},{"name":"TlsVersion","type":"string","description":"The TLS version used in the connection of request.","isPreferredFacet":true},{"name":"SasExpiryStatus","type":"string","description":"Records any violations in the request SAS token as per the SAS policy set in the storage account. Ex: longer SAS token duration specified than allowed per SAS policy","isPreferredFacet":true},{"name":"MetricResponseType","type":"string","description":"Records the metric response for correlation between metrics and logs.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.storage/storageaccounts"]}},{"id":"StorageTableLogs","name":"StorageTableLogs","tableType":"Microsoft","description":"Storage Table Service Logs Schema","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The Universal Time Coordinated (UTC) time 
when the request was received by storage.","isPreferredFacet":true},{"name":"AccountName","type":"string","description":"The name of the storage account.","isPreferredFacet":true},{"name":"Location","type":"string","description":"The location of storage account.","isPreferredFacet":true},{"name":"Protocol","type":"string","description":"The protocol that is used in the operation.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The type of REST operation that was performed.","isPreferredFacet":true},{"name":"AuthenticationType","type":"string","description":"The type of authentication that was used to make the request.","isPreferredFacet":true},{"name":"StatusCode","type":"string","description":"The HTTP status code for the request. If the request is interrupted, this value might be set to Unknown.","isPreferredFacet":true},{"name":"StatusText","type":"string","description":"The status of the requested operation.","isPreferredFacet":true},{"name":"DurationMs","type":"real","description":"The total time, expressed in milliseconds, to perform the requested operation. This includes the time to read the incoming request, and to send the response to the requester.","isPreferredFacet":true},{"name":"ServerLatencyMs","type":"real","description":"The total time expressed in milliseconds to perform the requested operation. 
This value doesn't include network latency (the time to read the incoming request and send the response to the requester).","isPreferredFacet":true},{"name":"Uri","type":"string","description":"Uniform resource identifier that is requested.","isPreferredFacet":true},{"name":"CallerIpAddress","type":"string","description":"The IP address of the requester, including the port number.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The ID that is used to correlate logs across resources.","isPreferredFacet":true},{"name":"SchemaVersion","type":"string","description":"The schema version of the log.","isPreferredFacet":true},{"name":"OperationVersion","type":"string","description":"The storage service version that was specified when the request was made. This is equivalent to the value of the x-ms-version header.","isPreferredFacet":true},{"name":"AuthenticationHash","type":"string","description":"The hash of the authentication token.","isPreferredFacet":true},{"name":"RequesterObjectId","type":"string","description":"The OAuth object ID of the requester.","isPreferredFacet":true},{"name":"RequesterTenantId","type":"string","description":"The OAuth tenant ID of the identity.","isPreferredFacet":true},{"name":"RequesterAppId","type":"string","description":"The Open Authorization (OAuth) application ID that is used as the requester.","isPreferredFacet":true},{"name":"RequesterAudience","type":"string","description":"The OAuth audience of the request.","isPreferredFacet":true},{"name":"RequesterTokenIssuer","type":"string","description":"The OAuth token issuer.","isPreferredFacet":true},{"name":"RequesterUpn","type":"string","description":"The User Principal Name (UPN) of the requester.","isPreferredFacet":true},{"name":"AuthorizationDetails","type":"dynamic","description":"Detailed policy information used to authorize the request.","isPreferredFacet":true},{"name":"UserAgentHeader","type":"string","description":"The User-Agent header value, in 
quotes.","isPreferredFacet":true},{"name":"ReferrerHeader","type":"string","description":"The Referer header value.","isPreferredFacet":true},{"name":"ClientRequestId","type":"string","description":"The x-ms-client-request-id header value of the request.","isPreferredFacet":true},{"name":"Etag","type":"string","description":"The ETag identifier for the returned object, in quotes.","isPreferredFacet":true},{"name":"ServiceType","type":"string","description":"The service associated with this request.","isPreferredFacet":true},{"name":"OperationCount","type":"int","description":"The number of each logged operation that is involved in the request. This count starts with an index of 0. Some requests require more than one operation, such as a request to copy a blob. Most requests perform only one operation.","isPreferredFacet":true},{"name":"ObjectKey","type":"string","description":"The key of the requested object, in quotes.","isPreferredFacet":true},{"name":"RequestHeaderSize","type":"long","description":"The size of the request header expressed in bytes. If a request is unsuccessful, this value might be empty.","isPreferredFacet":true},{"name":"RequestBodySize","type":"long","description":"The size of the request packets, expressed in bytes, that are read by the storage service. If a request is unsuccessful, this value might be empty.","isPreferredFacet":true},{"name":"ResponseHeaderSize","type":"long","description":"The size of the response header expressed in bytes. If a request is unsuccessful, this value might be empty.","isPreferredFacet":true},{"name":"ResponseBodySize","type":"long","description":"The size of the response packets written by the storage service, in bytes. If a request is unsuccessful, this value may be empty.","isPreferredFacet":true},{"name":"RequestMd5","type":"string","description":"The value of either the Content-MD5 header or the x-ms-content-md5 header in the request. 
The MD5 hash value specified in this field represents the content in the request.","isPreferredFacet":true},{"name":"ResponseMd5","type":"string","description":"The value of the MD5 hash calculated by the storage service.","isPreferredFacet":true},{"name":"LastModifiedTime","type":"datetime","description":"The Last Modified Time (LMT) for the returned object. This field is empty for operations that can return multiple objects.","isPreferredFacet":true},{"name":"ConditionsUsed","type":"string","description":"A semicolon-separated list of key-value pairs that represent a condition.","isPreferredFacet":true},{"name":"ContentLengthHeader","type":"long","description":"The value of the Content-Length header for the request sent to the storage service.","isPreferredFacet":true},{"name":"Category","type":"string","description":"The category of requested operation.","isPreferredFacet":true},{"name":"TlsVersion","type":"string","description":"The TLS version used in the connection of request.","isPreferredFacet":true},{"name":"SasExpiryStatus","type":"string","description":"Records any violations in the request SAS token as per the SAS policy set in the storage account. 
Ex: longer SAS token duration specified than allowed per SAS policy","isPreferredFacet":true},{"name":"MetricResponseType","type":"string","description":"Records the metric response for correlation between metrics and logs.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.storage/storageaccounts"]}},{"id":"SucceededIngestion","name":"SucceededIngestion","tableType":"Microsoft","description":"Succeeded ingestion operations logs provide information about successfully completed ingest operations. Logs include data source details that together with `Failed ingestion operations` logs can be used for tracking the process of ingestion of each data source. 
Ingestion logs are supported for queued ingestion to the ingestion endpoint using SDKs, data connections, and connectors.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"SucceededOn","type":"datetime","description":"Time at which this ingest operation successfully ended","isPreferredFacet":true},{"name":"OperationId","type":"string","description":"The ingestion's operation ID","isPreferredFacet":true},{"name":"Database","type":"string","description":"The name of the database holding the target table","isPreferredFacet":true},{"name":"Table","type":"string","description":"The name of the target table into which the data is ingested","isPreferredFacet":true},{"name":"IngestionSourceId","type":"string","description":"A unique identifier representing the ingested source","isPreferredFacet":true},{"name":"IngestionSourcePath","type":"string","description":"The path of the ingestion data sources or the Azure blob storage URI","isPreferredFacet":true},{"name":"ResultType","type":"string","description":"The final state of this data ingestion operation","isPreferredFacet":true},{"name":"RootActivityId","type":"string","description":"The ingestion's activity ID","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.kusto/clusters"]}},{"id":"SynapseBigDataPoolApplicationsEnded","name":"SynapseBigDataPoolApplicationsEnded","tableType":"Microsoft","description":"Information about ended Apache Spark applications.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"CorrelationId","type":"string","description":"A GUID used to group together a set of related events."},{"name":"Identity","type":"dynamic","description":"A JSON blob that describes the identity of the user or application that performed the operation."},{"name":"Properties","type":"dynamic","description":"extended properties related to this event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"]}},{"id":"SynapseBuiltinSqlPoolRequestsEnded","name":"SynapseBuiltinSqlPoolRequestsEnded","tableType":"Microsoft","description":"Ended Azure Synapse built-in serverless SQL requests.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was 
generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"CorrelationId","type":"string","description":"A GUID used to group together a set of related events."},{"name":"DurationMs","type":"int","description":"The total elapsed time in milliseconds."},{"name":"ResultType","type":"string","description":"The status of the request."},{"name":"ErrorCode","type":"int","description":"The error/success code"},{"name":"Identity","type":"dynamic","description":"A JSON blob that describes the identity of the user or application that performed the operation."},{"name":"Properties","type":"dynamic","description":"extended properties related to this event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"]}},{"id":"SynapseDXCommand","name":"SynapseDXCommand","tableType":"Microsoft","description":"Azure data explorer synapse command execution summary. 
Logs include DatabaseName, State, Duration that can be used for monitoring the commands which were invoked on the cluster","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) when this event was generated","isPreferredFacet":true},{"name":"Category","type":"string","description":"The log category for these events will be 'Command'","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The client request ID","isPreferredFacet":true},{"name":"RootActivityId","type":"string","description":"The root activity ID","isPreferredFacet":true},{"name":"StartedOn","type":"datetime","description":"The time (UTC) when this command started","isPreferredFacet":true},{"name":"LastUpdatedOn","type":"datetime","description":"The last time this command was updated","isPreferredFacet":true},{"name":"DatabaseName","type":"string","description":"The name of the database the command ran on"},{"name":"State","type":"string","description":"The state the command ended with, like 'Completed'"},{"name":"FailureReason","type":"string","description":"The reason for the failure"},{"name":"TotalCPU","type":"string","description":"Total CPU runtime across cluster nodes"},{"name":"CommandType","type":"string","description":"Command type. 
like 'DatabasesShow'"},{"name":"ApplicationName","type":"string","description":"The name of the application that invoked the command"},{"name":"ResourceUtilization","type":"dynamic","description":"Resource consumption for the executed command"},{"name":"Duration","type":"string","description":"Command duration as a string like '00:00:00.0156250'"},{"name":"User","type":"string","description":"User that invoked the query"},{"name":"Principal","type":"string","description":"Principal that invoked the query like 'aaduser=USER_ID;TENANT'"},{"name":"WorkloadGroup","type":"string","description":"Workload groups are a means of resource governance for incoming requests to the cluster"},{"name":"Text","type":"string","description":"Text of the invoked command"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.synapse/workspaces"]}},{"id":"SynapseDXFailedIngestion","name":"SynapseDXFailedIngestion","tableType":"Microsoft","description":"Failed ingestion operations logs provide detailed information about failed ingest operations. Logs include data source details, as well as error code and failure status (transient or permanent), that can be used for tracking the process of data source ingestion. Users can identify usage errors (permanent bad requests) and handle retries of transient failures. 
Ingestion logs are supported for queued ingestion to the ingestion endpoint using SDKs, data connections, and connectors","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) when this event was generated","isPreferredFacet":true},{"name":"FailedOn","type":"datetime","description":"The time this ingest operation failed","isPreferredFacet":true},{"name":"OperationId","type":"string","description":"The ingestion's operation ID","isPreferredFacet":true},{"name":"Database","type":"string","description":"The name of the database holding the target table","isPreferredFacet":true},{"name":"Table","type":"string","description":"The name of the target table the data is ingested into","isPreferredFacet":true},{"name":"IngestionSourceId","type":"string","description":"The ID of the ingestion source","isPreferredFacet":true},{"name":"IngestionSourcePath","type":"string","description":"Azure blob storage URI","isPreferredFacet":true},{"name":"ResultType","type":"string","description":"Final state of this data ingestion operation like 'Failed'","isPreferredFacet":true},{"name":"RootActivityId","type":"string","description":"The ingestion's activity ID Used for debugging issues","isPreferredFacet":true},{"name":"Details","type":"string","description":"Details of the failure","isPreferredFacet":true},{"name":"ErrorCode","type":"string","description":"Failure's error code like 'BadRequest_EmptyBlob'","isPreferredFacet":true},{"name":"FailureStatus","type":"string","description":"Failure's status like 'Permanent'","isPreferredFacet":true},{"name":"OriginatesFromUpdatePolicy","type":"bool","description":"Indicates if the failure originates from an Update Policy","isPreferredFacet":true},{"name":"ShouldRetry","type":"bool","description":"Indicates if the failure is temporary and the operation should be 
retried","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.synapse/workspaces"]}},{"id":"SynapseDXIngestionBatching","name":"SynapseDXIngestionBatching","tableType":"Microsoft","description":"Azure data explorer synapse ingestion batching operations. These logs have detailed statistics of batches ready for ingestion (duration, batch size and blobs count)","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) this event was generated","isPreferredFacet":true},{"name":"Database","type":"string","description":"The name of the database holding the target table","isPreferredFacet":true},{"name":"Table","type":"string","description":"The name of the target table the data is ingested into","isPreferredFacet":true},{"name":"BatchingType","type":"string","description":"Batching type: Whether the batch reached the limit of batching time, data size, or number of files set by the batching policy","isPreferredFacet":true},{"name":"SourceCreationTime","type":"datetime","description":"When the first blobs in this batch were created (UTC time)","isPreferredFacet":true},{"name":"BatchTimeSeconds","type":"real","description":"Total batching time of this batch (seconds)","isPreferredFacet":true},{"name":"BatchSizeBytes","type":"long","description":"Total uncompressed size of data in this batch 
(bytes)","isPreferredFacet":true},{"name":"DataSourcesInBatch","type":"int","description":"Number of data sources in this batch","isPreferredFacet":true},{"name":"RootActivityId","type":"string","description":"The operation's activity ID","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.synapse/workspaces"]}},{"id":"SynapseDXQuery","name":"SynapseDXQuery","tableType":"Microsoft","description":"Azure data explorer synapse query execution summary. Logs include DatabaseName, State, Duration that can be used for monitoring the queries which were invoked on the cluster","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) this event was generated","isPreferredFacet":true},{"name":"Category","type":"string","description":"The log category for these events will be 'Query'","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The client request ID","isPreferredFacet":true},{"name":"RootActivityId","type":"string","description":"The root activity ID","isPreferredFacet":true},{"name":"StartedOn","type":"datetime","description":"The time (UTC) this command started","isPreferredFacet":true},{"name":"LastUpdatedOn","type":"datetime","description":"The time (UTC) this command ended","isPreferredFacet":true},{"name":"DatabaseName","type":"string","description":"The name of the database the command ran 
on","isPreferredFacet":true},{"name":"State","type":"string","description":"The state the command ended with like 'Completed'"},{"name":"FailureReason","type":"string","description":"The reason for the failure"},{"name":"TotalCPU","type":"string","description":"Total CPU runtime across cluster nodes"},{"name":"ApplicationName","type":"string","description":"The name of the application that invoked the query"},{"name":"MemoryPeak","type":"long","description":"Memory peak"},{"name":"Duration","type":"string","description":"Query duration as a string like '00:00:00.0156250'"},{"name":"User","type":"string","description":"User that invoked the query"},{"name":"Principal","type":"string","description":"The principal that invoked the query like 'aaduser=USER_ID;TENANT'"},{"name":"ExtentsMinDataScannedTime","type":"datetime","description":"Minimum data scan time","isPreferredFacet":true},{"name":"ExtentsMaxDataScannedTime","type":"datetime","description":"Maximum data scan time","isPreferredFacet":true},{"name":"TotalExtentsCount","type":"long","description":"Total extents count"},{"name":"ScannedExtentsCount","type":"long","description":"Scanned extents count"},{"name":"TotalRowsCount","type":"long","description":"Total rows count"},{"name":"ScannedRowsCount","type":"long","description":"Scanned rows count"},{"name":"CacheMemoryHits","type":"long","description":"Memory cache hits"},{"name":"CacheMemoryMisses","type":"long","description":"Memory cache misses"},{"name":"CacheDiskHits","type":"long","description":"Disk cache hits"},{"name":"CacheDiskMisses","type":"long","description":"Disk cache misses"},{"name":"CacheShardsHotHits","type":"long","description":"Shards hot cache hits"},{"name":"CacheShardsHotMisses","type":"long","description":"Shards hot cache misses"},{"name":"CacheShardsColdHits","type":"long","description":"Shards cold cache hits"},{"name":"CacheShardsColdMisses","type":"long","description":"Shards cold cache 
misses"},{"name":"CacheShardsBypassBytes","type":"long","description":"Shards cache bypass bytes"},{"name":"TableCount","type":"int","description":"Table count"},{"name":"TablesStatistics","type":"dynamic","description":"Tables statistics"},{"name":"WorkloadGroup","type":"string","description":"Workload groups are a means of resource governance for incoming requests to the cluster"},{"name":"Text","type":"string","description":"Text of the invoked query"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.synapse/workspaces"]}},{"id":"SynapseDXSucceededIngestion","name":"SynapseDXSucceededIngestion","tableType":"Microsoft","description":"Succeeded ingestion operations logs provide information about successfully completed ingest operations. Logs include data source details that together with `Failed ingestion operations` logs can be used for tracking the process of ingestion of each data source. 
Ingestion logs are supported for queued ingestion to the ingestion endpoint using SDKs, data connections, and connectors","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) when this event was generated","isPreferredFacet":true},{"name":"SucceededOn","type":"datetime","description":"The time this ingest operation ended successfully","isPreferredFacet":true},{"name":"OperationId","type":"string","description":"The ingestion's operation ID","isPreferredFacet":true},{"name":"Database","type":"string","description":"The name of the database holding the target table","isPreferredFacet":true},{"name":"Table","type":"string","description":"The name of the target table the data is ingested into","isPreferredFacet":true},{"name":"IngestionSourceId","type":"string","description":"The ingestion source ID","isPreferredFacet":true},{"name":"IngestionSourcePath","type":"string","description":"Azure blob storage URI","isPreferredFacet":true},{"name":"ResultType","type":"string","description":"Final state of this data ingestion operation like 'Succeeded'","isPreferredFacet":true},{"name":"RootActivityId","type":"string","description":"The ingestion's activity ID","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.synapse/workspaces"]}},{"id":"SynapseDXTableDetails","name":"SynapseDXTableDetails","tableType":"Microsoft","description":"Azure Data 
Explorer Synapse table details","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) this event was generated","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The client request ID","isPreferredFacet":true},{"name":"DatabaseName","type":"string","description":"Name of the database"},{"name":"TableName","type":"string","description":"Name of the table"},{"name":"TotalExtentSize","type":"real","description":"Total size of extents (compressed size + index size) in the table (in bytes)"},{"name":"TotalOriginalSize","type":"real","description":"The total original data size in the table (in bytes)"},{"name":"HotExtentSize","type":"real","description":"Total size of extents (compressed size + index size) in the table, stored in the hot cache (in bytes)"},{"name":"RetentionPolicyOrigin","type":"string","description":"Retention policy origin entity (Table/Database/Cluster)"},{"name":"RetentionPolicy","type":"dynamic","description":"Table's effective entity retention policy, serialized as JSON"},{"name":"CachingPolicyOrigin","type":"string","description":"Caching policy origin entity (Table/Database/Cluster)"},{"name":"CachingPolicy","type":"dynamic","description":"Table's effective entity caching policy, serialized as JSON"},{"name":"MaxExtentsCreationTime","type":"datetime","description":"Maximum creation time of an extent in the table (or null, if there are no extents)"},{"name":"MinExtentsCreationTime","type":"datetime","description":"Minimum creation time of an extent in the table (or null, if there are no extents)"},{"name":"TotalExtentCount","type":"long","description":"Total number of extents in the table"},{"name":"TotalRowCount","type":"long","description":"Total number of rows in the table"},{"name":"HotExtentCount","type":"long","description":"Total number of extents in the table, stored in the hot 
cache"},{"name":"HotOriginalSize","type":"long","description":"Total original size of data in the table, stored in the hot cache (in bytes)"},{"name":"HotRowCount","type":"long","description":"Total number of rows in the table, stored in the hot cache"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.synapse/workspaces"]}},{"id":"SynapseDXTableUsageStatistics","name":"SynapseDXTableUsageStatistics","tableType":"Microsoft","description":"Azure data explorer synapse table usage statistics. Logs include DatabaseName, TableName, User that can be used for monitoring cluster's table usage","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time (UTC) this event was generated","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The client request ID","isPreferredFacet":true},{"name":"RootActivityId","type":"string","description":"The root activity ID","isPreferredFacet":true},{"name":"StartedOn","type":"datetime","description":"The time (UTC) the table usage statistics operation started","isPreferredFacet":true},{"name":"DatabaseName","type":"string","description":"Name of the database"},{"name":"TableName","type":"string","description":"Name of the table"},{"name":"MinCreatedOn","type":"datetime","description":"Earliest extent time of the table","isPreferredFacet":true},{"name":"MaxCreatedOn","type":"datetime","description":"Latest extent time 
of the table","isPreferredFacet":true},{"name":"ApplicationName","type":"string","description":"The name of the application that invoked the command"},{"name":"User","type":"string","description":"User that invoked the query"},{"name":"Principal","type":"string","description":"Principal that invoked the query like 'aaduser=USER_ID;TENANT'"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.synapse/workspaces"]}},{"id":"SynapseGatewayApiRequests","name":"SynapseGatewayApiRequests","tableType":"Microsoft","description":"Azure Synapse gateway API requests.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API Version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"ResultType","type":"string","description":"Status of the event."},{"name":"ResultSignature","type":"string","description":"The sub status of the event"},{"name":"ResultDescription","type":"string","description":"The static text description of this operation."},{"name":"CorrelationId","type":"string","description":"A GUID used to group together a set of related events."},{"name":"Identity","type":"dynamic","description":"A JSON blob that describes 
the identity of the user or application that performed the operation."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"RequestUri","type":"string","description":"The request URI for this query."},{"name":"ClientCorrelationId","type":"string","description":"The client correlation id of this query."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"]}},{"id":"SynapseIntegrationActivityRuns","name":"SynapseIntegrationActivityRuns","tableType":"Microsoft","description":"Logs for Synapse integration activity runs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"CorrelationId","type":"string","description":"The correlationId for the log record."},{"name":"Level","type":"string","description":"The log type info level of the record."},{"name":"Location","type":"string","description":"The location of the resource in the cloud where this log is originated."},{"name":"Tags","type":"dynamic","description":"The associated tags of the log record."},{"name":"Status","type":"string","description":"The Status of the sql 
requests."},{"name":"UserProperties","type":"dynamic","description":"The user properties of the log record."},{"name":"Annotations","type":"dynamic","description":"The annotation details of the log record."},{"name":"Start","type":"datetime","description":"The start time (UTC) of the activity run."},{"name":"End","type":"datetime","description":"The end time (UTC) for the activity run."},{"name":"ActivityName","type":"string","description":"The name of the activity run."},{"name":"ActivityRunId","type":"string","description":"The run id of the activity run."},{"name":"PipelineRunId","type":"string","description":"The pipeline runId of the activity flow."},{"name":"EffectiveIntegrationRuntime","type":"string","description":"The effective integration runtime the activity run job."},{"name":"ActivityType","type":"string","description":"The type of the activity run."},{"name":"PipelineName","type":"string","description":"The pipeline name of the activity flow."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"]}},{"id":"SynapseIntegrationPipelineRuns","name":"SynapseIntegrationPipelineRuns","tableType":"Microsoft","description":"Logs for Synapse integration pipeline runs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated 
with log record."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"CorrelationId","type":"string","description":"The correlationId for the log record."},{"name":"Level","type":"string","description":"The log type info level of the record."},{"name":"Location","type":"string","description":"The location of the resource in the cloud where this log is originated."},{"name":"Tags","type":"dynamic","description":"The associated tags of the log record."},{"name":"Status","type":"string","description":"The Status of the SQL requests."},{"name":"UserProperties","type":"dynamic","description":"The user properties of the log record."},{"name":"Annotations","type":"dynamic","description":"The annotation details of the log record."},{"name":"Start","type":"datetime","description":"The start time (UTC) of the pipeline run."},{"name":"End","type":"datetime","description":"The end time (UTC) for the pipeline run."},{"name":"PipelineName","type":"string","description":"The name of the pipeline flow."},{"name":"RunId","type":"string","description":"The run id of the pipeline job."},{"name":"Predecessors","type":"dynamic","description":"The predecessors information of the pipeline log."},{"name":"Parameters","type":"dynamic","description":"The parameter details of the pipeline run."},{"name":"SystemParameters","type":"dynamic","description":"The system parameter details of the pipeline run."},{"name":"Type","type":"string","description":"The type of the pipeline run."},{"name":"PipelineTenantId","type":"string","description":"The tenantId details of the pipeline run."},{"name":"SourceSystem","type":"string"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"]}},{"id":"SynapseIntegrationTriggerRuns","name":"SynapseIntegrationTriggerRuns","tableType":"Microsoft","description":"Logs for Synapse integration trigger runs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"CorrelationId","type":"string","description":"The correlationId for the log record."},{"name":"Level","type":"string","description":"The log type info level of the record."},{"name":"Location","type":"string","description":"The location of the resource in the cloud where this log is originated."},{"name":"Tags","type":"dynamic","description":"The associated tags of the log record."},{"name":"Status","type":"string","description":"The Status of the SQL requests."},{"name":"UserProperties","type":"dynamic","description":"The user properties of the log record."},{"name":"Annotations","type":"dynamic","description":"The annotation details of the log record."},{"name":"TriggerId","type":"string","description":"The trigger id of the log record."},{"name":"TriggerName","type":"string","description":"The trigger name of the log record."},{"name":"TriggerType","type":"string","description":"The trigger type of the log record."},{"name":"TriggerEvent","type":"string","description":"The trigger id of the log record."},{"name":"Start","type":"datetime","description":"The start time (UTC) of the trigger run."},{"name":"Parameters","type":"dynamic","description":"The parameter details of the pipeline run."},{"name":"SystemParameters","type":"dynamic","description":"The system parameter details of the 
pipeline run."},{"name":"Type","type":"string","description":"The type of the pipeline run."},{"name":"PipelineTenantId","type":"string","description":"The tenantId details of the pipeline run."},{"name":"SourceSystem","type":"string"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"]}},{"id":"SynapseLinkEvent","name":"SynapseLinkEvent","tableType":"Microsoft","description":"Information about Synapse Link, including Link status and Link table status.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"Level","type":"int","description":"The log type info level of the record."},{"name":"Location","type":"string","description":"The location of the resource in the cloud where this log is originated."},{"name":"LinkConnectionName","type":"string","description":"The Synapse Link connection name."},{"name":"Properties","type":"dynamic","description":"The properties associated with Synapse Link operation."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription 
that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"],"queries":["f355a34a-0902-469d-a20d-126b6abe9647"]}},{"id":"SynapseRbacOperations","name":"SynapseRbacOperations","tableType":"Microsoft","description":"Azure Synapse role-based access control (SRBAC) operations.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"OperationVersion","type":"string","description":"The API version of the operation."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"ResultType","type":"string","description":"Status of the event."},{"name":"ResultSignature","type":"string","description":"The sub status of the event."},{"name":"ResultDescription","type":"string","description":"The static text description of this operation."},{"name":"CorrelationId","type":"string","description":"A GUID used to group together a set of related events."},{"name":"Identity","type":"dynamic","description":"A JSON blob that describes the identity of the user or application that performed the operation."},{"name":"Location","type":"string","description":"The region of the resource emitting the event."},{"name":"Properties","type":"dynamic","description":"extended properties related to this event."},{"name":"RoleAssignmentId","type":"string","description":"The Role Assignment Id for this event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"]}},{"id":"SynapseScopePoolScopeJobsEnded","name":"SynapseScopePoolScopeJobsEnded","tableType":"Microsoft","description":"SCOPE ended event including SCOPE job result and Information about the job.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"A GUID used to group together a set of related events."},{"name":"Identity","type":"dynamic","description":"A JSON blob that describes the identity of the user or application that performed the operation."},{"name":"Properties","type":"dynamic","description":"Extended properties related to this event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"]}},{"id":"SynapseScopePoolScopeJobsStateChange","name":"SynapseScopePoolScopeJobsStateChange","tableType":"Microsoft","description":"SCOPE job state change 
event.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"CorrelationId","type":"string","description":"A GUID used to group together a set of related events."},{"name":"Identity","type":"dynamic","description":"A JSON blob that describes the identity of the user or application that performed the operation."},{"name":"Properties","type":"dynamic","description":"Extended properties related to this event."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"]}},{"id":"SynapseSqlPoolDmsWorkers","name":"SynapseSqlPoolDmsWorkers","tableType":"Microsoft","description":"Information about workers completing DMS steps in an Azure Synapse dedicated SQL pool.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"LogicalServerName","type":"string","description":"The logical server name of the SQL DW."},{"name":"ResourceGroup","type":"string","description":"The azure resourceGroup of the SQL DW."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log 
record."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"RequestId","type":"string","description":"The requestId of the DMS workers."},{"name":"StepIndex","type":"int","description":"The step index of the DMS workers."},{"name":"DmsStepIndex","type":"int","description":"The DMS step index of the DMS workers."},{"name":"PdwNodeId","type":"int","description":"The pdw node id of the DMS workers."},{"name":"DistributionId","type":"int","description":"The distribution id of the DMS workers."},{"name":"Type","type":"string","description":"The type of the DMS workers."},{"name":"Status","type":"string","description":"The status of the DMS workers."},{"name":"BytesProcessed","type":"int","description":"The bytes processed of the DMS workers."},{"name":"RowsProcessed","type":"int","description":"The rows processed of the DMS workers."},{"name":"StartTime","type":"datetime","description":"The startTime (UTC) of the DMS workers."},{"name":"EndTime","type":"datetime","description":"The end time (UTC) for the DMS workers."},{"name":"CpuTime","type":"int","description":"The cpu time for the DMS workers."},{"name":"SqlSpId","type":"int","description":"The SQL Sp Id for the DMS workers."},{"name":"DmsCpuId","type":"int","description":"The DMS cpu Id for the DMS workers."},{"name":"ErrorId","type":"string","description":"The errorId of the DMS workers."},{"name":"SourceInfo","type":"string","description":"The row count of the DMS workers."},{"name":"DestinationInfo","type":"string","description":"The row count of the DMS workers."},{"name":"SourceSystem","type":"string"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"]}},{"id":"SynapseSqlPoolExecRequests","name":"SynapseSqlPoolExecRequests","tableType":"Microsoft","description":"Information about SQL requests or queries in an Azure Synapse dedicated SQL pool.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"LogicalServerName","type":"string","description":"The logical server name of the SQL DW."},{"name":"ResourceGroup","type":"string","description":"The azure resourceGroup of the SQL DW."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"SessionId","type":"string","description":"The Session ID of the SQL pool instance."},{"name":"RequestId","type":"string","description":"The requestId of the execution requests."},{"name":"Status","type":"string","description":"The status of the execution requests."},{"name":"SubmitTime","type":"datetime","description":"The submitTime (UTC) of the execution requests."},{"name":"StartTime","type":"datetime","description":"The startTime (UTC) of the execution requests."},{"name":"EndCompileTime","type":"datetime","description":"The end compile time (UTC) of the execution requests."},{"name":"EndTime","type":"datetime","description":"The end time (UTC) for the execution requests."},{"name":"Label","type":"string","description":"The label of the execution requests."},{"name":"ErrorId","type":"string","description":"The errorId of the execution requests."},{"name":"DatabaseId","type":"string","description":"The databaseId of the execution requests."},{"name":"Command","type":"string","description":"The SQL command of the execution 
requests."},{"name":"ResourceClass","type":"string","description":"The resource class of the execution requests."},{"name":"StatementType","type":"string","description":"The statement type of the execution requests."},{"name":"ScopeDepth","type":"int","description":"The scope depth of the execution requests."},{"name":"RootQueryId","type":"string","description":"The rootQueryId of the execution requests."},{"name":"ClientCorrelationId","type":"string","description":"The correlation ID set by the client/user."},{"name":"ExplainOutput","type":"string","description":"The explain output of the execution requests."},{"name":"Importance","type":"string","description":"The importance of the execution requests."},{"name":"ClassifierName","type":"string","description":"The classifier name of the execution requests."},{"name":"ResourceAllocationPercent","type":"string","description":"The resource allocation percent of the execution requests."},{"name":"ResultCacheHit","type":"string","description":"The result cache hit of the execution requests."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"]}},{"id":"SynapseSqlPoolRequestSteps","name":"SynapseSqlPoolRequestSteps","tableType":"Microsoft","description":"Information about request steps that compose a given SQL request or query in an Azure Synapse dedicated SQL 
pool.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"LogicalServerName","type":"string","description":"The logical server name of the SQL DW."},{"name":"ResourceGroup","type":"string","description":"The azure resourceGroup of the SQL DW."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"RequestId","type":"string","description":"The requestId of the execution requests."},{"name":"StepIndex","type":"int","description":"The step index of the execution requests."},{"name":"OperationType","type":"string","description":"The operation type of the execution requests."},{"name":"DistributionType","type":"string","description":"The distribution type of the execution requests."},{"name":"LocationType","type":"string","description":"The location type of the execution requests."},{"name":"Status","type":"string","description":"The status of the execution requests."},{"name":"ErrorId","type":"string","description":"The errorId of the execution requests."},{"name":"StartTime","type":"datetime","description":"The startTime (UTC) of the execution requests."},{"name":"EndCompileTime","type":"datetime","description":"The end compile time (UTC) of the execution requests."},{"name":"EndTime","type":"datetime","description":"The end time (UTC) for the execution requests."},{"name":"RowCount","type":"int","description":"The row count of the execution requests."},{"name":"Command","type":"string","description":"The SQL command of the execution requests."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"]}},{"id":"SynapseSqlPoolSqlRequests","name":"SynapseSqlPoolSqlRequests","tableType":"Microsoft","description":"Information about query distributions of the steps of SQL requests/queries in an Azure Synapse dedicated SQL pool.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"LogicalServerName","type":"string","description":"The logical server name of the SQL DW."},{"name":"ResourceGroup","type":"string","description":"The azure resourceGroup of the SQL DW."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"RequestId","type":"string","description":"The request Id of the SQL requests."},{"name":"StepIndex","type":"int","description":"The step index of the SQL requests."},{"name":"PdwNodeId","type":"int","description":"The PdwNodeId of the SQL requests."},{"name":"DistributionId","type":"int","description":"The distribution id of the SQL requests."},{"name":"Status","type":"string","description":"The Status of the SQL requests."},{"name":"ErrorId","type":"string","description":"The error id of the SQL requests."},{"name":"StartTime","type":"datetime","description":"The startTime (UTC) of the SQL requests."},{"name":"EndTime","type":"datetime","description":"The end time (UTC) for 
the SQL requests."},{"name":"RowCount","type":"int","description":"The row count of the SQL requests."},{"name":"SpId","type":"int","description":"The sp id of the SQL requests."},{"name":"Command","type":"string","description":"The command of the SQL requests."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"]}},{"id":"SynapseSqlPoolWaits","name":"SynapseSqlPoolWaits","tableType":"Microsoft","description":"Information about the wait states encountered during execution of a SQL request/query in an Azure Synapse dedicated SQL pool, including locks and waits on transmission queues.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"LogicalServerName","type":"string","description":"The logical server name of the SQL DW."},{"name":"ResourceGroup","type":"string","description":"The azure resourceGroup of the SQL DW."},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the log was generated."},{"name":"OperationName","type":"string","description":"The operation associated with log record."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"SessionId","type":"string","description":"The session ID of the SQL request."},{"name":"RequestId","type":"string","description":"The request ID of the waits."},{"name":"State","type":"string","description":"The State of the 
waits."},{"name":"Priority","type":"int","description":"The priority of the waits."},{"name":"LockType","type":"string","description":"The lock type of the SQL instance."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.synapse/workspaces"],"solutions":["LogManagement"]}},{"id":"Syslog","name":"Syslog","tableType":"Microsoft","description":"Syslog events on Linux computers using the Log Analytics agent.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"Type of agent the data was collected from. 
For syslog the value is typically Linux.","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Computer from which the event originated.","isPreferredFacet":true},{"name":"EventTime","type":"datetime","description":"Date and time that the event was generated."},{"name":"Facility","type":"string","description":"The part of the system that generated the message.","isPreferredFacet":true},{"name":"HostName","type":"string","description":"Name of the system from which the message originated.","isPreferredFacet":true},{"name":"SeverityLevel","type":"string","description":"Severity level of the event.","isPreferredFacet":true},{"name":"SyslogMessage","type":"string","description":"Text of the message."},{"name":"ProcessID","type":"int","description":"ID of the process that generated the message.","isPreferredFacet":true},{"name":"HostIP","type":"string","description":"IP address of the system from which the message originated. 
Depending on network configuration/topology, this may have a blank or placeholder value, especially when the message originates from a remote device.","isPreferredFacet":true},{"name":"ProcessName","type":"string","description":"Name of the process that generated the message.","isPreferredFacet":true},{"name":"CollectorHostName","type":"string","description":"Name of the system on which the collector agent is installed.","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security","virtualmachines"],"resourceTypes":["microsoft.operationalinsights/workspaces","microsoft.containerservice/managedclusters","microsoft.kubernetes/connectedclusters","microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets","microsoft.hybridcontainerservice/provisionedclusters"],"solutions":["LogManagement"]}},{"id":"TOUserAudits","name":"TOUserAudits","tableType":"Microsoft","description":"Contains all Toolchain orchestrator API Server audit logs including the events generated as a result of interactions with any external system or toolchain. These events are useful for monitoring all the interactions with the Toolchain orchestrator API server and between Toolchain orchestrator and external orchestrated targets, e.g. Kubernetes. 
Requires Diagnostic Settings to use the Resource Specific destination table.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Event generation time."},{"name":"OperationName","type":"string","description":"Operation name of the event."},{"name":"Category","type":"string","description":"Category of the event."},{"name":"Location","type":"string","description":"Azure region in which the Toolchain orchestrator diagnostic resource is located."},{"name":"Properties","type":"dynamic","description":"Properties of the event."},{"name":"OperatingResourceId","type":"string","description":"The operating resource id refers to the specific operational resource that the Toolchain orchestrator is managing when this event is triggered."},{"name":"OperatingResourceK8SId","type":"string","description":"The operating resource K8s id refers to K8s resource id (namespace/name) of the specific operational resource that the Toolchain orchestrator is managing when this event is triggered."},{"name":"Message","type":"string","description":"The audit message."},{"name":"User","type":"string","description":"The Microsoft Entra ID object Id of the requester."},{"name":"CorrelationId","type":"string","description":"Correlation ID of the operation."},{"name":"TOServiceName","type":"string","description":"Toolchain orchestrator service name."},{"name":"TOServiceInstance","type":"string","description":"Toolchain orchestrator service pod name."},{"name":"EdgeLocation","type":"string","description":"The Azure Edge custom location resource Id on which the operation happens."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the 
record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.toolchainorchestrator/diagnostics"],"solutions":["LogManagement"],"queries":["681582c5-1c89-4701-a256-608e82cbd0aa","c9ee41c4-5b23-4e04-a193-21ee5c4cfc8d"]}},{"id":"TOUserDiagnostics","name":"TOUserDiagnostics","tableType":"Microsoft","description":"Contains all Toolchain orchestrator API Server user diagnostics logs. These events are useful for diagnosing failed requests on Toolchain orchestrator. Requires Diagnostic Settings to use the Resource Specific destination table.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Event generation time."},{"name":"OperationName","type":"string","description":"Operation name of the event."},{"name":"Category","type":"string","description":"Category of the event."},{"name":"Location","type":"string","description":"Azure region in which the Toolchain orchestrator diagnostic resource is located."},{"name":"Properties","type":"dynamic","description":"Properties of the event."},{"name":"OperatingResourceId","type":"string","description":"The operating resource id refers to the specific operational resource that the Toolchain orchestrator is managing when this event is triggered."},{"name":"OperatingResourceK8SId","type":"string","description":"The operating resource K8s id refers to K8s resource id (namespace/name) of the specific operational resource that the Toolchain orchestrator is managing when this event is triggered."},{"name":"Message","type":"string","description":"The diagnostic message."},{"name":"User","type":"string","description":"The Microsoft Entra ID object Id of the 
requester."},{"name":"CorrelationId","type":"string","description":"Correlation ID of the operation."},{"name":"TOServiceName","type":"string","description":"Toolchain orchestrator service name."},{"name":"TOServiceInstance","type":"string","description":"Toolchain orchestrator service pod name."},{"name":"EdgeLocation","type":"string","description":"The Azure Edge custom location resource Id on which the operation happens."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.toolchainorchestrator/diagnostics"],"solutions":["LogManagement"],"queries":["03c620a0-e64b-46dd-8337-092d17106f96"]}},{"id":"TSIIngress","name":"TSIIngress","tableType":"Microsoft","description":"The Ingress category tracks errors that occur in the ingress pipeline. 
This category includes errors that occur when receiving events (such as failures to connect to an Event Source) and processing events (such as errors when parsing an event payload).","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time (UTC) at which this event is generated."},{"name":"Location","type":"string","description":"The location of the resource."},{"name":"Category","type":"string","description":"Category of the log event."},{"name":"OperationName","type":"string","description":"Operation name of the event."},{"name":"CorrelationId","type":"string","description":"The correlation ID of the request."},{"name":"Level","type":"string","description":"The severity level of the event."},{"name":"ResultDescription","type":"string","description":"Description of the result of the operation, such as 'Received forbidden error'."},{"name":"Message","type":"string","description":"The message associated with the error. Includes details on what went wrong and how to mitigate the error."},{"name":"ErrorCode","type":"string","description":"The code associated with the error"},{"name":"EventSourceType","type":"string","description":"The type of event source. It could either be Event hub or IoT hub."},{"name":"EventSourceProperties","type":"dynamic","description":"A collection of properties specific to your event source. 
Contains details such as the consumer group and the access key name."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.timeseriesinsights/environments"]}},{"id":"ThreatIntelExportOperation","name":"ThreatIntelExportOperation","tableType":"Microsoft","description":"Threat Intelligence Export Operation Logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of when the log entry was generated (UTC)."},{"name":"TimeExported","type":"datetime","description":"The time of export to destination (UTC)."},{"name":"Id","type":"string","description":"A Sentinel internal unique identifier that identifies a STIX object and can be used with Sentinel APIs."},{"name":"StixId","type":"string","description":"A globally unique identifier that identifies a STIX object."},{"name":"ExternallyExportedId","type":"string","description":"The unique identifier of the exported object."},{"name":"SourceSystem","type":"string","description":"The name of the STIX object source."},{"name":"ExportedBy","type":"string","description":"The user who initiated the export operation (email address)."},{"name":"ExportDuration","type":"int","description":"The total time, in milliseconds, taken to complete the export operation."},{"name":"ExportId","type":"string","description":"A value that uniquely identifies the Export operation."},{"name":"ExportType","type":"string","description":"Represents 
the export destination type. e.g. TAXII"},{"name":"Status","type":"string","description":"Status of the export operation, possible values: 'Success', 'Failure', 'Timeout'."},{"name":"ErrorDetails","type":"string","description":"Additional information when Status is 'Failure' / 'Timeout'."},{"name":"DestinationInfo","type":"dynamic","description":"Additional information about the export destination depending on ExportType."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/threatintelligence"],"solutions":["SecurityInsights"]}},{"id":"ThreatIntelIndicators","name":"ThreatIntelIndicators","tableType":"Microsoft","description":"Threat Intelligence table that contains STIX indicators.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time of indicator ingestion."},{"name":"WorkspaceId","type":"string","description":"The workspace that submitted the indicator."},{"name":"AzureTenantId","type":"string","description":"The tenant that submitted the indicator."},{"name":"Id","type":"string","description":"A value that uniquely identifies the indicator STIX object. 
This value is usable with Sentinel APIs."},{"name":"SourceSystem","type":"string","description":"The name of the source."},{"name":"LastUpdateMethod","type":"string","description":"The component that last updated the indicator."},{"name":"IsDeleted","type":"bool","description":"A value that indicates whether the data was deleted from Sentinel or not."},{"name":"AdditionalFields","type":"dynamic","description":"The type-specific fields that Sentinel adds. Contains the TLPLevel: white, green, amber, or red."},{"name":"Data","type":"dynamic","description":"All object properties, formatted according to the STIX specification (https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.pdf)."},{"name":"IsActive","type":"bool","description":"A value that specifies if an indicator is active and valid for detections."},{"name":"Revoked","type":"bool","description":"A value that specifies whether the indicator was revoked."},{"name":"ValidUntil","type":"datetime","description":"The time at which this indicator should no longer be considered a valid indicator of the behaviors it is related to or represents."},{"name":"ValidFrom","type":"datetime","description":"The time from which this indicator is considered a valid indicator of the behaviors it is related to or represents."},{"name":"Created","type":"datetime","description":"The date when the indicator was created."},{"name":"Modified","type":"datetime","description":"The date when the indicator was modified."},{"name":"Tags","type":"string","description":"Sentinel defined tags for the indicator."},{"name":"Confidence","type":"int","description":"The confidence that the creator has in the correctness of their data. 
The value must be a number in the range of 0-100."},{"name":"Pattern","type":"string","description":"The detection pattern for this indicator MAY be expressed as a STIX pattern."},{"name":"ObservableKey","type":"string","description":"The entire left-hand side of an equality comparison from the pattern."},{"name":"ObservableValue","type":"string","description":"The entire right-hand side of an equality comparison from the pattern."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/threatintelligence"],"solutions":["SecurityInsights"]}},{"id":"ThreatIntelObjects","name":"ThreatIntelObjects","tableType":"Microsoft","description":"Threat Intelligence Generic STIX Object Table.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time of STIX object ingestion."},{"name":"WorkspaceId","type":"string","description":"The workspace that submitted the STIX object."},{"name":"AzureTenantId","type":"string","description":"The tenant that submitted the STIX object."},{"name":"Id","type":"string","description":"A value that uniquely identifies the STIX object. 
This value is usable with Sentinel APIs."},{"name":"SourceSystem","type":"string","description":"The name of the source."},{"name":"StixType","type":"string","description":"The name of this STIX Object."},{"name":"LastUpdateMethod","type":"string","description":"The component that last updated the record."},{"name":"IsDeleted","type":"bool","description":"A value that indicates whether the data was deleted from Sentinel or not."},{"name":"AdditionalFields","type":"dynamic","description":"The type specific fields that Sentinel adds. Contains the TLPLevel: white, green, amber, or red."},{"name":"Data","type":"dynamic","description":"All object properties, formatted according to the STIX specification (https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.pdf)."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/threatintelligence"],"solutions":["SecurityInsights"]}},{"id":"ThreatIntelligenceIndicator","name":"ThreatIntelligenceIndicator","tableType":"Microsoft","description":"Threat Intelligence Indicator","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time of indicator ingestion."},{"name":"SourceSystem","type":"string","description":"Source system."},{"name":"Action","type":"string","description":"Action to take on indicator match."},{"name":"ActivityGroupNames","type":"string","description":"Activity groups associated with indicator."},{"name":"AdditionalInformation","type":"string","description":"Free text additional 
information for indicator."},{"name":"ConfidenceScore","type":"real","description":"Confidence rating of the indicator, from 0 to 100."},{"name":"Description","type":"string","description":"Description of the indicator."},{"name":"DiamondModel","type":"string","description":"Diamond model value for the indicator, one of adversary, capability, infrastructure or victim."},{"name":"ExternalIndicatorId","type":"string","description":"Identifier for indicator from submitting system."},{"name":"ExpirationDateTime","type":"datetime","description":"Time of indicator expiration."},{"name":"IndicatorId","type":"string","description":"Unique identifier for indicator, calculated by receiving system."},{"name":"ThreatType","type":"string","description":"Threat type of indicator."},{"name":"Active","type":"bool","description":"Indicates whether indicator is active."},{"name":"KillChainActions","type":"bool","description":"Indicates whether kill chain value 'actions' is set."},{"name":"KillChainC2","type":"bool","description":"Indicates whether kill chain value 'C2' is set."},{"name":"KillChainDelivery","type":"bool","description":"Indicates whether kill chain value 'delivery' is set."},{"name":"KillChainExploitation","type":"bool","description":"Indicates whether kill chain value 'exploitation' is set."},{"name":"KillChainReconnaissance","type":"bool","description":"Indicates whether kill chain value 'reconnaissance' is set."},{"name":"KillChainWeaponization","type":"bool","description":"Indicates whether kill chain value 'weaponization' is set."},{"name":"KnownFalsePositives","type":"string","description":"Text describing situations where indicator may cause false positives."},{"name":"MalwareNames","type":"string","description":"List of malware names associated with indicator."},{"name":"PassiveOnly","type":"bool","description":"Indicates whether the indicator should trigger an event that is visible to a user."},{"name":"ThreatSeverity","type":"int","description":"Indicator 
severity rating from 0 to 5. Higher value indicates greater severity."},{"name":"Tags","type":"string","description":"Free form tags."},{"name":"TrafficLightProtocolLevel","type":"string","description":"Industry standard traffic light protocol level, one of white, green, amber or red."},{"name":"EmailEncoding","type":"string","description":"The email encoding observable."},{"name":"EmailLanguage","type":"string","description":"The email language observable."},{"name":"EmailRecipient","type":"string","description":"The email recipient observable."},{"name":"EmailSenderAddress","type":"string","description":"The email sender address observable."},{"name":"EmailSenderName","type":"string","description":"The email sender name observable."},{"name":"EmailSourceDomain","type":"string","description":"The email source domain observable."},{"name":"EmailSourceIpAddress","type":"string","description":"The email source IP address observable."},{"name":"EmailSubject","type":"string","description":"The email subject observable."},{"name":"EmailXMailer","type":"string","description":"The email X-Mailer observable."},{"name":"FileCompileDateTime","type":"datetime","description":"The file compilation time observable."},{"name":"FileCreatedDateTime","type":"datetime","description":"The file creation time observable."},{"name":"FileHashType","type":"string","description":"The file hash type observable."},{"name":"FileHashValue","type":"string","description":"The file hash value observable."},{"name":"FileMutexName","type":"string","description":"The file mutex name observable."},{"name":"FileName","type":"string","description":"The file name observable."},{"name":"FilePacker","type":"string","description":"The file packer observable."},{"name":"FilePath","type":"string","description":"The file path observable."},{"name":"FileSize","type":"int","description":"The file size observable."},{"name":"FileType","type":"string","description":"The file type 
observable."},{"name":"DomainName","type":"string","description":"The domain name observable."},{"name":"NetworkIP","type":"string","description":"The network IP address observable."},{"name":"NetworkPort","type":"int","description":"The network port observable."},{"name":"NetworkDestinationAsn","type":"int","description":"The network destination autonomous system number observable."},{"name":"NetworkDestinationCidrBlock","type":"string","description":"The network destination CIDR block observable."},{"name":"NetworkDestinationIP","type":"string","description":"The network destination IP address."},{"name":"NetworkCidrBlock","type":"string","description":"The network CIDR block observable."},{"name":"NetworkDestinationPort","type":"int","description":"The network destination port observable."},{"name":"NetworkProtocol","type":"int","description":"The network protocol observable."},{"name":"NetworkSourceAsn","type":"int","description":"The network source autonomous system number observable."},{"name":"NetworkSourceCidrBlock","type":"string","description":"The network source CIDR block observable."},{"name":"NetworkSourceIP","type":"string","description":"The network source IP address observable."},{"name":"NetworkSourcePort","type":"int","description":"The network source port observable."},{"name":"Url","type":"string","description":"The url observable."},{"name":"UserAgent","type":"string","description":"The user agent observable."},{"name":"IndicatorProvider","type":"string","description":"The name of the entity that provided the indicator."},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"]}},{"id":"UAApp","name":"UAApp","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"AppVendor","type":"string","isPreferredFacet":true},{"name":"AppName","type":"string","isPreferredFacet":true},{"name":"AppVersion","type":"string","isPreferredFacet":true},{"name":"AppLanguage","type":"string"},{"name":"TotalInstalls","type":"int"},{"name":"ComputersWithIssues","type":"int"},{"name":"MonthlyActiveComputers","type":"int"},{"name":"PercentActiveComputers","type":"string","isPreferredFacet":true},{"name":"Issue","type":"string","isPreferredFacet":true},{"name":"UpgradeAssessment","type":"string","isPreferredFacet":true},{"name":"Guidance","type":"string"},{"name":"Importance","type":"string","isPreferredFacet":true},{"name":"UpgradeDecision","type":"string","isPreferredFacet":true},{"name":"ReadyForWindows","type":"string","isPreferredFacet":true},{"name":"IsRollup","type":"bool","isPreferredFacet":true},{"name":"RollupLevel","type":"string","isPreferredFacet":true},{"name":"AppType","type":"string"},{"name":"AppCategory","type":"string"},{"name":"AppOwner","type":"string"},{"name":"TestPlan","type":"string"},{"name":"TestResult","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["CompatibilityAssessment"]}},{"id":"UAComputer","name":"UAComputer","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"Manufacturer","type":"string","isPreferredFacet":true},{"name":"Model","type":"string","isPreferredFacet":true},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"OSEdition","type":"string","isPreferredFacet":true},{"name":"OSBuild","type":"string","isPreferredFacet":true},{"name":"OSArchitecture","type":"string"},{"name":"TotalIssues","type":"int"},{"name":"SysReqIssues","type":"int"},{"name":"AppIssues","type":"int"},{"name":"DriverIssues","type":"int"},{"name":"UpgradeAssessment","type":"string","isPreferredFacet":true},{"name":"UpgradeDecision","type":"string","isPreferredFacet":true},{"name":"LastScan","type":"datetime"},{"name":"InventoryVersion","type":"string","isPreferredFacet":true},{"name":"ConfigMgrClientID","type":"string"},{"name":"ItemRank","type":"int"},{"name":"DeploymentStatus","type":"string","isPreferredFacet":true},{"name":"DeploymentError","type":"string","isPreferredFacet":true},{"name":"DeploymentErrorDetails","type":"string"},{"name":"OriginBuild","type":"string","isPreferredFacet":true},{"name":"OriginOSVersion","type":"string","isPreferredFacet":true},{"name":"TargetBuild","type":"string","isPreferredFacet":true},{"name":"TargetOSVersion","type":"string","isPreferredFacet":true},{"name":"UserAction","type":"string"},{"name":"UninstallComment","type":"string"},{"name":"UninstallReason","type":"string"},{"name":"HoursToUninstall","type":"int"},{"name":"Type","type":"string","description":"The 
name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["CompatibilityAssessment"]}},{"id":"UAComputerRank","name":"UAComputerRank","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"ItemRank","type":"int"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["CompatibilityAssessment"]}},{"id":"UADriver","name":"UADriver","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"HardwareName","type":"string","isPreferredFacet":true},{"name":"HardwareType","type":"string","isPreferredFacet":true},{"name":"HardwareID","type":"string","isPreferredFacet":true},{"name":"DriverVendor","type":"string","isPreferredFacet":true},{"name":"DriverName","type":"string","isPreferredFacet":true},{"name":"DriverVersion","type":"string","isPreferredFacet":true},{"name":"DriverDate","type":"string"},{"name":"TotalComputers","type":"int"},{"name":"DriverAvailability","type":"string","isPreferredFacet":true},{"name":"Issue","type":"string","isPreferredFacet":true},{"name":"UpgradeAssessment","type":"string","isPreferredFacet":true},{"name":"Guidance","type":"string"},{"name":"Importance","type":"string","isPreferredFacet":true},{"name":"UpgradeDecision","type":"string","isPreferredFacet":true},{"name":"IsRollup","type":"bool","isPreferredFacet":true},{"name":"Rol
lupLevel","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["CompatibilityAssessment"]}},{"id":"UADriverProblemCodes","name":"UADriverProblemCodes","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"HardwareName","type":"string","isPreferredFacet":true},{"name":"HardwareType","type":"string","isPreferredFacet":true},{"name":"HardwareID","type":"string","isPreferredFacet":true},{"name":"DriverVendor","type":"string","isPreferredFacet":true},{"name":"DriverName","type":"string","isPreferredFacet":true},{"name":"DriverVersion","type":"string","isPreferredFacet":true},{"name":"DriverDate","type":"string"},{"name":"DriverAvailability","type":"string","isPreferredFacet":true},{"name":"ProblemCode","type":"string","isPreferredFacet":true},{"name":"Guidance","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["CompatibilityAssessment"]}},{"id":"UAFeedback","name":"UAFeedback","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"Title","type":"string"},{"name":"Category","type":"string","isPreferredFacet":true},{"name":"Feedback","type":"string","isPreferredFacet":true},{"name":"TotalUpvotes","type":"int"},{"name":"Sentiment","type":"string","isPreferredFacet":true},{"name":"FeedbackSubmittedDate","type":"datetime"},{"name":"MicrosoftResponse","type":"string"},{"name":"AppName","type":"string","isPreferredFacet":true},{"name":"AppVersion","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["CompatibilityAssessment"]}},{"id":"UAIESiteDiscovery","name":"UAIESiteDiscovery","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"SiteName","type":"string","isPreferredFacet":true},{"name":"NumberOfVisits","type":"int"},{"name":"URL","type":"string"},{"name":"DocMode","type":"string","isPreferredFacet":true},{"name":"DocModeReason","type":"string","isPreferredFacet":true},{"name":"BrowserStateReason","type":"string","isPreferredFacet":true},{"name":"Zone","type":"string","isPreferredFacet":true},{"name":"ActiveXName","type":"string","isPreferredFacet":true},{"name":"ActiveXGuid","type":"string"},{"name":"IsRollup","type":"bool","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["CompatibilityAssessment"]}},{"id":"UAOfficeAddIn","name":"UAOfficeAddIn","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"OfficeAddInID","type":"string"},{"name":"OfficeAddInName","type":"string","isPreferredFacet":true},{"name":"OfficeAddInDescription","type":"string"},{"name":"OfficeProduct","type":"string","isPreferredFacet":true},{"name":"OfficeProductVersion","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["CompatibilityAssessment"]}},{"id":"UAProposedActionPlan","name":"UAProposedActionPlan","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ItemRank","type":"int"},{"name":"ItemType","type":"string","isPreferredFacet":true},{"name":"ItemName","type":"string","isPreferredFacet":true},{"name":"ItemVendor","type":"string","isPreferredFacet":true},{"name":"ItemVersion","type":"string"},{"name":"ItemLanguage","type":"string"},{"name":"ItemHardwareID","type":"string"},{"name":"UpgradeDecision","type":"string","isPreferredFacet":true},{"name":"ComputersUnblocked","type":"int"},{"name":"CumulativeUnblocked","type":"int"},{"name":"CumulativeUnblockedPct","type":"real"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["CompatibilityAssessment"]}},{"id":"UASysReqIssue","name":"UASysReqIssue","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"SysReqType","type":"string","isPreferredFacet":true},{"name":"Issue","type":"string","isPreferredFacet":true},{"name":"UpgradeAssessment","type":"string","isPreferredFacet":true},{"name":"Guidance","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["CompatibilityAssessment"]}},{"id":"UAUpgradedComputer","name":"UAUpgradedComputer","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"Manufacturer","type":"string","isPreferredFacet":true},{"name":"Model","type":"string","isPreferredFacet":true},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"OSEdition","type":"string","isPreferredFacet":true},{"name":"OSBuild","type":"string","isPreferredFacet":true},{"name":"OSArchitecture","type":"string"},{"name":"LastScan","type":"datetime"},{"name":"ConfigMgrClientID","type":"string"},{"name":"DeploymentStatus","type":"string","isPreferredFacet":true},{"name":"DeploymentError","type":"string","isPreferredFacet":true},{"name":"DeploymentErrorDetails","type":"string"},{"name":"OriginBuild
","type":"string","isPreferredFacet":true},{"name":"OriginOSVersion","type":"string","isPreferredFacet":true},{"name":"TargetBuild","type":"string","isPreferredFacet":true},{"name":"TargetOSVersion","type":"string","isPreferredFacet":true},{"name":"UserAction","type":"string"},{"name":"UninstallComment","type":"string"},{"name":"UninstallReason","type":"string"},{"name":"HoursToUninstall","type":"int"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["CompatibilityAssessment"]}},{"id":"UCClient","name":"UCClient","tableType":"Microsoft","description":"Update Compliance - This event acts as an individual device's record, containing data like the current build installed, device's name, the OS Edition, active hours (quantitative), and so on.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time the snapshot generated this specific record."},{"name":"GlobalDeviceId","type":"string","description":"Microsoft internal Global Device Identifier.","isPreferredFacet":true},{"name":"AzureADTenantId","type":"string","description":"A GUID corresponding to this device's AAD Device ID."},{"name":"AzureADDeviceId","type":"string","description":"A GUID corresponding to the AAD Tenant to which the device belongs.","isPreferredFacet":true},{"name":"SCCMClientId","type":"string","description":"A GUID corresponding to the SCCM Client ID on the device.","isPreferredFacet":true},{"name":"DeviceName","type":"string","description":"The Device given name.","isPreferredFacet":true},{"name":"DeviceFamily","type":"string","description":"The device family e.g. PC, Phone.","isPreferredFacet":true},{"name":"DeviceFormFactor","type":"string","description":"The device form factor e.g. 
Notebook, Desktop, Phone.","isPreferredFacet":true},{"name":"DeviceManufacturer","type":"string","description":"The device OEM Manufacturer e.g. Hewlett-Packard.","isPreferredFacet":true},{"name":"DeviceModel","type":"string","description":"The device's OEM model e.g. HP7420 Workstation.","isPreferredFacet":true},{"name":"Country","type":"string","description":"The last-reported location of device (country), based on IP address. Shown as country code.","isPreferredFacet":true},{"name":"City","type":"string","description":"The last-reported location of device (city), based on IP address.","isPreferredFacet":true},{"name":"PrimaryDiskFreeCapacityMb","type":"int","description":"Free disk capacity of the primary disk in Megabytes.","isPreferredFacet":true},{"name":"OSVersion","type":"string","description":"The version of Windows 10 as is organized on aka.ms/win10releaseinfo.","isPreferredFacet":true},{"name":"OSBuild","type":"string","description":"The currently-installed Windows 10 Build in the format 'Major'.'Revision'. 'Major' corresponds to which Feature Update the device is on, whereas 'Revision' corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available aka.ms/win10releaseinfo.","isPreferredFacet":true},{"name":"OSBuildNumber","type":"int","description":"An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device.","isPreferredFacet":true},{"name":"OSRevisionNumber","type":"int","description":"An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device.","isPreferredFacet":true},{"name":"OSEdition","type":"string","description":"The Windows 10 Edition or SKU.","isPreferredFacet":true},{"name":"OSArchitecture","type":"string","description":"The architecture of the Operating System e.g. 
x86.","isPreferredFacet":true},{"name":"IsVirtual","type":"bool","description":"Whether device is a Virtual Device.","isPreferredFacet":true},{"name":"OSServicingChannel","type":"string","description":"The elected Windows 10 Servicing Channel of the device.","isPreferredFacet":true},{"name":"OSFeatureUpdateStatus","type":"string","description":"Whether or not the device is on the latest available Feature Update.","isPreferredFacet":true},{"name":"OSQualityUpdateStatus","type":"string","description":"Whether or not the device is on the latest available Quality Update, for its Feature Update.","isPreferredFacet":true},{"name":"OSSecurityUpdateStatus","type":"string","description":"Whether or not the device is on the latest available Security Update, for its Feature Update.","isPreferredFacet":true},{"name":"OSFeatureUpdateComplianceStatus","type":"string","description":"Whether or not the device is on the latest Feature Update being Offered by WUfB DS, else NotApplicable.","isPreferredFacet":true},{"name":"OSSecurityUpdateComplianceStatus","type":"string","description":"Whether or not the device is on the latest Security update (QU, Classification==Security) being offered by WUfB DS, else NotApplicable.","isPreferredFacet":true},{"name":"OSQualityUpdateComplianceStatus","type":"string","description":"Whether or not the device is on the latest Quality Update being Offered by WUfB DS, else NotApplicable.","isPreferredFacet":true},{"name":"OSFeatureUpdateReleaseTime","type":"datetime","description":"The release date of the Feature Update currently installed on the device.","isPreferredFacet":true},{"name":"OSQualityUpdateReleaseTime","type":"datetime","description":"The release date of the Quality Update currently installed on the device.","isPreferredFacet":true},{"name":"OSFeatureUpdateEOSTime","type":"datetime","description":"The end of service date of the Feature Update currently installed on the 
device.","isPreferredFacet":true},{"name":"WUFeaturePauseState","type":"string","description":"Indicates pause status of device for FU, possible values are Paused, NotPaused, NotConfigured.","isPreferredFacet":true},{"name":"WUFeatureDeferralDays","type":"int","description":"CSP: DeferFeatureUpdates. The WU Feature Update Deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values >0 indicate the policy setting.","isPreferredFacet":true},{"name":"WUQualityDeferralDays","type":"int","description":"CSP: DeferQualityUpdates. The WU Quality Update Deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values >0 indicate the policy setting.","isPreferredFacet":true},{"name":"WUQualityPauseState","type":"string","description":"Indicates pause status of device for QU, possible values are Paused, NotPaused, NotConfigured.","isPreferredFacet":true},{"name":"WUFeatureDeadlineDays","type":"int","description":"CSP: ConfigureDeadlineForFeatureUpdates. The WU Feature Update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values >0 indicate the deadline in days.","isPreferredFacet":true},{"name":"WUQualityDeadlineDays","type":"int","description":"CSP: ConfigureDeadlineForQualityUpdates. The WU Quality Update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values >0 indicate the deadline in days.","isPreferredFacet":true},{"name":"WUFeatureGracePeriodDays","type":"int","description":"The WU grace period for feature update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the Grace Period in days.","isPreferredFacet":true},{"name":"WUQualityGracePeriodDays","type":"int","description":"The WU grace period for quality update in days. -1 indicates not configured, 0 indicates configured and set to 0. 
Values greater than 0 indicate the Grace Period in days.","isPreferredFacet":true},{"name":"WUDODownloadMode","type":"string","description":"The WU DO DownloadMode configuration, brought over from Update Compliance.","isPreferredFacet":true},{"name":"UpdateConnectivityLevel","type":"string","description":"Whether or not this device is maintaining a sufficiently cumulative and continuous connection to Windows Update so the update can progress optimally.","isPreferredFacet":true},{"name":"WUFeaturePauseStartTime","type":"datetime","description":"CSP: PauseFeatureUpdatesStartTime. The time WU Feature Update Pause was activated, if activated, else null. Feature Updates will be paused for 35 days from the specified start date.","isPreferredFacet":true},{"name":"WUFeaturePauseEndTime","type":"datetime","description":"CSP: PauseFeatureUpdatesEndTime. The time WU Feature Update Pause will end, if activated, else null.","isPreferredFacet":true},{"name":"WUQualityPauseStartTime","type":"datetime","description":"CSP: PauseQualityUpdatesStartTime. The time WU Quality Update Pause was activated, if activated, else null.","isPreferredFacet":true},{"name":"WUQualityPauseEndTime","type":"datetime","description":"CSP: PauseQualityUpdatesEndTime. The time WU Quality Update Pause will end, if activated, else null.","isPreferredFacet":true},{"name":"WUAutomaticUpdates","type":"int","description":"CSP: AllowAutoUpdate and 'AuOptions'. Enables the IT admin to manage automatic update behavior to scan, download, and install updates.","isPreferredFacet":true},{"name":"WUDeadlineNoAutoRestart","type":"int","description":"CSP: ConfigureDeadlineNoAutoReboot. Devices will not automatically restart outside of active hours until the deadline is reached. 1 - Enabled, 0 (default) - Disabled.","isPreferredFacet":true},{"name":"WUNotificationLevel","type":"int","description":"CSP: UpdateNotificationLevel. This policy allows you to define what Windows Update notifications users see. 
0 (default) - Use the default Windows Update notifications. 1 - Turn off all notifications, excluding restart warnings. 2 - Turn off all notifications, including restart warnings.","isPreferredFacet":true},{"name":"WUPauseUXDisabled","type":"int","description":"CSP: SetDisablePauseUXAccess. This policy allows the IT admin to disable the Pause Updates feature. When this policy is enabled, the user cannot access the \"Pause updates\" feature. Supported values 0, 1.","isPreferredFacet":true},{"name":"WUUXDisabled","type":"int","description":"CSP: SetDisableUXWUAccess. This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user cannot access the Windows Update scan, download, and install features. Default is 0. Supported values 0, 1.","isPreferredFacet":true},{"name":"WUServiceURLConfigured","type":"string","description":"CSP: UpdateServiceUrl. The following list shows the supported values: Not configured. The device checks for updates from Microsoft Update. Set to a URL, such as http://abcd-srv:8530. The device checks for updates from the WSUS server at the specified URL.","isPreferredFacet":true},{"name":"WURestartNotification","type":"int","description":"CSP: AutoRestartRequiredNotificationDismissal. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. The following list shows the supported values: 1 (default) = Auto Dismissal. 
2 = User Dismissal.","isPreferredFacet":true},{"name":"LastWUScanTime","type":"datetime","description":"The last time this device performed a successful WU Scan, if any.","isPreferredFacet":true},{"name":"LastCensusScanTime","type":"datetime","description":"The last time this device performed a successful Census Scan, if any.","isPreferredFacet":true},{"name":"IsDeviceHotpatchEnrolled","type":"bool","description":"Indicates whether the device has been enrolled to receive Windows security updates without requiring a restart.","isPreferredFacet":true},{"name":"IsDeviceVBSEnabled","type":"bool","description":"Whether Virtualization-based Security (VBS) is enabled on the device. Enabling VBS is a prerequisite for devices to receive Windows security updates without a restart.","isPreferredFacet":true},{"name":"IsDeviceHotpatchEligible","type":"bool","description":"Specifies whether a device meets the necessary criteria to receive Windows security updates without requiring a restart.","isPreferredFacet":true},{"name":"LastHotpatchEnrolledTime","type":"datetime","description":"The last time the device was enrolled to receive security updates without a restart.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["LogManagement","WaaSUpdateInsights"]}},{"id":"UCClientReadinessStatus","name":"UCClientReadinessStatus","tableType":"Microsoft","description":"Update Compliance - Status message for a UC client device, which indicates update readiness of the given device for a specific target version.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time at which this event is generated."},{"name":"DeviceName","type":"string","description":"The Device given 
name.","isPreferredFacet":true},{"name":"GlobalDeviceId","type":"string","description":"Microsoft internal global device identifier.","isPreferredFacet":true},{"name":"AzureADTenantId","type":"string","description":"A GUID corresponding to this device's AAD device ID."},{"name":"AzureADDeviceId","type":"string","description":"A GUID corresponding to the AAD tenant to which the device belongs.","isPreferredFacet":true},{"name":"SCCMClientId","type":"string","description":"A GUID corresponding to the SCCM client ID on the device.","isPreferredFacet":true},{"name":"OSName","type":"string","description":"The version of Windows 10 as is organized on aka.ms/win10releaseinfo.","isPreferredFacet":true},{"name":"OSVersion","type":"string","description":"The version of Windows 10 as is organized on aka.ms/win10releaseinfo.","isPreferredFacet":true},{"name":"OSBuild","type":"string","description":"The currently-installed Windows 10 Build in the format 'Major'.'Revision'. 'Major' corresponds to which Feature Update the device is on, whereas 'Revision' corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available aka.ms/win10releaseinfo.","isPreferredFacet":true},{"name":"TargetOSName","type":"string","description":"The version of Windows 10 as is organized on aka.ms/win10releaseinfo.","isPreferredFacet":true},{"name":"TargetOSVersion","type":"string","description":"The version of Windows 10 as is organized on aka.ms/win10releaseinfo.","isPreferredFacet":true},{"name":"TargetOSBuild","type":"string","description":"The currently-installed Windows 10 Build in the format 'Major'.'Revision'. 'Major' corresponds to which Feature Update the device is on, whereas 'Revision' corresponds to which quality update the device is on. 
Mappings between Feature release and Major, as well as Revision and KBs, are available aka.ms/win10releaseinfo.","isPreferredFacet":true},{"name":"ReadinessStatus","type":"string","description":"Whether or not the device is capable of taking target OS and version.","isPreferredFacet":true},{"name":"ReadinessReason","type":"string","description":"Reason why the device is not capable of taking target OS and version.","isPreferredFacet":true},{"name":"ReadinessScanTime","type":"datetime","description":"The time the readiness generated this specific record."},{"name":"ReadinessExpiryTime","type":"datetime","description":"The time the readiness report expires."},{"name":"SetupReadinessStatus","type":"string","description":"Whether or not the device is capable of taking target OS and version when setup ran.","isPreferredFacet":true},{"name":"SetupReadinessReason","type":"string","description":"Reason why the device is not capable of taking target OS and version when setup ran.","isPreferredFacet":true},{"name":"SetupReadinessTime","type":"datetime","description":"The time the readiness generated this specific record when setup ran."},{"name":"SetupReadinessExpiryTime","type":"datetime","description":"The time the readiness report expires."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["LogManagement","WaaSUpdateInsights"]}},{"id":"UCClientUpdateStatus","name":"UCClientUpdateStatus","tableType":"Microsoft","description":"Update Compliance - Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time the snapshot generated this specific 
record."},{"name":"GlobalDeviceId","type":"string","description":"Microsoft internal Global Device Identifier","isPreferredFacet":true},{"name":"AzureADTenantId","type":"string","description":"A GUID corresponding to this device's AAD Device ID."},{"name":"AzureADDeviceId","type":"string","description":"A GUID corresponding to the AAD Tenant to which the device belongs.","isPreferredFacet":true},{"name":"SCCMClientId","type":"string","description":"A GUID corresponding to the SCCM Client ID on the device.","isPreferredFacet":true},{"name":"DeviceName","type":"string","description":"Device's given name.","isPreferredFacet":true},{"name":"DeploymentId","type":"string","description":"The identifier of the Deployment that is targeting this update to this device, else empty.","isPreferredFacet":true},{"name":"ClientSubstate","type":"string","description":"Last-known state of this update relative to the device, from the client (the device's WDD).","isPreferredFacet":true},{"name":"ClientState","type":"string","description":"Higher-level bucketization of ClientSubstate.","isPreferredFacet":true},{"name":"ClientSubstateRank","type":"int","description":"Ranking of Client Substates for sequential ordering in funnel-type views. 
The rankings between ServiceSubstate and ClientSubstate can be used together.","isPreferredFacet":true},{"name":"FurthestClientSubstate","type":"string","description":"Furthest clientSubstate.","isPreferredFacet":true},{"name":"FurthestClientSubstateRank","type":"int","description":"Ranking of furthest clientSubstate.","isPreferredFacet":true},{"name":"UpdateHealthGroupL1","type":"string","description":"Grouping designed to describe the current update installation's \"health\", L1 (highest-level).","isPreferredFacet":true},{"name":"UpdateHealthGroupRankL1","type":"int","description":"Integer for ranking the L1 UpdateHealthGroup.","isPreferredFacet":true},{"name":"UpdateHealthGroupL2","type":"string","description":"Second grouping, subset of L1, more detailed.","isPreferredFacet":true},{"name":"UpdateHealthGroupRankL2","type":"int","description":"Integer for ranking the L2 UpdateHealthGroup.","isPreferredFacet":true},{"name":"UpdateHealthGroupL3","type":"string","description":"Third grouping, subset of L2, more detailed.","isPreferredFacet":true},{"name":"UpdateHealthGroupRankL3","type":"int","description":"Integer for ranking the L3 UpdateHealthGroup.","isPreferredFacet":true},{"name":"UpdateSource","type":"string","description":"The source of the update - UUP, MUv6, Media.","isPreferredFacet":true},{"name":"UpdateCategory","type":"string","description":"The type of content this DeviceUpdateEvent is tracking.","isPreferredFacet":true},{"name":"UpdateClassification","type":"string","description":"Whether this content is an Upgrade (FU), Security (QU), NonSecurity (QU).","isPreferredFacet":true},{"name":"UpdateManufacturer","type":"string","description":"Manufacturer of update. Microsoft for WU FU/QU, for D&F name of driver manufacturer e.g. NVIDIA.","isPreferredFacet":true},{"name":"UpdateDisplayName","type":"string","description":"The long-form display name for the given update. 
Varies on content type (FU/QU).","isPreferredFacet":true},{"name":"TargetVersion","type":"string","description":"The target OS Version - eg, 1909.","isPreferredFacet":true},{"name":"TargetBuild","type":"string","description":"The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this would correspond to the full build (10.0.14393.385).","isPreferredFacet":true},{"name":"TargetBuildNumber","type":"int","description":"Integer of the Major portion of Build.","isPreferredFacet":true},{"name":"TargetRevisionNumber","type":"int","description":"Integer of the Minor (or Revision) portion of Build.","isPreferredFacet":true},{"name":"TargetKBNumber","type":"string","description":"KB Article.","isPreferredFacet":true},{"name":"UpdateConnectivityLevel","type":"string","description":"Whether or not this device is maintaining a sufficiently cumulative and continuous connection to Windows Update so the update can progress optimally. ","isPreferredFacet":true},{"name":"IsUpdateHealthy","type":"bool","description":"True: No issues preventing this device from updating to this update have been found. False: There is something that may prevent this device from updating.","isPreferredFacet":true},{"name":"EventData","type":"string","description":"Json to fill with arbitrary K/V pairs. Used to populate contextual data that would otherwise be sparsely populated if elevated to a field always present in the schema. 
","isPreferredFacet":true},{"name":"UpdateReleaseTime","type":"datetime","description":"The release date of the update.","isPreferredFacet":true},{"name":"ClientSubstateTime","type":"datetime","description":"DateTime of last Client Substate transition.","isPreferredFacet":true},{"name":"OfferReceivedTime","type":"datetime","description":"DateTime when device last reported entering OfferReceived, else empty.","isPreferredFacet":true},{"name":"RestartRequiredTime","type":"datetime","description":"DateTime when device first reported entering RebootRequired (or RebootPending), else empty.","isPreferredFacet":true},{"name":"UpdateInstalledTime","type":"datetime","description":"DateTime when event transitioned to UpdateInstalled, else empty.","isPreferredFacet":true},{"name":"UpdateId","type":"string","description":"Update ID of the targeted update.","isPreferredFacet":true},{"name":"CatalogId","type":"string","description":"The update catalog ID.","isPreferredFacet":true},{"name":"IsHotpatchUpdate","type":"bool","description":"Status of whether a device is taking a windows security update without requiring a restart or not","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["LogManagement","WaaSUpdateInsights"]}},{"id":"UCDOAggregatedStatus","name":"UCDOAggregatedStatus","tableType":"Microsoft","description":"Update Compliance - aggregates all individual UCDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled to delivery.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time at which this event was generated."},{"name":"AzureADTenantId","type":"string","description":"A GUID corresponding to this device's AAD device 
ID."},{"name":"AzureADDeviceId","type":"string","description":"A GUID corresponding to the AAD tenant to which the device belongs."},{"name":"DeviceCount","type":"long","description":"Total count of devices."},{"name":"ContentType","type":"string","description":"The type of content being downloaded."},{"name":"BytesFromCDN","type":"long","description":"Total number of bytes downloaded from a CDN versus a peer. This counts against bandwidth optimization."},{"name":"BytesFromIntPeers","type":"long","description":"Total number of bytes downloaded from internet peers."},{"name":"BytesFromPeers","type":"long","description":"Total number of bytes downloaded from peers."},{"name":"BytesFromGroupPeers","type":"long","description":"Total number of bytes downloaded from group peers."},{"name":"BytesFromCache","type":"long","description":"Total number of bytes downloaded from cache."},{"name":"BWOptPercent28Days","type":"real","description":"Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using delivery optimization for this device, computed on a rolling 28-day basis."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["LogManagement","WaaSUpdateInsights"],"queries":["6c73ae0a-50af-46ee-9ff1-e19b1d3d9a0b"]}},{"id":"UCDOStatus","name":"UCDOStatus","tableType":"Microsoft","description":"Update Compliance - provides information, for a single device, on their bandwidth utilization across content types in the event they use delivery optimization.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time at which this event was generated."},{"name":"AzureADTenantId","type":"string","description":"A GUID corresponding to this 
device's AAD device ID."},{"name":"AzureADDeviceId","type":"string","description":"A GUID corresponding to the AAD tenant to which the device belongs."},{"name":"DeviceName","type":"string","description":"User or organization-provided device name. If this appears as '#', then you may need to configure devices to send device name."},{"name":"GlobalDeviceId","type":"string","description":"Microsoft global device identifier. This is an identifier used by Microsoft internally."},{"name":"GroupID","type":"string","description":"The delivery optimization group ID."},{"name":"OSVersion","type":"string","description":"The version of Windows 10. This typically is of the format of the year of the version's release, followed by the month. For example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild."},{"name":"DownloadMode","type":"string","description":"Device's delivery optimization download mode as configured on the device."},{"name":"DownloadModeSrc","type":"string","description":"The source of the download mode configuration."},{"name":"ContentDownloadMode","type":"int","description":"Device's delivery optimization download mode that was used for this content."},{"name":"DOStatusDescription","type":"string","description":"A short description of DO's status, if any."},{"name":"Country","type":"string","description":"Approximate country device was in while downloading content, based on IP address."},{"name":"City","type":"string","description":"Approximate city device was in while downloading content, based on IP address."},{"name":"ISP","type":"string","description":"The internet service provider estimation."},{"name":"PeeringStatus","type":"string","description":"The DO peering status."},{"name":"ContentType","type":"string","description":"The type of content being downloaded."},{"name":"TotalTimeForDownload","type":"string","description":"The total time it took to download the 
content."},{"name":"TotalTransfers","type":"long","description":"The total count of data transfers to download this content."},{"name":"PeerEligibleTransfers","type":"long","description":"Total count of eligible transfers by peers."},{"name":"NoPeersCount","type":"long","description":"The count of peers this device interacted with."},{"name":"PeersUnknownCount","type":"long","description":"The count of peers for which there is an unknown relation."},{"name":"PeersSuccessCount","type":"long","description":"The count of peers this device successfully connected to."},{"name":"PeersCannotConnectCount","type":"long","description":"The count of peers this device was unable to connect to."},{"name":"BytesFromCDN","type":"long","description":"Total number of bytes downloaded from a CDN versus a peer. This counts against bandwidth optimization."},{"name":"BytesFromIntPeers","type":"long","description":"Total number of bytes downloaded from internet peers."},{"name":"BytesFromPeers","type":"long","description":"Total number of bytes downloaded from peers."},{"name":"BytesFromGroupPeers","type":"long","description":"Total number of bytes downloaded from group peers."},{"name":"BytesFromCache","type":"long","description":"Total number of bytes downloaded from cache."},{"name":"BWOptPercent7Days","type":"real","description":"Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using delivery optimization for this device, computed on a rolling 7-day basis."},{"name":"BWOptPercent28Days","type":"real","description":"Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using delivery optimization for this device, computed on a rolling 28-day basis."},{"name":"LastCensusSeenTime","type":"datetime","description":"A DateTime corresponding to the last time the device sent data to Microsoft. 
Indicates freshness of any fields of this record."},{"name":"CacheNodeDetails","type":"dynamic","description":"An array of cache node details associated with this device, including cache node identifier, date, and bytes served."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["LogManagement","WaaSUpdateInsights"],"queries":["367b4e64-9488-45f8-94fa-88905a332c73"]}},{"id":"UCDeviceAlert","name":"UCDeviceAlert","tableType":"Microsoft","description":"Update Compliance - These alerts are activated as a result of an issue that is device-specific, rather than specific to a particular update on a particular device. Like UpdateAlerts, the AlertType indicates where the Alert comes from (ServiceDeviceAlert, ClientDeviceAlert). For example, an EndOfService alert is a ClientDeviceAlert, as the fact it is on a build no longer being serviced (EOS) is a client-wide state. 
Meanwhile, DeviceRegistrationIssues in WUfB DS will be a ServiceDeviceAlert, as it is a device-wide state in the service to not be correctly registered.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time at which this event is generated and logged."},{"name":"AlertId","type":"string","description":"The unique identifier of this Alert.","isPreferredFacet":true},{"name":"GlobalDeviceId","type":"string","description":"Microsoft internal Global Device Identifier.","isPreferredFacet":true},{"name":"AzureADTenantId","type":"string","description":"A GUID corresponding to this device's AAD Device ID."},{"name":"AzureADDeviceId","type":"string","description":"A GUID corresponding to the AAD Tenant to which the device belongs.","isPreferredFacet":true},{"name":"SCCMClientId","type":"string","description":"A GUID corresponding to the SCCM Client ID on the device.","isPreferredFacet":true},{"name":"DeviceName","type":"string","description":"Device's given name.","isPreferredFacet":true},{"name":"AlertType","type":"string","description":"The type of Alert this is, ClientUpdateAlert, ServiceUpdateAlert. 
Indicates which fields will be present.","isPreferredFacet":true},{"name":"AlertSubtype","type":"string","description":"The Subtype of Alert.","isPreferredFacet":true},{"name":"AlertStatus","type":"string","description":"Whether this Alert is Active, Resolved, or Deleted.","isPreferredFacet":true},{"name":"AlertRank","type":"int","description":"Integer ranking of Alert for prioritization during troubleshooting.","isPreferredFacet":true},{"name":"AlertClassification","type":"string","description":"Whether this Alert is an Error, a Warning, or Informational.","isPreferredFacet":true},{"name":"Description","type":"string","description":"A localized string translated from a combination of other Alert fields + language preference that describes the issue in detail.","isPreferredFacet":true},{"name":"Recommendation","type":"string","description":"A localized string translated from RecommendedAction, Message, and other fields (depending on source of Alert) that provides a recommended action."},{"name":"AlertData","type":"string","description":"An optional string formatted as a json payload containing metadata for the alert.","isPreferredFacet":true},{"name":"ErrorCode","type":"string","description":"The Error Code, if any, that triggered this Alert. In the case of Client-based explicit alerts, error codes can have extended error codes, which are appended to the error code with a underscore separator.","isPreferredFacet":true},{"name":"ErrorSymName","type":"string","description":"The symbolic name that maps to the Error Code, if any. 
Otherwise empty."},{"name":"URL","type":"string","description":"An optional URL to get more in-depth information related to this alert.","isPreferredFacet":true},{"name":"StartTime","type":"datetime","description":"The time this alert was activated.","isPreferredFacet":true},{"name":"ResolvedTime","type":"datetime","description":"The time this alert was resolved, else empty.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["LogManagement","WaaSUpdateInsights"]}},{"id":"UCServiceUpdateStatus","name":"UCServiceUpdateStatus","tableType":"Microsoft","description":"Update Compliance - Update Event that comes directly from the service-side, and only tells the \"service-side\" of the story, for one device (client), and one update, in one deployment. As such, this event is stripped of certain fields in favor of being able to show data in near real-time.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time at which this event is generated."},{"name":"GlobalDeviceId","type":"string","description":"Microsoft internal Global Device Identifier","isPreferredFacet":true},{"name":"AzureADTenantId","type":"string","description":"A GUID corresponding to this device's AAD Device ID"},{"name":"AzureADDeviceId","type":"string","description":"A GUID corresponding to the AAD Tenant to which the device belongs.","isPreferredFacet":true},{"name":"DeploymentId","type":"string","description":"The identifier of the Deployment that is targeting this update to this device, else empty.","isPreferredFacet":true},{"name":"ServiceSubstate","type":"string","description":"Last-known state of this update relative to the device, from the client (the device's 
WDD).","isPreferredFacet":true},{"name":"ServiceState","type":"string","description":"High-level state of update's status relative to device, service-side.","isPreferredFacet":true},{"name":"ServiceSubstateRank","type":"int","description":"Ranking of Substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together.","isPreferredFacet":true},{"name":"DeploymentIsExpedited","type":"bool","description":"Whether this content is being expedited by WUfB DS.","isPreferredFacet":true},{"name":"UpdateCategory","type":"string","description":"The type of content this DeviceUpdateEvent is tracking.","isPreferredFacet":true},{"name":"UpdateClassification","type":"string","description":"Whether this content is an Upgrade (FU), Security (QU), NonSecurity (QU).","isPreferredFacet":true},{"name":"UpdateManufacturer","type":"string","description":"Manufacturer of update. Microsoft for WU FU/QU, for D&F name of driver manufacturer e.g. NVIDIA.","isPreferredFacet":true},{"name":"UpdateDisplayName","type":"string","description":"The long-form display name for the given update. Varies on content type (FU/QU).","isPreferredFacet":true},{"name":"TargetVersion","type":"string","description":"The target OS Version - eg, 1909.","isPreferredFacet":true},{"name":"TargetBuild","type":"string","description":"The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this would correspond to the full build (10.0.14393.385).","isPreferredFacet":true},{"name":"UpdateReleaseTime","type":"datetime","description":"DateTime of update's release date.","isPreferredFacet":true},{"name":"OfferReadyTime","type":"datetime","description":"DateTime of OfferReady transition. If empty, not yet been Offered.","isPreferredFacet":true},{"name":"ProjectedOfferReadyTime","type":"datetime","description":"Projected time update will be Offered to device. If empty, unknown. 
","isPreferredFacet":true},{"name":"ServiceSubstateTime","type":"datetime","description":"DateTime of last ServiceSubstate transition.","isPreferredFacet":true},{"name":"DeploymentName","type":"string","description":"Friendly name of the created deployment.","isPreferredFacet":true},{"name":"PolicyId","type":"string","description":"The policy identifier targeting the update to this device.","isPreferredFacet":true},{"name":"PolicyName","type":"string","description":"Friendly name of the created update policy.","isPreferredFacet":true},{"name":"UpdateId","type":"string","description":"Update ID of the targeted update.","isPreferredFacet":true},{"name":"CatalogId","type":"string","description":"Catalog ID for update.","isPreferredFacet":true},{"name":"PolicyCreatedTime","type":"datetime","description":"The datetime of when the policy was created.","isPreferredFacet":true},{"name":"DeploymentApprovedTime","type":"datetime","description":"The datetime of when the update deployment was approved.","isPreferredFacet":true},{"name":"DeploymentRevokeTime","type":"datetime","description":"The datetime of when the update deployment was revoked.","isPreferredFacet":true},{"name":"UpdateRecommendedTime","type":"datetime","description":"The datetime of when the update was recommended to the device.","isPreferredFacet":true},{"name":"UpdateProvider","type":"string","description":"Update provider of drivers and firmware, eg. 
Microsoft.","isPreferredFacet":true},{"name":"UpdateVersion","type":"string","description":"Update version of drivers and firmware.","isPreferredFacet":true},{"name":"UpdateVersionTime","type":"datetime","description":"Update version time of drivers and firmware.","isPreferredFacet":true},{"name":"UdpateIsSystemManifest","type":"bool","description":"Signifies if update is a system manifest.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["LogManagement","WaaSUpdateInsights"]}},{"id":"UCUpdateAlert","name":"UCUpdateAlert","tableType":"Microsoft","description":"Update Compliance - Alert for both Client and Service Update, will contain information that needs attention, relative to one device (client), one update, and one deployment (if relevant). Certain fields may be blank depending on the UpdateAlert's AlertType field; for example, ServiceUpdateAlert will not necessarily contain client-side statuses. 
","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Time at which this event is generated."},{"name":"AlertId","type":"string","description":"The unique identifier of this Alert.","isPreferredFacet":true},{"name":"GlobalDeviceId","type":"string","description":"Microsoft internal Global Device Identifier.","isPreferredFacet":true},{"name":"AzureADTenantId","type":"string","description":"A GUID corresponding to this device's AAD Device ID."},{"name":"AzureADDeviceId","type":"string","description":"A GUID corresponding to the AAD Tenant to which the device belongs.","isPreferredFacet":true},{"name":"SCCMClientId","type":"string","description":"A GUID corresponding to the SCCM Client ID on the device.","isPreferredFacet":true},{"name":"DeploymentId","type":"string","description":"The identifier of the Deployment that is targeting this update to this device, else empty.","isPreferredFacet":true},{"name":"DeviceName","type":"string","description":"Device's given name.","isPreferredFacet":true},{"name":"AlertType","type":"string","description":"The type of Alert this is, ClientUpdateAlert, ServiceUpdateAlert. Indicates which fields will be present.","isPreferredFacet":true},{"name":"AlertSubtype","type":"string","description":"The Subtype of Alert.","isPreferredFacet":true},{"name":"AlertStatus","type":"string","description":"Whether this Alert is Active, Resolved, or Deleted.","isPreferredFacet":true},{"name":"AlertRank","type":"int","description":"Integer ranking of Alert for prioritization during troubleshooting.","isPreferredFacet":true},{"name":"AlertClassification","type":"string","description":"Whether this Alert is an Error, a Warning, or Informational.","isPreferredFacet":true},{"name":"ServiceSubstate","type":"string","description":"Ranking of Client Substates for sequential ordering in funnel-type views. 
The rankings between ServiceSubstate and ClientSubstate can be used together.","isPreferredFacet":true},{"name":"ServiceSubstateRank","type":"int","description":"Rank of ServiceSubstate","isPreferredFacet":true},{"name":"ClientSubstate","type":"string","description":"If the Alert is from the Client, the ClientSubstate at the time this Alert was activated or updated, else Empty.","isPreferredFacet":true},{"name":"ClientSubstateRank","type":"int","description":"Rank of ClientSubstate.","isPreferredFacet":true},{"name":"UpdateCategory","type":"string","description":"The type of content this DeviceUpdateEvent is tracking.","isPreferredFacet":true},{"name":"UpdateClassification","type":"string","description":"Whether this content is an Upgrade (FU), Security (QU), NonSecurity (QU)","isPreferredFacet":true},{"name":"TargetVersion","type":"string","description":"The target OS Version - eg, 1909.","isPreferredFacet":true},{"name":"TargetBuild","type":"string","description":"The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this would correspond to the full build (10.0.14393.385).","isPreferredFacet":true},{"name":"Description","type":"string","description":"A localized string translated from a combination of other Alert fields + language preference that describes the issue in detail.","isPreferredFacet":true},{"name":"Recommendation","type":"string","description":"A localized string translated from RecommendedAction, Message, and other fields (depending on source of Alert) that provides a recommended action."},{"name":"AlertData","type":"string","description":"An optional string formatted as a json payload containing metadata for the alert.","isPreferredFacet":true},{"name":"ErrorCode","type":"string","description":"The Error Code, if any, that triggered this Alert. 
In the case of Client-based explicit alerts, error codes can have extended error codes, which are appended to the error code with an underscore separator.","isPreferredFacet":true},{"name":"ErrorSymName","type":"string","description":"The symbolic name that maps to the Error Code, if any. Otherwise empty."},{"name":"URL","type":"string","description":"An optional URL to get more in-depth information related to this alert.","isPreferredFacet":true},{"name":"StartTime","type":"datetime","description":"The time this alert was activated.","isPreferredFacet":true},{"name":"ResolvedTime","type":"datetime","description":"The time this alert was resolved, else empty.","isPreferredFacet":true},{"name":"UpdateId","type":"string","description":"Update ID of the targeted update.","isPreferredFacet":true},{"name":"CatalogId","type":"string","description":"The update catalog ID.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"solutions":["LogManagement","WaaSUpdateInsights"]}},{"id":"Update","name":"Update","tableType":"Microsoft","description":"Details for update schedule run. 
Includes information such as which updates were available and which were installed.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ManagementGroupName","type":"string","isPreferredFacet":true},{"name":"SourceComputerId","type":"string"},{"name":"Title","type":"string","isPreferredFacet":true},{"name":"MSRCSeverity","type":"string","isPreferredFacet":true},{"name":"Classification","type":"string","isPreferredFacet":true},{"name":"PublishedDate","type":"datetime"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"UpdateState","type":"string","isPreferredFacet":true},{"name":"Product","type":"string","isPreferredFacet":true},{"name":"KBID","type":"string","isPreferredFacet":true},{"name":"UpdateID","type":"string","isPreferredFacet":true},{"name":"RevisionNumber","type":"string","isPreferredFacet":true},{"name":"Optional","type":"bool","isPreferredFacet":true},{"name":"RebootBehavior","type":"string","isPreferredFacet":true},{"name":"MSRCBulletinID","type":"string","isPreferredFacet":true},{"name":"Approved","type":"bool","isPreferredFacet":true},{"name":"ApprovalSource","type":"string","isPreferredFacet":true},{"name":"InstallTimePredictionSeconds","type":"real"},{"name":"InstallTimeDeviationRangeSeconds","type":"real"},{"name":"InstallTimeAvailable","type":"bool","isPreferredFacet":true},{"name":"SubscriptionId","type":"string"},{"name":"ResourceGroup","type":"string","isPreferredFacet":true},{"name":"ResourceProvider","type":"string","isPreferredFacet":true},{"name":"Resource","type":"string","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"ResourceType","type":"string","isPreferredFacet":true},{"name":"ComputerEnvironment","type":"string"},{"name":"VMUUID","type":"string"},{"name":"OSType","type":"string","isPreferredFacet":true},{"name":"Pro
ductVersion","type":"string","isPreferredFacet":true},{"name":"ProductArch","type":"string","isPreferredFacet":true},{"name":"CVENumbers","type":"string","isPreferredFacet":true},{"name":"BulletinUrl","type":"string","isPreferredFacet":true},{"name":"BulletinID","type":"string","isPreferredFacet":true},{"name":"PackageRepository","type":"string","isPreferredFacet":true},{"name":"PackageSeverity","type":"string","isPreferredFacet":true},{"name":"OSName","type":"string","isPreferredFacet":true},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"OSFullName","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["management","security"],"solutions":["Security","SecurityCenter","SecurityCenterFree","Updates"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets","microsoft.automation/automationaccounts"]}},{"id":"UpdateRunProgress","name":"UpdateRunProgress","tableType":"Microsoft","description":"Breaks down each run of your update schedule by the patches available at the time with details on the installation status of each 
patch.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ManagementGroupName","type":"string","isPreferredFacet":true},{"name":"SourceComputerId","type":"string"},{"name":"KBID","type":"string","isPreferredFacet":true},{"name":"UpdateId","type":"string"},{"name":"SucceededOnRetry","type":"bool","isPreferredFacet":true},{"name":"ErrorResult","type":"string","isPreferredFacet":true},{"name":"UpdateRunName","type":"string"},{"name":"InstallationStatus","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"Title","type":"string","isPreferredFacet":true},{"name":"Product","type":"string","isPreferredFacet":true},{"name":"OSType","type":"string","isPreferredFacet":true},{"name":"StartTime","type":"datetime"},{"name":"EndTime","type":"datetime"},{"name":"CorrelationId","type":"string"},{"name":"SubscriptionId","type":"string"},{"name":"ResourceGroup","type":"string","isPreferredFacet":true},{"name":"ResourceProvider","type":"string","isPreferredFacet":true},{"name":"Resource","type":"string","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"ResourceType","type":"string","isPreferredFacet":true},{"name":"ComputerEnvironment","type":"string"},{"name":"VMUUID","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["management"],"solutions":["Updates"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets","microsoft.automation/automationaccounts"]}},{"id":"UpdateSummary","name":"UpdateSummary","tableType":"Microsoft","description":"Summary for each update schedule run. Includes information such as how many updates were not installed.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ManagementGroupName","type":"string","isPreferredFacet":true},{"name":"SourceComputerId","type":"string"},{"name":"OldestMissingSecurityUpdateInDays","type":"int","isPreferredFacet":true},{"name":"OldestMissingSecurityUpdateBucket","type":"string"},{"name":"WindowsUpdateSetting","type":"string"},{"name":"WindowsUpdateAgentVersion","type":"string","isPreferredFacet":true},{"name":"WSUSServer","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string"},{"name":"OsVersion","type":"string","isPreferredFacet":true},{"name":"NETRuntimeVersion","type":"string","isPreferredFacet":true},{"name":"CriticalUpdatesMissing","type":"int"},{"name":"SecurityUpdatesMissing","type":"int"},{"name":"OtherUpdatesMissing","type":"int"},{"name":"TotalUpdatesMissing","type":"int"},{"name":"RestartPending","type":"bool","isPreferredFacet":true},{"name":"SubscriptionId","type":"string"},{"name":"ResourceGroup","type":"string","isPreferredFacet":true},{"name":"ResourceProvider","type":"string","isPreferredFacet":true},{"name":"Resource","type":"string","isPreferredFacet":true},{"name":"ResourceId","type":"string","isPreferredFacet":true},{"name":"ResourceType","type":"string","isPreferredFacet":true},{"name":"ComputerEnvironment","type":"string"},{"name":"
VMUUID","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["virtualmachines"],"solutions":["Security","SecurityCenter","SecurityCenterFree","Updates"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets","microsoft.automation/automationaccounts"]}},{"id":"UrlClickEvents","name":"UrlClickEvents","tableType":"Microsoft","description":"Events involving URLs clicked, selected, or requested on Microsoft Defender for Office 365.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The date and time when the user clicked on the link. 
The value is identical to TimeGenerated and intended for Microsoft Defender for Endpoints queries compatibility."},{"name":"Url","type":"string","description":"The full URL that was clicked on by the user."},{"name":"ActionType","type":"string","description":"Indicates whether the click was allowed or blocked by 'safe links' or blocked due to a tenant policy e.g., from tenant allow block list."},{"name":"AccountUpn","type":"string","description":"User Principal Name of the account that clicked on the link."},{"name":"Workload","type":"string","description":"The application from which the user clicked on the link, with the values being Email, Office and Teams."},{"name":"NetworkMessageId","type":"string","description":"The unique identifier for the email that contains the clicked link, generated by Microsoft 365."},{"name":"IPAddress","type":"string","description":"Public IP address of the device from which the user clicked on the link."},{"name":"ThreatTypes","type":"string","description":"Verdict at the time of click, which tells whether the URL led to malware, phish or other threats."},{"name":"DetectionMethods","type":"string","description":"Detection technology which was used to identify the threat at the time of click."},{"name":"IsClickedThrough","type":"bool","description":"Indicates whether the user was able to click through to the original URL or was not allowed."},{"name":"UrlChain","type":"string","description":"For scenarios involving redirections, it includes URLs present in the redirection chain."},{"name":"ReportId","type":"string","description":"This is the unique identifier for a click event. 
Note that for clickthrough scenarios, report ID would have same value, and therefore it should be used to correlate a click event."},{"name":"AppName","type":"string","description":"The application's display name as exposed by the associated service principal."},{"name":"AppVersion","type":"string","description":"Version of the client application where click occurred"},{"name":"SourceId","type":"string","description":"Unique identifier for the source of the click"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["11769810-ba17-4663-bdc3-d6114617aadd"]}},{"id":"Usage","name":"Usage","tableType":"Microsoft","description":"Hourly usage data for each table in the workspace.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"Computer","type":"string","description":"Deprecated","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"Plan","type":"string","description":"Plan of this table (Analytics, Basic or Auxiliary)."},{"name":"SourceSystem","type":"string","description":"For Usage record SourceSystem is always OMS."},{"name":"StartTime","type":"datetime","description":"Start time of the 1 hour aggregation window (same as TimeGenerated)."},{"name":"EndTime","type":"datetime","description":"End time of the one hour aggregation window."},{"name":"ResourceUri","type":"string","description":"The URI of the workspace. 
This will be the same for all records in this table in the workspace.","isPreferredFacet":true},{"name":"LinkedResourceUri","type":"string","description":"Deprecated","isPreferredFacet":true},{"name":"DataType","type":"string","description":"Table that usage is being reported about.","isPreferredFacet":true},{"name":"Solution","type":"string","description":"Solution about which usage is being reported.","isPreferredFacet":true},{"name":"BatchesWithinSla","type":"long","description":"Deprecated"},{"name":"BatchesOutsideSla","type":"long","description":"Deprecated"},{"name":"BatchesCapped","type":"long","description":"Deprecated"},{"name":"TotalBatches","type":"long","description":"Deprecated"},{"name":"AvgLatencyInSeconds","type":"real","description":"Deprecated"},{"name":"Quantity","type":"real","description":"Size of data in Mbytes."},{"name":"QuantityUnit","type":"string","description":"Value is always Mbytes.","isPreferredFacet":true},{"name":"IsBillable","type":"bool","description":"Logical flag to indicate whether we bill for this data record.","isPreferredFacet":true},{"name":"MeterId","type":"string","description":"GUID of the meter used for billing.","isPreferredFacet":true},{"name":"LinkedMeterId","type":"string","description":"Deprecated","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["monitor"],"solutions":["LogManagement"]}},{"id":"UserAccessAnalytics","name":"UserAccessAnalytics","tableType":"Microsoft","description":"This analytics table, for a given user, provides the direct or transitive access to Azure resources. 
For example, if the user under investigation is Jane Smith, Access Analytics calculates all the Azure subscriptions that she can access, either directly, via groups, or via service principals.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the access analytics is calculated"},{"name":"AADTenantId","type":"string","description":"Unique identifier of the Azure Tenant"},{"name":"SourceEntityType","type":"string","description":"Type of entity which has access to the target entity"},{"name":"SourceEntityId","type":"string","description":"Unique identifier of entity which has access to the target entity"},{"name":"SourceEntityName","type":"string","description":"Display name of entity which has access to the target entity"},{"name":"TargetEntityType","type":"string","description":"Type of the entity which the source entity can access"},{"name":"TargetEntityId","type":"string","description":"Unique identifier of the entity which the source entity can access"},{"name":"TargetEntityName","type":"string","description":"Display name of the entity which the source entity can access"},{"name":"AccessLevel","type":"string","description":"The level of access that the source entity has to the target entity"},{"name":"AccessType","type":"string","description":"The type of access that the source entity has to the target entity"},{"name":"AccessStartTime","type":"datetime","description":"Timestamp when the source entity was provided access to the target entity"},{"name":"AccessEndTime","type":"datetime","description":"Timestamp when the source entity's access to the target entity was revoked"},{"name":"AccessEndReason","type":"string","description":"Reason why the source entity's access to the target entity was revoked"},{"name":"AccessId","type":"string","description":"Unique identifier for the access between source and target 
entity"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"solutions":["BehaviorAnalyticsInsights"]}},{"id":"UserPeerAnalytics","name":"UserPeerAnalytics","tableType":"Microsoft","description":"This analytics table, for a given user, provides a ranked list of peers. For example, if the user is Jane Smith, Peer Analytics calculates all of Jane's peers based on her mailing list, security groups, etc and provides the top 20 of her peers.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp when the peer analytics is calculated"},{"name":"AADTenantId","type":"string","description":"Unique identifier of the Azure Tenant"},{"name":"UserId","type":"string","description":"Unique identifier of the primary user"},{"name":"UserPrincipalName","type":"string","description":"User principal name of the primary user"},{"name":"UserName","type":"string","description":"User name of the primary user"},{"name":"PeerUserId","type":"string","description":"Unique identifier of the peer of the primary user"},{"name":"PeerUserPrincipalName","type":"string","description":"User principal name of the peer of the primary user"},{"name":"PeerUserName","type":"string","description":"User name of the peer of the primary user"},{"name":"Rank","type":"int","description":"Rank of the peer with respect to the primary user"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["security"],"solutions":["BehaviorAnalyticsInsights"]}},{"id":"VCoreMongoRequests","name":"VCoreMongoRequests","tableType":"Microsoft","description":"This table details data plane requests for MongoDB (vCore).","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Timestamp (in UTC) of the Mongo (vCore) data plane request."},{"name":"ClusterName","type":"string","description":"Cluster name."},{"name":"OperationName","type":"string","description":"The Mongo (vCore) operation that was executed."},{"name":"ActivityId","type":"string","description":"The unique identifier (GUID) for this Mongo (vCore) request."},{"name":"ErrorCode","type":"int","description":"The error code (if applicable) for this request."},{"name":"DurationMs","type":"real","description":"The server-side execution time (in ms) for this request."},{"name":"DatabaseName","type":"string","description":"The name of the Cosmos DB database against which this request was issued."},{"name":"CollectionName","type":"string","description":"The name of the Cosmos DB container against which this request was issued."},{"name":"ClientIp","type":"string","description":"The IP address of the client VM which issued the request."},{"name":"PiiCommandText","type":"string","description":"Full text query for this Mongo (vCore) request."},{"name":"ReadRequest","type":"string","description":"The server-side read request latency for this request."},{"name":"RegionName","type":"string","description":"The region against which 
this request was issued."},{"name":"RequestLength","type":"real","description":"The payload size (in bytes) of the request."},{"name":"ResponseLength","type":"real","description":"The payload size (in bytes) of the server response."},{"name":"TransportProtocol","type":"string","description":"The transport protocol of the request."},{"name":"UserAgent","type":"string","description":"The user agent suffix associated with the client issuing the request."},{"name":"UserId","type":"string","description":"The user id associated with the client issuing the request."},{"name":"WriteResponse","type":"string","description":"The server-side write request latency for this request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.documentdb/mongoclusters"],"solutions":["LogManagement"],"queries":["7c29ceda-72da-4398-befe-2a17722165b1","5bb1d784-35fa-4065-bcfe-d780877bb42a","9883e7d9-5df2-4ced-bd47-3fc5f34f3c7a","4ad830b9-b8b6-4e8e-a934-754d4ad2d959"]}},{"id":"VIAudit","name":"VIAudit","tableType":"Microsoft","description":"Audit logs from Video Indexer.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was generated."},{"name":"VideoIndexerResourceId","type":"string","description":"The Video Indexer resource ID."},{"name":"Location","type":"string","description":"The Video Indexer resource location."},{"name":"AccountName","type":"string","description":"The Video Indexer 
account name."},{"name":"AccountId","type":"string","description":"The Video Indexer account ID."},{"name":"VideoId","type":"string","description":"The Video Indexer video ID."},{"name":"OperationName","type":"string","description":"The name of the operation that triggered the event."},{"name":"Signature","type":"int","description":"Http response signature of the operation, for example: 200, 401."},{"name":"Status","type":"string","description":"Status of the operation, for example: Success, Failure, Warning, Informational, Partial Success."},{"name":"Description","type":"string","description":"The operation description."},{"name":"ExternalUserId","type":"string","description":"Caller external user Id."},{"name":"Upn","type":"string","description":"Caller email."},{"name":"Claims","type":"dynamic","description":"Caller claims details."},{"name":"CallerIpAddress","type":"string","description":"The caller IP address."},{"name":"CorrelationId","type":"string","description":"A unique record identifier."},{"name":"DurationMs","type":"int","description":"The operation duration in milliseconds."},{"name":"OperationVersion","type":"string","description":"The Video Indexer operations API version."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.videoindexer/accounts"],"solutions":["LogManagement"],"queries":["b81828c9-f1b6-4901-8705-744199b363c5","ed8f4b3c-4e68-47a7-98d8-86e8dae96466","a933b563-1729-4a4a-aae6-0918df2a3762","260cbcfa-559a-416b-b97d-31c385b384be"]}},{"id":"VIIndexing","name":"VIIndexing","tableType":"Microsoft","description":"Indexing logs from Video Indexer.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was generated."},{"name":"VideoIndexerResourceId","type":"string","description":"Video Indexer resource ID."},{"name":"Location","type":"string","description":"Video Indexer resource location."},{"name":"AccountName","type":"string","description":"Video Indexer account name."},{"name":"AccountId","type":"string","description":"Video Indexer account ID."},{"name":"VideoId","type":"string","description":"Video Indexer video ID."},{"name":"OperationName","type":"string","description":"The name of the operation that triggered the event."},{"name":"ErrorCode","type":"string","description":"The error code if the operation failed"},{"name":"Status","type":"string","description":"Status of the operation, for example: Success, Failure, Warning, Informational or PartialSuccess."},{"name":"ErrorDescription","type":"string","description":"The description of the error code ."},{"name":"ExternalUserId","type":"string","description":"Caller external user Id."},{"name":"Upn","type":"string","description":"Caller email."},{"name":"CorrelationId","type":"string","description":"A unique record identifier."},{"name":"DurationMs","type":"int","description":"The operation duration in milliseconds."},{"name":"OperationVersion","type":"string","description":"Video Indexer operations API version."},{"name":"IndexingProperties","type":"dynamic","description":"Properties of the indexing operation 
request."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.videoindexer/accounts"],"solutions":["LogManagement"],"queries":["9ddee6d4-c94d-411d-8fb9-ee10fc74502b","8a09c867-4caf-4a3c-ae4a-d8bd5c2b0263"]}},{"id":"VMBoundPort","name":"VMBoundPort","tableType":"Microsoft","description":"Traffic for open server ports on the monitored machine.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Name of the server","isPreferredFacet":true},{"name":"ProcessName","type":"string","description":"Unique identifier for the process in the ServiceMapProcess_CL table.","isPreferredFacet":true},{"name":"Ip","type":"string","description":"Port IP address. Can be wildcard IP 0.0.0.0.","isPreferredFacet":true},{"name":"Port","type":"int","description":"Port number.","isPreferredFacet":true},{"name":"Protocol","type":"string","description":"The protocol. 
Example tcp or udp (only tcp is currently supported).","isPreferredFacet":true},{"name":"IsWildcardBind","type":"bool","description":"Specifies whether the connection was made as a wildcard bind request.","isPreferredFacet":true},{"name":"BytesSent","type":"long","description":"Bytes sent on the port"},{"name":"BytesReceived","type":"long","description":"Bytes received on the port"},{"name":"LinksLive","type":"long","description":"Count of live links at the end of the time period recorded."},{"name":"LinksTerminated","type":"long","description":"Count of terminated links over the time period recorded."},{"name":"LinksEstablished","type":"long","description":"Count of links established on the port."},{"name":"Responses","type":"long","description":"Count of responses in the time period recorded."},{"name":"ResponseTimeSum","type":"long","description":"Measurement of the total time between first and last byte received"},{"name":"ResponseTimeMin","type":"long","description":"Measurement of the minimum time between first and last byte received."},{"name":"ResponseTimeMax","type":"long","description":"Measurement of the maximum time between first and last byte received."},{"name":"PortId","type":"string","description":"Port ID.","isPreferredFacet":true},{"name":"Machine","type":"string","description":"Unique identifier to the machine in the ServiceMapComputer_CL table.","isPreferredFacet":true},{"name":"Process","type":"string","description":"Identity of the process or group of processes that the port is associated with.","isPreferredFacet":true},{"name":"AgentId","type":"string","description":"Unique agent GUID for the agent reporting data on the server.","isPreferredFacet":true},{"name":"SourceSystem","type":"string","description":"Value is OpsManager for all records.","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["virtualmachines"],"solutions":["AzureResources","InfrastructureInsights","ServiceMap","VMInsights"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets"]}},{"id":"VMComputer","name":"VMComputer","tableType":"Microsoft","description":"Inventory data for servers collected by the Service Map and VM Insights solutions using the Dependency agent and Log analytics agent.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"Computer","type":"string","description":"The name of the computer.","isPreferredFacet":true},{"name":"AgentId","type":"string","description":"Unique ID for the microsoft monitoring agent installed on the server.","isPreferredFacet":true},{"name":"Machine","type":"string","description":"AgentId with m- prepended.","isPreferredFacet":true},{"name":"DisplayName","type":"string","description":"The display name of the server.","isPreferredFacet":true},{"name":"FullDisplayName","type":"string","description":"The full display name of the server.","isPreferredFacet":true},{"name":"HostName","type":"string","description":"The host name of the server without domain.","isPreferredFacet":true},{"name":"BootTime","type":"datetime","description":"The boot time in UTC","isPreferredFacet":true},{"name":"TimeZone","type":"string","description":"The UTC timezone offset of the 
server.","isPreferredFacet":true},{"name":"VirtualizationState","type":"string","description":"Values will be Unknown Physical Virtual or Hypervisor","isPreferredFacet":true},{"name":"Ipv4Addresses","type":"dynamic","description":"A list of the server's IPv4 addresses","isPreferredFacet":true},{"name":"Ipv4SubnetMasks","type":"dynamic","description":"A list of the server's IPv4 subnet masks.","isPreferredFacet":true},{"name":"Ipv4DefaultGateways","type":"dynamic","description":"A list of the server's IPv4 default gateways.","isPreferredFacet":true},{"name":"Ipv6Addresses","type":"dynamic","description":"A list of the server's IPv6 addresses","isPreferredFacet":true},{"name":"MacAddresses","type":"dynamic","description":"A list of the server's MAC addresses","isPreferredFacet":true},{"name":"DnsNames","type":"dynamic","description":"An array of DNS names","isPreferredFacet":true},{"name":"DependencyAgentVersion","type":"string","description":"The version number of the dependency agent on the server.","isPreferredFacet":true},{"name":"OperatingSystemFamily","type":"string","description":"Value will be windows or linux","isPreferredFacet":true},{"name":"OperatingSystemFullName","type":"string","description":"The full name of the operating system","isPreferredFacet":true},{"name":"PhysicalMemoryMB","type":"long","description":"The physical memory in MB","isPreferredFacet":true},{"name":"Cpus","type":"int","description":"The number of CPUs","isPreferredFacet":true},{"name":"CpuSpeed","type":"int","description":"The CPU speed in MHz","isPreferredFacet":true},{"name":"VirtualMachineType","type":"string","description":"hyperv vmware xen and so on","isPreferredFacet":true},{"name":"VirtualMachineNativeId","type":"string","description":"The native id of the server.","isPreferredFacet":true},{"name":"VirtualMachineNativeName","type":"string","description":"The name of the VM","isPreferredFacet":true},{"name":"VirtualMachineHypervisorId","type":"string","description":"The 
hypervisor id of the server.","isPreferredFacet":true},{"name":"HypervisorType","type":"string","description":"The hypervisor type of the server.","isPreferredFacet":true},{"name":"HypervisorId","type":"string","description":"The hypervisor id of the server.","isPreferredFacet":true},{"name":"HostingProvider","type":"string","description":"The hosting provider for the server","isPreferredFacet":true},{"name":"AzureSubscriptionId","type":"string","description":"The subscription ID of the server. Only available for Azure VMs and VMSS instances.","isPreferredFacet":true},{"name":"AzureResourceGroup","type":"string","description":"The resource group for the server. Only available for Azure VMs and VMSS instances.","isPreferredFacet":true},{"name":"AzureResourceName","type":"string","description":"The Azure name for the resource.","isPreferredFacet":true},{"name":"AzureLocation","type":"string","description":"The location of the server. Only available for Azure VMs and VMSS instances.","isPreferredFacet":true},{"name":"AzureUpdateDomain","type":"string","description":"The update domain of the server. Only available for Azure VMs and VMSS instances.","isPreferredFacet":true},{"name":"AzureFaultDomain","type":"string","description":"The fault domain for the server. Only available for Azure VMs and VMSS instances.","isPreferredFacet":true},{"name":"AzureVmId","type":"string","description":"The Azure ID of the server. Only available for Azure VMs and VMSS instances.","isPreferredFacet":true},{"name":"AzureSize","type":"string","description":"The size of the Azure VM. Only available for Azure VMs and VMSS instances.","isPreferredFacet":true},{"name":"AzureImagePublisher","type":"string","description":"The publisher of the VM image used on the server. Only available for Azure VMs and VMSS instances.","isPreferredFacet":true},{"name":"AzureImageOffering","type":"string","description":"The description of the image used on the server. 
Only available for Azure VMs and VMSS instances.","isPreferredFacet":true},{"name":"AzureImageSku","type":"string","description":"The sku for the VM image used on the server. Only available for Azure VMs and VMSS instances.","isPreferredFacet":true},{"name":"AzureImageVersion","type":"string","description":"The image version used on the server. Only available for Azure VMs and VMSS instances.","isPreferredFacet":true},{"name":"AzureCloudServiceName","type":"string","description":"For cloud services the service name of the server.","isPreferredFacet":true},{"name":"AzureCloudServiceDeployment","type":"string","description":"For cloud services the deployment id of the server.","isPreferredFacet":true},{"name":"AzureCloudServiceRoleName","type":"string","description":"For cloud services the role name of the server.","isPreferredFacet":true},{"name":"AzureCloudServiceRoleType","type":"string","description":"For cloud services the role type of the server.","isPreferredFacet":true},{"name":"AzureCloudServiceInstanceId","type":"string","description":"For cloud services the instance name of the server.","isPreferredFacet":true},{"name":"AzureVmScaleSetName","type":"string","description":"For scale sets the name of the scale set.","isPreferredFacet":true},{"name":"AzureVmScaleSetDeployment","type":"string","description":"For scale sets the deployment id of the server.","isPreferredFacet":true},{"name":"AzureVmScaleSetResourceId","type":"string","description":"For scale sets the resource id of the scale set.","isPreferredFacet":true},{"name":"AzureVmScaleSetInstanceId","type":"string","description":"For scale sets the instance id of the server.","isPreferredFacet":true},{"name":"AzureServiceFabricClusterId","type":"string","description":"For service fabric clusters the cluster id of the server.","isPreferredFacet":true},{"name":"AzureServiceFabricClusterName","type":"string","description":"For service fabric clusters the cluster 
name.","isPreferredFacet":true},{"name":"SourceSystem","type":"string","description":"The source of the data collected (Insights)","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["virtualmachines"],"solutions":["AzureResources","ServiceMap","VMInsights"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets"]}},{"id":"VMConnection","name":"VMConnection","tableType":"Microsoft","description":"Traffic for inbound and outbound connections to and from monitored computers.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"Computer","type":"string","description":"Name of the server from the ServiceMapComputer_CL table.","isPreferredFacet":true},{"name":"Direction","type":"string","description":"Direction of the connection value is inbound or outbound","isPreferredFacet":true},{"name":"ProcessName","type":"string","description":"Unique identifier for the process in the ServiceMapProcess_CL table.","isPreferredFacet":true},{"name":"SourceIp","type":"string","description":"IP address of the source.","isPreferredFacet":true},{"name":"DestinationIp","type":"string","description":"IP address of the destination.","isPreferredFacet":true},{"name":"DestinationPort","type":"int","description":"Port number of the 
destination.","isPreferredFacet":true},{"name":"Protocol","type":"string","description":"Protocol used for the connection. Only possible value is tcp.","isPreferredFacet":true},{"name":"RemoteIp","type":"string","description":"The IP address of the remote end of a connection is included in the RemoteIp property. For inbound connections RemoteIp is the same as SourceIp while for outbound connections it is the same as DestinationIp.","isPreferredFacet":true},{"name":"RemoteDnsQuestions","type":"string","description":"A JSON array of DNS questions (lookups) that were performed on the machine and resolved to the RemoteIp listed in the record."},{"name":"RemoteDnsCanonicalNames","type":"string","description":"A JSON array of canonical names that came back from the DNS server. For example when using traffic manager you issue a question to foo.trafficmanage.net and get a canonical name as something.myservice.com together with an ip address."},{"name":"RemoteClassification","type":"string","description":"A classification of the remote endpoint based on its ip and dns names and the corresponding Azure service.","isPreferredFacet":true},{"name":"RemoteLongitude","type":"real","description":"Geolocation longitude. An example would be -122.12."},{"name":"RemoteLatitude","type":"real","description":"Geolocation latitude. 
An example would be 47.68."},{"name":"RemoteCountry","type":"string","description":"Name of the country or region hosting RemoteIp.","isPreferredFacet":true},{"name":"BytesSent","type":"long","description":"Total number of bytes that have been sent during the reporting time window."},{"name":"BytesReceived","type":"long","description":"Total number of bytes that have been received during the reporting time window."},{"name":"LinksLive","type":"long","description":"Number of physical network connections that were open at the end of the reporting time window."},{"name":"LinksTerminated","type":"long","description":"Number of physical network connections that have been terminated during the reporting time window."},{"name":"LinksEstablished","type":"long","description":"Number of physical network connections that have been established during the reporting time window."},{"name":"LinksFailed","type":"long","description":"Number of physical network connections that have failed during the reporting time window. This information is currently available only for outbound connections."},{"name":"Responses","type":"long","description":"Number of responses observed during the reporting time window."},{"name":"ResponseTimeSum","type":"long","description":"Sum of all response times observed during the reporting time window in milliseconds. If no value the property is blank."},{"name":"ResponseTimeMin","type":"long","description":"Smallest response time observed during the reporting time window in milliseconds. If no value the property is blank."},{"name":"ResponseTimeMax","type":"long","description":"Largest response time observed during the reporting time window in milliseconds. If no value the property is blank."},{"name":"MaliciousIp","type":"string","description":"Remote IP address.","isPreferredFacet":true},{"name":"IndicatorThreatType","type":"string","description":"Threat indicator detected. 
Possible values are Botnet C2 CryptoMining Darknet DDos MaliciousUrl Malware Phishing Proxy PUA Watchlist.","isPreferredFacet":true},{"name":"Description","type":"string","description":"Description of the observed threat."},{"name":"TLPLevel","type":"string","description":"Traffic Light Protocol (TLP) Level. Possible values are White Green Amber Red.","isPreferredFacet":true},{"name":"Confidence","type":"string","description":"Values are 0 - 100.","isPreferredFacet":true},{"name":"Severity","type":"int","description":"Possible values are 0 - 5 where 5 is the most severe and 0 is not severe at all. Default value is 3.","isPreferredFacet":true},{"name":"FirstReportedDateTime","type":"string","description":"The first time the provider reported the indicator."},{"name":"LastReportedDateTime","type":"string","description":"Indicates indicators are deactivated with True or False value."},{"name":"IsActive","type":"string","description":"The last time the indicator was seen by Interflow.","isPreferredFacet":true},{"name":"ConnectionId","type":"string","description":"Unique Id for the connection record.","isPreferredFacet":true},{"name":"Machine","type":"string","description":"FQDN of the computer.","isPreferredFacet":true},{"name":"Process","type":"string","description":"Identity of process or groups of processes initiating or accepting the connection.","isPreferredFacet":true},{"name":"AgentId","type":"string","description":"Unique agent GUID for the agent reporting data on the server.","isPreferredFacet":true},{"name":"SourceSystem","type":"string","description":"Value is OpsManager for all records.","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier 
for the subscription that the record is associated with"}],"related":{"categories":["virtualmachines"],"solutions":["AzureResources","InfrastructureInsights","ServiceMap","VMInsights"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets"]}},{"id":"VMProcess","name":"VMProcess","tableType":"Microsoft","description":"Process data for servers collected by the Service Map and VM Insights solutions using the Dependency agent and Log analytics agent.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created.","isPreferredFacet":true},{"name":"Computer","type":"string","description":"The name of the computer.","isPreferredFacet":true},{"name":"AgentId","type":"string","description":"Unique ID for the dependency agent installed on the server.","isPreferredFacet":true},{"name":"Machine","type":"string","description":"The machine name of the server.","isPreferredFacet":true},{"name":"Process","type":"string","description":"The name of the process.","isPreferredFacet":true},{"name":"ExecutableName","type":"string","description":"The name of the process executable","isPreferredFacet":true},{"name":"DisplayName","type":"string","description":"The friendly display name of the process","isPreferredFacet":true},{"name":"Role","type":"string","description":"The role of the process.","isPreferredFacet":true},{"name":"Group","type":"string","description":"The process group name for the process","isPreferredFacet":true},{"name":"StartTime","type":"datetime","description":"The process pool start time","isPreferredFacet":true},{"name":"FirstPid","type":"int","description":"The first PID in the process pool","isPreferredFacet":true},{"name":"Description","type":"string","description":"The process 
description","isPreferredFacet":true},{"name":"CompanyName","type":"string","description":"The name of the company","isPreferredFacet":true},{"name":"InternalName","type":"string","description":"The internal name","isPreferredFacet":true},{"name":"ProductName","type":"string","description":"The name of the product","isPreferredFacet":true},{"name":"ProductVersion","type":"string","description":"The product version","isPreferredFacet":true},{"name":"FileVersion","type":"string","description":"The file version","isPreferredFacet":true},{"name":"ExecutablePath","type":"string","description":"The path to the executable file","isPreferredFacet":true},{"name":"CommandLine","type":"string","description":"The command line","isPreferredFacet":true},{"name":"WorkingDirectory","type":"string","description":"The working directory","isPreferredFacet":true},{"name":"Services","type":"dynamic","description":"A list of services associated with the process.","isPreferredFacet":true},{"name":"UserName","type":"string","description":"The account under which the process is executing","isPreferredFacet":true},{"name":"UserDomain","type":"string","description":"The domain under which the process is executing","isPreferredFacet":true},{"name":"SourceSystem","type":"string","description":"The source of the data collected (OpsManager)","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["virtualmachines"],"solutions":["AzureResources","ServiceMap","VMInsights"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets"]}},{"id":"W3CIISLog","name":"W3CIISLog","tableType":"Microsoft","description":"Internet Information Server (IIS) log on Windows computers using the Log Analytics agent.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","description":"Type of agent the event was collected from. Possible values are OpsManager and AzureStorage.","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Date and time the record was created."},{"name":"sSiteName","type":"string","description":"Name of the IIS site.","isPreferredFacet":true},{"name":"sIP","type":"string","description":"IP address of the server on which the log file entry was generated.","isPreferredFacet":true},{"name":"csMethod","type":"string","description":"Method of the request such as GET or POST.","isPreferredFacet":true},{"name":"csUriStem","type":"string","description":"Target of the action such as a web page for example Default.htm.","isPreferredFacet":true},{"name":"csUriQuery","type":"string","description":"The query if any that the client was trying to perform. A Universal Resource Identifier (URI) query is necessary only for dynamic pages.","isPreferredFacet":true},{"name":"sPort","type":"int","description":"Server port number that is configured for the service.","isPreferredFacet":true},{"name":"csUserName","type":"string","description":"Name of the authenticated user that accessed the server. 
Anonymous users are indicated by a hyphen.","isPreferredFacet":true},{"name":"cIP","type":"string","description":"IP address of the client that accessed the web server.","isPreferredFacet":true},{"name":"csVersion","type":"string","description":"Protocol version that the client used.","isPreferredFacet":true},{"name":"csUserAgent","type":"string","description":"Browser type of the client.","isPreferredFacet":true},{"name":"csCookie","type":"string","description":"Content of the cookie sent or received if any."},{"name":"csReferer","type":"string","description":"Site that the user last visited. This site provided a link to the current site.","isPreferredFacet":true},{"name":"csHost","type":"string","description":"Host header name if any.","isPreferredFacet":true},{"name":"scStatus","type":"string","description":"HTTP status code.","isPreferredFacet":true},{"name":"scSubStatus","type":"string","description":"Substatus error code.","isPreferredFacet":true},{"name":"scWin32Status","type":"string","description":"Windows status code.","isPreferredFacet":true},{"name":"scBytes","type":"long","description":"Number of bytes that the server sent."},{"name":"csBytes","type":"long","description":"Number of bytes that the server received."},{"name":"TimeTaken","type":"long","description":"Length of time to process the request in milliseconds."},{"name":"Computer","type":"string","description":"Name of the computer that the event was collected from.","isPreferredFacet":true},{"name":"ManagementGroupName","type":"string","description":"Name of the management group for Operations Manager agents. 
For other agents this is AOI-.","isPreferredFacet":true},{"name":"MaliciousIP","type":"string","description":"Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension).","isPreferredFacet":true},{"name":"IndicatorThreatType","type":"string","description":"Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension).","isPreferredFacet":true},{"name":"Description","type":"string","description":"Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension)."},{"name":"TLPLevel","type":"string","description":"Only populated for IIS logs collected from Azure Cloud Services through Azure Diagnostics Extension.","isPreferredFacet":true},{"name":"Confidence","type":"string","description":"Only populated for IIS logs collected from Azure Cloud Services through Azure Diagnostics Extension.","isPreferredFacet":true},{"name":"Severity","type":"int","description":"Only populated for IIS logs collected from Azure Cloud Services through Azure Diagnostics Extension.","isPreferredFacet":true},{"name":"FirstReportedDateTime","type":"string","description":"Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension)."},{"name":"LastReportedDateTime","type":"string","description":"Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension)."},{"name":"IsActive","type":"string","description":"Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension).","isPreferredFacet":true},{"name":"RemoteIPLongitude","type":"real","description":"Longitude of the client IP address."},{"name":"RemoteIPLatitude","type":"real","description":"Latitude of the client IP address."},{"name":"RemoteIPCountry","type":"string","description":"Country/region of the IP address of the 
client.","isPreferredFacet":true},{"name":"StorageAccount","type":"string","description":"Only populated for IIS logs collected from Azure Cloud Services through Azure Diagnostics Extension.","isPreferredFacet":true},{"name":"AzureDeploymentID","type":"string","description":"Azure deployment ID of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent when data is pulled from Azure storage.","isPreferredFacet":true},{"name":"Role","type":"string","description":"Role instance of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent and data is pulled from Azure storage.","isPreferredFacet":true},{"name":"RoleInstance","type":"string","description":"Role of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent and data is pulled from Azure storage.","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["management","virtualmachines"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets"],"solutions":["LogManagement"]}},{"id":"WDAVStatus","name":"WDAVStatus","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"OSName","type":"string","isPreferredFacet":true},{"name":"EngineVersion","type":"string"},{"name":"ApplicationVersion","type":"string"},{"name":"DefinitionVersion","type":"string"},{"name":"UpdateStatus","type":"string","isPreferredFacet":true},{"name":"DetailedStatus","type":"string","isPreferredFacet":true},{"name":"ProtectionState","type":"string","isPreferredFacet":true},{"name":"CloudBlockLevel","type":"string"},{"name":"PuaMode","type":"string"},{"name":"SampleSubmission","type":"string"},{"name":"LastDefinitionUpdateTime","type":"datetime"},{"name":"MoreInformation","type":"string"},{"name":"LastScan","type":"datetime"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"WDAVThreat","name":"WDAVThreat","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"ThreatName","type":"string","isPreferredFacet":true},{"name":"ThreatReportId","type":"string"},{"name":"ThreatId","type":"int"},{"name":"ThreatStatus","type":"string","isPreferredFacet":true},{"name":"ThreatAction","type":"string","isPreferredFacet":true},{"name":"ThreatError","type":"string","isPreferredFacet":true},{"name":"IsCloudSignature","type":"bool"},{"name":"ThreatCategory","type":"string"},{"name":"ThreatAlertLevel","type":"string"},{"name":"ThreatFamily","type":"string"},{"name":"RemediationAction","type":"string"},{"name":"ThreatEncyclopediaLink","type":"string"},{"name":"MoreInformation","type":"string"},{"name":"LastScan","type":"datetime"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"WOUserAudits","name":"WOUserAudits","tableType":"Microsoft","description":"Contains all workload orchestration API Server audit logs including the events generated as a result of interactions with any external system or toolchain. These events are useful for monitoring all the interactions with the workload orchestration API server and between workload orchestration and external orchestrated targets, e.g. Kubernetes. 
Requires Diagnostic Settings to use the Resource Specific destination table.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Event generation time."},{"name":"OperationName","type":"string","description":"Operation name of the event."},{"name":"Category","type":"string","description":"Category of the event."},{"name":"Location","type":"string","description":"Azure region in which the workload orchestration diagnostic resource is located."},{"name":"Properties","type":"dynamic","description":"Properties of the event."},{"name":"OperatingResourceId","type":"string","description":"The operating resource id refers to the specific operational resource that the workload orchestration is managing when this event is triggered."},{"name":"OperatingResourceK8SId","type":"string","description":"The operating resource K8s id refers to K8s resource id (namespace/name) of the specific operational resource that the workload orchestration is managing when this event is triggered."},{"name":"Message","type":"string","description":"The audit message."},{"name":"User","type":"string","description":"The Microsoft Entra ID object Id of the requester."},{"name":"CorrelationId","type":"string","description":"Correlation ID of the operation."},{"name":"WOServiceName","type":"string","description":"workload orchestration service name."},{"name":"WOServiceInstance","type":"string","description":"workload orchestration service pod name."},{"name":"EdgeLocation","type":"string","description":"The Azure Edge custom location resource Id on which the operation happens."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the 
record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["audit","resources"],"resourceTypes":["microsoft.edge/diagnostics"],"solutions":["LogManagement"],"queries":["f6dd9440-131a-478c-a85d-815c5ee81fc6","5bac9c74-6e1e-4a67-8693-9661cc3fdb1e"]}},{"id":"WOUserDiagnostics","name":"WOUserDiagnostics","tableType":"Microsoft","description":"Contains all workload orchestration API Server user diagnostics logs. These events are useful for diagnosing failed requests on workload orchestration. Requires Diagnostic Settings to use the Resource Specific destination table.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Event generation time."},{"name":"OperationName","type":"string","description":"Operation name of the event."},{"name":"Category","type":"string","description":"Category of the event."},{"name":"Location","type":"string","description":"Azure region in which the workload orchestration diagnostic resource is located."},{"name":"Properties","type":"dynamic","description":"Properties of the event."},{"name":"OperatingResourceId","type":"string","description":"The operating resource id refers to the specific operational resource that the workload orchestration is managing when this event is triggered."},{"name":"OperatingResourceK8SId","type":"string","description":"The operating resource K8s id refers to K8s resource id (namespace/name) of the specific operational resource that the workload orchestration is managing when this event is triggered."},{"name":"Message","type":"string","description":"The diagnostic message."},{"name":"User","type":"string","description":"The Microsoft Entra ID object Id of the requester."},{"name":"CorrelationId","type":"string","description":"Correlation ID of the 
operation."},{"name":"WOServiceName","type":"string","description":"workload orchestration service name."},{"name":"WOServiceInstance","type":"string","description":"workload orchestration service pod name."},{"name":"EdgeLocation","type":"string","description":"The Azure Edge custom location resource Id on which the operation happens."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"resourceTypes":["microsoft.edge/diagnostics"],"solutions":["LogManagement"],"queries":["b3bdb478-5088-4179-a6f9-669e1b97f2d6"]}},{"id":"WUDOAggregatedStatus","name":"WUDOAggregatedStatus","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"ContentType","type":"string","isPreferredFacet":true},{"name":"BytesFromCDN","type":"long"},{"name":"BytesFromIntPeers","type":"long"},{"name":"BytesFromPeers","type":"long"},{"name":"BytesFromGroupPeers","type":"long"},{"name":"BWOptPercent28Days","type":"real"},{"name":"DeviceCount","type":"int"},{"name":"DownloadMode","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"WUDOStatus","name":"WUDOStatus","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"GroupID","type":"string"},{"name":"OSName","type":"string","isPreferredFacet":true},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"DownloadMode","type":"string","isPreferredFacet":true},{"name":"DownloadModeSrc","type":"string","isPreferredFacet":true},{"name":"ContentDownloadMode","type":"int","isPreferredFacet":true},{"name":"DOStatusDescription","type":"string","isPreferredFacet":true},{"name":"Country","type":"string","isPreferredFacet":true},{"name":"City","type":"string","isPreferredFacet":true},{"name":"ISP","type":"string","isPreferredFacet":true},{"name":"PeeringStatus","type":"string","isPreferredFacet":true},{"name":"ContentType","type":"string","isPreferredFacet":true},{"name":"TotalTimeForDownload","type":"string"},{"name":"TotalTransfers","type":"long"},{"name":"PeerEligibleTransfers","type":"long"},{"name":"NoPeersCount","type":"long"},{"name":"PeersUnknownCount","type":"long"},{"name":"PeersSuccessCount","type":"long"},{"name":"PeersCannotConnectCount","type":"long"},{"name":"BytesFromCDN","type":"long"},{"name":"BytesFromIntPeers","type":"long"},{"name":"BytesFromPeers","type":"long"},{"name":"BytesFromGroupPeers","type":"long"},{"name":"BWOptPercent7Days","type":"real"},{"name":"BWOptPercent28Days","type":"real"},{"name":"LastScan","type":"datetime"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"WVDAgentHealthStatus","name":"WVDAgentHealthStatus","tableType":"Microsoft","description":"Azure Virtual Desktop agent health status.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the report was generated (UTC)"},{"name":"OperationName","type":"string","description":"The name of the operation"},{"name":"SessionHostName","type":"string","description":"Name of the Virtual Machine"},{"name":"SessionHostResourceId","type":"string","description":"The ARM path of the session host"},{"name":"AgentVersion","type":"string","description":"The version of the WVD Agent running on the Virtual Machine"},{"name":"OSVersion","type":"string","description":"The version of the operating system"},{"name":"SxSStackVersion","type":"string","description":"The version of the reverse connect listener running on the VM"},{"name":"AllowNewSessions","type":"string","description":"State of the AllowNewSession settings of the host pool"},{"name":"Status","type":"string","description":"The current status of the VM, whether it is healthy or not"},{"name":"StatusTimeStamp","type":"datetime","description":"The time recorded when there was a change in the health status"},{"name":"LastHeartBeat","type":"datetime","description":"The time recorded when there was a change in the health status"},{"name":"UpgradeState","type":"string","description":"The last known state from a previous update"},{"name":"UpgradeErrorMsg","type":"string","description":"The version of the reverse connect listener running on the VM"},{"name":"LastUpgradeTimeStamp","type":"datetime","description":"The time recorded when there was a change in the upgrade 
status"},{"name":"SessionHostHealthCheckResult","type":"dynamic","description":"The set of results on health checks"},{"name":"ActiveSessions","type":"string","description":"The number of active sessions on the VM"},{"name":"InactiveSessions","type":"string","description":"The number of disconnected, or logged off sessions on the VM"},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["virtualmachines"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"],"solutions":["LogManagement"],"queries":["9301ac33-090c-4cb5-b841-dc31c5d1ce13","7409e5d2-1178-4487-8f11-fb38a1a368ac"]}},{"id":"WVDAutoscaleEvaluationPooled","name":"WVDAutoscaleEvaluationPooled","tableType":"Microsoft","description":"The results of an Azure Virtual Desktop Autoscale scaling plan evaluation on a hostpool. This includes information on the actions Autoscale took on the session hosts, such as starting or deallocating them, and why it took those actions. The column names that start with 'Config' contain the scaling plan configuration values for the current Autoscale schedule phase. If the ResultType column value is 'Failed' then join to the WVDErrors table using the CorrelationId column to get more details. 
For Autoscale documentation see https://go.microsoft.com/fwlink/?linkid=2169532 .","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) this event was generated.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"A GUID generated for this Autoscale evaluation.","isPreferredFacet":true},{"name":"ScalingPlanResourceId","type":"string","description":"Resource ID of the Autoscale scaling plan.","isPreferredFacet":true},{"name":"ResultType","type":"string","description":"Status of this evaluation event.","isPreferredFacet":true},{"name":"ScalingReasonMessage","type":"string","description":"The actions Autoscale decided to perform and why it took those actions.","isPreferredFacet":true},{"name":"ScalingEvaluationStartTime","type":"datetime","description":"The timestamp (UTC) when the Autoscale evaluation started.","isPreferredFacet":true},{"name":"ConfigScheduleName","type":"string","description":"Name of schedule used in the evaluation.","isPreferredFacet":true},{"name":"ConfigSchedulePhase","type":"string","description":"Schedule phase at the time of evaluation.","isPreferredFacet":true},{"name":"MaxSessionLimitPerSessionHost","type":"int","description":"The 'MaxSessionLimit' value defined on the host pool. 
This is the maximum number of user sessions allowed per session host.","isPreferredFacet":true},{"name":"ConfigCapacityThresholdPercent","type":"real","description":"Capacity threshold percent.","isPreferredFacet":true},{"name":"ConfigMinActiveSessionHostsPercent","type":"real","description":"Minimum percent of session hosts that should be active.","isPreferredFacet":true},{"name":"TotalSessionHostCount","type":"int","description":"Number of session hosts in the host pool.","isPreferredFacet":true},{"name":"UnhealthySessionHostCount","type":"int","description":"Number of session hosts in a faulty state.","isPreferredFacet":true},{"name":"ExcludedSessionHostCount","type":"int","description":"Number of session hosts excluded from being managed by Autoscale.","isPreferredFacet":true},{"name":"ActiveSessionHostCount","type":"int","description":"Number of session hosts accepting user connections.","isPreferredFacet":true},{"name":"SessionCount","type":"int","description":"Number of user sessions, only the user sessions from session hosts which are considered active by Autoscale are included.","isPreferredFacet":true},{"name":"SessionOccupancyPercent","type":"real","description":"Percent of session host capacity occupied by user sessions.","isPreferredFacet":true},{"name":"ActiveSessionHostsPercent","type":"real","description":"Percent of session hosts in the host pool considered active by Autoscale.","isPreferredFacet":true},{"name":"Properties","type":"dynamic","description":"Additional information. 
The fields included here may be changed in the future.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["windowsvirtualdesktop"],"solutions":["LogManagement"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"WVDCheckpoints","name":"WVDCheckpoints","tableType":"Microsoft","description":"Windows Virtual Desktop Checkpoint Activity","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"ActivityType","type":"string","description":"The type of activity for which this checkpoint was reported.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The correlation Id for the activity.","isPreferredFacet":true},{"name":"UserName","type":"string","description":"The user name for the activity associated with the checkpoint.","isPreferredFacet":true},{"name":"Name","type":"string","description":"The name of the checkpoint.","isPreferredFacet":true},{"name":"Source","type":"string","description":"The component that emitted the checkpoint.","isPreferredFacet":true},{"name":"Parameters","type":"dynamic","description":"The parameters for the checkpoint.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A 
unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["windowsvirtualdesktop"],"solutions":["LogManagement"],"resourceTypes":["microsoft.desktopvirtualization/hostpools","microsoft.desktopvirtualization/applicationgroups","microsoft.desktopvirtualization/workspaces"]}},{"id":"WVDConnectionGraphicsDataPreview","name":"WVDConnectionGraphicsDataPreview","tableType":"Microsoft","description":"Windows Virtual Desktop connection graphics data.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the QoE event was generated on the VM","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The correlation ID for the activity","isPreferredFacet":true},{"name":"ServerSkippedFramesPercentage","type":"int","description":"The percentage of frames dropped because server is busy in the second with the highest dropped frames in the last evaluated connection time interval","isPreferredFacet":true},{"name":"NetworkSkippedFramesPercentage","type":"int","description":"The percentage of frames dropped because of insufficient network bandwidth in the second with the highest dropped frames in the last evaluated connection time interval","isPreferredFacet":true},{"name":"ClientSkippedFramesPercentage","type":"int","description":"The percentage of frames dropped because of slow client decoding in the second with the highest dropped frames in the last evaluated connection time interval","isPreferredFacet":true},{"name":"EncodingDelayOnServerInMs","type":"int","description":"The encoding time (milliseconds) of the frame with highest E2E delay in the last evaluated connection time 
interval","isPreferredFacet":true},{"name":"DecodingTimeOnClientInMs","type":"int","description":"The decoding time (milliseconds) of the frame with highest E2E delay in the last evaluated connection time interval","isPreferredFacet":true},{"name":"RenderingTimeOnClientInMs","type":"int","description":"The rendering time (milliseconds) of the frame with highest E2E delay in the last evaluated connection time interval","isPreferredFacet":true},{"name":"EstRoundTripTimeInMs","type":"int","description":"The average of estimated network round trip times (milliseconds) in the last evaluated connection time interval","isPreferredFacet":true},{"name":"EstAvailableBandwidthKBps","type":"int","description":"The average of estimated network bandwidth (kilobyte per second) in the last evaluated connection time interval","isPreferredFacet":true},{"name":"CompressedFrameSizeInBytes","type":"int","description":"The compressed size (bytes) of the frame with highest E2E delay in the last evaluated connection time interval","isPreferredFacet":true},{"name":"EndToEndDelayInMs","type":"int","description":"The highest end-to-end delay (milliseconds) of the frames sent in the last evaluated connection time interval. 
E2E delay is the delay from the time when a frame is captured on the server until the time frame is rendered on the client","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["windowsvirtualdesktop"],"solutions":["LogManagement"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"WVDConnectionNetworkData","name":"WVDConnectionNetworkData","tableType":"Microsoft","description":"Windows Virtual Desktop connection network data.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) when the network event was generated on the VM","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The correlation ID for the activity","isPreferredFacet":true},{"name":"EstRoundTripTimeInMs","type":"int","description":"The average of estimated network round trip times (milliseconds) in the last evaluated connection time interval","isPreferredFacet":true},{"name":"EstAvailableBandwidthKBps","type":"int","description":"The average of estimated network bandwidth (kilobyte per second) in the last evaluated connection time interval","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated 
with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["windowsvirtualdesktop"],"solutions":["LogManagement"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"WVDConnections","name":"WVDConnections","tableType":"Microsoft","description":"Windows Virtual Desktop Connection Activity.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The activity Id.","isPreferredFacet":true},{"name":"UserName","type":"string","description":"The user who initiated the connection.","isPreferredFacet":true},{"name":"State","type":"string","description":"The state of the connection.","isPreferredFacet":true},{"name":"ClientOS","type":"string","description":"The OS of the client that is connecting (if available).","isPreferredFacet":true},{"name":"ClientVersion","type":"string","description":"The version of the client that is connecting (if available).","isPreferredFacet":true},{"name":"ClientType","type":"string","description":"The type of the client that is connecting (if available).","isPreferredFacet":true},{"name":"ClientSideIPAddress","type":"string","description":"The remote IP address from the client side.","isPreferredFacet":true},{"name":"PredecessorConnectionId","type":"string","description":"The predecessor Correlation Id of the connection, if the current connection is an auto-reconnect.","isPreferredFacet":true},{"name":"ConnectionType","type":"string","description":"The type of connection - either RAIL (RemoteApp Integrated Locally) or Desktop.","isPreferredFacet":true},{"name":"ResourceAlias","type":"string","description":"The alias of the app that the user attempted to connect 
to.","isPreferredFacet":true},{"name":"SessionHostName","type":"string","description":"The FQDN of the machine where the user connection was orchestrated.","isPreferredFacet":true},{"name":"SessionHostPoolType","type":"string","description":"The type of session host pool - either SharedDesktop or PersonalDesktop.","isPreferredFacet":true},{"name":"SessionHostAzureVmId","type":"string","description":"The Azure VM Id of the machine where the user connection was orchestrated.","isPreferredFacet":true},{"name":"SessionHostIPAddress","type":"string","description":"The IP address of the machine where the user connection was orchestrated.","isPreferredFacet":true},{"name":"SessionHostOSVersion","type":"string","description":"The OS version of the machine where the user connection was orchestrated.","isPreferredFacet":true},{"name":"SessionHostOSDescription","type":"string","description":"The OS SKU description of the machine where the user connection was orchestrated.","isPreferredFacet":true},{"name":"SessionHostAgentVersion","type":"string","description":"The version of the WVD Agent running on the machine where the user connection was orchestrated.","isPreferredFacet":true},{"name":"SessionHostSxSStackVersion","type":"string","description":"The version of the WVD RDP Stack running on the machine where the user connection was orchestrated.","isPreferredFacet":true},{"name":"SessionHostSessionId","type":"string","description":"The Session Id of WVD RDP Stack running on the machine where the user connection was orchestrated.","isPreferredFacet":true},{"name":"AadTenantId","type":"string","description":"The AAD tenant Id of the user.","isPreferredFacet":true},{"name":"GatewayRegion","type":"string","description":"The region of the WVD Gateway for the server side user connection.","isPreferredFacet":true},{"name":"SessionHostJoinType","type":"string","description":"The type of the domain join for the Session Host - either DomainJoined, HybridAzureADJoined or 
AzureADJoined.","isPreferredFacet":true},{"name":"IsClientPrivateLink","type":"string","description":"True if the client side of this connection used a private link endpoint during orchestration.","isPreferredFacet":true},{"name":"IsSessionHostPrivateLink","type":"string","description":"True if the session host side of this connection used a private link endpoint during orchestration.","isPreferredFacet":true},{"name":"TransportType","type":"string","description":"The type of transport used by the RDP connection: Shortpath, TURN, Websocket.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["windowsvirtualdesktop"],"solutions":["LogManagement"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"WVDErrors","name":"WVDErrors","tableType":"Microsoft","description":"Windows Virtual Desktop Error Activity","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The activity Id.","isPreferredFacet":true},{"name":"UserName","type":"string","description":"The user for which the error happened.","isPreferredFacet":true},{"name":"ActivityType","type":"string","description":"The activity type for which the error happened.","isPreferredFacet":true},{"name":"Source","type":"string","description":"The source of the error.","isPreferredFacet":true},{"name":"Code","type":"long","description":"The error code 
for the error.","isPreferredFacet":true},{"name":"CodeSymbolic","type":"string","description":"The error code symbolic representation (if available).","isPreferredFacet":true},{"name":"Message","type":"string","description":"The error message.","isPreferredFacet":true},{"name":"ServiceError","type":"bool","description":"Indicator whether this is a service or customer error.","isPreferredFacet":true},{"name":"Operation","type":"string","description":"The name of the operation that failed.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["windowsvirtualdesktop"],"solutions":["LogManagement"],"resourceTypes":["microsoft.desktopvirtualization/hostpools","microsoft.desktopvirtualization/applicationgroups","microsoft.desktopvirtualization/workspaces"]}},{"id":"WVDFeeds","name":"WVDFeeds","tableType":"Microsoft","description":"Windows Virtual Desktop Feed Activity","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The activity Id.","isPreferredFacet":true},{"name":"UserName","type":"string","description":"The user that initiated the feed request.","isPreferredFacet":true},{"name":"ClientOS","type":"string","description":"The OS of the client that is requesting the feed (if available).","isPreferredFacet":true},{"name":"ClientVersion","type":"string","description":"The version of the client that is requesting 
the feed (if available).","isPreferredFacet":true},{"name":"ClientType","type":"string","description":"The type of the client that is requesting the feed (if available).","isPreferredFacet":true},{"name":"ClientSideIPAddress","type":"string","description":"The remote IP address from the client side.","isPreferredFacet":true},{"name":"RDPTotal","type":"int","description":"The total number of RDP files that the client attempted to retrieve.","isPreferredFacet":true},{"name":"RDPFail","type":"int","description":"The number of RDP files that failed to be retrieved.","isPreferredFacet":true},{"name":"IconTotal","type":"int","description":"The total number of Icons (PNG, ICO) files that the client attempted to retrieve.","isPreferredFacet":true},{"name":"IconFail","type":"int","description":"The number of Icons (PNG, ICO) files that failed to be retrieved.","isPreferredFacet":true},{"name":"IsClientPrivateLink","type":"string","description":"True if the client used a private link endpoint for the feed request.","isPreferredFacet":true},{"name":"AadTenantId","type":"string","description":"The AAD tenant Id of the user.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["windowsvirtualdesktop"],"solutions":["LogManagement"],"resourceTypes":["microsoft.desktopvirtualization/workspaces"]}},{"id":"WVDHostRegistrations","name":"WVDHostRegistrations","tableType":"Microsoft","description":"Windows Virtual Desktop Host Registration 
Activity","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The activity Id.","isPreferredFacet":true},{"name":"SessionHostName","type":"string","description":"The name of the session host that was registered with the WVD service.","isPreferredFacet":true},{"name":"SessionHostIPAddress","type":"string","description":"The IP address of the session host that was registered with the WVD service.","isPreferredFacet":true},{"name":"IsSessionHostPrivateLink","type":"string","description":"True if the session host side of this connection used a private link endpoint during orchestration.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["windowsvirtualdesktop"],"solutions":["LogManagement"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"WVDManagement","name":"WVDManagement","tableType":"Microsoft","description":"Windows Virtual Desktop Management Activity","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The activity Id.","isPreferredFacet":true},{"name":"UserName","type":"string","description":"The user that initiated the management 
request.","isPreferredFacet":true},{"name":"Route","type":"string","description":"The route for the management request.","isPreferredFacet":true},{"name":"ArmObjectScope","type":"string","description":"The ARM object scope for the management request - used for session hosts, applications.","isPreferredFacet":true},{"name":"ClientSideIPAddress","type":"string","description":"The remote IP address from the client side.","isPreferredFacet":true},{"name":"ObjectsFetched","type":"int","description":"The number of objects that were fetched.","isPreferredFacet":true},{"name":"ObjectsCreated","type":"int","description":"The number of objects that were created.","isPreferredFacet":true},{"name":"ObjectsUpdated","type":"int","description":"The number of objects that were updated.","isPreferredFacet":true},{"name":"ObjectsDeleted","type":"int","description":"The number of objects that were deleted.","isPreferredFacet":true},{"name":"ProvisioningCorrelationId","type":"string","description":"The ID of the top-level provisioning operation. 
This maps to the field in the WVDSessionHostManagement table called CorrelationId.","isPreferredFacet":true},{"name":"AadTenantId","type":"string","description":"The AAD tenant Id of the user.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["windowsvirtualdesktop"],"solutions":["LogManagement"],"resourceTypes":["microsoft.desktopvirtualization/hostpools","microsoft.desktopvirtualization/applicationgroups","microsoft.desktopvirtualization/workspaces"]}},{"id":"WVDMultiLinkAdd","name":"WVDMultiLinkAdd","tableType":"Microsoft","description":"Azure Virtual Desktop MultiLink Add Activity.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the report was generated (UTC)."},{"name":"CorrelationId","type":"string","description":"The correlation ID for the activity."},{"name":"Category","type":"string","description":"The category of the event."},{"name":"LinkId","type":"string","description":"The identifier used to track the network transport path."},{"name":"GatewayRegion","type":"string","description":"The Azure region where the client’s connection gateway is located."},{"name":"ClientTransportType","type":"string","description":"The transport protocol the AVD client is using for an individual link."},{"name":"ServerTransportType","type":"string","description":"The transport protocol the AVD session host is using for an individual link."},{"name":"ClientNatIP","type":"string","description":"The public IP 
address for the client's NAT."},{"name":"ServerNatIP","type":"string","description":"The public ip address of the session host."},{"name":"ServerTURNIP","type":"string","description":"The IP address of the TURN server that the AVD client connects to."},{"name":"ClientTURNIP","type":"string","description":"The IP address of the client side used for connecting to the TURN server."},{"name":"ClientTransportIP","type":"string","description":"The IP address of the client endpoint used for the transport connection to the session host."},{"name":"ServerTransportIP","type":"string","description":"The IP address of the session host used for the transport connection."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["windowsvirtualdesktop"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"],"solutions":["LogManagement"]}},{"id":"WVDSessionHostManagement","name":"WVDSessionHostManagement","tableType":"Microsoft","description":"Windows Virtual Desktop session host management data.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the event.","isPreferredFacet":true},{"name":"CorrelationId","type":"string","description":"The correlation ID for the activity.","isPreferredFacet":true},{"name":"ClientType","type":"string","description":"Information about the client that initiated the update (portal, Powershell etc.).","isPreferredFacet":true},{"name":"FailedSessionHostCleanupPolicy","type":"string","description":"The 
policy for cleaning up session hosts that have failed provisioning.","isPreferredFacet":true},{"name":"FromInstanceCount","type":"int","description":"The instance count before the operation. For an update operation, FromInstanceCount and ToInstanceCount are the same value.","isPreferredFacet":true},{"name":"FromSessionHostConfigVer","type":"string","description":"The version of SHC before the operation (that session hosts are moving from; can be looked up with new SHC table). For a provisioning operation, it is the same as the ToSessionHostConfiguration.","isPreferredFacet":true},{"name":"UpdateMaxVmsRemoved","type":"int","description":"The maximum number of virtual machines that might become unavailable during the session host update operation.","isPreferredFacet":true},{"name":"ProvisioningStatus","type":"string","description":"The status of the current update/provisioning operation.","isPreferredFacet":true},{"name":"ProvisioningType","type":"string","description":"The type of operation (provisioning, update).","isPreferredFacet":true},{"name":"ProvisioningCanaryPolicy","type":"string","description":"The policy for creating a test canary session host before creating the rest of the requested session hosts.","isPreferredFacet":true},{"name":"ScheduledDateTime","type":"string","description":"When the session host update is scheduled, the scheduled time.","isPreferredFacet":true},{"name":"ScheduledDateTimeZone","type":"string","description":"The time zone that updates and provisioning happen in.","isPreferredFacet":true},{"name":"ToInstanceCount","type":"int","description":"The instance count after the operation. For an update operation, FromInstanceCount and ToInstanceCount are the same value.","isPreferredFacet":true},{"name":"ToSessionHostConfigVer","type":"string","description":"The version of SHC after the operation (that session hosts are moving to; can be looked up with new SHC table). 
For a provisioning operation, it is the same as the FromSessionHostConfiguration.","isPreferredFacet":true},{"name":"UpdateMethod","type":"string","description":"The method that is used for the session host update operation (e.g.: VmRecreate).","isPreferredFacet":true},{"name":"UpdateStartWindowInMinutes","type":"int","description":"The window of allowable time, in minutes, for an update to start.","isPreferredFacet":true},{"name":"UpdateDeleteOriginalVm","type":"bool","description":"Indicates whether the original VM should be deleted after the update.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["windowsvirtualdesktop"],"solutions":["LogManagement"],"resourceTypes":["microsoft.desktopvirtualization/hostpools"]}},{"id":"WaaSDeploymentStatus","name":"WaaSDeploymentStatus","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"OSBuild","type":"string","isPreferredFacet":true},{"name":"OSRevisionNumber","type":"int"},{"name":"OSServicingBranch","type":"string","isPreferredFacet":true},{"name":"UpdateCategory","type":"string","isPreferredFacet":true},{"name":"UpdateClassification","type":"string","isPreferredFacet":true},{"name":"ReleaseName","type":"string","isPreferredFacet":true},{"name":"UpdateReleasedDate","type":"datetime"},{"name":"OriginBuild","type":"string","isPreferredFacet":true},{"name":"TargetBuild","type":"string","isPreferredFacet":true},{"name":"TargetOSVersion","type":"string","isPreferredFacet":true},{"name":"TargetOSRevision","type":"int"},{"name":"DeferralDays","type":"int","isPreferredFacet":true},{"name":"PauseState","type":"string","isPreferredFacet":true},{"name":"ExpectedInstallDate","type":"datetime"},{"name":"DeploymentStatus","type":"string","isPreferredFacet":true},{"name":"DetailedStatus","type":"string","isPreferredFacet":true},{"name":"DeploymentError","type":"string","isPreferredFacet":true},{"name":"DeploymentErrorCode","type":"string","isPreferredFacet":true},{"name":"RecommendedAction","type":"string","isPreferredFacet":true},{"name":"LastScan","type":"datetime"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"WaaSInsiderStatus","name":"WaaSInsiderStatus","tableType":"Microsoft","description":"Summary of each run of your update schedule with details like how many updates were not installed etc.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"OSFamily","type":"string","isPreferredFacet":true},{"name":"OSName","type":"string","isPreferredFacet":true},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"OSBuild","type":"string","isPreferredFacet":true},{"name":"OSRevisionNumber","type":"int"},{"name":"OSArchitecture","type":"string"},{"name":"OSEdition","type":"string","isPreferredFacet":true},{"name":"LastScan","type":"datetime"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"WaaSUpdateStatus","name":"WaaSUpdateStatus","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ComputerID","type":"string"},{"name":"OSFamily","type":"string","isPreferredFacet":true},{"name":"OSName","type":"string","isPreferredFacet":true},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"OSBuild","type":"string","isPreferredFacet":true},{"name":"OSRevisionNumber","type":"int"},{"name":"OSArchitecture","type":"string"},{"name":"OSEdition","type":"string","isPreferredFacet":true},{"name":"OSServicingBranch","type":"string","isPreferredFacet":true},{"name":"DownloadMode","type":"string","isPreferredFacet":true},{"name":"FeatureDeferralDays","type":"int","isPreferredFacet":true},{"name":"FeaturePauseState","type":"string","isPreferredFacet":true},{"name":"FeaturePauseDays","type":"int","isPreferredFacet":true},{"name":"QualityDeferralDays","type":"int","isPreferredFacet":true},{"name":"QualityPauseState","type":"string","isPreferredFacet":true},{"name":"QualityPauseDays","type":"int","isPreferredFacet":true},{"name":"OSCurrentStatus","type":"string","isPreferredFacet":true},{"name":"OSFeatureUpdateStatus","type":"string","isPreferredFacet":true},{"name":"OSQualityUpdateStatus","type":"string","isPreferredFacet":true},{"name":"OSSecurityUpdateStatus","type":"string","isPreferredFacet":true},{"name":"NeedAttentionStatus","type":"string","isPreferredFacet":true},{"name":"LastScan","type":"datetime"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["desktopanalytics"],"solutions":["WaaSUpdateInsights"]}},{"id":"Watchlist","name":"Watchlist","tableType":"Microsoft","description":"Azure Sentinel Watchlist contains imported data from CSV files that can be used to join or filter as an alert/incident condition.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isDimensionTable":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of when the event was generated."},{"name":"AzureTenantId","type":"string","description":"The AAD tenant ID to which this Watchlist table belongs."},{"name":"WatchlistId","type":"string","description":"The Resource Manager Watchlist resource name."},{"name":"WatchlistItemId","type":"string","description":"The Watchlist item unique ID."},{"name":"WatchlistName","type":"string","description":"The display name of Watchlist."},{"name":"WatchlistAlias","type":"string","description":"The unique string referring to the Watchlist."},{"name":"Source","type":"string","description":"The input source of the Watchlist."},{"name":"Provider","type":"string","description":"The input provider of the Watchlist."},{"name":"CreatedBy","type":"dynamic","description":"The JSON object with the user who created the Watchlist or Watchlist item, including: Object ID, email and name."},{"name":"UpdatedBy","type":"dynamic","description":"The JSON object with the user who last updated the Watchlist or Watchlist item, including: Object ID, email and name."},{"name":"CreatedTimeUTC","type":"datetime","description":"The time (UTC) when the Watchlist or Watchlist item was first created."},{"name":"LastUpdatedTimeUTC","type":"datetime","description":"The time (UTC) when Watchlist or Watchlist item was last updated."},{"name":"Notes","type":"string","description":"The notes provided by 
user."},{"name":"Tags","type":"string","description":"The JSON array of tags provided by user."},{"name":"DefaultDuration","type":"string","description":"The JSON object describing the default duration to live that each item of a Watchlist should inherit on creation. The default duration has this format : P(n)Y(n)M(n)DT(n)H(n)M(n)S, where P, Y, M, DT, H, M and S are invariant. For example, P3Y6M4DT12H30M9S represents a duration of three years, six months, four days, twelve hours, thirty minutes, and nine seconds."},{"name":"TimeToLive","type":"datetime","description":"The time to live for a Watchlist record, expressed as a date and time of day (e.g. 2020-08-20T17:00:00.9618037Z). Its original value is inherited from Watchlist’s default duration. If TimeToLive passes, the record is considered deleted. A record's duration can be extended at any time by updating the TimeToLive value."},{"name":"WatchlistItem","type":"dynamic","description":"The JSON object with key-value pairs from the input Watchlist source."},{"name":"EntityMapping","type":"dynamic","description":"The JSON object with Azure Sentinel entity mapping to input columns."},{"name":"CorrelationId","type":"string","description":"The ID for correlated events."},{"name":"SearchKey","type":"string","description":"The SearchKey is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field to join in other event tables by IP address."},{"name":"WatchlistCategory","type":"string","description":"The Watchlist category provided by user."},{"name":"_DTTimestamp","type":"datetime","description":"The time (UTC) when the event was generated."},{"name":"_DTItemId","type":"string","description":"The Watchlist or Watchlist item unique ID. As an example, a Watchlist 'RiskyUsers' can contain Watchlist item 'Name:John Doe; email:johndoe@contoso.com'. 
A Watchlist item has a unique ID and belongs to a Watchlist. The containing Watchlist can be identified using the 'WatchlistId'."},{"name":"_DTItemType","type":"string","description":"Distinguishes between a Watchlist and a Watchlist item. As an example, a Watchlist 'RiskyUsers' can contain Watchlist item 'Name:John Doe; email:johndoe@contoso.com'. A Watchlist item type will belong to a Watchlist type and the containing Watchlist can be identified using the 'WatchlistId'."},{"name":"_DTItemStatus","type":"string","description":"Indicates whether the Watchlist or Watchlist item was created, updated or deleted by the user. As an example, a Watchlist 'RiskyUsers' can contain Watchlist item 'Name:John Doe; email:johndoe@contoso.com'. If a Watchlist is added, the status would be 'Created'. If the name of the Watchlist is updated from 'RiskyUsers' to 'RiskyEmployees', the status would be 'Updated'."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["security"],"solutions":["SecurityInsights"],"queries":["94477231-37df-47e8-88a1-862e04d16a75","d2812a18-ed70-4a01-b124-0f1bf86e86ac"]}},{"id":"WebPubSubConnectivity","name":"WebPubSubConnectivity","tableType":"Microsoft","description":"Connectivity logs provide detailed information for Azure Web PubSub hub connections. For example, basic information (user ID, connection ID, and so on) and event information (connect, disconnect, and abort event, and so on) and can be used to troubleshoot connection-related issues.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The operation of the log event. 
It can be used to filter the log based on a specific operation name.","isPreferredFacet":true},{"name":"Location","type":"string","description":"The location of Azure Web PubSub service.","isPreferredFacet":true},{"name":"Level","type":"string","description":"The level of the log. Can be 'Informational', 'Warning', 'Error' or 'Critical'.","isPreferredFacet":true},{"name":"CallerIpAddress","type":"string","description":"The IP address of the client or server that connects to the Web PubSub service.","isPreferredFacet":true},{"name":"Message","type":"string","description":"The message of the log event. It provides details about the event.","isPreferredFacet":true},{"name":"UserId","type":"string","description":"The unique identifier of the user. It is defined by the client or app server.","isPreferredFacet":true},{"name":"ConnectionId","type":"string","description":"The unique identifier of the connection to the service.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.signalrservice/webpubsub"]}},{"id":"WebPubSubHttpRequest","name":"WebPubSubHttpRequest","tableType":"Microsoft","description":"HTTP request logs provide detailed information for the HTTP requests received by Azure Web PubSub. 
For example, the status code and URL of the request; this is helpful for troubleshooting request-related issues.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The operation of the log event. It can be used to filter the log based on a specific operation name.","isPreferredFacet":true},{"name":"Location","type":"string","description":"The location of Azure Web PubSub service.","isPreferredFacet":true},{"name":"Level","type":"string","description":"The level of the log. Can be 'Informational', 'Warning', 'Error' or 'Critical'.","isPreferredFacet":true},{"name":"CallerIpAddress","type":"string","description":"The IP address of the client or server that connects to the Web PubSub service.","isPreferredFacet":true},{"name":"Message","type":"string","description":"The message of the log event. It provides details about the event.","isPreferredFacet":true},{"name":"Url","type":"string","description":"The uniform resource locator of the request.","isPreferredFacet":true},{"name":"StatusCode","type":"string","description":"The HTTP response code.","isPreferredFacet":true},{"name":"HttpMethod","type":"string","description":"The HTTP method.","isPreferredFacet":true},{"name":"DurationMs","type":"string","description":"The duration in milliseconds between the request being received and being processed.","isPreferredFacet":true},{"name":"Headers","type":"string","description":"The additional information passed by the client and the server with an HTTP request or response.","isPreferredFacet":true},{"name":"TraceId","type":"string","description":"The unique identifier of the invocations. 
It's used for tracing invocations.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.signalrservice/webpubsub"]}},{"id":"WebPubSubMessaging","name":"WebPubSubMessaging","tableType":"Microsoft","description":"Messaging logs provide tracing information for the Azure Web PubSub hub messages received and sent via Azure Web PubSub service. For example, tracing ID and message type of the message. Typically the message is recorded when it arrives at or leaves the service, and is helpful for troubleshooting message-related issues.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp (UTC) of the log.","isPreferredFacet":true},{"name":"OperationName","type":"string","description":"The operation of the log event. It can be used to filter the log based on a specific operation name.","isPreferredFacet":true},{"name":"Location","type":"string","description":"The location of Azure Web PubSub service.","isPreferredFacet":true},{"name":"Level","type":"string","description":"The level of the log. Can be 'Informational', 'Warning', 'Error' or 'Critical'.","isPreferredFacet":true},{"name":"CallerIpAddress","type":"string","description":"The IP address of the client or server that connects to the Web PubSub service.","isPreferredFacet":true},{"name":"Message","type":"string","description":"The message of the log event. 
It provides details about the event.","isPreferredFacet":true},{"name":"UserId","type":"string","description":"The unique identifier of the user. It is defined by the client or app server.","isPreferredFacet":true},{"name":"ConnectionId","type":"string","description":"The unique identifier of the connection connected to service.","isPreferredFacet":true},{"name":"TraceId","type":"string","description":"The unique identifier of the invocations. It's used for tracing invocations.","isPreferredFacet":true},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources"],"solutions":["LogManagement"],"resourceTypes":["microsoft.signalrservice/webpubsub"]}},{"id":"Windows365AuditLogs","name":"Windows365AuditLogs","tableType":"Microsoft","description":"Windows365 Audit Logs.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"Date and time when the report was generated (UTC)."},{"name":"OperationName","type":"string","description":"The name of the operation."},{"name":"Result","type":"string","description":"The result of the operation."},{"name":"ApplicationId","type":"string","description":"The caller application id of the operation."},{"name":"UserPrincipalName","type":"string","description":"The user principal name of the user."},{"name":"UserId","type":"string","description":"The user Id of the user."},{"name":"OtherIdentityProperties","type":"string","description":"The identity properties of the user, include Type, 
UserPermission, ApplicationDisplayName, ServicePrincipleName, UserScopeTags, RemoteTenantId, and RemoteUserId."},{"name":"ComponentName","type":"string","description":"The component name of the operation."},{"name":"OtherAuditEventProperties","type":"string","description":"The audit event properties of the operation, include componentName, operationType, category, activityDateTime, auditEventId, correlationId, shoeboxCategory, and resources."},{"name":"ActivityId","type":"string","description":"The activity Id of the operation."},{"name":"RelatedActivityId","type":"string","description":"The related activity Id of the operation."},{"name":"SessionId","type":"string","description":"The session Id of the operation."},{"name":"ScenarioId","type":"string","description":"The scenario Id of the operation."},{"name":"ScenarioInstanceId","type":"string","description":"The scenario instance Id of the operation."},{"name":"ServiceName","type":"string","description":"The service name of the operation."},{"name":"ApplicationName","type":"string","description":"The application name of the operation."},{"name":"BuildVersion","type":"string","description":"The build version of the operation."},{"name":"Pid","type":"string","description":"The pid of the operation."},{"name":"Tid","type":"string","description":"The tid of the operation."},{"name":"ResourceExtendedProperties","type":"string","description":"The resource extended properties of the operation."},{"name":"CallerExtendedProperties","type":"string","description":"The caller extended properties of the operation."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that 
the record is associated with"}],"related":{"categories":["audit"],"resourceTypes":["microsoft.intune/operations"],"solutions":["LogManagement"]}},{"id":"WindowsClientAssessmentRecommendation","name":"WindowsClientAssessmentRecommendation","tableType":"Microsoft","description":"Recommendations generated by Windows Client assessments that are started through a scheduled task. When you schedule the assessment, it runs by default every 7 days and uploads the data into Azure Log Analytics.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"AssessmentId","type":"string","isPreferredFacet":true},{"name":"RecommendationId","type":"string","isPreferredFacet":true},{"name":"Recommendation","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"RecommendationResult","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime"},{"name":"FocusAreaId","type":"string","isPreferredFacet":true},{"name":"FocusArea","type":"string","isPreferredFacet":true},{"name":"ActionAreaId","type":"string","isPreferredFacet":true},{"name":"ActionArea","type":"string","isPreferredFacet":true},{"name":"RecommendationWeight","type":"real"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"AffectedObjectType","type":"string","isPreferredFacet":true},{"name":"AffectedObjectName","type":"string","isPreferredFacet":true},{"name":"Forest","type":"string"},{"name":"Domain","type":"string","isPreferredFacet":true},{"name":"Server","type":"string","isPreferredFacet":true},{"name":"Technology","type":"string"},{"name":"CustomData","type":"string"},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["AzureResources","WindowsClientAssessmentPlus"]}},{"id":"WindowsEvent","name":"WindowsEvent","tableType":"Microsoft","description":"Windows events which are collected and sent by the agent.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The time stamp when the event was generated on the computer."},{"name":"Provider","type":"string","description":"System Properties Type - Identifies the provider that logged the event."},{"name":"Channel","type":"string","description":"The channel to which the event was logged."},{"name":"Computer","type":"string","description":"The name of the computer on which the event occurred."},{"name":"Task","type":"int","description":"The task defined in the event."},{"name":"EventLevel","type":"int","description":"Contains the severity level of the event."},{"name":"EventLevelName","type":"string","description":"The rendered message string of the level specified in the event."},{"name":"EventID","type":"int","description":"The identifier that the provider used to identify the event."},{"name":"ManagementGroupName","type":"string","description":"Additional information based on the resource type."},{"name":"SystemUserId","type":"string","description":"The ID of the user who is responsible for the event."},{"name":"Version","type":"int","description":"Contains the version number of the event's definition."},{"name":"Opcode","type":"string","description":"The opcode element is defined by the SystemPropertiesType complex type."},{"name":"Keywords","type":"string","description":"A bitmask of the keywords defined in the event."},{"name":"Correlation","type":"string","description":"The activity identifiers that consumers can use to group related events 
together."},{"name":"SystemProcessId","type":"int","description":"Identifies the process that generated the event."},{"name":"SystemThreadId","type":"int","description":"Identifies the thread that generated the event."},{"name":"EventRecordId","type":"string","description":"The record number assigned to the event when it was logged."},{"name":"EventData","type":"dynamic","description":"Contains the event data parsed to a dynamic type. If parsing fails, this field contains null and the RawEventData field is populated instead."},{"name":"RawEventData","type":"string","description":"The raw event XML when parsing fails. It's null when parsing is successful."},{"name":"EventOriginId","type":"string","description":"VM ID obtained from the Azure Instance Metadata Service (IMDS)."},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated 
with"}],"related":{"categories":["security"],"resourceTypes":["microsoft.securityinsights/securityinsights"],"solutions":["CustomizedWindowsEventsFiltering","InternalWindowsEvent","SecurityInsights","WEFInternalUat","WEF_10x","WEF_10xDSRE","WinLog","WindowsEventForwarding"],"queries":["dcd68ba6-0656-43f8-8c16-21ed36226048"]}},{"id":"WindowsFirewall","name":"WindowsFirewall","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","isPreferredFacet":true},{"name":"CommunicationDirection","type":"string","isPreferredFacet":true},{"name":"FirewallAction","type":"string","isPreferredFacet":true},{"name":"Protocol","type":"string","isPreferredFacet":true},{"name":"SourceIP","type":"string","isPreferredFacet":true},{"name":"DestinationIP","type":"string","isPreferredFacet":true},{"name":"RemoteIP","type":"string","isPreferredFacet":true},{"name":"SourcePort","type":"int","isPreferredFacet":true},{"name":"FullDestinationAddress","type":"string"},{"name":"DestinationPort","type":"int","isPreferredFacet":true},{"name":"RequestSizeInBytes","type":"long"},{"name":"Info","type":"string"},{"name":"ManagementGroupName","type":"string","isPreferredFacet":true},{"name":"MaliciousIP","type":"string","isPreferredFacet":true},{"name":"IndicatorThreatType","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"TLPLevel","type":"string","isPreferredFacet":true},{"name":"Confidence","type":"string","isPreferredFacet":true},{"name":"Severity","type":"int","isPreferredFacet":true},{"name":"FirstReportedDateTime","type":"string"},{"name":"LastReportedDateTime","type":"string"},{"name":"IsActive","type":"string","isPreferredFacet":true},{"name":"MaliciousIPLongitude","type":"real"},{"name":"MaliciousIPLatitude","type":"real"},{"name":"MaliciousIPCountry","type":"
string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"description":"Contains fully formed Windows Firewall log messages that already match the WindowsFirewall table format.","related":{"categories":["security"],"resourceTypes":["microsoft.operationalinsights/workspaces","microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets"],"solutions":["Security","WindowsFirewall"]}},{"id":"WindowsServerAssessmentRecommendation","name":"WindowsServerAssessmentRecommendation","tableType":"Microsoft","description":"Recommendations generated by Windows Server assessments that are started through a scheduled task. 
When you schedule the assessment, it runs by default every 7 days and uploads the data into Azure Log Analytics.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"SourceSystem","type":"string","isPreferredFacet":true},{"name":"AssessmentId","type":"string","isPreferredFacet":true},{"name":"RecommendationId","type":"string","isPreferredFacet":true},{"name":"Recommendation","type":"string","isPreferredFacet":true},{"name":"Description","type":"string"},{"name":"RecommendationResult","type":"string","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime"},{"name":"FocusAreaId","type":"string","isPreferredFacet":true},{"name":"FocusArea","type":"string","isPreferredFacet":true},{"name":"ActionAreaId","type":"string","isPreferredFacet":true},{"name":"ActionArea","type":"string","isPreferredFacet":true},{"name":"RecommendationWeight","type":"real"},{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"AffectedObjectType","type":"string","isPreferredFacet":true},{"name":"AffectedObjectName","type":"string","isPreferredFacet":true},{"name":"Domain","type":"string","isPreferredFacet":true},{"name":"Server","type":"string","isPreferredFacet":true},{"name":"Cluster","type":"string","isPreferredFacet":true},{"name":"HyperVMHost","type":"string","isPreferredFacet":true},{"name":"Ipv4Address","type":"string","isPreferredFacet":true},{"name":"OSVersion","type":"string","isPreferredFacet":true},{"name":"Technology","type":"string"},{"name":"WebServer","type":"string","isPreferredFacet":true},{"name":"WebSite","type":"string","isPreferredFacet":true},{"name":"IISApplication","type":"string","isPreferredFacet":true},{"name":"IISApplicationPool","type":"string","isPreferredFacet":true},{"name":"CustomData","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique 
identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["workloads"],"solutions":["AzureResources","WindowsServerAssessment"]}},{"id":"WireData","name":"WireData","tableType":"Microsoft","description":"Network data collected by the WireData solution using the Dependency agent and the Log Analytics agent.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"Computer","type":"string","description":"Computer name where data was collected","isPreferredFacet":true},{"name":"SessionStartTime","type":"datetime","description":"Start time of session","isPreferredFacet":true},{"name":"SessionEndTime","type":"datetime","description":"End time of session","isPreferredFacet":true},{"name":"LocalIP","type":"string","description":"IP address of the local computer","isPreferredFacet":true},{"name":"LocalSubnet","type":"string","description":"Subnet where data was collected","isPreferredFacet":true},{"name":"LocalMAC","type":"string","description":"Hold over field from old schema - attribute not collected","isPreferredFacet":true},{"name":"LocalPortNumber","type":"int","description":"Local port number","isPreferredFacet":true},{"name":"RemoteIP","type":"string","description":"Remote IP address used by the remote computer","isPreferredFacet":true},{"name":"RemoteMAC","type":"string","description":"Hold over field from old schema - attribute not collected","isPreferredFacet":true},{"name":"RemotePortNumber","type":"int","description":"Port number used by the remote IP address","isPreferredFacet":true},{"name":"SessionID","type":"string","description":"A unique value that identifies a communication session between two IP addresses","isPreferredFacet":true},{"name":"SequenceNumber","type":"long","description":"Hold over field from old schema - attribute not 
collected","isPreferredFacet":true},{"name":"SessionState","type":"string","description":"Connected or disconnected","isPreferredFacet":true},{"name":"SentBytes","type":"long","description":"Number of bytes sent","isPreferredFacet":true},{"name":"ReceivedBytes","type":"long","description":"Amount of bytes received","isPreferredFacet":true},{"name":"TotalBytes","type":"long","description":"Total number of bytes sent during session","isPreferredFacet":true},{"name":"ProtocolName","type":"string","description":"Name of the network protocol used","isPreferredFacet":true},{"name":"IPVersion","type":"string","description":"IP version","isPreferredFacet":true},{"name":"SentPackets","type":"long","description":"Hold over field from old schema - attribute not collected","isPreferredFacet":true},{"name":"ReceivedPackets","type":"long","description":"Hold over field from old schema - attribute not collected","isPreferredFacet":true},{"name":"Direction","type":"string","description":"Inbound or outbound","isPreferredFacet":true},{"name":"ApplicationProtocol","type":"string","description":"Type of network protocol used","isPreferredFacet":true},{"name":"ProcessID","type":"int","description":"Windows process ID","isPreferredFacet":true},{"name":"ProcessName","type":"string","description":"Path and file name of the process","isPreferredFacet":true},{"name":"ApplicationServiceName","type":"string","description":"Hold over field from old schema - attribute not collected","isPreferredFacet":true},{"name":"LatencyMilliseconds","type":"int","description":"Hold over field from old schema - attribute not collected","isPreferredFacet":true},{"name":"LatencySamplingTimeStamp","type":"datetime","description":"Hold over field from old schema - attribute not collected","isPreferredFacet":true},{"name":"LatencySamplingFailureRate","type":"string","description":"Hold over field from old schema - attribute not 
collected","isPreferredFacet":true},{"name":"MaliciousIP","type":"string","description":"IP address of a known malicious source","isPreferredFacet":true},{"name":"IndicatorThreatType","type":"string","description":"Type of threat indicator detected; one of the following values: Botnet, C2, CryptoMining, Darknet, DDos, MaliciousUrl, Malware, Phishing, Proxy, PUA, Watchlist.","isPreferredFacet":true},{"name":"Description","type":"string","description":"Description of the observed threat."},{"name":"TLPLevel","type":"string","description":"Traffic Light Protocol (TLP) level; one of the defined values: White, Green, Amber, Red.","isPreferredFacet":true},{"name":"Confidence","type":"string","description":"Confidence level for Malicious IP identification. Values are 0 - 100.","isPreferredFacet":true},{"name":"Severity","type":"int","description":"Suspected malware severity","isPreferredFacet":true},{"name":"FirstReportedDateTime","type":"string","description":"The first time the provider reported the threat."},{"name":"LastReportedDateTime","type":"string","description":"The last time the indicator was seen by Interflow."},{"name":"IsActive","type":"string","description":"Indicates whether the indicator is active, as a True or False value.","isPreferredFacet":true},{"name":"RemoteIPLongitude","type":"real","description":"IP longitude value"},{"name":"RemoteIPLatitude","type":"real","description":"IP latitude value"},{"name":"RemoteIPCountry","type":"string","description":"Country/region of the remote IP address","isPreferredFacet":true},{"name":"SourceSystem","type":"string","description":"OpsManager","isPreferredFacet":true},{"name":"ManagementGroupName","type":"string","description":"Name of the Operations Manager management group","isPreferredFacet":true},{"name":"TimeGenerated","type":"datetime","description":"Time of the record","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the 
table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["virtualmachines","security"],"solutions":["WireData","WireData2"],"resourceTypes":["microsoft.compute/virtualmachines","microsoft.conenctedvmwarevsphere/virtualmachines","microsoft.azurestackhci/virtualmachines","microsoft.scvmm/virtualmachines","microsoft.compute/virtualmachinescalesets"]}},{"id":"WorkloadDiagnosticLogs","name":"WorkloadDiagnosticLogs","tableType":"Microsoft","description":"Diagnostic logs from the Workload Monitoring data collection services running on the Monitoring VM. Includes logs from wli and ms-telegraf services. Used to troubleshoot configuration or data collection issues.","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"The timestamp of when the log was generated."},{"name":"Computer","type":"string","description":"Name of the Computer generating the log."},{"name":"Category","type":"string","description":"The category of the log."},{"name":"Status","type":"string","description":"The status of the record. Example: Error, Warning, etc."},{"name":"Message","type":"string","description":"The message of the log entry."},{"name":"Tags","type":"dynamic","description":"Dimensions or other metadata about the record. 
For example may contain the Monitoring profile ID the log entry is about."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads","monitor"],"solutions":["LogManagement"],"queries":["0d32e6ff-9894-415e-a981-2e9e5f76bd78"]}},{"id":"WorkloadMonitoringPerf","name":"WorkloadMonitoringPerf","tableType":"Microsoft","timespanColumn":"TimeGenerated","tableAPIState":"Any","columns":[{"name":"Computer","type":"string","isPreferredFacet":true},{"name":"ObjectName","type":"string","isPreferredFacet":true},{"name":"CounterName","type":"string","isPreferredFacet":true},{"name":"InstanceName","type":"string","isPreferredFacet":true},{"name":"PerfCounterValue","type":"real"},{"name":"TimeGenerated","type":"datetime"},{"name":"SourceSystem","type":"string"},{"name":"ProcessorInstance","type":"string","isPreferredFacet":true},{"name":"LogicalDisk","type":"string","isPreferredFacet":true},{"name":"PhysicalDisk","type":"string","isPreferredFacet":true},{"name":"NetworkAdapter","type":"string","isPreferredFacet":true},{"name":"MemoryInstance","type":"string","isPreferredFacet":true},{"name":"IsSystemDisk","type":"string","isPreferredFacet":true},{"name":"ServiceName","type":"string"},{"name":"SecureChannel","type":"string","isPreferredFacet":true},{"name":"ProcessorInformation","type":"string","isPreferredFacet":true},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"}],"related":{"categories":["workloads"],"solutions":["InfrastructureInsights"]}},{"id":"ZTSJobStatus","name":"ZTSJobStatus","tableType":"Microsoft","description":"Job status logs for Zero Trust 
Segmentation.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"UTC timestamp when the log was generated."},{"name":"JobMessage","type":"string","description":"Job message."},{"name":"JobErrorCode","type":"string","description":"Short, stable error code emitted with the job status log (e.g. 'None', 'JobDeleteFailed', 'NoWorkspaceConnectivity', 'PartialWorkspaceConnectivity', 'RequestValidationFailed', 'JobScheduleFailed', 'RunFailed')."},{"name":"CorrelationId","type":"string","description":"ZTS correlation ID used in support scenarios."},{"name":"Location","type":"string","description":"Azure region of the resource."},{"name":"LogLevel","type":"string","description":"Indicates the log level."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit"],"resourceTypes":["microsoft.zerotrustsegmentation/segmentationmanagers"],"solutions":["LogManagement"]}},{"id":"ZTSRequest","name":"ZTSRequest","tableType":"Microsoft","description":"Requests made to the Zero Trust Segmentation service.","timespanColumn":"TimeGenerated","tableAPIState":"Any","isTroubleshootingAllowed":true,"columns":[{"name":"TenantId","type":"string"},{"name":"TimeGenerated","type":"datetime","description":"UTC timestamp when the log record was generated."},{"name":"OperationName","type":"string","description":"The operation performed in the request."},{"name":"OperationVersion","type":"string","description":"The API version against 
which the operation was performed."},{"name":"Uri","type":"string","description":"The full URI of the request, including endpoint and query parameters."},{"name":"ResultType","type":"string","description":"The result type of the request operation."},{"name":"HttpStatusCode","type":"int","description":"HTTP response status code."},{"name":"CorrelationId","type":"string","description":"Internal ZTS correlation ID used in support scenarios."},{"name":"Location","type":"string","description":"Azure region or location of the resource."},{"name":"Properties","type":"dynamic","description":"Additional properties related to the request, stored as a JSON object."},{"name":"SourceSystem","type":"string"},{"name":"Type","type":"string","description":"The name of the table"},{"name":"_IsBillable","type":"string"},{"name":"_BilledSize","type":"real"},{"name":"_ResourceId","type":"string","description":"A unique identifier for the resource that the record is associated with"},{"name":"_SubscriptionId","type":"string","description":"A unique identifier for the subscription that the record is associated with"}],"related":{"categories":["resources","audit","network"],"resourceTypes":["microsoft.zerotrustsegmentation/segmentationmanagers"],"solutions":["LogManagement"],"queries":["716e9029-57e3-485d-87f4-97497192d3cb"]}}],"solutions":[{"id":"ADAssessment","name":"ADAssessment","displayName":"Active Directory Health Check","description":"Assess the risk and health of Active Directory 
environments.","related":{"tables":["ADAssessmentRecommendation"],"queries":["ddf445a1-d5a6-11ea-aba2-c8348e03e0b8","ddf445a2-d5a6-11ea-be86-c8348e03e0b8","ddf445a3-d5a6-11ea-8248-c8348e03e0b8","ddf445a4-d5a6-11ea-9289-c8348e03e0b8","ddf445a5-d5a6-11ea-8158-c8348e03e0b8","ddf445a6-d5a6-11ea-b3b7-c8348e03e0b8","ddf445a7-d5a6-11ea-aae9-c8348e03e0b8","ddf445a8-d5a6-11ea-8d3c-c8348e03e0b8"]}},{"id":"ADAssessmentPlus","name":"ADAssessmentPlus","related":{"tables":["ADAssessmentRecommendation"]}},{"id":"ADReplication","name":"ADReplication","displayName":"AD Replication Status","description":"Identify Active Directory replication issues in your environment.","related":{"tables":["ADReplicationResult"]}},{"id":"ADSecurityAssessment","name":"ADSecurityAssessment","related":{"tables":["ADSecurityAssessmentRecommendation"]}},{"id":"AlertManagement","name":"AlertManagement","displayName":"Alert Management","description":"View your Operations Manager and Log Analytics log alerts to easily triage alerts and identify the root causes of problems in your environment.","related":{"tables":["AlertHistory"]}},{"id":"AntiMalware","name":"AntiMalware","displayName":"Antimalware Assessment","description":"View status of antivirus and antimalware scans across your 
servers.","related":{"tables":["ProtectionStatus"],"queries":["51c067a6-a025-11ea-a1b8-c8348e02520c","51c43753-a025-11ea-b382-c8348e02520c","51c6ccf0-a025-11ea-93fd-c8348e02520c"]}},{"id":"ApplicationInsights","name":"ApplicationInsights","related":{"tables":["ApplicationInsights"]}},{"id":"AzureAssessment","name":"AzureAssessment","related":{"tables":["AzureAssessmentRecommendation"]}},{"id":"AzureResources","name":"AzureResources","related":{"tables":["ContainerImageInventory","ContainerNodeInventory","ContainerServiceLog","KubeEvents","KubeHealth","KubeMonAgentEvents","KubePodInventory","KubeServices","VMConnection","KubePVInventory","WindowsClientAssessmentRecommendation","AzureAssessmentRecommendation","ExchangeAssessmentRecommendation","ExchangeOnlineAssessmentRecommendation","SCCMAssessmentRecommendation","SfBAssessmentRecommendation","SfBOnlineAssessmentRecommendation","SharePointOnlineAssessmentRecommendation","SPAssessmentRecommendation","WindowsServerAssessmentRecommendation","ADAssessmentRecommendation","ADSecurityAssessmentRecommendation","SCOMAssessmentRecommendation","SQLAssessmentRecommendation","ADReplicationResult","HealthStateChangeEvent","VMComputer","VMProcess","VMBoundPort","KubeNodeInventory","ContainerLogV2","InsightsMetrics","ContainerInventory","ContainerLog"],"functions":["bd5b5b75-dad2-40f2-b2f1-a58a0b41106d","7625213e-e8e7-433c-9f64-fdc984ad7ee0","cd3f45c0-2b70-42d9-bbad-cbbe7f3ee715","86401b72-78ca-46bd-a1ef-2f63d9230a5c","d6dad52a-5669-4cb4-bbbe-d5d1e4f9435d","2d003852-e92b-49b3-b12e-164332b0edab","f7a72ca9-df71-4cfb-811a-ea70469f3e3f"]}},{"id":"AzureSecurityOfThings","name":"AzureSecurityOfThings","related":{"tables":["SecurityRecommendation","DefenderIoTRawEvent","SecurityAlert","SecurityIoTRawEvent"]}},{"id":"AzureSentinelDSRE","name":"AzureSentinelDSRE","related":{"tables":["DynamicEventCollection"]}},{"id":"AzureSentinelPrivatePreview","name":"AzureSentinelPrivatePreview","related":{"tables":["OfficeActivity"]}},{"id":"BehaviorAna
lyticsInsights","name":"BehaviorAnalyticsInsights","displayName":"Microsoft Sentinel UEBA","related":{"tables":["UserAccessAnalytics","UserPeerAnalytics","BehaviorAnalytics","IdentityInfo"]}},{"id":"ChangeTracking","name":"ChangeTracking","displayName":"Change Tracking","description":"Track configuration changes across your servers","related":{"tables":["ConfigurationData","ConfigurationChange"],"queries":["f82e75cb-dd42-11ea-82ac-c8348e03e0b8","f82e75cc-dd42-11ea-a557-c8348e03e0b8","f82e75cd-dd42-11ea-909e-c8348e03e0b8","f82e75ce-dd42-11ea-b511-c8348e03e0b8","f82e75cf-dd42-11ea-bcfc-c8348e03e0b8","f82e75d0-dd42-11ea-91f3-c8348e03e0b8","f82e75d1-dd42-11ea-991a-c8348e03e0b8","f82e75d2-dd42-11ea-b46b-c8348e03e0b8"]}},{"id":"CompatibilityAssessment","name":"CompatibilityAssessment","displayName":"Upgrade Readiness","description":"Use a data-driven approach to streamline and accelerate Windows upgrades.","related":{"tables":["UADriver","UASysReqIssue","UAIESiteDiscovery","UAOfficeAddIn","UAProposedActionPlan","UAComputer","UAUpgradedComputer","UAApp","UAComputerRank","UAFeedback","UADriverProblemCodes"]}},{"id":"ContainerInsights","name":"ContainerInsights","related":{"tables":["ContainerImageInventory","ContainerNodeInventory","ContainerServiceLog","KubeEvents","KubeHealth","KubeMonAgentEvents","KubePodInventory","KubeServices","KubePVInventory","KubeNodeInventory","ContainerLogV2","InsightsMetrics","ContainerInventory","ContainerLog"],"queries":["fa69eeb1-8569-11ea-8fe4-c8348e02520c","59d1df0c-9f8c-4d39-88b2-9c649b110aa3","fa6b98ca-8569-11ea-9445-c8348e02520c","fa6be679-8569-11ea-82ff-c8348e02520c","fa6cf7e0-8569-11ea-9523-c8348e02520c","fa6d45fc-8569-11ea-9289-c8348e02520c","fa6e5843-8569-11ea-8d4b-c8348e02520c","fa6eccc5-8569-11ea-9088-c8348e02520c","fa6f41c2-8569-11ea-98c6-c8348e02520c","fa6f8fde-8569-11ea-a8f6-c8348e02520c","fa705446-8569-11ea-aa86-c8348e02520c","fa7200ef-8569-11ea-b3aa-c8348e02520c","fa724f0c-8569-11ea-931d-c8348e02520c","fa729d2f-8569-11ea-8e66-
c8348e02520c","fa73fd03-8569-11ea-aa34-c8348e02520c","fa7471e0-8569-11ea-b6ce-c8348e02520c"]}},{"id":"Containers","name":"Containers","displayName":"Container Monitoring Solution","description":"See performance metrics and logs from Docker containers across your public or private cloud.","related":{"tables":["ContainerImageInventory","ContainerServiceLog","ContainerInventory","ContainerLog"]}},{"id":"CustomizedWindowsEventsFiltering","name":"CustomizedWindowsEventsFiltering","related":{"tables":["WindowsEvent"]}},{"id":"DeviceHealthProd","name":"DeviceHealthProd","displayName":"Device Health","description":"Proactively detect end-user impacting issues","related":{"tables":["DHOSCrashData","DHDriverReliability","DHWipAppLearning","DHOSReliability","DHLogonFailures","DHLogonMetrics","DHAppReliability"]}},{"id":"DnsAnalytics","name":"DnsAnalytics","displayName":"DNS Analytics (Preview)","description":"Provides security, performance and operations related insights into DNS infrastructure","related":{"tables":["DnsEvents","DnsInventory"],"queries":["ddf46cad-d5a6-11ea-a398-c8348e03e0b8"]}},{"id":"ExchangeAssessment","name":"ExchangeAssessment","related":{"tables":["ExchangeAssessmentRecommendation"]}},{"id":"ExchangeOnlineAssessment","name":"ExchangeOnlineAssessment","related":{"tables":["ExchangeOnlineAssessmentRecommendation"]}},{"id":"InfrastructureInsights","name":"InfrastructureInsights","related":{"tables":["WorkloadMonitoringPerf","VMConnection","VMBoundPort","InsightsMetrics"]}},{"id":"InternalWindowsEvent","name":"InternalWindowsEvent","related":{"tables":["WindowsEvent"]}},{"id":"KeyVault","name":"KeyVault","related":{"tables":["KeyVaults"]}},{"id":"LogManagement","name":"LogManagement","related":{"tables":["Perf","W3CIISLog","ETWEvent","ServiceFabricReliableServiceEvent","ServiceFabricOperationalEvent","ServiceFabricReliableActorEvent","ComputerGroup","Operation","AppCenterError","AzureActivity","BlockchainApplicationLog","BlockchainProxyLog","MicrosoftDataSha
reShareLog","AppServiceAuditLogs","AppServiceFileAuditLogs","ContainerRegistryRepositoryEvents","AppServiceAppLogs","HDInsightStormMetrics","HDInsightAmbariSystemMetrics","HDInsightAmbariClusterAlerts","HDInsightSparkLogs","HDInsightSecurityLogs","HDInsightHiveAndLLAPLogs","HDInsightHadoopAndYarnLogs","HDInsightOozieLogs","HDInsightHiveAndLLAPMetrics","HDInsightHadoopAndYarnMetrics","NWConnectionMonitorDestinationListenerResult","AppServiceIPSecAuditLogs","AppServiceAntivirusScanAuditLogs","ADFSSISIntegrationRuntimeLogs","ADFSSISPackageEventMessages","ADFSSISPackageEventMessageContext","ADFSSISPackageExecutableStatistics","ADFSSISPackageExecutionComponentPhases","ADFSSISPackageExecutionDataStatistics","ABSBotRequests","AEWAuditLogs","TSIIngress","HDInsightKafkaLogs","HDInsightKafkaMetrics","HDInsightHBaseLogs","HDInsightHBaseMetrics","HDInsightStormLogs","HDInsightStormTopologyMetrics","HDInsightSparkApplicationEvents","HDInsightSparkBlockManagerEvents","HDInsightSparkEnvironmentEvents","HDInsightJupyterNotebookEvents","HDInsightSparkExecutorEvents","HDInsightSparkJobEvents","HDInsightSparkSQLExecutionEvents","HDInsightSparkStageEvents","HDInsightSparkStageTaskAccumulables","HDInsightSparkTaskEvents","HDInsightRangerAuditLogs","MicrosoftDataShareReceivedSnapshotLog","MicrosoftDataShareSentSnapshotLog","PurviewScanStatusLogs","HDInsightHiveQueryAppStats","HDInsightHiveTezAppStats","ADTDigitalTwinsOperation","ADTEventRoutesOperation","ADTModelsOperation","ACICollaborationAudit","AppPlatformLogsforSpring","MCCEventLogs","AmlComputeInstanceEvent","AmlDataLabelEvent","AmlDataSetEvent","AmlDataStoreEvent","AmlDeploymentEvent","AmlInferencingEvent","AmlModelsEvent","AmlPipelineEvent","AmlRunEvent","AmlEnvironmentEvent","SynapseDXCommand","SynapseDXFailedIngestion","SynapseDXIngestionBatching","SynapseDXQuery","SynapseDXSucceededIngestion","SynapseDXTableDetails","SynapseDXTableUsageStatistics","WVDErrors","AppPlatformIngressLogs","AppPlatformBuildLogs","WebPubSubConnectivi
ty","WebPubSubHttpRequest","WebPubSubMessaging","Heartbeat","WVDAgentHealthStatus","HDInsightSparkExtraEvents","AppServiceHTTPLogs","DSMAzureBlobStorageLogs","WVDConnectionNetworkData","AegDeliveryFailureLogs","AegPublishFailureLogs","AuditLogs","AppPlatformSystemLogs","AppPlatformContainerEventLogs","AppServicePlatformLogs","OLPSupplyChainEvents","AutoscaleScaleActionsLog","AgriFoodSensorManagementLogs","ADTQueryOperation","AADB2CRequestLogs","ADFSandboxActivityRun","ADTDataHistoryOperation","ADFPipelineRun","AmlOnlineEndpointEventLog","SignalRServiceDiagnosticLogs","PFTitleAuditLogs","VIAudit","VIIndexing","WVDConnectionGraphicsDataPreview","AzureAttestationDiagnostics","MCVPOperationLogs","MCVPAuditLogs","SynapseGatewayApiRequests","SynapseIntegrationPipelineRuns","SynapseIntegrationActivityRuns","SynapseBigDataPoolApplicationsEnded","SynapseBuiltinSqlPoolRequestsEnded","AgriFoodFarmManagementLogs","AgriFoodWeatherLogs","AgriFoodSatelliteLogs","AgriFoodFarmOperationLogs","AgriFoodProviderAuthLogs","AgriFoodApplicationAuditLogs","AgriFoodModelInferenceLogs","AgriFoodInsightLogs","AgriFoodJobProcessedLogs","ResourceManagementPublicAccessLogs","AGSGrafanaLoginEvents","AzureLoadTestingOperation","CassandraAudit","PurviewDataSensitivityLogs","AEWComputePipelinesLogs","HDInsightGatewayAuditLogs","OLPSupplyChainEntityOperations","AppServiceServerlessSecurityPluginData","StorageCacheOperationEvents","StorageCacheUpgradeEvents","StorageCacheWarningEvents","HDInsightKafkaServerLog","UCClientReadinessStatus","UCDeviceAlert","UCServiceUpdateStatus","UCUpdateAlert","WVDHostRegistrations","LogicAppWorkflowRuntime","Event","ASCDeviceEvents","StorageMoverJobRunLogs","MicrosoftAzureBastionAuditLogs","AmlOnlineEndpointConsoleLog","AmlOnlineEndpointTrafficLog","AmlRegistryReadEventsLog","AmlRegistryWriteEventsLog","AADDomainServicesAccountManagement","AADDomainServicesDirectoryServiceAccess","AADDomainServicesPolicyChange","AADDomainServicesPrivilegeUse","WVDAutoscaleEvaluationPool
ed","OEPAuditLogs","ApiManagementWebSocketConnectionLogs","OEPAirFlowTask","PurviewSecurityLogs","AmlComputeCpuGpuUtilization","ContainerInstanceLog","ContainerEvent","DCRLogErrors","DCRLogTroubleshooting","CassandraLogs","FailedIngestion","ADXIngestionBatching","ADXJournal","SucceededIngestion","ADXTableDetails","ADXTableUsageStatistics","Windows365AuditLogs","AmlRunStatusChangedEvent","AzureMetricsV2","AppServiceAuthenticationLogs","AEWAssignmentBlobLogs","LASummaryLogs","AddonAzureBackupAlerts","AddonAzureBackupJobs","AddonAzureBackupPolicy","AddonAzureBackupStorage","CoreAzureBackup","AADDomainServicesLogonLogoff","ASRReplicatedItems","AzureBackupOperations","CIEventsAudit","CIEventsOperational","SynapseRbacOperations","AddonAzureBackupProtectedInstance","NTATopologyDetails","AMWMetricsUsageDetails","ASRJobs","UCClient","UCClientUpdateStatus","NTAIpDetails","NTAInsights","ApiManagementGatewayLogs","ContainerAppSystemLogs","NGXSecurityLogs","AzureMetrics","WVDFeeds","WVDManagement","WVDSessionHostManagement","ADXDataOperation","AGSGrafanaUsageInsightsEvents","SVMPoolExecutionLog","SVMPoolRequestLog","OEWExperimentScorecardMetricPairs","Alert","ADXCommand","ADXQuery","WVDConnections","ACSEmailStatusUpdateOperational","ACSChatIncomingOperations","ACSSMSIncomingOperations","ACSOptOutManagementOperations","ACSAuthIncomingOperations","ACSBillingUsage","ACSCallingMetrics","ACSCallSurvey","ACSCallClientServiceRequestAndOutcome","ACSCallClientOperations","ACSCallClientMediaStatsTimeSeries","ACSEmailSendMailOperational","ACSCallRecordingIncomingOperations","ACSCallRecordingSummary","ACSCallClosedCaptionsSummary","ACSJobRouterIncomingOperations","ACSRoomsIncomingOperations","ACSCallAutomationMediaSummary","ACSAdvancedMessagingOperations","AKSAudit","AKSAuditAdmin","WOUserAudits","WOUserDiagnostics","AzureDevOpsAuditing","ACRConnectedClientList","AZFWNetworkRule","AZFWFatFlow","AZFWFlowTrace","AZFWApplicationRule","AZFWThreatIntel","AZFWNatRule","AZFWIdpsSignature","AZFWInt
ernalFqdnResolutionFailure","AZFWNetworkRuleAggregation","AZFWApplicationRuleAggregation","AZFWNatRuleAggregation","NCBMSystemLogs","NCBMSecurityLogs","NCBMSecurityDefenderLogs","NCBMBreakGlassAuditLogs","AZMSOperationalLogs","AZMSRunTimeAuditLogs","AZMSDiagnosticErrorLogs","BehaviorInfo","BehaviorEntities","DeviceBehaviorInfo","DeviceBehaviorEntities","PowerBIDatasetsTenant","PowerBIDatasetsWorkspace","DatabricksAccounts","DatabricksClusters","DatabricksDBFS","DatabricksInstancePools","DatabricksJobs","DatabricksNotebook","DatabricksSecrets","DatabricksSQLPermissions","DatabricksSSH","DatabricksWorkspace","OEWAuditLogs","OEWExperimentAssignmentSummary","OEWExperimentScorecards","SynapseSqlPoolSqlRequests","DatabricksCapsule8Dataplane","DatabricksClamAVScan","DatabricksClusterLibraries","DatabricksDatabricksSQL","DatabricksDeltaPipelines","DatabricksFeatureStore","DatabricksGenie","DatabricksGitCredentials","DatabricksGlobalInitScripts","DatabricksIAMRole","DatabricksMLflowAcledArtifact","DatabricksMLflowExperiment","DatabricksModelRegistry","DatabricksServerlessRealTimeInference","DatabricksPartnerHub","DatabricksRemoteHistoryService","DatabricksRepos","DatabricksSQL","DatabricksUnityCatalog","DatabricksWebTerminal","IntuneAuditLogs","IntuneDeviceComplianceOrg","IntuneOperationalLogs","AVSVcSyslog","AVSEsxiFirewallSyslog","AVSEsxiSyslog","AVSNsxManagerSyslog","AVSNsxEdgeSyslog","AVSSyslog","ADFTriggerRun","StorageBlobLogs","StorageFileLogs","StorageQueueLogs","StorageTableLogs","AADDomainServicesDNSAuditsDynamicUpdates","AADDomainServicesDNSAuditsGeneral","AGWPerformanceLogs","ACSCallDiagnostics","ACSCallDiagnosticsUpdates","ACSCallSummary","ACSCallSummaryUpdates","ContainerAppConsoleLogs","AppEnvSpringAppConsoleLogs","AppEnvSessionConsoleLogs","AppEnvSessionPoolEventLogs","AppEnvSessionLifecycleLogs","DevCenterDiagnosticLogs","DevCenterResourceOperationLogs","IntuneDevices","MicrosoftGraphActivityLogs","APIMDevPortalAuditDiagnosticLog","ApiManagementGatewayLlmLog"
,"ArcK8sAudit","ArcK8sAuditAdmin","ArcK8sControlPlane","TOUserAudits","TOUserDiagnostics","CloudHsmServiceOperationAuditLogs","DataTransferOperations","DNSQueryLogs","EGNSuccessfulMqttConnections","EGNFailedMqttConnections","EGNMqttDisconnections","EGNFailedMqttPublishedMessages","EGNFailedMqttSubscriptions","AZMSVnetConnectionEvents","AZMSArchiveLogs","AZMSAutoscaleLogs","AZMSKafkaCoordinatorLogs","AZMSKafkaUserErrorLogs","AZMSCustomerManagedKeyUserLogs","AHDSMedTechDiagnosticLogs","AHDSDicomDiagnosticLogs","AHDSDicomAuditLogs","AZKVAuditLogs","AZKVPolicyEvaluationDetailsLogs","MNFDeviceUpdates","MNFSystemStateMessageUpdates","MNFSystemSessionHistoryUpdates","ASRv2JobEvents","ASRv2HealthEvents","ASRv2ReplicationVaults","ASRv2ReplicationPolicies","ASRv2ReplicationExtensions","ASRv2ProtectedItems","NCMClusterOperationsLogs","NCCKubernetesLogs","NCCPlatformOperationsLogs","NCCVMOrchestrationLogs","NCSStorageAudits","NCSStorageAlerts","NCSStorageLogs","ALBHealthEvent","NatGatewayFlowlogsV1","REDConnectionEvents","AZMSHybridConnectionsEvents","ASCAuditLogs","SCGPoolExecutionLog","SCGPoolRequestLog","AVNMNetworkGroupMembershipChange","AVNMRuleCollectionChange","AVNMConnectivityConfigurationChange","AVNMIPAMPoolAllocationChange","ChaosStudioExperimentEventLogs","DevCenterBillingEventLogs","MDPResourceLog","AEWExperimentAssignmentSummary","AEWExperimentScorecards","AEWExperimentScorecardMetricPairs","AHDSDeidAuditLogs","CCFApplicationLogs","MDCFileIntegrityMonitoringEvents","MDCDetectionFimEvents","MDCDetectionK8SApiEvents","MDCDetectionDNSEvents","MDCDetectionGatingValidationEvents","MDCDetectionProcessV2Events","AMSKeyDeliveryRequests","AMSMediaAccountHealth","AMSLiveEventOperations","AMSStreamingEndpointRequests","AOIDigestion","AOIDatabaseQuery","AOIStorage","NGXOperationLogs","NginxUpstreamUpdateLogs","AFSAuditLogs","StorageMoverCopyLogsFailed","StorageMoverCopyLogsTransferred","SynapseSqlPoolExecRequests","SynapseSqlPoolRequestSteps","SynapseSqlPoolDmsWorkers","Synap
seSqlPoolWaits","AmlComputeClusterEvent","AmlComputeClusterNodeEvent","AmlComputeJobEvent","ACSCallAutomationIncomingOperations","ACSCallAutomationStreamingUsage","AKSControlPlane","AZMSApplicationMetricLogs","ContainerRegistryLoginEvents","NWConnectionMonitorTestResult","NWConnectionMonitorPathResult","NWConnectionMonitorDNSResult","AppAvailabilityResults","AppBrowserTimings","AppEvents","AppExceptions","AppMetrics","AppPageViews","AppPerformanceCounters","AppSystemEvents","WVDCheckpoints","ADFSandboxPipelineRun","AADDomainServicesSystemSecurity","DatabricksTables","ACSEmailUserEngagementOperational","AirflowDagProcessingLogs","ADFAirflowSchedulerLogs","ADFAirflowTaskLogs","ADFAirflowWebLogs","ADFAirflowWorkerLogs","AppDependencies","AppRequests","WorkloadDiagnosticLogs","SynapseLinkEvent","SynapseIntegrationTriggerRuns","SQLSecurityAuditEvents","SynapseScopePoolScopeJobsEnded","SynapseScopePoolScopeJobsStateChange","UCDOAggregatedStatus","AADGraphActivityLogs","LIATrackingEvents","NSPAccessLogs","LAJobLogs","DSMDataClassificationLogs","DSMDataLabelingLogs","AGCAccessLogs","AGCFirewallLogs","CDBDataPlaneRequests","CDBPartitionKeyStatistics","CDBPartitionKeyRUConsumption","CDBQueryRuntimeStatistics","CDBMongoRequests","CDBCassandraRequests","CDBGremlinRequests","CDBTableApiRequests","CDBControlPlaneRequests","EGNSuccessfulHttpDataPlaneOperations","EGNFailedHttpDataPlaneOperations","AegDataPlaneRequests","NCCIDRACLogs","ATCExpressRouteCircuitIpfix","ATCPrivatePeeringMetadata","ATCMicrosoftPeeringMetadata","MicrosoftServicePrincipalSignInLogs","AADCustomSecurityAttributeAuditLogs","AADProvisioningLogs","ADFSSignInLogs","AADUserRiskEvents","AADRiskyUsers","AADServicePrincipalRiskEvents","AADRiskyServicePrincipals","MySqlAuditLogs","MySqlSlowLogs","PGSQLPgStatActivitySessions","PGSQLDbTransactionsStats","PGSQLQueryStoreRuntime","PGSQLQueryStoreWaits","PGSQLAutovacuumStats","PGSQLServerLogs","PGSQLPgBouncer","OGOAuditLogs","MPCIngestionLogs","ACREntraAuthenticationAuditL
og","OracleCloudDatabase","ADFActivityRun","AppServiceConsoleLogs","AppTraces","AutoscaleEvaluationsLog","FunctionAppLogs","InsightsMetrics","MicrosoftHealthcareApisAuditLogs","AADDomainServicesAccountLogon","DataSetRuns","DataSetOutput","PerfInsightsRun","PerfInsightsFindings","PerfInsightsImpactedResources","AppServiceEnvironmentPlatformLogs","AACHttpRequest","ACLTransactionLogs","ACLUserDefinedLogs","DevCenterAgentHealthLogs","DevCenterConnectionLogs","NTARuleRecommendation","Syslog","MeshControlPlane","AHCIDiagnosticLogs","RetinaNetworkFlowLogs","ContainerNetworkLogs","AZFWDnsQuery","AZFWDnsFlowTrace","DurableTaskSchedulerLogs","ZTSRequest","ApiManagementGatewayMCPLog","PGSQLQueryStoreQueryText","OTelResources","OTelSpans","OTelEvents","OTelTraces","OTelTracesAgent","AGSUpdateEvents","DatabricksBrickStoreHttpGateway","DatabricksDashboards","DatabricksCloudStorageMetadata","DatabricksPredictiveOptimization","DatabricksDataMonitoring","DatabricksIngestion","DatabricksMarketplaceConsumer","DatabricksLineageTracking","DatabricksFilesystem","DatabricksApps","DatabricksClusterPolicies","DatabricksDataRooms","DatabricksGroups","DatabricksMarketplaceProvider","DatabricksOnlineTables","DatabricksRBAC","DatabricksRFA","DatabricksVectorSearch","DatabricksWebhookNotifications","DatabricksWorkspaceFiles","DatabricksLakeviewConfig","DatabricksFiles","DatabricksBudgetPolicyCentral","OEPElasticOperator","OEPElasticsearch","OEPDataplaneLogs","WVDMultiLinkAdd","EdgeActionConsoleLog","EdgeActionServiceLog","AGWAccessLogs","NTANetAnalytics","CDBDataPlaneRequests5M","CDBDataPlaneRequests15M","StorageMalwareScanningResults","NCCKubernetesAPIAuditLogs","NetworkAccessGenerativeAIInsights","EnrichedMicrosoft365AuditLogs","NetworkAccessAlerts","AACAudit","NetworkAccessConnectionEvents","AppGenAIContent","SigninLogs","QuantumProviderAccountJobAuditLogs","QuantumProviderAccountQueueAuditLogs","QuantumProviderAccountTargetAuditLogs","QuantumWorkspaceJobAuditLogs","LedgerUserDefinedLogs","Le
dgerTransactionLogs","AADServicePrincipalSignInLogs","AADManagedIdentitySignInLogs","AADAgentRiskEvents","AADRiskyAgents","RemoteNetworkHealthLogs","StorageMoverAuditLogs","NTANspRuleRecommendation","Usage","AzureMonitorPipelineLogErrors","SecurityCaseEvent","AMAHealth","MicrosoftGraphPolicyLogs","AGWFirewallLogs","ANFFileAccess","ANFTopClientReadIOPS","ANFTopClientWriteIOPS","ANFTopFileReadIOPS","ANFTopFileWriteIOPS","AzureSQLQueryStoreWaitStatistics","AzureSQLAutomaticTuning","AzureSQLBlocks","AzureSQLDatabaseWaitStatistics","AzureSQLDeadlocks","AzureSQLErrors","AzureSQLQueryStoreRuntimeStatistics","AzureSQLResourceUsageStats","AzureSQLTimeouts","AADNonInteractiveUserSignInLogs","NetworkAccessTraffic","DeviceCustomFileEvents","DeviceCustomNetworkEvents","DeviceCustomRegistryEvents","DeviceCustomScriptEvents","DeviceCustomProcessEvents","DeviceCustomImageLoadEvents","ADGSyslogEvent","OTelLogs","MDECustomCollectionDeviceFileEvents","VCoreMongoRequests","ContainerAppHTTPLogs","DiscoveryBookshelfAuditLogs","DiscoverySupercomputerAuditLogs","DiscoveryWorkspaceAuditLogs","GraphNotificationsActivityLogs","UCDOStatus","LAQueryLogs","ZTSJobStatus","AzureDiagnostics"],"queries":["9b2174e7-b6a3-4613-8f0b-df0bb7cef53e","548e7a2f-4c64-41c2-a5e7-50cefeaaf87b","fa983d75-eb88-4a9a-a890-715661e8a5b2","3fee872d-3c17-4d12-ae85-b270c2af27a1","df6e5ae0-de57-401f-9161-0bf1e39a5309","f615beb4-a0b8-4fe6-a477-3662e6ff0526","8e4177ab-8bf4-4d77-9a00-b9122a27d83a","522fe594-74dd-4e4e-913a-a025b0b10595","cf3c0e16-b107-4df0-8ab9-fc6b56846f34","ba88f54c-7334-11ea-b97f-c8348e02520c","ba896aa0-7334-11ea-b814-c8348e02520c","ba8bb46d-7334-11ea-ae17-c8348e02520c","ba8db056-7334-11ea-bb30-c8348e02520c","ba9048b7-7334-11ea-aa22-c8348e02520c","ba90e48d-7334-11ea-be6e-c8348e02520c","ba926c00-7334-11ea-9216-c8348e02520c","ba92e06e-7334-11ea-a524-c8348e02520c","ba93559a-7334-11ea-aa00-c8348e02520c","0932fe64-c205-11ea-8cfc-c8348e03e0b8","09339aab-c205-11ea-b403-c8348e03e0b8","09339aac-c205-11ea-ad1e-c8348
e03e0b8","09339aad-c205-11ea-9405-c8348e03e0b8","09339aae-c205-11ea-a66c-c8348e03e0b8","09339aaf-c205-11ea-8a79-c8348e03e0b8","09339ab0-c205-11ea-8471-c8348e03e0b8","09339ab1-c205-11ea-b87c-c8348e03e0b8","09339ab2-c205-11ea-bbde-c8348e03e0b8","09339ab3-c205-11ea-9701-c8348e03e0b8","09339ab4-c205-11ea-80dd-c8348e03e0b8","09339ab5-c205-11ea-b4f6-c8348e03e0b8","09339ab6-c205-11ea-9eb2-c8348e03e0b8","09339ab7-c205-11ea-b31c-c8348e03e0b8","09339ab8-c205-11ea-be95-c8348e03e0b8","09339ab9-c205-11ea-9088-c8348e03e0b8","09339aba-c205-11ea-9bcb-c8348e03e0b8","09339abb-c205-11ea-883c-c8348e03e0b8","09339abc-c205-11ea-8ebf-c8348e03e0b8","09339abd-c205-11ea-af17-c8348e03e0b8","09339abe-c205-11ea-b842-c8348e03e0b8","09339abf-c205-11ea-af78-c8348e03e0b8","0933c1b3-c205-11ea-a4a3-c8348e03e0b8","0933c1b4-c205-11ea-a4fb-c8348e03e0b8","0933c1b5-c205-11ea-920a-c8348e03e0b8","0933c1b6-c205-11ea-85b3-c8348e03e0b8","0933c1b7-c205-11ea-9582-c8348e03e0b8","0933c1b8-c205-11ea-bc2b-c8348e03e0b8","0933c1b9-c205-11ea-b166-c8348e03e0b8","0933c1ba-c205-11ea-ab65-c8348e03e0b8","bb604487-0c7f-11eb-b9f5-c8348e03e0b8","bb604488-0c7f-11eb-8dbc-c8348e03e0b8","bb604489-0c7f-11eb-9f1a-c8348e03e0b8","bb60448a-0c7f-11eb-8595-c8348e03e0b8","bb60448b-0c7f-11eb-ba0d-c8348e03e0b8","a4288de6-1d24-11eb-9472-c8348e03e0b8","a42903d6-1d24-11eb-8648-c8348e03e0b8","a42903d7-1d24-11eb-afed-c8348e03e0b8","a42903d8-1d24-11eb-aa16-c8348e03e0b8"],"functions":["b65a317e-7513-4379-b5fc-a467d3daa1d9","29112523-50d8-4bb9-931f-47b8b3da558f","4d3c573b-a3fd-4c2a-8566-fc0b6fbcf48c","19551c5e-1e3e-4425-a1d7-c846a0bca2a1","19551c5e-1e3e-4425-a1d7-c846a0bca2a2","19551c5e-1e3e-4425-a1d7-c846a0bca2a3","19551c5e-1e3e-4425-a1d7-c846a0bca2a4","19551c5e-1e3e-4425-a1d7-c846a0bca2a5","19551c5e-1e3e-4425-a1d7-c846a0bca2a6","19551c5e-1e3e-4425-a1d7-c846a0bca2a7"]}},{"id":"Microsoft365Analytics","name":"Microsoft365Analytics","related":{"tables":["MAWindowsBuildInfo","MAApplicationHealth","MAApplication","MADeploymentPlan","MADriverReadiness",
"MAProposedPilotDevices","MAWindowsCurrencyAssessment","MAWindowsCurrencyAssessmentDailyCounts","MAWindowsDeploymentStatus","MAApplicationInstanceReadiness","MADriverInstanceReadiness","MAApplicationHealthIssues","MAApplicationHealthAlternativeVersions","MAApplicationReadiness","MADevice","MAApplicationInstance","MADeviceReadiness","MADeviceNRT","MAOfficeAddinInstance","MAOfficeAddinReadiness","MAOfficeAddin","MAOfficeAppInstance","MAOfficeAppReadiness","MAOfficeBuildInfo","MAOfficeCurrencyAssessment","MAOfficeSuiteInstance","MADeviceNotEnrolled","MAOfficeAddinHealthEventNRT"]}},{"id":"NetworkMonitoring","name":"NetworkMonitoring","displayName":"Network Performance Monitor","description":"Offers near real time monitoring of network performance parameters like loss and latency.","related":{"tables":["NetworkMonitoring"]}},{"id":"SCCMAssessmentPlus","name":"SCCMAssessmentPlus","related":{"tables":["SCCMAssessmentRecommendation"]}},{"id":"SCOMAssessment","name":"SCOMAssessment","displayName":"System Center Operations Manager Health Check (Preview)","description":"Assess the risk and health of SCOM Server environments.","related":{"tables":["SCOMAssessmentRecommendation"]}},{"id":"SCOMAssessmentPlus","name":"SCOMAssessmentPlus","related":{"tables":["SCOMAssessmentRecommendation"]}},{"id":"SPAssessment","name":"SPAssessment","related":{"tables":["SPAssessmentRecommendation"]}},{"id":"SQLAdvancedThreatProtection","name":"SQLAdvancedThreatProtection","displayName":"SQL Advanced Threat Protection","description":"Monitor SQL Server activity to detect threats and receive action-oriented alerts to your Azure Security Center.","related":{"tables":["SqlAtpStatus"]}},{"id":"SQLAssessment","name":"SQLAssessment","displayName":"SQL Health Check","description":"Assess the risk and health of SQL Server 
environments.","related":{"tables":["SQLAssessmentRecommendation"],"queries":["ddf445a9-d5a6-11ea-b635-c8348e03e0b8","ddf445aa-d5a6-11ea-8aae-c8348e03e0b8","ddf445ab-d5a6-11ea-8a6f-c8348e03e0b8","ddf445ac-d5a6-11ea-b1c0-c8348e03e0b8","ddf445ad-d5a6-11ea-af86-c8348e03e0b8","ddf445ae-d5a6-11ea-a8f6-c8348e03e0b8","ddf445af-d5a6-11ea-93db-c8348e03e0b8"]}},{"id":"SQLAssessmentPlus","name":"SQLAssessmentPlus","related":{"tables":["SQLAssessmentRecommendation"]}},{"id":"SQLThreatDetection","name":"SQLThreatDetection","related":{"tables":["SqlVulnerabilityAssessmentResult"]}},{"id":"SQLVulnerabilityAssessment","name":"SQLVulnerabilityAssessment","displayName":"SQL Vulnerability Assessment","description":"SQL Vulnerability Assessment","related":{"tables":["SqlVulnerabilityAssessmentResult","SqlVulnerabilityAssessmentScanStatus"]}},{"id":"Security","name":"Security","displayName":"Security and Audit","description":"Provides the ability to explore security related data and helps identify security breaches.","related":{"tables":["SecurityEvent","SecurityBaselineSummary","Update","UpdateSummary","SecurityBaseline","SecurityDetection","WindowsFirewall","ProtectionStatus","SecureScoreControls","SecureScores","SecurityRegulatoryCompliance","SecurityRecommendation","SecurityNestedRecommendation","LinuxAuditLog","SecurityAlert","SecurityAttackPathData","CommonSecurityLog"]}},{"id":"SecurityCenter","name":"SecurityCenter","related":{"tables":["SecurityBaselineSummary","Update","UpdateSummary","SecurityBaseline","ProtectionStatus","SecureScoreControls","SecureScores","SecurityRegulatoryCompliance","SecurityNestedRecommendation","SecurityAlert","SecurityAttackPathData"]}},{"id":"SecurityCenterFree","name":"SecurityCenterFree","related":{"tables":["SecurityBaselineSummary","Update","UpdateSummary","SecurityBaseline","ProtectionStatus","SecureScoreControls","SecureScores","SecurityRegulatoryCompliance","SecurityRecommendation","SecurityNestedRecommendation","SecurityAlert","SecurityAttack
PathData"]}},{"id":"SecurityInsights","name":"SecurityInsights","displayName":"Microsoft Sentinel","description":"Microsoft’s cloud native SIEM","related":{"tables":["SecurityEvent","Dynamics365Activity","HuntingBookmark","AWSCloudTrail","DynamicSummary","SecurityIncident","LinuxAuditLog","WindowsEvent","DnsEvents","DnsInventory","SecurityAlert","ConfidentialWatchlist","Anomalies","AWSGuardDuty","AWSCloudWatch","AWSWAF","GCPFirewallLogs","GCPLoadBalancer","GoogleCloudSCC","MicrosoftPurviewInformationProtection","CommunicationComplianceActivity","ProjectActivity","OktaSystemLogs","DataverseActivity","PowerPlatformAdminActivity","ABAPAuditLog","ABAPChangeDocsLog","ABAPUserDetails","ABAPTableDataLog","ABAPAuthorizationDetails","SentinelHealth","SentinelAudit","AggregatedSecurityAlert","ThreatIntelObjects","ThreatIntelIndicators","GCPVPCFlow","GCPDNS","GCPIAM","AWSSecurityHubFindings","OfficeActivity","ThreatIntelligenceIndicator","AWSRoute53Resolver","IlumioInsights","AWSNetworkFirewallAlert","AWSNetworkFirewallFlow","AWSNetworkFirewallTls","GCPCDN","GCPIDS","AlertEvidence","AlertInfo","NetworkSessions","DnsAuditEvents","Watchlist","GCPApigee","AWSS3ServerAccess","GKEAudit","GCPMonitoring","GKEAPIServer","GKEScheduler","GKEControllerManager","GKEHPADecision","GKEApplication","GCPCloudSQL","GCPNAT","GCPNATAudit","GCPResourceManager","GCPComputeEngine","PowerBIActivity","PowerAppsActivity","PowerAutomateActivity","PowerPlatformDlpActivity","PowerPlatformConnectorActivity","DeviceTvmSecureConfigurationAssessment","DeviceTvmSoftwareInventory","DeviceTvmSoftwareVulnerabilities","DeviceTvmSoftwareVulnerabilitiesKB","DeviceTvmSecureConfigurationAssessmentKB","AWSVPCFlow","SentinelBehaviorEntities","ThreatIntelExportOperation","McasShadowItReporting","ASimDhcpEventLogs","ASimFileEventLogs","ASimUserManagementActivityLogs","ASimRegistryEventLogs","ASimAuditEventLogs","ASimNetworkSessionLogs","ASimProcessEventLogs","AWSELBFlowLogs","AWSNLBAccessLogs","AWSALBAccessLogs","GoogleWo
rkspaceReports","SentinelBehaviorInfo","CopilotActivity","QualysKnowledgeBase","ASimAlertEventLogs","ASimDnsActivityLogs","ASimWebSessionLogs","GCPCloudRun","AWSEKSLogs","ASimAuthenticationEventLogs","CommonSecurityLog","Rapid7InsightVMCloudAssets","Rapid7InsightVMCloudVulnerabilities","SentinelAlibabaCloudVPCFlowLogs","SentinelAlibabaCloudWAFLogs","SentinelAlibabaCloudAPIGatewayLogs","GCPAuditLogs","SalesforceAuditTrail","SalesforceLoginHistory","CloudAppEvents","OAuthAppInfo","IdentityLogonEvents","IdentityQueryEvents","IdentityDirectoryEvents","IdentityEvents","IdentityAccountInfo","EmailAttachmentInfo","EmailEvents","EmailPostDeliveryEvents","EmailUrlInfo","UrlClickEvents","FileMaliciousContentInfo","CampaignInfo","MessageEvents","MessagePostDeliveryEvents","MessageUrlInfo","CloudAuditEvents","CloudProcessEvents","CloudStorageAggregatedEvents","CloudDnsEvents","ASimAgentEventLogs","DeviceNetworkInfo","DeviceNetworkEvents","DeviceProcessEvents","DeviceRegistryEvents","DeviceInfo","DeviceFileEvents","DeviceLogonEvents","DeviceImageLoadEvents","DeviceEvents","DeviceFileCertificateInfo","DisruptionAndResponseEvents","CrowdStrikeVulnerabilities","CrowdStrikeAlerts","CrowdStrikeIncidents","CrowdStrikeDetections","CrowdStrikeHosts","CrowdStrikeCases","CrowdStrikeAuditEvents","SentinelImpervaWAFCloudV2Logs","ASimAssetEntityLogs"],"queries":["ddf445b0-d5a6-11ea-bc48-c8348e03e0b8","ddf445b1-d5a6-11ea-babb-c8348e03e0b8","ddf445b2-d5a6-11ea-85c6-c8348e03e0b8","ddf445b3-d5a6-11ea-90d5-c8348e03e0b8","ddf445b4-d5a6-11ea-9688-c8348e03e0b8","ddf445b5-d5a6-11ea-a854-c8348e03e0b8","ddf445b6-d5a6-11ea-a2ab-c8348e03e0b8","ddf445b7-d5a6-11ea-916b-c8348e03e0b8","ddf445b8-d5a6-11ea-bc05-c8348e03e0b8","ddf445b9-d5a6-11ea-bdff-c8348e03e0b8","ddf445ba-d5a6-11ea-83b5-c8348e03e0b8","ddf445bb-d5a6-11ea-8592-c8348e03e0b8","ddf445bc-d5a6-11ea-a24e-c8348e03e0b8","ddf445bd-d5a6-11ea-bb95-c8348e03e0b8","ddf445be-d5a6-11ea-852f-c8348e03e0b8","ddf445bf-d5a6-11ea-9218-c8348e03e0b8","ddf445c0-d5a6-11
ea-bc3f-c8348e03e0b8","ddf445c1-d5a6-11ea-92b8-c8348e03e0b8","ddf445c2-d5a6-11ea-81dd-c8348e03e0b8","ddf445c3-d5a6-11ea-b003-c8348e03e0b8","ddf46ca0-d5a6-11ea-b455-c8348e03e0b8","ddf46ca1-d5a6-11ea-86fb-c8348e03e0b8","ddf46ca2-d5a6-11ea-ae07-c8348e03e0b8","ddf46ca3-d5a6-11ea-b6a7-c8348e03e0b8","ddf46ca4-d5a6-11ea-b876-c8348e03e0b8","ddf46ca5-d5a6-11ea-8e9f-c8348e03e0b8","ddf46ca6-d5a6-11ea-8642-c8348e03e0b8","ddf46ca7-d5a6-11ea-940a-c8348e03e0b8","ddf46ca8-d5a6-11ea-9e8d-c8348e03e0b8","ddf46ca9-d5a6-11ea-aa6f-c8348e03e0b8","ddf46caa-d5a6-11ea-821e-c8348e03e0b8","ddf46cab-d5a6-11ea-be2b-c8348e03e0b8","ddf46cac-d5a6-11ea-aa01-c8348e03e0b8","b839c4b8-2e6c-11eb-978b-c8348e03e0b8","b839c4b9-2e6c-11eb-b951-c8348e03e0b8","b839c4ba-2e6c-11eb-aac2-c8348e03e0b8","b839c4bb-2e6c-11eb-85b9-c8348e03e0b8","b839c4bc-2e6c-11eb-9bb0-c8348e03e0b8","b839c4bd-2e6c-11eb-92a1-c8348e03e0b8","b839c4be-2e6c-11eb-bfbd-c8348e03e0b8","b839c4bf-2e6c-11eb-9169-c8348e03e0b8","b839c4c0-2e6c-11eb-83ef-c8348e03e0b8","b839c4c1-2e6c-11eb-a5d6-c8348e03e0b8","b839c4c2-2e6c-11eb-98df-c8348e03e0b8","b839c4c3-2e6c-11eb-b9b3-c8348e03e0b8","b839c4c4-2e6c-11eb-b7e8-c8348e03e0b8","b839c4c5-2e6c-11eb-b8dd-c8348e03e0b8","b839c4c6-2e6c-11eb-abf4-c8348e03e0b8","b839c4c7-2e6c-11eb-b0d8-c8348e03e0b8","b839c4c8-2e6c-11eb-8554-c8348e03e0b8","b839c4c9-2e6c-11eb-b557-c8348e03e0b8","b839c4ca-2e6c-11eb-bdea-c8348e03e0b8","b839c4cb-2e6c-11eb-a8f4-c8348e03e0b8","b839c4cc-2e6c-11eb-9fee-c8348e03e0b8","b839c4cd-2e6c-11eb-9089-c8348e03e0b8","b839c4ce-2e6c-11eb-9426-c8348e03e0b8","b839c4cf-2e6c-11eb-bfed-c8348e03e0b8","b839c4d0-2e6c-11eb-89cf-c8348e03e0b8","b839c4d1-2e6c-11eb-a467-c8348e03e0b8","b839c4d2-2e6c-11eb-b717-c8348e03e0b8","b839c4d3-2e6c-11eb-9b72-c8348e03e0b8"],"functions":["a152e090-0c01-4ecf-825b-f95512bbaccf","30e646df-c60a-4fc0-ad20-b42c2f3be07d","967d69e8-0b42-460b-935a-9ca4b41a6996","7eabe0ef-f8fb-46c4-86cb-9b0fd77057bc","f2f715dd-4437-5581-9e3a-9849f31b7b2e","20975018-f4a1-55fd-a19e-8ace398c873b","aaafb27a-fbee
-5e52-b2da-c8f2add85b53","878a4bf8-ab5a-5910-8d27-3c4ce0d268fb","9dd6654b-6c4e-5f69-9d97-426d62969a41","615e1a81-ff4f-551a-adce-d0bfaa46ac4e","10fc7e1a-23ed-5034-a89f-d3485b7667ef","d1813ef1-05a5-5e65-a5d7-e8f399c64e3b","17446833-46a4-5ac6-9739-17ec9ce6c6e7","e1d01bce-bb0a-5771-95d9-e6927c9803ca","edb65ae4-a2b8-5321-9f93-57a81f552023","38425253-f081-5574-8d01-1ef25366d20c","6004200a-ea4c-5963-8ea7-7411196da9b8","36a1bf66-3208-5df0-9964-04ec9bb2ea98","3d93296d-00b9-5e04-8126-edd84e9ff112","8db4427b-54d0-5f94-87f9-5e7a8d2b8370","89909bc5-63b2-590b-b3b3-e8f5bea2fcfd","1fb5bab9-8bf8-5745-bb46-1858f0bdca77","af841918-ea4a-515c-bb21-0a7a5bc741fc","a3969e5c-574a-526d-937a-f347c8c77929","cf296479-dace-5fb4-906c-a270dcee23d8","9acfdefa-84a4-531b-a67c-296df42d9e4f","a22d978f-3944-5ad8-9452-757225af75b0","5fe2edb1-cf39-5039-bf18-5abc1bae5f4c","9c002e33-2ecf-409e-b665-645ebff50636","e316c508-8b3f-5198-88b0-8fd97672a930","c6259971-9108-5987-9e17-56cf8fc1ae52","d2f30bd8-b742-50ac-b597-8e87631d5ab5","7deeb113-dcc0-59d7-87cb-c24333c61527","73f523ef-c4c8-5d6d-8344-e4426d763242","020f486b-2b61-5a05-ac2e-fea3e90e4611","3609ce33-4573-50d6-b32b-501da4bbd9b8","93c664d8-6aca-5fba-84dc-93e372845c58","0b52622c-efc0-598a-9f5b-bbb3eaa1a1b2","2ba8a52f-8c63-506e-b52d-2fb281e363be","b2728627-cc75-5d63-ac2e-7948afe330a7","006342ba-acb0-54f9-abac-9e8d77e5cca1","3912cecf-a0fd-554f-a102-a4490a0c379b","dc6b50a3-d19d-519f-9ddf-71ee933244bc","0078aa34-7c78-5df5-aae9-34584eec0e62","6891f070-90fe-572f-81cd-82858392278a","d8d50a40-7f2f-546a-b7e0-5e1b645e4326","ed507fbd-5ed6-5691-a314-83a588b86c30","772cfc0a-fa4a-57e9-81fa-2aea1c62c16e","c3eac87f-f4e3-5e2c-b77d-fe9811c31c72","6698263a-5e7c-5d52-8b59-2b2100e45954","16c6a3b1-24d5-509c-a568-3dda0deda604","5ed013bc-6070-5d6a-ace5-30b451f75b8b","62ef56d4-509c-5f92-a5e4-264b93c6fff2","6bb41b84-2964-571b-a653-0f5039c50af8","5121531d-7e18-56eb-ab30-77af4fefd829","8814d910-64c1-565b-aa6a-0e6fd05f0e37","f76bd818-694c-58bc-99ff-a552b43db6b6","f0586352-639f-538d-a91e-
ce9701d3c92a","ed15fe6c-29f1-5bdf-a190-f24bb012b6a2","f2b38451-801c-5a14-93b4-659c6f07b516","d2f23ee9-87c4-5a3b-9c20-8f602f24c005","e0e6bed3-9153-5831-b09e-05325637a8ef","a18af53e-f058-5b49-bcd6-73f2ec59da4f","bc2c82fe-fafd-5ffc-8665-bd7b1bb6ab0b","f2098813-1799-53cc-a8ad-8047b4f2d80e","528bfedf-922a-5b1c-b2c2-bd6470ee94e9","8691e151-39ce-582a-b524-7f54b65eea26","c1fbbe4b-04c8-5e0e-a89e-9217180f089c","100f0e91-b95c-5beb-80cf-17e776ee7393","ab79e25b-194f-593a-86c1-b0f0398e0749","21ac799a-7fab-51e2-b708-5a3a0966c572","963f96dc-fb52-5e0e-9801-20afc546066b","373bc56b-9e24-5106-9592-644341642719","83325eec-c8cc-5790-ba09-a45873ca3498","77ed9d57-1e22-5298-bb95-f857e2c06b2f","ae8924bb-3358-5474-856c-32915255733e","701de73a-ce34-51a4-b7e0-7d4f1eae80a4","f48e9583-3107-5b75-bcb4-8fa6b344cc72","68815256-8748-5527-987c-0eaf06283fa5","93448a67-dbab-5c6e-b14d-89ab7db2b316","b86d87fd-aeb5-5a46-9f74-e4b50a0205f9","76d067a3-4cb1-5032-8baa-8168393e91c4","4765afde-a6fc-5a38-863f-72ec306ed465","2e8e7c1a-5104-5885-b659-d26e17f9af4c","cce83520-0fd8-5bff-88a1-14a21dbd431c","d3e75b28-3354-5d5b-813a-1f82deb43217","002f8919-da28-5edc-9480-9c679de0e646","5c3e07b7-f5e1-5829-bea5-9760a8433fbe","137e5ce5-8fc3-5083-b9b3-b7a476008b0a","d29fe90a-0a0e-5143-bf67-76c8cd791bf1","84ad59fb-630a-529f-87f3-87c45ad38820","1aff9978-3622-55f6-8892-2fd7877667d4","35332196-f904-5e15-8d2e-d5a05150593e","61b00b6e-dda8-5932-a906-948f9bb7365e","a43850a6-f2f3-53cc-babe-cfb0767e7f70","4307fca3-d9f8-5aa4-b086-c4aa15308cdb","224cf01f-0221-5923-abf8-1cc94412bff9","1255cda1-6244-5213-9ac0-e9c70be77046","421a3eaf-8242-501c-a0e1-71f1d4352bae","3c6c520c-7ab5-54fb-8591-5dc17f3390bb","8b81bec8-5153-5410-99d9-c3540fb3da49","d6059a71-ae14-5e4e-8cfb-1ff54c3eb450","c5d2c296-d5e6-56b7-9f2c-2a5a398ebe62","00e37d77-ff2d-5c92-bbba-0ba865661020","77446755-f919-5a23-9f96-6be9e657a2e7","3fdab32c-6915-573f-b1c0-a6733a48c5a2","1af05a29-0c94-5018-b197-e7d99ce83356","ac5ae0be-532a-5fb9-b7dd-11fde8f2d53f","8f528a9b-4a04-53cb-9fc1-5f07a951790
2","aaa811e7-673b-50a0-ba97-27ddee2d40b5","886ba633-7fbf-502b-900b-0c0e36d121c9","cfcb20a0-e0bb-58e4-86ae-fe9630bbfe73","cb4d38a6-00ef-579b-ac76-e2f55bec7579","1b96e561-b300-5a7e-933d-9fa98b4518ef","fbf9e04d-8ad2-5e0d-9ad7-fb655bc29bf3","92893c93-bc5c-5379-a55c-6606ef842d92","3589c230-1df7-54c2-b179-7780bafa7229","2d1289e4-fe5c-5f46-bbbf-537d05de8ce5","12d89e36-3e8e-5e54-8fd5-ba969eb266e6","a72948d5-3d8a-5164-91b7-b5f718391a84","0cf3c1bf-2658-565e-9154-c468d4e14ddd","a2395934-e85c-5da1-a1f0-07a298219d34","cd7d5892-fe13-5d47-9c11-8ad77413e1d1","5d59511a-8bd8-59ba-b49a-c7fc5e7011c3","9c36adf5-007b-59d1-9443-5e7f4b35af86","ee2df6e1-b687-580c-8a94-e9e1e7eefcfc","a2b31e99-d831-58b9-b18c-ac9304e2c1a1","39152ac1-2a72-530c-86be-1711210a28b2","4fbbf424-f21e-51a2-ae26-a33b354125b8","c8c97676-3c0b-56a9-b735-607b9176185e","76af9035-4665-5009-8281-60ae1485a98c","9cbf2c15-f05c-5385-8f28-6ae28a427608","ab36b294-4cfa-5980-9aa9-902a4e25448f","be182916-38f9-564c-b476-fe81169d7e84","e37de94c-ac58-56c0-8ec7-0b673722bb1b","18fdeceb-99ab-5194-9098-7cbb5980f991","4661400d-2647-54cf-bd02-6e02e56054f3","3f46b554-47ea-5f12-9cb5-324c2cb09ac9","1534d8aa-acc0-5be4-b089-6d503ce07e41","e5a16770-bfb2-5305-886a-4e41d9cd8a08","d6e93572-2746-5e8e-a185-66dfbe3c53a5","b848c19f-41ad-56e2-ab88-e2e207e0d097","871ad8e0-44b4-5444-9bf3-dae96693ea50","ce8dc00d-0dad-5f50-ad9b-8e1f63fc2cf3","c889aaaa-70f7-5c1a-9bee-d18908f72ae7","2e568486-7d77-5798-9dc5-433bb6562e68","56612ec1-3218-5ec1-b32c-33c80359f1a0","d9a8d31a-f20d-5a66-bc08-ca7888a58ae4","74fd6481-7b1b-59cf-9851-e52156150f78","7d890293-0dcb-5584-bf7b-d615f9cb7f70","b6c41b2e-2d38-529d-b32f-2edc38ba6d62","0c327f99-0200-54ca-8a72-f427cc0ae101","b5ec674b-3a68-5feb-8fb1-f769fbb085f3","02b4eeed-157c-5172-b75c-151fcfd068ac","f16f12cd-dd7b-51e3-8c99-2ed4d857bb31","cb8ce4aa-25e2-5141-a5b4-337c24285e3d","55a6be07-1def-5523-92b4-f63c80049713","723f7b25-c699-5469-9ac6-1b5704a2b63a","569d9b71-efa7-52d9-9150-03214bc7e742","2e444f79-0b97-5b7b-967b-1e3f9605e1e2","e61fa18
5-7fbc-5367-a10c-45e05f1c7eee","721cf9fc-2ce7-51fc-bf6b-da02a715fedc","c298eab0-cb86-5053-ad52-404467af7507","f1022015-c977-5720-9d94-b64c4a5d5636","d6bacb8f-166f-5712-9bbb-cffd517caf31","4a54ec8c-be13-5974-bf97-ecbaa51d3a5e","719d3b89-0644-5cc5-ba2e-53eac0ee8207","46ffe79a-a94f-53e3-88cb-b9a178c9c932","e0efc4c1-efd6-5481-a2b1-0e3fd1cb6684","963fd114-e2de-522f-86ef-2e6b7edcfea1","aa0ba80d-de2a-5ab2-8329-1369094df8b4","22c176d1-ff14-5e53-8045-c2ffdda4051a","2ce6a16e-0477-5513-9727-033e4a21887a","e40a1659-cd0a-5d18-bd5c-c02e366ae3ff","dd2fa0d1-84ff-519c-87d9-2dc811b31b69","8cd8a334-35a9-5099-9075-443aa11153eb","a9b3ece6-cc53-58e8-8516-1e91acd1879e","0fbae1e3-fc59-5107-829b-378d2e27f899","4afeff4a-c2ec-5d92-8381-84fa785697b6","be6b7eb2-46ef-533f-bfda-a362aa51533d","89f5221e-bf52-5de4-b682-31c555f3b899","727bba25-3447-547a-b5c5-dcb64d01a803","00ae3977-67b8-55d7-8d60-99810ae80682","c66a7dfe-5675-523b-9456-e91ef524749a","a14dc84f-df91-5a5e-8dfb-0163a6f6c5e1","cca20c2b-be0c-5a07-88d3-7fb44877fe15","90f5395e-b33b-589d-aaf0-3aba1a47cbad","c7ad76a3-09e5-52e3-9850-500243ec2f83","781b072f-53cc-5e7e-8118-d227d0298aac","dfa1aaf1-da4e-56a1-87c6-f18149b9ae4a","75415d02-834f-5c29-b882-d86be4f7aca1","6ed977f4-618e-5e00-bcad-8d4793548b0d","71bc574f-91da-5cc1-833f-512b05ad4b20","a61f383c-f498-5703-b19f-f10189cc4b17","216c9995-fad4-5d6b-9ec2-0d5887731a81","38ee78f3-fc07-5cdd-b0b6-cfd041f902c0","ef4bb54e-38e4-551f-8ae0-ab5a6d73cd05","d1f104fb-fa94-5f31-a28f-62f72bc72797","c8f65535-a11d-566a-bcdc-43bcce9135c3","7a9bcf3d-f393-5317-be98-05bce368ca2c","59c91f71-5d02-52be-b61a-8fc22951a4e7","d96d827f-ae67-5d97-8af9-ef56d2f12fe9","cb0dcbc7-0d55-5ec6-8067-b9e2fcd531a1","82914f3f-2b23-54fb-a3c8-9c2d318e8244","26a0f406-f0ce-5fb0-92c0-2926b7756f65","b48a2e8f-2564-5b1e-8244-1691b0e87633","ac388398-fdf9-5f7a-ac58-55c75ac0e1b5","df14d375-8404-51b6-9f09-e3212e11a2a6","38d46b58-a32a-5b23-9ba6-05f04c0b52ac","a97d800b-106f-5bf0-97b0-994addb824a9","df313bea-5248-5e8c-a6d7-e6bddb5f8717","5ba5660e-2a1e-52ae
-adc9-1d6b08d2bb7d","3d808d88-0cb7-5b96-9a3f-065416db0095","8e9089e8-76a0-5b58-8ebd-5266f7f06868","79308517-f1d5-5954-8d16-4260c90dd272","1fcfe820-c75e-5952-bc58-8f3e80f842c2","3aefb468-db13-5f6b-bbdb-3ffde1bd1317","bab57609-83c6-5faf-97a6-905beae9323b","56288712-29ec-5df6-9a3f-81efe80ea649","7eb6a2df-9e8f-53bc-aacd-234841774da4","4d58d107-a6ab-5bc5-90dd-2b0087cf4f50","b0bf4756-4723-592f-9b7f-232c93628cf7","776c6a6c-6923-59a4-9618-2abd13114785","6b75cb62-2433-589d-b618-44eda2b07f9b","ba94da36-305b-5ad0-8bd0-1edfda438da9","91783af5-c270-5b96-b955-910c3ee5b681","068cd71c-44ec-5d95-9288-6d7b7b94a4cf","127348e8-cc78-556e-b503-a764a1f5e862","a0a3d98c-e4c7-596a-a832-ca57ac301fd2","601063a8-2ad6-51b2-8269-a9bf88793338","9b17aa5d-f557-5cce-b0d3-ca069f133bcc","89348ee3-6aeb-5a04-ad1d-d48b1a7ba686","446d84be-f8c7-55b1-89d5-a41d63796936","e75d711c-4e13-5c99-b771-065c8a65a21e","440cc65c-1f24-58d7-a03c-5a7b32559cfa","faa9385d-b3b4-5150-8caa-686d73034598","045e9ce2-e479-57cd-a473-f49ee8bf1bb9","a5b9b3eb-d502-5361-97fb-eaa2de5f683c","5a6f419c-70b8-5f97-8d14-994ac6d2af24","c388dfc7-dc9f-5b2c-acc6-be7dc5b05fe2","2aa4e228-ebd8-5e57-b13a-cc8a8777fee9","7765aa9d-5d8c-5760-ab75-7827c9d8378d","4253b281-edf2-54a7-8b4c-ed6d82562842","090947e4-eb27-50d5-b0aa-295684c0f504","6d31c590-f1cf-5977-ad0e-98760e4adaf2","58a9982a-10a7-5375-aa43-cf2c92919cd1","6d1a0114-0988-51c4-968e-ae724bbc0741","a883fc10-c239-51ff-92e8-d2ee3ebb7a56","472a0def-2c79-538e-b25c-6151f6e8ec56","ac3bfd92-4174-57a1-9383-f1cb7f87bc90","810886bf-781f-53eb-af42-85fec417b5db","4bbfb554-ba4f-5ba4-b72e-e707efe0b1e2","987bc689-20d4-5536-ab25-20c43137212a","28711922-7194-5661-9b56-0084740d77a3","49e89c0a-0759-5596-92af-91ec2817b0a8","474823eb-1dcf-5681-9ac4-e78d35e2d0ae","1b3a8c0f-cdf7-5b95-a7e6-0f7c1aae0c85","3c6c7bcb-d601-5f76-9c0b-9287b3b24925","4b77cf85-b9c1-55e4-a544-45af35831796","8f408c7b-683f-5f90-94fa-1e74e99de73d","ade252fa-dc3a-5c25-94b8-26ba24b4dfdb","cb619d81-23ad-57a5-899b-a5060af6f0ac","a2042972-25d1-5987-b479-b41ba
55669a0","c1805e82-df76-57fa-989c-2d999ffda47d","b5880c46-266d-5876-93ff-30ab99682d8e","1be457d9-37da-557e-b848-c876083c4195","f1fc2811-bd43-5dab-98a8-cb28d397eaa9","87ddc195-2d14-51b3-8d0d-92d249accb62","88822288-e98c-56f2-921b-6304ef0b1aa3","7950b63d-a675-5cfe-b3ab-c373006726cb","ae0dcae3-a4a7-5963-9f92-cbd1cf533bee","8e638efe-df2e-5c8f-9761-847fa2687a8f","7d89135b-ec75-5276-b490-1670d85993c9","3d021f21-b9b5-5da5-95de-d121c54a3652","23ede1f9-100a-53de-a0e0-2f9898af2954","a0a3d428-f331-5baa-a242-0055471f44be","169a3ea2-bd40-56a1-89db-9ddfe487faaa","3ca213f1-7c16-5b8c-bdb2-c8d24097d73b","686d1b26-62f3-5e14-9f94-c36d07c303b5","ee68e59b-fb60-5079-9533-ecd5b5389520","9e9fc152-813f-5ae6-86c6-a8ddc51f5641","c861b54b-80b4-50b1-94c8-60249c6365d5","7d84bff8-d85a-58f5-bf51-6e60c8aa885d","491394d2-fda2-5a10-8488-48ecd3cc4ada","52b80ba7-df6b-5a81-8c78-37b2df8656e4","2b85b99d-5d3d-5c81-a79f-dd379ee52c24","7126b721-8c8f-5cc9-a4ae-1ffd4ff65c0d","ce767a8d-658c-573a-96f8-f7bb9ca56020","67dba2e2-0111-5fb2-80f3-c09291dcb28f","01d425b3-4ea5-58b6-ad05-dd382aa75727","51a34575-887b-514c-9d0a-84db2c759525","332fd5d3-95b2-574b-94a7-5b056115defb","004e41c2-2cf4-57eb-9131-855fea21e0cb","296533c8-1431-52d4-b4d3-440bd01bd983","51222627-761c-5c9c-82d6-f673193610e2","7e67c8a0-0ef5-533e-8559-9e359be23a78","b7527ae5-d322-50e4-9abc-c2ada6b97733","763a8f5c-6449-5e00-9ef2-e3f9443ea07c","0758d388-f402-5004-8e98-4b8d58d4e68e","23c7e460-b763-5c3b-90f3-76bee46f0501","a3b2c0db-8614-5720-aa27-b0d88120ed03","4eb8dfab-5b98-5312-9eae-59eddaf4d723","c33f5553-01b5-5f89-92cd-61bdadcbaea3","cba623d4-dcc5-523b-97f1-902c04bc14bd","d01fc365-24f6-587e-8c30-2e450ab7ca81","c39af2d5-ce82-5bad-ab3d-fee798dde336","9e586f9b-925b-5830-a979-d510cab99dd3","bd97655a-1311-54f6-b344-3f997c69ef73","ee29d8bf-9567-5c21-b060-d2a95de59682","6766687b-e8f2-5e29-b8e4-09001a6a2106","a1712e60-355e-5946-a25a-bbc9c187ec6b","bbe046de-19c5-5557-ab27-4df676195bdb","1d6a9420-068e-53fb-b07d-84a46dcba3e9","37684ffa-7f8f-5053-b9e8-589618aabde4","3
f54a213-5941-52f2-81da-ec2ddd8037d8","06afff4c-4b38-54c4-a744-56e63428e412","764d1d4f-0832-57bc-b6fb-67ca754c1866","355c44cb-79ef-53dd-8cf2-d942d8021c69","7ba58875-d3d2-5a57-8b33-7a1653f5ad48","233ba9c2-c98b-5dd7-b8ea-cfae04cad57d","78cce07f-cd1a-513b-8332-d1d1ee4bbd19","8d7388e5-da2f-5315-9226-05e2f75c299e","0d7559dd-7bbd-55b8-9ca4-fe389c945329","3177d4de-9896-56e5-b318-1723498e94db","20c9220c-935f-5596-8378-81c7ca594434","b7822d73-2b22-54a2-8356-8704b1699648","547ab839-511a-594c-8541-6188a6a56c4a","3cb1e1a4-566e-5476-8d7b-a582b523a32a","460afa13-3ef0-5c8f-a3d6-64a593beb628","46c5e6ec-3431-5f99-b361-0ae03353ac6a","ab6ef070-1f88-59c1-a0a3-511fb1140500","88752599-6da7-55bc-a71e-c49278aa9f91","c563481d-d8ba-58ca-bd83-e5033f370715","f3daf1da-2284-57e7-90a2-122d1ca8a1fc","1d4ab680-de7f-5a17-b787-6cd634995e4a","0f3b2de2-15fa-5ea2-a7e7-3f5adc3691cc","3da27875-fa0c-5f10-8ddf-abc6f8b7c8a6","7ad17758-6e1b-5ca9-911e-6b64cdd3d1fe","0b2a8509-ddf3-56e7-9e4a-bc6ea62275f0","7a82d264-ada7-56a4-87b9-bd8e395a9f38","87d6f873-5ad7-51af-bbde-6ff91f2762cb","74e8ea21-f1d7-5647-884c-9be0570cef82","36030c6d-4196-5c11-bd02-44e8770888f9","b23b0698-ede3-539a-949d-5cb282c6a7ca","c1cc7004-9b76-573c-8a24-fc451c5b9f96","697d7a3f-2e46-5c87-befb-33779577dbd6","eeb3cb96-5e24-57cb-9a13-44ffcf9393be","9bbff54e-107c-571f-99a8-490be4696855","ef5b91c9-43f4-582c-a8f6-12ef90f6802f","3e08df47-9631-5b5a-98df-180d315eda4d","5f982731-7285-5515-9f4b-765a1496f7d5","3cd64d79-6e5a-57e4-b0bf-74d4b19b98cc","02153d00-0817-56d3-b321-9cfe843a92c3","5f0e9e37-72b5-533e-8e35-1ed932fe3084","bfdd6394-ae64-5290-82c1-55a36afed3dd","2d9a69e2-3201-542c-bea8-051759a39af8","8e48ee40-bfa8-5488-8d7d-85ca2cf47b7b","704ec65f-8a60-56b9-a055-f9895167993c","49f387d7-a884-541a-8b40-9ab4f7888d92","8b9637e8-b0b0-5a6a-bf53-9334621b50ca","4a183e31-7207-5300-ac05-db11c690822b","2a486c0d-35ec-5bd7-a12c-99f70a5002a7","c1596326-3460-5ad0-a612-59e167280101","deefabef-75d6-5587-8d3b-4022938682a5","fc7155c4-0d2d-575b-b014-efe5ec8f1461","bcaeb6c1-14b
2-502e-9d32-2d988dc732f6","554a060b-7206-5e58-b2d5-14ab58dca532","e334b735-bfe1-5b11-8fa4-82e121336d27","70fea7f8-d50d-5dc9-bfc1-58e92bede9f6","b052f410-754b-5cbb-a24d-c88c78bbafad","47f91632-cd30-5d96-aa10-01e864bb9148","c476dc64-cefe-5543-98a4-8530a0a48964","816f3388-03fa-5540-aa97-63c5b7c7c32c","ed0b0f98-3578-5a1b-8434-69543bb411cd","4ed288c0-dcba-552a-91dc-b4c5f2e3d05a","1670afab-1460-5c11-bbfc-eec173edb62c","242ae4aa-16e9-5a96-b75b-ea51ae629f1e","282d4349-0db6-5ac5-a769-fcede4a77bb9","1196120e-827c-57b8-9366-14ed9c34d7e8","37cf01dd-9020-5af1-927b-e0e405390f02","d9791bb4-97fb-5b4d-8660-5a6ff2a3df1e","58d7054c-f8bc-5279-9d1d-97b3bc2595cc","b4289b5a-1661-5712-923d-82e20333e87e","26e44d1f-f6ab-546d-8001-0a0f26267fcf","0802950d-28b9-56de-a05a-6a887a6611ab","cd0aa1b1-d08c-59af-a032-9b463c90101a","8e17ba20-e2da-58f6-bf1d-b7eb5273b3c5","51010255-1487-5347-a517-a56e8a3061f8","4176d863-56f3-5701-8d54-da92408ac5e5","922e05ef-0941-587f-a2e3-34a062e53888","2722ab8e-1141-5636-97cd-4c416669a402","ab36ec57-c9a0-5291-8aec-d848bc3757e3","123c03bc-6d03-53ca-8027-8a1172717fbe","fb1c0a95-92fa-56ec-9e88-e79dba5ba6b6","4ae5bd55-29f1-597f-9158-8ffd95a2fbd5","41e93b7d-a101-55b1-a38a-a6f53db3d5a5","3cf99445-20d2-5de8-9c1c-0e83745991f0","c6f2ffa9-e5dc-52de-bb89-5ae52f529882","6bc54658-a37a-515e-844f-3263d82a6e1b","d2f1abd3-3815-5e54-9da5-7478b0c956b8","aabe34e4-524c-5c64-b514-05e82d6d7158","04fc8565-21c5-5d76-a24e-3bbe5d05ed6b","8856ddd1-8bdd-538f-b007-13b6bc37da38","ed4cbf37-ca1f-5b41-bd3c-8a9aa0f424c4","5f7e57b5-9301-5a4a-9df4-aa09373300c9","3278e078-9adb-58a5-8dab-0136b69e0754","3d74887b-4a91-55a3-b8a7-8eb437fcf2ed","b6f80673-9685-5486-939e-0d8427f0ab42","18cec1b9-295c-57ba-85b4-bdbe2b014f7e","b7f8ff2a-274f-50b1-be1a-38bff328a942","6d9ba913-7800-5bc6-8c12-5c8003d402d3","f72bedb2-6af8-5f65-a153-1a5880771538","5721e7ee-ece3-50a0-b342-e17b5b389a45","c4c2c7f0-6344-529c-8e94-e4455d60e104","d79c96eb-ddd8-5e1d-8d90-5197f02ffcd3","2d51a07c-c2c7-5425-8f5e-162d0f1f9005","3b99a232-e260-562e-a503
-13993a879f59","43261809-eb88-597e-8efa-26bff1194394","3c29786d-858d-596b-9cf9-4256677c69b1","d8b3754f-61e3-57d3-8acf-0e19df9f5477","e55278df-daa7-5d5c-934c-19afc6d3f13e","3884854a-6d4e-52f2-9725-03044e787b76","6de16aaf-29eb-5a55-b863-8935487a9bec","a559199e-b624-52f2-b029-73a9535421da","ec935ea2-52a9-59c4-90f1-d9402a477805","77083011-7edc-5791-8618-f1f9158ea41b","00efb338-e9e3-514d-a25f-4c37f14f4898","1c61f70e-ed3a-57bc-8461-05248f2034dd","956cb456-b35e-55da-b341-ce1e36f7bd03","67a14dba-d3c4-53fa-be3b-3cbf03e1d79d","cf4579e4-8c1d-575b-8deb-3d0d5ee6406a","7e6f7906-9973-5dbb-8483-8dfd15a8c157","1631c13d-6a8b-597b-8440-499670ea27a9","4748f1b3-6d39-5d11-a600-bf03380b3238","c8497248-ea1a-5d15-a5fe-92b4bcec0b24","5045a3bb-5eb2-5bd1-82d1-d441e2483389","8e1ce13e-2ccf-5987-98a5-a8bcd674a6e4","7879fedd-58f2-5d1f-bfbe-30175f1214bb","8042fcb0-0832-5410-b5f0-07f88ffe1542","5d4e8758-105c-57a1-b7f0-94917a97b44d","14780bc9-6124-576d-bb4e-beba8925b1ba","d8a5216c-6199-50ba-baca-36790a8c67ec","c965ce5a-9e94-53e4-9c87-fadf4fcb7d34","f9197aaa-d494-5ec6-a8d8-f73e7bcf4813","0af07881-11c6-5021-b383-84ffcfec7464","1aaa6ee7-e89b-593e-a415-7cd39411b8e9","75c736eb-4f5a-5812-b660-2ba38634317a","c6800e07-60e2-5d99-ab45-b7560783d9f7","80e7c5a5-e464-5d40-a919-7d6016fd5139","d231873c-84b4-5f5a-bce5-beb249ecc66a","3131be79-e850-5c85-8506-d81f4b94e2ce","790aa4c4-22c5-5e22-9c90-2cde73b11753","d7cc9882-2480-56d0-a51d-7de5e4b9191e","a152e47c-bec2-5b9a-81ba-1f8acb6b9fb2","37e82ca7-5e24-53bf-9347-232e6693f457","b9adf131-c494-5194-adfb-b3b8e8cd1fe2","417479ee-8547-5670-90d5-c9f0ae9f69de","148d8e98-a0ae-5957-8dd4-b240015cf846","8b201351-4549-5c55-b121-a96bf9118650","a8bdb9c2-f4fc-5529-a6aa-8b0bb0a7ee6d","85642a47-664d-5495-883e-7ae653ff0846","0aa9c175-dcbc-5b95-8b66-56e58ae6826a","7a73b552-bd0b-5211-9ec7-e44dfabb98d9","f1a00484-9cb0-5d8f-afdc-030f12d9ec38","5c3903bc-49c4-5758-8fe6-d73654b884e6","aa4d9df2-a67e-5d97-9fa4-3ed4e6737955","9dc3310e-a065-5101-9af5-fa051525a12f","0edddb52-93bd-5f90-afac-edb3146c00
8b","837ae332-8b20-5dbd-b04b-9e9860b38bfc","d1318796-2366-5895-b841-ccd7ca1c52c9","6cddbedf-d394-5fa7-898b-d963693c6721","0d7864b9-9bac-553c-a79c-0d649e897d32","addc9f66-7971-566d-b08d-996089aeb5de","a95e86b0-2f20-52f1-b671-09d21c66437d","f54b0991-1e8d-5250-90fe-3e6595674a8a","68d40ff0-9463-53e3-ad76-37a0622a2898","fbcb34a1-deef-534b-a2dd-4ae8238cea6e","591de502-56a5-54d6-89ab-4833dd64ed20","0b1fbfb4-302a-5732-ba05-92f2d94f1eed","e23a78f6-7d17-54f5-960e-323f884c66a8","d81086d3-e6da-5654-bde5-dae00abcebeb","7ce918b7-a9ed-5c4f-b0c7-70fadc2c1f9f","09585ee7-9d88-5777-bc4a-cbae33245b13","0c2c2e0f-dc1f-52fa-b9da-36b52a23d3a9","af797219-5c17-5da4-b443-3caf50fc8801","b6d17033-720a-5de2-9a90-519f75b8416a","541bc2b4-1f59-5bd1-bd1e-bf4a12b9eabf","cefbbe26-cc18-5c86-9bfc-6dcab2180042","3e9030df-c50b-593f-a88f-f0ccc84e827c","d3be83df-5cb8-50de-9621-8e57ad13d0b4","bbe13f75-3038-553f-b8bf-7c479bc22d04","8028ab03-8201-5a4f-9972-89356634aa79","c2d9e50d-0cdd-593e-9a14-f2d2f1cca848","0b513511-eef1-5848-9f69-6ea73071105c","9e8643f9-f7c9-5801-9776-8b89e2050180","dfffb01d-51c4-5d60-a565-df866a05e870","d8eb6aa6-9268-55da-9d9f-5ca487a9bcd1","6db4636c-e1f0-5889-88f2-48a76cbf4f7d","d8a4137f-d6fe-5db6-a6ce-56f50cc2e0f8","c16e7c03-d7a2-5511-8cab-f53e1cce0633","295989f1-465a-51be-95f8-0d70971fcfef","6f171db5-d77b-574f-8a92-2ef49c27dc84","a193f5ee-962e-5185-9711-1f3966c17550","5637b37c-34be-55c7-8b71-c0d9bd2c8a2b","bc2b4e1e-10f0-59bc-b81f-17446082c5f0","3ce73260-a1e1-582d-a8fa-7e4c1fbb75af","af77b66f-bbc9-56c2-aad0-4ea27366d870","a09dd048-0e87-5220-8a5c-70c7dcb90691","950f5409-8df0-52b6-a016-6645aefcd374","9a3e11a6-6b46-55cb-a5b9-5acfa32b112b","a8a1c15f-a18b-5f78-859b-cba700840d48","288dc9cb-d02f-5d56-b7c6-4599a5b0b032","bab3d2d1-014b-5126-86fd-c056a66f1135","3e198abb-e072-54c4-9e43-cb58532c6c2a","61274267-54b5-58aa-806f-04de1fef09d9","1f4691cc-50e5-5a48-b6cc-386060a34432","c56934e7-4163-5759-a386-bb5e45191eb0","254ced33-035d-5472-8a2e-7d4824d4fcab","19c7a3a2-0074-56fd-8c77-01417d1b69a5","627849
5d-5353-535f-bc22-88360e92c8c0","bc0f4951-ac01-5f72-a974-0d3b042fd931","7e5a666f-961c-55cb-9e4a-fdf89c099447","de7edaa1-fac2-506c-98d7-1dbf1257755a","12eb8e3f-749c-5427-a64f-e7a6af3faf0a","26baf752-5748-51f5-8eb7-83d85adf2cb8","e05b7046-f392-500f-9804-bea9748c51c1","3c05ca86-de65-5921-916a-9b9dac58b3c6","43307d74-4e34-5cd9-a9f0-ee381f0b347f","7a91f3e8-0c29-57e1-b380-da2a801882e6","b34c18bf-43d0-5e28-83ed-deee72ee74ff","5c84f668-05ab-5d6e-b390-c97ba4d10d34","d0c84fb1-70c4-5f05-b9ea-ea264d3f91b8","a981fd67-71ab-5e13-b87e-3632666d745f","18e56d86-053e-549f-9c0d-c3970f46d478","495ed966-fdd2-5238-9cc4-eeb576e459b3","3b46381c-04ce-522a-8a52-72625636d689","7c617f08-970c-5884-9ea5-e07dd5c3dfe8","7be9bc58-2ebe-58d2-9923-08fc23e4f679","9bb77b98-9da2-55c3-895c-c27feaccf670","92130422-ba25-5b51-b0b0-5b9b790e6ebb","c5f1b49b-1dfe-5d35-8ed5-09a816424ddf","2f31c831-b45d-50f9-b4ef-fe4f5f39c044","04d7a06e-8462-5f8a-bb07-2d7863c3122c","d666a9f7-14e2-5924-b009-3a2db5f1ff02","21828232-0edd-522c-bc39-43765d87aebe","aae50b80-5462-5d2d-a6c2-663e11d4cb1f","c2df6f83-0b5e-5545-9cae-fcbfb97528f5","b193f90e-d81c-5b07-bdf9-f442f02fdeb5","5e589d20-639d-51df-8cfc-6250ab0fe546","ae009c38-3679-51d1-94c1-ecbb3a58fd77","b1a1232f-41f1-5ca7-b831-4b762fe4c8ec","97aaca87-4943-5a1d-ad15-18351f032864","5613f237-db83-5a0f-8780-60bc6bdcb67a","c4f57756-0989-52d2-b462-a0cdd592cc60","d9520006-de34-5672-b0cc-787476767a7a","d12f2b19-d484-51cc-ac09-da72cdda25ac","5af48b34-382c-5de9-b942-6a39d3e5ecc2","f3aadd2e-71b1-5331-b9a4-bbffc003f778","1150e4b9-e0bf-5244-a32b-a4c6d16ad42a","130955c9-c74c-5779-a42a-cd24be011e4b","703b746a-1815-5a4f-b932-239289d4fa4f","176a740a-4523-5f75-a135-3fb04cfbebf0","8126a19b-9eec-59a4-aa68-ca3199401d87","ce54b2ef-09a6-5778-9163-990f3157d6a8","0fa6b099-3f32-58e5-b97e-2ab6c5f0c6c0","42f6b318-eefb-5436-9c4e-614bb78d905d","073534ec-5b44-5933-91a1-3b0fc64f23c0","78a1805f-dbe6-5fa4-92f1-8b25f20badfd","c37f494d-410c-51dd-82b5-b9c2b2d0760c","842563f8-c0c6-564b-b70a-8eb0cf3cc5ab","56a8defd-3b2a-528
1-81c9-24522c51052f","29bae92d-e879-5c1c-b702-dda9f4953353","bd437462-80e2-55dc-a5e5-2f36cc5a3bc1","5698d436-975a-5019-bb60-364cb9d4591d","1950a5c6-57ea-5972-93fb-487fb03213bd","63091b21-f597-5f96-b0cf-766cf25e8a09","b041f11f-14f1-515d-8561-2039b527a875","9e10882a-c0bf-5392-8358-9fc4b8c23f96","2edbed7b-129d-59c9-8afb-31ba31d10a44","5dabe1db-06c0-53d9-865b-50fed81cdaef","82bd4748-6c5d-505a-9b69-83ee6241d0b7","6766a411-0a1d-5300-ab9b-e47bcf39b630","594302dd-80b9-53d0-9fd7-931c395b0ba5","09473163-8c9a-57f9-9ecd-00df0c71b862","d3856611-8bd1-52a1-bd43-d74c4d401ca3","9d82073d-6b2d-5959-ac70-34fc8915545a","942f7015-0858-50dd-b3a1-ea23bc395e0b","0a1a141b-2243-5275-87ad-5f5ba0a0a818","3f8b03e0-e95c-585d-a6c1-72cb23058c63","0f0bfea6-c81f-5b2d-ae10-6042c2fae264","342c83a1-c87d-5f13-84c1-f5b241c4d244","45483341-e59d-565f-8c67-3b6b920374f3","d4b6ca42-6305-5094-b814-ffdbd22663fb","3c6c1d83-f581-5604-949a-ba64d7949fa7","460926e6-800a-577e-86a9-799bb8d375ca","2424ad34-e613-5906-a22e-59666a3b13c8","98dc2b4a-9239-527e-b5e1-518d926a0c87","9a241dc1-9a8a-5810-a3f7-f1229fb1f2a5","d5ffffe3-6545-5e38-9547-ba42d802963f","1e4a9783-ebfa-548d-950a-dcebdeff40fd","6a32c22d-1617-5ab9-9868-8bda79135cbe","d6c30943-04b8-5e10-ba49-d2bf86f18362","4fec4bb7-e66e-5d95-9f1c-e330ff756391","9ea8ffac-eac2-5aaa-b31a-fca5e6c76d9b","220c024e-c004-5a42-8bbb-9ce9f6fc4ee5","593270fa-7236-582c-ba03-6f71f5b84471","f362af26-1d94-58de-b6ab-6f86560af853","42f3f10f-253e-53b8-8059-53ea3a0c442a","40d5cefb-6185-57af-bafd-72101ab562fc","31b740e7-598d-5c33-a4d8-cff376292c02","dae05563-8462-5711-8351-9a4772e4c729","42d1b18f-abde-5a05-a911-79165d21eab1","f24bc7f1-8418-5667-bcbd-ecf84f7e2284","c2e506a7-2989-5e71-8cae-10c49855d431","b6375b9f-7ca6-5f77-be85-3631c19242a2","eda0fd87-5e4a-554b-be5c-cff59d3ce07a","e061dea2-6572-555c-8d35-ab675dbcc310","fd81f29b-7bac-5411-a20d-a06aaa20224d","577d78f4-8a19-5485-b2d0-2d76804d3a9b","93521939-ad22-5090-bcd7-35d1b7cc18fa","215fc6ab-b6fe-5e5e-8550-1369e65fab3e","38f0a0e7-4b55-5ec1-a0a7-3040
b9b97751","e55841f8-8ec4-5c48-a286-a29e17f3ca05","d367d573-36bf-5820-8a87-6e0f51c229f6","33f7b64a-a938-5d12-a1e5-9457e688e9b9","2420a4b3-1758-54af-bb7f-906f762865fa","8052c91c-d8f8-5f92-8a2a-82a7710dd73e","e3e500c9-c7ee-5711-bdd4-75d16e835a87","82d93f1a-1917-5897-bbda-a1dd80c6ba0e","046cb5bd-2e6f-5d88-8791-1e0c3de4b327","065e3f27-1508-5603-ad00-f05ee67778a1","b7fb35fe-659f-5db8-b204-e8da026493c5","3e729a7c-5a0b-5fe2-91c2-24283b90a16b","16c5d5c6-fa53-4d0d-ae83-58a7cb4bc442","b880122e-8c7b-4409-9713-8a63d66b7e17","204f34dc-7f37-51a4-838f-2923c7a44d4a","93080d07-4718-5013-8687-211643d0f4aa"]}},{"id":"ServiceMap","name":"ServiceMap","displayName":"Service Map","description":"Automatically discover and map servers and their dependencies in real-time.","related":{"tables":["VMConnection","VMComputer","VMProcess","VMBoundPort","InsightsMetrics"]}},{"id":"SfBAssessment","name":"SfBAssessment","related":{"tables":["SfBAssessmentRecommendation"]}},{"id":"SfBOnlineAssessment","name":"SfBOnlineAssessment","related":{"tables":["SfBOnlineAssessmentRecommendation"]}},{"id":"SharePointOnlineAssessment","name":"SharePointOnlineAssessment","related":{"tables":["SharePointOnlineAssessmentRecommendation"]}},{"id":"SurfaceHub","name":"SurfaceHub","displayName":"Surface Hub","description":"Provides the ability to monitor Microsoft Surface Hub devices.","related":{"tables":["DeviceConnectSession","DeviceCalendar","DeviceEtw","DeviceSkypeSignIn","DeviceHeartbeat","DeviceAppLaunch","DeviceHardwareHealth","DeviceCleanup","DeviceAppCrash","DeviceHealth","DeviceSkypeHeartbeat"],"queries":["51c952ba-a025-11ea-9f63-c8348e02520c","51cb9cb0-a025-11ea-9b66-c8348e02520c","51cc86f0-a025-11ea-ae39-c8348e02520c","51ce5ba9-a025-11ea-b3d9-c8348e02520c","51cef7f8-a025-11ea-94ac-c8348e02520c","51d07f71-a025-11ea-bd43-c8348e02520c"]}},{"id":"Updates","name":"Updates","displayName":"Update Management","description":"Identify and orchestrate the installation of missing system 
updates.","related":{"tables":["UpdateRunProgress","Update","UpdateSummary"],"queries":["51d5d5cb-a025-11ea-a80b-c8348e02520c","51d64afb-a025-11ea-a30b-c8348e02520c","51d84768-a025-11ea-a170-c8348e02520c","51d8e30c-a025-11ea-a73e-c8348e02520c","51da42ca-a025-11ea-8b9b-c8348e02520c","51db05ee-a025-11ea-93b5-c8348e02520c","51db7b14-a025-11ea-96a8-c8348e02520c","51dcdaa5-a025-11ea-8887-c8348e02520c","51dd28da-a025-11ea-9725-c8348e02520c","51dd9de7-a025-11ea-99e2-c8348e02520c"]}},{"id":"VMInsights","name":"VMInsights","displayName":"Azure Monitor for VMs","description":"Monitor the performance and network dependencies of your Azure and on-premise VMs.","related":{"tables":["VMConnection","HealthStateChangeEvent","VMComputer","VMProcess","VMBoundPort","InsightsMetrics"]}},{"id":"WEFInternalUat","name":"WEFInternalUat","related":{"tables":["WindowsEvent"]}},{"id":"WEF_10x","name":"WEF_10x","related":{"tables":["WindowsEvent"]}},{"id":"WEF_10xDSRE","name":"WEF_10xDSRE","related":{"tables":["WindowsEvent"]}},{"id":"WaaSUpdateInsights","name":"WaaSUpdateInsights","displayName":"Update Compliance","description":"Monitor update compliance for Windows 10 
devices.","related":{"tables":["WaaSInsiderStatus","WDAVStatus","WDAVThreat","WaaSUpdateStatus","WUDOAggregatedStatus","WUDOStatus","WaaSDeploymentStatus","UCClientReadinessStatus","UCDeviceAlert","UCServiceUpdateStatus","UCUpdateAlert","UCClient","UCClientUpdateStatus","UCDOAggregatedStatus","UCDOStatus"],"queries":["f82e75c3-dd42-11ea-9a7f-c8348e03e0b8","f82e75c4-dd42-11ea-a402-c8348e03e0b8","f82e75c5-dd42-11ea-8046-c8348e03e0b8","f82e75c6-dd42-11ea-8b94-c8348e03e0b8","f82e75c7-dd42-11ea-8a63-c8348e03e0b8","f82e75c8-dd42-11ea-9781-c8348e03e0b8","f82e75c9-dd42-11ea-a3ab-c8348e03e0b8","f82e75ca-dd42-11ea-a4de-c8348e03e0b8","f3993b22-e78f-11ea-8d7e-c8348e03e0b8","f3998942-e78f-11ea-b0a9-c8348e03e0b8"]}},{"id":"WinLog","name":"WinLog","related":{"tables":["WindowsEvent"]}},{"id":"WindowsClientAssessmentPlus","name":"WindowsClientAssessmentPlus","related":{"tables":["WindowsClientAssessmentRecommendation"]}},{"id":"WindowsEventForwarding","name":"WindowsEventForwarding","related":{"tables":["WindowsEvent"]}},{"id":"WindowsFirewall","name":"WindowsFirewall","related":{"tables":["WindowsFirewall"]}},{"id":"WindowsServerAssessment","name":"WindowsServerAssessment","related":{"tables":["WindowsServerAssessmentRecommendation"]}},{"id":"WireData","name":"WireData","related":{"tables":["WireData"]}},{"id":"WireData2","name":"WireData2","displayName":"Wire Data 2.0","description":"Provides the ability to explore wire data and helps identify network related issues.","related":{"tables":["WireData"],"queries":["0933c1bb-c205-11ea-b387-c8348e03e0b8","0933c1bc-c205-11ea-8f2f-c8348e03e0b8","0933c1bd-c205-11ea-ae6b-c8348e03e0b8","0933c1be-c205-11ea-8b45-c8348e03e0b8","0933c1bf-c205-11ea-8e65-c8348e03e0b8","0933c1c0-c205-11ea-b3d5-c8348e03e0b8","0933c1c1-c205-11ea-bdc4-c8348e03e0b8","0933c1c2-c205-11ea-a865-c8348e03e0b8","0933c1c3-c205-11ea-91fc-c8348e03e0b8"]}}]}