Merge pull request #13209 from lderequesensS/fix-kql-ccf-zerofox

v-atulyadav · web-flow · commit aaca33fc6e4c · 2025-12-04T16:15:57.000+05:30
Add KQL query for ZeroFox CCF
diff --git a/Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_DCR.json b/Solutions/ZeroFox/Data Connectors/Alerts/ZeroFoxAlerts_DCR.json
@@ -167,7 +167,7 @@
                 "destinations": [
                     "clv2ws1"
                 ],
-                "transformKql": "source\n| extend TimeGenerated = now()",
+                "transformKql": "source\n| extend \n entity_id_d = toint(entity.id),\n entity_name_s = tostring(entity.name),\n entity_image_s = tostring(entity.image),\n entity_labels_s = tostring(entity.labels),\n entity_entity_group_id_d = toint(entity.entity_group_id),\n entity_entity_group_name_s = tostring(entity.entity_group_name),\n entity_term_s = tostring(entity.term),\n entity_account_s = tostring(entity.account),\n entity_email_receiver_id_s = tostring(entity.email_receiver_id),\n perpetrator_name_s = tostring(perpetrator.name),\n perpetrator_display_name_s = tostring(perpetrator.display_name),\n perpetrator_id_d = toint(perpetrator.id),\n perpetrator_url_s = tostring(perpetrator.url),\n perpetrator_content_s = tostring(perpetrator.content),\n perpetrator_type_s = tostring(perpetrator.type),\n perpetrator_timestamp_t = todatetime(perpetrator.timestamp),\n perpetrator_network_s = tostring(perpetrator.network),\n asset_id_d = toint(asset.id),\n asset_name_s = tostring(asset.name),\n asset_image_s = tostring(asset.image),\n asset_labels_s = tostring(asset.labels),\n asset_entity_group_id_d = toint(asset.entity_group_id),\n asset_entity_group_name_s = tostring(asset.entity_group_name),\n id_d = toint(id),\n Severity = toint(severity),\n rule_group_id_d = toint(rule_group_id),\n reviewed_b = tobool(reviewed),\n escalated_b = tobool(escalated),\n rule_id_d = toint(rule_id),\n last_modified_t = last_modified\n | project-rename \n TimeGenerated = last_modified,\n alert_type_s = alert_type,\n logs_s = logs,\n offending_content_url_s = offending_content_url,\n asset_term_s = asset_term,\n assignee_s = assignee,\n content_created_at_t = content_created_at,\n entered_by_s = entered_by,\n metadata_s = metadata,\n status_s = status,\n rule_name_s = rule_name,\n protected_locations_s = protected_locations,\n darkweb_term_s = darkweb_term,\n business_network_s = business_network,\n network_s = network,\n protected_social_object_s = protected_social_object,\n notes_s = notes,\n reviews_s = reviews,\n tags_s = tags\n| project TimeGenerated, alert_type_s, logs_s, offending_content_url_s, asset_term_s, assignee_s, entity_id_d, entity_name_s, entity_image_s, entity_labels_s, entity_entity_group_id_d, entity_entity_group_name_s, entity_term_s, content_created_at_t, id_d, Severity, perpetrator_name_s, perpetrator_display_name_s, perpetrator_id_d, perpetrator_url_s, perpetrator_content_s, perpetrator_type_s, perpetrator_timestamp_t, perpetrator_network_s, rule_group_id_d, asset_id_d, asset_name_s, asset_image_s, asset_labels_s, asset_entity_group_id_d, asset_entity_group_name_s, entered_by_s, metadata_s, status_s, rule_name_s, last_modified_t, protected_locations_s, darkweb_term_s, business_network_s, reviewed_b, escalated_b, network_s, protected_social_object_s, notes_s, reviews_s, rule_id_d, entity_account_s, entity_email_receiver_id_s, tags_s",
                 "outputStream": "Custom-ZeroFoxAlertPoller_CL"
             }
         ]
diff --git a/Solutions/ZeroFox/Package/3.2.2.zip b/Solutions/ZeroFox/Package/3.2.2.zip
diff --git a/Solutions/ZeroFox/Package/mainTemplate.json b/Solutions/ZeroFox/Package/mainTemplate.json
@@ -1142,7 +1142,7 @@
                     "destinations": [
                       "clv2ws1"
                     ],
-                    "transformKql": "source\n| extend TimeGenerated = now()",
+                    "transformKql": "source\n| extend \n entity_id_d = toint(entity.id),\n entity_name_s = tostring(entity.name),\n entity_image_s = tostring(entity.image),\n entity_labels_s = tostring(entity.labels),\n entity_entity_group_id_d = toint(entity.entity_group_id),\n entity_entity_group_name_s = tostring(entity.entity_group_name),\n entity_term_s = tostring(entity.term),\n entity_account_s = tostring(entity.account),\n entity_email_receiver_id_s = tostring(entity.email_receiver_id),\n perpetrator_name_s = tostring(perpetrator.name),\n perpetrator_display_name_s = tostring(perpetrator.display_name),\n perpetrator_id_d = toint(perpetrator.id),\n perpetrator_url_s = tostring(perpetrator.url),\n perpetrator_content_s = tostring(perpetrator.content),\n perpetrator_type_s = tostring(perpetrator.type),\n perpetrator_timestamp_t = todatetime(perpetrator.timestamp),\n perpetrator_network_s = tostring(perpetrator.network),\n asset_id_d = toint(asset.id),\n asset_name_s = tostring(asset.name),\n asset_image_s = tostring(asset.image),\n asset_labels_s = tostring(asset.labels),\n asset_entity_group_id_d = toint(asset.entity_group_id),\n asset_entity_group_name_s = tostring(asset.entity_group_name),\n id_d = toint(id),\n Severity = toint(severity),\n rule_group_id_d = toint(rule_group_id),\n reviewed_b = tobool(reviewed),\n escalated_b = tobool(escalated),\n rule_id_d = toint(rule_id),\n last_modified_t = last_modified\n | project-rename \n TimeGenerated = last_modified,\n alert_type_s = alert_type,\n logs_s = logs,\n offending_content_url_s = offending_content_url,\n asset_term_s = asset_term,\n assignee_s = assignee,\n content_created_at_t = content_created_at,\n entered_by_s = entered_by,\n metadata_s = metadata,\n status_s = status,\n rule_name_s = rule_name,\n protected_locations_s = protected_locations,\n darkweb_term_s = darkweb_term,\n business_network_s = business_network,\n network_s = network,\n protected_social_object_s = protected_social_object,\n notes_s = notes,\n reviews_s = reviews,\n tags_s = tags\n| project TimeGenerated, alert_type_s, logs_s, offending_content_url_s, asset_term_s, assignee_s, entity_id_d, entity_name_s, entity_image_s, entity_labels_s, entity_entity_group_id_d, entity_entity_group_name_s, entity_term_s, content_created_at_t, id_d, Severity, perpetrator_name_s, perpetrator_display_name_s, perpetrator_id_d, perpetrator_url_s, perpetrator_content_s, perpetrator_type_s, perpetrator_timestamp_t, perpetrator_network_s, rule_group_id_d, asset_id_d, asset_name_s, asset_image_s, asset_labels_s, asset_entity_group_id_d, asset_entity_group_name_s, entered_by_s, metadata_s, status_s, rule_name_s, last_modified_t, protected_locations_s, darkweb_term_s, business_network_s, reviewed_b, escalated_b, network_s, protected_social_object_s, notes_s, reviews_s, rule_id_d, entity_account_s, entity_email_receiver_id_s, tags_s",
                     "outputStream": "Custom-ZeroFoxAlertPoller_CL"
                   }
                 ]
@@ -1758,8 +1758,8 @@
                     "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "columnName": "entity_name_s",
-                        "identifier": "FullName"
+                        "identifier": "FullName",
+                        "columnName": "entity_name_s"
                       }
                     ]
                   }
@@ -1868,8 +1868,8 @@
                     "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "columnName": "entity_name_s",
-                        "identifier": "FullName"
+                        "identifier": "FullName",
+                        "columnName": "entity_name_s"
                       }
                     ]
                   }
@@ -1978,8 +1978,8 @@
                     "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "columnName": "entity_name_s",
-                        "identifier": "FullName"
+                        "identifier": "FullName",
+                        "columnName": "entity_name_s"
                       }
                     ]
                   }
@@ -2088,8 +2088,8 @@
                     "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "columnName": "entity_name_s",
-                        "identifier": "FullName"
+                        "identifier": "FullName",
+                        "columnName": "entity_name_s"
                       }
                     ]
                   }

Original file line number	Diff line number	Diff line change
`@@ -167,7 +167,7 @@`
`167`	`167`	`"destinations": [`
`168`	`168`	`"clv2ws1"`
`169`	`169`	`],`
`170`		`- "transformKql": "source\n\| extend TimeGenerated = now()",`
	`170`	+ "transformKql": "source\n\| extend \n entity_id_d = toint(entity.id),\n entity_name_s = tostring(entity.name),\n entity_image_s = tostring(entity.image),\n entity_labels_s = tostring(entity.labels),\n entity_entity_group_id_d = toint(entity.entity_group_id),\n entity_entity_group_name_s = tostring(entity.entity_group_name),\n entity_term_s = tostring(entity.term),\n entity_account_s = tostring(entity.account),\n entity_email_receiver_id_s = tostring(entity.email_receiver_id),\n perpetrator_name_s = tostring(perpetrator.name),\n perpetrator_display_name_s = tostring(perpetrator.display_name),\n perpetrator_id_d = toint(perpetrator.id),\n perpetrator_url_s = tostring(perpetrator.url),\n perpetrator_content_s = tostring(perpetrator.content),\n perpetrator_type_s = tostring(perpetrator.type),\n perpetrator_timestamp_t = todatetime(perpetrator.timestamp),\n perpetrator_network_s = tostring(perpetrator.network),\n asset_id_d = toint(asset.id),\n asset_name_s = tostring(asset.name),\n asset_image_s = tostring(asset.image),\n asset_labels_s = tostring(asset.labels),\n asset_entity_group_id_d = toint(asset.entity_group_id),\n asset_entity_group_name_s = tostring(asset.entity_group_name),\n id_d = toint(id),\n Severity = toint(severity),\n rule_group_id_d = toint(rule_group_id),\n reviewed_b = tobool(reviewed),\n escalated_b = tobool(escalated),\n rule_id_d = toint(rule_id),\n last_modified_t = last_modified\n \| project-rename \n TimeGenerated = last_modified,\n alert_type_s = alert_type,\n logs_s = logs,\n offending_content_url_s = offending_content_url,\n asset_term_s = asset_term,\n assignee_s = assignee,\n content_created_at_t = content_created_at,\n entered_by_s = entered_by,\n metadata_s = metadata,\n status_s = status,\n rule_name_s = rule_name,\n protected_locations_s = protected_locations,\n darkweb_term_s = darkweb_term,\n business_network_s = business_network,\n network_s = network,\n protected_social_object_s = protected_social_object,\n notes_s = notes,\n reviews_s = reviews,\n tags_s = tags\n\| project TimeGenerated, alert_type_s, logs_s, offending_content_url_s, asset_term_s, assignee_s, entity_id_d, entity_name_s, entity_image_s, entity_labels_s, entity_entity_group_id_d, entity_entity_group_name_s, entity_term_s, content_created_at_t, id_d, Severity, perpetrator_name_s, perpetrator_display_name_s, perpetrator_id_d, perpetrator_url_s, perpetrator_content_s, perpetrator_type_s, perpetrator_timestamp_t, perpetrator_network_s, rule_group_id_d, asset_id_d, asset_name_s, asset_image_s, asset_labels_s, asset_entity_group_id_d, asset_entity_group_name_s, entered_by_s, metadata_s, status_s, rule_name_s, last_modified_t, protected_locations_s, darkweb_term_s, business_network_s, reviewed_b, escalated_b, network_s, protected_social_object_s, notes_s, reviews_s, rule_id_d, entity_account_s, entity_email_receiver_id_s, tags_s",
`171`	`171`	`"outputStream": "Custom-ZeroFoxAlertPoller_CL"`
`172`	`172`	`}`
`173`	`173`	`]`
Original file line number	Diff line number	Diff line change
`@@ -1142,7 +1142,7 @@`
`1142`	`1142`	`"destinations": [`
`1143`	`1143`	`"clv2ws1"`
`1144`	`1144`	`],`
`1145`		`- "transformKql": "source\n\| extend TimeGenerated = now()",`
	`1145`	+ "transformKql": "source\n\| extend \n entity_id_d = toint(entity.id),\n entity_name_s = tostring(entity.name),\n entity_image_s = tostring(entity.image),\n entity_labels_s = tostring(entity.labels),\n entity_entity_group_id_d = toint(entity.entity_group_id),\n entity_entity_group_name_s = tostring(entity.entity_group_name),\n entity_term_s = tostring(entity.term),\n entity_account_s = tostring(entity.account),\n entity_email_receiver_id_s = tostring(entity.email_receiver_id),\n perpetrator_name_s = tostring(perpetrator.name),\n perpetrator_display_name_s = tostring(perpetrator.display_name),\n perpetrator_id_d = toint(perpetrator.id),\n perpetrator_url_s = tostring(perpetrator.url),\n perpetrator_content_s = tostring(perpetrator.content),\n perpetrator_type_s = tostring(perpetrator.type),\n perpetrator_timestamp_t = todatetime(perpetrator.timestamp),\n perpetrator_network_s = tostring(perpetrator.network),\n asset_id_d = toint(asset.id),\n asset_name_s = tostring(asset.name),\n asset_image_s = tostring(asset.image),\n asset_labels_s = tostring(asset.labels),\n asset_entity_group_id_d = toint(asset.entity_group_id),\n asset_entity_group_name_s = tostring(asset.entity_group_name),\n id_d = toint(id),\n Severity = toint(severity),\n rule_group_id_d = toint(rule_group_id),\n reviewed_b = tobool(reviewed),\n escalated_b = tobool(escalated),\n rule_id_d = toint(rule_id),\n last_modified_t = last_modified\n \| project-rename \n TimeGenerated = last_modified,\n alert_type_s = alert_type,\n logs_s = logs,\n offending_content_url_s = offending_content_url,\n asset_term_s = asset_term,\n assignee_s = assignee,\n content_created_at_t = content_created_at,\n entered_by_s = entered_by,\n metadata_s = metadata,\n status_s = status,\n rule_name_s = rule_name,\n protected_locations_s = protected_locations,\n darkweb_term_s = darkweb_term,\n business_network_s = business_network,\n network_s = network,\n protected_social_object_s = protected_social_object,\n notes_s = notes,\n reviews_s = reviews,\n tags_s = tags\n\| project TimeGenerated, alert_type_s, logs_s, offending_content_url_s, asset_term_s, assignee_s, entity_id_d, entity_name_s, entity_image_s, entity_labels_s, entity_entity_group_id_d, entity_entity_group_name_s, entity_term_s, content_created_at_t, id_d, Severity, perpetrator_name_s, perpetrator_display_name_s, perpetrator_id_d, perpetrator_url_s, perpetrator_content_s, perpetrator_type_s, perpetrator_timestamp_t, perpetrator_network_s, rule_group_id_d, asset_id_d, asset_name_s, asset_image_s, asset_labels_s, asset_entity_group_id_d, asset_entity_group_name_s, entered_by_s, metadata_s, status_s, rule_name_s, last_modified_t, protected_locations_s, darkweb_term_s, business_network_s, reviewed_b, escalated_b, network_s, protected_social_object_s, notes_s, reviews_s, rule_id_d, entity_account_s, entity_email_receiver_id_s, tags_s",
`1146`	`1146`	`"outputStream": "Custom-ZeroFoxAlertPoller_CL"`
`1147`	`1147`	`}`
`1148`	`1148`	`]`
`@@ -1758,8 +1758,8 @@`
`1758`	`1758`	`"entityType": "Account",`
`1759`	`1759`	`"fieldMappings": [`
`1760`	`1760`	`{`
`1761`		`- "columnName": "entity_name_s",`
`1762`		`- "identifier": "FullName"`
	`1761`	`+ "identifier": "FullName",`
	`1762`	`+ "columnName": "entity_name_s"`
`1763`	`1763`	`}`
`1764`	`1764`	`]`
`1765`	`1765`	`}`
`@@ -1868,8 +1868,8 @@`
`1868`	`1868`	`"entityType": "Account",`
`1869`	`1869`	`"fieldMappings": [`
`1870`	`1870`	`{`
`1871`		`- "columnName": "entity_name_s",`
`1872`		`- "identifier": "FullName"`
	`1871`	`+ "identifier": "FullName",`
	`1872`	`+ "columnName": "entity_name_s"`
`1873`	`1873`	`}`
`1874`	`1874`	`]`
`1875`	`1875`	`}`
`@@ -1978,8 +1978,8 @@`
`1978`	`1978`	`"entityType": "Account",`
`1979`	`1979`	`"fieldMappings": [`
`1980`	`1980`	`{`
`1981`		`- "columnName": "entity_name_s",`
`1982`		`- "identifier": "FullName"`
	`1981`	`+ "identifier": "FullName",`
	`1982`	`+ "columnName": "entity_name_s"`
`1983`	`1983`	`}`
`1984`	`1984`	`]`
`1985`	`1985`	`}`
`@@ -2088,8 +2088,8 @@`
`2088`	`2088`	`"entityType": "Account",`
`2089`	`2089`	`"fieldMappings": [`
`2090`	`2090`	`{`
`2091`		`- "columnName": "entity_name_s",`
`2092`		`- "identifier": "FullName"`
	`2091`	`+ "identifier": "FullName",`
	`2092`	`+ "columnName": "entity_name_s"`
`2093`	`2093`	`}`
`2094`	`2094`	`]`
`2095`	`2095`	`}`