Expand Up @@ -1147,7 +1147,7 @@
"destinations": [
"clv2ws1"
],
"transformKql": "source\n | project TimeGenerated = detection_timestamp, Version = version, AlertUrl = alert_url, Id = id, AlertType = type, IsUpdated = is_updated, DetectionTimestamp = detection_timestamp, BackendTimestamp = backend_timestamp, BackendUpdateTimestamp = backend_update_timestamp, FirstEventTimestamp = first_event_timestamp, LastEventTimestamp = last_event_timestamp, Severity = severity, Reason = reason, ThreatId = threat_id, PrimaryEventId = primary_event_id, Workflow = workflow, Determination = determination, AlertNotesPresent = alert_notes_present, PolicyApplied = policy_applied, RunState = run_state, ReasonCode = reason_code, SensorAction = sensor_action, DeviceTargetValue = device_target_value, DevicePolicyId = device_policy_id, DevicePolicy = device_policy, DeviceId = device_id, DeviceName = device_name, DeviceOs = device_os, DeviceOsVersion = device_os_version, DeviceUsername = device_username, DeviceLocation = device_location, DeviceExternalIp = device_external_ip, DeviceInternalIp = device_internal_ip, ReportId = report_id, ReportName = report_name, ReportDescription = report_description, ReportTags = report_tags, ReportLink = report_link, IocId = ioc_id, IocHit = ioc_hit, Watchlists = watchlists, ProcessGuid = process_guid, ProcessPid = process_pid, ProcessName = process_name, ProcessSha256 = process_sha256, ProcessMd5 = process_md5, ProcessReputation = process_reputation, ProcessEffectiveReputation = process_effective_reputation, ProcessCmdline = process_cmdline, ProcessUsername = process_username, ProcessIssuer = process_issuer, ProcessPublisher = process_publisher, ParentGuid = parent_guid, ParentPid = parent_pid, ParentName = parent_name, ParentSha256 = parent_sha256, ParentMd5 = parent_md5, ParentReputation = parent_reputation, ParentEffectiveReputation = parent_effective_reputation, ParentCmdline = parent_cmdline, ParentUsername = parent_username, MdrAlertNotesPresent = mdr_alert_notes_present, MdrAlert = mdr_alert, 
MlClassificationFinalVerdict = ml_classification_final_verdict, MlClassificationGlobalPrevalence = ml_classification_global_prevalence, MlClassificationOrgPrevalence = ml_classification_org_prevalence",
"transformKql": "source\n | project TimeGenerated = todatetime(detection_timestamp), Version = version, AlertUrl = alert_url, Id = id, AlertType = type, IsUpdated = is_updated, DetectionTimestamp = detection_timestamp, BackendTimestamp = backend_timestamp, BackendUpdateTimestamp = backend_update_timestamp, FirstEventTimestamp = first_event_timestamp, LastEventTimestamp = last_event_timestamp, Severity = severity, Reason = reason, ThreatId = threat_id, PrimaryEventId = primary_event_id, Workflow = workflow, Determination = determination, AlertNotesPresent = alert_notes_present, PolicyApplied = policy_applied, RunState = run_state, ReasonCode = reason_code, SensorAction = sensor_action, DeviceTargetValue = device_target_value, DevicePolicyId = device_policy_id, DevicePolicy = device_policy, DeviceId = device_id, DeviceName = device_name, DeviceOs = device_os, DeviceOsVersion = device_os_version, DeviceUsername = device_username, DeviceLocation = device_location, DeviceExternalIp = device_external_ip, DeviceInternalIp = device_internal_ip, ReportId = report_id, ReportName = report_name, ReportDescription = report_description, ReportTags = report_tags, ReportLink = report_link, IocId = ioc_id, IocHit = ioc_hit, Watchlists = watchlists, ProcessGuid = process_guid, ProcessPid = process_pid, ProcessName = process_name, ProcessSha256 = process_sha256, ProcessMd5 = process_md5, ProcessReputation = process_reputation, ProcessEffectiveReputation = process_effective_reputation, ProcessCmdline = process_cmdline, ProcessUsername = process_username, ProcessIssuer = process_issuer, ProcessPublisher = process_publisher, ParentGuid = parent_guid, ParentPid = parent_pid, ParentName = parent_name, ParentSha256 = parent_sha256, ParentMd5 = parent_md5, ParentReputation = parent_reputation, ParentEffectiveReputation = parent_effective_reputation, ParentCmdline = parent_cmdline, ParentUsername = parent_username, MdrAlertNotesPresent = mdr_alert_notes_present, MdrAlert = mdr_alert, 
MlClassificationFinalVerdict = ml_classification_final_verdict, MlClassificationGlobalPrevalence = ml_classification_global_prevalence, MlClassificationOrgPrevalence = ml_classification_org_prevalence",
"outputStream": "Custom-CarbonBlack_Alerts_CL"
},
{
Expand All @@ -1157,7 +1157,7 @@
"destinations": [
"clv2ws1"
],
"transformKql": "source \n| project TimeGenerated = create_time, DeviceExternalIp = device_external_ip, DeviceId = device_id, DeviceInternalIp = device_internal_ip, DeviceName = device_name, IocHit = ioc_hit, IocId = ioc_id, OrgKey = org_key, ParentCmdline = parent_cmdline, ParentPath = parent_path, ParentPid = parent_pid, ProcessCmdline = process_cmdline, ProcessPath = process_path, ProcessPid = process_pid, ParentUsername = parent_username, ProcessUsername = process_username, ReportId = report_id, ReportName = report_name, Severity = severity, ReportTags = report_tags, Schema = schema, CreateTime = create_time, DeviceOs = device_os, ParentGuid = parent_guid, ParentHash = parent_hash, ParentPublisher = parent_publisher, ParentReputation = parent_reputation, ProcessGuid = process_guid, ProcessHash = process_hash, ProcessPublisher = process_publisher, ProcessReputation = process_reputation, WatchlistsType = type, Watchlists = watchlists",
"transformKql": "source \n| project TimeGenerated = todatetime(create_time), DeviceExternalIp = device_external_ip, DeviceId = device_id, DeviceInternalIp = device_internal_ip, DeviceName = device_name, IocHit = ioc_hit, IocId = ioc_id, OrgKey = org_key, ParentCmdline = parent_cmdline, ParentPath = parent_path, ParentPid = parent_pid, ProcessCmdline = process_cmdline, ProcessPath = process_path, ProcessPid = process_pid, ParentUsername = parent_username, ProcessUsername = process_username, ReportId = report_id, ReportName = report_name, Severity = severity, ReportTags = report_tags, Schema = schema, CreateTime = create_time, DeviceOs = device_os, ParentGuid = parent_guid, ParentHash = parent_hash, ParentPublisher = parent_publisher, ParentReputation = parent_reputation, ProcessGuid = process_guid, ProcessHash = process_hash, ProcessPublisher = process_publisher, ProcessReputation = process_reputation, WatchlistsType = type, Watchlists = watchlists",
"outputStream": "Custom-CarbonBlack_Watchlist_CL"
},
{
Expand All @@ -1167,7 +1167,7 @@
"destinations": [
"clv2ws1"
],
"transformKql": "source | extend splitBackendTime = split(backend_timestamp,' ') | extend backendTimeAsDate = todatetime(strcat(splitBackendTime[0],'T',splitBackendTime[1],'Z')) | extend splitDeviceTimestamp = split(device_timestamp,' ') | extend DeviceTimestampAsDate = todatetime(strcat(splitDeviceTimestamp[0],'T',splitDeviceTimestamp[1],'Z'))| extend LogonMethod = case(toint(auth_logon_type) == 2, 'Interactive',toint(auth_logon_type) == 3, 'Network',toint(auth_logon_type) == 4, 'Batch',toint(auth_logon_type) == 5, 'Service',toint(auth_logon_type) == 7, 'Unlock',toint(auth_logon_type) == 8, 'NetworkCleartext',toint(auth_logon_type) == 9, 'NewCredentials',toint(auth_logon_type) == 10, 'RemoteInteractive',toint(auth_logon_type) == 11, 'CachedInteractive','Non-Valid Logon Type') | extend DvcIpAddr = device_external_ip| extend LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')| extend SplittedGeo = split(auth_remote_location, ',')| extend AdditionalFields = bag_pack('AuthCleartextCredentialsLogon', auth_cleartext_credentials_logon, 'AuthDaemonLogon', auth_daemon_logon, 'AuthElevatedTokenLogon', auth_elevated_token_logon, 'AuthFailureStatus', auth_failure_status, 'AuthFailureSubStatus', auth_failure_sub_status, 'AuthImpersonationLevel', auth_impersonation_level, 'AuthInteractiveLogon', auth_interactive_logon, 'AuthKeyLength', auth_key_length, 'AuthLogonType', auth_logon_type, 'AuthPrivileges', auth_privileges, 'AuthRemoteLogon', auth_remote_logon, 'AuthRestrictedAdminLogon', auth_restricted_admin_logon, 'AuthVirtualAccountLogon', auth_virtual_account_logon, 'DeviceExternalIp', device_external_ip, 'DeviceInternalIp', device_internal_ip, 'DeviceInstalledBy', device_installed_by, 'DeviceLocation', device_location, 'DevicePolicy', device_policy, 'DevicePolicyId', device_policy_id, 'DeviceTargetPriority', device_target_priority, 'FilemodCount', filemod_count, 'ModloadCount', modload_count, 'NetconnCount', netconn_count, 'RegmodCount', regmod_count, 
'ScriptloadCount', scriptload_count, 'OrgKey', org_key, 'ParentCmdline', parent_cmdline, 'ParentCmdlineLength', parent_cmdline_length, 'ParentEffectiveReputation', parent_effective_reputation, 'ParentEffectiveReputationSource', parent_effective_reputation_source, 'ParentGuid', parent_guid, 'ParentHash', parent_hash, 'ParentIssuer', parent_issuer, 'ParentPid', parent_pid, 'ParentName', parent_name, 'ParentProductName', parent_product_name, 'ParentPublisher', parent_publisher, 'ParentReputation', parent_reputation, 'ParentUsername', parent_username, 'ProcessCmdline', process_cmdline, 'ProcessCmdlineLength', process_cmdline_length, 'ProcessCompanyName', process_company_name, 'ProcessContainerPid', process_container_pid, 'ProcessDuration', process_duration, 'ProcessEffectiveReputation', process_effective_reputation, 'ProcessEffectiveReputationSource', process_effective_reputation_source, 'ProcessElevated', process_elevated, 'ProcessEndTime', process_end_time, 'ProcessFileDescription', process_file_description, 'ProcessGuid', process_guid, 'ProcessHash', process_hash, 'ProcessIntegrityLevel', process_integrity_level, 'ProcessInternalName', process_internal_name, 'ProcessIssuer', process_issuer, 'ProcessName', process_name, 'ProcessOriginalFilename', process_original_filename, 'ProcessPid', process_pid, 'ProcessPrivileges', process_privileges, 'ProcessPublisher', process_publisher, 'ProcessReputation', process_reputation, 'ProcessSha256', process_sha256, 'ProcessStartTime', process_start_time, 'ProcessUsername', process_username, 'ProcessProductName', process_product_name, 'ProcessProductVersion', process_product_version, 'WindowsEventId', windows_event_id) | project TimeGenerated = backendTimeAsDate,AdditionalFields = AdditionalFields,EventCount = toint(1),EventResult = iff(auth_event_action == 'ACTION_LOGON_FAILED', 'Failure', 'Success'),EventSchema = 'Authentication',EventSchemaVersion = '0.1.3',EventStartTime = backendTimeAsDate,EventEndTime = 
backendTimeAsDate,EventType = 'Logon',EventOriginalUid = event_id,EventOriginalType = 'auth.event.logonop',EventProductVersion = '2.3',ActorUserId = auth_user_id,ActorUserIdType = 'SID',ActorUsername = auth_username,ActorSessionId = auth_logon_id,ActingAppId = process_pid,ActingAppName = process_name,ActingAppType = 'Process',TargetUserId = auth_user_id,TargetUserIdType = 'SID',TargetUsername = auth_username,TargetSessionId = auth_logon_id,TargetAppId = process_pid,TargetAppName = process_name,TargetAppType = 'Process',TargetHostName = auth_server,TargetDomain = auth_domain_name,TargetDomainType = 'WINDOWS',SrcPortNumber = toint(auth_remote_port),SrcHostname = device_name,SrcDvcId = device_id,SrcDeviceType = 'Computer',SrcDvcOs = device_os,SrcIpAddr= DvcIpAddr,SrcGeoCountry = tostring(SplittedGeo[2]),SrcGeoRegion = tostring(SplittedGeo[1]),SrcGeoCity = tostring(SplittedGeo[0]),LogonMethod = LogonMethod,LogonProtocol = LogonProtocol,DvcOriginalAction = auth_event_action,DvcIpAddr = DvcIpAddr,DvcHostname = device_name,DVC = device_id,DvcId = device_id,DvcOs = device_os | extend ActorUsernameType = case (ActorUsername contains '@' , 'UPN', ActorUsername contains '\\', 'Windows', (ActorUsername has 'CN=' or ActorUsername has 'OU=' or ActorUsername has 'DC='), 'DN', isempty(ActorUsername), '', 'Simple') | extend TargetUsernameType = case (TargetUsername contains '@' , 'UPN', TargetUsername contains '\\', 'Windows', (TargetUsername has 'CN=' or TargetUsername has 'OU=' or TargetUsername has 'DC='), 'DN', isempty(TargetUsername), '', 'Simple') | extend EventProduct = 'Carbon Black Cloud', EventVendor = 'VMWare'",
"transformKql": "source | extend splitBackendTime = split(backend_timestamp,' ') | extend backendTimeAsDate = todatetime(strcat(splitBackendTime[0],'T',splitBackendTime[1],'Z')) | extend splitDeviceTimestamp = split(device_timestamp,' ') | extend DeviceTimestampAsDate = todatetime(strcat(splitDeviceTimestamp[0],'T',splitDeviceTimestamp[1],'Z'))| extend LogonMethod = case(toint(auth_logon_type) == 2, 'Interactive',toint(auth_logon_type) == 3, 'Network',toint(auth_logon_type) == 4, 'Batch',toint(auth_logon_type) == 5, 'Service',toint(auth_logon_type) == 7, 'Unlock',toint(auth_logon_type) == 8, 'NetworkCleartext',toint(auth_logon_type) == 9, 'NewCredentials',toint(auth_logon_type) == 10, 'RemoteInteractive',toint(auth_logon_type) == 11, 'CachedInteractive','Non-Valid Logon Type') | extend DvcIpAddr = device_external_ip| extend LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')| extend SplittedGeo = split(auth_remote_location, ',')| extend AdditionalFields = bag_pack('AuthCleartextCredentialsLogon', auth_cleartext_credentials_logon, 'AuthDaemonLogon', auth_daemon_logon, 'AuthElevatedTokenLogon', auth_elevated_token_logon, 'AuthFailureStatus', auth_failure_status, 'AuthFailureSubStatus', auth_failure_sub_status, 'AuthImpersonationLevel', auth_impersonation_level, 'AuthInteractiveLogon', auth_interactive_logon, 'AuthKeyLength', auth_key_length, 'AuthLogonType', auth_logon_type, 'AuthPrivileges', auth_privileges, 'AuthRemoteLogon', auth_remote_logon, 'AuthRestrictedAdminLogon', auth_restricted_admin_logon, 'AuthVirtualAccountLogon', auth_virtual_account_logon, 'DeviceExternalIp', device_external_ip, 'DeviceInternalIp', device_internal_ip, 'DeviceInstalledBy', device_installed_by, 'DeviceLocation', device_location, 'DevicePolicy', device_policy, 'DevicePolicyId', device_policy_id, 'DeviceTargetPriority', device_target_priority, 'FilemodCount', filemod_count, 'ModloadCount', modload_count, 'NetconnCount', netconn_count, 'RegmodCount', regmod_count, 
'ScriptloadCount', scriptload_count, 'OrgKey', org_key, 'ParentCmdline', parent_cmdline, 'ParentCmdlineLength', parent_cmdline_length, 'ParentEffectiveReputation', parent_effective_reputation, 'ParentEffectiveReputationSource', parent_effective_reputation_source, 'ParentGuid', parent_guid, 'ParentHash', parent_hash, 'ParentIssuer', parent_issuer, 'ParentPid', parent_pid, 'ParentName', parent_name, 'ParentProductName', parent_product_name, 'ParentPublisher', parent_publisher, 'ParentReputation', parent_reputation, 'ParentUsername', parent_username, 'ProcessCmdline', process_cmdline, 'ProcessCmdlineLength', process_cmdline_length, 'ProcessCompanyName', process_company_name, 'ProcessContainerPid', process_container_pid, 'ProcessDuration', process_duration, 'ProcessEffectiveReputation', process_effective_reputation, 'ProcessEffectiveReputationSource', process_effective_reputation_source, 'ProcessElevated', process_elevated, 'ProcessEndTime', process_end_time, 'ProcessFileDescription', process_file_description, 'ProcessGuid', process_guid, 'ProcessHash', process_hash, 'ProcessIntegrityLevel', process_integrity_level, 'ProcessInternalName', process_internal_name, 'ProcessIssuer', process_issuer, 'ProcessName', process_name, 'ProcessOriginalFilename', process_original_filename, 'ProcessPid', process_pid, 'ProcessPrivileges', process_privileges, 'ProcessPublisher', process_publisher, 'ProcessReputation', process_reputation, 'ProcessSha256', process_sha256, 'ProcessStartTime', process_start_time, 'ProcessUsername', process_username, 'ProcessProductName', process_product_name, 'ProcessProductVersion', process_product_version, 'WindowsEventId', windows_event_id) | project TimeGenerated = backendTimeAsDate,AdditionalFields = AdditionalFields,EventCount = toint(1),EventResult = iff(auth_event_action == 'ACTION_LOGON_FAILED', 'Failure', 'Success'),EventSchema = 'Authentication',EventSchemaVersion = '0.1.3',EventStartTime = backendTimeAsDate,EventEndTime = 
backendTimeAsDate,EventType = 'Logon',EventOriginalUid = event_id,EventOriginalType = 'auth.event.logonop',EventProductVersion = '2.3',ActorUserId = auth_user_id,ActorUserIdType = 'SID',ActorUsername = auth_username,ActorSessionId = auth_logon_id,ActingAppId = process_pid,ActingAppName = process_name,ActingAppType = 'Process',TargetUserId = auth_user_id,TargetUserIdType = 'SID',TargetUsername = auth_username,TargetSessionId = auth_logon_id,TargetAppId = process_pid,TargetAppName = process_name,TargetAppType = 'Process',TargetHostName = auth_server,TargetDomain = auth_domain_name,TargetDomainType = 'WINDOWS',SrcPortNumber = toint(auth_remote_port),SrcHostname = device_name,SrcDvcId = device_id,SrcDeviceType = 'Computer',SrcDvcOs = device_os,SrcIpAddr= DvcIpAddr,SrcGeoCountry = tostring(SplittedGeo[2]),SrcGeoRegion = tostring(SplittedGeo[1]),SrcGeoCity = tostring(SplittedGeo[0]),LogonMethod = LogonMethod,LogonProtocol = LogonProtocol,DvcOriginalAction = auth_event_action,DvcIpAddr = DvcIpAddr,DvcHostname = device_name,DVC = device_id,DvcId = device_id,DvcOs = device_os | extend ActorUsernameType = case (ActorUsername contains '@' , 'UPN', ActorUsername contains '\\\\', 'Windows', (ActorUsername has 'CN=' or ActorUsername has 'OU=' or ActorUsername has 'DC='), 'DN', isempty(ActorUsername), '', 'Simple') | extend TargetUsernameType = case (TargetUsername contains '@' , 'UPN', TargetUsername contains '\\\\', 'Windows', (TargetUsername has 'CN=' or TargetUsername has 'OU=' or TargetUsername has 'DC='), 'DN', isempty(TargetUsername), '', 'Simple') | extend EventProduct = 'Carbon Black Cloud', EventVendor = 'VMWare'",
"outputStream": "Microsoft-ASimAuthenticationEventLogs"
},
{
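Review bot: In the Microsoft-ASimAuthenticationEventLogs transform, `LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')` compares against `'NLTM'`, which reads like a transposition of NTLM; if the source emits `NTLM` that branch never matches and every event, NTLM logons included, is normalized as Kerberos, which would mislead any analytic that keys on LogonProtocol. The same expression also maps any other package to Kerberos rather than passing the original value through. Consider `LogonProtocol = case(auth_package =~ 'NTLM', 'NTLM', auth_package =~ 'Kerberos', 'Kerberos', tostring(auth_package))`, after confirming the exact spelling the source field carries. The backslash re-escaping in the same line is correct for a KQL string embedded in JSON and needs no change; the data-flow object this transform belongs to starts above the hunk, so its name and streams are not visible here.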
Expand Up @@ -5,7 +5,7 @@
"kind": "AmazonWebServicesS3",
"properties": {
"connectorDefinitionName": "carbonBlackAWSS3",
"dataType": {
"dataTypes": {
"logs": {
"state": "enabled"
}
Binary file not shown.
Expand Up @@ -64,7 +64,7 @@
}
},
{
"name": "dataconnectors-link1",
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
Expand Down Expand Up @@ -225,4 +225,4 @@
"workspace": "[basics('workspace')]"
}
}
}
}