This commit is contained in:
yaronMSFT 2021-11-30 09:05:15 +02:00 коммит произвёл GitHub
Родитель 56750bbe24
Коммит 0197b206a0
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
12 изменённых файлов: 12 добавлений и 12 удалений



@ -28,7 +28,7 @@
"displayName": "ASIM Sysmon for Linux Network Session Parser",
"category": "Security",
"FunctionAlias": "ASimNetworkSessionLinuxSysmon",
"query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | where SyslogMessage has_all ('<Provider Name=\"Linux-Sysmon\"', '<EventID>3</EventID>')\n | project-away ProcessName, ProcessID\n | parse SyslogMessage with * '<Data Name=\"SourceIp\">' SrcIpAddr:string '</Data>' *\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n ;\n let parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '<EventRecordID>' EventOriginalUid:string '</EventRecordID>'\n *\n '<Computer>' SysmonComputer:string '</Computer>'\n *\n '<Data Name=\"RuleName\">' RuleName:string '</Data>'\n '<Data Name=\"UtcTime\">' EventEndTime:datetime '</Data>'\n '<Data Name=\"ProcessGuid\">{' ProcessGuid:string '}</Data>'\n '<Data Name=\"ProcessId\">' ProcessId:string '</Data>'\n '<Data Name=\"Image\">' Process:string '</Data>'\n '<Data Name=\"User\">' User:string '</Data>'\n '<Data Name=\"Protocol\">' Protocol:string '</Data>' // -- source is lowercase\n '<Data Name=\"Initiated\">' Initiated:bool '</Data>' \n '<Data Name=\"SourceIsIpv6\">' SourceIsIpv6:bool '</Data>'\t\t\n '<Data Name=\"SourceIp\">' * '</Data>'\n '<Data Name=\"SourceHostname\">' SrcHostname:string '</Data>'\n '<Data Name=\"SourcePort\">' SrcPortNumber:int '</Data>'\n '<Data Name=\"SourcePortName\">' SrcPortName:string '</Data>'\n '<Data Name=\"DestinationIsIpv6\">' DestinationIsIpv6:bool '</Data>'\n '<Data Name=\"DestinationIp\">' DstIpAddr:string '</Data>'\n '<Data Name=\"DestinationHostname\">' DstHostname:string '</Data>'\n '<Data Name=\"DestinationPort\">' DstPortNumber:int '</Data>'\n '<Data Name=\"DestinationPortName\">' DstPortName:string '</Data>'\n *\n };\n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process,\n SrcAppName = Process,\n SrcAppType = 'Process'\n | 
project-away SyslogMessage\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | extend\n DstUsernameType = 'Simple',\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process,\n DstAppName = Process,\n DstAppType = 'Process' \n | project-away SyslogMessage\n ;\n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon For Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr\n ;\n SysmonForLinuxNetwork",
"query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | where SyslogMessage has_all ('<Provider Name=\"Linux-Sysmon\"', '<EventID>3</EventID>')\n | project-away ProcessName, ProcessID\n | parse SyslogMessage with * '<Data Name=\"SourceIp\">' SrcIpAddr:string '</Data>' *\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n ;\n let parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '<EventRecordID>' EventOriginalUid:string '</EventRecordID>'\n *\n '<Computer>' SysmonComputer:string '</Computer>'\n *\n '<Data Name=\"RuleName\">' RuleName:string '</Data>'\n '<Data Name=\"UtcTime\">' EventEndTime:datetime '</Data>'\n '<Data Name=\"ProcessGuid\">{' ProcessGuid:string '}</Data>'\n '<Data Name=\"ProcessId\">' ProcessId:string '</Data>'\n '<Data Name=\"Image\">' Process:string '</Data>'\n '<Data Name=\"User\">' User:string '</Data>'\n '<Data Name=\"Protocol\">' Protocol:string '</Data>' // -- source is lowercase\n '<Data Name=\"Initiated\">' Initiated:bool '</Data>' \n '<Data Name=\"SourceIsIpv6\">' SourceIsIpv6:bool '</Data>'\t\t\n '<Data Name=\"SourceIp\">' * '</Data>'\n '<Data Name=\"SourceHostname\">' SrcHostname:string '</Data>'\n '<Data Name=\"SourcePort\">' SrcPortNumber:int '</Data>'\n '<Data Name=\"SourcePortName\">' SrcPortName:string '</Data>'\n '<Data Name=\"DestinationIsIpv6\">' DestinationIsIpv6:bool '</Data>'\n '<Data Name=\"DestinationIp\">' DstIpAddr:string '</Data>'\n '<Data Name=\"DestinationHostname\">' DstHostname:string '</Data>'\n '<Data Name=\"DestinationPort\">' DstPortNumber:int '</Data>'\n '<Data Name=\"DestinationPortName\">' DstPortName:string '</Data>'\n *\n };\n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process,\n SrcAppName = Process,\n SrcAppType = 'Process'\n | 
project-away SyslogMessage\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | extend\n DstUsernameType = 'Simple',\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process,\n DstAppName = Process,\n DstAppType = 'Process' \n | project-away SyslogMessage\n ; \n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon For Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n SysmonForLinuxNetwork",
"version": 1,
"functionParameters": "disabled:bool=False"
}
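Review bot: The `outbound` helper column computed in `DirectionNetworkEvents` decides which of the Src*/Dst* fields a row receives, and now also what the new `Src`/`Dst` aliases point at, yet it is neither emitted as `NetworkDirection` nor removed by the `project-away SyslogMessage` steps, so consumers get a stray boolean and no schema field saying which branch produced the row. In the final `extend` add `NetworkDirection = iif(outbound, 'Outbound', 'Inbound')` and change both clean-up steps to `| project-away SyslogMessage, outbound`. The direction test itself (`SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0')`) ignores the `Initiated` flag the parser already extracts; Sysmon sets that flag for connections the local process opened, so it is probably the more reliable signal for `outbound` — worth confirming against sample events before relying on IP equality alone.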


@ -28,7 +28,7 @@
"displayName": "ASIM Network Sessions Parser for Microsoft Defender for IoT - Endpoint",
"category": "Security",
"FunctionAlias": "ASimNetworkSessionMD4IoT",
"query": "let DirectionNetworkEvents =\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"NetworkActivity\"\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\n | extend outbound = LocalPort > RemotePort\n;\nlet parser = (T: (EventDetails: string)) {\n T \n | parse EventDetails with \n '{\"LocalAddress\":\"' LocalAddress:string '\",'\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\n *\n '\"BytesIn\":' BytesIn:int ','\n '\"BytesOut\":' BytesOut:int ','\n '\"Protocol\":\"' Protocol:string '\",'\n '\"ProcessId\":' ProcessId:string ','\n '\"UserId\":' UserId:string ','\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\n '\"DeviceId\":\"' DeviceId:string '\",'\n '\"MessageSource\":\"' MessageSource:string '\",'\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\n *\n}\n; \nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | project-rename\n SrcBytes = BytesOut,\n DstBytes = BytesIn,\n SrcPortNumber = LocalPort,\n DstIpAddr = RemoteAddress,\n DstPortNumber = RemotePort,\n SrcProcessId = ProcessId\n | extend\n SrcIpAddr = LocalAddress,\n SrcDvcIdType = \"MD4IoTid\",\n SrcUserId = UserId,\n SrcUserIdType = \"Linux\",\n SrcDvcId = DeviceId,\n Process = SrcProcessId, // alias\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | project-rename\n DstBytes = BytesOut,\n SrcBytes = BytesIn,\n DstPortNumber = LocalPort,\n SrcIpAddr = RemoteAddress,\n SrcPortNumber = RemotePort,\n DstProcessId = ProcessId\n | extend\n DstIpAddr = LocalAddress,\n DstDvcIdType = \"MD4IoTid\",\n DstUserId = UserId,\n DstUserIdType = \"Linux\",\n DstDvcId = DeviceId,\n Process = DstProcessId, // alias\n DstDvcOs = iif 
(MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet NetworkSessionMD4IoT = \n union InboundNetworkEvents, OutboundNetworkEvents\n | extend\n EventCount = int(1),\n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = \"NetworkSession\", \n EventType = 'NetworkSession',\n EventStartTime = TimeGenerated, // Open question about timestamps\n EventEndTime = TimeGenerated, // Open question about timestamps\n EventResult = 'Success',\n EventSeverity = 'Informational'\n | project-rename\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n EventOriginalUid = OriginalEventId, // OK pending question\n DvcOs = MessageSource,\n NetworkProtocol = Protocol,\n NetworkApplicationProtocol = ApplicationProtocol,\n DvcId = DeviceId,\n DvcIpAddr = LocalAddress\n | extend\n Dvc = DvcId,\n DvcIdType = \"MD4IoTid\",\n User = UserId,\n IpAddr = SrcIpAddr\n;\nNetworkSessionMD4IoT\n",
"query": "let DirectionNetworkEvents =\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"NetworkActivity\"\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\n | extend outbound = LocalPort > RemotePort\n;\nlet parser = (T: (EventDetails: string)) {\n T \n | parse EventDetails with \n '{\"LocalAddress\":\"' LocalAddress:string '\",'\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\n *\n '\"BytesIn\":' BytesIn:int ','\n '\"BytesOut\":' BytesOut:int ','\n '\"Protocol\":\"' Protocol:string '\",'\n '\"ProcessId\":' ProcessId:string ','\n '\"UserId\":' UserId:string ','\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\n '\"DeviceId\":\"' DeviceId:string '\",'\n '\"MessageSource\":\"' MessageSource:string '\",'\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\n *\n}\n; \nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | project-rename\n SrcBytes = BytesOut,\n DstBytes = BytesIn,\n SrcPortNumber = LocalPort,\n DstIpAddr = RemoteAddress,\n DstPortNumber = RemotePort,\n SrcProcessId = ProcessId\n | extend\n SrcIpAddr = LocalAddress,\n SrcDvcIdType = \"MD4IoTid\",\n SrcUserId = UserId,\n SrcUserIdType = \"Linux\",\n SrcDvcId = DeviceId,\n Process = SrcProcessId, // alias\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | project-rename\n DstBytes = BytesOut,\n SrcBytes = BytesIn,\n DstPortNumber = LocalPort,\n SrcIpAddr = RemoteAddress,\n SrcPortNumber = RemotePort,\n DstProcessId = ProcessId\n | extend\n DstIpAddr = LocalAddress,\n DstDvcIdType = \"MD4IoTid\",\n DstUserId = UserId,\n DstUserIdType = \"Linux\",\n DstDvcId = DeviceId,\n Process = DstProcessId, // alias\n DstDvcOs = iif 
(MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet NetworkSessionMD4IoT = \n union InboundNetworkEvents, OutboundNetworkEvents\n | extend\n EventCount = int(1),\n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = \"NetworkSession\", \n EventType = 'NetworkSession',\n EventStartTime = TimeGenerated, // Open question about timestamps\n EventEndTime = TimeGenerated, // Open question about timestamps\n EventResult = 'Success',\n EventSeverity = 'Informational'\n | project-rename\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n EventOriginalUid = OriginalEventId, // OK pending question\n DvcOs = MessageSource,\n NetworkProtocol = Protocol,\n NetworkApplicationProtocol = ApplicationProtocol,\n DvcId = DeviceId,\n DvcIpAddr = LocalAddress\n | extend\n Dvc = DvcId,\n DvcIdType = \"MD4IoTid\",\n User = UserId,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n;\nNetworkSessionMD4IoT\n",
"version": 1,
"functionParameters": "disabled:bool=False"
}
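Review bot: `SrcUserIdType = "Linux"` and `DstUserIdType = "Linux"` are hard-coded in both branches, while `SrcDvcOs`/`DstDvcOs` on the same rows are derived with `iif (MessageSource == "Linux", "Linux", "Windows")`, so Windows-sourced events are tagged with a Linux user-id type; derive the type from `MessageSource` the same way, using whatever value the schema's UserIdType list prescribes for Windows. The direction test `outbound = LocalPort > RemotePort` is a heuristic: any session whose service port is numerically higher than the client's port is classified backwards, which swaps Src*/Dst* and now the new `Src`/`Dst` aliases too, so detections keyed on them will point at the wrong endpoint for those sessions — this deserves a comment in the query stating the assumption. `TimestampUTC` is parsed but `EventStartTime`/`EventEndTime` are taken from `TimeGenerated` (the existing "Open question" comments); if the raw timestamp is authoritative it should be used here, otherwise the comment should say why ingestion time is preferred.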



@ -28,7 +28,7 @@
"displayName": "Source Agnostic Web Sessions parser",
"category": "Security",
"FunctionAlias": "ASimWebSessions",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet WebSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nWebSessionsGeneric",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet WebSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nWebSessionsGeneric",
"version": 1
}
}
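Review bot: The new `DisabledParsers` line filters the watchlist on `SearchKey in ('Any', 'ASimNetworkSession')` while the scalar on the next line tests `'ASimWebSession' in (DisabledParsers)`, so for this web-sessions parser the parser-specific key can never match; the sibling `imWebSessions` change in this commit uses `'ASimWebSession'` in both places, and this one should agree with it. `ASimBuiltInDisabled` is then computed but never referenced in `WebSessionsGeneric` (the same holds for `imNetworkNotables`, `imNetworkSession` and `imWebSessions` in this commit), so the watchlist is read on every invocation and the disable switch has no effect; either gate the union on it or add a comment such as `// ASimBuiltInDisabled is not yet consumed; wiring into the union is pending` so readers do not assume the switch works.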


@ -28,7 +28,7 @@
"displayName": "Source Agnostic Network Notables parser",
"category": "Security",
"FunctionAlias": "imNetworkNotables",
"query": "let NetworkNotablesGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nNetworkNotablesGeneric",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkNotables') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ASimNetworkNotables' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkNotablesGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nNetworkNotablesGeneric",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([])"
}


@ -28,7 +28,7 @@
"displayName": "Source Agnostic Network Session parser",
"category": "Security",
"FunctionAlias": "imNetworkSession",
"query": "let NetworkSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n , vimNetworkSessionMD4IoT (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)\n};\nNetworkSessionsGeneric",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(starttime:datetime=datetime(null) , endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n , vimNetworkSessionMD4IoT (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n};\nNetworkSessionsGeneric",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([])"
}
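Review bot: `NetworkSessionsGeneric` now declares its own `starttime … disabled` parameters with defaults, but the function is still invoked by bare name on the last line of the query, so as far as the hunk shows those defaults are what reach the source parsers; the values a caller passes to `imNetworkSession` (declared in the unchanged `functionParameters` line) are shadowed and silently dropped, meaning time-range and IP-prefix filters no longer apply. Replace the last line with an explicit call, `NetworkSessionsGeneric(starttime, endtime, srcipaddr_has_any_ipv4_prefix, dstipaddr_has_any_ipv4_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)`, and append `, eventresult:string='*', disabled:bool=false` to `functionParameters` so the two new arguments can be supplied at all. `imWebSessions` in this commit has the same shape and needs the same fix.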


@ -28,7 +28,7 @@
"displayName": "Source Agnostic Web Sessions parser",
"category": "Security",
"FunctionAlias": "imWebSessions",
"query": "let WebSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nWebSessionsGeneric",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet WebSessionsGeneric=(starttime:datetime=datetime(null) , endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n};\nWebSessionsGeneric",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstipaddr_has_any_ipv4_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([])"
}
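Review bot: The web-session function's union body still contains only `vimNetworkSessionEmpty`, so `imWebSessions` returns the NetworkSession column set and none of the eleven parameters it now declares (including `url_has_any` and `httpuseragent_has_any`) are consumed by anything. If an empty-schema table for the WebSession schema exists it belongs here; otherwise a one-line comment in the query, such as `// placeholder: no WebSession sources wired yet; returns the NetworkSession empty schema and ignores all filter parameters`, would stop readers from assuming the filters are honoured.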



