This commit is contained in:
Anki Narravula 2024-07-11 15:46:43 +05:30
Родитель 4204a21e89
Коммит 55c2d74e49
2 изменённых файлов: 98 добавлений и 0 удалений


@ -0,0 +1,46 @@
id: 0829eb1f-75c3-4736-bcc9-7402650b3983
Function:
Title: Workspace Function for SyslogConnectors EventVolume by DeviceProduct
Version: '1.0.0'
LastUpdated: '2024-07-11'
Category: Microsoft Sentinel Parser
FunctionName: SyslogConnectorsEventVolumebyDeviceProduct
FunctionAlias: SyslogConnectorsEventVolumebyDeviceProduct
FunctionQuery: |
let startTime = now()-7d;
let endTime = now();
let DeviceProduct_Input = "Juniper SRX";
let empty_table_result = datatable (DeviceProduct:string, Count:long, TimeGenerated:datetime ) [];
let empty_table_connector_Events = datatable (TimeGenerated:datetime) [];
let BlackberryCylancePROTECT_Events = union isfuzzy=true empty_table_connector_Events, CylancePROTECT | extend DeviceProduct = "Blackberry CylancePROTECT" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let CiscoACI_Events = union isfuzzy=true empty_table_connector_Events, CiscoACIEvent | extend DeviceProduct = "Cisco Application Centric Infrastructure" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) | summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now()) ;
let CiscoISE_Events = union isfuzzy=true empty_table_connector_Events, CiscoISEEvent | extend DeviceProduct = "Cisco Identity Services Engine" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" |where TimeGenerated between (startTime .. endTime) | summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let Stealthwatch_Events = union isfuzzy=true empty_table_connector_Events, StealthwatchEvent | extend DeviceProduct = "Cisco Secure Cloud Analytics" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let CiscoUCS_Events = union isfuzzy=true empty_table_connector_Events, CiscoUCS | extend DeviceProduct = "Cisco UCS" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let CiscoWSA_Events = union isfuzzy=true empty_table_connector_Events, CiscoWSAEvent | extend DeviceProduct = "Cisco Web Security Appliance" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let CitrixADC_Events = union isfuzzy=true empty_table_connector_Events, CitrixADCEvent | extend DeviceProduct = "Citrix ADC (former NetScaler)" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let DigitalGuardianDLP_Events = union isfuzzy=true empty_table_connector_Events, DigitalGuardianDLPEvent | extend DeviceProduct = "Digital Guardian Data Loss Prevention" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let Exabeam_Events = union isfuzzy=true empty_table_connector_Events, ExabeamEvent | extend DeviceProduct = "Exabeam Advanced Analytics" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" |where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let Forescout_Events = union isfuzzy=true empty_table_connector_Events, ForescoutEvent | extend DeviceProduct = "Forescout" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let GitLab_Events = union isfuzzy=true empty_table_connector_Events, GitLabApp, GitLabAudit, GitLabAccess | extend DeviceProduct = "GitLab" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let InfobloxNIOS_Events = union isfuzzy=true empty_table_connector_Events, Infoblox | extend DeviceProduct = "Infoblox NIOS" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let ISCBind_Events = union isfuzzy=true empty_table_connector_Events, ISCBind | extend DeviceProduct = "ISC Bind" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" |where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let IvantiUEM_Events = union isfuzzy=true empty_table_connector_Events, IvantiUEMEvent | extend DeviceProduct = "Ivanti Unified Endpoint Management" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let JuniperSRX_Events = union isfuzzy=true empty_table_connector_Events, JuniperSRX | extend DeviceProduct = "Juniper SRX" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let McAfeeePO_Events = union isfuzzy=true empty_table_connector_Events, McAfeeEPOEvent | extend DeviceProduct = "McAfee ePolicy Orchestrator (ePO)" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let McAfeeNSP_Events = union isfuzzy=true empty_table_connector_Events, McAfeeNSPEvent | extend DeviceProduct = "McAfee Network Security Platform" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let OpenVPN_Events = union isfuzzy=true empty_table_connector_Events, OpenVpnEvent | extend DeviceProduct = "OpenVPN Server" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let OracleDatabaseAudit_Events = union isfuzzy=true empty_table_connector_Events, OracleDatabaseAuditEvent | extend DeviceProduct = "Oracle Database Audit" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let PulseConnectSecure_Events = union isfuzzy=true empty_table_connector_Events, PulseConnectSecure | extend DeviceProduct = "Pulse Connect Secure" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let RSASecurIDAM_Events = union isfuzzy=true empty_table_connector_Events, RSASecurIDAMEvent | extend DeviceProduct = "RSA® SecurID (Authentication Manager)" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let SophosXGFirewall_Events = union isfuzzy=true empty_table_connector_Events, SophosXGFirewall | extend DeviceProduct = "Sophos XG Firewall" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let SymantecEndpointProtection_Events = union isfuzzy=true empty_table_connector_Events, SymantecEndpointProtection | extend DeviceProduct = "Symantec Endpoint Protection" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let SymantecVIP_Events = union isfuzzy=true empty_table_connector_Events, SymantecVIP | extend DeviceProduct = "Symantec VIP" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let MicrosoftSysmonForLinux_Events = union isfuzzy=true empty_table_connector_Events, Syslog | where ProcessName == 'sysmon' | extend DeviceProduct = "Microsoft Sysmon For Linux" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let VMwareESXi_Events = union isfuzzy=true empty_table_connector_Events, VMwareESXi | extend DeviceProduct = "VMware ESXi" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let SymantecProxySG_Events = union isfuzzy=true empty_table_connector_Events, SymantecProxySG | extend DeviceProduct = "Symantec ProxySG" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let ESETPROTECT_Events = union isfuzzy=true empty_table_connector_Events, CylancePROTECT | extend DeviceProduct = "ESET PROTECT" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let BarracudaCloudFirewall_Events = union isfuzzy=true empty_table_connector_Events, CGFWFirewallActivity | extend DeviceProduct = "Barracuda CloudGen Firewall" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let NasuniEdgeAppliance_Events = union isfuzzy=true empty_table_connector_Events, Syslog | extend DeviceProduct = "Nasuni Edge Appliance" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
let WatchguardFirebox_Events = union isfuzzy=true empty_table_connector_Events, WatchGuardFirebox | extend DeviceProduct = "WatchGuard Firebox" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
union isfuzzy=true empty_table_result, BlackberryCylancePROTECT_Events, CiscoACI_Events, CiscoISE_Events, Stealthwatch_Events, CiscoUCS_Events, CiscoWSA_Events, CitrixADC_Events, DigitalGuardianDLP_Events, Exabeam_Events, Forescout_Events, GitLab_Events, InfobloxNIOS_Events, ISCBind_Events, IvantiUEM_Events, JuniperSRX_Events, McAfeeePO_Events, OpenVPN_Events, OracleDatabaseAudit_Events, PulseConnectSecure_Events, RSASecurIDAM_Events, SophosXGFirewall_Events, SymantecEndpointProtection_Events, SymantecVIP_Events, MicrosoftSysmonForLinux_Events, VMwareESXi_Events, SymantecProxySG_Events, ESETPROTECT_Events, BarracudaCloudFirewall_Events, NasuniEdgeAppliance_Events, WatchguardFirebox_Events
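Review bot: `ESETPROTECT_Events` (the `let` labelled "ESET PROTECT") reads from `CylancePROTECT`, the same table `BlackberryCylancePROTECT_Events` already uses, so the ESET row is a relabelled copy of the Cylance volume rather than ESET data; it should point at the ESET PROTECT connector's own table (not visible in this diff — confirm against the connector definition). The closing `union` also omits `McAfeeNSP_Events`, which is defined but never emitted, so McAfee Network Security Platform can never appear in the output; add `McAfeeNSP_Events` after `McAfeeePO_Events` in the union list. `NasuniEdgeAppliance_Events` summarizes the entire `Syslog` table with no `ProcessName`/`Computer` filter, so every syslog event in the workspace (including the sysmon rows counted separately in `MicrosoftSysmonForLinux_Events`) is attributed to Nasuni and the row reads as "connected" whenever any syslog arrives; a device-specific `where` is needed, though the right predicate is not recoverable from this hunk. `DeviceProduct_Input` is hard-coded to `"Juniper SRX"` and the YAML declares no `FunctionParams`, so callers cannot select another product; if this is meant to be a workbook parameter it needs declaring, otherwise the default should presumably be `"*"` so the function returns all products.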


@ -0,0 +1,52 @@
id: cec7a60f-c8ca-4ca9-96d6-6472331c2a2f
Function:
Title: Workspace Function for Syslog Connectors Overall Status
Version: '1.0.0'
LastUpdated: '2024-07-11'
Category: Microsoft Sentinel Parser
FunctionName: SyslogConnectorsOverallStatus
FunctionAlias: SyslogConnectorsOverallStatus
FunctionQuery: |
let empty_table_result = datatable (DeviceProduct:string, EventCount_Last30Days:long, ConnectionStatus:string ) [];
let empty_table_connector_status = datatable (TimeGenerated:datetime, DeviceProduct:string, EventCount_Last30Days:long ) [];
let known_syslog_supported_devices = externaldata(DeviceProduct: string, ConnectorType:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/anknar/SyslogWorkbook/DataConnectors/SyslogCEFConnectors.csv"] with (format="csv", ignoreFirstRecord=true) | where ConnectorType == "Syslog" | distinct DeviceProduct;
let BlackberryCylancePROTECT_Status = union isfuzzy=true empty_table_connector_status, CylancePROTECT | extend DeviceProduct = "Blackberry CylancePROTECT" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let CiscoACI_Status = union isfuzzy=true empty_table_connector_status, CiscoACIEvent | extend DeviceProduct = "Cisco Application Centric Infrastructure" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let CiscoISE_Status = union isfuzzy=true empty_table_connector_status, CiscoISEEvent | extend DeviceProduct = "Cisco Identity Services Engine" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let Stealthwatch_Status = union isfuzzy=true empty_table_connector_status, StealthwatchEvent | extend DeviceProduct = "Cisco Secure Cloud Analytics" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let CiscoUCS_Status = union isfuzzy=true empty_table_connector_status, CiscoUCS | extend DeviceProduct = "Cisco UCS" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let CiscoWSA_Status = union isfuzzy=true empty_table_connector_status, CiscoWSAEvent | extend DeviceProduct = "Cisco Web Security Appliance" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let CitrixADC_Status = union isfuzzy=true empty_table_connector_status, CitrixADCEvent | extend DeviceProduct = "Citrix ADC (former NetScaler)" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let DigitalGuardianDLP_Status = union isfuzzy=true empty_table_connector_status, DigitalGuardianDLPEvent | extend DeviceProduct = "Digital Guardian Data Loss Prevention" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let Exabeam_Status = union isfuzzy=true empty_table_connector_status, ExabeamEvent | extend DeviceProduct = "Exabeam Advanced Analytics" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let Forescout_Status = union isfuzzy=true empty_table_connector_status, ForescoutEvent | extend DeviceProduct = "Forescout" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let GitLab_Status = union isfuzzy=true empty_table_connector_status, GitLabApp, GitLabAudit, GitLabAccess | extend DeviceProduct = "GitLab" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let InfobloxNIOS_Status = union isfuzzy=true empty_table_connector_status, Infoblox | extend DeviceProduct = "Infoblox NIOS" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let ISCBind_Status = union isfuzzy=true empty_table_connector_status, ISCBind | extend DeviceProduct = "ISC Bind" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let IvantiUEM_Status = union isfuzzy=true empty_table_connector_status, IvantiUEMEvent | extend DeviceProduct = "Ivanti Unified Endpoint Management" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let JuniperSRX_Status = union isfuzzy=true empty_table_connector_status, JuniperSRX | extend DeviceProduct = "Juniper SRX" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let McAfeeePO_Status = union isfuzzy=true empty_table_connector_status, McAfeeEPOEvent | extend DeviceProduct = "McAfee ePolicy Orchestrator (ePO)" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let McAfeeNSP_Status = union isfuzzy=true empty_table_connector_status, McAfeeNSPEvent | extend DeviceProduct = "McAfee Network Security Platform" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let OpenVPN_Status = union isfuzzy=true empty_table_connector_status, OpenVpnEvent | extend DeviceProduct = "OpenVPN Server" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let OracleDatabaseAudit_Status = union isfuzzy=true empty_table_connector_status, OracleDatabaseAuditEvent | extend DeviceProduct = "Oracle Database Audit" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let PulseConnectSecure_Status = union isfuzzy=true empty_table_connector_status, PulseConnectSecure | extend DeviceProduct = "Pulse Connect Secure" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let RSASecurIDAM_Status = union isfuzzy=true empty_table_connector_status, RSASecurIDAMEvent | extend DeviceProduct = "RSA® SecurID (Authentication Manager)" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let SophosXGFirewall_Status = union isfuzzy=true empty_table_connector_status, SophosXGFirewall | extend DeviceProduct = "Sophos XG Firewall" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let SymantecEndpointProtection_Status = union isfuzzy=true empty_table_connector_status, SymantecEndpointProtection | extend DeviceProduct = "Symantec Endpoint Protection" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let SymantecVIP_Status = union isfuzzy=true empty_table_connector_status, SymantecVIP | extend DeviceProduct = "Symantec VIP" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let MicrosoftSysmonForLinux_Status = union isfuzzy=true empty_table_connector_status, Syslog | where ProcessName == 'sysmon' | extend DeviceProduct = "Microsoft Sysmon For Linux" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let VMwareESXi_Status = union isfuzzy=true empty_table_connector_status, VMwareESXi | extend DeviceProduct = "VMware ESXi" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let SymantecProxySG_Status = union isfuzzy=true empty_table_connector_status, SymantecProxySG | extend DeviceProduct = "Symantec ProxySG" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let ESETPROTECT_Status = union isfuzzy=true empty_table_connector_status, CylancePROTECT | extend DeviceProduct = "ESET PROTECT" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let BarracudaCloudFirewall_Status = union isfuzzy=true empty_table_connector_status, CGFWFirewallActivity | extend DeviceProduct = "Barracuda CloudGen Firewall" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let NasuniEdgeAppliance_Status = union isfuzzy=true empty_table_connector_status, Syslog | extend DeviceProduct = "Nasuni Edge Appliance" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
let WatchguardFirebox_Status = union isfuzzy=true empty_table_connector_status, WatchGuardFirebox | extend DeviceProduct = "WatchGuard Firebox" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
union isfuzzy=true empty_table_result, BlackberryCylancePROTECT_Status, CiscoACI_Status, CiscoISE_Status, Stealthwatch_Status, CiscoUCS_Status, CiscoWSA_Status, CitrixADC_Status, DigitalGuardianDLP_Status, Exabeam_Status, Forescout_Status, GitLab_Status, InfobloxNIOS_Status, ISCBind_Status, IvantiUEM_Status, JuniperSRX_Status, McAfeeePO_Status, OpenVPN_Status, OracleDatabaseAudit_Status, PulseConnectSecure_Status, RSASecurIDAM_Status, SophosXGFirewall_Status, SymantecEndpointProtection_Status, SymantecVIP_Status, MicrosoftSysmonForLinux_Status, VMwareESXi_Status, SymantecProxySG_Status, ESETPROTECT_Status, BarracudaCloudFirewall_Status, NasuniEdgeAppliance_Status, WatchguardFirebox_Status
| extend EventCount_Last30Days = coalesce(EventCount_Last30Days, 0)
| extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected")
| join kind=fullouter known_syslog_supported_devices on DeviceProduct
| extend DeviceProduct = coalesce(DeviceProduct, DeviceProduct1)
| extend EventCount_Last30Days = coalesce(EventCount_Last30Days, 0)
| extend ConnectionStatus = coalesce(ConnectionStatus, "Not-Connected")
| extend OutofBoxSupport = iif(DeviceProduct in (known_syslog_supported_devices), "Available", "Unavailable")
| project-away DeviceProduct1
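Review bot: `known_syslog_supported_devices` is built with `externaldata` from `raw.githubusercontent.com/Azure/Azure-Sentinel/anknar/SyslogWorkbook/...`, a personal working branch, so the `OutofBoxSupport` column and the `fullouter` join depend at query time on a mutable, unreviewed URL: whoever can push to that branch controls which products are reported as supported or "Not-Connected", and once the branch is merged or deleted the fetch will fail and the whole function errors rather than degrades. Pin the URL to the main branch of the official repo (or a commit SHA), or inline the product list as a `datatable` so the function has no runtime network dependency. The same copy-paste issues as the volume function are present here: `ESETPROTECT_Status` reads `CylancePROTECT` instead of an ESET table, `NasuniEdgeAppliance_Status` counts the unfiltered `Syslog` table, and `McAfeeNSP_Status` is defined but missing from the final `union`, so McAfee NSP is only ever surfaced from the CSV side of the join as "Not-Connected" even when events exist. Note also that the join on `DeviceProduct` is an exact string match, so labels such as `"RSA® SecurID (Authentication Manager)"` must byte-match the CSV or the product appears twice (once Connected/Unavailable, once Not-Connected/Available).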