diff --git a/Solutions/Syslog/Workspace Functions/SyslogConnectorsEventVolumebyDeviceProduct.yaml b/Solutions/Syslog/Workspace Functions/SyslogConnectorsEventVolumebyDeviceProduct.yaml
new file mode 100644
index 0000000000..1cb044dd82
--- /dev/null
+++ b/Solutions/Syslog/Workspace Functions/SyslogConnectorsEventVolumebyDeviceProduct.yaml
@@ -0,0 +1,46 @@
+id: 0829eb1f-75c3-4736-bcc9-7402650b3983
+Function:
+ Title: Workspace Function for SyslogConnectors EventVolume by DeviceProduct
+ Version: '1.0.0'
+ LastUpdated: '2024-07-11'
+Category: Microsoft Sentinel Parser
+FunctionName: SyslogConnectorsEventVolumebyDeviceProduct
+FunctionAlias: SyslogConnectorsEventVolumebyDeviceProduct
+FunctionQuery: |
+ let startTime = now()-7d;
+ let endTime = now();
+ let DeviceProduct_Input = "Juniper SRX";
+ let empty_table_result = datatable (DeviceProduct:string, Count:long, TimeGenerated:datetime ) [];
+ let empty_table_connector_Events = datatable (TimeGenerated:datetime) [];
+ let BlackberryCylancePROTECT_Events = union isfuzzy=true empty_table_connector_Events, CylancePROTECT | extend DeviceProduct = "Blackberry CylancePROTECT" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let CiscoACI_Events = union isfuzzy=true empty_table_connector_Events, CiscoACIEvent | extend DeviceProduct = "Cisco Application Centric Infrastructure" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) | summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now()) ;
+ let CiscoISE_Events = union isfuzzy=true empty_table_connector_Events, CiscoISEEvent | extend DeviceProduct = "Cisco Identity Services Engine" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" |where TimeGenerated between (startTime .. endTime) | summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let Stealthwatch_Events = union isfuzzy=true empty_table_connector_Events, StealthwatchEvent | extend DeviceProduct = "Cisco Secure Cloud Analytics" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let CiscoUCS_Events = union isfuzzy=true empty_table_connector_Events, CiscoUCS | extend DeviceProduct = "Cisco UCS" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let CiscoWSA_Events = union isfuzzy=true empty_table_connector_Events, CiscoWSAEvent | extend DeviceProduct = "Cisco Web Security Appliance" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let CitrixADC_Events = union isfuzzy=true empty_table_connector_Events, CitrixADCEvent | extend DeviceProduct = "Citrix ADC (former NetScaler)" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let DigitalGuardianDLP_Events = union isfuzzy=true empty_table_connector_Events, DigitalGuardianDLPEvent | extend DeviceProduct = "Digital Guardian Data Loss Prevention" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let Exabeam_Events = union isfuzzy=true empty_table_connector_Events, ExabeamEvent | extend DeviceProduct = "Exabeam Advanced Analytics" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" |where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let Forescout_Events = union isfuzzy=true empty_table_connector_Events, ForescoutEvent | extend DeviceProduct = "Forescout" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let GitLab_Events = union isfuzzy=true empty_table_connector_Events, GitLabApp, GitLabAudit, GitLabAccess | extend DeviceProduct = "GitLab" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let InfobloxNIOS_Events = union isfuzzy=true empty_table_connector_Events, Infoblox | extend DeviceProduct = "Infoblox NIOS" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let ISCBind_Events = union isfuzzy=true empty_table_connector_Events, ISCBind | extend DeviceProduct = "ISC Bind" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" |where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let IvantiUEM_Events = union isfuzzy=true empty_table_connector_Events, IvantiUEMEvent | extend DeviceProduct = "Ivanti Unified Endpoint Management" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let JuniperSRX_Events = union isfuzzy=true empty_table_connector_Events, JuniperSRX | extend DeviceProduct = "Juniper SRX" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let McAfeeePO_Events = union isfuzzy=true empty_table_connector_Events, McAfeeEPOEvent | extend DeviceProduct = "McAfee ePolicy Orchestrator (ePO)" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let McAfeeNSP_Events = union isfuzzy=true empty_table_connector_Events, McAfeeNSPEvent | extend DeviceProduct = "McAfee Network Security Platform" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let OpenVPN_Events = union isfuzzy=true empty_table_connector_Events, OpenVpnEvent | extend DeviceProduct = "OpenVPN Server" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let OracleDatabaseAudit_Events = union isfuzzy=true empty_table_connector_Events, OracleDatabaseAuditEvent | extend DeviceProduct = "Oracle Database Audit" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let PulseConnectSecure_Events = union isfuzzy=true empty_table_connector_Events, PulseConnectSecure | extend DeviceProduct = "Pulse Connect Secure" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let RSASecurIDAM_Events = union isfuzzy=true empty_table_connector_Events, RSASecurIDAMEvent | extend DeviceProduct = "RSA® SecurID (Authentication Manager)" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let SophosXGFirewall_Events = union isfuzzy=true empty_table_connector_Events, SophosXGFirewall | extend DeviceProduct = "Sophos XG Firewall" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let SymantecEndpointProtection_Events = union isfuzzy=true empty_table_connector_Events, SymantecEndpointProtection | extend DeviceProduct = "Symantec Endpoint Protection" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let SymantecVIP_Events = union isfuzzy=true empty_table_connector_Events, SymantecVIP | extend DeviceProduct = "Symantec VIP" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let MicrosoftSysmonForLinux_Events = union isfuzzy=true empty_table_connector_Events, Syslog | where ProcessName == 'sysmon' | extend DeviceProduct = "Microsoft Sysmon For Linux" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let VMwareESXi_Events = union isfuzzy=true empty_table_connector_Events, VMwareESXi | extend DeviceProduct = "VMware ESXi" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let SymantecProxySG_Events = union isfuzzy=true empty_table_connector_Events, SymantecProxySG | extend DeviceProduct = "Symantec ProxySG" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let ESETPROTECT_Events = union isfuzzy=true empty_table_connector_Events, CylancePROTECT | extend DeviceProduct = "ESET PROTECT" |where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let BarracudaCloudFirewall_Events = union isfuzzy=true empty_table_connector_Events, CGFWFirewallActivity | extend DeviceProduct = "Barracuda CloudGen Firewall" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let NasuniEdgeAppliance_Events = union isfuzzy=true empty_table_connector_Events, Syslog | extend DeviceProduct = "Nasuni Edge Appliance" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ let WatchguardFirebox_Events = union isfuzzy=true empty_table_connector_Events, WatchGuardFirebox | extend DeviceProduct = "WatchGuard Firebox" | where DeviceProduct_Input == DeviceProduct or DeviceProduct_Input == "*" | where TimeGenerated between (startTime .. endTime) |summarize Count = count() by DeviceProduct, bin_at(TimeGenerated, 1d, now());
+ union isfuzzy=true empty_table_result, BlackberryCylancePROTECT_Events, CiscoACI_Events, CiscoISE_Events, Stealthwatch_Events, CiscoUCS_Events, CiscoWSA_Events, CitrixADC_Events, DigitalGuardianDLP_Events, Exabeam_Events, Forescout_Events, GitLab_Events, InfobloxNIOS_Events, ISCBind_Events, IvantiUEM_Events, JuniperSRX_Events, McAfeeePO_Events, OpenVPN_Events, OracleDatabaseAudit_Events, PulseConnectSecure_Events, RSASecurIDAM_Events, SophosXGFirewall_Events, SymantecEndpointProtection_Events, SymantecVIP_Events, MicrosoftSysmonForLinux_Events, VMwareESXi_Events, SymantecProxySG_Events, ESETPROTECT_Events, BarracudaCloudFirewall_Events, NasuniEdgeAppliance_Events, WatchguardFirebox_Events
\ No newline at end of file
diff --git a/Solutions/Syslog/Workspace Functions/SyslogConnectorsOverallStatus.yaml b/Solutions/Syslog/Workspace Functions/SyslogConnectorsOverallStatus.yaml
new file mode 100644
index 0000000000..3eea9490b9
--- /dev/null
+++ b/Solutions/Syslog/Workspace Functions/SyslogConnectorsOverallStatus.yaml
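Review bot: `ESETPROTECT_Events` is built from the `CylancePROTECT` table, so the rows labelled "ESET PROTECT" are a second copy of the Blackberry CylancePROTECT volume rather than ESET data; the source should be the ESET table (its name is not on this page) or the entry dropped until one exists. `McAfeeNSP_Events` is defined but never listed in the closing `union`, so McAfee NSP volume is silently omitted from the result. `NasuniEdgeAppliance_Events` unions the whole `Syslog` table with no filter, so every syslog row in the workspace is counted as Nasuni volume (compare the `| where ProcessName == 'sysmon'` filter on the Sysmon entry); a filter on the Nasuni process or facility is needed before the `extend`. All three defects are repeated in the SyslogConnectorsOverallStatus hunk below. `let DeviceProduct_Input = "Juniper SRX";` is hard-coded inside a function that declares no parameters, so the alias can only ever report Juniper; either declare it as a function parameter or default it to `"*"` so the wildcard branch is reachable.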
@@ -0,0 +1,52 @@
+id: cec7a60f-c8ca-4ca9-96d6-6472331c2a2f
+Function:
+ Title: Workspace Function for Syslog Connectors Overall Status
+ Version: '1.0.0'
+ LastUpdated: '2024-07-11'
+Category: Microsoft Sentinel Parser
+FunctionName: SyslogConnectorsOverallStatus
+FunctionAlias: SyslogConnectorsOverallStatus
+FunctionQuery: |
+ let empty_table_result = datatable (DeviceProduct:string, EventCount_Last30Days:long, ConnectionStatus:string ) [];
+ let empty_table_connector_status = datatable (TimeGenerated:datetime, DeviceProduct:string, EventCount_Last30Days:long ) [];
+ let known_syslog_supported_devices = externaldata(DeviceProduct: string, ConnectorType:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/anknar/SyslogWorkbook/DataConnectors/SyslogCEFConnectors.csv"] with (format="csv", ignoreFirstRecord=true) | where ConnectorType == "Syslog" | distinct DeviceProduct;
+ let BlackberryCylancePROTECT_Status = union isfuzzy=true empty_table_connector_status, CylancePROTECT | extend DeviceProduct = "Blackberry CylancePROTECT" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let CiscoACI_Status = union isfuzzy=true empty_table_connector_status, CiscoACIEvent | extend DeviceProduct = "Cisco Application Centric Infrastructure" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let CiscoISE_Status = union isfuzzy=true empty_table_connector_status, CiscoISEEvent | extend DeviceProduct = "Cisco Identity Services Engine" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let Stealthwatch_Status = union isfuzzy=true empty_table_connector_status, StealthwatchEvent | extend DeviceProduct = "Cisco Secure Cloud Analytics" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let CiscoUCS_Status = union isfuzzy=true empty_table_connector_status, CiscoUCS | extend DeviceProduct = "Cisco UCS" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let CiscoWSA_Status = union isfuzzy=true empty_table_connector_status, CiscoWSAEvent | extend DeviceProduct = "Cisco Web Security Appliance" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let CitrixADC_Status = union isfuzzy=true empty_table_connector_status, CitrixADCEvent | extend DeviceProduct = "Citrix ADC (former NetScaler)" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let DigitalGuardianDLP_Status = union isfuzzy=true empty_table_connector_status, DigitalGuardianDLPEvent | extend DeviceProduct = "Digital Guardian Data Loss Prevention" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let Exabeam_Status = union isfuzzy=true empty_table_connector_status, ExabeamEvent | extend DeviceProduct = "Exabeam Advanced Analytics" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let Forescout_Status = union isfuzzy=true empty_table_connector_status, ForescoutEvent | extend DeviceProduct = "Forescout" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let GitLab_Status = union isfuzzy=true empty_table_connector_status, GitLabApp, GitLabAudit, GitLabAccess | extend DeviceProduct = "GitLab" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let InfobloxNIOS_Status = union isfuzzy=true empty_table_connector_status, Infoblox | extend DeviceProduct = "Infoblox NIOS" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let ISCBind_Status = union isfuzzy=true empty_table_connector_status, ISCBind | extend DeviceProduct = "ISC Bind" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let IvantiUEM_Status = union isfuzzy=true empty_table_connector_status, IvantiUEMEvent | extend DeviceProduct = "Ivanti Unified Endpoint Management" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let JuniperSRX_Status = union isfuzzy=true empty_table_connector_status, JuniperSRX | extend DeviceProduct = "Juniper SRX" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let McAfeeePO_Status = union isfuzzy=true empty_table_connector_status, McAfeeEPOEvent | extend DeviceProduct = "McAfee ePolicy Orchestrator (ePO)" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let McAfeeNSP_Status = union isfuzzy=true empty_table_connector_status, McAfeeNSPEvent | extend DeviceProduct = "McAfee Network Security Platform" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let OpenVPN_Status = union isfuzzy=true empty_table_connector_status, OpenVpnEvent | extend DeviceProduct = "OpenVPN Server" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let OracleDatabaseAudit_Status = union isfuzzy=true empty_table_connector_status, OracleDatabaseAuditEvent | extend DeviceProduct = "Oracle Database Audit" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let PulseConnectSecure_Status = union isfuzzy=true empty_table_connector_status, PulseConnectSecure | extend DeviceProduct = "Pulse Connect Secure" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let RSASecurIDAM_Status = union isfuzzy=true empty_table_connector_status, RSASecurIDAMEvent | extend DeviceProduct = "RSA® SecurID (Authentication Manager)" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let SophosXGFirewall_Status = union isfuzzy=true empty_table_connector_status, SophosXGFirewall | extend DeviceProduct = "Sophos XG Firewall" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let SymantecEndpointProtection_Status = union isfuzzy=true empty_table_connector_status, SymantecEndpointProtection | extend DeviceProduct = "Symantec Endpoint Protection" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let SymantecVIP_Status = union isfuzzy=true empty_table_connector_status, SymantecVIP | extend DeviceProduct = "Symantec VIP" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let MicrosoftSysmonForLinux_Status = union isfuzzy=true empty_table_connector_status, Syslog | where ProcessName == 'sysmon' | extend DeviceProduct = "Microsoft Sysmon For Linux" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let VMwareESXi_Status = union isfuzzy=true empty_table_connector_status, VMwareESXi | extend DeviceProduct = "VMware ESXi" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let SymantecProxySG_Status = union isfuzzy=true empty_table_connector_status, SymantecProxySG | extend DeviceProduct = "Symantec ProxySG" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let ESETPROTECT_Status = union isfuzzy=true empty_table_connector_status, CylancePROTECT | extend DeviceProduct = "ESET PROTECT" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let BarracudaCloudFirewall_Status = union isfuzzy=true empty_table_connector_status, CGFWFirewallActivity | extend DeviceProduct = "Barracuda CloudGen Firewall" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let NasuniEdgeAppliance_Status = union isfuzzy=true empty_table_connector_status, Syslog | extend DeviceProduct = "Nasuni Edge Appliance" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ let WatchguardFirebox_Status = union isfuzzy=true empty_table_connector_status, WatchGuardFirebox | extend DeviceProduct = "WatchGuard Firebox" | summarize EventCount_Last30Days = countif(TimeGenerated > ago(30d)) by DeviceProduct | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected");
+ union isfuzzy=true empty_table_result, BlackberryCylancePROTECT_Status, CiscoACI_Status, CiscoISE_Status, Stealthwatch_Status, CiscoUCS_Status, CiscoWSA_Status, CitrixADC_Status, DigitalGuardianDLP_Status, Exabeam_Status, Forescout_Status, GitLab_Status, InfobloxNIOS_Status, ISCBind_Status, IvantiUEM_Status, JuniperSRX_Status, McAfeeePO_Status, OpenVPN_Status, OracleDatabaseAudit_Status, PulseConnectSecure_Status, RSASecurIDAM_Status, SophosXGFirewall_Status, SymantecEndpointProtection_Status, SymantecVIP_Status, MicrosoftSysmonForLinux_Status, VMwareESXi_Status, SymantecProxySG_Status, ESETPROTECT_Status, BarracudaCloudFirewall_Status, NasuniEdgeAppliance_Status, WatchguardFirebox_Status
+ | extend EventCount_Last30Days = coalesce(EventCount_Last30Days, 0)
+ | extend ConnectionStatus = iff(EventCount_Last30Days > 0, "Connected", "Not-Connected")
+ | join kind=fullouter known_syslog_supported_devices on DeviceProduct
+ | extend DeviceProduct = coalesce(DeviceProduct, DeviceProduct1)
+ | extend EventCount_Last30Days = coalesce(EventCount_Last30Days, 0)
+ | extend ConnectionStatus = coalesce(ConnectionStatus, "Not-Connected")
+ | extend OutofBoxSupport = iif(DeviceProduct in (known_syslog_supported_devices), "Available", "Unavailable")
+ | project-away DeviceProduct1
\ No newline at end of file
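Review bot: `known_syslog_supported_devices` is fetched at query time with `externaldata` from `raw.githubusercontent.com` on the `anknar/SyslogWorkbook` branch, which is not the repository's default branch, so the `OutofBoxSupport` column and the `join kind=fullouter` depend on content that can be rewritten or deleted outside this repo's review process; point the URL at the default branch or, better, at a pinned commit (`.../Azure/Azure-Sentinel/<pinned-commit>/DataConnectors/SyslogCEFConnectors.csv`). Presumably a failed fetch fails the whole function rather than degrading to "Unavailable", so a one-line comment above that `let` naming the external dependency and the external-data access the workspace must permit would help operators diagnose it. The `| extend EventCount_Last30Days = coalesce(EventCount_Last30Days, 0)` / `| extend ConnectionStatus = iff(...)` pair before the join is repeated after it, and only the post-join pair can see nulls from unmatched CSV rows, so the pre-join pair can be dropped. `McAfeeNSP_Status` is defined but absent from the closing `union`, and `ESETPROTECT_Status` (sourced from `CylancePROTECT`) and `NasuniEdgeAppliance_Status` (unfiltered `Syslog`) carry the same wrong-source and unfiltered-table problems noted on the EventVolume hunk.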