Add tabs to InfobloxCDC.yaml

Solutions/Infoblox Cloud Data Connector/Parsers/InfobloxCDC.yaml

@@ -8,57 +8,57 @@ FunctionName: InfobloxCDC
 FunctionAlias: InfobloxCDC
 FunctionQuery: |
     CommonSecurityLog
-| where DeviceVendor == "Infoblox" and DeviceProduct == "Data Connector"
-| extend AdditionalExtensions = trim_end("InfobloxDHCPOptions=;(.*?)",AdditionalExtensions)
-| extend AdditionalExtensions = strcat(AdditionalExtensions, ";")
-| extend 
-    // DHCP
-    InfobloxClientID = extract("InfobloxClientID=(.*?);", 1, AdditionalExtensions),
-    InfobloxFingerprint = extract("InfobloxFingerprint=(.*?);", 1, AdditionalExtensions),
-    InfobloxFingerprintPr = extract("InfobloxFingerprintPr=(.*?);", 1, AdditionalExtensions),
-    InfobloxHost = extract("InfobloxHost=(.*?);", 1, AdditionalExtensions),
-    InfobloxIPSpace = extract("InfobloxIPSpace=(.*?);", 1, AdditionalExtensions),
-    InfobloxLeaseOp = extract("InfobloxLeaseOp=(.*?);", 1, AdditionalExtensions),
-    InfobloxLeaseUUID = extract("InfobloxLeaseUUID=(.*?);", 1, AdditionalExtensions),
-    InfobloxLifetime = extract("InfobloxLifetime=(.*?);", 1, AdditionalExtensions),
-    InfobloxRangeEnd = extract("InfobloxRangeEnd=(.*?);", 1, AdditionalExtensions),
-    InfobloxRangeStart = extract("InfobloxRangeStart=(.*?);", 1, AdditionalExtensions),
-    InfobloxSubnet = extract("InfobloxSubnet=(.*?);", 1, AdditionalExtensions),
-    // DNS
-    InfobloxAnCount = extract("InfobloxAnCount=(.*?);", 1, AdditionalExtensions),
-    InfobloxArCount = extract("InfobloxArCount=(.*?);", 1, AdditionalExtensions),
-    InfobloxB1ConnectionType = extract("InfobloxB1ConnectionType=(.*?);", 1, AdditionalExtensions),
-    InfobloxB1DNSTags = extract("InfobloxB1DNSTags=(.*?);", 1, AdditionalExtensions),
-    InfobloxB1Network = extract("InfobloxB1Network=(.*?);", 1, AdditionalExtensions),
-    InfobloxB1Region = extract("InfobloxB1Region=(.*?);", 1, AdditionalExtensions),
-    InfobloxB1SrcOSVersion = extract("InfobloxB1SrcOSVersion=(.*?);", 1, AdditionalExtensions),
-    InfobloxDNSQClass = extract("InfobloxDNSQClass=(.*?);", 1, AdditionalExtensions),
-    InfobloxDNSQFlags = extract("InfobloxDNSQFlags=(.*?);", 1, AdditionalExtensions),
-    InfobloxDNSQType = extract("InfobloxDNSQType=(.*?);", 1, AdditionalExtensions),
-    InfobloxDNSRCode = extract("InfobloxDNSRCode=(.*?);", 1, AdditionalExtensions),
-    InfobloxNsCount = extract("InfobloxNsCount=(.*?);", 1, AdditionalExtensions),
-    InfobloxB1OPHName = extract("InfobloxB1OPHName=(.*?);", 1, AdditionalExtensions),
-    InfobloxB1OPHIPAddress = extract("InfobloxB1OPHIPAddress=(.*?);", 1, AdditionalExtensions),
-    // Security TD
-    InfobloxB1FeedName = extract("InfobloxB1FeedName=(.*?);", 1, AdditionalExtensions),
-    InfobloxB1FeedType = extract("InfobloxB1FeedType=(.*?);", 1, AdditionalExtensions),
-    InfobloxB1PolicyAction = extract("InfobloxB1PolicyAction=(.*?);", 1, AdditionalExtensions),
-    InfobloxB1PolicyName = extract("InfobloxB1PolicyName=(.*?);", 1, AdditionalExtensions),
-    InfobloxB1ThreatIndicator = extract("InfobloxB1ThreatIndicator=(.*?);", 1, AdditionalExtensions),
-    InfobloxDomainCat = extract("InfobloxDomainCat=(.*?);", 1, AdditionalExtensions),
-    InfobloxPolicyID = extract("InfobloxPolicyID=(.*?);", 1, AdditionalExtensions),
-    InfobloxRPZ = extract("InfobloxRPZ=(.*?);", 1, AdditionalExtensions),
-    InfobloxRPZRule = extract("InfobloxRPZRule=(.*?);", 1, AdditionalExtensions),
-    InfobloxThreatLevel = extract("InfobloxThreatLevel=(.*?);", 1, AdditionalExtensions),
-    ThreatConfidence = toint(extract("InfobloxThreatConfidence=(.*?);", 1, AdditionalExtensions)),
-    InfobloxThreatProperty = extract("InfobloxThreatProperty=(.*?);", 1, AdditionalExtensions)
-| extend ThreatLevel_Score = toint(column_ifexists("InfobloxThreatLevel", ""))
-| extend ThreatLevel = case(ThreatLevel_Score>=80, "High",
-                       ThreatLevel_Score>=50 and ThreatLevel_Score<80, "Medium",
-                       ThreatLevel_Score<50 and ThreatLevel_Score>=1, "Low",
-                       ThreatLevel_Score == 0,"Info",
-                       "N/A" )
-| extend ThreatClass = extract("(.*?)_", 1, tostring(column_ifexists("InfobloxThreatProperty", "")))
-| extend ThreatProperty = extract("([^_]*$)", 1, tostring(column_ifexists("InfobloxThreatProperty", "")))
-| extend DeviceName = column_ifexists("DeviceName", "")
-| extend SourceMACAddress = column_ifexists("SourceMACAddress", "")
+    | where DeviceVendor == "Infoblox" and DeviceProduct == "Data Connector"
+    | extend AdditionalExtensions = trim_end("InfobloxDHCPOptions=;(.*?)",AdditionalExtensions)
+    | extend AdditionalExtensions = strcat(AdditionalExtensions, ";")
+    | extend 
+        // DHCP
+        InfobloxClientID = extract("InfobloxClientID=(.*?);", 1, AdditionalExtensions),
+        InfobloxFingerprint = extract("InfobloxFingerprint=(.*?);", 1, AdditionalExtensions),
+        InfobloxFingerprintPr = extract("InfobloxFingerprintPr=(.*?);", 1, AdditionalExtensions),
+        InfobloxHost = extract("InfobloxHost=(.*?);", 1, AdditionalExtensions),
+        InfobloxIPSpace = extract("InfobloxIPSpace=(.*?);", 1, AdditionalExtensions),
+        InfobloxLeaseOp = extract("InfobloxLeaseOp=(.*?);", 1, AdditionalExtensions),
+        InfobloxLeaseUUID = extract("InfobloxLeaseUUID=(.*?);", 1, AdditionalExtensions),
+        InfobloxLifetime = extract("InfobloxLifetime=(.*?);", 1, AdditionalExtensions),
+        InfobloxRangeEnd = extract("InfobloxRangeEnd=(.*?);", 1, AdditionalExtensions),
+        InfobloxRangeStart = extract("InfobloxRangeStart=(.*?);", 1, AdditionalExtensions),
+        InfobloxSubnet = extract("InfobloxSubnet=(.*?);", 1, AdditionalExtensions),
+        // DNS
+        InfobloxAnCount = extract("InfobloxAnCount=(.*?);", 1, AdditionalExtensions),
+        InfobloxArCount = extract("InfobloxArCount=(.*?);", 1, AdditionalExtensions),
+        InfobloxB1ConnectionType = extract("InfobloxB1ConnectionType=(.*?);", 1, AdditionalExtensions),
+        InfobloxB1DNSTags = extract("InfobloxB1DNSTags=(.*?);", 1, AdditionalExtensions),
+        InfobloxB1Network = extract("InfobloxB1Network=(.*?);", 1, AdditionalExtensions),
+        InfobloxB1Region = extract("InfobloxB1Region=(.*?);", 1, AdditionalExtensions),
+        InfobloxB1SrcOSVersion = extract("InfobloxB1SrcOSVersion=(.*?);", 1, AdditionalExtensions),
+        InfobloxDNSQClass = extract("InfobloxDNSQClass=(.*?);", 1, AdditionalExtensions),
+        InfobloxDNSQFlags = extract("InfobloxDNSQFlags=(.*?);", 1, AdditionalExtensions),
+        InfobloxDNSQType = extract("InfobloxDNSQType=(.*?);", 1, AdditionalExtensions),
+        InfobloxDNSRCode = extract("InfobloxDNSRCode=(.*?);", 1, AdditionalExtensions),
+        InfobloxNsCount = extract("InfobloxNsCount=(.*?);", 1, AdditionalExtensions),
+        InfobloxB1OPHName = extract("InfobloxB1OPHName=(.*?);", 1, AdditionalExtensions),
+        InfobloxB1OPHIPAddress = extract("InfobloxB1OPHIPAddress=(.*?);", 1, AdditionalExtensions),
+        // Security TD
+        InfobloxB1FeedName = extract("InfobloxB1FeedName=(.*?);", 1, AdditionalExtensions),
+        InfobloxB1FeedType = extract("InfobloxB1FeedType=(.*?);", 1, AdditionalExtensions),
+        InfobloxB1PolicyAction = extract("InfobloxB1PolicyAction=(.*?);", 1, AdditionalExtensions),
+        InfobloxB1PolicyName = extract("InfobloxB1PolicyName=(.*?);", 1, AdditionalExtensions),
+        InfobloxB1ThreatIndicator = extract("InfobloxB1ThreatIndicator=(.*?);", 1, AdditionalExtensions),
+        InfobloxDomainCat = extract("InfobloxDomainCat=(.*?);", 1, AdditionalExtensions),
+        InfobloxPolicyID = extract("InfobloxPolicyID=(.*?);", 1, AdditionalExtensions),
+        InfobloxRPZ = extract("InfobloxRPZ=(.*?);", 1, AdditionalExtensions),
+        InfobloxRPZRule = extract("InfobloxRPZRule=(.*?);", 1, AdditionalExtensions),
+        InfobloxThreatLevel = extract("InfobloxThreatLevel=(.*?);", 1, AdditionalExtensions),
+        ThreatConfidence = toint(extract("InfobloxThreatConfidence=(.*?);", 1, AdditionalExtensions)),
+        InfobloxThreatProperty = extract("InfobloxThreatProperty=(.*?);", 1, AdditionalExtensions)
+    | extend ThreatLevel_Score = toint(column_ifexists("InfobloxThreatLevel", ""))
+    | extend ThreatLevel = case(ThreatLevel_Score>=80, "High",
+                           ThreatLevel_Score>=50 and ThreatLevel_Score<80, "Medium",
+                           ThreatLevel_Score<50 and ThreatLevel_Score>=1, "Low",
+                           ThreatLevel_Score == 0,"Info",
+                           "N/A" )
+    | extend ThreatClass = extract("(.*?)_", 1, tostring(column_ifexists("InfobloxThreatProperty", "")))
+    | extend ThreatProperty = extract("([^_]*$)", 1, tostring(column_ifexists("InfobloxThreatProperty", "")))
+    | extend DeviceName = column_ifexists("DeviceName", "")
+    | extend SourceMACAddress = column_ifexists("SourceMACAddress", "")