Dev/generic parser (#2410)

* Custom parser deployer

Tools/ARM-Templates/ParserQuery/CustomParser.json

@@ -0,0 +1,50 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+      "workspaceName": {
+          "type": "string"
+      },
+      "location": {
+        "type": "string"
+      },
+      "ParserFunctionAlias": {
+          "type": "string",
+          "metadata": {
+             "description": "Parser function alias"
+          }
+      },
+      "ParserCode": {
+          "type": "string",
+          "metadata": {
+             "description": "KQL parser query"
+          }
+      }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "[parameters('ParserFunctionAlias')]",
+            "dependsOn": [
+              "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+            ],
+            "properties": {
+              "etag": "*",
+              "displayName": "Generic Parser",
+              "category": "Security",
+              "FunctionAlias": "[parameters('ParserFunctionAlias')]",
+              "query": "[parameters('ParserCode')]",
+              "version": 1
+          }
+        }
+      ]
+    }
+  ]
+}

Tools/ARM-Templates/ParserQuery/README.md

@@ -0,0 +1,5 @@
+# Custom Parser
+
+This template let's you deply a custom parser
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FARM-Templates%2FParserQuery%2FCustomParser.json)