Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #2255 from Azure/dicolanl-46 

MCASActivity Data Connector
This commit is contained in:
Sarah Young 2021-05-07 10:29:39 +12:00 коммит произвёл GitHub
Родитель 68f74c1088 2891f2e6a6
Коммит 8b9739f1ce
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
4 изменённых файлов: 1727 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

1307
DataConnectors/MCASActivityPlaybook/azuredeploy.json Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

4
DataConnectors/MCASActivityPlaybook/lastrun-MCAS.json Normal file
Просмотреть файл

@ -0,0 +1,4 @@
{
"lastRun": "",
"lastRunEpoch": 0
}

33
DataConnectors/MCASActivityPlaybook/readme.md Normal file
Просмотреть файл

@ -0,0 +1,33 @@
# Ingest MCAS (Microsoft Cloud App Security) Activities
Author: Nicholas DiCola
Get-MCASActivity playbook ingests MCAS Activities via (API)[https://docs.microsoft.com/cloud-app-security/api-activities-list] and writes them to a custom log table called MCASActivity_CL.
There are a number of configuration steps required to deploy the Logic App playbooks.
## Configuration Steps
1. Generate a MCAS (API Token)[https://docs.microsoft.com/cloud-app-security/api-authentication]. Settings -> Security Extensions -> API tokens.
2. Deploy the ARM template and fill in the parameters.
```
"APIToken": This is the MCAS API Token
"MCASURL": This is the MCAS URL. See About in the portal for specfici url.
"workspaceId": The Sentinel Workspace ID
"workSpaceKey": The Sentinel Workspace Key
```
3. There is a json file (lastrun-MCAS.json).
4. Upload the lastrun-MCAS.json to the storage account mcasactivitylogicapp container.
5. Get the Storage Access Key
6. Go to the azureblob-MCASActivity connection resource.
7. Click Edit API Connection.
8. Enter the storage account name and access key. Click Save.
9. The playbooks are deployed as disabled since the json file and connection has to be authorized. Go to the playbook and click Enable.
Note: there is a parsers (here)[https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/MCAS] to make the logs more readable
## Deploy the Logic App template
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FMCASActivityPlaybook%2Fazuredeploy.json" target="_blank">
<img src="https://aka.ms/deploytoazurebutton""/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FMCASActivityPlaybook%2Fazuredeploy.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
</a>

383
Parsers/MCAS/MCASActivity.txt Normal file
Просмотреть файл

@ -0,0 +1,383 @@
// Microsoft Cloud App Security Activities
// Last Updated Date: May 6, 2021
//
//This parser parses MCAS Activities to extract the infromation from their various components. It is assumed that the playbook to ingest activities data into Sentinel is enabled
//
// Parser Notes:
// 1. This parser assumes logs are collected into a custom log table entitled MCASActivity_CL
//
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias.
// Functions usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. MCASActivity | take 10).
//
// References :
// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381
// Tech Community Blog on GitHub data: <>
//
//
MCASActivity_CL
| extend TimeStamp = unixtime_milliseconds_todatetime(tolong(timestamp_d))
| project TimeGenerated,
TimeStamp,
id=columnifexists('_id_s', ""),
aadTenantId=columnifexists('aadTenantId_g', ""),
appId=columnifexists('appId_d', ""),
appName=columnifexists('appName_s', ""),
appType=columnifexists('appType_d', ""),
classifications=columnifexists('classifications_s', ""),
collected_aadLogins_correlationId=columnifexists('collected_aadLogins_correlationId_g', ""),
collected_aadLogins_enqueueTime=columnifexists('collected_aadLogins_enqueueTime_d', ""),
collected_aadLogins_MCAS_Router=columnifexists('collected_aadLogins_MCAS_Router_b', ""),
collected_aadLogins_routingTime=columnifexists('collected_aadLogins_routingTime_d', ""),
collected_azure_enqueueTime=columnifexists('collected_azure_enqueueTime_d', ""),
collected_azure_MCAS_Router=columnifexists('collected_azure_MCAS_Router_b', ""),
collected_azure_resourceGroup=columnifexists('collected_azure_resourceGroup_s', ""),
collected_azure_resourceNameGuid=columnifexists('collected_azure_resourceName_g', ""),
collected_azure_resourceName=columnifexists('collected_azure_resourceName_s', ""),
collected_azure_resourceProvider=columnifexists('collected_azure_resourceProvider_s', ""),
collected_azure_resourceType=columnifexists('collected_azure_resourceType_s', ""),
collected_azure_routingTime=columnifexists('collected_azure_routingTime_d', ""),
collected_azure_subscriptionId=columnifexists('collected_azure_subscriptionId_g', ""),
collected_o365_AcceptedAsNewValue=columnifexists('collected_o365_AcceptedAsNewValue_s', ""),
collected_o365_AcceptedAsOldValue=columnifexists('collected_o365_AcceptedAsOldValue_s', ""),
collected_o365_AcceptedOnNewValue=columnifexists('collected_o365_AcceptedOnNewValue_s', ""),
collected_o365_AcceptedOnOldValue=columnifexists('collected_o365_AcceptedOnOldValue_s', ""),
collected_o365_AccountEnabledNewValue=columnifexists('collected_o365_AccountEnabledNewValue_s', ""),
collected_o365_AccountEnabledOldValue=columnifexists('collected_o365_AccountEnabledOldValue_s', ""),
collected_o365_ActorIdServicePrincipalNamesNewValueGuid=columnifexists('collected_o365_ActorIdServicePrincipalNamesNewValue_g', ""),
collected_o365_ActorIdServicePrincipalNamesNewValue=columnifexists('collected_o365_ActorIdServicePrincipalNamesNewValue_s', ""),
collected_o365_ActorIdServicePrincipalNamesOldValue=columnifexists('collected_o365_ActorIdServicePrincipalNamesOldValue_s', ""),
collected_o365_AlternativeSecurityIdNewValue=columnifexists('collected_o365_AlternativeSecurityIdNewValue_s', ""),
collected_o365_AlternativeSecurityIdOldValue=columnifexists('collected_o365_AlternativeSecurityIdOldValue_s', ""),
collected_o365_AppAddressNewValue=columnifexists('collected_o365_AppAddressNewValue_s', ""),
collected_o365_AppAddressOldValue=columnifexists('collected_o365_AppAddressOldValue_s', ""),
collected_o365_AppPrincipalIdNewValue=columnifexists('collected_o365_AppPrincipalIdNewValue_s', ""),
collected_o365_AppPrincipalIdOldValue=columnifexists('collected_o365_AppPrincipalIdOldValue_s', ""),
collected_o365_blobCreated=columnifexists('collected_o365_blobCreated_t', ""),
collected_o365_blobId=columnifexists('collected_o365_blobId_s', ""),
collected_o365_commandParameters=columnifexists('collected_o365_commandParameters_s', ""),
collected_o365_CreationTypeNewValue=columnifexists('collected_o365_CreationTypeNewValue_s', ""),
collected_o365_CreationTypeOldValue=columnifexists('collected_o365_CreationTypeOldValue_s', ""),
collected_o365_CredentialNewValue=columnifexists('collected_o365_CredentialNewValue_s', ""),
collected_o365_CredentialOldValue=columnifexists('collected_o365_CredentialOldValue_s', ""),
collected_o365_DisplayNameNewValue=columnifexists('collected_o365_DisplayNameNewValue_s', ""),
collected_o365_DisplayNameOldValue=columnifexists('collected_o365_DisplayNameOldValue_s', ""),
collected_o365_extendedProperties_additionaldetails=columnifexists('collected_o365_extendedProperties_additionaldetails_s', ""),
collected_o365_GivenNameNewValue=columnifexists('collected_o365_GivenNameNewValue_s', ""),
collected_o365_GivenNameOldValue=columnifexists('collected_o365_GivenNameOldValue_s', ""),
collected_o365_IncludedUpdatedPropertiesNewValue=columnifexists('collected_o365_IncludedUpdatedPropertiesNewValue_s', ""),
collected_o365_IncludedUpdatedPropertiesOldValue=columnifexists('collected_o365_IncludedUpdatedPropertiesOldValue_s', ""),
collected_o365_InviteTicketNewValue=columnifexists('collected_o365_InviteTicketNewValue_s', ""),
collected_o365_InviteTicketOldValue=columnifexists('collected_o365_InviteTicketOldValue_s', ""),
collected_o365_MailNicknameNewValue=columnifexists('collected_o365_MailNicknameNewValue_s', ""),
collected_o365_MailNicknameOldValue=columnifexists('collected_o365_MailNicknameOldValue_s', ""),
collected_o365_OtherMailNewValue=columnifexists('collected_o365_OtherMailNewValue_s', ""),
collected_o365_OtherMailOldValue=columnifexists('collected_o365_OtherMailOldValue_s', ""),
collected_o365_ProxyAddressesNewValue=columnifexists('collected_o365_ProxyAddressesNewValue_s', ""),
collected_o365_ProxyAddressesOldValue=columnifexists('collected_o365_ProxyAddressesOldValue_s', ""),
collected_o365_ServicePrincipalNameNewValue=columnifexists('collected_o365_ServicePrincipalNameNewValue_s', ""),
collected_o365_ServicePrincipalNameOldValue=columnifexists('collected_o365_ServicePrincipalNameOldValue_s', ""),
collected_o365_SPNNewValueGuid=columnifexists('collected_o365_SPNNewValue_g', ""),
collected_o365_SPNNewValue=columnifexists('collected_o365_SPNNewValue_s', ""),
collected_o365_SPNOldValue=columnifexists('collected_o365_SPNOldValue_s', ""),
collected_o365_StsRefreshTokensValidFromNewValue=columnifexists('collected_o365_StsRefreshTokensValidFromNewValue_s', ""),
collected_o365_StsRefreshTokensValidFromOldValue=columnifexists('collected_o365_StsRefreshTokensValidFromOldValue_s', ""),
collected_o365_SurnameNewValue=columnifexists('collected_o365_SurnameNewValue_s', ""),
collected_o365_SurnameOldValue=columnifexists('collected_o365_SurnameOldValue_s', ""),
collected_o365_target_formatted=columnifexists('collected_o365_target_formatted_s', ""),
collected_o365_target_NAME=columnifexists('collected_o365_target_NAME_s', ""),
collected_o365_target_OTHERGuid=columnifexists('collected_o365_target_OTHER_g', ""),
collected_o365_target_OTHER=columnifexists('collected_o365_target_OTHER_s', ""),
collected_o365_target_PUID=columnifexists('collected_o365_target_PUID_s', ""),
collected_o365_target_SPNGuid=columnifexists('collected_o365_target_SPN_g', ""),
collected_o365_target_SPN=columnifexists('collected_o365_target_SPN_s', ""),
collected_o365_target_UPN=columnifexists('collected_o365_target_UPN_s', ""),
collected_o365_TargetIdServicePrincipalNamesNewValueGuid=columnifexists('collected_o365_TargetIdServicePrincipalNamesNewValue_g', ""),
collected_o365_TargetIdServicePrincipalNamesNewValue=columnifexists('collected_o365_TargetIdServicePrincipalNamesNewValue_s', ""),
collected_o365_TargetIdServicePrincipalNamesOldValue=columnifexists('collected_o365_TargetIdServicePrincipalNamesOldValue_s', ""),
collected_o365_TargetIdUserTypeNewValue=columnifexists('collected_o365_TargetIdUserTypeNewValue_s', ""),
collected_o365_TargetIdUserTypeOldValue=columnifexists('collected_o365_TargetIdUserTypeOldValue_s', ""),
collected_o365_UserPrincipalNameNewValue=columnifexists('collected_o365_UserPrincipalNameNewValue_s', ""),
collected_o365_UserPrincipalNameOldValue=columnifexists('collected_o365_UserPrincipalNameOldValue_s', ""),
collected_o365_UserStateChangedOnNewValue=columnifexists('collected_o365_UserStateChangedOnNewValue_s', ""),
collected_o365_UserStateChangedOnOldValue=columnifexists('collected_o365_UserStateChangedOnOldValue_s', ""),
collected_o365_UserStateNewValue=columnifexists('collected_o365_UserStateNewValue_s', ""),
collected_o365_UserStateOldValue=columnifexists('collected_o365_UserStateOldValue_s', ""),
collected_o365_UserTypeNewValue=columnifexists('collected_o365_UserTypeNewValue_s', ""),
collected_o365_UserTypeOldValue=columnifexists('collected_o365_UserTypeOldValue_s', ""),
confidenceLevel=columnifexists('confidenceLevel_d', ""),
connection_targetIp=columnifexists('connection_targetIp_s', ""),
connection_targetPort=columnifexists('connection_targetPort_d', ""),
created=columnifexists('created_d', ""),
createdRaw=columnifexists('createdRaw_d', ""),
description_id=columnifexists('description_id_s', ""),
description_metadata_activity_result_message=columnifexists('description_metadata_activity_result_message_s', ""),
description_metadata_colon=columnifexists('description_metadata_colon_s', ""),
description_metadata_dash=columnifexists('description_metadata_dash_s', ""),
description_metadata_event_category=columnifexists('description_metadata_event_category_s', ""),
description_metadata_operation_name=columnifexists('description_metadata_operation_name_s', ""),
description_metadata_operation_status=columnifexists('description_metadata_operation_status_s', ""),
description_metadata_parameters=columnifexists('description_metadata_parameters_s', ""),
description_metadata_target_object=columnifexists('description_metadata_target_object_s', ""),
description_metadata_to_object=columnifexists('description_metadata_to_object_s', ""),
description=columnifexists('description_s', ""),
device_certificate_certifiedByClientCertificate=columnifexists('device_certificate_certifiedByClientCertificate_b', ""),
device_clientIP=columnifexists('device_clientIP_s', ""),
device_countryCode=columnifexists('device_countryCode_s', ""),
device_machineId=columnifexists('device_machineId_g', ""),
device_userAgent=columnifexists('device_userAgent_s', ""),
entityData_0_displayName=columnifexists('entityData_0_displayName_s', ""),
entityData_0_id_idGuid=columnifexists('entityData_0_id_id_g', ""),
entityData_0_id_id=columnifexists('entityData_0_id_id_s', ""),
entityData_0_id_inst=columnifexists('entityData_0_id_inst_d', ""),
entityData_0_id_saas=columnifexists('entityData_0_id_saas_d', ""),
entityData_0_resolved=columnifexists('entityData_0_resolved_b', ""),
entityData_1_displayName=columnifexists('entityData_1_displayName_s', ""),
entityData_1_id_idGuid=columnifexists('entityData_1_id_id_g', ""),
entityData_1_id_id=columnifexists('entityData_1_id_id_s', ""),
entityData_1_id_inst=columnifexists('entityData_1_id_inst_d', ""),
entityData_1_id_saas=columnifexists('entityData_1_id_saas_d', ""),
entityData_1_resolved=columnifexists('entityData_1_resolved_b', ""),
entityData_2_displayName=columnifexists('entityData_2_displayName_s', ""),
entityData_2_id_idGuid=columnifexists('entityData_2_id_id_g', ""),
entityData_2_id_inst=columnifexists('entityData_2_id_inst_d', ""),
entityData_2_id_saas=columnifexists('entityData_2_id_saas_d', ""),
entityData_2_resolved=columnifexists('entityData_2_resolved_b', ""),
eventRouting_adminEvent=columnifexists('eventRouting_adminEvent_b', ""),
eventRouting_auditing=columnifexists('eventRouting_auditing_b', ""),
eventRouting_dispersed=columnifexists('eventRouting_dispersed_b', ""),
eventRouting_isAadLimitedSession=columnifexists('eventRouting_isAadLimitedSession_b', ""),
eventRouting_lograbber=columnifexists('eventRouting_lograbber_b', ""),
eventRouting_niptuck=columnifexists('eventRouting_niptuck_b', ""),
eventRouting_samlproxy=columnifexists('eventRouting_samlproxy_b', ""),
eventRouting_scubaUnpacker=columnifexists('eventRouting_scubaUnpacker_b', ""),
eventType=columnifexists('eventType_d', ""),
eventTypeName=columnifexists('eventTypeName_s', ""),
eventTypeValue=columnifexists('eventTypeValue_s', ""),
failedUserData_userName=columnifexists('failedUserData_userName_s', ""),
genericEventType=columnifexists('genericEventType_s', ""),
host_name=columnifexists('host_name_s', ""),
http_httpMethod=columnifexists('http_httpMethod_s', ""),
http_httpPath=columnifexists('http_httpPath_s', ""),
http_httpReferer=columnifexists('http_httpReferer_s', ""),
http_requestId=columnifexists('http_requestId_g', ""),
instantiation=columnifexists('instantiation_d', ""),
instantiationRaw=columnifexists('instantiationRaw_d', ""),
internals_otherIPs=columnifexists('internals_otherIPs_s', ""),
location_anonymousProxy=columnifexists('location_anonymousProxy_b', ""),
location_carrier=columnifexists('location_carrier_s', ""),
location_category=columnifexists('location_category_d', ""),
location_categoryValue=columnifexists('location_categoryValue_s', ""),
location_city=columnifexists('location_city_s', ""),
location_countryCode=columnifexists('location_countryCode_s', ""),
location_ipTags=columnifexists('location_ipTags_s', ""),
location_isSatelliteProvider=columnifexists('location_isSatelliteProvider_b', ""),
location_latitude=columnifexists('location_latitude_d', ""),
location_longitude=columnifexists('location_longitude_d', ""),
location_organizationSearchable=columnifexists('location_organizationSearchable_s', ""),
location_postalCode=columnifexists('location_postalCode_s', ""),
location_region=columnifexists('location_region_s', ""),
lograbberService_categoryReasonForNotGedi=columnifexists('lograbberService_categoryReasonForNotGedi_s', ""),
lograbberService_o365EventGrabber=columnifexists('lograbberService_o365EventGrabber_b', ""),
lograbberService_scubaUnpacker=columnifexists('lograbberService_scubaUnpacker_b', ""),
lograbberService_valueReasonForNotGedi=columnifexists('lograbberService_valueReasonForNotGedi_s', ""),
mainInfo_activityResult_isSuccess=columnifexists('mainInfo_activityResult_isSuccess_b', ""),
mainInfo_activityResult_message=columnifexists('mainInfo_activityResult_message_s', ""),
mainInfo_eventObjects=columnifexists('mainInfo_eventObjects_s', ""),
mainInfo_prettyOperationName=columnifexists('mainInfo_prettyOperationName_s', ""),
mainInfo_rawOperationName=columnifexists('mainInfo_rawOperationName_s', ""),
mainInfo_type=columnifexists('mainInfo_type_s', ""),
matchingRuleDetails=columnifexists('matchingRuleDetails_s', ""),
matchingRules=columnifexists('matchingRules_s', ""),
performedActionNamesSet=columnifexists('performedActionNamesSet_s', ""),
performedActions=columnifexists('performedActions_s', ""),
protocols_HTTP=columnifexists('protocols_HTTP_b', ""),
protocols_SSL=columnifexists('protocols_SSL_b', ""),
rawDataJson_AccountMoniker=columnifexists('rawDataJson_AccountMoniker_s', ""),
rawDataJson_AccountMonikerLocation=columnifexists('rawDataJson_AccountMonikerLocation_s', ""),
rawDataJson_ActivityId=columnifexists('rawDataJson_ActivityId_g', ""),
rawDataJson_Actor=columnifexists('rawDataJson_Actor_s', ""),
rawDataJson_ActorContextId=columnifexists('rawDataJson_ActorContextId_g', ""),
rawDataJson_AlertId=columnifexists('rawDataJson_AlertId_g', ""),
rawDataJson_AlertLinks=columnifexists('rawDataJson_AlertLinks_s', ""),
rawDataJson_AlertType=columnifexists('rawDataJson_AlertType_s', ""),
rawDataJson_AppId=columnifexists('rawDataJson_AppId_s', ""),
rawDataJson_ApplicationDisplayName=columnifexists('rawDataJson_ApplicationDisplayName_s', ""),
rawDataJson_applicationId=columnifexists('rawDataJson_applicationId_g', ""),
rawDataJson_ApplicationId=columnifexists('rawDataJson_ApplicationId_g', ""),
rawDataJson_ApplicationName=columnifexists('rawDataJson_ApplicationName_s', ""),
rawDataJson_armServiceRequestId=columnifexists('rawDataJson_armServiceRequestId_g', ""),
rawDataJson_audience=columnifexists('rawDataJson_audience_s', ""),
rawDataJson_authorization=columnifexists('rawDataJson_authorization_s', ""),
rawDataJson_AzureActiveDirectoryEventType=columnifexists('rawDataJson_AzureActiveDirectoryEventType_d', ""),
rawDataJson_BrowserId=columnifexists('rawDataJson_BrowserId_g', ""),
rawDataJson_Call=columnifexists('rawDataJson_Call_s', ""),
rawDataJson_Category=columnifexists('rawDataJson_Category_s', ""),
rawDataJson_channels=columnifexists('rawDataJson_channels_d', ""),
rawDataJson_claims=columnifexists('rawDataJson_claims_s', ""),
rawDataJson_ClientAppId=columnifexists('rawDataJson_ClientAppId_s', ""),
rawDataJson_ClientIP=columnifexists('rawDataJson_ClientIP_s', ""),
rawDataJson_CommentId=columnifexists('rawDataJson_CommentId_s', ""),
rawDataJson_Comments=columnifexists('rawDataJson_Comments_s', ""),
rawDataJson_correlationId=columnifexists('rawDataJson_correlationId_g', ""),
rawDataJson_CorrelationId=columnifexists('rawDataJson_CorrelationId_g', ""),
rawDataJson_CreationTime=columnifexists('rawDataJson_CreationTime_t', ""),
rawDataJson_CustomUniqueId=columnifexists('rawDataJson_CustomUniqueId_b', ""),
rawDataJson_Data=columnifexists('rawDataJson_Data_s', ""),
rawDataJson_Deployment=columnifexists('rawDataJson_Deployment_g', ""),
rawDataJson_description=columnifexists('rawDataJson_description_s', ""),
rawDataJson_DeviceInfo=columnifexists('rawDataJson_DeviceInfo_s', ""),
rawDataJson_DeviceTrustType=columnifexists('rawDataJson_DeviceTrustType_s', ""),
rawDataJson_DoNotDistributeEvent=columnifexists('rawDataJson_DoNotDistributeEvent_b', ""),
rawDataJson_eventCategory=columnifexists('rawDataJson_eventCategory_s', ""),
rawDataJson_EventEnvironment=columnifexists('rawDataJson_EventEnvironment_s', ""),
rawDataJson_EventId=columnifexists('rawDataJson_EventId_d', ""),
rawDataJson_eventInstanceId=columnifexists('rawDataJson_eventInstanceId_g', ""),
rawDataJson_eventName=columnifexists('rawDataJson_eventName_s', ""),
rawDataJson_EventName=columnifexists('rawDataJson_EventName_s', ""),
rawDataJson_EventNamespace=columnifexists('rawDataJson_EventNamespace_s', ""),
rawDataJson_EventSource=columnifexists('rawDataJson_EventSource_s', ""),
rawDataJson_eventSource=columnifexists('rawDataJson_eventSource_s', ""),
rawDataJson_eventTimestamp=columnifexists('rawDataJson_eventTimestamp_t', ""),
rawDataJson_EventType=columnifexists('rawDataJson_EventType_s', ""),
rawDataJson_EventVersion=columnifexists('rawDataJson_EventVersion_s', ""),
rawDataJson_ExtendedProperties=columnifexists('rawDataJson_ExtendedProperties_s', ""),
rawDataJson_ExternalAccess=columnifexists('rawDataJson_ExternalAccess_b', ""),
rawDataJson_GDSEnqueueTimeUtc=columnifexists('rawDataJson_GDSEnqueueTimeUtc_t', ""),
rawDataJson_HighPriorityMediaProcessing=columnifexists('rawDataJson_HighPriorityMediaProcessing_b', ""),
rawDataJson_HomeTenantUserObjectId=columnifexists('rawDataJson_HomeTenantUserObjectId_g', ""),
rawDataJson_httpRequest=columnifexists('rawDataJson_httpRequest_s', ""),
rawDataJson_Id=columnifexists('rawDataJson_Id_g', ""),
rawDataJson_InterSystemsId=columnifexists('rawDataJson_InterSystemsId_g', ""),
rawDataJson_IntraSystemId=columnifexists('rawDataJson_IntraSystemId_g', ""),
rawDataJson_IpAddress=columnifexists('rawDataJson_IpAddress_s', ""),
rawDataJson_IsDeviceCompliantAndManaged=columnifexists('rawDataJson_IsDeviceCompliantAndManaged_b', ""),
rawDataJson_IsInteractiveComputed=columnifexists('rawDataJson_IsInteractiveComputed_b', ""),
rawDataJson_isRetry=columnifexists('rawDataJson_isRetry_b', ""),
rawDataJson_issuedAt=columnifexists('rawDataJson_issuedAt_s', ""),
rawDataJson_issuer=columnifexists('rawDataJson_issuer_s', ""),
rawDataJson_ItemType=columnifexists('rawDataJson_ItemType_s', ""),
rawDataJson_level=columnifexists('rawDataJson_level_d', ""),
rawDataJson_Level=columnifexists('rawDataJson_Level_d', ""),
rawDataJson_ListId=columnifexists('rawDataJson_ListId_g', ""),
rawDataJson_ListItemUniqueId=columnifexists('rawDataJson_ListItemUniqueId_g', ""),
rawDataJson_LoginErrorCode=columnifexists('rawDataJson_LoginErrorCode_d', ""),
rawDataJson_LoginStatus=columnifexists('rawDataJson_LoginStatus_s', ""),
rawDataJson_MfaRequired=columnifexists('rawDataJson_MfaRequired_b', ""),
rawDataJson_MfaStatusRaw=columnifexists('rawDataJson_MfaStatusRaw_s', ""),
rawDataJson_ModifiedProperties=columnifexists('rawDataJson_ModifiedProperties_s', ""),
rawDataJson_MsodsTenantRegionScope=columnifexists('rawDataJson_MsodsTenantRegionScope_s', ""),
rawDataJson_Name=columnifexists('rawDataJson_Name_s', ""),
rawDataJson_ObjectIdGuid=columnifexists('rawDataJson_ObjectId_g', ""),
rawDataJson_ObjectId=columnifexists('rawDataJson_ObjectId_s', ""),
rawDataJson_Operation=columnifexists('rawDataJson_Operation_s', ""),
rawDataJson_operationId=columnifexists('rawDataJson_operationId_g', ""),
rawDataJson_operationName=columnifexists('rawDataJson_operationName_s', ""),
rawDataJson_OrganizationId=columnifexists('rawDataJson_OrganizationId_g', ""),
rawDataJson_OrganizationName=columnifexists('rawDataJson_OrganizationName_s', ""),
rawDataJson_OriginalEnqueueTimeUtc=columnifexists('rawDataJson_OriginalEnqueueTimeUtc_t', ""),
rawDataJson_OriginatingServer=columnifexists('rawDataJson_OriginatingServer_s', ""),
rawDataJson_Parameters=columnifexists('rawDataJson_Parameters_s', ""),
rawDataJson_Pid=columnifexists('rawDataJson_Pid_d', ""),
rawDataJson_PolicyId=columnifexists('rawDataJson_PolicyId_g', ""),
rawDataJson_PreciseTimeStamp=columnifexists('rawDataJson_PreciseTimeStamp_t', ""),
rawDataJson_principalOid=columnifexists('rawDataJson_principalOid_g', ""),
rawDataJson_principalPuid=columnifexists('rawDataJson_principalPuid_s', ""),
rawDataJson_properties=columnifexists('rawDataJson_properties_s', ""),
rawDataJson_ProviderGuid=columnifexists('rawDataJson_ProviderGuid_g', ""),
rawDataJson_ProviderName=columnifexists('rawDataJson_ProviderName_s', ""),
rawDataJson_RecordType=columnifexists('rawDataJson_RecordType_d', ""),
rawDataJson_RequestId=columnifexists('rawDataJson_RequestId_g', ""),
rawDataJson_resourceProvider=columnifexists('rawDataJson_resourceProvider_s', ""),
rawDataJson_resourceUri=columnifexists('rawDataJson_resourceUri_s', ""),
rawDataJson_ResultStatus=columnifexists('rawDataJson_ResultStatus_s', ""),
rawDataJson_Role=columnifexists('rawDataJson_Role_s', ""),
rawDataJson_RoleInstance=columnifexists('rawDataJson_RoleInstance_s', ""),
rawDataJson_RoleLocation=columnifexists('rawDataJson_RoleLocation_s', ""),
rawDataJson_RowKey=columnifexists('rawDataJson_RowKey_s', ""),
rawDataJson_SDSQueryExecutionTimeUtc=columnifexists('rawDataJson_SDSQueryExecutionTimeUtc_t', ""),
rawDataJson_Severity=columnifexists('rawDataJson_Severity_s', ""),
rawDataJson_Site=columnifexists('rawDataJson_Site_g', ""),
rawDataJson_SiteUrl=columnifexists('rawDataJson_SiteUrl_s', ""),
rawDataJson_Source=columnifexists('rawDataJson_Source_s', ""),
rawDataJson_SourceFileExtension=columnifexists('rawDataJson_SourceFileExtension_s', ""),
rawDataJson_SourceFileName=columnifexists('rawDataJson_SourceFileName_s', ""),
rawDataJson_SourceRelativeUrl=columnifexists('rawDataJson_SourceRelativeUrl_s', ""),
rawDataJson_Status=columnifexists('rawDataJson_Status_s', ""),
rawDataJson_status=columnifexists('rawDataJson_status_s', ""),
rawDataJson_subscriptionIdGuid=columnifexists('rawDataJson_subscriptionId_g', ""),
rawDataJson_subscriptionId=columnifexists('rawDataJson_subscriptionId_s', ""),
rawDataJson_subStatus=columnifexists('rawDataJson_subStatus_s', ""),
rawDataJson_SupportTicketId=columnifexists('rawDataJson_SupportTicketId_s', ""),
rawDataJson_Target=columnifexists('rawDataJson_Target_s', ""),
rawDataJson_TargetContextId=columnifexists('rawDataJson_TargetContextId_g', ""),
rawDataJson_TaskName=columnifexists('rawDataJson_TaskName_s', ""),
rawDataJson_tenantId=columnifexists('rawDataJson_tenantId_g', ""),
rawDataJson_TenantId=columnifexists('rawDataJson_TenantId_g', ""),
rawDataJson_Tid=columnifexists('rawDataJson_Tid_d', ""),
rawDataJson_TIMESTAMP=columnifexists('rawDataJson_TIMESTAMP_t', ""),
rawDataJson_TimeStamp=columnifexists('rawDataJson_TimeStamp_t', ""),
rawDataJson_uniqueTokenId=columnifexists('rawDataJson_uniqueTokenId_s', ""),
rawDataJson_Upn=columnifexists('rawDataJson_Upn_s', ""),
rawDataJson_UserAgent=columnifexists('rawDataJson_UserAgent_s', ""),
rawDataJson_UserId=columnifexists('rawDataJson_UserId_s', ""),
rawDataJson_UserIsPassthru=columnifexists('rawDataJson_UserIsPassthru_b', ""),
rawDataJson_UserKey=columnifexists('rawDataJson_UserKey_s', ""),
rawDataJson_UserName=columnifexists('rawDataJson_UserName_s', ""),
rawDataJson_UserPrincipalObjectID=columnifexists('rawDataJson_UserPrincipalObjectID_g', ""),
rawDataJson_UserTenantId=columnifexists('rawDataJson_UserTenantId_g', ""),
rawDataJson_UserTenantMsodsRegionScope=columnifexists('rawDataJson_UserTenantMsodsRegionScope_s', ""),
rawDataJson_UserType=columnifexists('rawDataJson_UserType_d', ""),
rawDataJson_Version=columnifexists('rawDataJson_Version_d', ""),
rawDataJson_WebId=columnifexists('rawDataJson_WebId_g', ""),
rawDataJson_Workload=columnifexists('rawDataJson_Workload_s', ""),
resolvedActor_governable=columnifexists('resolvedActor_governable_b', ""),
resolvedActor_idGuid=columnifexists('resolvedActor_id_g', ""),
resolvedActor_id=columnifexists('resolvedActor_id_s', ""),
resolvedActor_instanceId=columnifexists('resolvedActor_instanceId_s', ""),
resolvedActor_name=columnifexists('resolvedActor_name_s', ""),
resolvedActor_objType=columnifexists('resolvedActor_objType_s', ""),
resolvedActor_resolved=columnifexists('resolvedActor_resolved_b', ""),
resolvedActor_role=columnifexists('resolvedActor_role_s', ""),
resolvedActor_saasId=columnifexists('resolvedActor_saasId_s', ""),
resolvedActor_tags=columnifexists('resolvedActor_tags_s', ""),
resolvedActorAccount_governable=columnifexists('resolvedActorAccount_governable_b', ""),
resolvedActorAccount_idGuid=columnifexists('resolvedActorAccount_id_g', ""),
resolvedActorAccount_id=columnifexists('resolvedActorAccount_id_s', ""),
resolvedActorAccount_instanceId=columnifexists('resolvedActorAccount_instanceId_s', ""),
resolvedActorAccount_name=columnifexists('resolvedActorAccount_name_s', ""),
resolvedActorAccount_resolved=columnifexists('resolvedActorAccount_resolved_b', ""),
resolvedActorAccount_role=columnifexists('resolvedActorAccount_role_s', ""),
resolvedActorAccount_saasId=columnifexists('resolvedActorAccount_saasId_s', ""),
resolvedActorAccount_tags=columnifexists('resolvedActorAccount_tags_s', ""),
saasId=columnifexists('saasId_d', ""),
serviceHostName=columnifexists('serviceHostName_s', ""),
session_sessionId=columnifexists('session_sessionId_g', ""),
severity=columnifexists('severity_s', ""),
source=columnifexists('source_d', ""),
srcAppId=columnifexists('srcAppId_d', ""),
tags=columnifexists('tags_s', ""),
targetAppLoginUrl=columnifexists('targetAppLoginUrl_s', ""),
tenantId=columnifexists('tenantId_d', ""),
timestampRaw=columnifexists('timestampRaw_d', ""),
uid=columnifexists('uid_s', ""),
user_userNameGuid=columnifexists('user_userName_g', ""),
user_userName=columnifexists('user_userName_s', ""),
user_userTags=columnifexists('user_userTags_s', ""),
userAgent_browser=columnifexists('userAgent_browser_s', ""),
userAgent_deviceType=columnifexists('userAgent_deviceType_s', ""),
userAgent_family=columnifexists('userAgent_family_s', ""),
userAgent_major=columnifexists('userAgent_major_s', ""),
userAgent_minor=columnifexists('userAgent_minor_s', ""),
userAgent_name=columnifexists('userAgent_name_s', ""),
userAgent_nativeBrowser=columnifexists('userAgent_nativeBrowser_b', ""),
userAgent_operatingSystem_family=columnifexists('userAgent_operatingSystem_family_s', ""),
userAgent_operatingSystem_name=columnifexists('userAgent_operatingSystem_name_s', ""),
userAgent_operatingSystem_version=columnifexists('userAgent_operatingSystem_version_s', ""),
userAgent_os=columnifexists('userAgent_os_s', ""),
userAgent_tags=columnifexists('userAgent_tags_s', ""),
userAgent_type=columnifexists('userAgent_type_s', ""),
userAgent_typeName=columnifexists('userAgent_typeName_s', ""),
userAgent_version=columnifexists('userAgent_version_s', "")